IT Glossary & Dictionary

Practices and mechanisms for protecting APIs from unauthorized access, data breaches, and abuse.

An attack method that systematically tries all possible combinations of passwords or keys until the correct one is found.

A security technique that associates a host with its expected TLS certificate or public key, preventing man-in-the-middle attacks with fraudulent certificates.

An HTTP security header that controls which resources a browser is allowed to load for a web page, preventing XSS and data injection.

A browser security mechanism that controls which web domains can access resources from another domain via HTTP requests.

The practices and procedures for generating, storing, distributing, rotating, and revoking encryption keys securely.

An attack that tricks authenticated users into submitting unwanted requests to a web application they are logged into.

Testing a running application from the outside by sending malicious requests to discover security vulnerabilities.

A strategy and set of tools that detect and prevent unauthorized transmission of sensitive data outside an organization.

An attack that floods a target server or network with traffic from multiple sources to overwhelm it and deny service to legitimate users.

The process of converting readable data into an unreadable format using algorithms, reversible only with the correct key.

Configuration entries that define which network traffic is allowed or blocked based on source, destination, port, and protocol.

A one-way function that converts input data into a fixed-size string of characters, used for data integrity and password storage.

The process of verifying that user-supplied data meets expected formats, types, and ranges before processing it.

A compact, self-contained token format used for securely transmitting information between parties as a JSON object.

An attack where the attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly.

An authorization framework that allows third-party applications to access user resources without sharing passwords.

A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project.

An authorized simulated cyberattack on a system to evaluate its security defenses and identify vulnerabilities.

A social engineering attack that uses fraudulent communications to trick people into revealing sensitive information or installing malware.

A framework of policies, hardware, and software for creating, managing, distributing, and revoking digital certificates.

A security principle where users and programs receive only the minimum access rights needed to perform their specific tasks.

A technique that controls the number of requests a client can make to a server within a specified time period.

An access control model where permissions are assigned to roles, and users are assigned to roles rather than getting permissions directly.

Automated analysis of source code to find security vulnerabilities without executing the application.

The practice of securely storing, accessing, and rotating sensitive credentials like API keys, passwords, and certificates.

A systematic examination of an information system to assess compliance with security policies, identify vulnerabilities, and verify controls.

The process of reducing a system's attack surface by disabling unnecessary services, applying patches, and configuring security controls.

HTTP response headers that instruct browsers to enable security features like XSS protection, framing prevention, and content type enforcement.

An attack where an adversary takes over a legitimate user session by stealing or predicting the session identifier.

A platform that collects, correlates, and analyzes security events from across an organization to detect threats and incidents.

A centralized team and facility responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats 24/7.

An attack where malicious SQL code is inserted into application queries through user input to access or manipulate the database.

A cyberattack that targets less-secure elements in the software supply chain to compromise downstream users and organizations.

A security method requiring two different forms of identification before granting access to an account.

Automated testing that identifies known security weaknesses in systems, applications, and network infrastructure.

A security solution that filters and monitors HTTP traffic between a web application and the internet, blocking common attacks.

A security mechanism that verifies webhook payloads are authentic and unmodified using cryptographic signatures.

An attack that injects malicious scripts into web pages viewed by other users, potentially stealing data or session tokens.

A security model that requires strict identity verification for every user and device, regardless of their network location.