Programming Glossary
Accessibility
Accessibility, from a web perspective, is the practice of ensuring that websites are accessible to all, regardless of ability or disability. Disabilities to consider include physical disabilities, situational disabilities and socio-economic restrictions.
Accessible Rich Internet Applications (ARIA)
A specification by the World Wide Web Consortium (W3C) for adding semantics and other metadata to HTML to aid those who use assistive technology.
Active Directory (AD)
The directory service portion of the Windows operating system that stores information about network-based entities, such as applications, files, printers, and people, and provides a structured, consistent way to name, describe, locate, access, and manage these resources.
Active Server Pages (ASP)
An older server-side scripting framework for web servers introduced by Microsoft, which has since been replaced by ASP.NET in 2002.
Application Programming Interface (API)
A defined set of rules and interfaces describing how to interact with a computer program, so that developers can use the functionality that program exposes.
Bourne Again Shell (BASH)
A command language for Linux systems.
C#
C# is an Object-Oriented Programming (OOP) language from Microsoft, which was first released back in 2002, along with the .NET Framework. C#, along with the .NET software development framework, can be used to create both Microsoft Windows and web-based applications, as well as XML web services and much more. It shares much of its syntax with the C and C++ programming languages.
With the introduction of the .NET Core software development framework in 2016, it is now possible to produce cross-platform applications for the Microsoft Windows, Linux and macOS operating systems.
Cascading Style Sheet (CSS)
A language that is used to provide the look and feel to the structure of a web page, for example, the colour and font used for paragraph text.
Ciphertext
Ciphertext is the result of plaintext being encrypted using an algorithm, known as a cipher.
Command-Line Interface (CLI [1])
Allows a user to issue commands in the form of lines of text.
Common Vulnerabilities and Exposures (CVE [1])
A database hosted by the MITRE corporation, which incorporates a list of known vulnerabilities in publicly released software.
Common Vulnerability Enumeration (CVE [2])
A specification that provides a common language of discourse for discussing, finding, and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture.
Common Vulnerability Scoring System (CVSS)
A framework for scoring the severity of a vulnerability.
Common Weakness Enumeration (CWE)
A specification developed and maintained by MITRE to identify the root cause, or weaknesses, of security vulnerabilities.
Common Weakness Scoring System (CWSS)
A specification developed and maintained by MITRE to provide a way to prioritise software weaknesses that can introduce security vulnerabilities.
Confidentiality, Integrity, and Availability (CIA)
The CIA triad is widely considered to be the foundation of IT security. It is put into practice through various security methods and controls. Every security technique, practice, and mechanism put into place to protect systems and data relates in some fashion to ensuring confidentiality, integrity, and availability.
Configuration as Code (CaC)
The practice of managing system configurations through code, which are maintained in repositories such as Git. This facilitates the use of version control, peer review, and automated testing for the system configurations in question.
Containers as a Service (CaaS)
A cloud computing model that provides a managed and automated platform for container orchestration, which automatically provisions, deploys, scales, and manages containerised applications, without having to worry about the underlying infrastructure.
Content Management System (CMS)
A web-based application that allows non-technical users to manage the content of a website. These applications are built using web technologies such as PHP or the .NET Framework and utilise a database, for example, MySQL, PostgreSQL, Oracle or SQL Server, to store the website information.
Continuous Integration and Continuous Delivery (CI/CD)
The combined practices of continuous integration and continuous delivery to allow software development teams to deliver code changes more frequently and reliably. Continuous integration is the practice of regularly committing code changes to a version control system that can test and deploy code automatically. Continuous delivery is a practice where code changes are automatically prepared for a release to production.
Create, Read, Update and Delete (CRUD)
Refers to the possible ways to operate on stored data, such as in a database.
Cron
A tool used by a number of Linux distributions for automatically running tasks at a scheduled time.
Cross-Site Request Forgery (CSRF or XSRF)
A method of attacking a system by sending malicious input to the system and relying on the parsers and execution elements to perform the requested actions, thus instantiating the attack. CSRF exploits the trust a site has in the user’s browser.
Cross-site Scripting (XSS)
A method of attacking a system by sending script commands to the system input and relying on the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.
Data Encryption Standard (DES)
A private key encryption algorithm adopted by the U.S. government as a standard for the protection of sensitive but unclassified information. Commonly used in 3DES, where three rounds are applied to provide greater security.
Database as a Service (DBaaS)
A cloud computing managed service offering that provides access to a database without requiring the setup of physical hardware, the installation of software or the need to configure the database.
Database Management System (DBMS)
Software designed to define, manipulate, retrieve and manage data in a database.
Diffie-Hellman Ephemeral (DHE)
A cryptographic method of establishing a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy.
Digital Signature Algorithm (DSA)
A U.S. government standard for implementing digital signatures.
Discretionary Access Control (DAC)
An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object as well as what access (read, write, execute) these subjects can have.
Distributed Denial of Service (DDoS)
A multicomputer assault on a network resource that attempts, with sheer overwhelming quantity of requests, to prevent regular users from receiving services from the resource. Can also be used to crash systems. DDoS attacks are usually executed using botnets consisting of compromised systems referred to as zombies.
Document Object Model (DOM)
The DOM is an API, or interface, which is loaded in a web browser, that allows for interaction with HTML and XML documents. It represents these documents in a tree structure, where each node is an object representing a part of the document.
Drive-by Download
A drive-by download is where something is downloaded from the internet to a computer without the prior knowledge of the user, or where a download is authorised by the user but the full consequences of the download are not understood.
Elliptic Curve Cryptography (ECC)
A method of public key cryptography based on the algebraic structure of elliptic curves over finite fields.
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
A cryptographic method using ECC to establish a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy.
Elliptic Curve Digital Signature Algorithm (ECDSA)
A cryptographic method using ECC to create a digital signature.
Encryption
The process of converting plain text into ciphertext to prevent unauthorised access.
End of Life (EOL)
A term used to denote that something has reached the end of its useful life.
End of Service (EOS [1])
A term used to denote when the manufacturer stops selling an item. In most cases, the manufacturer no longer provides maintenance services or updates.
End of Support (EOS [2])
A point in time where a manufacturer stops providing technical support and updates for a product. The product may still function after this time.
Exclusive OR (XOR)
An operation commonly used in cryptography.
Extended Instruction Pointer (EIP)
Used to track the address of the current instruction running inside an application.
Extensible Application Markup Language (XAML)
A markup language developed by Microsoft, that is used for creating application interfaces.
Extensible Markup Language (XML)
A text-based, human-readable data markup language.
File Transfer Protocol (FTP)
A protocol that works at the application layer, which is used to transfer files over a network connection. FTP utilises TCP ports 20 and 21.
File Transfer Protocol Secure (FTPS)
A protocol that works at the application layer, which is used to transfer files over a network connection, using FTP over an SSL or TLS connection.
First In, First Out (FIFO)
A method of processing and retrieving data. In a FIFO system, the first items entered are the first ones to be removed.
Function as a Service (FaaS)
A cloud service model that sits between Platform as a Service (PaaS) and Software as a Service (SaaS). A function in this context, also called a serverless function, is a fully operational programme that runs only when it is triggered by a specific event. Cost is only incurred when the function is running.
General Data Protection Regulations (GDPR)
European Union law that specifies a broad set of rights and protections for personal information of EU citizens.
Globally Unique Identifier (GUID)
A 128-bit number used to uniquely identify information in computer systems.
GNU Debugger (GDB)
A powerful source-level debugging package that lets you see what is going on inside your program. It runs on many Unix-like systems and works with programming languages including Ada, Assembly, C, C++, D, Fortran, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust.
GNU Privacy Guard (GPG)
An application program that follows the OpenPGP standard for encryption.
HMAC-based One-time Password (HOTP)
A method of producing one-time passwords using HMAC functions.
Hypertext Markup Language (HTML)
A language that is used to provide the structure of web pages, using tags to define different parts of the page structure, for example, <h1> tags to denote the largest headings, or <p> tags for paragraphs of text.
Hypertext Preprocessor (PHP)
PHP is a scripting language, a bit like JavaScript; however, instead of being executed by the user's browser, it is interpreted by the web server where the website resides, which produces the HTML that the end user sees. It is known as a server-side scripting language. Again, as with JavaScript, it can be embedded into HTML and used to make a web page more dynamic. It can also be used to interact with a database, such as MySQL, PostgreSQL or Oracle, to store and retrieve content.
Hypertext Transfer Protocol (HTTP)
A network protocol that facilitates the transfer of documents, such as web pages, on the web, typically between a web browser and a server.
Hypertext Transfer Protocol Secure (HTTPS)
A secure version of HTTP in which hypertext is encrypted by Transport Layer Security (TLS) before being sent over the network. Prior to TLS, this was accomplished using Secure Sockets Layer (SSL).
Identity and Access Management (IAM)
The policies and procedures used to manage access control.
Identity Provider (IdP)
A system that creates, maintains, and manages identity information, including authentication services.
Immutable Object
A computer programming term used to describe an object whose state cannot be changed after it has been defined.
Industrial Control System (ICS)
System that monitors and controls machines such as those in a factory or chemical plant, or even just a large HVAC system in an office building.
Industrial Internet of Things (IIoT)
IIoT refers to devices, sensors, applications, and associated network equipment, that work together to gather, monitor, and analyse data from industrial operations.
Infrastructure as Code (IaC)
The use of machine-readable definition files as well as code to manage and provision computer systems.
Inheritance
In Object-Oriented Programming, Inheritance refers to the ability of an object to take on, or inherit, the properties of another object.
Initialisation Vector (IV)
A data value used to seed a cryptographic algorithm, providing for a measure of randomness.
Integration Platform as a Service (iPaaS)
A subscription based service, which provides tools to enable the integration of data, applications and processes hosted on different physical and cloud services.
International Data Encryption Algorithm (IDEA)
A symmetric encryption algorithm used in a variety of systems for bulk encryption services.
Internet Information Services (IIS)
Web server software, that is provided by Microsoft and available on various versions of Microsoft Windows, including Windows 10 and Windows 11, as well as Windows Server.
Internet Key Exchange (IKE)
A standard key exchange protocol used on the Internet, which is an implementation of the Diffie-Hellman algorithm.
Internet Message Access Protocol (IMAP)
Protocol for retrieving e-mail from an SMTP server.
Internet of Things (IoT)
The everyday objects that can communicate with each other over the Internet, such as smart home appliances, automobiles, video surveillance systems, and more.
Internet Protocol (IP)
Layer 3 protocol responsible for logical addressing and routing packets across networks, including the Internet. It doesn't guarantee reliable delivery of packets across the network, leaving that task to higher-level protocols.
Internet Protocol Address Management (IPAM)
A suite of tools to enable end-to-end planning, deploying, managing, and monitoring of IP address infrastructure within an organisation. It automatically discovers IP address infrastructure servers and Domain Name System (DNS) servers on a network and enables the management of them from a central interface.
Internet Protocol Security (IPSec)
A protocol used to secure IP packets during transmission across a network. IPSec offers authentication, integrity, and confidentiality services. It uses Authentication Header (AH) and Encapsulating Security Payload (ESP) to accomplish this.
Java
Java is an Object-Oriented Programming (OOP) language that was first released by its original developers, Sun Microsystems, back in 1995. Today the development of Java is in the hands of Oracle, following its acquisition of Sun Microsystems back in January 2010.
The Java language shares much of its syntax with the C and C++ programming languages, and is said to be fast, reliable and secure. It was developed on the WORA, or Write Once, Run Anywhere, principle, which means that it can run on any platform that supports Java, including laptops, datacentres, game consoles, supercomputers, mobile phones and more.
JavaScript
JavaScript is a scripting language that is designed for use with the web. It is built into all modern web browsers and can be used to make web pages more dynamic. JavaScript can be embedded into the HTML of a web page and is executed by the browser on the user's computer. It can be used, for example, to validate the entries of a contact form before it is submitted, or to change a web page visually in some way following a particular event.
JavaScript Object Notation (JSON)
A text-based data interchange format designed for transmitting structured data. It is most commonly used for transferring data between web applications and web servers.
Last In, First Out (LIFO)
A method of processing data in which the last items entered are the first to be removed.
Lightweight Directory Access Protocol (LDAP)
An application protocol used to access directory services across a TCP/IP network.
Lightweight Directory Access Protocol over SSL (LDAPS)
A secure version of LDAP.
Linux, Apache, MySQL, and PHP (LAMP)
The Linux operating system, Apache web server, MySQL database, and PHP web scripting language can be used together to create a fully functioning web server.
Local File Inclusion (LFI)
An attack technique in which an attacker tricks a web-based application into running files or exposing sensitive information; in severe cases, it can lead to cross-site scripting (XSS) and remote code execution.
Mac OS, Apache, MySQL, and PHP (MAMP)
The Mac OS operating system, Apache web server, MySQL database, and PHP web scripting language can be used together to create a fully functioning web server.
Mandatory Access Control (MAC [1])
An authorisation method in which the system grants access to resources based on security labels and clearance levels. Used in organisations with very high security needs.
Message Authentication Code (MAC [4])
A short piece of data used to authenticate a message. This is often a hashed message authentication code (HMAC), where a hash function is used on the message authentication code to ensure the integrity and authenticity of a message.
Message Digest 5 (MD5)
A hashing algorithm and a specific method of producing a message digest.
Microsoft Challenge Handshake Authentication Protocol (MSCHAP)
A Microsoft-developed variant of the Challenge Handshake Authentication Protocol (CHAP).
Model-View-Controller (MVC)
A design pattern utilised in software development, which is used to implement software interfaces, data and controlling logic, separating out the business logic from the display.
Multifactor Authentication (MFA)
The use of more than one different factor for authenticating a user to a system.
Mutable Object
A computer programming term used to describe an object whose state can change after it has been defined.
Next-generation Secure Web Gateway (NG-SWG)
A solution designed to filter unwanted web traffic from a user-initiated session to enforce policy compliance.
Object-Oriented Programming (OOP)
A programming paradigm based on the concept of "objects", which may contain data, in the form of fields or attributes, and behaviours, in the form of procedures or methods. Computer programs created in this way are usually made up of multiple objects that interact with one another.
Open Authorization (OAUTH)
An open protocol that allows secure, token-based authorisation on the Internet from web, mobile, and desktop applications via a simple and standard method. It can be used by an external partner site to allow access to protected data without having to re-authenticate the user. It was created to remove the need for users to share their passwords with third-party applications, by substituting it with a token.
Open Source
Software that is said to be open source refers to the fact that the original source code used to create it is made freely available to view, modify, enhance and redistribute.
Open Web Application Security Project (OWASP)
A non-profit foundation dedicated to improving security in web applications.
Operational Technology (OT)
The name for an IT system used in an industrial setting to control physical processes.
Password Authentication Protocol (PAP)
A simple protocol used to authenticate a user to a network access server.
Password-based Key Derivation Function 2 (PBKDF2)
A key derivation function that is part of the RSA Laboratories Public Key Cryptography Standards, published as IETF RFC 2898.
Polymorphism
In Object-Oriented Programming, Polymorphism refers to the ability of a programming language to process objects differently depending on their data type or class.
Post Office Protocol (POP)
One of the two protocols that receive e-mail from SMTP servers.
Post Office Protocol version 3 (POP3)
One of the two protocols that receive e-mail from SMTP servers.
Proof of Concept (PoC)
A realisation of a certain method or idea to demonstrate its feasibility, or a demonstration in principle with the aim of verifying that some concept or theory has practical potential. A proof of concept is usually small and may or may not be complete. Also known as proof of principle.
Public Key Cryptography Standards (PKCS)
A series of standards covering aspects of the implementation of public key cryptography.
Public Key Infrastructure (PKI)
Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority.
Python
Python is a general-purpose programming language, which can be used for building web applications, desktop applications, video games and much more. It supports multiple programming paradigms, including object-oriented, imperative and functional programming.
Quality Assurance (QA)
The term used in both manufacturing and service industries to describe the systematic efforts taken to ensure that the product delivered to a customer meets with the contractual and other agreed upon performance, design, reliability, and maintainability expectations of that customer.
Rapid Application Development (RAD)
A software development methodology that favours the use of rapid prototypes and changes as opposed to extensive advanced planning.
Reflected Cross-site Scripting (RXSS)
A vulnerability that arises when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Remote Authentication Dial-in User Service (RADIUS)
A standard protocol for providing authentication services that is commonly used in dial-up, wireless, and PPP environments.
Remote File Inclusion (RFI [2])
A type of vulnerability that allows an attacker to include a file, usually exploiting a dynamic file inclusion mechanism implemented in the target application. This vulnerability exists where there isn’t appropriate user input validation.
Representational State Transfer (REST)
An architectural style for providing standards between computer systems on the web, making it easier for systems to communicate with one another. REST compliant systems, often called RESTful systems, are characterised by how they are stateless and separate the concerns of client and server.
Rivest Cipher version 4 (RC4)
A streaming symmetric-key algorithm. No longer secure due to the many vulnerabilities that have been discovered since its initial implementation.
Rivest, Shamir, & Adleman (RSA)
The names of the three men who developed a public key cryptographic system and the company they founded to commercialise the system.
Role-based Access Control (RBAC [1])
Roles within an organisation are assigned access permissions necessary to carry out those roles. These are in turn assigned to specific users that fulfil the roles within the organisation.
Rule-based Access Control (RBAC [2])
A series of rules are contained within an access control list to determine whether access should be granted or not, for example, don’t allow access to certain files outside of working hours during the week or on weekends.
Secure File Transfer Protocol (SFTP [1])
Uses SSH to provide the encryption for secure file transfer.
Secure Hashing Algorithm (SHA)
A hashing algorithm used to hash block data. The first version is SHA-1, with subsequent versions named after their hash digest length: SHA-256, SHA-384, and SHA-512.
Secure Hypertext Transfer Protocol (SHTTP)
An alternative to HTTPS in which only the transmitted pages and POST fields are encrypted. Not widely used following the widespread adoption of HTTPS.
Secure Shell (SSH)
An encrypted remote terminal connection program, used to remotely connect to a server. SSH uses asymmetric encryption, however, it generally requires an independent source of trust with a server, such as manually receiving a server key, to operate.
Secure Sockets Layer (SSL)
A protocol developed for transmitting private documents over the internet. It works by using a public key to encrypt sensitive data. This encrypted data is then sent over an SSL connection and then decrypted at the receiving end using a private key. Deprecated by Transport Layer Security (TLS).
Secure Web Gateway (SWG)
An on-premise or cloud-delivered network security service. Sitting between users and the Internet, secure web gateways provide advanced network protection by inspecting web requests against company policy to ensure malicious applications and websites are blocked and inaccessible.
Security Assertions Markup Language (SAML)
An XML-based standard for exchanging authentication and authorisation data.
Server-side Request Forgery (SSRF)
A type of computer security exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.
Simple Object Access Protocol (SOAP)
An XML-based specification for exchanging information associated with web services.
Single Sign-On (SSO)
An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information.
Software as a Service (SaaS)
Cloud service model that provides centralised applications accessed over a network.
Software Development Kit (SDK)
A collection of software development tools that facilitate the creation of software, which can include a software framework, compiler and debugger.
Software Development Life Cycle (SDLC)
A process used by the software industry to design, develop and test high-quality software. The Software Development Life Cycle typically consists of stages such as planning and requirements analysis, definition of requirements, design, build, test, deploy and maintain. There are a number of different Software Development Life Cycle models in use today, including the waterfall model, the iterative model, the spiral model, the V-model and the big bang model.
Software Development Life-cycle Methodology (SDLM)
The processes and procedures employed to develop software. Sometimes also called secure development lifecycle model when security is part of the development process.
Software-Defined Network (SDN)
Programming that allows a master controller to determine how network components will move traffic through the network. Used in virtualisation.
Structured Query Language (SQL)
A language created by IBM that relies on simple English statements to perform database queries. SQL enables databases from different manufacturers to be queried using a standard syntax.
Structured Query Language Injection (SQLi)
An attack against an interface using SQL.
System on Chip (SoC [2])
The integration of complete system functions on a single chip in order to simplify construction of devices.
Time-based One Time Password (TOTP)
A password that is used once and is only valid during a specific time period.
Time-of-check (TOC)
Refers to the point in time at which a value is checked in a multithreaded application.
Time-of-use (TOU)
Refers to the point in time at which a value is used in a multithreaded application. The greater the separation between the time a program checks a value and the time it uses that value, the more likely it is that problems such as race conditions will arise.
Transmission Control Protocol (TCP)
A Layer 4 connection-oriented protocol within the TCP/IP suite. TCP provides a reliable communications channel over an unreliable network by ensuring all packets are accounted for and retransmitted if any are lost.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of communication protocols, developed by the U.S. Department of Defence, which enable dissimilar computers to share information over a network.
Transport Layer Security (TLS)
A protocol where hosts use public-key cryptography to securely negotiate a cipher and symmetric key over an unsecured network, and the symmetric key to encrypt the rest of the session. TLS is the current name for the historical SSL protocol.
Triple Data Encryption Standard (3DES)
Three Rounds of DES encryption used to improve security.
Uniform Resource Identifier (URI)
A set of characters used to identify the name of a resource in a computer system. A URL is a form of URI.
Uniform Resource Locator (URL)
An address that defines the type and the location of a resource on the Internet. URLs are used in almost every TCP/IP application.
Virtual Learning Environment (VLE)
A Virtual Learning Environment, or VLE for short, which is also sometimes referred to as a Learner Management System, or LMS, is a system for delivering learning material via the web. Its purpose is not to replace face-to-face teaching, but to enhance it, through the various activities it provides. VLEs are also a means of sharing resources, such as files and web links, with their users.
Virtual Private Network (VPN)
A network configuration that enables a remote user to access a private network via the Internet. VPNs employ an encryption methodology called tunnelling, which protects the data from interception.
Visual Basic for Applications (VBA)
A Microsoft specification for using Visual Basic in applications such as the Office Suite.
Web Application Firewall (WAF)
A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level.
Windows, Apache, MySQL, and PHP (WAMP)
The Windows operating system, Apache web server, MySQL database, and PHP web scripting language can be used together to create a fully functioning web server.
World Wide Web Consortium (W3C)
An international body that maintains web-related rules and frameworks, comprising over 350 member organisations, which jointly develop web standards, run outreach programs, and maintain an open forum for talking about the Web.
XML External Entity (XXE)
A security vulnerability that allows a threat actor to inject unsafe XML entities into a web application that processes XML data. This can lead to the threat actor being able to interact with systems the application can access, view files on the server, and in some cases, perform remote code execution (RCE).
Zed Attack Proxy (ZAP)
An open-source penetration testing tool for finding vulnerabilities in web applications.