Agile Development— An alternative to traditional software development methodology that helps teams respond to unpredictability with cyclical, incremental, and iterative work cadences. Compare with Waterfall Methodology.
Application Programming Interface (API)— A system of tools that define how one application or module can access another.
Application Security (AppSec) – The use of technology, processes, and people to protect software. This includes improving software quality, training developers, and using tools to test the software.
Application Security Testing — Tests performed on a software application to identify potential vulnerabilities or other risks; includes Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Interactive Application Security Testing (IAST), among others.
Arithmetic errors – A programming error that produces calculation results greater in magnitude than what a given register or storage location can contain or represent.
Array overruns – Software flaws in which an array is accessed past its last element; similar to buffer overruns.
Attack Surface— A collection of vulnerable points that may be attacked and potentially penetrated. See threat surface.
Attack Vector— A pathway through which an attacker can exploit a vulnerability.
Automotive Safety Integrity Level (ASIL) -- A risk classification scheme used by the automotive industry and defined by the ISO 26262 standard (Road Vehicles – Functional Safety).
Backdoor— A programmed means of bypassing an established authentication or security process to obtain access to a network or asset.
Binary Code – This is code that has been compiled into a binary format so that a computer can read and execute it. Not human readable. Compare with Source Code.
Bill of Materials (BOM) -- For software, a list of the third-party code components inside a software package or firmware image.
Black Box— A reference to analysis or testing with little or no prior knowledge of the target system. Compare with White Box.
Black Hat— A hacker who attempts to gain unauthorized access to a computer or computer network or data asset. Compare with White Hat.
Buffer Overflow / Buffer Overrun— A programming error in which input (often carefully crafted) is written past the area of memory allotted for it and can, as a result, alter existing data or code or cause new code to execute. C and C++, which provide no native protection against accessing or overwriting any part of memory, are the languages most susceptible to it; bounds checking in these languages helps prevent buffer overflows.
Bug— A software problem or defect in code at the implementation level. Compare with Flaw.
CAN Bus – An automotive standard that allows microcontrollers and devices to communicate with each other without the use of an operating system.
Container Security – Containers provide an isolated, discrete, and separate environment for applications in Cloud Computing, and container security is the practice of protecting them. Containers contain only what is necessary to run the given app, hence the nickname JeOS, or "Just enough OS".
Cloud Computing— A pool of shared configurable resources such as networks, storage appliances, software applications, and services.
Code Coverage: The amount of source code exercised by a specific test suite. High code coverage tests more of the code than low code coverage.
Code decay – A process by which an application gradually deteriorates over time as a result of its individual components becoming more and more vulnerable.
Component – An individual item in a Bill of Materials report.
Concurrency bugs – Programming errors that arise when several computations execute simultaneously and interfere with one another.
Continuous Integration/Continuous Delivery (CI/CD)— The process of merging all developer working copies of code into a shared main software library several times a day. This is done to ensure that an application can be released into production quickly.
Cross-Site Scripting (XSS)— An attack on an application where malicious executable scripts are injected into a trusted application or website.
Common Vulnerabilities and Exposures (CVE): From the MITRE Corporation, a publicly available dictionary of common names for publicly known information security vulnerabilities, written as the year of disclosure followed by an assigned number, for example CVE-2016-0345.
Common Weakness Enumeration (CWE): From the MITRE Corporation, a publicly available dictionary of common software coding flaws that may lead to vulnerabilities.
Cost -- The total cost of the impact to an organization as the result of a particular threat experienced by a vulnerable target. Part of the assessment equation Risk = Threat x Vulnerability x Cost. Compare with Risk.
Cybersecurity— The protection of information systems, particularly software, from attack or damage.
Cyberthreat – A possible but not actual malicious attempt to damage or disrupt a computer system.
Data Breach / Data Leak— Unauthorized access to or exposure of sensitive information.
Dead Code – A programming term for code that is executed but never used by any other computation, wasting computation cycles and potentially consuming memory.
Defect— A software problem that may not cause any harm, even if exploited by attackers. Bugs and flaws are both defects.
DevOps – A shortened phrase (development and operations) for the working relationship between software developers and IT operations.
Denial of Service (DoS)— A localized disruption of a compromised computer system that may include a software crash.
Distributed Denial of Service (DDoS) – A coordinated disruption of legitimate access to a specific online service involving more than one compromised computer system, often via a botnet.
Division by Zero – A programming error that occurs when a computer attempts to divide by 0 and can produce a cascade effect that stops code from executing. This is especially true in some languages such as C or C++. In Java, integer division by zero throws an exception.
Dynamic Analysis— A method of testing that involves executing the code in real time. Compare with Static Analysis.
Dynamic Application Security Testing (DAST): Testing that can reveal a security vulnerability in an application in its running state.
Electronic Control Unit (ECU): An embedded system that controls one or more of the electrical systems or subsystems in a motor vehicle, often a specific function such as the brakes or the engine.
Electronic Design Automation (EDA) - Software tools for the design of electronic systems such as printed circuit boards and integrated circuits.
Encryption— The process of transforming plaintext (human readable) into indecipherable data (ciphertext) through use of an algorithm and a key.
Encryption Key— A string of bits used by both the sender and the receiver of an encrypted message for locking and unlocking the contents.
Exploit— The act of taking advantage of a vulnerability, or the code that does so, resulting in a security compromise.
Failure Mode and Effects Analysis (FMEA)— One of the first system techniques for failure analysis within systems, used in the automotive industry.
False Negative— A real vulnerability not found during security testing, which wrongly implies that the code is clean.
False Positive— A reported vulnerability that is not in fact a vulnerability.
Fault Injection: A technique for improving the coverage of a test by deliberately introducing faults to exercise code paths, in particular error-handling code paths, that might otherwise rarely be followed.
File Transfer Protocol (FTP)— A network protocol that defines how to transfer data from one computer system to another.
Flaw – A software problem at the design level, or an architectural defect. Compare with Bug.
Free Open Source Software (FOSS) – Software whose source code is publicly available and free. See Open Source Software.
Fuzz Testing – A software testing method where malformed input is used to trigger a software crash or unexpected result.
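An added example (not from the original glossary) that ties the Buffer Overflow and Fuzz Testing entries together: the unchecked copy overruns a fixed-size buffer, the bounds-checked version refuses input that does not fit, and a minimal fuzz loop feeds inputs of every length into the checked copy while watching a canary byte placed after the buffer. NAME_CAP, the function names and the inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16  /* constructed: capacity of the fixed-size destination */

/* Vulnerable form (contrast only): strcpy copies up to the NUL with no regard
 * for the destination size, so longer input overruns dst into adjacent memory. */
void copy_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);
}

/* Bounds-checked form: rejects input that does not fit, terminator included,
 * and tells the caller. Returns 0 on success, -1 when the input is rejected. */
int copy_name_checked(char dst[NAME_CAP], const char *src)
{
    size_t len = 0;
    while (len < NAME_CAP && src[len] != '\0') len++;
    if (len == NAME_CAP) {      /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* copies the terminator as well */
    return 0;
}

/* Minimal fuzz loop: constructed inputs of every length from 0 to 2*NAME_CAP go
 * into the checked copy; a canary byte directly after the buffer must survive and
 * the verdict must match whether the input fits. Returns the count of failures. */
int fuzz_copy_name(void)
{
    struct { char buf[NAME_CAP]; unsigned char canary; } guarded;
    char input[2 * NAME_CAP + 1];
    int failures = 0;
    for (size_t n = 0; n <= 2 * NAME_CAP; n++) {
        memset(input, 'A' + (int)(n % 26), n);  /* n filler bytes, then NUL */
        input[n] = '\0';
        guarded.canary = 0xA5;
        int rc = copy_name_checked(guarded.buf, input);
        if ((n < NAME_CAP) != (rc == 0) || guarded.canary != 0xA5)
            failures++;
    }
    return failures;
}

int main(void)
{
    printf("fuzz failures: %d\n", fuzz_copy_name());
    return 0;
}
```

Running the unchecked copy on an over-long input is undefined behaviour; build with a memory sanitizer if you want to watch it fail instead of corrupting the stack silently.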
GRC (governance, risk management, and compliance) – A common enterprise term. Governance is established and executed by the board of directors (BOD) toward achieving specific goals; risk management addresses anything that may hinder the organization's ability to achieve its objectives; and compliance ensures adherence to the company's policies and procedures and to laws and regulations, so that strong and efficient governance contributes to the organization's overall success.
Hacker – Someone who takes something apart. Commonly, a computer hacker who attempts to deconstruct code or network traffic to learn more about it. Compare with Black Hat and White Hat.
Injection Attack— A specially crafted input that triggers the exploitation of a software or computer vulnerability, most often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; and program arguments. Can be detected by fuzz testing.
Integrated Development Environment (IDE) – A software application that provides comprehensive facilities such as a source code editor, build automation tools and a debugger for software development.
Infosec – A shortening of "information security" that is commonly used to describe all aspects of computer security.
Information Sharing and Analysis Organization (ISAO) – A group formed to gather, analyze and disseminate critical information as outlined in Presidential Policy Directive 21. They are different from ISACs in that they are not tied directly to critical infrastructure sectors.
Interactive Application Security Testing (IAST): A testing methodology that combines Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) into an interactive process, using agents to monitor the runtime security of an application.
Internet of Things (IoT)— Devices other than conventional computers, such as cars, sensors, and appliances, that contain software and computational resources and share data.