Cybersecurity Style Guide

Pronounced as “demon” or “day-mun.” A background system process on a computer. Daemon processes often include the letter D at the end, as in sshd.

An electrical engineering wiring scheme. Informal.

A Bishop Fox creation. A Raspberry Pi on a drone that can access tall buildings inconspicuously as a flying hacker laptop.

Short for decentralized autonomous organization or data access object. Spell out on first use.

A nebulous term (along with “dark web” and “deep web”) written and used inconsistently to refer to unindexed online black markets. In formal writing, it’s better to call it the black market or specify the site or service.

A security industry publication.

Defense Advanced Research Projects Agency.

Always write data in the singular, as in “the data was recovered.”

Use the tech font for data URIs.

Write out dates (e.g., October 15, 2020) where possible to avoid day/month confusion with global audiences.

A one-day, women-centered security conference. https://www.dayofshecurity.com/

Database. Spell out on first use unless it’s part of a name, as in MongoDB or IMDb.

Database administrator. Pronounced as letters. Spell out on first use in public-facing documents.

Short for “doing business as.”

Dynamic Data Exchange. Spell out on first use.

Distributed denial of service. Pronounced “D-doss” or as letters. Spell out on first use.

Short for double data rate or the arcade game Dance Dance Revolution. Spell out on first use to clarify your intended meaning.

OK to use in formal writing.

Avoid using this term. If possible, try a more specific description like revoke a token or end a session.

A Linux distribution. Pronounced “debb-ee-an.”

Short for decapsulate. To remove the outer coating from a chip.

To tell a program that a function exists before the function has been defined.

Short for decommissioned. Informal.

Famous IBM chess-playing AI. The name was inspired by Deep Thought: the fictional supercomputer in The Hitchhiker’s Guide to the Galaxy.

AI-fabricated video, originally used in pornography.

An annual security conference in Las Vegas. https://www.defcon.org/

Defense readiness condition. A U.S. military alert scale that is set at DEFCON 5 during peacetime and elevates to DEFCON 4 and above during threatening situations.

Spell out on first use. DoS is pronounced as “doss” or the whole phrase.

A network access rule.

Bishop Fox’s preferred alternative term to blacklist. Rephrase to avoid using this term as a verb in formal writing.

Frustration from software malfunctions caused by errors in third-party software. Informal.

Describes hardware or software that is considered retired but left in for backward compatibility; included but outdated and unsupported.

Data Encryption Standard. A symmetric-key encryption cipher. DES is pronounced as letters or “dezz.” Do not spell out; briefly define on first use.

The process of reconstructing a serialized object. Do not use this interchangeably with “unserialize.” There is an unserialize() function in PHP.

Pronounced “dee-sah-dur.”

Latin for “god from the machine.” A plot device in which an unresolvable problem is conveniently fixed by an unlikely solution.

Short for developer or a system in development, as opposed to a production (prod) system. Also called test. Informal.

Development operations. Corporate jargon.

Short for development, security, operations. Corporate jargon.

Digital Forensics and Incident Response. Spell out on first use.

Diffie-Hellman key exchange.

Department of Homeland Security.

Dynamic HTML. Do not spell out.

An annual, women-centered security conference held at the same time as DEF CON in Las Vegas.

Digital Imaging and Communications in Medicine. The standard for managing medical imaging information.

A brute-force attack in which words from a list such as a dictionary or prior security breach are used to guess a password or decrypt a cipher.

A tool that finds the differences between two files, or the output of such a tool. Can also refer to the Linux tool diff.

A method for securely exchanging secret information.

A common suffix for Bishop Fox tools created by Fran Brown.

A pen testing tool.

If it’s a type of directive, use the normal font. If it’s a named directive, use the tech font, as in “SetCookies directive” or “unsafe-inline.”

Also called a folder. If it’s a type of directory, use the normal font. If it’s a named directory, use the tech font, as in ”the Moss directory.”

Also called path traversal.

Dirty copy-on-write; the CVE-2016-5195 vulnerability.

A messaging platform that originally focused on video gaming.

Corporate jargon; use sparingly.

Short for distribution, as in a version of Linux. Informal.

DomainKeys Identified Mail. This standard allows messages that originate from a protected domain to be cryptographically signed. Pronounced “D-kim.” Spell out on first use.

Dynamic-link library. Do not spell out.

Data loss prevention.

Short for direct message or dungeon master in Dungeons and Dragons. Both are informal.

Direct memory access. An exploitable hardware feature.

Domain-based Message Authentication, Reporting and Conformance. This protocol allows an organization to instruct other mail servers on what to do when fraudulent mail from the protected domain is received. Pronounced “D-mark.”

Digital Millennium Copyright Act. A U.S. copyright law. Spell out on first use.

Demilitarized zone. Also known as a perimeter network. It refers to a less secured portion of a network between external firewalls and the WAN connection.

Short for Distinguished Name in the LDAP API. Spell out on first use.

Domain Name System. Types of records stored in the DNS database include IP addresses, name servers, SMTP mail exchangers, and Start of Authority (SOA). Do not spell out.

Date of birth.

Short for document. Do not use in formal writing.

A platform that makes and manages containers.

Document type declaration.

Department of Defense.

Department of Education.

The practice of a company deliberately using the product they make. Corporate jargon; do not use in formal writing.

Department of Justice.

Document Object Model. Pronounced “dahm.”

Write domain names in tech font.

An object that interfaces with a port and protrudes from it.

Disk Operating System. This is unlikely to come up in our formal writing, but readers may confuse denial of service (DoS) with this.

Denial of service; a common vulnerability. Spell out on first use. DoS is pronounced as “doss” or the whole phrase.

Corporate jargon; use sparingly.

A type of configuration file.

A cryptographic attack that takes advantage of backward compatibility.

Revealing PII to maliciously target an individual online and IRL.

The data protection API used in some Microsoft products. Pronounced as letters. Spell out in public-facing writing.

Dots per inch, as in 300 dpi.

Dell Remote Access Control. Spell out on first use.

Damage, reproducibility, exploitability, affected users, and discoverability: five categories of security threats. A risk assessment model.

A data storage device. If it’s a type of drive, use the normal font. If discussing a drive by name, use the tech font, as in “the C: drive."

Describes a method of attack that does not require direct user interaction. A drive-by download delivers malicious software without the user noticing their device is compromised.

Always hyphenate, as in “server-driven.”

Digital rights management. Spell out on first use.

A file-hosting service.

Decrypting RSA with Obsolete and Weakened eNcryption attack. A TLS bug. Do not spell out.

An open source content management system.

Document type definition. Spell out on first use.

A search engine that doesn’t record search history.

A Bishop Fox tool that searches for exposed Amazon EBS instances.

Informal. For the verb, try download, exfiltrate, extract, gather, remove, retrieve, take, or view instead. For the noun, use extraction.

A file from a memory dump, core dump, stack dump, hex dump, heap dump, etc. Informal.

An authentication provider.

An alternate keyboard setup that is efficient but uncommon. Pronounced “duh-vor-ack,” differently than the last name of classical composer Antonin Dvořák.