Security Glossary

The middle verification tier of OWASP ASVS — the de-facto industry bar for any application handling business or personal data.

Continuous discovery and monitoring of every internet-exposed asset an organisation owns, including assets the security team did not know about.

Defensive operators responsible for detection, incident response and continuous security monitoring.

Ongoing programme that pays external researchers for valid security vulnerabilities reported under defined rules.

Consensus-developed security configuration baselines for operating systems, cloud platforms, network devices and applications.

CISA's Known Exploited Vulnerabilities catalog — the authoritative list of CVEs confirmed exploited in the wild, with binding remediation timelines for US federal agencies.

Common Platform Enumeration — the structured naming scheme that uniquely identifies a hardware or software product for vulnerability matching.

Common Security Advisory Framework — OASIS-standard JSON format for machine-readable vendor vulnerability advisories.

Cyber Threat Intelligence — collection, analysis and dissemination of information about adversaries, their tools and their behaviour.

Common Vulnerabilities and Exposures — the globally unique identifier system for publicly disclosed security vulnerabilities.

Common Vulnerability Scoring System — a numeric framework (0.0–10.0) for rating the severity of a vulnerability.

Common Weakness Enumeration — the taxonomy that classifies the underlying programming-error category that gives rise to vulnerabilities.

Dynamic Application Security Testing — exercises a running application from the outside, like a black-box attacker.

The discipline of writing, testing and maintaining security detections as code with the same rigour as application code.

Operating model where security is a shared responsibility of development, security and operations teams, automated into the delivery pipeline.

Endpoint Detection and Response — agent-based platform that records endpoint telemetry and supports investigation and response.

Exploit Prediction Scoring System — a daily-updated probability score (0-100%) estimating how likely a CVE is to be exploited in the next 30 days.

EU General Data Protection Regulation — comprehensive data-protection law with extraterritorial reach and significant fines.

US Health Insurance Portability and Accountability Act — governs the security and privacy of Protected Health Information.

Identity and Access Management — the system of record for who can do what to which resources, under what conditions.

Interactive Application Security Testing — instruments the running application from inside, combining SAST visibility with DAST realism.

Indicator of Compromise — observable artefact (hash, IP, domain, registry key) that suggests a system has been breached.

International standard for an Information Security Management System (ISMS), certifiable by accredited bodies.

Globally adopted knowledge base of real-world adversary tactics, techniques and procedures, organised as a matrix.

MITRE's defensive-technique knowledge graph that complements ATT&CK by enumerating concrete countermeasures and their relationships.

National Vulnerability Database — the US NIST-operated authoritative repository that enriches CVE records with CVSS, CPE and CWE analysis.

Application Security Verification Standard — a 280-control catalogue OWASP publishes as the canonical checklist for verifying web application security.

Consensus list of the ten most critical web application security risks, refreshed every three to four years.

Payment Card Industry Data Security Standard — mandatory for any entity that stores, processes or transmits cardholder data.

Collaborative engagement where Red and Blue teams work side-by-side to improve detection coverage in real time.

Goal-oriented adversary simulation that tests detection and response, not just whether vulnerabilities exist.

Coordinated process for reporting a vulnerability privately to the vendor before any public disclosure.

Static Application Security Testing — analyses source code or compiled binaries without executing them.

Software Bill of Materials — a machine-readable manifest of every component (and version) that makes up a software product.

Moving security activities earlier in the software development lifecycle so defects are caught when fixing them is cheap.

Extending security activities into production — runtime protection, observability and feedback loops that complement shift-left controls.

Security Information and Event Management — centralised log collection, correlation and alerting platform.

Security Orchestration, Automation and Response — codified playbooks that respond to alerts at machine speed.

AICPA attestation report (Type 1 or Type 2) evaluating a service organisation's controls against the Trust Services Criteria.

Secure Software Development Life Cycle — the systematic integration of security activities into every phase of software delivery.

End-to-end protection of the software production pipeline — source, build, dependencies, artefacts and delivery — against tampering and compromise.

Discussion-based simulation of a security incident, walking stakeholders through their response in a no-pressure setting.

Proactive, hypothesis-driven search through telemetry for adversary activity that automated detections did not catch.

Structured analysis of what could go wrong in a system, performed early so design changes are still cheap.

Tactics, Techniques and Procedures — the behavioural signatures that describe how an adversary operates.

User and Entity Behaviour Analytics — machine-learning analysis of user and asset behaviour to surface anomalies a rule-based SIEM would miss.

Vulnerability Assessment and Penetration Testing — automated discovery layered with manual exploitation against an in-scope asset.

Vulnerability Exploitability eXchange — a machine-readable statement of whether a known CVE is actually exploitable in a given product.

Extended Detection and Response — unified detection and response across endpoint, network, identity, email and cloud.

Security model that assumes breach and verifies every request explicitly, regardless of network location.