36 Need to Know Application Security Terms for Tech Marketers

Improve your application security terminology with this glossary of the most common security terms developers use.

As a non-technical marketer, learning about application security practices, understanding the many different acronyms, and figuring out basic developer jargon is challenging. I often find myself looking up word after word just to comprehend something that seems extremely simple to the technical world.

To make things easier for myself (and hopefully for others), I put together a list of some of the most common security terms developers use.

Security Terms to Know


Application security (AppSec)

An IT field where specialists focus on secure application design and are familiar with programming.

Authentication

A mechanism that confirms a user’s identity when they request access to a resource in a system. This is generally handled by granting the user an access token once they confirm their identity through a mechanism such as a password.

Automated remediation

Automatic action taken as a result of insights into how an application is operating.


Bitcoin

A digital currency (cryptocurrency) that is not ruled by any governing body.

Blockchain

Essentially, a very large database of transactions, also known as a transaction ledger.


Cloud access security brokers (CASB)

A type of software that provides security policy enforcement between cloud service consumers and providers, consolidating features such as encryption, auditing, DLP, access control, and anomaly detection.

Content delivery network (CDN)

A hosted, geographically-distributed server network that improves website file delivery and performance. It can also include security features such as DDoS protection.

Cross-site request forgery (CSRF)

A malicious web exploit in which an attacking program forces a user’s browser to perform an unwanted action on a site where the user is currently authenticated.

Cross-site scripting (XSS)

A type of injection attack that targets an application’s users through malicious client-side scripts, which will usually be JavaScript.

Cryptocurrency

A digital medium of exchange that relies on encryption techniques to ensure that transactions are both regulated and verified.


Data exfiltration

An unauthorized transfer of data. It can be carried out manually or through a malicious automated program.

Decentralized autonomous organization (DAO)

An organization that serves as a form of a venture capital fund. It runs through smart contracts and its transaction records are maintained in a blockchain.

Distributed denial of service attack (DDoS)

A type of attack that shuts down a service, usually by flooding it from many sources with more requests than it can handle, so that legitimate requests to the service are interrupted.

Dynamic application security testing (DAST)

An analysis of an application’s security that only monitors the runtime environment and the code that is executed in it. It simulates potential attacks and analyzes the results.


Encryption

A method for encoding data so that it is unreadable to parties who lack the means to decrypt it.

Exploit

A piece of code that takes advantage of a vulnerability in computer software or hardware in order to produce undesirable behavior.


Fuzz testing (Fuzzing)

An automated method for injecting malformed data in order to find vulnerabilities in an application.


Identity management

A method for defining the abilities and resource accessibility that users have when they are authenticated in a system.

Information security (InfoSec)

An IT field where specialists are skilled security generalists; in larger companies they are CISOs and managers.

Injection attack

A scenario where attackers relay malicious code through an application to another system in order to manipulate the application. These attacks can target an operating system via system calls, external programs via shell commands, or databases via SQL injection.

Interactive application security testing (IAST)

A combination of SAST and DAST that is usually implemented in the form of an agent that monitors attacks and identifies vulnerabilities within the test runtime environment.

IT security (ITSec)

An IT field where specialists focus on system administration security (e.g. hosts, authentication servers, mandatory access control systems, etc.).


Network security (NetSec)

An IT field where specialists focus on the security of data as it flows through the network (e.g. firewalls, IDS, VPNs, application-specific protocols, etc.).


Open web application security project (OWASP)

An online community of corporations, educational organizations, and individuals focused on providing web security tools, resources, events, and more for the wider development community.


Penetration testing (Pen testing)

A technique to find vulnerabilities in a computer system by attacking that system through various methods that a real attacker would use.



Calculating the proof-of-work hash over all transactions in a blockchain block, in essence sealing the new block, and then transmitting it to the network so that all nodes know a new block has been produced.



Protocol exploitation

A security vulnerability that disrupts the interactions between multiple communication protocols.


Runtime application self-protection (RASP)

A feature that is built into an application in order to detect and halt attacks in real-time, automatically.

Reentrancy attacks

An attack where untrusted code called by a smart contract calls back into that contract before the first call has finished, manipulating its state.


Single sign-on

A user or session authentication process that allows a user to enter one set of credentials in order to access multiple applications that are connected by the SSO software.

Smart contracts

A computerized transaction protocol that executes the terms of a contract.

Static application security testing (SAST)

An analysis of an application’s security that looks at an application’s source code, bytecode, or binary code to determine if there are parts that could allow security exploits by attackers.


Turing complete

A system theoretically capable of solving any computational problem if memory or runtime limitations are not taken into consideration.


Web application firewall (WAF)

An HTTP/S firewall for web applications; legacy WAFs can create network architecture complexity and aren’t very accurate.


Zero day

A vulnerability that is currently unknown to the software maker or to antivirus vendors. The term also refers to a piece of code that allows attackers to exploit a zero day vulnerability.