Key security terms and definitions. Plain language, no jargon walls.
CIS Benchmarks: Consensus-based configuration guidelines published by the Center for Internet Security (CIS). They provide prescriptive hardening recommendations for operating systems (Linux, Windows), cloud platforms (AWS, Azure, GCP), containers (Docker, Kubernetes), and applications. H2's CIS Agent automates compliance checks against these benchmarks.
DAST (Dynamic Application Security Testing): Security testing performed against a running application. DAST tools send requests to the application and analyze its responses for vulnerabilities such as SQL injection, XSS, and authentication flaws. Unlike SAST, DAST does not require access to the source code.
DevSecOps: The practice of integrating security into every phase of the software development lifecycle. Instead of treating security as a final gate before release, DevSecOps embeds automated testing, policy enforcement, and security review into CI/CD pipelines.
GitOps for security operations: The extension of GitOps principles to security operations. It brings supply chain security, SBOM generation, branch protection policies, signed commits, and dependency scanning into Git-based workflows, so that security controls are versioned and enforced the same way as code.
MITRE ATT&CK: A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Security teams use ATT&CK to map their defenses against known attack patterns, identify coverage gaps, and build detection rules.
Penetration Testing: A simulated cyberattack performed by authorized security professionals to identify exploitable vulnerabilities in systems, networks, and applications. It goes beyond automated scanning by using manual techniques and creative attack chains to demonstrate real-world impact.
Privilege Escalation: The act of exploiting a vulnerability, design flaw, or misconfiguration to gain elevated access to resources that are normally protected from an application or user. Horizontal escalation accesses other users' resources at the same privilege level; vertical escalation gains a higher privilege level (e.g., administrator).
SAST (Static Application Security Testing): Analysis of source code, bytecode, or binary code for security vulnerabilities without executing the program. SAST tools scan code for patterns such as hardcoded credentials, injection flaws, and insecure cryptography. It is best used early in development, before code reaches production.
SBOM (Software Bill of Materials): A formal, machine-readable inventory of the software components and dependencies in an application. SBOMs enable organizations to track known vulnerabilities in their supply chain, meet compliance requirements, and respond quickly when new CVEs are published.
SOC 2: A compliance framework developed by the AICPA for managing customer data, based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II audits evaluate the operating effectiveness of controls over a period of time.
WAF (Web Application Firewall): A security control that monitors, filters, and blocks HTTP traffic to and from a web application. WAFs protect against common attacks such as SQL injection, XSS, and request forgery. H2's Dome includes WAF capabilities as part of its edge security layer.
Zero Trust: A security model that assumes no implicit trust for any user, device, or network, even inside the corporate perimeter. Every access request must be verified, authorized, and encrypted. Its key principles are: verify explicitly, use least-privilege access, and assume breach.