New CS proposal: Security Definitions

[jmanico]

I find that even senior developers struggle with some security terminology. Encoding vs escaping vs serialization? Signatures vs encryption? Etc.

I suggest we build a cheatsheet that goes over security terminology that is critical to understanding other projects like the ASVS standard. It assumes developers have a basic security understanding.

[mackowski]

Love it!

[szh]

I think this is a great idea as well! Just to double check, are there any other OWASP projects that already have something like this? I know theres the CNCF Glossary which may be a good reference for this effort.

[Prasad-JB]

Hi @jmanico,

This cheatsheet idea sounds great — I can help compile and organize the glossary, referencing OWASP and CNCF sources to keep it consistent. Could you please assign me this issue so I can start drafting?

Thanks!

[jmanico]

This cheatsheet idea sounds great — I can help compile and organize the glossary, referencing OWASP and CNCF sources to keep it consistent. Could you please assign me this issue so I can start drafting?

Done!

[ajayojha]

@jmanico I have some suggestions.

I find that even senior developers struggle with some security terminology.

I agree. I think that providing only simple terminology definitions may not fully solve the problem. Developers can already get basic definitions from sources like ChatGPT by asking ex. “what is encoding”., But by asking a simple question they may not get below information:
I believe this below information would make this cheatsheet uniquely valuable is adding context around each term:

• Why the terminology is crucial in security.
• How misunderstandings or incorrect usage can lead to vulnerabilities.
• Real-world examples or common vulnerabilities reported due to misuse.
• Where developers should focus in their projects to apply the concept correctly.
• Practical use cases and best practices.

This is just a quick thought, if this is not align with your expectation then please ignore :).

[kwwall]

I think this is a great idea as well! Just to double check, are there any other OWASP projects that already have something like this? I know theres the CNCF Glossary which may be a good reference for this effort.

Not sure if there are other OWASP projects doing this, but speaking from experience (I attempted to do this first for a security class I taught and then later with an AppSec team at a former company until it became a maintenance headache), there are other good public security glossaries out there. I know that NSA has one and I think NIST does as well. And IEEE has one, but it's not limited to just security terminology.

My conclusion is it was just easier to link to someone else's definition than for our team of 5-7 AppSec engineer's to maintain our own. Also, if you link to something like the NSA glossary (if it's still a thing), very few are going to argue with the definition. If we write our own definitions, that's not going to be the case. Just sayin'.