Cybersecurity Style Guide

An authentication protocol standard. Pronounced as “O-auth.” Do not spell out.

A programming language.

Off-by-one error. Spoken out loud as the whole phrase. Always spell out in formal writing.

Oracle Cloud Infrastructure. Spell out on first use.

An older version of hashcat.

Optical character recognition. Pronounced as letters or the whole phrase. Spell out on first use.

Open Data Protocol. A RESTful means of exposing access to a data store. Do not spell out unless defining the term.

Original equipment manufacturer. Spoken out loud as letters or the whole phrase. Spell out on first use.

Always spell out in formal writing.

Off-the-block cryptocurrency transactions.

Offensive security. Informal. Spell out on first use in public-facing documents.

Avoid using this term to describe websites. To discuss open redirects, focus on origins instead.

Object-Graph Navigation Language. An open source language. Vulnerable to injection attacks. Pronounced as “ogg-null.”

Informal. Do not use in formal reports outside of the 200 OK response, quoted code, and tables.

A company providing enterprise identity control. Some of our clients use Okta SSO internally.

This phrase indicates that irrelevant parts of the quoted code have not been included.

A command-line script on one line.

A satirical news site.

Hidden services On Tor.

Short for on-premises. Informal.

On-site at a physical location. Often used to describe servers not on the cloud.

Out-of-band. Spoken out loud as the whole phrase. Spell out on first use.

Object-oriented programming. Pronounced as letters or the whole phrase. Spell out on first use.

Operation code. A piece of a machine language instruction. Do not spell out as a phrase.

An authentication protocol.

Software with its source code made available to encourage modifications. In common usage, this is often used interchangeably with “free software.” However, some open source software may not be free due to restrictions on modification and distribution.

Open source VPN software.

Another term for a security researcher, more commonly used in the military and NSA, and also used by Bishop Fox’s Cosmos service.

Tools used to decrypt credentials during security assessments.

Operations security. Pronounced as “opp-seck.” Do not spell out. OPSEC can also refer to Check Point’s Open Platform for Security framework. Briefly define if you’re writing about the framework.

Object-relational mapping. A technique that uses object-oriented programming to interact with a database. Spell out on first use.

Orphan web pages are not linked to by any other pages on the same site.

Operating system. Pronounced as letters. To pluralize, spell it out as operating systems instead of “OS’s” or “OSes.”

Offensive Security Certified Professional. Pronounced as letters. Do not spell out when appending as a certification title to a person’s name. Other similar certifications include OSCE and OSWE.

Open Services Gateway Initiative. A Java framework for developing and deploying modular applications. Do not spell out unless defining the framework.

Open source intelligence. Pronounced as “O-S-int” or “O-sint.” Spell out on first use.

Open source software. Spell out on first use. Do not use as an adjective.

Operational technology. Spell out on first use.

Over-the-air (programming). Spell out on first use.

Short for USB On-The-Go. Informal. Spell out on first use.

Short for “one-time password” in security or “one true pairing” in online fandom communities. Pronounced as letters or the whole phrase. Spell out on first use.

Spell out on first use.

Outlook Web Access. Spoken out loud as the whole phrase. Spell out on first use.

Every few years, the Open Web Application Security Project curates a list of the top 10 threats in information security. Pronounced “O-wasp.” https://www.owasp.org/

A web vulnerability proxy and scanner.

Always hyphenate.