Security glossary
Plain-English definitions of every security term you will hit. Each entry links to the guides, CVEs, and tools that are most relevant.
authz
A vulnerability where an API exposes an object by its identifier without verifying that the requesting user is authorized to access that specific object.
A classic authorization bug where internal object identifiers are exposed client-side and used without ownership verification.
A PostgreSQL feature (used heavily by Supabase) that restricts which rows a database user can read or write via policies attached to tables.
An attack where a malicious site triggers a state-changing request against your app while your user is logged in, using the user's cookies.
A compact, URL-safe token format for transmitting claims between parties, cryptographically signed by the issuer.
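The sign and verify steps behind the entry above, as an added example that is not code from this page or from any JWT library: an HS256 signer and a verifier that pins the algorithm before trusting anything else in the header, compares the MAC in constant time, and only then parses claims and checks `exp` / `nbf`. The secret, the claim values and the `forgeNoneToken` helper are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example: minimal HS256 JWT signer and verifier. The secret, claims and
// forgeNoneToken() are illustrative assumptions, not any library's API.
type Claims = Record<string, unknown>;

function b64url(buf: Buffer): string {
  return buf.toString("base64url");
}

// Decode one base64url JSON segment into a plain object, or null on anything odd.
function parseJsonObject(segment: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

function signJwt(claims: Claims, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`;
  const sig = b64url(createHmac("sha256", secret).update(signingInput).digest());
  return `${signingInput}.${sig}`;
}

// Verifier. The algorithm is pinned by the server, never read from the token:
// a token claiming alg=none, or swapping to a public-key algorithm so the HMAC
// secret is used as an RSA public key, is rejected before any claim is looked at.
function verifyJwt(token: string, secret: string, now: number = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  const header = parseJsonObject(h);
  if (!header || header.alg !== "HS256") return null;

  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const got = Buffer.from(s, "base64url");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return null;

  const claims = parseJsonObject(p);
  if (!claims) return null;
  if (typeof claims.exp === "number" && claims.exp <= now) return null;
  if (typeof claims.nbf === "number" && claims.nbf > now) return null;
  return claims;
}

// What an attacker sends when hoping the verifier honours the header's alg field.
function forgeNoneToken(claims: Claims): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })));
  return `${header}.${b64url(Buffer.from(JSON.stringify(claims)))}.`;
}
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it at the default.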
An open standard for delegated authorization — letting an app access a resource on behalf of a user without sharing the user's password.
An authentication method that requires two or more verification factors — something you know, something you have, or something you are.
An extension to OAuth 2.0 Authorization Code flow that protects against code interception for public clients (SPAs, mobile apps).
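The PKCE exchange from both sides, as an added example (not code from the page or from any OAuth library): the client derives an S256 challenge from a random verifier, the authorization server stores the challenge against a one-shot code, and the token endpoint only releases a token to a caller that can present the original verifier. The in-memory code store, the token format and the burn-on-first-use policy are illustrative assumptions; the RFC 7636 test vector used in the check is the real one from the RFC's appendix.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example: PKCE S256 end to end. The code store and token format are
// illustrative assumptions, not any library's API.

// Client side: a verifier of 43 to 128 unreserved characters and its S256 challenge.
function generateCodeVerifier(): string {
  return randomBytes(32).toString("base64url"); // 43 chars from [A-Za-z0-9-_]
}

function codeChallengeS256(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Authorization-server side.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function verifierMatchesChallenge(verifier: string, challenge: string, method: string): boolean {
  if (method !== "S256") return false; // "plain" lets whoever saw the challenge replay it as the verifier
  if (!VERIFIER_RE.test(verifier)) return false;
  return codeChallengeS256(verifier) === challenge;
}

type PendingCode = { challenge: string; method: string; used: boolean };
const pendingCodes = new Map<string, PendingCode>();

// /authorize: remember the challenge alongside the one-shot code that is redirected back.
function issueAuthorizationCode(challenge: string, method: string): string {
  const code = randomBytes(16).toString("base64url");
  pendingCodes.set(code, { challenge, method, used: false });
  return code;
}

// /token: the caller must prove it holds the verifier the challenge was derived from.
// The code is burned on first use whether or not the proof succeeds, so an interceptor
// who captured the redirect cannot keep guessing, and cannot use the code after a
// failed attempt either.
function redeemAuthorizationCode(code: string, verifier: string): string | null {
  const pending = pendingCodes.get(code);
  if (!pending || pending.used) return null;
  pending.used = true;
  if (!verifierMatchesChallenge(verifier, pending.challenge, pending.method)) return null;
  return "at-" + randomBytes(12).toString("hex"); // stand-in for a real access token
}
```

The point of the flow is visible in the failure cases: someone who intercepts the authorization code (a malicious app registered for the same custom URL scheme, a logged redirect) holds the code and the challenge, but never the verifier, so the token endpoint refuses them.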
A principle stating that every user, process, or system should have only the minimum permissions required to perform its function.
A W3C standard for strong, phishing-resistant authentication using public-key cryptography tied to the user's device or security key.
A passwordless credential built on WebAuthn that syncs across the user's devices via iCloud Keychain, Google Password Manager, or a password manager.
An authorization model where users are assigned roles, and roles are granted permissions.
Reading or writing a row that a Row-Level-Security policy should have filtered. Causes: RLS never enabled on the table (the grants to the `anon` / `authenticated` roles then apply to every row), a policy that is too permissive (`USING (true)` or `WITH CHECK (true)` on a table holding per-user data), an UPDATE policy whose WITH CHECK does not re-assert ownership (a row can be handed to another user), the service-role key shipped to a client, or anon-role grants broader than the app needs. RLS enabled with no policy at all denies every row rather than leaking; the leak comes from grants without policies, or from policies that are wrong.
An automated attack where the attacker replays username/password pairs leaked from other breaches against your login endpoint. Works because users reuse passwords. The signature is a burst of attempts spread across many distinct accounts, usually from a rotating pool of IPs, with an unusually low success rate; repeated failures against a single account are ordinary brute force and need a different detector. The few successes inside such a burst are the accounts that have just been taken over.
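The detection described above run over a few constructed login log lines, as an added example (not code from the page or from any SIEM): events are grouped per source IP and an IP is flagged when it makes many attempts against many distinct accounts with a high failure rate. The log format, the IP addresses (RFC 5737 test ranges), the usernames and the thresholds are all constructed for the example.

```typescript
// Added example: credential-stuffing detection over constructed log lines.
// Log format, addresses, users and thresholds are illustrative assumptions.
type LoginEvent = { ts: string; ip: string; user: string; ok: boolean };

// Constructed sample: one stuffing burst, one user who mistyped once, one
// normal login, and one single-account brute force (which this rule must NOT flag).
const SAMPLE_LOGIN_LOG = `
2026-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2026-03-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2026-03-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2026-03-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2026-03-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2026-03-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2026-03-01T10:00:04Z ip=203.0.113.7 user=grace result=fail
2026-03-01T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2026-03-01T10:01:10Z ip=198.51.100.20 user=bob result=fail
2026-03-01T10:01:25Z ip=198.51.100.20 user=bob result=success
2026-03-01T10:02:00Z ip=198.51.100.21 user=carol result=success
2026-03-01T10:03:00Z ip=203.0.113.9 user=dave result=fail
2026-03-01T10:03:01Z ip=203.0.113.9 user=dave result=fail
2026-03-01T10:03:02Z ip=203.0.113.9 user=dave result=fail
2026-03-01T10:03:03Z ip=203.0.113.9 user=dave result=fail
2026-03-01T10:03:04Z ip=203.0.113.9 user=dave result=fail
2026-03-01T10:03:05Z ip=203.0.113.9 user=dave result=fail
`;

function parseLoginLog(text: string): LoginEvent[] {
  const re = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/;
  const events: LoginEvent[] = [];
  for (const raw of text.split("\n")) {
    const m = re.exec(raw.trim());
    if (m) events.push({ ts: m[1], ip: m[2], user: m[3], ok: m[4] === "success" });
  }
  return events;
}

type Thresholds = { minAttempts: number; minDistinctUsers: number; minFailureRate: number };
const DEFAULT_THRESHOLDS: Thresholds = { minAttempts: 5, minDistinctUsers: 4, minFailureRate: 0.6 };

type StuffingVerdict = {
  ip: string;
  attempts: number;
  distinctUsers: number;
  failureRate: number;
  compromised: string[]; // accounts that succeeded inside the burst
};

function detectCredentialStuffing(events: LoginEvent[], t: Thresholds = DEFAULT_THRESHOLDS): StuffingVerdict[] {
  const byIp = new Map<string, LoginEvent[]>();
  for (const e of events) {
    const bucket = byIp.get(e.ip);
    if (bucket) bucket.push(e);
    else byIp.set(e.ip, [e]);
  }
  const verdicts: StuffingVerdict[] = [];
  byIp.forEach((evs, ip) => {
    const distinctUsers = new Set(evs.map(e => e.user)).size;
    const failures = evs.filter(e => !e.ok).length;
    const failureRate = failures / evs.length;
    // Many attempts + many accounts + mostly failing = stuffing. The distinct-user
    // condition is what separates it from a brute force on one account.
    if (evs.length >= t.minAttempts && distinctUsers >= t.minDistinctUsers && failureRate >= t.minFailureRate) {
      verdicts.push({ ip, attempts: evs.length, distinctUsers, failureRate, compromised: evs.filter(e => e.ok).map(e => e.user) });
    }
  });
  return verdicts;
}
```

In practice the grouping key is a sliding time window as well as the IP, and distributed campaigns that use one IP per attempt are caught by the same rule applied globally (many accounts, low success rate) rather than per IP.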
An attacker who already has SOME access elevates to MORE access. Vertical: low-privilege user → admin. Horizontal: user A → user B's data (BOLA / IDOR). The most common bug class in AI-generated apps.
An attack outcome where the attacker gains control of a legitimate user's account. Achieved via credential stuffing, phishing, OAuth abuse, password reset abuse, or session hijacking. The most common 'damaging outcome' bucket in incident reporting.
An attack where the attacker fixes (chooses) a session ID that the victim is then authenticated under, allowing the attacker to use the same session ID to access the victim's account. Mitigated by regenerating session IDs at every privilege transition.
A class of bug where two concurrent operations interact incorrectly because the order of their steps is not enforced. Common security manifestation: TOCTOU (time-of-check-time-of-use) where a permission is checked, then the protected action runs, but the state changed in between.
Supabase's hosted authentication service — handles email/password, magic links, OAuth (Google / GitHub / Apple / many more), phone-OTP, and SAML SSO. Issues JWTs that work seamlessly with Supabase's RLS policies.
OWASP's separate top-10 list for API-specific security risks. Distinct from the regular OWASP Top 10 (which is web-app-centric). 2023 edition is the current as of 2026: API01 BOLA, API02 Broken Authentication, API03 BOPLA (Broken Object Property Level Authorization), API04 Unrestricted Resource Consumption, API05 BFLA, API06 Unrestricted Access to Sensitive Business Flows, API07 SSRF, API08 Security Misconfiguration, API09 Improper Inventory, API10 Unsafe Consumption of Third-Party APIs.
input
An attack where attacker-controlled JavaScript executes in another user's browser in the context of your application.
An attack where attacker-controlled input is interpolated into a SQL query, letting the attacker execute arbitrary SQL.
An HTTP response header that tells the browser which sources are allowed for scripts, styles, images, and other resources, limiting the impact of XSS.
An attack where a crafted input triggers catastrophic backtracking in a regular-expression engine, hanging the process.
The ability for an attacker to execute arbitrary code on a remote server.
A bug class where an application redirects the user to a URL controlled by the attacker, typically through an unvalidated `?returnTo=` or `?next=` parameter. Used in phishing campaigns to make malicious links look legitimate.
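A validator for a `?returnTo=` parameter, as an added example (not code from the page or from any framework). It accepts only a plain path on the application's own origin, or an absolute URL on exactly that origin, and returns the origin-less form so the redirect can never leave the site. `APP_ORIGIN` is an assumed value; the tricky inputs in the check (scheme-relative `//`, backslash, look-alike host, `javascript:`) are the ones a reviewer would test first.

```typescript
// Added example: returnTo / next validation. APP_ORIGIN is an illustrative assumption.
const APP_ORIGIN = "https://app.example.com";

// Returns a path on our own origin, or the fallback. Never returns a value that
// would send the browser to another origin.
function safeReturnTo(raw: string | null | undefined, fallback: string = "/"): string {
  if (!raw) return fallback;
  try {
    // A plain path is exactly one leading slash: "//evil" is scheme-relative and
    // "/\evil" is normalised by browsers to "//evil", so both are rejected here.
    const looksLikePath = /^\/(?![\/\\])/.test(raw);
    const target = looksLikePath ? new URL(raw, APP_ORIGIN) : new URL(raw);
    // Whatever the input looked like, resolve it and compare the origin. This also
    // catches "https://app.example.com.evil.example", "http://" downgrades and
    // "javascript:" (whose origin is "null").
    if (target.origin !== APP_ORIGIN) return fallback;
    // Hand back path + query + fragment only, so the redirect call itself cannot
    // be handed a foreign origin later.
    return target.pathname + target.search + target.hash;
  } catch {
    return fallback; // not parseable as a URL at all
  }
}
```

Comparing the parsed `origin` rather than checking `startsWith("/")` is the whole trick: the string checks alone are what attackers have bypassed for years.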
A bug class where an attacker submits extra fields in a request body (JSON, FormData) that the server unsafely uses to update model fields the attacker should not control — like setting `is_admin: true` on their own user record.
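One handler that shows both bug classes this section and the authz section describe (BOLA / IDOR and mass assignment) and the fix for each, as an added example that is not code from the page or from any framework: the vulnerable version looks the row up by the client's id alone and spreads the request body onto it; the hardened version checks ownership against the session, answers 404 for "not yours" exactly as for "does not exist", and copies only an allowlisted, type-checked set of fields. The `Invoice` model, the in-memory store and `HttpError` are illustrative assumptions.

```typescript
// Added example: BOLA/IDOR + mass assignment in one PATCH handler, vulnerable then
// secure. Invoice model, store and HttpError are illustrative assumptions.
type Invoice = { id: string; ownerId: string; amount: number; notes: string; paid: boolean };

function seedInvoices(): Map<string, Invoice> {
  return new Map<string, Invoice>([
    ["inv-1", { id: "inv-1", ownerId: "alice", amount: 120, notes: "", paid: false }],
    ["inv-2", { id: "inv-2", ownerId: "bob", amount: 980, notes: "", paid: false }],
  ]);
}

class HttpError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
  }
}

// Vulnerable: trusts the client-supplied id (BOLA/IDOR) and copies the whole body
// onto the row (mass assignment). {"paid": true} or {"ownerId": "alice"} sent
// against someone else's invoice is simply applied.
function updateInvoiceVulnerable(store: Map<string, Invoice>, id: string, body: Record<string, unknown>): Invoice {
  const inv = store.get(id);
  if (!inv) throw new HttpError(404, "not found");
  Object.assign(inv, body);
  return inv;
}

// Fields a caller may set. id, ownerId and paid are server-owned.
const CLIENT_WRITABLE: ReadonlySet<string> = new Set(["amount", "notes"]);

function updateInvoiceSecure(store: Map<string, Invoice>, sessionUserId: string, id: string, body: Record<string, unknown>): Invoice {
  const inv = store.get(id);
  // Same response for "does not exist" and "not yours", so an attacker walking ids
  // cannot learn which ones are real.
  if (!inv || inv.ownerId !== sessionUserId) throw new HttpError(404, "not found");

  // Build the patch from an allowlist; unknown fields are an error, not silently dropped,
  // so a client bug or a probe shows up in logs.
  const patch: Partial<Pick<Invoice, "amount" | "notes">> = {};
  for (const key of Object.keys(body)) {
    if (!CLIENT_WRITABLE.has(key)) throw new HttpError(400, `field not writable: ${key}`);
    const value = body[key];
    if (key === "amount") {
      if (typeof value !== "number" || !Number.isFinite(value) || value < 0) throw new HttpError(400, "bad amount");
      patch.amount = value;
    } else if (key === "notes") {
      if (typeof value !== "string" || value.length > 1000) throw new HttpError(400, "bad notes");
      patch.notes = value;
    }
  }
  Object.assign(inv, patch);
  return inv;
}
```

The ownership predicate belongs next to the query (or inside it, as a `WHERE owner_id = $session_user` clause or an RLS policy), not in a separate "is admin?" check elsewhere: horizontal privilege escalation is a per-object question.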
network
An attack where an attacker causes a server to make HTTP requests to destinations chosen by the attacker — often internal networks or cloud metadata endpoints.
An HTTP response header that tells browsers to only ever contact the domain over HTTPS for a specified duration.
An HTTP-layer filter that inspects incoming traffic and blocks requests matching attack patterns like SQL injection, XSS, or known CVE exploitation.
crypto
secrets
Any credential whose compromise would lead to abuse: API keys, database passwords, signing secrets, private keys.
Supabase's privileged API key that bypasses every Row-Level-Security policy. Designed for server-side use only. If it ships in a client bundle, your database is fully open regardless of the policies you wrote.
Supabase's public API key designed for client-side use. Carries no privilege beyond what RLS policies grant to the `anon` role. Safe to ship in your client bundle — by design.
Theft + resale of stolen LLM API keys for unauthorized inference. Documented Claude Opus victim case ran 4.5 days at ~$50K; premium-model abuse can exceed $100K/day.
supply-chain
A security framework for supply-chain integrity — a checklist + standards for how build artifacts are produced, signed, and verified.
A complete inventory of every component in a software product — libraries, dependencies, versions, licenses.
An open framework for cryptographically attesting software supply-chain steps. An in-toto Statement bundles a predicate (what happened) with a subject (what it applies to) under a signed envelope. Securie emits in-toto v1 Statements as the attestation payload for every scan.
Sigstore's transparency log — a Merkle-tree append-only ledger that records signed software artifacts so anyone can verify an attestation existed at the claimed time. Securie publishes attestations to rekor when configured, stamping the rekor UUID into the persisted attestation row.
An attack class where adversarial instructions are embedded inside tool descriptions in an MCP server's catalog. The instructions are invisible to humans browsing the catalog but interpreted by the AI model when the tool is invoked. OWASP MCP Top 10 #1.
An attack pattern where an MCP server ships a safe v1 tool catalog at install time, then mutates to a v2 catalog (with attacker-controlled tools or scope) once it's running in the trust boundary. Disclosed by Invariant Labs in 2025 as a structural class.
An attack where an MCP tool, after install, redefines its declared scope wider than originally authorised. A tool that started as `read-file` quietly becomes `read-file + http-egress` — and the agent dispatches calls under the broader scope.
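Trusted-catalog pinning as a defence against the two entries above (catalog rug-pull and scope creep) and against tool-description poisoning, as an added example that is not code from the page, from any MCP SDK or from any of the products it names. The catalog a server advertised at install time is canonicalised and hashed; every later dispatch re-checks the live catalog and refuses to run if a tool was added, a scope widened or a description rewritten. The `Tool` shape (name, description, scopes) is an illustrative assumption, not the MCP wire format.

```typescript
import { createHash } from "node:crypto";

// Added example: pin an MCP server's tool catalog and detect drift before dispatch.
// The Tool shape is an illustrative assumption, not the protocol's schema.
type Tool = { name: string; description: string; scopes: string[] };

// Canonical form: tools sorted by name, scopes sorted, fixed key order, so that
// reordering alone never looks like a change.
function canonicalCatalog(tools: Tool[]): string {
  const sorted = tools
    .map(t => ({ name: t.name, description: t.description, scopes: t.scopes.slice().sort() }))
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
  return JSON.stringify(sorted);
}

function catalogDigest(tools: Tool[]): string {
  return createHash("sha256").update(canonicalCatalog(tools)).digest("hex");
}

type CatalogPin = { digest: string; tools: Record<string, { description: string; scopes: string[] }> };

// Taken once, at install time, after a human has looked at the catalog.
function pinCatalog(tools: Tool[]): CatalogPin {
  const pin: CatalogPin = { digest: catalogDigest(tools), tools: {} };
  for (const t of tools) pin.tools[t.name] = { description: t.description, scopes: t.scopes.slice().sort() };
  return pin;
}

type CatalogDrift = {
  changed: boolean;
  added: string[];                                   // tools absent from the pinned catalog (rug-pull)
  removed: string[];
  widened: { tool: string; newScopes: string[] }[];  // scope creep
  redescribed: string[];                             // description text changed (tool-poisoning vector)
};

function checkCatalog(pin: CatalogPin, live: Tool[]): CatalogDrift {
  const drift: CatalogDrift = { changed: false, added: [], removed: [], widened: [], redescribed: [] };
  if (catalogDigest(live) === pin.digest) return drift; // fast path: byte-for-byte the approved catalog
  drift.changed = true;
  const liveByName = new Map<string, Tool>();
  for (const t of live) liveByName.set(t.name, t);
  for (const name of Object.keys(pin.tools)) {
    const now = liveByName.get(name);
    if (!now) { drift.removed.push(name); continue; }
    const was = pin.tools[name];
    const newScopes = now.scopes.filter(s => was.scopes.indexOf(s) === -1);
    if (newScopes.length > 0) drift.widened.push({ tool: name, newScopes });
    if (now.description !== was.description) drift.redescribed.push(name);
  }
  for (const t of live) if (!(t.name in pin.tools)) drift.added.push(t.name);
  return drift;
}

// Gate every call on the pin. A drifted catalog needs human re-approval (a new pin),
// not a silent update.
function dispatchTool(pin: CatalogPin, live: Tool[], name: string, invoke: (t: Tool) => string): string {
  const drift = checkCatalog(pin, live);
  if (drift.changed) throw new Error(`catalog drift, refusing ${name}: ${JSON.stringify(drift)}`);
  const tool = live.find(t => t.name === name);
  if (!tool) throw new Error(`unknown tool ${name}`);
  return invoke(tool);
}
```

The description comparison matters as much as the scope comparison: the model reads descriptions as instructions, so a description that changes after approval is a prompt change the human never saw.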
A machine-readable inventory of an AI system's components — models, training data, datasets, dependencies, accuracy metrics. Available as CycloneDX 1.6 or SPDX 3 SBOM with AI extensions.
An envelope format for signing arbitrary payloads. Used by in-toto + Sigstore for supply-chain attestations. Securie uses DSSE for every signed finding + patch + audit bundle.
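The in-toto Statement and DSSE entries carried through in code, as an added example that is not Securie's, in-toto's or Sigstore's code: a v1 Statement is built for an artifact (subject = name plus SHA-256), wrapped in a DSSE envelope whose signature covers the pre-authentication encoding (so the payload type is bound too), signed with Ed25519 and verified against a set of trusted keys. The predicate type and contents and the key-id scheme (SHA-256 of the DER public key) are illustrative assumptions.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Added example: in-toto v1 Statement inside a DSSE envelope, Ed25519-signed.
// Predicate type/contents and the key-id scheme are illustrative assumptions.
const STATEMENT_TYPE = "https://in-toto.io/Statement/v1";
const IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json";

type Statement = {
  _type: typeof STATEMENT_TYPE;
  subject: { name: string; digest: { sha256: string } }[];
  predicateType: string;
  predicate: unknown;
};

function sha256Hex(data: Buffer | string): string {
  return createHash("sha256").update(data).digest("hex");
}

// The subject says what the attestation applies to; the predicate says what happened.
function makeStatement(artifactName: string, artifact: Buffer, predicateType: string, predicate: unknown): Statement {
  return {
    _type: STATEMENT_TYPE,
    subject: [{ name: artifactName, digest: { sha256: sha256Hex(artifact) } }],
    predicateType,
    predicate,
  };
}

// DSSE pre-authentication encoding: "DSSEv1 <len(type)> <type> <len(payload)> <payload>".
// Signing the PAE instead of the bare payload binds the payloadType, so the same bytes
// cannot be re-presented under a different type.
function pae(payloadType: string, payload: Buffer): Buffer {
  const type = Buffer.from(payloadType, "utf8");
  return Buffer.concat([Buffer.from(`DSSEv1 ${type.length} `, "utf8"), type, Buffer.from(` ${payload.length} `, "utf8"), payload]);
}

type Envelope = { payloadType: string; payload: string; signatures: { keyid: string; sig: string }[] };

function keyId(pub: KeyObject): string {
  return sha256Hex(pub.export({ type: "spki", format: "der" }) as Buffer);
}

function signEnvelope(statement: Statement, priv: KeyObject, pub: KeyObject): Envelope {
  const payload = Buffer.from(JSON.stringify(statement), "utf8");
  const sig = sign(null, pae(IN_TOTO_PAYLOAD_TYPE, payload), priv); // Ed25519: algorithm argument is null
  return {
    payloadType: IN_TOTO_PAYLOAD_TYPE,
    payload: payload.toString("base64"),
    signatures: [{ keyid: keyId(pub), sig: sig.toString("base64") }],
  };
}

// Returns the statement only if at least one signature verifies under a trusted key
// and the payload really is a Statement. Keys are looked up by keyid, never taken
// from the envelope itself.
function verifyEnvelope(env: Envelope, trusted: Map<string, KeyObject>): Statement | null {
  const payload = Buffer.from(env.payload, "base64");
  const message = pae(env.payloadType, payload);
  const ok = env.signatures.some(s => {
    const key = trusted.get(s.keyid);
    return key !== undefined && verify(null, message, key, Buffer.from(s.sig, "base64"));
  });
  if (!ok) return null;
  const parsed = JSON.parse(payload.toString("utf8")) as Statement;
  return parsed._type === STATEMENT_TYPE && Array.isArray(parsed.subject) ? parsed : null;
}
```

A verifier that consumes these envelopes should also compare the subject digest against the artifact it actually has in hand; the signature proves who said it, the digest proves what they said it about.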
Open-source supply-chain attestation infrastructure: Cosign (signing tool), Rekor (transparency log), Fulcio (CA). Securie publishes attestations to Rekor for public verifiability.
SLSA (Supply-chain Levels for Software Artifacts), started at Google and now an OpenSSF project. The v1.0 Build track defines four levels, L0 through L3, with progressively stronger requirements on how provenance is generated and how tamper-resistant the build platform is. Securie produces SLSA Level 3 provenance via the attestation chain.
OWASP-led SBOM standard that also covers AI and cryptographic inventories. CycloneDX 1.5 (2023) added the machine-learning-model component type and model cards (ML-BOM); 1.6 (2024) added cryptographic assets (CBOM) and attestations.
Linux Foundation-led SBOM standard. SPDX 3 (2024) added AI extensions but tooling adoption lags CycloneDX 1.6.
A supply-chain attack class where an LLM hallucinates a plausible package name that does not exist; an attacker pre-registers the hallucinated name with a malicious payload; the next AI-using developer pulls the malware. Term coined by Seth Larson (March 2025).
OWASP Top 10 (2025) item #3. Replaced the 2021 'Vulnerable and Outdated Components' category with a broader software-and-data supply chain framing. Highest community-vote category in the 2025 survey (50% ranked it #1) and the highest measured incidence rate (5.19%) in OWASP's contributed test data.
ai
An attack where untrusted content (a user message, a document, an email) contains instructions that alter the behavior of an LLM-powered application.
A transparency document listing every AI model a product uses — with role, license, residency, and retention.
Building applications primarily by prompting AI coding assistants (Cursor, Lovable, Bolt, v0, Copilot, Claude Code) rather than writing code by hand. The model translates natural-language intent into running code; the human reviews and ships.
A specification for how LLM agents discover and call tools — file operations, HTTP requests, database queries, git commands. MCP servers host tool catalogues; LLM agents read the catalogue and invoke tools. The new attack surface for AI applications.
Meta's safety classifier model family, run as a filter on LLM input and output to flag unsafe content classes (violence, sexual content, criminal planning, and so on). Llama Guard 4 (2025) is the current production version. Prompt-injection and jailbreak detection is the job of its sibling classifier, Prompt Guard; deploy that alongside Llama Guard rather than expecting Llama Guard to catch injections.
An open protocol — pioneered by Anthropic in 2024 — that standardises how AI agents discover, call, and dispatch external tools. As of April 2026, MCP runs on 200,000+ servers with 7,000+ public + 150M+ cumulative package downloads.
An attack class disclosed by Palo Alto Unit42 where a malicious MCP server abuses the protocol's sampling feature to perform resource theft (drain compute quota), conversation hijacking (inject persistent instructions), and covert tool invocation (hidden tool calls + filesystem operations).
An attack where adversarial instructions are embedded in data the AI agent reads (a webpage, an email, a Notion page, a tool's response) rather than in the user's direct prompt. When the agent processes the data, the model treats the embedded instructions as authoritative.
The EU AI Act's verification process by which a provider demonstrates a high-risk AI system meets Article 11 + Annex IV requirements. Two routes: self-assessment per Annex VI or Notified Body assessment per Annex VII.
A 2025-coined term (Andrej Karpathy) for building software primarily via natural-language prompts to AI tools (Lovable, Bolt, v0, Cursor, Claude Code).
An attack where adversarial instructions modify AI model behavior. Direct: in user input. Indirect: in data the model reads (URLs, docs, tool responses).
User-supplied adversarial instructions designed to override system prompts.
An attack on AI training data — injecting malicious examples into the training set to alter model behavior at inference time.
Model cards (Mitchell et al., 2019, at Google): structured documentation describing an AI model's intended use, performance, evaluation data, and ethical considerations.
Adversarial testing of an AI model — attempting prompt injection, jailbreak, data exfiltration, harmful-content generation. Securie's red-team specialist + offensive validation package covers this.
Adversarial prompts designed to bypass an LLM's safety alignment. 'DAN' (Do Anything Now), persona attacks, token-level adversarial inputs.
The scope of damage an AI agent can cause if it executes adversarial / mistaken operations. Reduced via scope-locked credentials + compile-time scope guards.
Simon Willison's June 2025 threat-model heuristic: an AI agent becomes weaponizable when it simultaneously has private-data access + untrusted-content exposure + external-communication capability. Any two are usually safe; all three at once is the catastrophic combination.
The OWASP project's canonical list of the 10 most critical security risks for LLM-powered applications. Distinct from the regular OWASP Top 10. Current edition (2025) covers LLM01 through LLM10.
An attack pattern where a privileged process (the 'deputy') is tricked by a less-privileged caller into misusing its privileges. In AI agents, the deputy is the LLM acting on the user's behalf; the attacker plants instructions in data the deputy reads (URL content, tool descriptions, retrieved documents) and the deputy executes them with full user privileges.
An MCP attack class disclosed by Invariant Labs (2025): a malicious MCP server uses its tool descriptions to interfere with — 'shadow' — the behavior of other legitimate MCP servers loaded in the same agent context. The agent reads the malicious description as part of its system prompt and applies it to legitimate-server tool calls.
Adversarial testing of an AI system — LLM, agent, multimodal model — to discover safety, security, and alignment failures before adversaries do. Distinct from generic LLM red-teaming (which is one subcase) by covering agentic + multimodal + supply-chain attack surfaces.
MITRE's ATT&CK-style framework for AI threats, published 2020 and continuously updated. Catalogs adversarial tactics, techniques, and procedures specific to AI/ML systems: model evasion, model inversion, training-data poisoning, prompt injection, model theft, supply-chain attacks. Referenced by red teams + threat-intelligence reports.
An emerging 2026 product category: a centralized control-plane between AI agents and the MCP servers they use. Handles authentication, audit logging, rate limiting, scope enforcement, and trusted-catalog pinning across an organization's MCP fleet. Examples: Proofpoint MCP Security Platform, Integrate.io MCP gateway category.
infra
A globally-unique identifier for a specific disclosed software vulnerability.
Security testing that analyzes source code or build artifacts without executing the code.
Security testing that runs against a deployed application, sending requests and observing responses.
A hybrid testing approach that instruments a running application to observe security-relevant behavior during test execution.
A security model where no request is trusted by default — every identity, device, and network path must be verified regardless of its origin.
A security strategy layering multiple independent controls so no single failure exposes the system.
A standard for rating the severity of software vulnerabilities on a 0.0 – 10.0 numeric scale.
A nonprofit that publishes open security resources, most famously the OWASP Top 10 and OWASP API Top 10 lists of most-common vulnerabilities.
US government agency that publishes many security standards: NIST 800-53 (controls), NIST CSF (framework), NVD (vulnerability database), PQC (post-quantum) standards.
A structured process to identify, enumerate, and prioritize the ways an attacker could compromise a system.
An authorized simulated attack on a system to identify exploitable vulnerabilities — conducted by humans or autonomous tools.
A policy inviting security researchers to report vulnerabilities in exchange for recognition or monetary reward.
The practice of integrating security into every stage of the DevOps lifecycle — from design to deployment to runtime.
Moving security activities earlier in the development lifecycle — from post-deployment audits to pre-merge code review.
Next.js's RPC mechanism: an async function marked with the `"use server"` directive that runs on the server but is callable from client components. Every Server Action is a public, unauthenticated API endpoint by default — auth + ownership checks are the developer's responsibility.
Reproducing a flagged finding as a working exploit in an isolated sandbox before the finding ships. The structural commitment behind 'prove, don't flag' — if the exploit cannot be reproduced, the finding is dropped.
OWASP's periodically-updated list of the ten most critical web application security risk categories. The 2025 edition is the current canonical reference, superseding the 2021 edition (the individual 2025 items are described elsewhere in this glossary). Used as a baseline coverage requirement for application security tooling.
The legal/regulatory requirement that customer data physically reside in a specific jurisdiction. Driven by GDPR (EU), data-protection laws in Switzerland, Australia, India, China, Saudi Arabia, etc. Increasingly material for SaaS targeting non-US customers.
A contract under GDPR Article 28 between a data controller (your customer) and a data processor (you) defining how customer personal data is processed, stored, and protected. Typically required by EU customers before signing a SaaS contract.
Common Vulnerability Scoring System — a 0.0-10.0 numeric score quantifying a vulnerability's severity. CVSS 3.1 is the current standard; CVSS 4.0 was published 2023 and is gaining adoption. Used to prioritize patching and to gate deploys.
The act of stealing data out of a compromised system. Often the final stage of an attack chain — the attacker has gained access, located the valuable data, and is now moving it to attacker-controlled infrastructure. Detected by anomalies in outbound traffic and database query patterns.
Code that runs at the edge before your route handlers, on every matching request. Used for auth checks, redirects, A/B routing, and header rewriting. The exported `matcher` config decides which routes the middleware runs on, and that is where the canonical bug lives: any route the pattern does not cover (an `/api` prefix the pattern excludes, a route added after the matcher was written) runs with no auth check at all, and nothing fails loudly when it happens.
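A coverage check for a middleware `matcher` list, as an added example that is not code from the page or from Next.js: the matcher patterns are translated to regular expressions and tested against the list of routes that must be protected, so a route that falls outside the matcher fails a CI test instead of shipping without an auth check. The pattern translation is a simplified reimplementation of the `:param`, `:param*`, `:param+` and parenthesised-regex forms, not Next.js's own path-to-regexp code; the route lists are constructed for the example.

```typescript
// Added example: does the middleware matcher cover every protected route?
// Simplified matcher semantics, not Next.js's path-to-regexp implementation.

// What the exported config in a middleware.ts would look like (shape only; no
// framework import here). Constructed for the example.
const middlewareConfig = { matcher: ["/dashboard/:path*", "/settings"] };

// Routes that must never be reachable without the middleware's auth check. Constructed.
const PROTECTED_ROUTES = ["/dashboard", "/dashboard/billing", "/settings", "/api/invoices", "/admin"];

// Translate one matcher pattern. Parenthesised groups such as "/((?!_next/static).*)"
// pass through unchanged; ":name" forms become segment regexes. (A "(?:" group would
// be mangled by the ":name" rule, so this helper assumes "(?!" / "(?=" / capturing groups.)
function matcherToRegExp(pattern: string): RegExp {
  const source = pattern
    .replace(/\/:[A-Za-z_]\w*\*/g, "(?:/.*)?") // "/:path*"  zero or more segments
    .replace(/\/:[A-Za-z_]\w*\+/g, "/.+")      // "/:path+"  one or more segments
    .replace(/:[A-Za-z_]\w*/g, "[^/]+");       // ":id"      exactly one segment
  return new RegExp(`^${source}/?$`);
}

function matcherCovers(matchers: string[], path: string): boolean {
  return matchers.some(m => matcherToRegExp(m).test(path));
}

// The CI assertion: every protected route must be hit by at least one matcher.
function uncoveredRoutes(matchers: string[], protectedRoutes: string[]): string[] {
  return protectedRoutes.filter(r => !matcherCovers(matchers, r));
}
```

The check is deliberately run against a positive list of sensitive routes. A matcher written as "everything except static assets" is the safer default, but as the test shows it is easy to write the exclusion so that `/api` is excluded too.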
AWS-developed lightweight VMM (Virtual Machine Monitor) for ephemeral, isolated VMs. Securie uses Firecracker microVMs for prove-don't-flag exploit reproduction.
OWASP Top 10 (2025) item #10 — a new addition. Covers improper error and exception handling that leads to unpredictable or insecure behavior, including improper input validation, incomplete error recovery, and inconsistent exception handling. 24 CWEs map into this category.
OWASP Top 10 item #2 (moved up from #5 in 2021). The umbrella for default-config / unhardened-defaults / verbose-error-leakage / open-cloud-storage classes. 16 CWEs map into this category; 3.00% of tested apps had at least one.
MITRE's annual ranking of the 25 most common and impactful Common Weakness Enumerations (CWEs). Calculated from CVE data weighted by frequency × severity. Complements OWASP Top 10: OWASP describes risks in web apps; CWE Top 25 describes concrete technical weaknesses across all software.