Security Acronym Circus

You did not understand the last crypto seminar? A write-up on your favorite CTF challenge? A dream job advertisement in cybersecurity? The dialog box to configure the Wi-Fi? Please don’t panic, I may help!

Cybersecurity is a vast domain with a multitude of precise technical concepts (and sometimes some less technical concepts) that require naming. However, the people of cybersecurity (and related fields) seem to love acronyms. Personally, I don’t love them that much and keep forgetting their meanings. So, here is an attempt to list them once and for all.

To help the reader, the entries are tagged with emojis of approximate categories:

  • 🔑 Cryptology (applied and theoretical);
  • 👔 Governance and defense of IT systems;
  • 🕶️ Identification and access control;
  • 📜 Laws, recommendations, catalogs, and groups;
  • 💬 Networking and protocols;
  • 🪲 Software vulnerabilities, attacks, and countermeasures;
  • 🍄 Miscellaneous.

The list also contains acronyms not directly related to cybersecurity. Those either appear in other definitions (bootstrap) or are homonyms with legitimate entries and computer-related (thus can be confused). Also, the list does not include certifications and the organizations that sell them, as I am not familiar with them and do not want to promote the bad ones inadvertently.

Links go to Wikipedia because the linked article might be good (or might improve over time, I don’t know, I haven’t the time to read them all yet), and it’s a simple criterion for inclusion in the list — even if I do not respect the criterion that much.

Big thanks to Hubert Hackin’’ people who reviewed the list and proposed valuable additions. I will update the list if people notify me about missing ones.

  • 0-day 🪲 Zero-day vulnerability. A security bug in software that is unknown to its developers.
    By extension, an exploit or an attack that targets that bug.
  • 2FA 🕶️ Two-Factor Authentication. See MFA with M=2.
  • 2PC 🔑 Two-Party Computation. See MPC with M=2.
  • AAA 🕶️ Authentication, Authorization, and Accounting. A type of protocol that controls and tracks access, usage, and disconnection within a computer network. RADIUS is usually the only example.
  • AAAAAAAAA 🪲 AAAAAAAAA. A popular pattern to test for buffer overflows (BOF) and segmentation faults (segfault). More A can be added when needed.
  • ABAC 🕶️ Attribute-Based Access Control. A complex permission system with contextual information.
  • ACE 🪲 Arbitrary Code Execution. See RCE for the popular one.
    ACE 🕶️ Access-Control Entry. An item in an ACL (just below).
  • ACL 🕶️ Access-Control List. A list of permissions associated with a resource. The micro-granularity can become hard to manage, thus causing security issues.
  • AD 🕶️ Active Directory. A popular directory service by Microsoft. Textbook example of EEE with LDAP. Also, stores passwords as unsalted MD4 hashes for MS-CHAP.
  • AES 🔑 Advanced Encryption Standard. A popular symmetric encryption block cipher. Still good.
  • AH 💬 Authentication Header. A protocol from IPSec that ensures integrity. RFC 4302.
  • AitM 🪲 Adversary in the Middle. A non-gendered MitM.
  • AP 💬 Access Point. A device that connects Wi-Fi devices to a wired network.
  • AppArmor 🪲 Application Armor. A popular LSM with per-program profiles.
  • AppSec 👔 Application Security. Another name for SSDLC. Buzzword.
  • APT 👔 Advanced Persistent Threat. Cyberattack groups with records (persistent) and resources (advanced). Backed by nation states, for instance.
    APT 🍄 Advanced Package Tool. The main package manager for Debian and derived distributions. man apt.
  • ASLR 🪲 Address Space Layout Randomization. Add some randomness to some memory addresses of processes (and kernels) when loading executables and libraries (like ELF or PE). A common counter-counter-counter-measure of ROP.
  • ASM 👔 Attack Surface Management. Identifying and reducing attack vectors.
    ASM 🪲 Assembly. A family of low-level programming languages. It’s used a lot in SRE and PWN.
  • ATT&CK 📜 Adversarial Tactics, Techniques, and Common Knowledge. A catalog of common cyberattack techniques (TTP). By MITRE.
  • AUP 👔 Acceptable Use Policy. The organization’s rules that define what people can do with its IT system and what is prohibited.
  • AV 👔 Antivirus. Software that tries to detect and remove malware. Caveat emptor.
  • BA 🕶️ Basic Authentication. The simplest authentication mechanism of HTTP (but to use with HTTPS), with the annoying built-in browser dialog boxes that appear on another screen.
  • BAS 👔 Breach and Attack Simulation. Software that tries to simulate cyberattacks to test security defenses. Caveat emptor.
  • BBP 👔 Bug Bounty Program. Uberization of cybersecurity.
  • BEC 👔 Business Email Compromise. Email scam that targets businesses by spoofing partners, suppliers, and clients.
  • BFA 🪲 Brute-Force Attack. Exhaustive trial of all possible passwords.
  • Botnet 🍄 Robot network. A swarm of breached and controlled internet-connected devices. Used for nefarious activities like DDoS.
  • BOF 🪲 Buffer Overflow. Bug where data is written in memory beyond its expected location range, causing a lot of fun issues. See AAAAAAAAA. CWE-119.
  • BTI 🪲 Branch Target Identification. A CFI mechanism for ARM processors. See IBT.
  • BYOD 👔 Bring Your Own Device. An organization policy that allows users to use their own equipment (usually mobile phones and laptops) because it makes them happier and/or more productive. Annoying for control freak IT services.
  • BYOE 🔑 Bring Your Own Encryption. The encryption of data before uploading it to a cloud provider. It prevents the provider from reading the data, stealing the secrets, or feeding them to some LLM. Notes: If you upload the encryption keys, you fail at BYOE. If you lose the keys, you also fail.
  • BYOK 🔑 Bring Your Own Key. See BYOE (just above).
  • C2, or C&C 🍄 Command and Control. The software that controls a botnet.
  • CA 🔑 Certificate Authority. A trusted third party (TTP) that issues digital certificates to verify the identity of online entities in a PKI. A common countermeasure for MITM and other impersonation techniques.
    By extension, the CAs of the Internet.
  • CAPEC 📜 Common Attack Pattern Enumeration and Classification. Catalog of common cyberattack techniques (TTP). By MITRE.
  • CAPTCHA 🕶️ Completely Automated Public Turing Test to Tell Computers and Humans Apart. Easier for machines than real humans, or extremely annoying, or both.
  • CAS 🕶️ Central Authentication Service. A web-based SSO protocol (usually non federated).
    CAS 🍄 Compare And Swap. An atomic machine instruction of some processors.
  • CASL 📜 Canada’s Anti-Spam Legislation. Officially “Fighting Internet and Wireless Spam Act”, or “Loi visant l’élimination des pourriels sur les réseaux Internet et sans fil” in French.
  • CBC 🔑 Cipher Block Chaining. A previous popular mode of operation for cryptographic block ciphers. Subject to POA.
  • CBC-MAC 🔑 Cipher Block Chaining Message Authentication Code. A MAC, parametrized by a block cipher, that returns the ciphertext of the last block in CBC mode.
  • CC 📜 Common Criteria for Information Technology Security Evaluation. International standard (ISO/IEC 15408) for computer security certification.
  • CCC 📜 Chaos Computer Club. European association of hackers.
  • CCCS 📜 Canadian Centre for Cyber Security, Centre Canadien pour la Cyber Sécurité in French. The CERT of Canada.
  • CCM 🔑 Counter with Cipher block chaining Message authentication code, Counter CBC-MAC (it’s acronyms all the way down!). A popular mode of operation for cryptographic block ciphers.
  • CCMP 💬 Counter Mode Cipher Block Chaining Message Authentication Code Protocol, or CCM mode Protocol. Current version of WPA.
  • CERT 👔 Computer Emergency Response Team. People who clean up the mess and restart things after a cybersecurity incident.
  • CFI 🪲 Control-Flow Integrity. Techniques (usually hardware-based) to prevent the abuse of the program counter. Another common counter-counter-counter-measure to ROP.
  • CHAP 🕶️ Challenge-Handshake Authentication Protocol. A PPP authentication protocol that avoids the direct transmission of the password. Drawback: To validate the challenge, whatever is used as passwords must be stored in clear text in the server’s database. I’m not sure why it’s still used. See PAP and EAP for the other kinds. RFC 1994.
  • CHERI 🪲 Capability Hardware Enhanced RISC Instructions. A hardware-level access control mechanism on pointers. It targets RISC processors and tries to prevent many memory security issues.
  • CHF 🔑 Cryptographic Hash Function. A kind of hash functions with strong cryptographic properties.
  • CIA 📜 Confidentiality, Integrity, Availability. Simple core principles of cybersecurity. Because reducing complex things to simple core principles helps to explain them.
  • CIO 👔 Chief Information Officer. IT boss. Should be a technical person.
  • CSIRT 👔 Computer Security Incident Response Team. Another popular name for CERT.
  • CISO 👔 Chief Information Security Officer. IT sub-boss.
  • CKC 👔 Cyber Kill Chain. A model of cyberattack tactics. Easy to explain to managers.
  • CORS 💬 Cross-Origin Resource Sharing. A web mechanism that gently asks web browsers to bypass SOP when web developers are lazy.
  • CRAM-MD5 🕶️ Challenge-Response Authentication Mechanism - Message Digest, the fifth. A deprecated authentication mechanism that was popular with email servers. It avoids the direct transmission of the password but has too many weaknesses. See CHAP for a similar bad idea. RFC 2195.
  • CRC 🔑 Cyclic Redundancy Check. A short error detection (or correction) code associated with a block of data. Based on polynomial division. Not a CHF.
  • CRL 🔑 Certificate Revocation List. A list of certificates revoked by a CA (for various reasons). RFC 5280.
  • CRT 🔑 Chinese Remainder Theorem. A useful result of modular arithmetic with many applications in cryptology.
  • CSE 📜 Communications Security Establishment, Centre de la sécurité des télécommunications in French. Canada’s cybersecurity, cryptologic, cyberintelligence, and SIGINT agency.
  • CSF 📜 Cybersecurity Framework. Checklist for organizations. Developed by NIST.
  • CSIS 📜 Canadian Security Intelligence Service, Service Canadien du Renseignement de Sécurité in French. Collects and analyzes intelligence about terrorism, espionage, foreign interference, and other domestic threats, including cybersecurity threats.
  • CSP 💬 Content Security Policy. A web mechanism to prevent XSS and other attacks by gently asking web browsers to restrict themselves.
    CSP 🍄 Constraint Satisfaction Problem. A type of formal problem with a set of constraints on some variables.
  • CSRF 🪲 Cross-Site Request Forgery. Unauthorized requests to a server from a trusted (but tricked) user. CWE-352.
  • CTF 🚩 Capture The Flag. A popular type of cybersecurity competition.
  • CTI 👔 Cyber Threat Intelligence. Observations about potential or current cyber threats.
  • CTO 👔 Chief Technology Officer. Another IT sub-boss.
  • CTPEC 📜 Canadian Trusted Computer Product Evaluation Criteria. An old Canadian checklist of requirements for cybersecurity. Replaced by Common Criteria (CC).
  • CVD 👔 Coordinated Vulnerability Disclosure. The practice of notifying software vendors about security issues before the general public, so that patches and updates can be ready when the general public is informed. The common alternative is full disclosure, where bugs are published as early as possible to warn potential victims.
  • CVE 📜 Common Vulnerabilities and Exposures. A catalog of glorified bug numbers for publicly known vulnerabilities. Managed by MITRE.
    By extension, the glorified bug numbers.
  • CVSS 📜 Common Vulnerability Scoring System. A method to assign a value to CVE, because management likes numbers.
  • CWE 📜 Common Weakness Enumeration. A catalog of bugs and software malpractices. Managed by MITRE.
  • DAC 🕶️ Discretionary Access Control. A permission system where some users (the owners) can change the permissions of a resource.
  • DAST 👔 Dynamic Application Security Testing. Dynamic program analysis (and tools), but for cybersecurity. Also, manual testing for cybersecurity. Buzzword.
  • DDoS 🪲 Distributed Denial of Service. Overwhelms a system with traffic and requests to disrupt its availability.
  • DEF CON 📜 Not an acronym. Popular hacker conference in Las Vegas.
  • DEP 🪲 Data Execution Prevention. The ESP of Windows. See NX.
  • DES 🔑 Data Encryption Standard. A previously popular, now insecure, symmetric encryption block cipher. Replaced by AES.
  • DevSecOps 👔 Development, Security, Operations. 2nd-order Buzzword. Promote good security practices during the whole software development life cycle (instead of only at some points or never, duh).
  • DH 🔑 Diffie-Hellman key exchange, the authors’ initials. A popular method to securely generate a secret over an insecure channel. Based on modular exponentiation and DLP. Used in SSL/TLS.
  • DID 🕶️ Decentralized Identifier. A specification of a type of identifier used in an SSI system.
    DID 👔 Defense in Depth. The use of multiple and layered cybersecurity strategies and technologies.
  • DKIM 💬 Domain Keys Identified Mail. Cryptographic signing of emails. The public key of the sender’s server is published as a DNS record. RFC 6376.
  • DLP 🔑 Discrete Logarithm Problem. The foundation of popular cryptosystems like DSA, RSA, and ECC. The basic idea is to have situations with b an element of a group and x an integer where a=b^x is easy to compute, but finding x given a and b (i.e. x = log_b(a)) is always very hard. The job of cryptologists is then to find good groups, and prove (or disprove) the easy and very hard claims.
    DLP 👔 Data Loss Prevention. Software that tries to detect data leaks in real time. Caveat emptor.
  • DMARC 💬 Domain-based Message Authentication, Reporting, and Conformance. Extends SPF and DKIM by allowing the sender to explain (also in DNS records) what to do with failures. RFC 7489.
  • DMZ 💬 Demilitarized Zone. A subnetwork voluntarily exposed to the Internet. Usually acts as a buffer.
  • DoS 🪲 Denial of Service. Disrupts the availability of a system or service (just crashing it is enough). Not to be confused with DDoS.
  • DP 🔑 Differential Privacy. A mathematical technique that adds controlled noise to data analysis results to protect individual privacy.
  • DPI 💬 Deep Packet Inspection. The fine analysis of network traffic. Used in advanced firewall (FW), IDS, NDR, and other.
    DPI 🍄 Dots Per Inch. A popular unit of density for monitors, printers, and scanners. Because of the imperial unit, I have no idea about the meaning of the value (same with Fahrenheit, for instance), so when Xorg or a hot tub reports 96, I just acknowledge it.
  • DREAD 📜 Damage, Reproducibility, Exploitability, Affected users, Discoverability. An old Microsoft TM framework.
  • DRM 👔 Digital Rights Management. A restriction of users’ rights, with a lot of shortcomings. Defective by design.
    DRM 🍄 Direct Rendering Manager. The Linux kernel API to command GPUs.
  • DSA 🔑 Digital Signature Algorithm. An old asymmetric cryptosystem used for digital signatures. Based on modular exponentiation and DLP. People prefer RSA or ECC nowadays.
  • DTLS 💬 Datagram Transport Layer Security. The adaptation of TLS for UDP. RFC 9147.
  • EAP 🕶️ Extensible Authentication Protocol. Popular authentication protocol for network connections (e.g. WPA-Enterprise or PPP). See CHAP and PAP for simpler ones, and PEAP for a secure one. RFC 3748.
  • ECB 🔑 Electronic Codebook. A very simple mode of operation for cryptographic block ciphers, where each block is just encrypted separately. Insecure.
  • ECC 🔑 Elliptic-Curve Cryptography. Asymmetric cryptography approach based on elliptic curves (y^2=x^3+ax+b) and the DLP.
    ECC 🔑 Error Correction Code. The encoding techniques that add controlled redundancy to prevent some data loss during transmission or storage.
  • ECDH 🔑 Elliptic-Curve Diffie–Hellman. A variant of DH that uses ECC.
  • ECDSA 🔑 Elliptic-Curve Digital Signature Algorithm. A variant of DSA that uses ECC.
  • EdDSA 🔑 Edwards-curve Digital Signature Algorithm. A digital signature approach based on twisted Edwards curves (ax^2 + y^2 = 1 + dx^2y^2) and the DLP.
  • Ed25519 🔑 Edwards-curve Digital Signature Algorithm on Curve25519. Named this way because the curve is y^2=x^3+486662x^2+x (mod p) where p=2^255-19 (it’s in the name, so it’s easy to remember) with the base point where x=9.
  • EDR 👔 Endpoint Detection and Response. Software that tries to monitor servers, PCs, and other devices. Caveat emptor.
  • EEE 🍄 Embrace, Extend, and Extinguish. A business strategy used by some companies, like Microsoft, to reduce the relevance of alternative products and solutions.
  • ELF 🍄 Executable and Linkable Format. A Unix file format for executables and libraries.
  • ERT 👔 Emergency Response Team. Another name for CERT when the C is implicit. Otherwise, it’s related to real-world emergencies that deal with medical assistance, hazardous material spills, hostage situations, etc.
  • ESP 🪲 Executable-Space Protection. NX, or software simulation of NX. See NX.
    ESP 💬 Encapsulating Security Payload. A protocol from IPSec that combines other protocols. RFC 4303.
    ESP 🍄 Extended Stack Pointer. The name of the stack register on i386. The control of the stack register by attacker can lead to many exploits.
  • FIdM 👔 Federated Identity Management. Policies and technologies to manage identities and IdP in a federation.
  • FIDO 📜 Fast Identity Online Alliance. An industry association that does not trust passwords but prefers to sell devices.
  • FIM 👔 File Integrity Monitoring. Software that tries to detect unauthorized changes to critical files or systems. Caveat emptor.
  • FL 🔑 Federated Learning. A machine learning technique that keeps data decentralized for better privacy.
  • FW 💬 Firewall. Software (and hardware) that monitor, filter, and redirect incoming and outgoing network traffic.
  • GDB 🪲 GNU Debugger. Powerful and portable debugger.
  • GDPR 📜 General Data Protection Regulation. EU regulation for protecting personal data and privacy, and annoying cookie banners.
  • GNU 📜 GNU’s Not Unix! Collection of free (as in speech) software. By extension, the project that regroups them.
  • GPG 🔑 GNU Privacy Guard. The GNU version of PGP.
  • GRC 👔 Governance, Risk management, and Compliance. A management principle to coordinate these three topics. By extension, the people of an organization who manage the related internal rules.
    GRC 📜 Gendarmerie Royale du Canada, Royal Canadian Mounted Police in English. It was responsible for domestic cybersecurity, but that role was given to CSIS after major scandals — see the October Crisis of 1970.
  • GSS-API 🕶️ Generic Security Service Application Programming Interface. A generic and portable IETF programming API that could abstract many underlying security services. Where many≈1 since it’s used nearly only for Kerberos. RFC 2743.
  • HE 🔑 Homomorphic Encryption. A type of cryptographic system that allows some computations to be directly performed on encrypted data.
  • HIDS 👔 Host-based Intrusion Detection System. An IDS that must be installed on each host. Caveat emptor.
  • HIPAA 📜 Health Insurance Portability and Accountability Act. A U.S.A. law that controls the transfer of healthcare information.
  • HMAC 🔑 Hash-based Message Authentication Code. A standard MAC function parametrized by a cryptographic hash function (CHF). RFC 2104.
  • HOPE 📜 Hackers On Planet Earth. A hacker conference in New York.
  • HOTP 🔑 (Hash-based Message Authentication Code)-based one-time password. An OTP with a counter and a cryptographic hash function (CHF). Too many issues and unpopular. RFC 4226. Based twice.
  • HPP 🪲 Hypertext Transfer Protocol Parameter Pollution. Abuse of URL query string. It’s not even Postel’s fault here. Note: HTTP is innocent; its usage in the name is wrong. Related to CWE-235.
  • HRS 🪲 Hypertext Transfer Protocol Request/Response Smuggling. An attack on HTTP that abuses the Postel law. CWE-444.
    HRS 🪲 Hypertext Transfer Protocol Request/Response Splitting. What happens when the developer concatenates user input (especially CRLF) in HTTP headers. CWE-113.
    — Yes, the same acronym for two distinct HTTP attacks; the web security is that bad.
  • HSTS 💬 Hypertext Transfer Protocol Strict Transport Security. A web mechanism that gently asks web browsers to connect to a server only via HTTPS for a given time. RFC 6797.
  • HSM 🔑 Hardware Security Module. A device that stores and protects secrets and performs some cryptography.
  • HTML 💬 Hypertext Markup Language. The standard format for web pages and, unfortunately, emails.
  • hTMM 👔 Hybrid Threat Modeling Method. A TM framework that combines some other methodologies.
  • HTTP 💬 Hypertext Transfer Protocol. Protocol of the web. RFC 1945 and others.
  • HTTPS 💬 Hypertext Transfer Protocol Secure. HTTP over SSL/TLS. RFC 8446.
  • IAM 👔 Identity and Access Management. Software (and policies) that control the user’s access to the IT system.
  • IBT 🪲 Indirect Branch Tracking. A CFI mechanism for Intel processors. See BTI.
  • ICAM 👔 Identity, Credential, and Access Management. Another name for IAM.
  • ID 🕶️ Identifier or Identity. Why is the D uppercase? That makes no sense.
  • IDOR 🪲 Insecure Direct Object Reference. What happens when the developer fails to implement access control. A little more than CWE-639.
  • IdP 🕶️ Identity Provider. A system that manages identities to use, for instance, in SSO, OIDC, and SAML.
  • IDS 👔 Intrusion Detection System. Software that tries to monitor network traffic and access. Caveat emptor.
  • IEEE 📜 Institute of Electrical and Electronics Engineers. American professional organization. Also produces standards like Wi-Fi and the related security protocols.
  • IEEE 802.1x 💬 Institute of Electrical and Electronics Engineers, the 802th dot 1X. Security standard for NAC on LAN (wired and Wi-Fi) based on EAP.
  • IEEE 802.11 💬 Institute of Electrical and Electronics Engineers, the 802th dot 11. Fancy name for Wi-Fi.
  • IETF 📜 Internet Engineering Task Force. Manage various Internet standards and the RFCs.
  • IKE 💬 Internet Key Exchange. A protocol to agree on security parameters in IPsec. See SA. RFC 7296.
  • Infosec 👔 Information Security, portmanteau. Umbrella term for policies and practices about the overall security of information (including cybersecurity) in an organization.
  • IoC 👔 Indicator of Compromise. Evidence of a security breach, such as unusual network traffic or files.
  • IoT 🍄 Internet of Things. Autonomous devices with sensors, software, and Internet connectivity. The S stands for Security, the general public thinks it stands for Smart.
  • IPS 👔 Intrusion Prevention Systems. IDS that try to act instead of just watching. Caveat emptor.
  • IPsec 💬 Internet Protocol Security. An overengineered network protocol, sometimes used by VPN. RFC 4301 and others.
  • IRT 👔 Incident Response Team. Another name for CERT or ERT if no computers are involved.
  • ISO27K 📜 International Organization for Standardization and International Electrotechnical Commission, the 27000 family. A series of international standards about the overall IT security of an organization. Also called the ISMS family.
  • ISO/IEC 27001 📜 International Organization for Standardization and International Electrotechnical Commission, the 27001th. Joint information security standard for organizational management. The full name is “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”. Part of ISO27K.
  • ISOC 📜 Internet Society. An American non-profit organization that funds the IETF (and others) and advocates the Internet.
  • ISMS 👔 Information Security Management System. Policies about the overall IT security of an organization. See ISO27K.
  • IT 👔 Information technology. The field of computer hardware, software, networks, and data.
    By extension, the computer hardware, software, networks, and data of an organization.
    By extension, the people of the organization who manage them.
  • ITSEC 📜 Information Technology Security Evaluation Criteria. An old European checklist of requirements for cybersecurity. Replaced by Common Criteria (CC).
  • IV 🔑 Initialization Vector. A parameter for the initial state of some cryptographic primitives.
  • JAAS 🕶️ Java Authentication and Authorization Service. Java implementation of PAM.
  • JOSE 🔑 JavaScript Object Notation Object Signing and Encryption. Family of IETF standards that includes JWA, JWE, JWK, and JWT. “The full set of permutations is extremely large, and might be daunting”, as the authors of RFC 7520 write.
  • JSON 🍄 JavaScript Object Notation. Popular semi-formatted text-based data interchange format. Based on the literal values of the JavaScript language. RFC 7159.
  • JSONP 💬 JavaScript Object Notation with Padding. Old, popular, and insecure web technique to bypass SOP. Superseded by CORS.
  • JWA 🔑 JavaScript Object Notation Web Algorithms. A list of cryptographic algorithms usable in JOSE. RFC 7518.
  • JWE 🔑 JavaScript Object Notation Web Encryption. An encrypted message format using JSON and base64. Part of JOSE. RFC 7516.
  • JWK 🔑 JavaScript Object Notation Web Key. A key in JOSE. RFC 7517.
  • JWS 🔑 JavaScript Object Notation Web Signature. A signed message format using JSON and base64. Part of JOSE. RFC 7515.
  • JWT 🔑 JavaScript Object Notation Web Token. Popular token format based on JSON and base64. Part of JOSE. Avoids having developers roll their own crypto; still more complex than required, with far too many options. RFC 7519.
  • KDF 🔑 Key Derivation Function. A method to transform a secret (e.g. a password) and possibly some salt into one or more keys of good quality. See PBKDF2 for an example.
  • KEM 🔑 Key Encapsulation Mechanism. A standard safe method to send a secret (a symmetric key for instance) over an insecure network.
  • KRB5 🕶️ Kerberos, the fifth. A popular network authentication protocol (UDP) over an insecure network. RFC 4120.
  • LAN 💬 Local Area Network. A computer network within a limited area that uses popular technologies like Ethernet and Wi-Fi. With VPN and tunnels, the area of LAN is less limited.
  • LDAP 🕶️ Lightweight Directory Access Protocol. An oldish but still used directory service protocol that catalogs the users and machines of an organization. RFC 4510.
  • LDP 🔑 Local Differential Privacy. A mathematical technique that adds controlled noise to data before sharing it with a central server (e.g. for telemetry). It protects personal information during data collection.
  • LFI 🪲 Local File Inclusion. What happens when the developer concatenates user input in filepaths. Related to CWE-23.
  • LOTL 🪲 Living off the Land. Stealth cyberattack techniques that use already present software (e.g. system tools). No need to embed, upload, or download artifacts that might be detected.
  • LPE 🪲 Local Privilege Escalation. A bug that grants the attacker more privileges. E.g. becoming root because of a buggy SUID program.
  • LSASS 🕶️ Local Security Authority Subsystem Service. The Microsoft Windows process that manages the access policy.
  • LSM 🕶️ Linux Security Modules. A hook system of the Linux kernel for supporting additional security access control (e.g. MAC). Common ones are SELinux and AppArmor.
  • LTS 🍄 Long-Term Support. An extended support period for a software version. Usually, its updates only contain vulnerability fixes and severe bug fixes.
  • MAC 🔑 Message Authentication Code. A short message that is used to ensure the authenticity and integrity of a longer message.
    MAC 💬 Medium Access Control. A fancy name for a network interface. It’s the MAC of MAC address.
    MAC 🕶️ Mandatory Access Control. A permission system that restricts the user’s (li)ability to change permissions (when we can’t trust the user not to be an idiot). See DAC.
  • MAID 🪲 Modification of Assumed-Immutable Data. Broad category of bugs. CWE-471.
  • Malware 🪲 Malicious Software, portmanteau. Software designed to do harm.
  • MD5 🔑 Message Digest Algorithm, the fifth. An old popular hash function, considered insecure.
  • MDR 👔 Managed Detection and Response. An MSS for monitoring (EDR, NDR, XDR). Caveat emptor.
    Also, Mort de Rire. LOL in French.
  • ME 🍄 Management Engine. A backdoor in Intel’s chipsets.
  • MFA 🕶️ Multi-Factor Authentication. A security method that requires multiple (usually two) forms of verification for access. Ideally, something you know (like a password) and something you have (like a mobile phone, an email, or a dedicated security device), or something you are (biometrics). Annoying if you don’t have access to your phone because it is in another room.
  • MIC 🔑 Message Integrity Code. Another name for MAC used in contexts where MAC (e.g. network interface) is also used, but MIC (e.g. printer’s dots) is not.
    MIC 🍄 Machine Identification Code. Steganographic codes that are added on every printed page by shady printer manufacturers to track documents, users, and printers, and sell more yellow ink.
  • MISP 👔 Malware Information Sharing Platform. An open-source platform to collect, store and share structured information about threats.
  • MitM 🪲 Man-in-the-Middle Attack. An attack where someone (not always a man) secretly relays and possibly alters communication. CWE-300.
    MitM 🔑 Meet-in-the-Middle Attack. A type of cryptanalytic attack against symmetric ciphers.
  • MITRE 📜 Mitre Corporation. Not an acronym, but written in uppercase to confuse people. U.S.A. organization that does many things, including the management of CVE and CWE.
  • MPC 🔑 Multi-Party Computation. A distributed program where the input must remain private to each node. By extension, the field of cryptography that studies them.
  • MS-CHAP 🕶️ Microsoft Challenge-Handshake Authentication Protocol. Microsoft version of CHAP. Insecure (see PtH). Still used with PEAP because Active Directory is popular. RFC 2433 & 2759.
  • MSS 👔 Managed Security Services. Outsourced cybersecurity. Caveat emptor.
  • NAC 👔 Network Access Control. Policy (and software) to restrict network access to devices that do not conform to some security policies.
  • NAS 💬 Network Access Server. An entry point to a network.
    NAS 💬 Network-Attached Storage. A server optimized to service files.
    NAS 🕶️ Numéro d’Assurance Sociale, Social Insurance Number in English. A SPD in Canada.
  • NDR 👔 Network Detection and Response. Software (and hardware) that tries to monitor network traffic. Caveat emptor.
  • NIDS 👔 Network Intrusion Detection System. An IDS that only monitors network traffic.
  • NIS 🕶️ Network Information Service. An old Unix directory service protocol, usable with NSS.
  • NIST 📜 National Institute of Standards and Technology. U.S.A. agency providing cybersecurity frameworks and guidelines.
  • NP 🍄 Nondeterministic Polynomial. The complexity class of decision problems where proofs are decidable in a polynomial time.
    By extension, NP-hard, problems at least as hard as the hardest problems in NP.
    By extension, NP-complete, the hardest problems in NP (i.e. the subset of NP and NP-hard).
  • NPE 🪲 Null Pointer Exception. A type of common bugs that usually crashes the process. CWE-476.
    NPE 🕶️ Non-Person Entity. A non-human actor, like a software application or a device. They matter because we still want to identify, authenticate, and authorize them.
    NPE 🍄 Non-Practicing Entity. A fancy name for a patent troll.
  • NSS 🕶️ Name Service Switch. UNIX way to federate multiple sources of user information and other named things — groups, hosts, etc. man nss
  • NTLM 🕶️ New Technology Local Area Network Manager. An old Microsoft authentication protocol. Insecure and should not be deployed. See PtH.
  • NVD 📜 National Vulnerability Database. A NIST repository that assigns CVSS scores to CVEs. Not that reliable.
  • NX 🪲 No-Execute. A hardware protection that prevents some parts of the memory from containing executable machine code. A common countermeasure to shellcode.
  • OAuth 🕶️ Open Authorization. A web-based protocol to access resources without sharing credentials. Authorizations are delegated instead. Published by the IETF.
  • OIDC 🕶️ OpenID Connect. Authentication layer on top of OAuth. Not really related to OpenID because this would be less confusing otherwise.
  • OOB 🪲 Out-of-Band. Communication through an independent channel. E.g. exfiltration through DNS requests.
  • OPSEC 👔 Operations Security. Buzzword.
  • OSINT 👔 Open-Source Intelligence. Gathering cyber threat intelligence from publicly available sources. For instance, the things you can find on the web with a search engine. Not directly related to free and open-source software, but since their documentation, source code, bugs, and fixes are often publicly available, they are a good open source (pun).
  • OT 🔑 Oblivious Transfer. A cryptographic primitive where Bob asks Alice (a database) for an item. Bob gets only the requested item. Alice does not learn which item was requested. Stronger (more restrictive) than PIR.
  • OTP 🔑 One-Time Password. A password that is only valid once. It can be sent through email or SMS as an MFA measure, generated (e.g. TOTP), or read and crossed out from a piece of paper (emergency passwords). Limits the risk of password theft, reuse, and leaks.
    OTP 🔑 One-Time Pad. A cipher that uses a single-use, pre-shared, truly random key at least as long as the message. A lot of constraints, but unbreakable.
    OTP 🍄 One-Time Programmable. A special type of memory where data can be written once.
  • OWASP 📜 Open Web Application Security Project. An organization focused on web application security awareness.
  • PAC 🪲 Pointer Authentication Codes. An ARM feature that adds a MAC to pointers (in the unused bits). Counter-counter-counter-measure to ROP.
    PAC 💬 Proxy Auto-Config. A configuration file with rules for web browsers about the selection of proxies.
  • PAM 🕶️ Pluggable Authentication Module. The common UNIX mechanism to authenticate users. man pam.
    PAM 👔 Privileged Access Management. The control and monitoring of access by privileged users. E.g. the famous “this incident will be reported” of sudo.
  • PAP 🕶️ Password Authentication Protocol. An authentication protocol for PPP that transmits the password in clear text. So you really have to trust the link. See CHAP and EAP for the other kinds. RFC 1334.
  • PASTA 👔 Process for Attack Simulation and Threat Analysis. A popular TM framework.
  • PBKDF2 🔑 Password-Based Key Derivation Function, the second. A standard KDF to transform a password (a secret string) and a salt (a random string) into a key (a binary number with a fixed length) of good quality that can be used in subsequent cryptography routines. RFC 8018.
  • PCI DSS 📜 Payment Card Industry Data Security Standard. The comprehensive rules for protecting cardholder data that must be followed by anyone who processes credit cards.
  • PE 🍄 Portable Executable. A Microsoft file format for executables and libraries.
  • PEAP 🕶️ Protected Extensible Authentication Protocol. EAP on a TLS tunnel to protect credentials and avoid MITM attacks. Popular with WPA-Enterprise. Note: Don’t check “no certificate” in the dialog box, or your credentials could be easily stolen.
  • Pentest 👔 Penetration Test. An evaluation of the security of an IT system by attacking it.
  • PET 🕶️ Privacy-Enhancing Technologies. An umbrella term for software and hardware that improve the privacy of personal data.
  • PFS 🔑 Perfect Forward Secrecy. A property of encryption protocols that ensures past communications remain secure even if long-term keys are later compromised.
  • PGP 🔑 Pretty Good Privacy. An encryption program. It encrypts, decrypts, signs, and verifies files and emails.
    By extension, the associated standard (the official name is OpenPGP). RFC 9580.
  • PIC 🍄 Position-Independent Code. Machine code that can be loaded at any memory address (useful for shared libraries). Needed for ASLR on machine code.
  • PIE 🪲 Position-Independent Executable. Executable binaries 100% made of PIC, so that ASLR is 100% useful.
  • PII 👔 Personally Identifiable Information. A fancy name for personal data like name, social security number, date and place of birth, biometric info, etc.
  • PIN 🔑 Personal Identification Number. A numeric short password. Number is already in the acronym, no need to repeat it.
  • PIPEDA 📜 Personal Information Protection and Electronic Documents Act, or “Loi sur la protection des renseignements personnels et les documents électroniques” in French. Canadian law for data privacy.
  • PIR 🔑 Private Information Retrieval. A cryptographic primitive where Bob asks Alice (a database) for an item. Bob gets the requested item. Alice does not learn which item was requested. Weaker (less restrictive) than OT.
  • PKCS 🔑 Public-Key Cryptography Standards. Recommendations for implementing and managing RSA.
  • PKE 🔑 Public-Key Encryption. Another name for asymmetric cryptography (with a public key and a private key). Note that Private-Key Encryption would have the same acronym.
  • PKI 🔑 Public Key Infrastructure. Software, hardware, and policies to associate public keys with identities. I’m still not sure why it’s so complex.
    By extension, the specific PKI of the Internet. See PKIX.
  • PKIX 🔑 Public-Key Infrastructure X.509. The working group of the IETF responsible for its PKI standards. RFC 2459.
    By extension, the specific PKI of the Internet.
  • POA 🔑 Padding Oracle Attack. The abuse of the padding validation of some block cipher mode implementations (e.g. CBC) to leak information.
  • PoLP 👔 Principle of Least Privilege. A strategy to reduce the impact of compromises or weird bugs.
  • PPP 💬 Point-to-Point Protocol. A protocol to encapsulate other protocols over a simple direct link. RFC 1664.
  • PQC 🔑 Post-Quantum Cryptography. The science of cryptographic algorithms that resist attacks by quantum computers. DLP is much less of a hard problem for such computers.
  • PRNG 🔑 Pseudorandom Number Generator. An algorithm that generates a sequence of numbers that looks random enough.
  • PSI 🔑 Private Set Intersection. An MPC that computes the intersection of the parties’ sets without letting either party learn anything about elements outside it.
  • PSK 🔑 Pre-Shared Key. A secret previously shared over a (hopefully) secure channel. E.g. the home Wi-Fi password (WPA-Personal).
  • PSP 🍄 Platform Security Processor. The AMD version of ME. Still a backdoor.
  • PtH 🕶️ Pass the Hash. An attack technique enabled by a misunderstanding of the benefits of hashing passwords. Effective against NTLM, but also works with Kerberos or MS-CHAP if hashes are captured or leaked. CWE-836.
  • PWN 🪲 Own. Not an acronym but leetspeak. Used to refer to binary exploitation.
  • RADIUS 🕶️ Remote Authentication Dial-In User Service. An authentication and authorization network protocol (mostly UDP), but that also does accounting (usage, disconnection, etc.), so AAA. RADIUS servers are popular back-ends for WPA-Enterprise authentication (User ↔ AP/NAS ↔ RADIUS server). RFC 2865 & 2866.
  • RASP 👔 Runtime Application Self-Protection. Instrumentation of programs to detect and prevent cyberattacks. Caveat emptor.
  • RAT 🪲 Remote Access Trojan. Malware that remotely controls a compromised system.
  • RBAC 🕶️ Role-Based Access Control. A permission system where permissions are granted to roles (groups) rather than to individual users, and users belong to those groups.
  • RC4 🔑 Rivest Cipher, the fourth. Very simple, efficient, and insecure stream cipher.
  • RCE 🪲 Remote Code Execution. The Holy Grail of software exploitation, where the attacker aims to open a shell or a calculator on a remote computer. A sub-kind of CWE-94.
  • RE 🪲 Reverse Engineering. The analysis of something with the hope of understanding some parts of its components and design. See SRE for the software version.
    RE 🍄 Regular Expression. A popular and powerful pattern language to match text (pedantic: to define languages).
    RE 🍄 Recursively Enumerable. The class of the semidecidable decision problems.
  • RELRO 🪲 Relocation Read-Only. A hardening technique for Unix executables and libraries (ELF) that resolves dynamically linked names once, at load time, and then marks the relocation tables as read-only.
  • RFC 📜 Request for Comments. Documents published by the IETF about technical development related to the Internet, including security. Some of them become standards. Do people really send comments?
  • RFI 🪲 Remote File Inclusion. An attack where external (malicious) code is fetched and executed by the server. Generalization of CWE-98.
  • ROP 🪲 Return-Oriented Programming. A binary exploitation (pwn) technique that controls the stack to execute carefully chosen parts of the existing program. A common counter-counter-measure of NX.
  • RSA 🔑 Rivest–Shamir–Adleman, the authors’ names and not something Signature Algorithm. A popular but old asymmetric cryptosystem based on large prime numbers and DLP.
  • SA 💬 Security Association. A set of security parameters agreed on through IKE. See IPsec.
  • SAM 🕶️ Security Account Manager. The /etc/passwd and /etc/shadow of Windows. Because the password hashing is bad (see PtH), it’s a nice target for cybercriminals and red teams.
  • SAML 💬 Security Assertion Markup Language. Overengineered XML-based web-based authentication and authorization protocol for SSO and federations.
  • SASL 🕶️ Simple Authentication and Security Layer. An IETF authentication framework, plugged in some IETF protocols, that delegates the authentication to other IETF authentication methods like CRAM-MD5, NTLM, or GSSAPI. RFC 4422.
  • SAST 👔 Static Application Security Testing. Static program analysis (and tools), but for cybersecurity. Buzzword.
  • SBOM 👔 Software Bill Of Materials. The declared list of ingredients of a software artifact. E.g. libraries and snippets found on the web. Used for vulnerability analysis, license conformance, and risk management.
  • SBX 🪲 Sandbox. A mechanism to isolate a process or a computation from the rest of the system.
    By extension, Sandbox Escape (not sure if the E is missing or if the X was promoted to escape). An exploit that abuses a vulnerability in the sandbox mechanism.
  • SCA 👔 Software Composition Analysis. A software development practice that tries to identify vulnerable or outdated components. Annoying bots on forges.
  • SCIM 🕶️ System for Cross-domain Identity Management. IETF standard for exchanging identities between IdP and IT systems. RFC 7642 and others.
  • SDL 👔 Security Development Lifecycle. Microsoft’s version of DevSecOps. Buzzword.
    SDL 🍄 Simple DirectMedia Layer. A cross-platform multimedia library. Popular for Linux-compatible video games.
  • Seccomp 🪲 Secure Computing, portmanteau. A Linux kernel feature that restricts the system calls a process can make.
  • SegFault 🪲 Segmentation fault. Illegal access to a memory region (or an unmapped one). The operating system usually terminates the process. Frequent bug because pointers and initializations are hard. Some might be exploitable. See AAAAAAAAA.
  • SELinux 🕶️ Security-Enhanced Linux. A complex LSM that implements MAC with security contexts.
  • SGID 🕶️ Set Group Identity, or setgid. Like SUID but with groups.
  • SHA-1 🔑 Secure Hash Algorithm, the first. A popular hash function, now considered insecure. Prefer SHA-2 or SHA-3.
  • SID 🕶️ Security Identifier. User identifier for Windows.
    Sid 🍄 Not an acronym, but Still In Development is cute. The name of the development branch of Debian. Named after the Toy Story character that breaks toys. Also called unstable. Beware that the Debian Security Team only maintains security updates for the current stable release.
  • SIEM 👔 Security Information and Event Management. Software (and hardware) that tries to monitor, analyze, and report security events. Caveat emptor.
  • SIGINT 👔 Signals Intelligence. The intelligence-gathering by interception of radio and electronic signals (with a lot of cryptanalysis).
    SIGINT 🍄 Signal Interrupt. The Unix signal sent when a process is interrupted through its controlling terminal (Ctrl-C).
  • Skid 🍄 Script kiddie. A wannabe hacker who uses cracking tools without real knowledge. Still dangerous.
  • S/MIME 🔑 Secure Multipurpose Internet Mail Extensions, the slash is meaningless. An email standard for encryption and signing. Not that popular because, unlike HTTPS, it’s hard to find free S/MIME certificates. RFC 8551.
  • SMPC 🔑 Secure Multi-Party Computation. See MPC.
  • SMS 💬 Short Message Service. Text messaging for mobile phones. No S stands for Security here.
  • SOAR 👔 Security Orchestration, Automation, and Response. Software that tries to automate incident response. Caveat emptor.
  • SOC 👔 Security Operations Center. People (and software) who monitor and defend the IT system.
    SOC 🍄 System On a Chip. An integrated circuit with almost all the components of a computer.
  • SOC 2 👔 System and Organization Controls, the second. Criteria for managing customer data from the American Institute of Certified Public Accountants, so accountants.
    By extension, the type of report produced during a related audit.
    By extension, the related certification.
  • SOCENG 👔 Social Engineering. A fancy name for scamming. Deception of humans (wetware) in a cybersecurity context to obtain information, bypass security measures, or convince them to do (or not do) something.
  • SOP 💬 Same-Origin Policy. Rules of web browsers that limit data sharing between pages and content from different origins (hostname, port & protocol).
  • SPD 👔 Sensitive Personal Data. A kind of PII that requires more care when handling it. The details vary by jurisdiction.
  • SPF 💬 Sender Policy Framework. An email extension to validate the low-level sender server. The rest of the email can be crap, but the culprit or compromised server is then easier to blame. RFC 7208.
  • SQLI 🪲 Structured Query Language Injection. What happens when the developer concatenates user input in SQL queries. CWE-89.
  • SRE 🪲 Software Reverse Engineering. The analysis of software (usually in a binary form) with the hope of understanding some parts of its components and design.
  • SSDLC 👔 Secure Systems Development Life Cycle. DevSecOps without the Ops. Buzzword.
  • SSH 💬 Secure Shell. A protocol (and software) for secure remote login and command execution. RFC 4253 (and others). man ssh.
  • SSI 🕶️ Self-Sovereign Identity. A digital identity model where individuals control their personal information.
  • SSL 💬 Secure Sockets Layer. Predecessor to TLS. RFC 6101.
  • SSO 🕶️ Single Sign-On. A type of authentication method that allows users to log in once and access multiple independent systems.
  • SSRF 🪲 Server-Side Request Forgery. An attack where a server is abused to attack another (otherwise inaccessible) server. CWE-918.
  • SSSD 🕶️ System Security Services Daemon. An attempt to implement SSO for Linux. Usable with NSS.
  • SSTI 🪲 Server-Side Template Injection. What happens when the developer concatenates user input in templates. CWE-1336.
  • STO 👔 Security Through Obscurity. Misguided and dangerous security approach. CWE-656.
  • STRIDE 👔 Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. A popular TM framework.
  • sudo 🕶️ Substitute User, Do. A popular Unix command to run programs with higher privileges. Far more complex than needed.
  • SUID 🕶️ Set User Identity, or setuid. File permission to execute programs with higher privileges. Can be the reason for CWE-250 or, more generally, CWE-269.
  • TCB 👔 Trusted Computing Base. The subpart of an IT System that is critical for the security of the whole. The smaller, the better.
  • TCSEC 📜 Trusted Computer System Evaluation Criteria. A U.S.A. checklist of requirements for cybersecurity. Replaced by Common Criteria (CC).
  • TEE 🪲 Trusted Execution Environment. Secure part of a CPU that runs code and handles data in an isolated way.
  • TKIP 💬 Temporal Key Integrity Protocol. Deprecated protocol. Initial version of WPA (protocols evolve, marketing names remain).
  • TLS 💬 Transport Layer Security. Cryptographic protocol widely used on the Internet to secure TCP communications. RFC 8446.
  • TM 👔 Threat Model. Systematic analysis of potential threats. So, the precise questions and precise answers around “what could go wrong?”, “who hates me?”, and “what can I do about that?”.
  • TOCTOU 🪲 Time-of-check Time-of-use. A type of race condition where the state of things changes at the worst moment. CWE-367.
  • TOR 💬 The Onion Routing, never used in the long form. A network on top of the Internet that aims to protect against traffic surveillance. Like ogres, it has layers.
  • TOTP 🔑 Time-based One-Time Password. A password (a 6-digit PIN in fact) that changes every 30 seconds, but because it is time-synchronized, the user and the server always have the same. RFC 6238.
  • TPM 🪲 Trusted Platform Module. A co-processor that is used to ensure the software integrity of a computer (bootloader and operating system).
  • TRNG 🔑 True Random Number Generator. A device that uses the real world noise, entropy, chaos, and quantum shenanigans to generate a sequence of numbers that really looks random.
  • TTP 👔 Tactics, Techniques, and Procedures. The identification and categorization of cybercriminal (and cyberterrorist) activities.
    TTP 🔑 Trusted Third Party. Alice and Bob want to communicate securely, but they don’t know each other and are afraid of MITM attacks, so they ask Trent for help since they both know and trust him.
  • UAF 🪲 Use After Free. A bug where freed memory is still used, and the attack that abuses the developer’s bad memory management. CWE-416.
  • UEBA 👔 User and Entity Behavior Analytics. Software that tries to profile users and then tries to detect anomalies. Caveat emptor.
  • VDP 👔 Vulnerability Disclosure Program. Pro bono BBP.
  • VLAN 💬 Virtual Local Area Network. The logical isolation of parts of a local computer network (LAN) that is done at the link layer (layer 2). Used for security or quality of service.
  • VPN 💬 Virtual Private Network. A private network (i.e. not Internet) on top of a public one (i.e. Internet). A bunch of tunnels bundled together.
  • WAF 👔 Web Application Firewall. Software (or hardware) that tries to monitor and filter web traffic. Caveat emptor.
  • WEP 💬 Wired Equivalent Privacy. Obsolete and insecure security protocol for Wi-Fi. That was fun.
  • WG 💬 WireGuard. A popular and modern protocol for VPN tunnels. man wg
  • Wi-Fi 💬 Wireless Fidelity. No meaning, it just sounds cool. Brand name for IEEE 802.11.
  • WPA 💬 Wi-Fi Protected Access. Current and secure security protocol for Wi-Fi. See CCMP.
  • WSTG 📜 Web Security Testing Guide. A comprehensive guide for website and webapp testing. By OWASP.
  • X.509 🔑 X Series, the 509th, it’s more a serial number than an acronym. The standard format of public key certificates in a PKI. See RFC 2459 for instance, or the padlock icon of your navigation bar.
  • XDR 👔 Extended Detection and Response. Single monitoring solution (NDR, EDR, IDS, IPS, etc.). Buzzword.
  • XML 🍄 Extensible Markup Language. The JSON of the 2000s. Overengineered but still used.
  • XOR 🔑 Exclusive Or. The best logical operator and the addition operation of the smallest Galois field. It is used a lot in cryptography.
  • XSS 🪲 Cross-site scripting. What happens when the developer concatenates user input in HTML. CWE-80.
  • XXE 🪲 External XML Entities. What happens when the developer uses an XML parsing library, but does not read the doc. CWE-611.
  • YARA 🪲 Yet Another Recursive Acronym or Yet Another Ridiculous Acronym, never used in the long form. A pattern-matching tool that is mainly used to identify malware.
    By extension, the format of its identification rules.
  • ZKP 🔑 Zero-Knowledge Proof. A cryptography primitive where Alice convinces Bob that something is true without revealing anything specific about the thing, except that it’s true.
  • ZTA 👔 Zero Trust Architecture. An IT system design that assumes the organization’s users and devices should never be trusted by default, but must be continuously controlled.
  • ZTN 👔 Zero Trust Networking. See ZTA (just above).