Information security - The practice of protecting information by mitigating information risks
Vulnerability - A weakness which can be exploited by a threat actor
Threat - A potential negative action or event facilitated by a vulnerability
Malware - Any software intentionally designed to cause disruption to a computer, server, client, or computer network
Ransomware - A type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid
Social engineering - The psychological manipulation of people into performing actions or divulging confidential information
Phishing - A type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information
Business email compromise (BEC) - A type of phishing attack in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data
NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
AC - Access Control
AT - Awareness and Training
AU - Audit and Accountability
CA - Assessment, Authorization and Monitoring
CM - Configuration Management
CP - Contingency Planning
IA - Identification and Authentication
IR - Incident Response
MA - Maintenance
MP - Media Protection
PE - Physical and Environmental Protection
PL - Planning
PM - Program Management
PS - Personnel Security
PT - Personally Identifiable Information Processing and Transparency
RA - Risk Assessment
SA - System and Services Acquisition
SC - System and Communications Protection
SI - System and Information Integrity
SR - Supply Chain Risk Management
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
ISO/IEC 27001: Information security, cybersecurity and privacy protection — Information security management systems (ISMS)
ISO/IEC 27002: Information security, cybersecurity and privacy protection — Information security controls
ISO/IEC 27018: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Industry & Audit Standards
PCI-DSS - A global standard that provides a baseline of technical and operational requirements designed to protect account data
Security Content Automation Protocol (SCAP) - A suite of specifications used to enable automated vulnerability management, measurement, and policy compliance evaluation of systems
TPM (Trusted Platform Module) - An international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
Secure Software Development Framework (SSDF) - A set of fundamental, sound, and secure software development practices based on established secure software development practice documents
Zero Trust tenets (NIST SP 800-207)
All data sources and computing services are considered resources.
All communication is secured regardless of network location.
Access to individual enterprise resources is granted on a per-session basis.
Access to resources is determined by dynamic policy and may include other behavioral and environmental attributes.
The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Software Supply Chain Security
SLSA framework - A specification for describing and incrementally improving supply chain security
in-toto - A framework to secure the integrity of software supply chains
Threat modeling - A process by which potential threats can be identified, enumerated, and prioritized from a hypothetical attacker's point of view
STRIDE model - A mnemonic for categorizing computer security threats into six categories
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
MITRE ATT&CK - A globally accessible knowledge base of adversary tactics and techniques
Tactics: The high-level objectives or goals that an adversary aims to achieve during an attack.
Techniques: The specific methods or ways adversaries achieve their tactical objectives.
Procedures: The specific implementations or variations of techniques that adversaries utilize in their operations.
Integrated IAM - The organizational and technical processes for registering and authorising an identity and the access rights associated with it
FusionAuth CE - A free, self-hosted version of FusionAuth that you can deploy anywhere
Keycloak - An open source Identity and Access Management solution aimed at modern applications and services
FreeIPA - An integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System)
Microsoft Entra ID - A cloud-based identity and access management service that helps your employees sign in and access apps and resources
AWS IAM - A service that helps you securely control access to AWS resources
AWS Security Token Service (STS) - A web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
Amazon Cognito - A service that lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily
Auth0 - A flexible, drop-in solution to add authentication and authorization services to your applications
Athenz - An open source platform for X.509 certificate-based service authentication and fine-grained access control in dynamic infrastructures
Directory service - A software system that stores, organizes, and provides access to directory information
LDAP - An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network
OpenLDAP - A free, open source implementation of the Lightweight Directory Access Protocol (LDAP)
Authentication - The act of proving an assertion, such as the identity of a computer system user
Basic authentication - A method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request
JSON Web Token (JWT) - A proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims
WS-Federation - A specification that defines how to request and receive security tokens from web services, and how to manage trust relationships
FIDO2 (Fast Identity Online 2) - The overarching term for a set of specifications that enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments
Relying party - The website or online service that wants to verify a user's identity (e.g., your bank's website)
Authenticator - The device or software that securely stores cryptographic keys and performs authentication for the user
Client - The software on the user's device, typically a web browser or operating system component, that communicates between the Relying Party and the Authenticator
WebAuthn - An API for accessing Public Key Credentials
CTAP - A protocol that enables an external authenticator to communicate with a client platform
Passkeys - A phishing-resistant replacement for passwords
SPIRE (SPIFFE Runtime Environment) - A production-ready implementation of the SPIFFE APIs that performs node and workload attestation in order to securely issue SVIDs to workloads
Authorization - The function of specifying access rights or privileges to resources; a core part of access control in information and computer security
OAuth 2.0 roles
Resource owner - the user who owns the data or resources that are being accessed
Resource server - the server that hosts the protected resources
Client - an application or service that wants to access the resources on behalf of the resource owner
Authorization server - the server that issues access tokens to the client
Permify - An open-source authorization service that helps you to create any kind of authorization system easily with its panel and API
Azure Shared Access Signature (SAS) - A signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters
Linux Fine-grained Access Control
Linux capabilities - The distinct units into which the privileges traditionally associated with the superuser are divided
Linux Mandatory Access Control
SELinux - A mandatory access control (MAC) security system for the Linux operating system
AppArmor - An effective and easy-to-use Linux application security system
mkcert.org - A simple zero-config tool to make locally trusted development certificates with any names you'd like
Certifi - A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts
testssl.sh - A free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more
OpenSSL library - A robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication
stunnel - A proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code
Feluda - A Rust-based command-line tool that analyzes the dependencies of a project, notes down their licenses, and flags any permissions that restrict personal or commercial usage