Glossary
Cybersecurity Terms
Essential definitions to understand your web application security. Clear vocabulary, designed for SMB leaders and CTOs.
2FA/MFA (Multi-Factor Authentication)
An authentication method requiring at least two distinct proofs of identity: something you know (password), something you have (phone), or something you are (biometrics). MFA drastically reduces the risk of account compromise, even if a password is leaked.
AES (Advanced Encryption Standard)
A symmetric encryption algorithm adopted as a standard by NIST, used worldwide to protect sensitive data. AES operates with 128, 192, or 256-bit keys and is considered secure against all known attacks. It is used in TLS, disk encryption, and database protection.
AI Agent
An autonomous system using an LLM to make decisions, call tools, and execute tasks without direct human intervention. AI agents introduce specific risks: uncontrolled code execution, excessive data access, and manipulation via prompt injection. Their attack surface is proportional to the number of tools they can access.
ANSSI (French National Cybersecurity Agency)
France's national cybersecurity authority, reporting to the SGDSN. ANSSI publishes best practice guides, certifies security providers, and coordinates major incident response in France. Its recommendations (IT hygiene guide, SecNumCloud) are the reference for French SMBs looking to structure their security.
API (Application Programming Interface)
An interface that allows two software systems to communicate with each other. REST and GraphQL APIs are the primary targets of web security audits because they directly expose data and business logic. A poorly secured API is often the most critical attack vector.
APT (Advanced Persistent Threat)
A sophisticated and prolonged cyberattack, typically conducted by a state-sponsored group, targeting a specific organization. APTs combine social engineering, zero-day exploitation, and lateral movement to maintain persistent network access. Groups like APT28 (Russia) and Lazarus (North Korea) are among the most active.
BOLA (Broken Object Level Authorization)
The #1 flaw in the OWASP API Security Top 10, corresponding to insufficient access control at the object level. BOLA is the API version of IDOR: the attacker manipulates object identifiers in API requests to access other users' data. It is systematically tested during API security audits.
Clickjacking
An attack that tricks a user into clicking on an invisible or disguised element on a web page, triggering an unintended action. Clickjacking uses transparent overlapping iframes to deceive users. Protection relies on the X-Frame-Options header and the frame-ancestors CSP directive.
Client security questionnaire
A set of questions sent by a prospect or client before signature to assess a SaaS provider's security posture. In HR software, these questionnaires often focus on data separation, authentication, logging, backups, subprocessors, and security testing.
CNIL (Commission Nationale de l'Informatique et des Libertés)
The French data protection authority responsible for enforcing the GDPR in France. CNIL can conduct inspections, issue formal notices, and impose fines. In 2025, it imposed a record 487 million euros in penalties.
Command Injection
A vulnerability that allows executing arbitrary system commands on the server through unsanitized user input. Command injection occurs when an application passes user data directly to a system shell (exec, system, popen). It gives full server access and constitutes a critical flaw.
Container Escape
An attack that breaks out of a container's isolated environment to access the underlying host system. Container escape exploits vulnerabilities in the runtime (runc, containerd) or misconfigurations (privileged mode, excessive capabilities). It is particularly critical in multi-tenant cloud environments.
CORS (Cross-Origin Resource Sharing)
A browser security mechanism that controls which domains can access an API's resources. An overly permissive CORS configuration (Access-Control-Allow-Origin: *) on authenticated endpoints can expose sensitive data. CORS policy review is part of every application security audit.
CSP (Content Security Policy)
An HTTP security header that defines allowed sources for loading scripts, styles, images, and other resources in a web page. CSP is the primary defense against XSS attacks by preventing execution of unapproved scripts. A poorly configured CSP (unsafe-inline, wildcards) provides little real protection.
CSRF (Cross-Site Request Forgery)
An attack that forces an authenticated user to perform an unwanted action on a web application. CSRF exploits the trust a site places in the user's browser. Protections include anti-CSRF tokens and the SameSite cookie attribute.
CVE (Common Vulnerabilities and Exposures)
A unique identifier assigned to each publicly known security vulnerability (e.g., CVE-2024-XXXXX). CVEs allow security teams to reference and track flaws unambiguously. The CVE database is maintained by MITRE.
CVSS (Common Vulnerability Scoring System)
A standardized system for scoring vulnerability severity from 0 to 10. The CVSS score accounts for exploitation complexity and impact on confidentiality, integrity, and availability. It is used in all professional audit reports.
CWE (Common Weakness Enumeration)
A community-driven catalog of software and hardware weakness types. Each CWE describes a vulnerability pattern (e.g., CWE-79 for XSS, CWE-89 for SQL injection). It enables standardized classification and comparison of security flaws.
DAST (Dynamic Application Security Testing)
A security testing method that analyzes a running application by simulating attacks from the outside. DAST detects exploitable vulnerabilities in real conditions: misconfigurations, missing headers, injections. It complements SAST by finding flaws that are only visible at runtime.
Data Poisoning
An attack that corrupts the training or indexing data of an AI model to alter its behavior. Data poisoning can bias LLM responses, bypass guardrails, or introduce backdoors. This threat is particularly relevant for RAG systems and models fine-tuned on enterprise data.
Defense in Depth
A security strategy that layers multiple independent controls to protect a system. Defense in depth combines WAF, CSP, input validation, encryption, and monitoring so that a single flaw is not enough to compromise the whole. It is a fundamental principle recommended by ANSSI and NIST.
Dependency Confusion
A supply chain attack that exploits package name resolution to substitute an internal dependency with a malicious package published on a public registry. Dependency confusion hit Apple, Microsoft, and PayPal in 2021 via npm, PyPI, and RubyGems. Protection involves package scoping, private registries, and source verification.
Deserialization Attack
An attack that exploits the process of converting serialized data into objects to execute malicious code. Insecure deserialization can lead to remote code execution, privilege escalation, or denial of service. It is listed in the OWASP Top 10 and particularly affects Java, PHP, and Python applications.
DevSecOps
An approach that integrates security into every stage of the software development lifecycle, from design to deployment. DevSecOps automates security testing (SAST, DAST, SCA) in CI/CD pipelines to detect vulnerabilities as early as possible. This approach reduces remediation costs and accelerates secure production releases.
DORA (Digital Operational Resilience Act)
A European regulation on digital operational resilience for the financial sector, applicable from January 2025. DORA requires financial entities to test their resistance to cyberattacks, manage third-party risks, and report major incidents.
Employee data
The set of personal data handled by HR software: identity, contract details, salary, supporting documents, evaluations, absences, bank details, or disciplinary information. Exposure of this data creates immediate compliance, reputation, and client-trust risk.
External Review
A read-only security audit methodology that causes no modification or disruption to the target system. A external review analyzes configuration, headers, exposed endpoints, and publicly accessible code. This is CleanIssue's primary approach: zero disruption, results within 48 hours.
GDPR (General Data Protection Regulation)
A European regulation governing the collection and processing of personal data, in effect since May 2018. The GDPR imposes strict obligations on companies: consent, right of access, breach notification within 72 hours. Penalties can reach 4% of global annual revenue.
GDPR Article 32 (Security of Processing)
A GDPR article that requires data controllers to implement appropriate technical and organizational measures to ensure personal data security. Article 32 cites encryption, pseudonymization, system resilience, and regular testing as expected measures. It is the legal basis invoked by CNIL when sanctioning security failures.
Hash Function
A mathematical function that transforms data of any size into a fixed-size fingerprint, irreversibly. Hash functions (SHA-256, bcrypt, Argon2) are used for password storage, integrity verification, and signatures. MD5 and SHA-1 are considered obsolete and should no longer be used for security functions.
HDS (Health Data Hosting)
A mandatory certification in France for any host processing personal health data. HDS certification guarantees enhanced security: encryption, traceability, and business continuity planning. It is issued by organizations accredited by COFRAC.
HMAC (Hash-based Message Authentication Code)
A cryptographic mechanism that combines a hash function with a secret key to verify the integrity and authenticity of a message. HMAC is used to sign webhooks, validate JWTs, and protect API communications. It is the recommended standard for verifying that a request has not been tampered with in transit.
HRIS security audit
A security review focused on HR software or an HRIS to assess access control, roles, exports, documents, APIs, webhooks, and tenant separation. The goal is to spot real exposure paths before an incident, a client audit, or a compliance request.
HRIS segmentation
The principle of strictly separating data and permissions between companies, subsidiaries, HR teams, managers, and employees in an HRIS. Weak segmentation can let one client, manager, or employee access information that does not belong to them.
HSTS (HTTP Strict Transport Security)
An HTTP header that forces the browser to use only HTTPS when communicating with the server. HSTS protects against downgrade attacks and SSL stripping by preventing any unencrypted HTTP connection. It is recommended to include the preload directive for protection from the very first visit.
IAM (Identity and Access Management)
A set of processes and technologies for managing digital identities and controlling who accesses which resources. IAM covers authentication, authorization, role management, and account provisioning. Poor IAM configuration (overly permissive roles, no MFA) is one of the leading causes of cloud compromise.
IDOR (Insecure Direct Object Reference)
An access control vulnerability where a user can access other users' resources by modifying an identifier in the request (numeric ID, UUID). IDORs are common in REST APIs and allow viewing, modifying, or deleting other users' data. It is one of the most frequently found flaws during SMB audits.
Input Validation
The process of verifying and sanitizing all user-supplied data before it is processed by the application. Input validation is the first line of defense against SQL injection, XSS, command injection, and other injection attacks. It must be applied server-side, as client-side validation is easily bypassed.
ISO 27001
An international standard that defines requirements for an information security management system (ISMS). ISO 27001 certification demonstrates that an organization manages its security risks in a structured and continuous manner. It is increasingly required by enterprise clients and in procurement processes, including for SMBs.
Jailbreak (AI Guardrail Bypass)
A technique aimed at circumventing the restrictions and guardrails of an LLM to make it produce forbidden or dangerous content. Jailbreaks exploit flaws in the model's alignment through carefully crafted prompts. For businesses, a successful jailbreak on a chatbot can expose internal data or produce harmful responses.
JWT (JSON Web Token)
An open standard for securely transmitting information between two parties as a signed JSON token. JWTs are widely used for authentication and authorization in APIs and SPAs. Common mistakes include missing signature verification, the none algorithm vulnerability, and weak signing secrets.
Kubernetes Security
The set of practices for securing Kubernetes clusters: network policies, RBAC, Pod Security Standards, image scanning, and runtime monitoring. Kubernetes introduces a complex attack surface with its APIs, secrets, service accounts, and inter-pod communications. Common misconfigurations (overly permissive RBAC, plaintext secrets) expose production data.
LDAP Injection
An attack that manipulates LDAP queries by injecting special characters into input fields. LDAP injection can bypass authentication, access directory information, or modify entries. It affects applications that use LDAP or Active Directory for identity management.
LFI (Local File Inclusion)
A vulnerability that allows an attacker to read or include local server files by manipulating request parameters. LFI can expose source code, configuration files containing secrets, or system logs. Combined with other flaws, it can lead to remote code execution.
LLM (Large Language Model)
An artificial intelligence model trained on vast text corpora, capable of understanding and generating natural language. LLMs (GPT, Claude, Mistral) are increasingly integrated into enterprise applications, creating new attack surfaces. Their security requires attention to prompt injection, data leakage, and hallucinations.
Mass Assignment
A vulnerability that allows an attacker to modify object fields that should not be accessible by adding unexpected parameters to the request. Mass assignment can enable privilege escalation (adding an admin role) or modification of sensitive data. Common in frameworks like Laravel, Rails, and Django.
MCP (Model Context Protocol)
A standardized protocol that enables LLMs to connect to external tools, APIs, and databases in a structured way. MCP expands AI agent capabilities but creates new attack surfaces: unauthorized data access, command execution, and exfiltration. Security auditing of MCP configurations has become essential in 2026.
MFA Fatigue
An attack technique that bombards a user with MFA push notifications until they accept one out of frustration or by mistake. MFA fatigue was used in the Uber and Cisco compromises in 2022. Countermeasures include number matching, limiting attempt count, and FIDO2 keys.
NIS2 (Network and Information Security Directive)
A European directive strengthening cybersecurity obligations for essential and important entities. NIS2 expands the scope of NIS1 to new sectors (health, energy, transport, digital) and mandates risk management measures and incident notification.
NTLM Relay
A network attack that intercepts and relays NTLM authentication to impersonate a user on another service. NTLM relay exploits weaknesses in Microsoft's NTLM authentication protocol, still widely used in Active Directory environments. This technique is commonly employed during internal penetration tests.
Open Redirect
A vulnerability that allows an attacker to redirect a user to a malicious site via an unvalidated URL parameter. Open redirects are exploited in phishing campaigns because the initial URL appears legitimate. They can also serve as a stepping stone to bypass SSRF filters.
OWASP (Open Web Application Security Project)
A nonprofit organization that produces globally recognized application security frameworks. The OWASP Top 10 is the definitive list of the most critical web vulnerabilities. CleanIssue structures its audits around this methodology.
Pass-the-Hash
An attack technique that uses a user's password hash (without knowing the plaintext) to authenticate on other services. Pass-the-hash is possible when systems accept the NTLM hash as proof of authentication. It is a major vector for lateral movement in Windows enterprise networks.
Path Traversal (Directory Traversal)
An attack that exploits insufficient file path validation to access files outside the authorized directory. Path traversal uses sequences like ../ to navigate up the server's file system. It can expose configuration files, private keys, or application source code.
Payroll software security audit
A focused audit of the flows, roles, documents, and APIs of a payroll product. It checks whether payslips, exports, compensation data, and privileged access are properly protected and correctly separated between clients and users.
PCI-DSS (Payment Card Industry Data Security Standard)
A security standard for any company processing payment card data. PCI-DSS imposes 12 requirements covering network security, encryption, access control, and monitoring. Non-compliance exposes businesses to fines and loss of payment processing rights.
Pentest (Penetration Testing)
An authorized attack simulation designed to identify exploitable vulnerabilities in a system. Unlike a external review, a pentest involves active exploitation attempts. It requires prior written authorization and a defined scope.
Principle of Least Privilege
A security principle that grants each user, process, or system only the minimum permissions necessary for its function. Least privilege reduces the attack surface and limits the impact of a compromise. Its rigorous application is essential for RLS policies, IAM roles, and API permissions.
Prompt Injection
An attack that manipulates a large language model (LLM) by injecting malicious instructions into the data it processes. Prompt injection can force a chatbot to ignore its guidelines, leak confidential data, or perform unauthorized actions. It is the #1 flaw in the OWASP LLM Security Top 10.
Prototype Pollution
A JavaScript-specific vulnerability that allows modifying the prototype of global objects, affecting the behavior of the entire application. Prototype pollution can lead to authentication bypasses, XSS injections, or code execution. It is common in Node.js applications using insecure deep merge functions.
Race Condition
A vulnerability that occurs when the outcome of an operation depends on the execution order of concurrent processes. Race conditions can bypass balance limits, duplicate transactions, or circumvent authorization checks. They are particularly critical in payment systems and fintech APIs.
RAG (Retrieval-Augmented Generation)
An architecture that enriches LLM responses by integrating data retrieved from an external knowledge base. RAG is used to create enterprise chatbots that can answer questions about internal documents. Risks include indirect prompt injection via indexed documents and confidential data leakage.
Ransomware
Malicious software that encrypts a victim's data and demands a ransom for decryption. Modern ransomware practices double extortion: data encryption and threat of publication. SMBs are prime targets because they rarely have offline backups and incident response plans.
Rate Limiting
A defense mechanism that limits the number of requests a user or IP address can send within a given time window. Rate limiting protects against brute force, credential stuffing, and API abuse. Its absence is one of the most common flaws in SMB APIs, often exploited for account enumeration.
RCE (Remote Code Execution)
A vulnerability that allows an attacker to execute arbitrary code on a remote server without physical access. RCE is considered one of the most critical flaws because it gives full control over the target system. Recent CVEs in Log4j, Laravel, and Confluence illustrate the scale of this risk.
Recruiting security
The set of security controls applied to recruiting software or an ATS: protection of resumes, attachments, internal notes, recruiter access, candidate portals, and third-party integrations. It matters because candidate data often moves across several teams and providers.
RFI (Remote File Inclusion)
A vulnerability that allows including a remotely hosted file in an application's execution. RFI directly enables remote code execution by injecting a malicious script. This flaw is primarily found in poorly configured PHP applications.
RLS (Row Level Security)
A database access control mechanism at the row level. RLS restricts which data each user can see, directly at the database layer. It is an essential building block for applications using Supabase or PostgreSQL.
RSA (Rivest-Shamir-Adleman)
An asymmetric encryption algorithm based on the difficulty of factoring large prime numbers. RSA is used for key exchange, digital signatures, and TLS certificates. RSA keys of at least 2048 bits are required for adequate security in 2026.
Sandboxing
An isolation technique that executes a program or process in a restricted environment to limit damage in case of compromise. Sandboxing is used in browsers, Docker containers, and serverless functions to confine potentially dangerous code. It is an essential layer of defense in depth.
SAST (Static Application Security Testing)
A security testing method that analyzes source or compiled code without executing the application. SAST detects vulnerabilities such as injections, XSS, and secret leaks directly in the code. It integrates into CI/CD pipelines and complements DAST, which tests the running application.
Secrets Management
Practices and tools for securely storing, distributing, and rotating sensitive information (API keys, tokens, passwords). Secrets management prevents exposing credentials in source code, plaintext environment variables, or logs. Tools like HashiCorp Vault, AWS Secrets Manager, or Doppler are used for this purpose.
SOC 2 (System and Organization Controls)
An audit framework developed by the AICPA that evaluates security, availability, integrity, and confidentiality controls of a service provider. The SOC 2 Type II report is often required by American clients or SaaS companies to prove security posture maturity. It complements ISO 27001 in the international market.
Social Engineering
A set of psychological manipulation techniques used to trick individuals into disclosing confidential information or granting unauthorized access. Social engineering includes phishing, pretexting, vishing, and tailgating. It is the initial attack vector in over 80% of breaches, according to the Verizon DBIR report.
SQL Injection
An attack technique that injects malicious SQL code into an application's queries. SQL injection can allow reading, modifying, or deleting data, or even taking control of the server. It is historically the #1 vulnerability in the OWASP ranking.
SSRF (Server-Side Request Forgery)
Attack that tricks the server into making requests to internal or external systems from its own network position. SSRF often leads to exposure of cloud metadata (AWS IMDS), internal services, or databases. Common in features that accept user-supplied URLs (webhooks, image previews, exports).
SSTI (Server-Side Template Injection)
A vulnerability that allows injecting code into server-side template engines (Jinja2, Twig, Blade). SSTI occurs when user data is inserted directly into a template without sanitization. It can lead to file reading, system command execution, and full server compromise.
Supabase RLS policy
A Row Level Security rule defined in PostgreSQL/Supabase to restrict which rows can be read or modified. In HR SaaS, an incomplete RLS policy can expose other clients', teams', or employees' data even when the frontend looks properly separated.
Supply Chain Attack
An attack that targets software dependencies, build tools, or CI/CD processes to compromise an application upstream of its distribution. Supply chain attacks (SolarWinds, xz-utils, event-stream) affect thousands of organizations simultaneously. Dependency verification and code signing are the primary defenses.
TLS (Transport Layer Security)
A cryptographic protocol that secures internet communications by encrypting data exchanged between a client and server. TLS (successor to SSL) protects against interception, modification, and spoofing of data in transit. TLS 1.3, recommended since 2018, offers improved performance and stronger security.
Vibe Coding (AI-Assisted Programming)
A development practice where code is generated almost entirely by an LLM (Cursor, Lovable, Bolt) with minimal human oversight. Vibe coding produces functional applications that are often riddled with vulnerabilities: missing RLS, hardcoded secrets, client-side-only validation. Studies show that 62% of vibe-coded applications contain critical flaws.
WAF (Web Application Firewall)
An application firewall that filters and monitors HTTP traffic between the internet and a web application. A WAF protects against common attacks (XSS, SQL injection, CSRF) by analyzing requests in real time. It does not replace fixing vulnerabilities in the code.
Webhook
An HTTP callback mechanism that allows one application to send real-time notifications to another. Webhooks must be secured with HMAC signatures to guarantee request authenticity. An unverified webhook can be exploited to inject fraudulent data.
XPath Injection
An attack that injects malicious XPath expressions into XML navigation queries. XPath injection can bypass authentication or extract sensitive data from XML documents. It is analogous to SQL injection but targets XML databases and configuration files.
XSS (Cross-Site Scripting)
An attack that injects malicious scripts into a web page viewed by other users. XSS can steal sessions, redirect users, or modify displayed content. It is one of the most common vulnerabilities in the OWASP Top 10.
XXE (XML External Entity)
A vulnerability that exploits XML document processing to read local files, make network requests, or cause denial of service. XXE injection occurs when an XML parser accepts external entities without restriction. It is particularly dangerous in SOAP APIs and file import features.
Zero Trust
A security model that assumes no user, device, or network should be trusted by default. Zero trust requires systematic verification of identity and context for every access request, even from the internal network. This model is progressively replacing the traditional perimeter-based approach in modern architectures.
Need an external review of your HR SaaS?
Share your product, stack, and client context. We will come back with the right review scope.
Discuss your audit