Glossary C

CaaS provides managed container orchestration infrastructure, abstracting away the complexity of running Kubernetes or Docker Swarm. AWS ECS/EKS, Google GKE, and Azure AKS are CaaS offerings that handle control plane management, node upgrades, and auto-scaling. CaaS sits between IaaS (raw VMs) and PaaS (no container control), giving teams container-level control without cluster administration overhead.

A caching layer stores frequently accessed data in a fast in-memory store to reduce latency and database load. Application caches (Redis, Memcached) serve sub-millisecond reads for hot data. CDN caches serve static and dynamic content from edge locations. Effective caching strategies require careful cache invalidation to prevent stale data from being served to users.

Calico is an open-source networking and network security solution for Kubernetes that implements Kubernetes NetworkPolicy and provides extended policy capabilities through its GlobalNetworkPolicy CRDs. It uses BGP for routing and supports both Linux iptables and eBPF data planes. Calico enables fine-grained pod-to-pod network segmentation, encrypted inter-node communication via WireGuard, and threat detection through network flow logs.

Canary analysis automatically evaluates the health of a canary deployment by comparing metrics (error rates, latency, business KPIs) between the canary version and the baseline. Tools like Kayenta and Argo Rollouts automate this comparison and can automatically roll back if the canary underperforms. Canary analysis removes human subjectivity from progressive delivery decisions.

Canary deployments gradually route a small percentage of traffic to a new version of a service while monitoring for errors or performance degradation. If metrics look healthy, the rollout percentage increases; if problems appear, traffic is shifted back to the stable version. Named after the mining practice, canary deployments reduce the blast radius of problematic releases and enable data-driven rollout decisions.

A canary deployment gradually routes a small percentage of production traffic to a new version of a service while the majority continues to use the stable version. This approach limits the blast radius of defects to a small user cohort. Automated canary analysis monitors key metrics and automatically promotes or rolls back the canary based on defined success criteria.

The CAP theorem states that a distributed data system can guarantee at most two of three properties simultaneously: Consistency (all nodes see the same data), Availability (every request receives a response), and Partition tolerance (the system operates despite network partitions). Since network partitions are unavoidable in practice, distributed systems must choose between CP (consistent but potentially unavailable) and AP (available but potentially inconsistent).

A CASB is a security policy enforcement point positioned between cloud service consumers and providers. It provides visibility into shadow IT (unsanctioned SaaS usage), enforces data security policies for cloud applications, and prevents unauthorized data uploads to personal accounts. CASBs can operate in forward proxy, reverse proxy, or API-based deployment modes.

A Cloud Center of Excellence is a cross-functional team that defines cloud adoption strategy, governance standards, and security policies for an organization's cloud usage. The CCOE typically owns the landing zone design, account vending, cost optimization guidance, and security baseline. It acts as an internal consultancy that enables business units to adopt cloud services rapidly while maintaining consistent security and compliance posture.

CCPA is California's data privacy law granting consumers rights to know what personal information is collected, delete it, opt out of its sale, and access it in a portable format. Amended by CPRA (2023), it applies to for-profit businesses meeting revenue or data-volume thresholds. Compliance requires data mapping, privacy notices, opt-out mechanisms, and vendor contracts.

CDC captures row-level changes (inserts, updates, deletes) from database transaction logs and streams them in near-real-time to downstream systems. Tools like Debezium read PostgreSQL or MySQL WAL to emit change events to Kafka. CDC enables event-driven integration between operational databases and analytics systems without polling or custom triggers.

AWS CDK (Cloud Development Kit) lets engineers define cloud infrastructure using familiar programming languages like TypeScript, Python, and Java instead of YAML or JSON templates. CDK synthesizes infrastructure definitions into CloudFormation templates, enabling type safety, code reuse via constructs, and unit testing of infrastructure. It bridges the gap between application code and infrastructure configuration.

A CDN is a geographically distributed network of servers that caches and delivers content from locations close to end users. CDNs reduce latency, improve load times, and offload traffic from origin servers. They're essential for serving static assets (images, CSS, JavaScript) and increasingly used for edge computing and serverless functions.

Certificate pinning is a technique where a client hard-codes the expected certificate or public key for a specific server, rejecting TLS connections that present a different certificate even if it is signed by a trusted CA. It prevents man-in-the-middle attacks via rogue or compromised certificate authorities. Mobile apps commonly pin certificates to protect API communications against interception.

Certificate Transparency (CT) is a framework requiring certificate authorities to log all issued TLS certificates to publicly auditable logs. This allows domain owners and security researchers to detect misissued or fraudulent certificates for their domains. Browsers enforce CT by requiring certificates to include Signed Certificate Timestamps (SCTs) proving inclusion in a recognized CT log.

Chain-of-thought (CoT) prompting encourages language models to reason step-by-step before producing a final answer, improving accuracy on multi-step arithmetic, logical reasoning, and coding tasks. CoT can be elicited by including worked examples in the prompt (few-shot CoT) or by simply appending "Let's think step by step" (zero-shot CoT). The intermediate reasoning steps help the model avoid shortcut errors.

Change failure rate is the percentage of deployments that result in a service degradation, outage, or require a rollback. It is one of the four DORA metrics used to measure DevOps performance. Elite teams maintain change failure rates below 5%, achieved through automated testing, canary deployments, and progressive delivery practices.

Chaos engineering deliberately injects failures into production or staging systems to verify that they are resilient to unexpected conditions. Pioneered by Netflix (Chaos Monkey), the practice involves forming hypotheses about system behavior, running controlled experiments, and using failures to find weaknesses before they cause incidents. Chaos engineering builds confidence in system resilience and uncovers hidden dependencies.

ChatOps is the practice of integrating operational workflows directly into team chat platforms (Slack, Teams, Discord) so that deployments, alerts, and runbook execution happen in shared conversation threads. ChatOps creates a visible, searchable audit trail of operational actions and enables collaborative incident response. Tools like PagerDuty, Opsgenie, and custom bots surface alerts and allow command execution in chat.

Choreography is a microservice coordination pattern where services react to events published by other services without a central coordinator. Each service knows what events to publish and subscribe to, and the overall workflow emerges from the interactions. Choreography promotes loose coupling but makes distributed tracing and debugging harder compared to orchestration.

Chunking is the process of splitting documents into smaller segments before embedding them for retrieval-augmented generation. Chunk size, overlap, and splitting strategy (by sentence, paragraph, or fixed token count) significantly affect retrieval quality. Good chunking preserves semantic coherence so that retrieved chunks contain enough context for the language model to generate accurate answers.

CI/CD is the practice of automatically building, testing, and deploying code changes. Continuous Integration merges developer changes into a shared branch frequently with automated tests. Continuous Delivery extends this by automatically preparing releases for production. Together, they reduce integration risk, catch bugs early, and enable teams to ship multiple times per day.

CIDR is a method for allocating IP addresses and routing by using a prefix notation (e.g., 10.0.0.0/16) that specifies the network address and the number of bits used for the network portion. CIDR notation determines how many hosts a subnet can contain and governs routing table entries. Proper CIDR planning in VPCs avoids address space exhaustion and enables VPC peering without overlap.

CIEM focuses on discovering and right-sizing excessive permissions in cloud environments, where identity sprawl routinely grants far more access than needed. It analyzes effective permissions across cloud identities (human users, service accounts, roles) and surfaces high-risk entitlements like unused admin privileges. CIEM operationalizes least-privilege at cloud scale.

Cilium is an open-source networking, observability, and security project for Kubernetes that uses eBPF to enforce network policies at the kernel level with high performance. It supports Layer 7 (HTTP, gRPC, Kafka) policy enforcement, transparent encryption via WireGuard or IPsec, and detailed network flow visibility through Hubble. Cilium is increasingly adopted as the CNI of choice for security-sensitive Kubernetes deployments.

CircleCI is a cloud-native CI/CD platform that executes build, test, and deployment pipelines in isolated Docker containers or VMs. It supports orbs (reusable configuration packages), parallelism, test splitting, and caching to optimize pipeline performance. CircleCI is popular in SaaS companies for its fast spin-up times and rich integration ecosystem.

The Circuit Breaker pattern prevents cascading failures in distributed systems by detecting when a downstream service is failing and stopping calls to it for a defined period. When the circuit is 'open', calls fail fast instead of hanging and exhausting thread pools. This pattern, popularized by Netflix Hystrix, is fundamental to building resilient microservice architectures.

CIS Benchmarks are consensus-developed configuration guidelines for operating systems, cloud platforms, containers, and applications. Each benchmark provides scored and unscored recommendations at two levels: Level 1 (practical, minimal performance impact) and Level 2 (defense-in-depth for high-security environments). CSPM tools use CIS Benchmarks as the basis for cloud posture assessments.

Clean Architecture, defined by Robert Martin, organizes code into concentric layers where inner layers contain business rules and outer layers handle I/O concerns. Dependencies only point inward — the domain layer knows nothing about frameworks, databases, or UIs. It enforces separation of concerns and makes the system testable in isolation from external dependencies.

A CLI is a text-based interface for interacting with software through typed commands. CLIs are preferred by developers for automation, scripting, and power-user workflows because they're composable (piping output between commands), scriptable, and faster than GUIs for repetitive tasks. Most developer tools provide a CLI alongside web interfaces.

Clickjacking is a UI redress attack that tricks users into clicking hidden or disguised interface elements by overlaying a transparent iframe on top of a legitimate page. Attackers exploit this to capture clicks intended for the victim page — triggering unintended actions like enabling a webcam, making purchases, or liking social media content. Prevention relies on X-Frame-Options or CSP frame-ancestors response headers.

Google Cloud Armor is GCP's managed DDoS protection and WAF service that protects applications deployed on Cloud Load Balancing, Cloud CDN, and Google Cloud endpoints. It provides pre-configured rule sets (OWASP ModSecurity Core Rule Set), adaptive protection that automatically detects and mitigates volumetric DDoS attacks, and geo-based access controls. Cloud Armor integrates with Google's global network infrastructure to absorb attacks close to their source.

Cloud audit logging captures records of API calls, configuration changes, and resource access events in a cloud environment for security investigation and compliance purposes. AWS CloudTrail, Azure Monitor Activity Log, and GCP Cloud Audit Logs are the primary audit logging services from major cloud providers. Comprehensive audit logging is required by most compliance frameworks and enables forensic reconstruction of attacker activity during incident response.

Cloud compliance refers to the adherence of cloud infrastructure and workloads to regulatory requirements, industry standards, and organizational security policies. Cloud providers offer compliance programs (FedRAMP, SOC 2, PCI DSS, HIPAA) that cover their infrastructure, but customers retain responsibility for securing their workloads and data on top of compliant cloud services. CSPM tools continuously monitor cloud environments against compliance benchmarks like CIS Foundations.

Cloud cost optimization is the practice of reducing cloud spend while maintaining performance and reliability. Key strategies include right-sizing instances, using reserved or savings plan pricing, leveraging spot instances, implementing auto-scaling, deleting unused resources, and using storage lifecycle policies. FinOps practices align engineering and finance teams around shared cost accountability.

Cloud forensics involves the collection, preservation, and analysis of digital evidence from cloud environments following a security incident. Cloud forensics differs from traditional forensics because evidence is stored across distributed services, logs may have limited retention windows, and shared infrastructure limits physical access to hardware. Key evidence sources include cloud audit logs, VPC flow logs, object storage access logs, and memory snapshots from isolated instances.

A cloud HSM is a dedicated, tamper-resistant hardware device hosted in a cloud provider's data center that generates and stores cryptographic keys in a FIPS 140-2 Level 3 validated hardware environment. Unlike software key stores, HSMs provide hardware-enforced key isolation where private key material never leaves the device. Cloud HSM services (AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM) are required for regulatory scenarios mandating hardware-backed key storage.

Cloud identity management governs how human users and machine workloads authenticate to cloud services and what resources they can access. It encompasses federated identity (SSO via SAML or OIDC from corporate identity providers), service account management, cross-account access patterns, and just-in-time privilege elevation. Effective cloud identity management applies zero trust principles: verify every access request, grant minimum required permissions, and continuously monitor for anomalous access patterns.

A Cloud KMS is a managed service for creating, storing, and controlling access to cryptographic keys used to encrypt data across cloud services. AWS KMS, Azure Key Vault, and GCP Cloud KMS integrate with storage, database, and compute services to provide encryption at rest without requiring applications to manage keys directly. Cloud KMS supports automatic key rotation, granular IAM-based access control, and audit logging of all key usage.

Cloud native security applies security principles specifically to cloud native architectures built around containers, microservices, serverless functions, and declarative infrastructure. The 4Cs model (Cloud, Cluster, Container, Code) provides a layered framework for thinking about cloud native security from the underlying cloud provider through to application code. Cloud native security emphasizes policy-as-code, shifting security left into developer workflows, and automating compliance verification through CI/CD.

Cloud security architecture is the design of security controls, trust boundaries, and data flows within cloud-based systems to protect against threats while enabling business requirements. It encompasses network segmentation design (VPC topology, subnet zoning), identity architecture (federation, workload identity, privilege design), data protection (encryption key hierarchy, data classification), and detective controls (logging strategy, threat detection coverage). Architecture reviews before cloud adoption decisions are significantly more cost-effective than remediating production security gaps.

Cloud security benchmarks are standardized sets of security configuration guidelines for cloud services, maintained by organizations like the Center for Internet Security (CIS) and cloud providers. CIS Benchmarks for AWS, Azure, and GCP cover hundreds of configuration checks across IAM, networking, storage, logging, and monitoring. CSPM tools map their findings to benchmark controls, providing scored posture assessments that guide remediation prioritization.

Cloud SQL is Google Cloud's fully managed relational database service supporting MySQL, PostgreSQL, and SQL Server. It handles backups, replication, failover, and patching automatically. Cloud SQL integrates with Cloud IAM for authentication, VPC for private connectivity, and supports read replicas for scaling read-heavy workloads.

A cloud WAF is a managed web application firewall delivered as a cloud service that inspects and filters HTTP/S traffic to protect web applications from common attacks. Cloud WAFs (AWS WAF, Azure WAF, Cloudflare WAF) offer managed rule sets updated by the provider, custom rule creation, rate limiting, and geographic blocking. Cloud WAFs are deployed at the edge — in front of CDN or load balancer — providing protection before traffic reaches origin servers.

A cloud workload is any application, process, or task running in a cloud environment — including virtual machines, containers, serverless functions, and data processing jobs. Cloud workload security addresses the unique risks of ephemeral, dynamically provisioned compute: short-lived credentials, image integrity, runtime behavior monitoring, and network policy enforcement. CWPP and CNAPP platforms are purpose-built for cloud workload protection.

Cloud workload protection encompasses the security controls applied to compute workloads running in cloud environments — virtual machines, containers, and serverless functions — to detect threats, enforce compliance, and respond to incidents. CWPP platforms provide vulnerability assessment, runtime threat detection, drift detection from baseline configurations, and behavioral monitoring across heterogeneous workload types. Workload protection complements CSPM's infrastructure focus with runtime security for the workloads themselves.

CloudFormation is AWS's native infrastructure-as-code service that provisions and manages AWS resources through JSON or YAML templates. It handles dependency resolution, rollback on failure, and drift detection. While powerful for AWS-native workflows, CloudFormation's verbosity and slow feedback loops have made CDK and Terraform popular alternatives.

AWS CloudTrail records API calls made to AWS services, capturing the caller identity, timestamp, source IP, request parameters, and response elements for every action. It provides an immutable audit trail for detecting unauthorized access, investigating incidents, and demonstrating compliance. CloudTrail logs should be centralized in a dedicated logging account, protected with S3 Object Lock, and streamed to a SIEM for real-time threat detection.

The Cluster Autoscaler is a Kubernetes component that automatically adjusts the number of nodes in a node pool based on pod scheduling demand. It adds nodes when pods are unschedulable due to resource constraints and removes underutilized nodes to reduce costs. It works in conjunction with HPA and VPA to provide full-stack scaling from pod replicas to cluster capacity.

CMMC is a DoD framework requiring defense contractors to demonstrate cybersecurity maturity before handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It defines three levels based on NIST 800-171 and NIST 800-172 controls. Third-party assessments are required for Level 2 and above, and certification is a contract award prerequisite.

CNAPP unifies CSPM, CWPP, CIEM, and application security capabilities into a single platform covering the full lifecycle of cloud-native applications. The term was coined by Gartner to describe integrated solutions that protect cloud workloads from development through runtime. CNAPP reduces tool sprawl by consolidating posture management, workload protection, and runtime security in one view.

Code review is the practice of having peers examine proposed code changes before they are merged, checking for correctness, design quality, security issues, and adherence to team standards. Pull request-based code reviews (GitHub, GitLab, Bitbucket) are the dominant model. Effective code reviews are focused, timely, and constructive — they catch bugs and spread knowledge rather than enforce style preferences.

Code signing uses asymmetric cryptography to attach a digital signature to software artifacts, proving they were produced by a known publisher and have not been modified since signing. Operating systems and package managers verify signatures before execution or installation, blocking tampered or unsigned software. Code signing is required for macOS/Windows apps and is increasingly enforced in container registries.

CodeQL is a semantic code analysis engine developed by GitHub that treats code as data and enables querying for security vulnerabilities using a declarative query language. It supports 10+ languages and ships with hundreds of built-in security queries covering OWASP Top 10 and CWE Top 25 issues. CodeQL powers GitHub Advanced Security's code scanning feature and is available as a standalone CLI for CI integration.

Compliance as code translates regulatory requirements and security controls into automated checks and tests that run continuously against infrastructure and application code. Tools like InSpec, Open Policy Agent, and Chef Compliance encode compliance requirements as executable specifications. This approach provides continuous compliance verification rather than point-in-time audits.

A compliance region is a cloud region selected specifically to satisfy regulatory requirements for data residency — keeping data within a particular country or jurisdiction. Regulations like GDPR, HIPAA, and national data sovereignty laws mandate that certain data never leave specific geographic boundaries. Cloud providers offer region-level controls and data residency guarantees to support compliance requirements.

Conditional access policies enforce access decisions based on signals such as user identity, device compliance, location, IP address, and application sensitivity. If conditions are met (e.g., managed device, known location), access is granted; if not, the system may require MFA, block access, or limit capabilities. Microsoft Entra ID and Okta Adaptive MFA implement conditional access as a core zero trust control.

Confidential computing protects data in use by performing computation within hardware-isolated Trusted Execution Environments (TEEs) that encrypt memory contents and are inaccessible to the cloud provider, hypervisor, or other tenants. It addresses the gap in cloud security where data must be decrypted before processing. Intel TDX, AMD SEV-SNP, and ARM Confidential Compute Architecture are the primary hardware technologies enabling confidential computing.

Configuration drift occurs when the actual state of infrastructure or applications diverges from the desired state defined in code or configuration files. Manual changes, partial deployments, or failed rollbacks cause drift over time. GitOps tools like ArgoCD and FluxCD continuously reconcile actual state against declared state to detect and correct drift automatically.

A container escape is an attack where a process breaks out of container isolation and gains access to the host operating system or other containers. Container escapes typically exploit privileged container configurations, kernel vulnerabilities, or mount path traversal to access host resources. Prevention requires running containers with dropped Linux capabilities, non-root users, read-only filesystems, restricted seccomp profiles, and keeping container runtimes and host kernels patched.

A container image is a lightweight, standalone, executable package that includes application code, runtime, libraries, environment variables, and configuration. Images are built in layers, with each instruction in a Dockerfile adding a new read-only layer. Images are stored in registries and instantiated as running containers by runtimes like Docker or containerd.

Container image scanning analyzes container images for known OS package vulnerabilities, application dependency CVEs, hardcoded secrets, and misconfigurations before images are deployed to production. Scanning occurs at image build time in CI/CD pipelines and can also be applied continuously in container registries. Tools like Trivy, Grype, and Snyk Container integrate with registries (ECR, GCR, ACR) to gate promotion of images with critical vulnerabilities.

Container orchestration automates the deployment, scaling, networking, and lifecycle management of containerized applications across clusters of machines. Orchestrators schedule containers onto available nodes, handle health checks and restarts, manage service discovery, and distribute load. Kubernetes is the dominant orchestration platform, with Docker Swarm and Nomad serving niche use cases.

Container orchestration security covers the security of the platforms used to deploy and manage containers at scale — primarily Kubernetes and managed services like EKS, AKS, and GKE. Key concerns include securing the Kubernetes API server (RBAC, authentication, audit logging), protecting etcd (encryption at rest, access restriction), enforcing pod security standards, configuring admission controllers, and keeping cluster components patched. Managed Kubernetes services handle some of these concerns but customers retain responsibility for worker node and workload security.

A container registry is a repository service for storing, versioning, and distributing container images. Cloud-native registries — Amazon ECR, Google Artifact Registry, and Azure Container Registry — provide access controls, vulnerability scanning, and regional replication. Private registries prevent unauthorized image access, while signed image policies enforce supply chain integrity at the registry layer.

Container security covers the practices and tools that protect containerized workloads throughout their lifecycle: image scanning for vulnerabilities, runtime protection against container escapes, network policy enforcement, and Kubernetes RBAC. Key concerns include running containers as non-root, using minimal base images, and preventing privileged container deployments.

Containment is the incident response phase focused on limiting the spread and impact of an active security incident. Actions include isolating compromised systems, revoking credentials, blocking malicious IPs, and disabling compromised accounts. Short-term containment prioritizes stopping damage quickly; long-term containment involves hardening the environment while systems are rebuilt.

Content delivery refers to the technical infrastructure and strategies for serving web content — HTML, images, JavaScript, video — efficiently to geographically distributed users. Modern content delivery leverages CDN edge nodes for static assets, origin shield configurations to reduce origin load, dynamic content acceleration for API responses, and edge computing for request-time personalization. Performance directly impacts SEO and conversion rates.

The context window is the maximum number of tokens a language model can process in a single forward pass, covering both the prompt and generated output. Larger context windows allow models to handle longer documents, maintain coherent conversations, and perform in-context learning with more examples. Models like GPT-4 and Claude support context windows of 128K–1M tokens.

Conventional Commits is a specification for commit messages that provides a structured format (type(scope): description) enabling automated changelog generation, semantic version bumping, and searchable history. Types like feat, fix, chore, and breaking change carry semantic meaning. Tools like semantic-release and changesets use Conventional Commits to automate release management in CI/CD pipelines.

CORS is a browser security mechanism that controls which web origins can access resources from a different domain. Servers declare allowed origins, methods, and headers through HTTP response headers. CORS prevents malicious websites from making unauthorized API calls using a user's cookies, while allowing legitimate cross-origin requests for SPAs and microservice architectures.

cosign is an open-source tool from the Sigstore project for signing, verifying, and storing signatures for container images and other OCI artifacts. It supports keyless signing using ephemeral keys tied to OIDC identity tokens, creating a transparent and auditable supply chain. cosign is widely adopted as part of software supply chain security practices.

Cosine similarity measures the angle between two vectors in a high-dimensional space, returning a value from -1 to 1 where 1 indicates identical direction. It is the standard distance metric for comparing embedding vectors in semantic search because it is invariant to vector magnitude, focusing purely on directional alignment. High cosine similarity between a query and document embedding indicates semantic relatedness.

Azure Cosmos DB is Microsoft's globally distributed, multi-model NoSQL database service with turnkey global distribution and multi-master writes. It offers multiple consistency models (from strong to eventual) and supports document, key-value, graph, and column-family data models through various APIs. Cosmos DB guarantees single-digit millisecond latency for reads and writes at the 99th percentile.

CPE is a standardized naming scheme for IT systems, platforms, and packages maintained by NIST. CPE names uniquely identify software products (e.g., cpe:2.3:a:apache:log4j:2.14.1) so that vulnerability databases can precisely describe which versions are affected. SCA tools use CPE matching to correlate SBOM components against NVD vulnerability records.

CQRS separates read (query) and write (command) operations into distinct models, allowing each to be optimized independently. The write model handles state changes and enforces business rules; a separate read model (often a denormalized projection) serves queries efficiently. CQRS is commonly paired with Event Sourcing and enables independent scaling of read and write workloads.

Cross-region replication automatically copies data to a secondary cloud region for disaster recovery, latency reduction, or compliance purposes. S3, GCS, and Azure Blob support automatic cross-region replication with configurable rules and storage classes. Database cross-region replication (Aurora Global Database, Cloud SQL read replicas) enables low-RPO disaster recovery for relational workloads.

Crossplane is an open-source Kubernetes add-on that extends the Kubernetes API to provision and manage cloud infrastructure (databases, buckets, networks) using Kubernetes-native CRDs and controllers. It enables a "platform team" to offer self-service infrastructure to application teams through Kubernetes manifests, bringing GitOps workflows to cloud resource management.

CRUD describes the four basic operations for persistent data storage. These operations map to HTTP methods in REST APIs (POST, GET, PUT/PATCH, DELETE) and SQL statements (INSERT, SELECT, UPDATE, DELETE). Most application features are fundamentally CRUD operations with business logic layered on top.

Cryptographic failures occur when applications use weak, outdated, or incorrectly implemented cryptography to protect sensitive data. Common examples include using MD5 or SHA-1 for password hashing, storing passwords without salting, using ECB mode for symmetric encryption, or transmitting sensitive data over HTTP. OWASP renamed this category from Sensitive Data Exposure in 2021 to better reflect that the root cause is often a crypto failure rather than just missing encryption.

CSAF is an OASIS standard for machine-readable security advisories that replaces the older CVRF format. It defines a JSON schema for publishing vulnerability advisories, including VEX documents, in a way that automated tools can ingest and process. Vendors publish CSAF documents so downstream consumers can programmatically determine their exposure.

CSP is an HTTP response header that instructs browsers to only load resources from approved sources, significantly reducing the risk of XSS and data injection attacks. A strict CSP policy can block inline scripts, restrict script sources to specific domains, and prevent clickjacking via frame-ancestors directives. Deploying CSP requires careful inventory of all resource origins to avoid breaking legitimate functionality.

CSPM tools continuously assess cloud infrastructure configurations against security best practices and compliance benchmarks. They detect misconfigurations like publicly accessible S3 buckets, overly permissive IAM policies, and unencrypted databases. CSPM provides a continuous view of cloud security posture across AWS, Azure, and GCP, with automated remediation capabilities.

CSRF is an attack that tricks authenticated users into submitting unintended requests to a web application. The attacker crafts a malicious request that rides on the victim's active session, potentially changing account settings, making purchases, or modifying data. Prevention typically involves anti-CSRF tokens and SameSite cookie attributes.

CUDA is NVIDIA's parallel computing platform and programming model that enables software to use NVIDIA GPUs for general-purpose computations. Deep learning frameworks like PyTorch and TensorFlow rely on CUDA kernels to execute matrix operations at the speed required for model training and inference. CUDA support is a de facto requirement for running large AI models efficiently.

Customer-managed keys (CMKs or CMEKs) give cloud customers control over the encryption keys used to protect their data in cloud services, rather than using provider-managed keys. Customers create and manage keys in a Cloud KMS or HSM, and the cloud service uses these keys via the Key Management Service API. CMEKs allow customers to audit key usage, revoke access by deleting keys, and meet regulatory requirements mandating customer control over encryption keys.

CVE is a standardized system for identifying and cataloging publicly known security vulnerabilities. Each CVE entry has a unique identifier (e.g., CVE-2024-1234), a description, and references. Security teams use CVE identifiers to track, prioritize, and communicate about specific vulnerabilities across tools and organizations.

CVSS provides a numerical score (0-10) that rates the severity of security vulnerabilities. It considers factors like attack complexity, required privileges, and potential impact on confidentiality, integrity, and availability. Organizations use CVSS scores to prioritize remediation efforts and set SLA targets for vulnerability resolution.

CWE is a community-developed catalog of software and hardware weakness types maintained by MITRE. Each CWE entry describes a class of vulnerability (e.g., CWE-79: Cross-site Scripting) rather than a specific instance. Security tools map findings to CWE identifiers to standardize reporting, and OWASP Top 10 entries map to corresponding CWEs.

CWPPs protect workloads running in cloud environments — virtual machines, containers, serverless functions, and Kubernetes pods. They provide vulnerability scanning, runtime threat detection, and behavioral monitoring at the workload level. CWPPs complement CSPM (which focuses on configuration) by focusing on what is running inside the infrastructure.