Cybersecurity Style Guide

Short for “peer-to-peer.” Pronounced as letters or the whole phrase. Spell out in public-facing documents.

Platform as a service. Pronounced as the whole phrase or “pass.” Spell out on first use.

Private automatic branch exchange. An enterprise telephone switching system. Pronounced as “Pabb-ex.” Spell out on first use.

If it’s a specifically titled web page, capitalize as in “the Forgot Password page.”

Corporate jargon; OK if used sparingly.

Privileged access management or privileged account management. Spell out on first use.

Primary account number or personal area network. Spell out on first use to clarify your intended meaning.

A credit card number display that only shows the last 4 digits.

Also called a prepared statement.

If writing about a type of parameter, use the normal font. If it’s a named parameter, use the tech font, as in “siteCode parameter.”

A programming language.

The password creation pattern that starts with a capital letter and ends with a number or special character. Coined by Kyle Rankin.

Use the tech font for passwords.

An attack in which one password is tried against many accounts. Also known as horizontal password brute-forcing.

Process for Attack Simulation and Threat Analysis. A risk-based threat methodology. Pronounced as “pasta.” Spell out or briefly define on first use.

A text storage site.

This either refers to any text storage site or to the act of publishing something (like credit card numbers) anonymously on the internet, not necessarily on Pastebin. The verb is informal.

An update to existing software that adds or enhances features, fixes bugs, or both.

Also known as directory traversal.

A website where subscribers set up recurring payments to specific creators in exchange for perks.

Penny Arcade Expo. A series of gaming conventions. Pronounced as “packs.”

A mobile payment service.

Avoid using this as a verb in formal writing. Try “blocked by a paywall” or “required a login” instead.

Password-based key derivation function. Generally used interchangeably with cryptographic hash functions, although there are technical distinctions. Do not spell out.

Personal computer. Can refer to any laptop or specifically a machine that runs Windows. Avoid using in formal writing; instead specify the operating system, as in a Windows machine.

Printed circuit board. Spell out on first use.

Short for the Payment Card Industry or Peripheral Component Interconnect. Spell out on first use to clarify your intended meaning.

Payment Card Industry Data Security Standard(s). Spell out on first use.

Peripheral Component Interconnect Express. A serial expansion bus standard. Briefly explain on first use in public-facing documents.

Perl Compatible Regular Expressions. A free library. Spell out on first use.

Program database file.

A patch management tool.

“Problem exists between keyboard and chair.” User error. Pronounced as “peb-cack.” Informal.

Security testing in which evaluators mimic real-world attacks to identify ways to circumvent the security features of an application, system, or network. Penetration testers look for chains of vulnerabilities that can be used together to gain more privileged or overall access. Often informally shortened to pen testing or pentesting.

Fixing things by hitting them. Informal.

An auxiliary device, a piece of equipment, or an accessory.

A programming language.

If writing about a type of permission, use the normal font. If naming a specific permission, use the tech font, as in ”SET_ALARM permissions.”

Personal security. Used in military contexts. Spell out in public-facing documents.

Persistent access means an attacker continues to access a system or application over a long period of time.

1,000 terabytes.

A ransomware attack that hit in June 2017.

An open source firewall.

Pretty Good Privacy. An encryption program. Do not spell out.

If writing about phases generically, lowercase. If dividing a project into sections, capitalize individual phases, as in Phase 2.

Protected health information. Pronounced as letters. Spell out on first use.

Also known as email phishing.

An Adobe graphics editor.

Short for PHP: Hypertext Preprocessor. Do not spell out.

A PHP method that can be used to change the language’s behavior.

Personal health record. Spoken out loud as the whole phrase. Spell out on first use.

Informal.

A Python serialization and deserialization module. It is not secure. A Python object hierarchy may be pickled and unpickled. The output of the pickle module may be called a pickle, styled in normal font.

Describes a Python object hierarchy that has been converted into a byte stream using the pickle function.

Process identifier or persistent identifier. Pronounced as letters or “pid.” Spell out on first use.

Personally identifiable information. Pronounced as letters. Spell out on first use.

Personal identification number. “PIN number” is redundant. Pronounced as “pin.” Do not spell out.

To initiate contact and wait for a response. Sometimes specifically refers to using the ping utility. Use the tech font when referring to the utility itself.

Also called software piracy.

Informal.

A foothold that an attacker can use to gain further access into a system. The point at which an attack switches between horizontal and vertical privilege escalation strategies.

An open source analytics program that has been renamed Matomo.

When describing the dimensions of an image, list width then height with an “x” between, as in 1000x1000-pixel image. Put a space between the number and unit. No commas.

Public key infrastructure. Spell out on first use.

Text that is unformatted (i.e., not rich text).

Can refer to unencrypted text (like cleartext) or the input to a cryptographic system. In our reports, it is not a synonym with cleartext. Define briefly on first use to clarify your intended meaning.

Short for payload. Informal. Spell out on first use.

A programming language used by Oracle.

Also called an add-on or extension. Use the normal font, as in “the LastPass Chrome plugin.”

Put a space after the number, as in 2 p.m. PST. Include the time zone if referring to a testing window or specific event. Avoid using military (24-hour) time unless relevant to the context.

Purchase order. Corporate jargon. Spell out on first use.

Could refer to a “proof of concept,” a “point of contact” within the client company, or a person of color. Pronounced as letters, the phrase, or “pock.” Spell out on first use to clarify your meaning.

Capitalize podcast names and use the normal font, as in Security Weekly.

Power over Ethernet. Spell out on first use.

Padding Oracle on Downgraded Legacy Encryption. A Man-in-the-Middle attack. Do not spell out.

Procedure-oriented programming, point of presence, point of purchase, or Post Office Protocol. Spell out on first use to clarify your intended meaning.

Use this term in formal writing, but “jack” is fine elsewhere.

Video games in which the main character, Chell, uses a portal-shooting gun to bypass obstacles and enemies.

An entranceway, such as an employee login page.

Write without commas in the normal font (port 3389) unless it appears at the end of an IP address (54.243.128.77:3389).

Any actions an attacker takes in a system after it is compromised. For example, a pen tester may search for data and configurations to determine the ultimate impact of an exploit.

A type of database.

Turn it off and on again.

A user with advanced knowledge of a particular software.

In CORS, the browser sends an OPTIONS request before the actual request to check that the server’s response headers allow the user-agent to send the request. The request is dropped if the server response does not allow the request.

An algorithm input.

Also called a parameterized query.

Describes an AWS S3 URL that contains authorization for accessing the data in the URL itself. To avoid redundancy, do not use to describe other resources that have been signed.

A BeEF phishing module.

Cryptographic primitives are basic algorithms used to build cryptographic systems.

The concept that users should have only the permissions necessary for their role in a system, not more.

This can mean to rank vulnerabilities by severity level in an environment.

A common strategy for attackers: start as a low-privilege user and find flaws in permissions to gain admin credentials.

When describing a user’s level of privilege, we prefer to use a hyphen, as in a high-privilege user rather than “a highly privileged user.”

Pseudo-random number generator. (Pseudo refers to the fact that computers cannot make true random numbers; it is not a judgment about their RNG security or quality.) Pronounced as letters. Spell out or briefly define on first use.

An application monitoring tool used during security assessments.

A Windows monitoring tool. The application is named Process Monitor but is often shortened to Procmon.

A system in production, as opposed to a system in development (dev). Informal.

There are many subcategories, such as compiled vs. interpreted languages, high-level vs. low-level languages, and domain-specific vs. general purpose languages. Scripting languages are programming languages, but markup languages are not.

Write coding syntax and commands in tech font to distinguish them outside of code snippets.

How computers talk to each other.

To move data through an intermediary server. Proxy can refer to the intermediary or the act of moving the data.

PlayStation consoles.

Pre-shared key. Spell out on first use.

PHP Standards Recommendation. A PHP specification. Recommendation items are numbered beginning with PSR-0. Spell out on first use to avoid confusion with the Bishop Fox product security review service line.

A public key is a type of cryptographic key that has a matching private key.

A security testing approach that combines aspects of red teaming and blue teaming.

A Windows SSH and Telnet client. Pronounced like “putty.”

A Windows tool for retrieving LM and NTLM hashes in an Active Directory environment.

To defeat, to own. Pwn rhymes with own. Informal when used by itself, but often appears within names of security tools.

An annual awards ceremony for hackers that takes place during Black Hat. Pwnie is pronounced as “pony.”

A tool used in physical assessments that looks like a power adapter.

A programming language that encourages Monty Python references in tool names.