SANS Top 25

AI Bias

Systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others.

AI Data Governance

AI data governance involves the management of data quality, legality, and ethical standards to ensure responsible AI deployment.

AI Governance

AI Governance involves the systematic framework that oversees the ethical design, development, and implementation of AI technologies to ensure accountability, transparency, and fairness.

AI Impact Assessment

AI Impact Assessment is a critical process that evaluates the potential effects and implications of AI technologies on society, the environment, and the economy.

AI Inventory

Comprehensive cataloging and management of all artificial intelligence systems, models, datasets, and related resources within an organization.

AI Red Teaming

Security practice where experts simulate attacks on AI systems to identify vulnerabilities, assess their robustness, and improve their resilience against real-world threats.

AI Security Posture Management

Continuously monitoring, assessing, and improving the security measures and defenses of AI systems to ensure they are protected against threats and vulnerabilities.

AI Supply Chain Security

Safeguarding the integrity and security of AI systems and their components throughout the supply chain, from development to deployment, to prevent vulnerabilities and ensure trustworthiness.

API Security

Protecting Application Programming Interfaces (APIs) from vulnerabilities, ensuring secure data exchange, and preventing unauthorized access or malicious activities.

Application Security Posture Management (ASPM)

Tools and processes for continuously monitoring, assessing, and improving the security posture of software applications throughout their development lifecycle, with a focus on identifying, assessing, and mitigating vulnerabilities and risks associated with applications to ensure they remain secure against potential cyber threats.

Application Security Testing

Evaluating applications to identify and mitigate security vulnerabilities, ensuring that they are secure against threats and comply with security standards.

Artifact Repository

A storage location for software artifacts, including binaries and dependencies, used in the development and deployment process.

Audit Trail

A chronological record of all activities and changes that have occurred in a system or process, ensuring transparency and accountability.

Automated Security Testing

The use of automated tools and processes to continuously test applications for security vulnerabilities throughout the development lifecycle.

Bug Bounty

A a program that rewards individuals for finding and reporting security vulnerabilities in an organization's software, encouraging proactive identification and resolution of potential security issues.

CISA Known Exploited Vulnerabilities (KEV)

List compiled by the US Cybersecurity and Infrastructure Security Agency which identifies vulnerabilities confirmed as being exploited in the wild.

Code Repository

A storage location for source code, often using version control systems like Git.

Common Vulnerabilities and Exposures (CVE)

A list of publicly know vulnerabilities maintained by NIST.

Common Vulnerability Scoring System (CVSS)

A standardized, repeatable, and vendor agnostics method to compare application vulnerabilities.

Common Weakness Enumeration (CWE)

A community-developed list of common software and hardware weaknesses, which could introduce vulnerabilities.

Compliance

Adhering to industry standards, regulations, and best practices to ensure that applications meet legal and security requirements

Compliance Audit

A comprehensive review of an organization's adherence to regulatory guidelines.

Compliance Risk

The potential for losses or legal penalties due to violations of laws, regulations, or prescribed practices.

Container

A lightweight, standalone executable package of software that includes everything needed to run it, ensuring consistency across environments.

Contextual Risk Engine (CoRE)

AppSOC�s proprietary technology for prioritizing security issues based on severity, exploitability, and business context.

Continuous Integration/Continuous Deployment (CI/CD)

A practice that automates the integration and deployment of code changes, enabling frequent and reliable updates to applications.

Continuous Threat Exposure Management (CTEM)

A proactive and continuous program to monitor, evaluate, and reduce levels of exploitability and validate analysis and remediation processes.

Data Privacy

The aspect of information technology that deals with the ability of an organization or individual to determine what data can be shared with third parties.

Dependency

External code libraries or modules that a software project relies on to function properly.

Dependency Resolution

The process of determining and fetching the correct versions of dependencies for a software project.

DevOps

A methodology that combines software development (Dev) and IT operations (Ops) to shorten the development lifecycle, deliver high-quality software continuously, and improve collaboration between development and operations teams.

DevSecOps

An approach that integrates security practices into the DevOps process, ensuring that security is incorporated at every stage of the software development lifecycle to enhance the overall security posture of applications.

Dynamic Application Security Testing (DAST)

A testing method that analyzes applications in their running state to identify vulnerabilities by simulating external attacks.

Endpoint Detection and Response (EDR)

A system that monitors and analyzes endpoint activities to detect, investigate, and respond to security incidents in real-time.

Exploit Prediction Scoring System (EPSS)

A process developed by First.org for estimating the likelihood that a software vulnerability will be exploited in the wild.

False Negative

A failure to detect an actual vulnerability or threat, leading to a potential security risk remaining unaddressed.

False Positive

A security alert that incorrectly indicates the presence of a vulnerability or threat when none exists.

General Data Protection Regulation (GDPR)

European Union regulation that mandates strict data privacy and security measures for protecting personal data, giving individuals greater control over their personal information.

Generative Artificial Intelligence (Gen AI)

Artificial intelligence systems that create new content, such as text, images, or music, by learning patterns from existing data, exemplified by models like OpenAI's GPT-4.

Health Insurance Portability and Accountability Act (HIPAA)

U.S. law that sets national standards for the protection of sensitive patient health information, ensuring that such information is kept confidential and secure, particularly in electronic form.

Incident Management

The process used to manage the lifecycle of incidents to ensure that normal service operation is restored as quickly as possible.

Incident Response

The process of identifying, managing, and mitigating security incidents to minimize their impact on the organization.

Infrastructure as Code (IaC)

The ability to provision and support computing infrastructure using code instead of manual processes and settings.

Integrity Check

Verification that software has not been altered or tampered with.

Internal Audit

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Key Risk Indicators (KRIs)

Metrics used to provide an early signal of increasing risk exposures in various areas of an enterprise.

LLMOps

Practices and tools used to deploy, manage, and maintain large language models (LLMs) efficiently and effectively.

Large Language Models (LLM)

Advanced AI systems, such as OpenAI's GPT-4, that generate human-like text by processing and understanding vast datasets, enabling applications from automated customer service to content creation.

License Compliance

Ensuring that software components comply with licensing agreements and open-source licenses.

MITRE ATLAS

A knowledge base that catalogs the tactics, techniques, and case studies of adversarial attacks on machine learning (ML) and artificial intelligence (AI) systems to help organizations understand and mitigate these threats.

MITRE ATT&CK

Knowledge base of adversary tactics and techniques based on real-world observations, used as a foundation for developing threat models and methodologies in the cybersecurity community.

MLOps

The practice of deploying, managing, and monitoring machine learning models in production to ensure they operate efficiently and effectively.

Model Deployment

The process of integrating a machine learning model into a production environment where it can make predictions on new data and deliver business value.

Model Fuzzing

Testing technique used to identify vulnerabilities and weaknesses in machine learning models by inputting random, unexpected, or malformed data to observe how the model responds.

Model Monitoring

Continuously tracking the performance, accuracy, and behavior of deployed machine learning models to ensure they operate correctly and efficiently over time.

Model Scanning

The process of analyzing machine learning models for vulnerabilities, biases, and compliance with security and ethical standards to ensure they are safe and reliable for deployment.

Model Serving

The process of deploying machine learning models into production environments where they can process real-time data and generate predictions or insights.

Model Supply Chain Security

Protecting the integrity and security of machine learning models throughout their development, deployment, and operational lifecycle to prevent tampering, unauthorized access, and vulnerabilities.

National Institute of Standards and Technology (NIST)

An agency of the US Department of Commerce whose mission is to promote American innovation and industrial competitiveness

National Vulnerability Database (NVD)

U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

OWASP LLM Top 10

List of the most critical security risks associated with large language models (LLMs), providing guidance for identifying, understanding, and mitigating these vulnerabilities to enhance the security and integrity of AI systems.

OWASP Top 10

A standards list from the non-profit Open Worldwide Application Security Project representing a broad consensus about the most critical security risks to web applications.

Open Source Software (OSS)

Software that is released with a license allowing anyone to view, modify, and distribute the source code.

Package Manager

A tool that automates the process of installing, upgrading, configuring, and removing software packages.

Patch Management

The process of distributing and applying updates to software to fix vulnerabilities and improve functionality.

Penetration Testing

A simulated cyberattack against an application to identify security weaknesses that could be exploited by malicious actors.

Personally Identifiable Information (PII)

Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Prompt Injection

A type of attack where malicious input is crafted to manipulate or alter the behavior of an AI system, particularly those using natural language processing (NLP) models.

Provenance

The history and origin of software components, tracking their creation, modification, and distribution.

Regulatory Compliance

The act of following relevant laws, regulations, and guidelines set by governing bodies to operate within legal frameworks.

Regulatory Framework

A set of standards and principles that guide the operations and governance of an organization within its industry.

Remediation

The process of correcting or mitigating identified security vulnerabilities to protect applications from potential threats.

Risk Appetite

The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.

Risk Assessment

The systematic process of evaluating potential risks that may be involved in a projected activity or undertaking.

Risk Management

The process of identifying, assessing, and prioritizing risks followed by coordinated efforts to minimize, monitor, and control the impact of unfortunate events.

Risk Mitigation

The steps taken by an organization to reduce the impact and likelihood of a risk occurring.

Risk Scoring

The process of evaluating and assigning a score to vulnerabilities based on their severity, exploitability, and potential impact on the organization.

Risk-Based Vulnerability Management (RBVM)

A process to identify and remediate vulnerabilities that pose the greatest risk to an organization.

Security Architecture Review

A continuous process, often initiated early in SDLC, to review security controls present within the architecture of a system or application.

Security Assessment

A comprehensive evaluation of an application's security posture, including vulnerability scans, penetration tests, and compliance checks.

Security Baseline

A set of minimum security standards and configurations that must be met to ensure an acceptable level of security for applications.

Security Configuration Management

The practice of ensuring that applications and systems are configured securely, following best practices and organizational policies.

Security Information and Event Management (SIEM)

A system that collects, analyzes, and reports on security-related data from various sources to provide a comprehensive view of an organization's security posture.

Security Maturity

The level of development and capability an organization has in implementing, managing, and continuously improving its security practices and controls to protect against threats and vulnerabilities.

Security Orchestration, Automation, and Response (SOAR)

A set of tools and processes designed to automate and streamline security operations, including incident response and threat management.

Security Policy

A set of rules and practices that govern how an organization protects its information and IT assets.

Security Vulnerability

A weakness in a system, application, or network that can be exploited by attackers to gain unauthorized access, cause disruptions, or steal sensitive information.

Shadow AI

Shadow AI refers to the use of artificial intelligence systems and tools within an organization without explicit approval or oversight by its central IT or AI department.

Shift Left

The practice of performing testing earlier in the software development lifecycle to identify and fix issues promptly.

Software Bill of Materials (SBOM)

A comprehensive list of components, libraries, and dependencies used in software development.

Software Composition Analysis (SCA)

A process that identifies and manages open source and third-party components within an application, ensuring they are secure and compliant with licensing requirements.

Software Supply Chain Security

Process of protecting the entire lifecycle of software, from development through deployment and maintenance, to prevent vulnerabilities and ensure the integrity, authenticity, and security of software components.

Software Supply Chain Vulnerability

Potential security weaknesses within the processes and components involved in developing, managing, and distributing software, which can be exploited by malicious actors.

Static Application Security Testing (SAST)

A testing method that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program.

Threat Modeling

The process of identifying, categorizing, and evaluating potential threats to an application to develop strategies for mitigating those threats.

Threat and Vulnerability Management

A proactive approach to identifying, assessing, and mitigating security threats and vulnerabilities within an organization's IT environment.

Unified Vulnerability Management

An comprehensive approach to cybersecurity, bringing together all the information about possible security gaps in an organization's network, software and systems.

Vulnerability Assessment

Systematically identifying, evaluating, and prioritizing security weaknesses in an organization's IT infrastructure, including networks, applications, and systems, to mitigate potential risks.

Vulnerability Detection

The process of identifying weaknesses and security flaws in an organization's systems, applications, and networks.