A botnet is network of computers infected with malware that can be used by a hacker to do their bidding.

A brute-force attack occurs when an attacker checks all possible passwords until the correct one is found.

Clean URLs (or semantic URLs) are readable URLs for websites or web services that intuitively represent the underlying resource.

Code injection can used by an attacker to introduce malicious code into a vulnerable computer program and change the course of execution.

Content Management Systems (CMS) allow non-technical users to publish and edit online resources.

HTTP is a stateless protocol. Cookies are the most common way to make a conversation between a browser and server stateful.

Data Definition Language (DDL) is the subset of the SQL language that allows table structures to be edited.

Data Manipulation Language (DML) is the subset of the SQL language that allows querying and updating of table content.

Defense in depth refers to employing multiple layers or security controls to reduce the likelihood and impact of an attack.

A denial-of-service (DOS) attack is an attempt to make a web service or

A dictionary attack is attempt to guess passwords by using well-known words or phrases.

Digital signatures are used to demonstrate the authenticity of a digital message.

Hypertext Transfer Protocol (HTTP) is the mechanism that websites and web services use to communicate with user agents such as browsers.

Sensitive web traffic should be sent over an encrypted channel -- that's what HTTPS is for.

You should store user passwords as strong, cryptographic hashes.

Lightweight Directory Access Protocol (LDAP) is a technology used to create directories of individuals or resources.

Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol. They used for defining networking rules in e.g. routers and firewalls.

The Open Web Application Security Project (OWASP) is an online community that tracks common vulnerabilities and publishes information about web application security.

OAuth is an open standard for authorization.

Users are creatures of habit, which means they tend to choose obvious passwords and re-use them over multiple sites.

Phishing is when an attacker sends an email (or other electronic message) to a user, in an attempt to trick them into disclosing sensitive information.

Secure organizations often share information on a "need to know" basis, and this model can be applied to technical systems too.

REpresentational State Transfer (REST) is a style of web service architecture designed to map create, read, update, and delete operations with their corresponding HTTP verbs.

Modern encryption techniques require the generation of random numbers on demand. This is a surprisingly hard problem.

Software is rarely unchanging; it is important to have a clear strategy when pushing out new versions.

Structured Query Language (SQL) is a special purpose programming language for accessing and updating data in a relational database.

Salting refers to adding a random token to a password before hashing it.

A session is a stateful conversation between a website and a user agent, such as a browser.

Social engineering is when an attacker interacts directly with your users or staff, in an effort to trick them into disclosing sensitive information or performing restricted actions.

A Uniform Resource Locator (URL) -- informally called a web address -- specifies the location of a resource on the internet.

A worm is a malicious program that replicates itself in order to spread to other systems.

A zero-day vulnerability is a vulnerability that the application author has not yet become aware of.