An alphabetical listing of (mostly) AppSec-related acronyms, initialisms, and abbreviations. Intended to help make sense of the alphabet soup of AppSec and InfoSec abbreviations, and geek speak in general. Each has a Google link to the term to help get started with additional detail and meaning. In some cases, a brief explanation is provided. An '*' marks a PCI/privacy-related term.
I've also included an AWS section which may be helpful to those just getting started with AWS.
- *3DS - 3-D Secure
- AOC - Attestation Of Compliance
- APM - Application Performance Monitoring
- ARIN - American Registry for Internet Numbers
- ASOC - Application Security Orchestration and Correlation
- ASPM - Application Security Posture Management
- AST - Application Security Testing
- ASTO - Application Security Testing Orchestration
- *ASV - Approved Scanning Vendor
- ASVS - Application Security Verification Standard (OWASP)
- ATO - Account Takeover
- AVC - Application Vulnerability Correlation
- BOLA - Broken Object Level Authorization
- BSIMM - Pronounced "bee-simm" - Building Security in Maturity Model - study of existing software security initiatives.
- C-SCRM - Cybersecurity Supply Chain Risk Management
- CAI - Consensus Assessments Initiative
- CAIQ - Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance
- CARTA - Continuous Adaptive Risk and Trust Assessment
- CASB - Cloud Access Security Broker
- CCM - Cloud Controls Matrix
- CCPA - California Consumer Privacy Act
- *CDE - Cardholder Data Environment
- CDN - Content Delivery Network
- CFAA - Computer Fraud and Abuse Act
- CHD - Card Holder Data
- CIA - Confidentiality, Integrity, Availability
- CIC - Center for Internet Control - policy
- CIS - Center for Internet Security - develops CIS Benchmarks.
- CLASP - Comprehensive, Lightweight Application Security Process
- CLI - Command Line Interpreter. aka Command Language Interpreter.
- *CNP - Card Not Present
- CORS - Cross-Origin Resource Sharing
- CRLF - Carriage Return (ASCII 13, \r), Line Feed (ASCII 10, \n)
- CSA - Cloud Security Alliance
- CSF - CyberSecurity Framework
- CSPM - Cloud Security Posture Management
- CSRF - Cross Site Request Forgery. Pronounced "see serf"
- CTP - Cloud Trust Protocol
- CVE - MITRE's Common Vulnerabilities and Exposures - identifies known vulnerabilities in specific products, not the underlying type of flaw
- CVSS - Common Vulnerability Scoring System
- CWE - Common Weakness Enumeration - MITRE - describes the type of weakness, not a specific finding in a system.
- DAP - Database Audit and Protection
- DAST - Dynamic Application Security Testing
- DFIR - Digital Forensics and Incident Response
- DKIM - DomainKeys Identified Mail
- DLP - Data Loss Prevention
- DMARC - Domain-based Message Authentication, Reporting and Conformance
- DPA - Data Processing Agreement
- Dox / Doxxing - researching and publishing private or identifiable information about a person or org with malicious intent.
- DREAD - Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability
- DSAR - Data Subject Access Request
- DSPM - Data Security Posture Management
- DSS - Data Security Standards
- EASM - External Attack Surface Management
- EDR - Endpoint Detection and Response
- ERM - Enterprise Risk Management. Used in the context of reporting.
- ESAPI - OWASP Enterprise Security API
- EMV - Europay, MasterCard, and Visa
- FED - Forged Email Detection
- FIM - File Integrity Monitoring
- FISMA - Federal Information Security Management Act
- FIPS - Federal Information Processing Standards
- FSA - Financial Statement Attestation - similar to ITGC
- Fuzzing - finding bugs by injecting malformed data in an automated fashion. It is used to crash running programs or trigger buffer overflow scenarios
- HIPAA - Health Insurance Portability and Accountability Act
- HIPS - Host-based Intrusion Prevention System
- HSM - Hardware Security Module
- HSTS - HTTP Strict Transport Security - instructs modern browsers to disallow plain HTTP connections to the site
- IAST - Interactive Application Security Testing - agent-based (RASP-style instrumentation) with minimal human involvement. Analyzes application behavior from inside the app during the testing phase while DAST-style attacks are run against it
- IDOR - Insecure Direct Object Reference
- IDS - Intrusion Detection System
- IOA - Indicator of Attack
- IOC - Indicator of Compromise
- IPS - Intrusion Prevention System
- NIST - National Institute of Standards and Technology
- Nmap - the Network Mapper - free security scanner
- NVD - National Vulnerability Database - for known vulnerabilities
- *P2PE - Point-to-Point Encryption
- PA-DSS - Payment Application Data Security Standard
- PAN - Primary Account Number
- PAM - Privileged Access Management
- PASTA - Process for Attack Simulation and Threat Analysis
- PCI - Payment Card Industry
- PKI - Public Key Infrastructure
- PRNG - Pseudo-Random Number Generator
- PSD2 - The second Payment Services Directive
- QSA - Qualified Security Assessor
- RASP - Runtime Application Self-Protection - detects and blocks attacks at runtime (e.g. by sanitizing inputs) without changing application code.
- RCE - Remote Code Execution
- RPA - Robotic Process Automation
- SAD - Sensitive Authentication Data
- SAMM - Software Assurance Maturity Model - opensamm.org
- *SAQ - Self Assessment Questionnaire
- SASE - Pronounced "Sassy", Secure Access Service Edge
- SAST - Static Application Security Testing
- SCA - Software Composition Analysis - analysis of open source and third-party components. Only reports publicly known vulnerabilities; does not scan the code itself.
- SCAP - Security Content Automation Protocol, pronounced "s-cap"
- SCIM - pronounced "SKIM", System for Cross-domain Identity Management
- *SIG - Standardized Information Gathering
- SIEM - Security Information & Event Management
- SIRS - Security Incident Response Services
- SOAR - Security Orchestration, Automation, and Response
- SPF - Sender Policy Framework
- SRC - Security, Risk and Compliance
- SRI - SubResource Integrity
- SRM - Security and Risk Management
- SSC - Security Standards Council
- SSE - Security Service Edge
- SSCM - Secure Software Configuration Management
- SSPM - SaaS Security Posture Management
- SSRF - Server Side Request Forgery
- STRIDE - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of Privilege
- SWA - Secure Web Authentication
- SWG - Secure Web Gateway
- UCF - Unified Compliance Framework
- UBA/UEBA - User (and Entity) Behavior Analytics
- UTM - Unified Threat Management
- VAST - Visual, Agile, and Simple Threat modeling
- VDP - Vulnerability Disclosure Policy / Vulnerability Disclosure Program
- WAAP - Web Application and API Protection
- WAF - Web Application Firewall
- WASC - Web Application Security Consortium
- WCAG - Web Content Accessibility Guidelines
- WPL - Microsoft Web Protection Library
- XDR - Extended Detection and Response
- XSS - Cross-Site Scripting - can give an attacker the same ability to do anything an application user can do with a web browser. Use output encoding and escaping properly to prevent it.

AWS terms:
- ALB - Application Load Balancer for EC2 instances
- ASFF - AWS Security Finding Format
- CloudFormation - infrastructure as code: define AWS resources in templates
- CloudTrail - logging of calls to AWS APIs
- CloudWatch - monitoring of the AWS resources and the applications you run. Set alarms and react to changes in resources
- EFS - Elastic File System
- ELB - Elastic Load Balancer
- Redshift - Data Warehouse
- RDS - Relational Database Service
- SES - Simple Email Service
- SNS - Simple Notification Service - pub/sub messaging
- SQS - Simple Queue Service - message queuing service
- VPC Flow Logs - allow you to capture IP traffic to/from network interfaces in your VPC
Pull requests are welcome. For a change in direction, please open an issue first to discuss what you would like to do.