Browse by Tags
We've categorized the glossary terms. Use the filters to browse terms by tag.
Adjacent Attacker
An adjacent attacker is an attacker who can exploit a vulnerability by accessing a vulnerable component from a short-range network, such as Bluetooth. The attack must be launched from the same physical or logical network as the vulnerable component. The Common Vulnerability Scoring System (CVSS) uses the attack vector metric to evaluate how easily a vulnerability can be exploited. The attack vector metric has four levels: Adjacent (A): The attacker can only exploit the vulnerability through a shared physical network...
Artifact
Artifacts are work products that are produced and used during a project to capture and convey information (e.g., models, source code). An artifact can also be a piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question. Source: https://csrc.nist.gov/glossary/term/artifact ...
Attestation
The issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated. In cyber security it can be a review and confirmation of a project or organization’s security status. Source: https://csrc.nist.gov/glossary/term/attestation ...
Authenticated Attacker
An attacker who has to perform an authentication step (log in) to perform intended actions...
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. Source: https://csrc.nist.gov/glossary/term/authentication ...
Authorization
Giving an authenticated user, process, or device permission to access resources in an information system...
Availability
Timely and reliable access to and use of information. Source: https://csrc.nist.gov/glossary/term/availability ...
Blue Team
A group of security professionals responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks. Source: https://csrc.nist.gov/glossary/term/blue_team ...
Branch Protection
A feature that helps secure code by enforcing rules on git branches. The rules define whether collaborators can delete or force push to the branch and set requirements for any pushes to the branch, such as passing status checks or a linear commit history...
Brute Force
An attack or technique using a trial-and-error method to access accounts, usually in rapid repetition. For example, an attacker can systematically check all possible passwords and passphrases using a repetitive or iterative mechanism until the correct one is found...
Buffer Overflow
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf ...
Capabilities
The Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub-privileges (called capabilities) that can be individually assigned where finer granularity than root/non-root is needed. Reference for the list of capabilities: https://man7.org/linux/man-pages/man7/capabilities.7.html ...
CI/CD Pipeline (Continuous Integration and Continuous Delivery)
A process that automates the building, testing, and deployment of software. CI/CD stands for continuous integration and continuous delivery. Continuous integration is the practice of integrating code changes as regularly as possible. Continuous delivery is a set of practices in which code changes are automatically deployed into an acceptance environment...
CI/CD Pipeline Security
The process of integrating security controls into the CI/CD pipeline to protect code and software delivery...
CIA Triad
The CIA triad represents the three pillars of information security: confidentiality, integrity, and availability, as follows.
Confidentiality – preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity – guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
Availability – ensuring timely and reliable access to and use of information.
Source: https://www.nccoe.nist.gov/publication/1800-26/VolA/index.html ...
CISA
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States government serves as the national coordinator for critical infrastructure security and resilience. The agency’s stated mission is to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” Source: https://www.cisa.gov/about ...
Clickjacking
Clickjacking is a web security vulnerability that occurs when a victim user is tricked into clicking on UI objects that appear to belong to a foreground decoy web page, while they actually belong to a hidden background web page. Source: https://cwe.mitre.org/data/definitions/1021.html ...
Cloud Misconfiguration
Cloud misconfiguration is when a cloud-based system is not set up correctly, which can lead to security breaches, data breaches, and other problems. Examples include leaving data publicly accessible or not using the right security measures...
Cloud Security Posture Management (CSPM)
Cloud security posture management (CSPM) identifies and remediates risk by automating visibility, uninterrupted monitoring, threat detection, and remediation workflows to search for misconfigurations across diverse cloud environments and infrastructure...
Code Review
Code review is a software quality assurance activity in which one or more people examine the source code of a computer program...
Code Scanning
Code scanning is the process of using tools to analyze the source code of a computer program for potential security flaws, bugs, and other issues...
Common Vulnerabilities and Exposures (CVE)
A list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw assigned a CVE ID number. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cyber security vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program...
Common Vulnerability Scoring System (CVSS)
“The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.” The FIRST CVSS SIG gathers feedback to improve the CVSS. CVSS provides a simple estimate of a vulnerability’s severity from a few principal characteristics...
Common Weakness Enumeration (CWE)
“Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses. A ‘weakness’ is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” Examples of CWEs are: “Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)” (CWE-79); “Out-of-bounds Write” (CWE-787); “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)” (CWE-89). Each CWE identifies a type of vulnerability...
Confidentiality
The property that sensitive information is not disclosed to unauthorized entities. Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-152.pdf ...
Content Security Policy (CSP)
Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do. The primary use case for CSP is to control which resources, in particular JavaScript resources, a document is allowed to load...
Contributor Ladder
Hi there! 👋 Thanks for your interest in contributing to the OpenSSF Glossary project. Whether you contribute new terms or want to help others get started, there are many ways to become an active member of this community. This doc outlines the different contributor roles within the project and the responsibilities and privileges that come with them. 1. Contributors: The Glossary is for everyone. Anyone can become a Glossary contributor simply by contributing to the project...
Critical Information Infrastructure (CII)
Critical Information Infrastructure (CII) constitutes assets (real/virtual), networks, systems, processes, information, and functions that are vital to a nation such that their incapacity or destruction would have a devastating impact on national security and the economic and social well-being of citizens. CII may comprise a number of different infrastructures with essential interdependencies and critical information flows between them. Source: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors ...
Cross-site scripting (XSS)
A vulnerability in which the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is typically abbreviated as XSS because the abbreviation CSS typically refers to Cascading Style Sheets. Source: https://cwe.mitre.org/data/definitions/79.html ...
Cyber Resilience Act (CRA)
The European Union (EU) Cyber Resilience Act (CRA) is a regulation that “aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the (European) market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle.” Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2847 ...
DAST
DAST is an acronym for Dynamic Application Security Testing. There is agreement that DAST executes a program (that is, it uses dynamic analysis instead of static analysis) to find vulnerabilities. However, while the term DAST is often seen in the literature, the meaning of DAST has variation in industry. By some definitions, DAST is dynamic analysis for finding vulnerabilities in (only) web applications (see VeraCode, DAST TEST: Benefits of a DAST test for application security, 2020)...
Exfiltration
Exfiltration is the “unauthorized transfer of information from a system”. Source: NIST SP 800-53 Rev. 5 ...
Fuzzing
Fuzzing, also called fuzz testing, is an automated verification technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is executed and monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzz testing differs from traditional software testing. A traditional software test sends a known input, executes the program, and verifies that the output is correct. Traditional software tests are much more sensitive to incorrect outputs, but these tests take time to create because the correct output must be determined (requiring an “oracle”)...
Hardening
“Security hardening is the process of enhancing the security posture of a system or network by implementing a series of proactive measures to reduce vulnerabilities and mitigate potential risks. This includes configuring systems, applications, and infrastructure to adhere to best security practices, such as disabling unnecessary services, enforcing strong authentication mechanisms, applying patches and updates regularly, and configuring firewalls and intrusion detection systems. The goal of security hardening is to minimize the attack surface and strengthen defenses against cyber threats, reducing the likelihood of successful attacks and enhancing overall resilience to security breaches and unauthorized access...
Heap overflow
A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc() [or new]. Source: https://cwe.mitre.org/data/definitions/122.html ...
How To Contribute
Welcome to the OpenSSF Glossary contributing guide, and thank you for your interest. There are a number of ways you can contribute to this project, which we’ll cover in detail here: work on an existing issue, propose new terms, or update existing ones. OpenSSF glossary overview: The goal of this glossary is to simplify the open source software security space and thus make it more accessible to people. The OpenSSF Glossary content is stored in this GitHub repo where you’ll find a list of issues, pull requests (PRs), and discussions about the glossary...
Integrity
A property whereby data has not been altered in an unauthorized manner since it was created, transmitted, or stored. Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-152.pdf ...
Memory Safety
“Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers.” For more information, see the OpenSSF Memory Safety SIG’s definitions and Memory Safety Continuum. Source: https://en.wikipedia.org/wiki/Memory_safety ...
MITRE
MITRE is a not-for-profit company in the United States founded in 1958 to serve as objective advisers in systems engineering to government agencies, both military and civilian. MITRE operates federally funded research and development centers (FFRDCs) including the National Cybersecurity FFRDC (NCF). The NCF is sponsored by the National Institute of Standards and Technology (NIST) and supports NIST’s Cybersecurity Center of Excellence, a collaborative hub for government, industry, and academia to build practical solutions to cybersecurity challenges...
Negative Testing
Negative testing, also called “error path testing” or “invalid input testing,” is a software testing methodology that evaluates how systems and applications handle unexpected inputs and conditions. This is contrasted with positive testing, that is, testing the “happy path” initiated by expected inputs. Negative testing includes testing to ensure that what should not happen does not happen. This is vital for security. For example, if a user should not be able to delete an object owned by another user, it’s important to test this is the case...
NIST
The National Institute of Standards and Technology (NIST) was founded in 1901 and is part of the U.S. Department of Commerce. NIST’s stated mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” Source: https://www.nist.gov/about-nist ...
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL. A NULL pointer dereference usually results in the failure of the process unless exception handling (on some platforms) is available and implemented. Thus, it often leads to a failure of availability (a part of the definition of security). In C, dereferencing a null pointer is undefined behavior (UB), permitting any result including any kind of security vulnerability...
Object code
Object code is a form of a work that is not source code. A build process converts source code into object code. Source: https://www.gnu.org/licenses/gpl-3.0.en.html ...
OpenSSF Glossary
The OpenSSF Glossary aims to make the open source security space simpler for people by making it easier to understand, not only for technologists but also for people on the business side. To achieve that, we focus on simplicity (e.g., simple language free from buzzwords, examples anyone using technology can relate to, leaving unnecessary details out). The Glossary is a project led by the OpenSSF Best Practices for Software Developers Working Group...
Reproducible Build
A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all specified artifacts. Information about the build environment and build instructions is usually needed to achieve that. This creates an independently-verifiable path from source to binary code and counters attacks on the build process. A verified reproducible build is a build result that has been independently verified to reproduce. Verified reproducible builds allow multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny...
Source code
Source code is the preferred form of the work for making modifications to it. A build process converts source code into object code. Source: https://www.gnu.org/licenses/gpl-3.0.en.html ...
Style Guide
This style guide will help you understand the Glossary audience, definition structure, required level of detail, and how to keep a consistent style: use simple, accessible language, avoiding technical jargon and buzzwords; avoid colloquial language; use literal and concrete language; omit contractions; use passive voice sparingly; aim to phrase statements in a positive form; no exclamation marks outside of quotations; do not exaggerate; avoid repetition; be concise. Audience: The Glossary is written for technical and non-technical audiences...