Overview
Understanding cybersecurity terminology is fundamental to identifying, analyzing, and mitigating security vulnerabilities in software applications. This reference provides key definitions aligned with the NESA HSC Software Engineering Course requirements.
Core Cybersecurity Metalanguage
Attack Vector
The path or method a threat actor uses to reach and exploit one or more vulnerabilities in a system, for example a login form, an email attachment, or an exposed API endpoint. A single attack may chain several vectors and vulnerabilities together.
Vulnerability
A weakness in a system, hardware, or software that can be exploited by threat actors.
Exploit
The act of using a vulnerability to enter or compromise software or a system.
Threat Actor
A person or group with malicious intentions seeking to compromise systems or data.
Attack Methodologies
Brute Force Attacks
Brute force attacks use trial and error, usually automated and at high volume, to discover a credential or other secret by guessing until something works. Common examples include:
- Password cracking through dictionary attacks
- Testing multiple input combinations
- Automated credential stuffing
Brute force attacks can be mitigated through rate limiting, account lockouts, and multi-factor authentication. Storing passwords with a slow, salted hash (bcrypt, scrypt, Argon2 or PBKDF2) also raises the cost of every guess, and lockouts need to be designed so that an attacker who knows a username cannot use them to lock the legitimate user out.
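As an added example (not code from the Normo Unsecure PWA or the course materials), the following Python contrasts an unthrottled login check with one that enforces a per-account lockout, by running a constructed wordlist against both. The user store, the wordlist, the timestamps and the `AccountLockout`/`dictionary_attack` names are all invented for this illustration; passwords are hashed with PBKDF2 so that each guess costs real work.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List

ITERATIONS = 100_000  # PBKDF2 work factor: every guess costs the attacker this much too


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256) so each guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store for the example (not real accounts): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


def check_password(username: str, password: str) -> bool:
    """Bare credential check. On its own this is exactly what a brute-force attack exploits."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_unthrottled(username: str, password: str, now: float) -> str:
    """Weak: unlimited attempts, so a wordlist is simply tried until it succeeds."""
    return "ok" if check_password(username, password) else "denied"


class AccountLockout:
    """Per-account lockout: after max_failures wrong guesses the account is locked
    for lockout_seconds. `now` is passed in explicitly so behaviour is deterministic."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, List[float]] = {}  # username -> [failures, locked_until]

    def login(self, username: str, password: str, now: float) -> str:
        failures, locked_until = self._state.get(username, [0, 0.0])
        if now < locked_until:
            return "locked"  # refuse without even evaluating the password
        if check_password(username, password):
            self._state.pop(username, None)  # success clears the failure counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._state[username] = [0, now + self.lockout_seconds]
        else:
            self._state[username] = [failures, locked_until]
        return "denied"


# Constructed wordlist: the correct password is deliberately placed last.
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin", "welcome",
            "correct horse battery staple"]


def dictionary_attack(username: str, wordlist: List[str],
                      attempt: Callable[[str, str, float], str], now: float) -> Dict[str, int]:
    """Try every word in the list against `attempt` and tally the outcomes."""
    results = {"ok": 0, "denied": 0, "locked": 0}
    for word in wordlist:
        results[attempt(username, word, now)] += 1
    return results


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    print("unthrottled:", dictionary_attack("alice", WORDLIST, login_unthrottled, t0))
    guard = AccountLockout()
    print("with lockout:", dictionary_attack("alice", WORDLIST, guard.login, t0))
```

Against the unthrottled check the wordlist succeeds on its seventh guess; with the lockout in place the fifth failure locks the account and the remaining guesses, including the correct one, are refused until the window expires. The lockout on its own is also a denial-of-service lever (anyone who knows a username can trigger it), which is why it is normally paired with per-IP rate limiting and multi-factor authentication, and kept to a short window.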
Social Engineering
The use of deception to manipulate individuals into divulging confidential or personal information, or into taking an action (opening an attachment, approving a login) that benefits the attacker. Phishing is the most common form.
Phishing Attack Types
Phishing
A broad, untargeted attack that is ‘fishing’ for success by casting a wide net. Typically involves:
- Mass email campaigns
- Generic messages to large audiences
- Low success rate but high volume
- Minimal personalization
Spear Phishing
A targeted attack where the threat actor has personal knowledge of the victim. Characteristics include:
- Research-based personalization
- References to specific details about the victim
- Higher success rate due to credibility
- Often targets specific individuals or organizations
Whale Phishing (Whaling)
A targeted attack by a threat actor where the victim is known to have escalated authorisation in a system or software, so that a single compromised account yields broad access. These attacks:
- Target executives, administrators, or privileged users
- Aim to gain access to sensitive systems or data
- Often involve sophisticated social engineering
- Can result in significant organizational damage
Definitions Reference Table
The complete definitions table from the Normo Unsecure PWA project:
| Metalanguage | Definition |
|---|---|
| Attack vector | An approach to exploiting multiple vulnerabilities |
| Brute force | Use trial and error or bulk attempts to crack a system or software |
| Exploit | The act of using a vulnerability to enter or compromise software or system |
| Phishing | A wide base attack that is ‘fishing’ for success |
| Social engineering | Use of deception to manipulate individuals into divulging confidential or personal information |
| Spear phishing | A targeted attack where the threat actor has personal knowledge of the victim |
| Threat actor | A person or group with malicious intentions |
| Vulnerability | A weakness in a system, hardware or software |
| Whale phishing | A targeted attack by a threat actor where the victim is known to have escalated authorisation in a system or software |
Additional Security Terminology
Testing Approaches
White-box Testing: Testing with full knowledge of the application’s internal structure and source code.
Grey-box Testing: Testing with partial knowledge of the application’s internals, for example documentation or a low-privilege account but not the source.
Black-box Testing: Testing with no knowledge of the internal implementation, only the external interface an attacker would see.
Penetration Testing: Authorised, simulated attacks that find and demonstrate exploitable vulnerabilities; it can be performed in any of the three modes above.
Security Testing Types
SAST (Static Application Security Testing): Automated analysis of source code (or bytecode) without running the program, usually during development or the build, to identify insecure patterns such as queries assembled from user input.
DAST (Dynamic Application Security Testing): Testing the running application from the outside by sending requests and observing responses, with no need for access to the source code.
Vulnerability Assessment: Systematic review of security weaknesses in infrastructure, processes, and practices, typically producing a prioritised list of findings rather than demonstrating exploitation.
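As an added example of what a SAST tool does (not code from the Normo Unsecure PWA or from any real SAST product), the following Python uses the standard-library `ast` module to scan source for database `execute()`-style calls whose query text is assembled at run time from f-strings, concatenation, or `%`/`.format()` formatting, which is the coding pattern behind SQL injection. The sample source it scans, the `SqlSinkVisitor` class and the `scan_source` function are all constructed for this illustration.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample source for the scanner to analyse. It is written for this
# example and is not code from the Normo Unsecure PWA. Two functions build the
# query from user input; the third uses a parameterised query and is safe.
SAMPLE_SOURCE = '''
import sqlite3

def find_user_vulnerable(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE username = '{username}'")
    return cur.fetchone()

def find_user_concat(conn, username):
    cur = conn.cursor()
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    cur.execute(query)
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE username = ?", (username,))
    return cur.fetchone()
'''

SINK_METHODS = {"execute", "executemany", "executescript"}  # DB-API query sinks


def _has_str_literal(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str) for n in ast.walk(node))


def _builds_string_dynamically(node: ast.AST) -> bool:
    """True for f-strings, 'a' + b, 'a %s' % b and 'a {}'.format(b): text assembled at run time."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _has_str_literal(node)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return _has_str_literal(node.func.value)
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    """Flags execute()-style calls whose query argument is built dynamically,
    either inline or via a variable assigned a dynamically built string."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str, str]] = []  # (line, function, reason)
        self._function = "<module>"
        self._dynamic_names: Set[str] = set()  # names holding run-time-built strings

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved = (self._function, self._dynamic_names)
        self._function, self._dynamic_names = node.name, set()  # fresh scope per function
        self.generic_visit(node)
        self._function, self._dynamic_names = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        if _builds_string_dynamically(node.value):
            self._dynamic_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS and node.args:
            arg = node.args[0]
            if _builds_string_dynamically(arg):
                self.findings.append((node.lineno, self._function,
                                      "query built inline from run-time values"))
            elif isinstance(arg, ast.Name) and arg.id in self._dynamic_names:
                self.findings.append((node.lineno, self._function,
                                      f"query variable '{arg.id}' built from run-time values"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Parse Python source and return (line, function, reason) for each suspicious SQL sink."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for line, func, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line} in {func}: {reason}")
```

The scanner never executes the code it analyses, which is the defining property of static testing; a DAST tool would instead start the application and submit input such as `' OR '1'='1` to the login form and inspect the response. A heuristic like this one also produces false positives (a query concatenated only from string constants is still flagged), which is why SAST findings are triaged rather than treated as confirmed vulnerabilities.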
External Resources
OWASP Testing Guide
Comprehensive web application security testing resource
OWASP ZAP (zaproxy)
Open-source web application security scanner used for DAST and penetration testing
NESA Syllabus
NSW Software Engineering curriculum specifications
CyberChef
Data analysis and decoding toolkit
These definitions are specifically aligned with the NESA HSC Software Engineering Course specifications and support the security analysis of the Normo Unsecure PWA.
