Glossary

Botnets: A botnet is a network of computers infected with malware that can be used by a hacker to do their bidding.

Brute Force Attacks: A brute-force attack occurs when an attacker checks all possible passwords until the correct one is found.

Clean URLs: Clean URLs (or semantic URLs) are readable URLs for websites or web services that intuitively represent the underlying resource.

Code Injection: Code injection can be used by an attacker to introduce malicious code into a vulnerable computer program and change the course of execution.

Content Management Systems: Content Management Systems (CMS) allow non-technical users to publish and edit online resources.

Cookies: HTTP is a stateless protocol. Cookies are the most common way to make a conversation between a browser and server stateful.

DDL: Data Definition Language (DDL) is the subset of the SQL language that allows table structures to be edited.

Defense in Depth: Defense in depth refers to employing multiple layers of security controls to reduce the likelihood and impact of an attack.

Denial of Service Attacks: A denial-of-service (DoS) attack is an attempt to make a web service or website unavailable by flooding it with network packets.

Dictionary Attacks: A dictionary attack is an attempt to guess passwords by using well-known words or phrases.

Digital Signatures: Digital signatures are used to demonstrate the authenticity of a digital message.

DML: Data Manipulation Language (DML) is the subset of the SQL language that allows querying and updating of table content.

Hashing: You should store user passwords as strong, cryptographic hashes.

HTTP: Hypertext Transfer Protocol (HTTP) is the mechanism that websites and web services use to communicate with user agents such as browsers.

HTTPS: Sensitive web traffic should be sent over an encrypted channel -- that's what HTTPS is for.

LDAP: Lightweight Directory Access Protocol (LDAP) is a technology used to create directories of individuals or resources.

Netmasks: Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol. They are used for defining networking rules in e.g. routers and firewalls.

OAuth: OAuth is an open standard for authorization.

OWASP: The Open Web Application Security Project (OWASP) is an online community that tracks common vulnerabilities and publishes information about web application security.

Password Lists: Users are creatures of habit, which means they tend to choose obvious passwords and re-use them over multiple sites.

Phishing: Phishing is when an attacker sends an email (or other electronic message) to a user, in an attempt to trick them into disclosing sensitive information.

Principle of Least Privilege: Secure organizations often share information on a "need to know" basis, and this model can be applied to technical systems too.

Randomness: Modern encryption techniques require the generation of random numbers on demand. This is a surprisingly hard problem.

Releases: Software is rarely unchanging; it is important to have a clear strategy when pushing out new versions.

REST: REpresentational State Transfer (REST) is a style of web service architecture designed to map create, read, update, and delete operations to their corresponding HTTP verbs.

Salting: Salting refers to adding a random token to a password before hashing it.

Sessions: A session is a stateful conversation between a website and a user agent, such as a browser.

Social Engineering: Social engineering is when an attacker interacts directly with your users or staff, in an effort to trick them into disclosing sensitive information or performing restricted actions.

SQL: Structured Query Language (SQL) is a special-purpose programming language for accessing and updating data in a relational database.

URLs: A Uniform Resource Locator (URL) -- informally called a web address -- specifies the location of a resource on the internet.

Worms: A worm is a malicious program that replicates itself in order to spread to other systems.

Zero-Day Exploits: A zero-day vulnerability is a vulnerability that the application author has not yet become aware of.