DeCaPa / appsec-acronyms

An alphabetical listing of (mostly) appSec-related acronyms, initialisms, and abbreviations.

appsec-acronyms

An alphabetical listing of (mostly) appSec-related acronyms, initialisms, and abbreviations. Intended to help make sense of the alphabet soup of AppSec and InfoSec abbreviations, and geek speak in general. Each has a Google link to the term to help get started with additional detail and meaning. In some cases, a brief explanation is provided. An '*' marks a PCI/privacy-related term.

I've also included an AWS section which may be helpful to those just getting started with AWS.

| 0-9 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |

0-9

  • *3DS - 3-D Secure

A

  • AOC - Attestation Of Compliance
  • APM - Application Performance Monitoring
  • ARIN - American Registry for Internet Numbers
  • ASOC - Application Security Orchestration and Correlation
  • ASPM - Application Security Posture Management
  • AST - Application Security Testing
  • ASTO - Application Security Testing Orchestration
  • *ASV - Approved Scanning Vendor
  • ASVS - Application Security Verification Standard (OWASP)
  • ATO - Account Takeover
  • AVC - Application Vulnerability Correlation

B

  • BOLA - Broken Object Level Authorization
  • BSIMM - Pronounced "bee-simm" - Building Security in Maturity Model - study of existing software security initiatives.

C

  • C-SCRM - Cybersecurity Supply Chain Risk Management
  • CAI - Consensus Assessments Initiative
  • CAIQ - Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance
  • CARTA - Continuous Adaptive Risk and Trust Assessment
  • CASB - Cloud Access Security Broker
  • CCM - Cloud Controls Matrix
  • CCPA - California Consumer Privacy Act
  • *CDE - Cardholder Data Environment
  • CDN - Content Delivery Network
  • CFAA - Computer Fraud and Abuse Act
  • CHD - Card Holder Data
  • CIA - Confidentiality, Integrity, Availability
  • CIC - Center for Internet Control - policy
  • CIS - Center for Internet Security - develops CIS Benchmarks.
  • CLASP - Comprehensive, Lightweight Application Security Process
  • CLI - Command Line Interpreter, a.k.a. Command Language Interpreter.
  • *CNP - Card Not Present
  • CORS - Cross-Origin Resource Sharing
  • CRLF - Carriage Return (ASCII 13, \r), Line Feed (ASCII 10, \n)
  • CSA - Cloud Security Alliance
  • CSF - CyberSecurity Framework
  • CSPM - Cloud Security Posture Management
  • CSRF - Cross Site Request Forgery. Pronounced "see serf"
  • CTP - Cloud Trust Protocol
  • CVE - MITRE's Common Vulnerabilities and Exposures - identifies known vulnerabilities in specific systems or products, not the underlying flaw
  • CVSS - Common Vulnerability Scoring System
  • CWE - Common Weakness Enumeration - MITRE - describes the class of weakness itself, not a finding in a particular system.

D

  • DAP - Database Audit and Protection
  • DAST - Dynamic Application Security Testing
  • DFIR - Digital Forensics and Incident Response
  • DKIM - DomainKeys Identified Mail
  • DLP - Data Loss Prevention
  • DMARC - Domain-based Message Authentication, Reporting and Conformance
  • DPA - Data Processing Agreement
  • Dox / Doxxing - researching and publishing private or identifiable information about a person or org with malicious intent.
  • DREAD - Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability
  • DSAR - Data Subject Access Request
  • DSPM - Data Security Posture Management
  • DSS - Data Security Standards

E

  • EASM - External Attack Surface Management
  • EDR - Endpoint Detection and Response
  • ERM - Enterprise Risk Management. Used in the context of reporting.
  • ESAPI - OWASP Enterprise Security API
  • EMV - Europay, MasterCard, and Visa

F

  • FED - Forged Email Detection
  • FIM - File Integrity Monitoring
  • FISMA - Federal Information Security Management Act
  • FIPS - Federal Information Processing Standards
  • FSA - Financial Statement Attestation - similar to ITGC
  • Fuzzing - finding bugs by feeding malformed or unexpected data to a program in an automated fashion. It is used to surface crashes and memory-safety faults such as buffer overflows.

G

  • GDPR - General Data Protection Regulation
  • GRC - Governance Risk and Compliance

H

  • HIPAA - Health Insurance Portability and Accountability Act
  • HIPS - Host-based Intrusion Prevention System
  • HSM - Hardware Security Modules
  • HSTS - HTTP Strict Transport Security - instructs modern browsers to refuse plain HTTP connections to the site and use HTTPS only

I

  • IAST - Interactive Application Security Testing - minimal human involvement, based on a RASP-style agent inside the running application. Analyzes application behavior during the testing phase while a DAST tool or tester exercises the application as an attacker would
  • IDOR - Insecure Direct Object Reference
  • IDS - Intrusion Detection System
  • IOA - Indicator of Attack
  • IOC - Indicator of Compromise
  • IPS - Intrusion Prevention System

M

  • *MID - Merchant ID
  • *MoR - Merchant of Record
  • MSSP - Managed Security Services Provider

N

  • Nmap - the Network Mapper - free security scanner
  • NIST - National Institute of Standards and Technology
  • NVD - National Vulnerability Database - for known vulnerabilities

O

  • OSCi - Operating System Command Injection
  • OWASP - Open Web Application Security Project

P

  • *P2PE - Point-to-Point Encryption
  • PA-DSS - Payment Application Data Security Standard
  • PAN - Primary Account Number
  • PAM - Privileged Access Management
  • PASTA - Process for Attack Simulation and Threat Analysis
  • PCI - Payment Card Industry
  • PKI - Public Key Infrastructure
  • PRNG - Pseudo-Random Number Generator
  • PSD2 - The second Payment Services Directive

Q

  • QSA - Qualified Security Assessor

R

  • RASP - Runtime Application Self-Protection - detects and blocks attacks from inside the running application, e.g. by sanitizing inputs, without changing the application code.
  • RCE - Remote Code Execution
  • RPA - Robotic Process Automation

S

  • SAD - Sensitive Authentication Data
  • SAMM - Software Assurance Maturity Model - opensamm.org
  • *SAQ - Self Assessment Questionnaire
  • SASE - Pronounced "Sassy" - Secure Access Service Edge
  • SAST - Static Application Security Testing
  • SCA - Software Composition Analysis - analysis of open source and 3rd-party components; only reports publicly known vulnerabilities and doesn't scan the code itself.
  • SCAP - Security Content Automation Protocol, pronounced "s-cap"
  • SCIM - pronounced "SKIM", System for Cross-domain Identity Management
  • *SIG - Standardized Information Gathering
  • SIRS - Security Incident Response Services
  • SIEM - Security Information & Event Management
  • SOAR - Security Orchestration, Automation, and Response
  • SPF - Sender Policy Framework
  • SRC - Security, Risk and Compliance
  • SRI - SubResource Integrity
  • SRM - Security and Risk Management
  • SSC - Security Standards Council
  • SSE - Security Service Edge
  • SSCM - Secure Software Configuration Management
  • SSPM - SaaS Security Posture Management
  • SSRF - Server Side Request Forgery
  • STRIDE - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of Privilege
  • SWA - Secure Web Authentication
  • SWG - Secure Web Gateway

T

  • TOTP - Time-based One-Time Password
  • TTP - Tactics, Techniques, and Procedures

U

  • UCF - Unified Compliance Framework
  • UBA/UEBA - User (and Entity) Behavior Analytics
  • UTM - Unified Threat Management

V

  • VAST - Visual, Agile, and Simple Threat modeling
  • VDP - Vulnerability Disclosure Policy / Vulnerability Disclosure Program

W

  • WAAP - Web Application and API Protection
  • WASC - Web Application Security Consortium
  • WAF - Web Application Firewall
  • WCAG - Web Content Accessibility Guidelines
  • WPL - Microsoft Web Protection Library

X

  • XSS - Cross-Site Scripting - can lead to an attacker gaining the same ability to do anything an application user can do with a web browser. Use output encoding and escaping properly to prevent it.
  • XDR - Extended Detection and Response

Z

  • ZT - Zero Trust
  • ZTNA - Zero Trust Network Access

AWS

  • ALB - Application Load Balancer for EC2 instances
  • ASFF - AWS Security Finding Format
  • CloudFormation -
  • CloudTrail - logging of calls to the AWS APIs
  • CloudWatch - monitoring of the AWS resources and the applications you run; set alarms and react to changes in resources
  • EFS - Elastic File System
  • ELB - Elastic Load Balancer
  • Redshift - Data Warehouse
  • RDS - Relational Database Service
  • SES - Simple Email Service
  • SNS - Simple Notification Service - pub/sub messaging
  • SOAR - Security Orchestration, Automation, and Response
  • SQS - Simple Queue Service - message queuing service
  • VPC Flow Logs - allow you to capture IP traffic to/from network interfaces in your VPC

Contributing

Pull requests are welcome. For a change in direction, please open an issue first to discuss what you would like to do.

License

MIT
