The fundamental model guiding information security policies. All security objectives relate back to these three pillars:
Confidentiality: Protecting information from unauthorized access and disclosure. (e.g., encryption, access control lists).
Integrity: Ensuring the accuracy, completeness, and consistency of data throughout its lifecycle. (e.g., hashing, digital signatures).
Availability: Guaranteeing that authorized users can access the information and systems when needed. (e.g., backups, redundancy, fault tolerance).
A core security concept requiring that a user, process, or program component be granted only the minimum access rights or permissions necessary to perform its intended function.
Goal: To limit the blast radius of a successful compromise or error. If a process is compromised, it can only affect the resources it strictly needed.
A security framework centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. It requires verification from every person and device attempting to access resources on the network.
Motto: Never trust, always verify.
Key Action: Access decisions are made on a per-request basis, based on context, user identity, device posture, and risk scores.
These models define the rules and mechanisms for determining who is allowed to access which resources.
A security model where the owner of a resource is responsible for setting its permissions and deciding who can access it.
Key Feature: Access decisions are "discretionary," or left up to the resource owner. (e.g., setting file permissions on a local computer).
A security model where access rights are governed by a central authority (the system or an administrator), not the resource owner.
Key Feature: Access is strictly controlled based on security labels assigned to both the user (clearance) and the resource (classification). Often used in high-security environments.
Access permissions are assigned to roles (e.g., 'Administrator,' 'Editor,' 'Guest'), and users are assigned to those roles.
Benefit: Simplifies management; changing a role's permissions automatically updates access for all users assigned that role.
A dynamic access control model where access rights are granted based on a set of defined attributes or characteristics related to the subject (user), object (resource), action (read, write), and environment (time, location).
Benefit: Highly granular and flexible, allowing real-time context-aware decisions (e.g., "Allow access only to managers in the London office during business hours").
These are the technical mechanisms used to verify identity and manage the flow of permissions between users, applications, and services.
The traditional method where a user submits a username and password via a web form. The server validates the credentials, and if successful, issues a session cookie to the user.
An authentication scheme that allows a user to log in with a single set of credentials and access multiple applications or services within the same security domain without re-authenticating.
An authorization framework that allows a third-party application (Client) to obtain limited access to an HTTP service (Resource Server) on behalf of a user (Resource Owner).
Key Function: Grants permissions (authorization), not identity. It uses access tokens to manage delegated authority.
A simple identity layer built on top of the OAuth 2.0 protocol.
Key Function: Provides authentication by verifying the end-user's identity and providing basic profile information in an interoperable ID Token (a JWT). OIDC is often the preferred method for implementing SSO.
A vulnerability that occurs when an attacker interferes with the queries that an application makes to its database. This often allows the attacker to view, modify, or delete data they are not authorized to access.
A vulnerability that allows attackers to inject client-side scripts (usually JavaScript) into web pages viewed by other users. This can be used to hijack user sessions, deface websites, or redirect the user to malicious sites.
An attack that forces an authenticated user to submit a malicious request to a web application they are currently logged into. This can trick the user into performing actions without their consent (e.g., changing their password or making a money transfer).
A one-way mathematical function that converts an input of any size (data, password) into a fixed-size, unique string of characters (the hash). It is used for integrity verification and secure password storage.
Encryption where the same key is used both for encrypting the plaintext and decrypting the ciphertext. It is very fast and commonly used for bulk data encryption (e.g., AES).
Encryption that uses a pair of keys: a public key (shared freely) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the corresponding private key. Used for secure key exchange and digital signatures.
A structured approach for identifying, understanding, and mitigating potential threats to an application. It answers the question: "What can go wrong, and what should we do about it?" Threat modeling is typically performed early in the design phase.
The practice of writing source code that is free of vulnerabilities. This includes proper input validation, output encoding, error handling, and using secure functions/libraries.