# WIA-SEC-018: Vulnerability Assessment
## Glossary

**Standard ID:** WIA-SEC-018
**Category:** Security (SEC)
**Version:** 1.0.0
**Last Updated:** 2025-12-25

---

## A

**ASLR (Address Space Layout Randomization)**
: Security technique that randomizes the memory addresses a process uses so that memory corruption exploits cannot rely on predictable addresses.

**Asset**
: Any system, application, data, or infrastructure component that has value to an organization and requires protection.

**Attack Surface**
: The sum of all possible points where an unauthorized user can try to enter or extract data from an environment.

**Attack Vector**
: The path or means by which an attacker can gain access to a system to deliver an exploit or malicious outcome.

---

## B

**Baseline Scan**
: Initial comprehensive vulnerability scan used to establish a security baseline for comparison in future assessments.

**Blue Team**
: Security professionals responsible for defending an organization's systems against attacks and vulnerabilities.

**Bug Bounty**
: Program that rewards security researchers for discovering and reporting vulnerabilities in software or systems.

---

## C

**CIA Triad**
: Core principles of information security: Confidentiality, Integrity, and Availability.

**CSPM (Cloud Security Posture Management)**
: Continuous monitoring and remediation of security risks across cloud infrastructure.

**CVE (Common Vulnerabilities and Exposures)**
: Dictionary of publicly known information security vulnerabilities and exposures. Each entry has a unique CVE ID.

**CVSS (Common Vulnerability Scoring System)**
: Industry standard for assessing the severity of computer system security vulnerabilities. Version 3.1 is the current standard.

**CWE (Common Weakness Enumeration)**
: Community-developed list of software and hardware weakness types that can lead to vulnerabilities.

---

## D

**DAST (Dynamic Application Security Testing)**
: Black-box testing method that examines an application while it's running to find security vulnerabilities.

**Defense in Depth**
: Security strategy employing multiple layers of security controls throughout an IT system.

**DEP (Data Execution Prevention)**
: Security feature that prevents code execution from data pages to mitigate buffer overflow attacks.

**Dependency**
: External library, framework, or component that an application relies on to function.

**DevSecOps**
: Integration of security practices within the DevOps process, making security a shared responsibility.

---

## E

**Exploit**
: Code or technique that takes advantage of a vulnerability to cause unintended behavior or gain unauthorized access.

**Exploit Kit**
: Software kit designed to run on web servers to identify vulnerabilities in client software and exploit them.

**Exploitability**
: Measure of how easy it is to exploit a vulnerability, considering factors like complexity and required access.

**Exposure**
: Condition where sensitive data or functionality is accessible to unauthorized parties.

---

## F

**False Negative**
: Security vulnerability that exists but is not detected by a scanning tool.

**False Positive**
: Alert or finding that incorrectly identifies normal behavior or non-vulnerable code as a security issue.

**Fuzzing**
: Automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a program.

---

## G

**Gray Box Testing**
: Security testing approach where the tester has partial knowledge of the internal workings of the system.

**GHSA (GitHub Security Advisory)**
: Database of security vulnerabilities affecting software hosted on GitHub.

---

## H

**Hardening**
: Process of securing a system by reducing its attack surface and eliminating unnecessary functionality.

**Hash**
: Fixed-size value derived from input data by a hash algorithm; cryptographic hashes are used to verify integrity and identify files or samples.

**Honeypot**
: Decoy system designed to attract and detect attackers, providing early warning of security threats.

---

## I

**IAST (Interactive Application Security Testing)**
: Hybrid testing approach that combines SAST and DAST by analyzing applications during runtime with access to source code.

**Impact**
: Potential damage or consequences that could result from successful exploitation of a vulnerability.

**Indicator of Compromise (IoC)**
: Forensic data that suggests a system has been breached or compromised.

**Intrusion Detection System (IDS)**
: System that monitors network or system activities for malicious activities or policy violations.

---

## J

**JIT (Just-In-Time) Access**
: Security practice of providing privileged access only when needed and for a limited time period.

---

## K

**Kerberos**
: Network authentication protocol designed to provide strong authentication for client/server applications.

**Known Vulnerability**
: Security weakness that has been publicly documented and assigned a CVE identifier.

---

## L

**Lateral Movement**
: Techniques attackers use to progressively move through a network searching for key assets and data.

**Least Privilege**
: Security principle of providing users and processes only the minimum levels of access required to perform their functions.

**Log4Shell**
: Critical remote code execution vulnerability (CVE-2021-44228) in Apache Log4j logging library.

---

## M

**Malware**
: Malicious software designed to infiltrate, damage, or gain unauthorized access to computer systems.

**MITRE ATT&CK**
: Knowledge base of adversary tactics and techniques based on real-world observations.

**MTTR (Mean Time To Remediate)**
: Average time required to fix a vulnerability from discovery to verified resolution.

---

## N

**NVD (National Vulnerability Database)**
: U.S. government repository of standards-based vulnerability management data.

**NIST (National Institute of Standards and Technology)**
: U.S. agency that develops cybersecurity standards and guidelines.

---

## O

**OSS (Open Source Software)**
: Software with source code that anyone can inspect, modify, and enhance.

**OSV (Open Source Vulnerabilities)**
: Database providing vulnerability information for open source projects.

**OWASP (Open Web Application Security Project)**
: Nonprofit foundation working to improve software security through community-led projects.

**OWASP Top 10**
: List of the 10 most critical web application security risks updated periodically by OWASP.

---

## P

**Patch**
: Software update designed to fix security vulnerabilities or bugs.

**Patch Management**
: Process of managing patches across IT infrastructure to ensure systems are up to date and secure.

**Payload**
: Component of an exploit that performs the malicious action.

**Penetration Testing**
: Authorized simulated attack on a system to evaluate its security posture.

**PoC (Proof of Concept)**
: Demonstration that a vulnerability can be exploited, usually in a controlled environment.

**Post-Quantum Cryptography**
: Cryptographic algorithms designed to be secure against attacks by quantum computers.

**Privilege Escalation**
: Act of exploiting a vulnerability to gain elevated access to resources normally protected from users.

---

## Q

**QRadar**
: Security Information and Event Management (SIEM) platform by IBM.

**Qualys**
: Cloud-based security and compliance solutions provider.

---

## R

**RASP (Runtime Application Self-Protection)**
: Security technology built into applications to detect and prevent attacks in real-time.

**RCE (Remote Code Execution)**
: Vulnerability that allows an attacker to execute arbitrary code on a remote system.

**Red Team**
: Group of security professionals who act as adversaries to test an organization's security defenses.

**Remediation**
: Process of fixing or mitigating a security vulnerability.

**Risk**
: Likelihood and potential impact of a threat exploiting a vulnerability.

**Risk Acceptance**
: Conscious decision to accept the risk of a vulnerability without remediation, typically for low-severity issues.

**Risk Score**
: Numerical value representing the overall risk level of a vulnerability, considering CVSS, exploitability, and business impact.

---

## S

**SANS**
: Organization providing cybersecurity training, certification, and research.

**SARIF (Static Analysis Results Interchange Format)**
: Standard format for static analysis tool output.

**SAST (Static Application Security Testing)**
: White-box testing method that analyzes source code or binaries for security vulnerabilities without executing the program.

**SBOM (Software Bill of Materials)**
: Comprehensive inventory of all components used in a piece of software.

**SCA (Software Composition Analysis)**
: Process of identifying open source and third-party components in applications and assessing their security.

**Scope**
: In CVSS, whether exploiting a vulnerability in one component can affect resources controlled by a different security authority than the vulnerable component.

**Security Misconfiguration**
: Security vulnerability caused by incorrect or insecure configuration of systems or applications.

**Security Posture**
: Overall security status of an organization's IT infrastructure, including vulnerabilities, controls, and risk level.

**Severity**
: Classification of how serious a vulnerability is, typically rated as Critical, High, Medium, or Low.

**SIEM (Security Information and Event Management)**
: Technology that provides real-time analysis of security alerts generated by applications and network hardware.

**SLA (Service Level Agreement)**
: Commitment between service provider and client defining expected service levels, including remediation timeframes.

**Snyk**
: Developer security platform for finding and fixing vulnerabilities in dependencies and containers.

**SOC (Security Operations Center)**
: Centralized unit that monitors, detects, investigates, and responds to cybersecurity incidents.

**Splunk**
: Platform for searching, monitoring, and analyzing machine-generated data.

**SQL Injection**
: Code injection technique in which untrusted input is incorporated into a database query and alters the query's logic.

**SSL/TLS**
: Cryptographic protocols providing secure communication over computer networks.

**SSRF (Server-Side Request Forgery)**
: Vulnerability allowing attackers to make requests from a vulnerable server to internal or external resources.

---

## T

**Temporal Score**
: CVSS metric that reflects characteristics of a vulnerability that may change over time, such as exploit availability.

**Threat**
: Potential cause of an unwanted incident that may harm a system or organization.

**Threat Actor**
: Individual or group that carries out cyber attacks.

**Threat Intelligence**
: Evidence-based knowledge about existing or emerging threats to assets.

**Threat Model**
: Structured representation of potential threats to a system and methods to mitigate them.

**Trivy**
: Comprehensive open source security scanner for containers and other artifacts.

**True Positive**
: Finding from a scanning tool that correctly identifies a real security vulnerability.

---

## U

**UAT (User Acceptance Testing)**
: Final phase of testing before software release, including security validation.

**Use-After-Free**
: Memory corruption vulnerability that occurs when a program continues to use a pointer to memory after that memory has been freed.

---

## V

**Validation**
: Process of confirming that a reported vulnerability actually exists and is exploitable.

**Vector String**
: CVSS notation representing the metric values used to calculate a vulnerability's score.

**Verification**
: Process of confirming that a vulnerability has been successfully remediated.

**Virtual Patching**
: Security policy enforcement layer that prevents exploitation of a vulnerability without modifying the vulnerable code.

**Vulnerability**
: Weakness in a system that can be exploited by a threat to gain unauthorized access or cause harm.

**Vulnerability Assessment**
: Systematic process of identifying, quantifying, and prioritizing vulnerabilities in a system.

**Vulnerability Database**
: Repository of known vulnerabilities, such as NVD, CVE, or vendor-specific databases.

**Vulnerability Disclosure**
: Process of making information about a security vulnerability public.

**Vulnerability Management**
: Ongoing process of identifying, classifying, remediating, and mitigating vulnerabilities.

**Vulnerability Scanner**
: Automated tool that probes systems for known vulnerabilities.

---

## W

**WAF (Web Application Firewall)**
: Security solution that filters and monitors HTTP traffic between web applications and the Internet.

**Weaponized Exploit**
: Exploit code that has been packaged for easy deployment and use in attacks.

**White Box Testing**
: Security testing approach where the tester has full knowledge of the system's internal structure.

**Workaround**
: Temporary measure to mitigate a vulnerability while a permanent fix is being developed.

---

## X

**XDR (Extended Detection and Response)**
: Security solution that provides detection and response capabilities across multiple security layers.

**XML External Entity (XXE)**
: Vulnerability in which an XML parser processes attacker-supplied external entity declarations, allowing attackers to interfere with the application's XML processing.

**XSS (Cross-Site Scripting)**
: Injection vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

---

## Y

**YARA**
: Tool for identifying and classifying malware samples based on textual or binary patterns.

---

## Z

**Zero-Day**
: Vulnerability that is unknown to software vendors and for which no patch exists.

**Zero-Day Exploit**
: Exploit targeting a zero-day vulnerability before a fix is available.

**Zero Trust**
: Security model that assumes no implicit trust and requires verification for every access request.

---

## Acronyms Quick Reference

| Acronym | Full Form |
|---------|-----------|
| API | Application Programming Interface |
| APT | Advanced Persistent Threat |
| ASLR | Address Space Layout Randomization |
| AV | Antivirus / Attack Vector |
| BCP | Business Continuity Planning |
| C&C | Command and Control |
| CAPEC | Common Attack Pattern Enumeration and Classification |
| CEH | Certified Ethical Hacker |
| CERT | Computer Emergency Response Team |
| CIA | Confidentiality, Integrity, Availability |
| CISA | Cybersecurity and Infrastructure Security Agency |
| CISSP | Certified Information Systems Security Professional |
| CNA | CVE Numbering Authority |
| CORS | Cross-Origin Resource Sharing |
| COTS | Commercial Off-The-Shelf |
| CPA | Certified Penetration Analyst |
| CREST | Council of Registered Ethical Security Testers |
| CSRF | Cross-Site Request Forgery |
| CSPM | Cloud Security Posture Management |
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| DDoS | Distributed Denial of Service |
| DLP | Data Loss Prevention |
| DMZ | Demilitarized Zone |
| DoS | Denial of Service |
| DREAD | Damage, Reproducibility, Exploitability, Affected users, Discoverability |
| EDR | Endpoint Detection and Response |
| GDPR | General Data Protection Regulation |
| HIPAA | Health Insurance Portability and Accountability Act |
| HSM | Hardware Security Module |
| HTTPS | Hypertext Transfer Protocol Secure |
| IAST | Interactive Application Security Testing |
| IDS | Intrusion Detection System |
| IoC | Indicator of Compromise |
| IoT | Internet of Things |
| IPS | Intrusion Prevention System |
| IR | Incident Response |
| ISO | International Organization for Standardization |
| KPI | Key Performance Indicator |
| LDAP | Lightweight Directory Access Protocol |
| MFA | Multi-Factor Authentication |
| MITRE | Massachusetts Institute of Technology Research and Engineering |
| MTTR | Mean Time To Remediate |
| NIST | National Institute of Standards and Technology |
| NVD | National Vulnerability Database |
| OAST | Out-of-Band Application Security Testing |
| OSI | Open Systems Interconnection |
| OSS | Open Source Software |
| OSINT | Open Source Intelligence |
| OSV | Open Source Vulnerabilities |
| OWASP | Open Web Application Security Project |
| PAM | Privileged Access Management |
| PCI DSS | Payment Card Industry Data Security Standard |
| PII | Personally Identifiable Information |
| PKI | Public Key Infrastructure |
| PoC | Proof of Concept |
| RASP | Runtime Application Self-Protection |
| RBAC | Role-Based Access Control |
| RCE | Remote Code Execution |
| REST | Representational State Transfer |
| RFI | Remote File Inclusion |
| ROP | Return-Oriented Programming |
| SAML | Security Assertion Markup Language |
| SANS | SysAdmin, Audit, Network, and Security |
| SARIF | Static Analysis Results Interchange Format |
| SAST | Static Application Security Testing |
| SBOM | Software Bill of Materials |
| SCA | Software Composition Analysis |
| SDL | Security Development Lifecycle |
| SDLC | Software Development Life Cycle |
| SIEM | Security Information and Event Management |
| SLA | Service Level Agreement |
| SOAR | Security Orchestration, Automation and Response |
| SOC | Security Operations Center |
| SPDX | Software Package Data Exchange |
| SQL | Structured Query Language |
| SSRF | Server-Side Request Forgery |
| SSO | Single Sign-On |
| STRIDE | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege |
| TLS | Transport Layer Security |
| TTP | Tactics, Techniques, and Procedures |
| UAT | User Acceptance Testing |
| UI | User Interface |
| URL | Uniform Resource Locator |
| VAPT | Vulnerability Assessment and Penetration Testing |
| VM | Virtual Machine / Vulnerability Management |
| VPN | Virtual Private Network |
| WAF | Web Application Firewall |
| WIA | World Certification Industry Association |
| XDR | Extended Detection and Response |
| XML | Extensible Markup Language |
| XSS | Cross-Site Scripting |
| XXE | XML External Entity |
| ZAP | Zed Attack Proxy |

---

## Related Standards and Frameworks

**CIS Controls**
: Center for Internet Security's critical security controls for effective cyber defense.

**FAIR (Factor Analysis of Information Risk)**
: Framework for understanding, analyzing, and quantifying information risk.

**ISO/IEC 27001**
: International standard for information security management systems.

**NIST Cybersecurity Framework**
: Framework consisting of standards, guidelines, and best practices to manage cybersecurity risk.

**NIST SP 800-53**
: Security and privacy controls for information systems and organizations.

**PCI DSS**
: Payment Card Industry Data Security Standard for organizations handling credit card information.

**SOC 2**
: Service Organization Control 2 reporting framework for service providers.

---

## Version History

| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-12-25 | Initial glossary release |

---

**Document Version:** 1.0.0
**Last Updated:** 2025-12-25
**Next Review:** 2026-06-25

---

弘益人間 (홍익인간) - Benefit All Humanity
© 2025 SmileStory Inc. / WIA
