/security-acronyms

Curated list of Cyber Security acronyms & abbreviations

Primary LanguageHTML

Cyber Security Acronyms and Terms

Curated list of acronyms and terms related to cyber security landscape including industry, open source and non-profit organizations (Basically any concept that has anything to do with security practices around the cloud, applications, assets, services, kubernetes and containers).

This glossary classifies and explains security terms to make them understandable beyond the 'buzzoword'.

Any contribution will be more than welcome.

Algorithms

Encryption algorithms and other protection methods

3DES - Triple Data Encryption Algorithm (Also TDEA or Triple DEA)
AES - Advanced Encryption Standard
DES - Data Encryption Standard
MD5 - Message-digest Algorithm
RSA - Rivest–Shamir–Adleman open cryptosystem
SHA - Secure Haching Algorithm

Attacks, Vulnerabilities, and Threats

Malicious strategies from hackers or red-teams

CSRF - Cross Site Request Forgery
DC - Differential cryptanalytics
LC - Linear cryptanalytics
DA - Davies Attack
DoS - Denial of Service
DDoS - Distributed Denial of Service
Malware - Malicious Software
MITM - Man in the middle (also Person in the middle)
RaaS - Ransomware as a Service
RAT - Remote Access Trojan
RCE - Remote Code Execution
SET - Social Engineering Toolkit
SQLi - SQL Injection
SSRF - Server Side Request Forgery
XFS - Cross Frame Scripting
XSS - Cross Site Scripting

Protection approaches

Security strategies, solutions, and patterns

AMSI - Anti-Malware Scan Interface
ASO - Autonomic Security Operations Doc
ASPM - Application Security Posture Management
AST - Application Security Testing Details
AV - Anti-Virus
CAASM - Cyber Asset Attack Surface Management (inventory management)
CASB - Cloud Access Security Broker
CDR - Cloud Detection and Response
CIEM - Cloud Infrastructure Entitlement Management
CIAM - Cloud Identity Access Management
CIRA - Cloud Investigation and Response Automation CNAPP - Cloud Native Application Protection Platform
C-SCRM - Cyber Supplly Chain Risk Management Link
CSPM - Cloud Security Posture Management
CWP - Cloud Workload Protection
CWPP - Cloud Workload Protection Platform
DAST - Dynamic Application Security Testing
DDR - Data Detection & Response
DLP - Data Loss Prevention
DSPM - Data Security Posture Management
EDR - Endpoint Detection and Response, sometimes known as Endpoint Threat Detection and Response (ETDR)
ETDR - See EDR
HIDS - Host based Intrusion Detection System (also NIDS for Network)
HIPS - Host Intrusion Prevention System
IAST - Interactive Application Security Testing
IDS - Intrusion Detection System
IDTR - Identity Detection & Response
IGA - Identity Governance and Administration
IPS - Intrusion Protection System
ISPM - Identity Security Posture Management
ITDR - Identity Threat Detection & Response
MDR - Managed Detection and Response
MDFT - Mobile Device Forensic Tool
MSSP - Managed Security Services Provider
NDR - Network Detection & Response
NGES - Next Generation Endpoint Security
NGSWG - Next Generation Secure Web Gateway
NIDS - Network Intrustion Detection System
NTA - Network Traffic Analysis
RASP - Runtime Application Self-Protection
SASE - Secure Access Service Edge
SAST - Static Application Security Testing
SCA - Software Composition Analysis
SCAP - Security Content Automation Protocols
SIEM - Security Incident & Event Management
SOAR - Security Orchestration & Response
SSE - Security Services Edge (A subset of SASE)
SSPM - SaaS Security Posture Management
SWG - Secure Web Gateway link
TIP - Threat Intelligence Platform
TPRM - Third Party Risk Management
UBA / UEBA - User and entity behavior analytics
VM - Vulnerability Management (also Virtual Machine outside of infosec)
WAF - Web Application Firewall
XDR - eXtended Detection and Response
ZTNA - Zero Trust Network Access

Security & Compliance frameworks & work groups

APRA - Australian Prudential Regulation Authority
ASLR - Address Space Layout Randomisation
ASVS - (OWASP) Application Security Verification Standard
ATT&CK - (MITRE) Adversarial Tactics, Techniques, and Common Knowledge
BGDPL - Brazilian General Data Protection Law (Brazil)
CAPEC - Common Attack Pattern Enumeration and Classification
CSAF - Common Security Advisory Framework (2.0)
CIS - Center for Internet Security Link
CVE - Common Vulnerabilities and Exposures
CVRF - Common Vulnerability Reporting Framework (now CSAF)
CVS - Common Vulnerability Score
CVSS - Common Vulnerability Scoring System
DSS - Data Security Standard (See PCI)
EPSS - Exploit Prediction Scoring System
GDPR - General Data Protection Regulation (Europe)
HIPAA - Health Insurance Portability and Accountability Act
ISO - International Organization for Standardization
MITRE - Not an acronym - “a name that was meaningless and without connotations, but with an attractive feel.”
NVD - National Vulnerability Database (USA)
NIST - National Institute of Standards and Technology (US)
OWASP - Open Web Application Security Project
PCI DSS - Payment Card Industry Data Security Standard
PCI SSC - Payment Card Industry Security Standards Council
PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
TARA - Threat Agent Risk Assessment (Methodology)
SAMM - Software Assurance Maturity Model (OWASP) Link
SLSA - Supply-chain Levels for Software Artifact - Link
SOC (1,2,3) - System and Organization Controls. See also the "Processes, Teams and roles" section.

Patterns, Protocols & Implementation Standards

2FA - Two Factor Authentication; see also MFA
ABAC - Attribute Based Access Control
ACL - Access Control List
CA - Certificate Authority
CORS - Cross Origin Resource Sharing
DoH - DNS over HTTPS
DOM - Document Object Model
FTPS - FTP-SSL or FTP Secure
IR - Incident Response
JIT - Just in Time (SAML)
JWT - JSON Web Token
MFA - Multi Factor Authentication
mTLS - Mutual Transport Layer Security
OASIS - Organisation for the Advancement of Structured Information Standards
OAuth - Open Authorization
OTP - One Time Password ( sometimes One Time Pad)
PaC - Policy as Code
SAML - Security Assertion Markup Language
SARIF - Static Analysis Results Interchange Format
SFTP - SSH File Transfer Protocol
SPDX - Software Package Data Exchange link
SSH - Secure Shell
SSL - Secure Sockets Layer
SSO - Single Sign-on
TLP - Traffic Light Protocol
TLS - Transport Layer Security
U2F - Universal Two Factor
WEP - Wired Equivalent Privacy (Protocol)
WPA - Wi-Fi Protected Access (Protocol)
WPS - Wi-Fi Protected Setup (Standard)

Processes, Teams and roles

A&A - Assessment and Authorization CCSP - Certified Cloud Security Professional (ISC2)
CDC - Cyber Defense Center
CERT - Computer Emergency Response Team
CISO - Chief Information Security Officer
CISSP - Certified Information Systems Security Professional
CPP - Certified Protection Professional
CSO - Chief Security Officer (role)
ECES - Certified Encryption Specialist
FIRST - Forum of Incident Response and Security Teams
NICCS - National Initiative for Cybersecurity Careers and Studies
NICE - NICCS Workforce Framework for Cybersecurity
OSCP - Offensive Security Certified Professional
SOC - Security Operations Center

Misc

APT - Advanced Persistent Threat
Authn - Authentication
Authz - Authorization
BAS - Breach & Attack Simulation
BCP - Business Continuity Plan
BEC - Business Email Compromise
BGH - Big Game Hunting
BIA - Business Impact Analysis
BSIMM - Building Security In Maturity Model
C2 - Command & Control
CAPTCHA - Completely Automated Public Turing Test to Tell Computers And Humans Apart
CIA - Confidentiality; Integrity; Availability
CISA - Cybersecurity and Infrastructure Security Agency | Certified Information Systems Auditor
CoA - Course of Action
CTA - Cyber Threat Intelligence IAM - Identity & Access Management
IOA - Indicators of Attack
IOC - Indicators of Compromise
MALOPS - Malicious Operations
MTTR - Mean Time to Resolve
PAM - Privileged Access Management
RBAC - Role Based Access Control
SDLC - Software Development Lifecycle (Also sometimes System Development Lifecycle)
SD-WAN - Software Defined Wide Area Network
SKU - Stock Keeping Unit (Unique identificaiton that definees an element)
SRA - Security Response Automation
SSS - Stack Smashing Protector (compilers) SWOT - Strengths, Weaknesses, Opportunities, and Threats (SWOT Analysis)
TI - Threat Intelligence
TTP - Tactics, Techniques, and Procedures
UAC - User Access Control
VAP - Very Attacked Person
VPN - Virtual Private Network
YARA - Yet Another Ridiculous Acronym - Rule-based tool for malware analysis Link
YARA-L - YARA for logs (Chronicle)

Useful terms that are not specific to security

CCM - Cloud Controls Matrix
NHI - Non Human Identity
NMS - Network Management System
NRT - Near Real Time
TPP - Third Party Payment provider

Pending to be classified (Help welcome)

Community help will be welcome

CAPP - Controlled Access Protection Profile
CISSP - Certified Information Systems Security Professional (ISC2)
CMF - Collection Management Framework
CSA - (1) Cloud Security Alliance (2) Continuous Security Assessment
CSP - Content Security Policy
CTF - Capture the Flag
CTI - Cyber Threat Intelligence
CWE - Common Weakness Enumeration
DEP - Data Execution Prevention
DFIR - Digital Forensics and Incident Response
DKIM - DomainKeys Identified Mail
DLS - Dedicated Leak Site
DMARC - Domain-based Message Authentication, Reporting & Conformance
DNSSEC - Domain Name System Security Extensions
DREAD - Damage; Reproducability; Exploitability; Affected Users; Discoverability
EASM - Externam Attack Surface Management
EICAR - European Institute for Computer Antivirus Research
EPP - Endpoint Protection Platform
FAIR - Factor Analysis of Information Risk
FiDO - Fast IDentity Online
FIM - File Integrity Monitoring
FPC - Full Packet Capture
GCM - Galois/Counter Mode
GPG - GnuPG
GRC - Governance, Risk & Compliance
HSM - Hardware Security Module
HSTS - HTTP Strict Transfer Protocol
IDAM - Identity & Access Management
IDOR - Insecure Direct Object Reference
IdP - Identity Provider
IETF - Internet Engineering Task Force
IPE - Intelligence Preperation of the Environment
IPSec - Internet Protocol Security
IRM - Integrated Risk Management
IRP - Incident Response Playbook
ISC2 - International Information System Security Certification Consortium
ISMS - Information Security Management System
ISS - Information System Security
KCM - Kill Chain Model
LANGSEC - Language Security
LFI - Local File Inclusion
LOLBin - Living off the Land Binary (also LOLScripts, LOLBAS)
NAC - Network Access Control / also NACL (Network Access Control List)
NDB - Notifiable Data Breache(s)
NGCI - Next Generation Cyber Infrastructure
NGFW - Next Generation Firewall
ODoH - Oblivious DNS over HTTPS
OIDC - OpenID Connect
OPSec - Operational Security
OSCAL - Open Security Controls Assessment Language
OSINT - Open Source Intelligence
PASTA - Process for Attack Simulation & Threat Analysis
PCD - Payment Card Data
PGP - Pretty Good Privacy. See also GPG
PFS - Perfect Forward Secrecy
PTES - Penetration Testing Execution Standard
PUP - Potentially Unwanted Program
RFC - Request For Comments
ROP - Return-oriented programming
RP - Return Pointer
RTR - Rapid Threat Response
SABSA - Sherwood Applied Business Security Architecture
SANS - SysAdmin, Audit, Network, and Security
SAQ - Self-Assessment Questionnaire
SCIM - System for Cross-domain Identity Management
SSDLC - Secure Software Development Lifecycle
SECCOMP - Secure Computing
SFP - Saved Frame Pointer
SOA - Statemenet of Applicability
SOX - Sarbanes-Oxley Act
SPF - Sender Policy Framework
SRI - Sub-resource Integrity
SSVC - Stakeholder-Specific Vulnerability Categorization
STIG - Security Technical Implementation Guide
STIX - Structured Threat Information Expression
STRIDE - Spoofing; Tampering; Repudiation; Information disclosure; Denial of service; Elevation of Privilege
TAXII - Trusted Automated Exchange of Intelligence Information
TOGAF - The Open Group Architecture Framework
XACML - eXtensible Access Control Markup Language
XXE - XML External Entity

Resources

Original list extracted from Ghostinashell Blog
Enriched with terms learned from Sysdig
Added some terms from SecureWorldExpo
Curated list of security resources Awesome-sceurity
List of products and vendors classified by security approach. The Cloud Security List
OWASP Open Web Application Security (nonprofit foundation). OWASP website

Public front page Cloud Security Acronyms
Contribute with Cyber-Security List on Github