Alex Smolen

Software Security Neologisms


Sep 26, 2007

During a web hacking class I recently taught, I noted that usually security testers spend more time writing up findings than actually hacking. This is also the case with code reviews; properly explaining security issues requires an awful lot of verbiage.

With all that writing going on to describe web security issues, a few new words get cooked up to describe certain “undefinable” terms. I’ve collected a few neologisms I’ve seen floated around in white papers and reports. All of the words below got a red squiggly underline in Microsoft Word. Got anything to add?

Unvalidated, adj. Referring to data which has not been checked for validity or appropriateness.

Untrusted, adj. Referring to an entity which is not under immediate control, and may be under the control of an attacker.

Canonicalize, verb. The process of converting data into its canonical form – a single, agreed representation.
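The three entries above (unvalidated, untrusted, canonicalize) come together in one common review finding: input from an untrusted party is validated before it is canonicalized, so the check sees a different string than the one the system acts on. The following Python snippet is an added example, not code from the original post; the document root, function names and the constructed sample paths are assumptions chosen for illustration.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

# Hypothetical document root that client-supplied paths must stay inside.
ALLOWED_ROOT = "/srv/app/public"


def canonicalize_path(root: str, user_path: str) -> str:
    """Reduce an untrusted relative path to a single agreed form.

    Canonical form here means: percent-decoded, Unicode compatibility
    normalized (NFKC), joined to the root, and with '.', '..' and
    repeated separators resolved by posixpath.normpath.
    """
    decoded = unquote(user_path)                       # "%2e%2e" -> ".."
    normalized = unicodedata.normalize("NFKC", decoded)  # U+FF0E -> "."
    # posixpath.join discards root if the input is absolute, so an
    # absolute input is caught by the containment check afterwards.
    return posixpath.normpath(posixpath.join(root, normalized))


def is_within_root(root: str, candidate: str) -> bool:
    """True if the canonical path is the root itself or a descendant."""
    root = posixpath.normpath(root)
    return candidate == root or candidate.startswith(root + "/")


def naive_validate(user_path: str) -> bool:
    """Validation done on the raw (non-canonical) string.

    Rejects a literal '..', but accepts encodings or normalization
    variants that only become '..' later in processing.
    """
    return ".." not in user_path


def safe_validate(user_path: str) -> bool:
    """Canonicalize first, then validate the result."""
    canonical = canonicalize_path(ALLOWED_ROOT, user_path)
    return is_within_root(ALLOWED_ROOT, canonical)


if __name__ == "__main__":
    # Constructed sample inputs as an untrusted client might send them.
    samples = [
        "images/logo.png",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "\uff0e\uff0e/\uff0e\uff0e/etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_validate(s)!s:5} safe={safe_validate(s)}")
```

The point of the side-by-side check is that `naive_validate` accepts the percent-encoded and fullwidth-dot variants because the raw string contains no literal `..`, while `safe_validate` rejects them because it reasons about the canonical path the file system would actually open.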

Proxied, adj. That which has been sent through a proxy.

Misconfiguration, noun. A configuration setting which is incorrect, or introduces a weakness into a system.

Decompilation, noun. The act of reverse engineering (decompiling) code which has compiled to a binary format back to its original source code.

Keystore, noun. A file or digital repository for storing cryptographic keys and key pairs.

Deprovision, verb. To remove from a directory.