CISSP terms

Acceptable risk
A suitable level of risk commensurate with the
potential benefits of the organization’s operations
as determined by senior management.
Access control system
Means to ensure that access to assets is authorized
and restricted based on business and security
requirements related to logical and physical
systems.
Access control tokens
The system decides if access is to be granted or
denied based upon the validity of the token for the
point where it is read based on time, date, day,
holiday, or other condition used for controlling
validation.
Accountability
Accountability ensures that account management
has assurance that only authorized users are
accessing the system and using it properly.
ActiveX Data Objects
(ADO)
A Microsoft high-level interface for all kinds of data.
Address Resolution
Protocol (ARP)
Is used at the Media Access Control (MAC) Layer to
provide for direct communication between two
devices within the same LAN segment.
Algorithm
A mathematical function that is used in the
encryption and decryption processes.
Asset
An item perceived as having value.
Asset lifecycle
The phases that an asset goes through from
creation (collection) to destruction.
Asymmetric
Not identical on both sides. In cryptography, key
pairs are used, one to encrypt, the other to decrypt.
Attack surface
Different security testing methods find different
vulnerability types.
Attribute-based access
control (ABAC)
This is an access control paradigm whereby access
rights are granted to users with policies that
combine attributes together.
Audit/auditing
The tools, processes, and activities used to perform
compliance reviews.
Authorization
The process of defining the specific resources a
user needs and determining the type of access to
those resources the user may have.
Availability
Ensuring timely and reliable access to and use of
information by authorized users.
Baselines
A minimum level of security.
Bit
Most essential representation of data (zero or one)
at Layer 1 of the Open Systems Interconnection
(OSI) model.
Black-box testing
Testing where no internal details of the system
implementation are used.
Bluetooth (Wireless
Personal Area Network
IEEE 802.15)
Bluetooth wireless technology is an open standard
for short-range radio frequency communication
used primarily to establish wireless personal area
networks (WPANs), and it has been integrated into
many types of business and consumer devices.
Bridges
Layer 2 devices that filter traffic between segments
based on Media Access Control (MAC) addresses.
Business continuity (BC)
Actions, processes, and tools for ensuring an
organization can continue critical operations
during a contingency.
Business continuity and
disaster recovery
(BCDR)
A term used to jointly describe business continuity
and disaster recovery efforts.
Business impact analysis
(BIA)
A list of the organization’s assets, annotated to
reflect the criticality of each asset to the
organization.
Capability Maturity
Model for Software or
Software Capability
Maturity Model (CMM or
SW-CMM)
Maturity model focused on quality management
processes and has five maturity levels that contain
several key practices within each maturity level.
Cellular Network
A radio network distributed over land areas called
cells, each served by at least one fixed-location
transceiver, known as a cell site or base station.
Certificate authority (CA)
An entity trusted by one or more users as an
authority that issues, revokes, and manages digital
certificates to bind individuals and entities to their
public keys.
Change management
A formal, methodical, comprehensive process for
requesting, reviewing, and approving changes to
the baseline of the IT environment.
CIA/AIC Triad
Security model made up of the three security
concepts of confidentiality, integrity, and
availability. It is also sometimes referred to as the
AIC Triad.
Ciphertext
The altered form of a plaintext message, so as to be
unreadable for anyone except the intended
recipients. Something that has been turned into a
secret.
Classification
Arrangement of assets into categories.
Clearing
The removal of sensitive data from storage devices
in such a way that there is assurance that the data
may not be reconstructed using normal system
functions or software recovery utilities.
Code-division multiple
access (CDMA)
Every call’s data is encoded with a unique key, then
the calls are all transmitted at once.
Common Object Request
Broker Architecture
(CORBA)
A set of standards that addresses the need for
interoperability between hardware and software
products.
Compliance
Adherence to a mandate; both the actions
demonstrating adherence and the tools, processes,
and documentation that are used in adherence.
Computer virus
A program written with functions and intent to
copy and disperse itself without the knowledge and
cooperation of the owner or user of the computer.
Concentrators
Multiplex connected devices into one signal to be
transmitted on a network.
Condition coverage
This criterion requires sufficient test cases for each
condition in a program decision to take on all
possible outcomes at least once. It differs from
branch coverage only when multiple conditions
must be evaluated to reach a decision.
Confidentiality
Preserving authorized restrictions on information
access and disclosure, including means for
protecting personal privacy and proprietary
information.
Configuration
management (CM)
A formal, methodical, comprehensive process for
establishing a baseline of the IT environment (and
each of the assets within that environment).
Confusion
Provided by mixing (changing) the key values used
during the repeated rounds of encryption. When
the key is modified for each round, it provides
added complexity that the attacker would
encounter.
Content Distribution
Network (CDN)
Is a large distributed system of servers deployed in
multiple data centers across the internet.
Covert channel
An information flow that is not controlled by a
security control and has the opportunity of
disclosing confidential information.
Covert security testing
Performed to simulate the threats that are
associated with external adversaries. While the
security staff has no knowledge of the covert test,
the organization management is fully aware and
consents to the test.
Crossover Error Rate
(CER)
This is achieved when the Type I and Type II error
rates are equal.
Cryptanalysis
The study of techniques for attempting to defeat
cryptographic techniques and, more generally,
information security services provided through
cryptography.
Cryptography
Secret writing. Today provides the ability to
achieve confidentiality, integrity, authenticity, nonrepudiation, and access control.
Cryptology
The science that deals with hidden, disguised, or
encrypted information and communications.
Curie Temperature
The critical point where a material’s intrinsic
magnetic alignment changes direction.
Custodian
Responsible for protecting an asset that has value,
while in the custodian’s possession.
Data classification
Entails analyzing the data that the organization
retains, determining its importance and value, and
then assigning it to a category.
Data custodian
The person/role within the organization
owner/controller.
Data flow coverage
This criterion requires sufficient test cases for each
feasible data flow to be executed at least once.
Data mining
A decision-making technique that is based on a
series of analytical techniques taken from the fields
of mathematics, statistics, cybernetics, and genetics.
Data owner/ controller
An entity that collects or creates PII.
Data subject
The individual human related to a set of personal
data.
Database Management
System (DBMS)
A suite of application programs that typically
manages large, structured sets of persistent data.
Database model
Describes the relationship between the data
elements and provides a framework for organizing
the data.
Decision (branch)
coverage
Considered to be a minimum level of coverage for
most software products, but decision coverage
alone is insufficient for high-integrity applications.
Decryption
The reverse process from encryption. It is the
process of converting a ciphertext message back
into plaintext through the use of the cryptographic
algorithm and the appropriate key that was used to
do the original encryption.
Defensible destruction
Eliminating data using a controlled, legally
defensible, and regulatory compliant way.
DevOps
An approach based on lean and agile principles in
which business owners and the development,
operations, and quality assurance departments
collaborate.
Diffusion
Provided by mixing up the location of the plaintext
throughout the ciphertext. The strongest
algorithms exhibit a high degree of confusion and
diffusion.
Digital certificate
An electronic document that contains the name of
an organization or individual, the business address,
the digital signature of the certificate authority
issuing the certificate, the certificate holder’s public
key, a serial number, and the expiration date. Used
to bind individuals and entities to their public keys.
Issued by a trusted third party referred to as a
Certificate Authority (CA).
Digital rights
management (DRM)
A broad range of technologies that grant control
and protection to content providers over their own
digital media. May use cryptography techniques.
Digital signatures
Provide authentication of a sender and integrity of
a sender’s message and non-repudiation services.
Disaster recovery (DR)
Those tasks and activities required to bring an
organization back from contingency operations and
reinstate regular operations.
Discretionary access
control (DAC)
The system owner decides who gets access.
Due care
A legal concept pertaining to the duty owed by a
provider to a customer.
Due diligence
Actions taken by a vendor to demonstrate/ provide
due care.
Dynamic or Private Ports
Ports 49152 – 65535. Whenever a service is
requested that is associated with Well-Known or
Registered Ports, those services will respond with a
dynamic port.
Dynamic testing
When the system under test is executed and its
behavior is observed.
Encoding
The action of changing a message into another
format through the use of a code.
Encryption
The process of converting the message from its
plaintext to ciphertext.
False Acceptance Rate
(Type II)
This is erroneous recognition either by confusing
one user with another, or by accepting an imposter
as a legitimate user.
False Rejection Rate
(Type I)
This is failure to recognize a legitimate user.
Fibre Channel over
Ethernet (FCoE)
A lightweight encapsulation protocol, and it lacks
the reliable data transport of the TCP layer.
Firewalls
Devices that enforce administrative security
policies by filtering incoming traffic based on a set
of rules.
Frame
Data represented at Layer 2 of the Open Systems
Interconnection (OSI) model.
Global System for
Mobiles (GSM)
Each call is transformed into digital data that is
given a channel and a time slot.
Governance
The process of how an organization is managed;
usually includes all aspects of how decisions are
made for that organization, such as policies, roles,
and procedures the organization uses to make
those decisions.
Governance committee
A formal body of personnel who determine how
decisions will be made within the organization and
the entity that can approve changes and exceptions
to current relevant governance.
Guidelines
Suggested practices and expectations of activity to
best accomplish tasks and attain goals.
Hash function
Accepts an input message of any length and
generates, through a one-way operation, a fixed-length output called a message digest or hash.
Honeypots/honeynets
Machines that exist on the network, but do not
contain sensitive or valuable data, and are meant to
distract and occupy malicious or unauthorized
intruders, as a means of delaying their attempts to
access production data/assets. A number
of machines of this kind, linked together as
a network or subnet, are referred to as a
“honeynet.”
Identity as a service
(IDaaS)
Cloud-based services that broker identity and
access management (IAM) functions to target
systems on customers’ premises and/or in the
cloud.
Identity proofing
The process of collecting and verifying information
about a person for the purpose of proving that a
person who has requested an account, a credential,
or other special privilege is indeed who he or she
claims to be and establishing a reliable relationship
that can be trusted electronically between the
individual and said credential for purposes of
electronic authentication.
Initialization vector (IV)
A non-secret binary vector used as the initializing
input algorithm, or a random starting point, for the
encryption of a plaintext block sequence to increase
security by introducing additional cryptographic
variance and to synchronize cryptographic
equipment.
Integrated Process and
Product Development
(IPPD)
A management technique that simultaneously
integrates all essential acquisition activities
through the use of multidisciplinary teams to
optimize the design, manufacturing, and
supportability processes.
Integrity
Guarding against improper information
modification or destruction and includes ensuring
information non-repudiation and authenticity.
Intellectual property
Intangible assets (notably includes software and
data).
Internet Control Message
Protocol (ICMP)
Provides a means to send error messages and a
way to probe the network to determine network
availability.
Internet Group
Management Protocol
(IGMP)
Used to manage multicasting groups that are a set
of hosts anywhere on a network that are listening
for a transmission.
Internet Protocol (IPv4)
Is the dominant protocol that operates at the Open
Systems Interconnection (OSI) Network Layer 3. IP
is responsible for addressing packets so that they
can be transmitted from the source to the
destination hosts.
Internet Protocol (IPv6)
Is a modernization of IPv4 that includes a much
larger address field: IPv6 addresses are 128 bits
that support 2^128 hosts.
Intrusion detection
system (IDS)
A solution that monitors the environment and
automatically recognizes malicious attempts to gain
unauthorized access.
Intrusion prevention
system (IPS)
A solution that monitors the environment and
automatically takes action when it recognizes
malicious attempts to gain unauthorized access.
Inventory
Complete list of items.
Job rotation
The practice of having personnel become familiar
with multiple positions within the organization as a
means to reduce single points of failure and to
better detect insider threats.
Key Clustering
When different encryption keys generate the same
ciphertext from the same plaintext message.
Key Length
The size of a key, usually measured in bits, that a
cryptographic algorithm uses in ciphering or
deciphering protected information.
Key or Cryptovariable
The input that controls the operation of the
cryptographic algorithm. It determines the
behavior of the algorithm and permits the reliable
encryption and decryption of the message.
Knowledge Discovery in
Databases (KDD)
A mathematical, statistical, and visualization
method of identifying valid and useful patterns in
data.
Least privilege
The practice of only granting a user the minimal
permissions necessary to perform their explicit job
function.
Lifecycle
Phases that an asset goes through from creation to
destruction.
Log
A record of actions and events that have taken
place on a computer system.
Logical access control
system
Non-physical system that allows access based upon
pre-determined policies.
Loop coverage
This criterion requires sufficient test cases for all
program loops to be executed for zero, one, two,
and many iterations covering initialization, typical
running, and termination (boundary) conditions.
Mandatory access
controls (MAC)
Access control that requires the system itself to
manage access controls in accordance with the
organization’s security policies.
Maximum allowable
downtime (MAD)
The measure of how long an organization can
survive an interruption of critical functions. Also
known as maximum tolerable downtime (MTD).
Media
Any object that contains data.
Message authentication
code (MAC)
A small block of data that is generated using a
secret key and then appended to the message, used
to address integrity.
Message digest
A small representation of a larger message.
Message digests are used to ensure the
authentication and integrity of information, not the
confidentiality.
Metadata
Information about the data.
Misuse case
A use case from the point of view of an actor hostile
to the system under design.
Multi-condition coverage
These criteria require sufficient test cases to
exercise all possible combinations of conditions in a
program decision.
Multi-factor
authentication
Ensures that a user is who he or she claims to be.
The more factors used to determine a person’s
identity, the greater the trust of authenticity.
Multiprotocol Label
Switching (MPLS)
Is a wide area networking protocol that operates at
both Layer 2 and 3 and does label switching.
Need-to-know
Primarily associated with organizations that assign
clearance levels to all users and classification levels
to all assets; restricts users with the same clearance
level from sharing information unless they are
working on the same effort. Entails
compartmentalization.
Negative testing
This ensures the application can gracefully handle
invalid input or unexpected user behavior.
Network Function
Virtualization (NFV)
The objective of NFV is to decouple functions such
as firewall management, intrusion detection,
network address translation, or name service
resolution away from specific hardware
implementation into software solutions.
Non-repudiation
Inability to deny. In cryptography, a service that
ensures the sender cannot deny a message was sent
and the integrity of the message is intact, and the
receiver cannot claim receiving a different message.
Null cipher
Hiding plaintext within other plaintext. A form of
steganography.
Open Authorization
(OAuth)
The OAuth 2.0 authorization framework enables a
third-party application to obtain limited access to
an HTTP service, either on behalf of a resource
owner by orchestrating an approval interaction
between the resource owner and the HTTP service,
or by allowing the third-party application to obtain
access on its own behalf.
Open Shortest Path First
(OSPF)
An interior gateway routing protocol developed for
IP networks based on the shortest path first or link-state algorithm.
OSI Layer 1
Physical layer.
OSI Layer 2
Data-link layer.
OSI Layer 3
Network layer.
OSI Layer 4
Transport layer.
OSI Layer 5
Session layer.
OSI Layer 6
Presentation layer.
OSI Layer 7
Application layer.
Overt security testing
Overt testing can be used with both internal and
external testing. When used from an internal
perspective, the bad actor simulated is an employee
of the organization. The organization’s IT staff is
made aware of the testing and can assist the
assessor in limiting the impact of the test by
providing specific guidelines for the test scope and
parameters.
Ownership
Possessing something, usually of value.
Packet
Representation of data at Layer 3 of the Open
Systems Interconnection (OSI) model.
Packet Loss
A technique called Packet Loss Concealment (PLC)
is used in VoIP communications to mask the effect
of dropped packets.
Parity bits
RAID technique; logical mechanism used to mark
striped data; allows recovery of missing drive(s) by
pulling data from adjacent drives.
Patch
An update/fix for an IT asset.
Path coverage
This criterion requires sufficient test cases for each
feasible path, basis path, etc., from start to exit of a
defined program segment, to be executed at least
once.
Personally identifiable
information (PII)
Any data about a human being that could be used to
identify that person.
Physical access control
system
An automated system that manages the passage of
people or assets through an opening(s) in a secure
perimeter(s) based on a set of authorization rules.
Ping of Death
Exceeds maximum packet size and causes receiving
system to fail.
Ping Scanning
Network mapping technique to detect if host
replies to a ping, then the attacker knows that a
host exists at that address.
Plaintext
The message in its natural format, which has not
been turned into a secret.
Point-to-Point Protocol
(PPP)
Provides a standard method for transporting
multiprotocol datagrams over point-to-point links.
Policy
Documents published and promulgated by senior
management dictating and describing the
organization’s strategic goals.
Port Address Translation
(PAT)
An extension to NAT to translate all addresses to
one routable IP address and translate the source
port number in the packet to a unique value.
Positive testing
This determines that your application works as
expected.
Privacy
The right of a human individual to control the
distribution of information about him- or herself.
Procedures
Explicit, repeatable activities to accomplish a
specific task. Procedures can address one-time or
infrequent actions or common, regular occurrences.
Purging
The removal of sensitive data from a system or
storage device with the intent that the data cannot
be reconstructed by any known technique.
Qualitative
Measuring something without using numbers,
using adjectives, scales, and grades, etc.
Quantitative
Using numbers to measure something, usually
monetary values.
Real user monitoring
(RUM)
An approach to web monitoring that aims to
capture and analyze every transaction of every user
of a website or application.
Recovery point objective
(RPO)
A measure of how much data the organization can
lose before the organization is no longer viable.
Recovery time objective
(RTO)
The target time set for recovering from any
interruption.
Registered Ports
Ports 1024 – 49151. These ports typically
accompany non-system applications associated
with vendors and developers.
Registration authority
(RA)
This performs certificate registration services on
behalf of a Certificate Authority (CA).
Remanence
Residual magnetism left behind.
Residual risk
The risk remaining after security controls have
been put in place as a means of risk mitigation.
Resources
Assets of an organization that can be used
effectively.
Responsibility
Obligation for doing something. Can be delegated.
Risk
The possibility of damage or harm and the
likelihood that damage or harm will be realized.
Risk acceptance
Determining that the potential benefits of a
business function outweigh the possible risk
impact/likelihood and performing that business
function with no other action.
Risk avoidance
Determining that the impact and/or likelihood of a
specific risk is too great to be offset by the potential
benefits and not performing a certain business
function because of that determination.
Risk mitigation
Putting security controls in place to attenuate the
possible impact and/or likelihood of a specific risk.
Risk transference
Paying an external party to accept the financial
impact of a given risk.
Role-based access
control (RBAC)
An access control model that bases the access
control authorizations on the roles (or functions)
that the user is assigned within an organization.
Rule-based access
control (RBAC)
An access control model that is based on a list of
predefined rules that determine what accesses
should be granted.
Sandbox
An isolated test environment that simulates the
production environment but will not affect
production components/data.
Security Assertion
Markup Language 2.0
(SAML 2.0)
A version of the SAML standard for exchanging
authentication and authorization data between
security domains.
Security control
framework
A notional construct outlining the organization’s
approach to security, including a list of specific
security processes, procedures, and solutions used
by the organization.
Security governance
The entirety of the policies, roles, and processes the
organization uses to make security decisions in an
organization.
Segment
Data representation at Layer 4 of the Open Systems
Interconnection (OSI) model.
Separation of duties
The practice of ensuring that no organizational
process can be completed by a single person; forces
collusion as a means to reduce insider threats.
Session Initiation
Protocol (SIP)
Is designed to manage multimedia connections.
Single factor
authentication
Involves the use of simply one of the three available
factors solely to carry out the authentication
process being requested.
Smurf
ICMP Echo Request sent to the network broadcast
address of a spoofed victim causing all nodes to
respond to the victim with an Echo Reply.
Software assurance
The level of confidence that software is free from
vulnerabilities either intentionally designed into
the software or accidentally inserted at any time
during its lifecycle and that it functions in the
intended manner.
Software-defined
networks (SDNs)
Separates network systems into three components:
raw data, how the data is sent, and what purpose
the data serves. This involves a focus on data,
control, and application (management) functions or
“planes”.
Software Defined Wide
Area Network (SD-WAN)
Is an extension of the SDN practices to connect to
entities spread across the internet to support WAN
architecture especially related to cloud migration.
Standards
Specific mandates explicitly stating expectations of
performance or conformance.
Statement coverage
This criterion requires sufficient test cases for each
program statement to be executed at least once;
however, its achievement is insufficient to provide
confidence in a software product’s behavior.
Static source code
analysis (SAST)
Analysis of the application source code for finding
vulnerabilities without executing the application.
Steganography
Hiding something within something else, or data
hidden within other data.
Stream cipher
When a cryptosystem performs its encryption on a
bit-by-bit basis.
Striping
RAID technique; writing a data set across multiple
drives.
Substitution
The process of exchanging one letter or bit for
another.
Switches
Operate at Layer 2. A switch establishes a collision
domain per port.
Symmetric algorithm
Operate with a single cryptographic key that is used
for both encryption and decryption of the message.
Synthetic performance
monitoring
Involves having external agents run scripted
transactions against a web application.
Teardrop Attack
Exploits the reassembly of fragmented IP packets in
the fragment offset field that indicates the starting
position, or offset, of the data contained in a
fragmented packet relative to the data of the
original unfragmented packet.
Threat modeling
A process by which developers can understand
security threats to a system, determine risks from
those threats, and establish appropriate
mitigations.
Time multiplexing
Allows the operating system to provide well-defined and structured access to processes that
need to use resources according to a controlled and
tightly managed schedule.
Time of check time of use
(TOCTOU) Attacks
Takes advantage of the dependency on the timing
of events that takes place in a multitasking
operating system.
Transmission Control
Protocol (TCP)
Provides connection-oriented data management
and reliable data transfer.
Transport Control
Protocol/ Internet
Protocol (TCP/ IP) Model
Layering model structured into four layers
(network interface layer, internet layer, transport
layer, host-to-host transport layer, application
layer).
Transposition
The process of reordering the plaintext to hide the
message by using the same letters or bits.
Trusted computing base
(TCB)
The collection of all of the hardware, software, and
firmware within a computer system that contains
all elements of the system responsible for
supporting the security policy and the isolation of
objects.
Trusted Platform Module
(TPM)
A secure crypto processor and storage module.
Uninterruptible power
supplies (UPS)
Batteries that provide temporary, immediate
power during times when utility service is
interrupted.
Use cases
Abstract episodes of interaction between a system
and its environment.
User Datagram Protocol
(UDP)
The User Datagram Protocol provides
connectionless data transfer without error
detection and correction.
Virtual Local Area
Networks (VLANs)
Allow network administrators to use switches to
create software-based LAN segments that can be
defined based on factors other than physical
location.
Voice over Internet
Protocol (VoIP)
Is a technology that allows you to make voice calls
using a broadband internet connection instead of a
regular (or analog) phone line.
Waterfall Development
Methodology
A development model in which each phase contains
a list of activities that must be performed and
documented before the next phase begins.
Well-Known Ports
Ports 0–1023. These ports are related to the common
protocols that are utilized in the underlying
management of the Transport Control
Protocol/Internet Protocol (TCP/IP) system,
Domain Name Service (DNS), Simple Mail Transfer
Protocol (SMTP), etc.
White-box testing
A design that allows one to peek inside the “box”
and focuses specifically on using internal
knowledge of the software to guide the selection
of test data.
Whitelisting/
blacklisting
A whitelist is a list of email addresses and/or
internet addresses that someone knows as “good”
senders. A blacklist is a corresponding list of known
“bad” senders.
Wi-Fi (Wireless LAN
IEEE 802.11x)
Primarily associated with computer networking,
Wi-Fi uses the IEEE 802.11x specification to create
a wireless local-area network either public or
private.
WiMAX
(Broadband Wireless
Access IEEE 802.16)
One well-known example of wireless broadband is
WiMAX. WiMAX can potentially deliver data rates
of more than 30 megabits per second.
Work factor
This represents the time and effort required to
break a cryptography system.