Cybersecurity Style Guide

Use “an” when the next word begins with a vowel sound when spoken, regardless of spelling. A hybrid test. A unified problem. A Xerox machine. An HTTP issue. An SSH tunnel. An underlying cause. An XSS attack.

Short for accessibility. Often used in relation to technology. The 11 represents the 11 letters removed from the middle of the word. Pronounced like “ally” or “accessibility.”

Avoid using this term unless it’s in quoted code. Try force quit, interrupt, or reboot instead.

An experiment that involves showing different versions to different users.

Avoid using this term. Try misuse or malicious use instead.

Avoid using this term. Try alter, automate, compromise, deface, exhaust, exploit, force, impersonate, intentionally misuse, leverage, manipulate, reuse indefinitely, take advantage of, or a context-specific verb.

Always hyphenate.

Pronounced as letters. Spell out on first use.

Arbitrary code execution or access control entry. Spell out on first use.

Atomicity, consistency, isolation, durability.

Access control list. Spell out on first use.

Spell out on first use.

Android Debug Bridge. adb is both a command-line tool and a specific command. When writing about the command, use the tech font.

Describes immature security infrastructure. In networks (especially wireless ones), ad hoc means decentralized.

Short for administrator. Write in the normal font if referring to admin privileges. If referring to the admin role or username, use the tech font.

Do not use this term in formal writing; use attacker or malicious user instead. In cryptography, it has a mathematical meaning, as in global passive adversary (GPA).

Advanced Encryption Standard. Do not spell out; briefly define on first use.

A software development approach involving continuous iterative changes, cross-functional teams, and a short feedback cycle.

Describes an entity that does not have a preference for any particular product, as in platform agnostic. Corporate jargon; use sparingly.

Artificial intelligence. In technical fields, this term primarily describes machine learning strategies. It has taken on a broader meaning in popular culture. AI can also refer to Amnesty International. Spell out on first use when writing for a general audience.

A suite of tools for testing Wi-Fi network security.

Air-gapped systems are disconnected from insecure networks and the internet.

Asynchronous JavaScript and XML. Do not spell out.

An API management provider.

Amazon AI.

An online retailer based in China.

Bishop Fox’s preferred alternative term to whitelisting. Rephrase to avoid using this term as a verb in formal writing.

Describes strings that contain letters and numbers, but not special characters, punctuation, or spaces.

Put a space after the number, as in “4 a.m. GMT.” Include the time zone if referring to a testing window or specific event. Avoid using military (24-hour) time unless relevant to the context.

Ask me anything. A crowdsourced style of Q&A popularized by Reddit. Can also refer to the American Medical Association, so spell out in non-Q&A contexts.

An online crowdsourced marketplace where users complete Human Intelligence Tasks (HITs) for money.

Spell out on first use. After that, abbreviate as either AWS or Amazon. When discussing individual services within AWS, refer to Amazon’s documentation.

Use sparingly in formal writing.

Google’s mobile operating system.

The [ < ] and [ > ] characters.

A JavaScript framework.

Animated emoji created by Apple in 2017.

An international group of 4chan hacktivists with a Guy Fawkes mask symbol.

Unauthenticated.

A stateful configuration management suite for Linux systems.

A fictional instantaneous hyperspace communication device named by Ursula K. Le Guin.

An internet service provider. Originally stood for America Online.

Short for access point or Associated Press. Both are pronounced as letters. Spell out on first use to clarify your intended meaning.

A fictional research company from the Portal series of video games.

Application programming interface. How software interacts with other software.

Android package.

Smart devices like phones and tablets have apps; computers have applications. App can also be a shortened form of application. To the security industry, they are all exploitable.

Spell out on first use.

Technology company founded by Steve Jobs and Steve Wozniak in 1976.

An alternate term for information security.

Application penetration testing, advanced persistent threat, or advanced packaging tool. Spell out on first use in public-facing documents.

Augmented reality.

An animated spy TV show that inspired the name of the Bishop Fox Danger Drone. Also the name of an RSA security product.

Pronounced “ar-dweeno.”

A type of RISC architecture for microprocessors, primarily used in smartphones and tablets. Define briefly on first use.

Advanced Research Projects Agency Network; the original internet. Do not spell out.

A process of removing normal activity from noisy data sets. Also used to describe flaws in artificial intelligence programs. Define on first use.

In technical fields, this term primarily describes machine learning strategies. It has taken on a broader meaning in popular culture.

American Standard Code for Information Interchange. Pronounced “ask-ee.” Do not spell out.

Application-specific integrated circuit. Less commonly, a programming language related to BASIC. Do not spell out.

Address space layout randomization.

Abstract Syntax Notation One.

Short for application service provider or Active Server Pages, a precursor to ASP.NET.

Authentication Server Response. Spell out on first use.

Assets are systems, software, applications, libraries, personnel, equipment, or anything else an organization values and wants to protect.

Approved scanning vendor. Spell out on first use.

Application Security Verification Standard. Spell out on first use.

Short for automated teller machine or “at the moment.” “ATM machine” is redundant.

A database transaction property. Transactions can be atomic or non-atomic.

A sequence of attacker actions.

If it’s a type of attribute, use the normal font. If it’s a specific attribute, use the tech font, as in “a username attribute.”

Avoid using as a noun in formal writing.

Acceptable use policy. Spell out on first use.

Short for authentication or authorization. Sometimes written as AuthN and AuthZ, respectively, to clarify which word is abbreviated. Spell out on first use to avoid confusion.

A generic term for an application feature that predicts the rest of the word or phrase as a user types.

A generic term for an application feature that fixes identified mistakes in typed words.

The automatic operation of required processes.

Antivirus or audiovisual. Pronounced as letters or the whole word.

The responsiveness of a system. Denial-of-service attacks affect a system’s availability.

A programming language used primarily for text processing.

Amazon Web Services.

A cloud computing service operated by Microsoft.