API Security
CRA and security terminology explained
API Security involves protecting application programming interfaces from attacks, unauthorized access, and data breaches throughout their lifecycle.
Attack surface refers to all possible entry points where an unauthorized user could gain access to a system and extract data.
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
Authorization determines what actions an authenticated user or system is permitted to perform within an application or system.
A Certificate Authority (CA) is a trusted entity that issues digital certificates to verify the identity of organizations and individuals.
Common Criteria is an international standard for computer security certification, ensuring products meet specific security requirements.
A compliance audit evaluates whether an organization adheres to regulatory requirements, standards, and internal policies.
The Cyber Resilience Act (CRA) is a European Union regulation establishing cybersecurity requirements for products with digital elements.
Cryptographic key management involves the secure generation, storage, distribution, and destruction of encryption keys.
Data encryption converts information into a secure format that can only be read by authorized parties with the decryption key.
Defense in Depth is a security strategy employing multiple layers of security controls to protect systems and data.
DevSecOps integrates security practices into the DevOps process, making security a shared responsibility throughout the development lifecycle.
A digital signature is a cryptographic mechanism that verifies the authenticity and integrity of digital documents or messages.
Disaster Recovery involves plans and procedures for restoring systems and data after catastrophic events or cyberattacks.
An encryption algorithm is a mathematical procedure used to transform plaintext into ciphertext to protect data confidentiality.
End-of-Life (EOL) marks when a product no longer receives updates or support, creating security risks for continued use.
An exploit is code or a technique that takes advantage of a vulnerability to compromise a system or application.
Identity and Access Management (IAM) systems control who can access resources and what actions they can perform.
An Intrusion Detection System (IDS) monitors network traffic and system activities for malicious behavior and security threats.
ISO 27001 is an international standard for information security management systems, providing a framework for protecting data.
Penetration testing simulates cyberattacks to identify vulnerabilities and security weaknesses in systems before attackers exploit them.
Personal data is any information relating to an identified or identifiable individual that must be protected under privacy regulations.
Phishing is a cyberattack technique using deceptive communications to trick users into revealing sensitive information or credentials.
Privacy by Design embeds data protection and privacy considerations into product development from the earliest stages.
A Product Security Incident Response Team (PSIRT) handles security vulnerabilities and incidents affecting an organization's products.
Public Key Infrastructure (PKI) manages digital certificates and public-key encryption for secure electronic communications.
Ransomware is malicious software that encrypts data and demands payment for its release, disrupting business operations.
A Red Team is a group of security professionals who simulate real-world attacks to test an organization's defenses and identify weaknesses.
Regulatory compliance ensures organizations adhere to laws, regulations, and industry standards governing their operations and products.
Secure Boot ensures that devices boot using only software trusted by the manufacturer, preventing unauthorized code execution.
A security patch is a software update specifically designed to fix vulnerabilities and security flaws in existing systems.
Security testing evaluates systems to identify vulnerabilities, weaknesses, and potential security risks before deployment.
Security Information and Event Management (SIEM) systems collect, analyze, and correlate security data for threat detection.
Software Composition Analysis (SCA) identifies open-source and third-party components in software to manage security and licensing risks.
Threat intelligence provides knowledge about existing and emerging cybersecurity threats to inform defensive strategies.
Threat modeling identifies potential security threats and vulnerabilities during the design phase to mitigate risks early.
Two-Factor Authentication (2FA) requires two different authentication factors to verify user identity and enhance security.
Zero Trust is a security model that requires verification for every access request, regardless of whether it originates inside or outside the network.
A zero-day vulnerability is a software flaw unknown to the vendor that can be exploited by attackers before a patch is available.