Cybersecurity Style Guide

Simple Storage Service. An Amazon service.

Software as a service. Pronounced as “sass.” Spell out on first use.

An alternative term to whitelisting. Use this term to match client preference in client-facing documents.

Repeatedly stealing money in very small quantities.

In encryption, salted code has random values sprinkled in it to make it more difficult to decode. If two users have the same password, salting ensures that their hashes won’t be the same.

Security Account Manager. A registry file in Microsoft systems that serves as a password database. Also refers to the Sequence Alignment Map file format. Pronounced as “samm.”

Spell out on first use to distinguish the acronym from standard operating procedures.

Security Assertion Markup Language. SAML rhymes with “camel.”

A testing environment that is isolated from production or a restricted operating system environment for running unverified programs.

Modifying privileges in a system past the manufacturer’s intention in order to gain root access. More generic than “jailbreak.”

Describes content (usually user input) that has been stripped of unwanted characters to prevent code injection.

The SysAdmin Audit Network Security Institute. Pronounced as “sans.” Do not spell out.

Simple Authentication and Security Layer. Pronounced as “sassle.” Spell out on first use.

Secure Boot Manager. Spell out on first use.

Supervisory control and data acquisition. A control system architecture. Spell out on first use.

Programming language meant to address criticisms of Java.

System Center Configuration Manager. Spell out on first use.

Short for Secure Channel. A Windows SSP. Pronounced as “S-channel.”

The agreed-upon list of applications and environments that an assessment team tests during an engagement.

The gradual expansion of the scope of a project over time. Informal.

A TV show about hacking that ran from 2014 to 2017.

Secure copy protocol. Use the tech font when writing about the command. Spell out on first use.

A script can retrieve (scrape) all of the data from a web page in lieu of an API retrieving the specifically desired information.

Don’t use these terms in formal writing unless the method of capture is relevant to the narrative. We recommend calling them figures or using terms that are related to the content, as in “the login page below.”

A hacker who only knows how to run existing scripts, but not how to write their own. Informal.

An Agile framework. Also the name of meetings within that system.

A hashing (not encryption) algorithm. Pronounced as “S-crypt.”

Small Computer System Interface. A parallel interface. Pronounced as “skuzzy.”

Non-obscene words are sometimes blocked because they contain a banned string of letters, such as “sex” in “Sussex.”

Software development kit. Spell out on first use.

Software development lifecycle. Sometimes written as SDL. Spell out on first use.

Software-defined networking. Spell out on first use.

A type of trolling that involves persistently asking questions in bad faith. Informal.

A flag for protecting HTTP cookies from Man-in-the-Middle attacks.

A security standard for verifying trusted code during launch.

To describe the specific impact of a breach, you can say that information was exposed, disclosed, obtained, or stolen.

Code or another tool (as opposed to policy) that enforces repeatable security. There are preventive controls, detective controls, and corrective controls.

A physical hardware device used to perform MFA.

A Netflix tool for AWS configuration monitoring.

Use the normal font with quotation marks for prompts, as in “What was the name of your favorite unpaid internship?”

The generally maligned practice of making a system extremely complex in the hope that it will prevent anyone from figuring out how to hack it.

A collective of industry volunteers who help others solve information security issues. https://securitywithoutborders.org/

A string of bits used to generate a pseudo-random number for encryption.

To upload file parts in peer-to-peer file sharing.

Do not use. When referring to splitting up network parts, use segment or separate.

Short for Segregated Witness. A cryptocurrency protocol.

Describes a typically insecure cryptographic certificate that has itself as a source of trust.

Also written as SemVer and semver. A versioning system that organizes major, minor, and patch versions.

Search engine optimization. Spell out on first use.

The process of turning a data structure into a data stream that can be more easily stored or transmitted.

Write the names and types of servers in the normal font, as in “SMTP server.”

Apache directives.

Spell out on first use.

A Java program that handles requests for a server.

Short for servomotor.

A web application attack in which a victim’s session token is set to a known value, allowing it to be hijacked.

Also called a cable box.

SSH File Transfer Protocol. Do not spell out unless defining the term.

Secure Hash Algorithm. SHA is a series of cryptographic hash functions. In informal writing, these are often written lowercase and without hyphens, as in “sha256.” Pronounced as “shah.” Do not spell out.

A Microsoft product.

Short for command shell. Informally, you can gain, get, pop, spawn, or drop a shell. Use obtain a shell or gain persistent remote access in formal writing.

Do not pluralize.

A GNU Bash vulnerability. Also known as Bashdoor.

To discontinue the use of. Corporate jargon; use sparingly.

A search engine for devices connected to the internet.

A shortened filename. Also called an 8.3 filename.

Standing behind someone to steal their passwords or other information. Informal.

A program that translates Markdown into HTML.

¯_(ツ)_/¯ is an elaborate emoticon that expresses indifference or a lack of an answer. Sometimes appears in a simplified form as vOv.

Always hyphenate in adjectives.

Security information and event management. Pronounced as “sim” or “see-em.” Spell out on first use.

A privacy-focused messaging app.

Avoid using as a verb if possible. Try identify instead.

A long, signed integer type of data.

A generic term for the tech industry based in the greater San Francisco Bay Area. Also the name of an HBO TV show about a startup company called Pied Piper.

A black market website that was operational between 2011 and 2014.

To isolate or separate. Corporate jargon; use sparingly.

Isolated departments within an organization. Corporate jargon; use sparingly.

Traffic redirection.

Session Initiation Protocol. Spoken out loud as the whole phrase. Spell out on first use.

Apple AI.

Security incident response plan. IR plan and CSIRT may be more familiar terms for your audience. Spell out on first use.

The sitemap file contains the site map.

A set of techniques to improve performance and minimize defects.

A modern feature that is styled to look like an older, physical version.

Stock keeping unit. Do not spell out.

The fictional AI tech by Cyberdyne Systems that led to the creation of the Terminator.

Service-level agreement. Spell out on first use.

An IPv6 attack that exploits the Stateless Address Autoconfiguration process.

A group messaging system.

Service-level objective. Spell out on first use.

A user-friendly URL. Informal.

A programming language.

A generic term for an IoT lock.

An internet-enabled cell phone.

An unbeatable Nintendo Super Smash Bros. AI created by Dan Petro.

Server Message Block. Pronounced as letters. Spell out on first use.

Subject matter expert. Pronounced as “smee,” letters, or the whole phrase. Spell out on first use.

A public encryption key standard for MIME data.

Short for SMS phishing. A type of social engineering attack that uses text messages to target individuals. Briefly define on first use.

Short message service.

Simple Mail Transfer Protocol.

To monitor and capture data packets that pass through a network.

An amount of quoted code. In formal writing, we use a code excerpt instead.

Simple network management protocol.

A network monitoring tool.

An open source security tools company. Pronounced as “sneak” or “snick.”

Shout out. A way to publicly thank someone online. Informal.

Start of Authority or service-oriented architecture. Spell out on first use to clarify your intended meaning.

Simple object access protocol. Spell out on first use.

Security operations center. Pronounced as “sock.” Spell out on first use.

System on chip. Spell out on first use.

A 2010 biopic about the founding of Facebook.

Do not write “SSN number.”

For types of socket, use the normal font. For a specific socket, put the socket type in the tech font, as in jmxrxi socket.

Socket Secure protocol. Do not spell out.

A hacking group also known as APT28 or Fancy Bear.

In contrast to hard programming skills, these are communication skills like listening, presenting, and interpersonal networking.

Short for software token. Used to generate a push notification or OTP on an authentication app as part of a multi-factor authentication process.

Pronounced as “sah-dur.”

SSD is short for solid state drive.

DEF CON radio.

Same-origin policy or standard operating procedure. Pronounced as letters. Spell out on first use.

Do not abbreviate to “source” in formal writing.

Statement of Work. Pronounced as letters. Spell out on first use.

Avoid using in formal writing, unless it is the technical term specific to the technology that is being discussed. Try start or create instead.

Tailored phishing attacks that are aimed at a specific target.

Always hyphenate.

A flaw that affects Intel, AMD, and ARM chipsets. It was publicly disclosed in January 2018. The James Bond supervillain organization is SPECTRE.

Spring Expression Language.

A spelling bee competition for hackers that took place at HOPE 13, DEF CON 26, and DEF CON 27. It used this style guide as the word list.

Sender Policy Framework. Spell out on first use to avoid confusion with the sunscreen rating system.

To crawl websites to index pages. Define on first use.

Avoid using in formal writing. Try launch, instantiate, power on, or create instead.

A SIEM tool.

Service principal name. Pronounced as letters or the whole phrase. Spell out on first use.

To create a fraudulent, attacker-controlled replica of legitimate data (e.g., a website).

Corporate jargon; use sparingly.

A Java application framework.

A programming language. Precede with “a” in phrases like “a SQL query.” Pronounced as “sequel” or as letters.

SQL injection. An application vulnerability. Pronounced as “sequel-eye.” Spell out on first use.

A tool that finds and exploits SQL injections.

A mobile payment service.

A web proxy.

Solid state drive. A drive with no moving parts. Spell out on first use.

Secure software development lifecycle. Spell out on first use.

Secure Shell protocol. It always uses TCP port 22. Do not spell out unless defining the term.

Solid state hybrid drive. Spell out on first use.

Server Side Includes. A programming language. Spell out on first use.

Service set identifier. The human-readable name of a Wi-Fi network. Spell out on first use in public-facing documents.

The Secure Sockets Layer protocol, which is outdated and vulnerable to the POODLE attack. Do not spell out unless defining the term.

An SSL research effort from Qualys.

Secure Sockets Layer/Transport Layer Security. Communications security protocols. Do not spell out unless defining the term.

Social Security number. Don’t capitalize “number.” Spell out on first use.

Single sign-on. Spell out on first use.

Security support provider. Spell out on first use.

Server-side request forgery. Spell out on first use.

Server-side template injection. Spell out on first use.

A Google cloud-based gaming platform.

Does not need to be staged.

An informal daily work meeting.

A privacy-focused search engine.

Describes a protocol in which recipients of a request can track the session from previous requests.

Describes a protocol where the session state is tracked in each request without referring to previous communications.

Science, technology, engineering, arts, and math.

A video game distribution platform.

A strategy of hiding information to avoid its capture rather than openly disguising it through cryptography.

Science, technology, engineering, and math.

A surveillance tool that appears as a Wi-Fi network but actually takes information from the devices that connect to it.

Structured Threat Information Expression. A language used for threat analysis.

Spanning Tree Protocol.

The effect states that requesting the internet to not do something will cause the internet to deliberately do that thing more.

A string of characters written directly into the code.

A worm that sabotaged Iranian uranium enrichment in 2010.

Short for superuser. Use the tech font, as in su command.

A group of IP addresses.

A browser security feature.

Informal.

A version control system.

Noun form of “subvert.” Avoid using this to mean a “sub” version. Use minor version, patch, or just version instead.

Superuser do. Write in the normal font if referring to sudo privileges. If referring to the command sudo, use the tech font.

Someone who has sudo privileges. Informal. In formal writing, try “user with sudo privileges” if it’s not part of a set expression.

The sudo configuration file.

An annual security conference in New York.

Corporate jargon for planned phasing out. OK to use sparingly in the infinitive. Also try no longer support or decommission.

If writing about a type of superclass, use the normal font. If it’s the name of a superclass, use the tech font, as in Throwable.

A type of hackathon party that started in the Bay Area and now has global offshoots.

Apache Subversion. Spell out on first use.

Open source software framework and tools to build, design, and document APIs.

A cryptographic birthday attack.

Pronounced as “swiff.”

Society for Worldwide Interbank Financial Telecommunication. Do not spell out.

A PHP framework.

Symbolic link. Do not use the shortened form in formal writing.

Displaying text within code in different colors based on keywords or categories. We do not use syntax highlighting in client-facing reports.

If writing about a specific system, use the tech font, as in “the dev_test system.” Otherwise, use the normal font.

Spell out on first use.