Skip to main content

Veracode Glossary

The Veracode Glossary provides definitions for general application security terms and terms specific to Veracode products.



A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you want to make available to users or systems. To access Veracode products and services, specific domains and IP addresses must be available to your organization. You must add the required domains and IP addresses to the allowlist for your organization. See Blocklist.

Application Profile

Application profiles serve as an organizing container for scan results from different scan types of the same application. For SCA upload scans and Static Analysis, Veracode automatically adds the scan results to the application profile. To add scan results from SCA agent-based scans or Dynamic Analysis to an application profile, you must manually link the results to the application profile.


A by-product produced during the software development process, typically during a build. It might consist of the project source code, dependencies, binaries, bytecode, or other resources. To ensure the security and availability of artifacts, development teams usually store them securely in a repository.

Assignment (Security Labs)

A group of labs in a campaign.


A measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediate and enforce an application security policy. It helps answer whether the security controls for the organization provide the expected security level for the application. See Business Criticality.

Attack Vector

A path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. For example, for Dynamic Analysis and Manual Penetration Testing, the attack vector is the URL of the target web application or API. For Static Analysis, the attack vector is the function or class in your code that contains the flaw.



A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you do not want to make available to users or systems. For example, you can blocklist specific URLs to exclude from Dynamic Analysis scans or third-party licenses from SCA scans. Other Veracode products and services have specific domains and IP addresses that must not be on your blocklist. See Allowlist.

Business Criticality

A Veracode rating system that uses a five-point scale, from Very High (5) to Very Low (1), to indicate the importance to the organization of securing an application. You set the business criticality for an application when you create an application profile. In general, applications that require higher security have a higher business criticality. See Assurance.

Business Owner

A person in your organization who is responsible for ensuring the security of certain applications. They monitor Veracode scans of these applications and ensure that the teams assigned to these applications have addressed any flaws.

Business Unit

A subdivision of your organization that you define in the Veracode Platform. Your organization uses business units to organize Veracode users and applications for your entire Veracode program.


Call Stack

The path that Static Analysis takes to locate a flaw in your code. In a Veracode interface, such as the Veracode Platform or an IDE integration, the call stack appears as a stacked series of steps.

Campaign (Security Labs)

A group of assignments assigned to one or more user roles.

Command Line Interface (CLI)

A Command Line Interface (CLI) is a non-graphical input method that receives text input from users to perform a variety of actions. Veracode CLI is a tool that you install locally and invoke directly from a command line to perform various Veracode tasks, such as running scans and reviewing scan results.

Common Vulnerabilities and Exposures (CVE)

A dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. Developers and security practitioners can use a unique identifier, called the CVE ID, to look up details about vulnerabilities detected in the code. For Software Composition Analysis (SCA) or Manual Penetration Testing (MPT) results, Veracode uses the Common Vulnerability Scoring System (CVSS) rating assigned to the CVE to determine the flaw severity. For more information, see the NIST website.

Common Weakness Enumeration (CWE)

A community-developed list of common software and hardware weakness types that have security implications. For application security, weaknesses are flaws, vulnerabilities, faults, bugs, or other errors in the code that, if left unaddressed, could make systems, networks, or hardware vulnerable to attack.

Veracode uses CWEs to identify flaws in your applications during Static Analysis and Dynamic Analysis. Developers and security practitioners can use the results from these analyses to identify and remediate weaknesses at the source to ensure more secure applications prior to delivery.

For details, see the Mitre website.

Competition Mode (Security Labs)

A type of campaign in which individuals or teams compete against each other for points. A campaign in competition mode has its own leaderboard and countdown timer.



A product or feature that Veracode no longer recommends you use and has communicated a timeline for its end of life (EOL). You can still use the product or feature, but Veracode only provides limited support, such as critical bug fixes.

Developer Sandbox

A feature that allows you to perform a Static Analysis of your applications early and often in the Software Development Life Cycle (SDLC). You can create sandboxes within existing application profiles and submit your code for analysis, while simultaneously analyzing your code against your application security policy.


A set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from the Agile methodology. See DevSecOps.


A set of practices that combines software development (Dev), security (Sec), and IT operations (Ops). The term draws attention to the need for DevOps teams to embed security at every stage of their product lifecycle. Veracode champions DevSecOps to promote the awareness, identification, and remediation of risk through systemic security automation, culture, and processes. See DevOps.


A product or feature that Veracode no longer recommends you use based on best practices. You can still use the feature or product and Veracode continues to support it.

Dynamic Analysis

The Veracode Dynamic Application Security Testing (DAST) solution that enables broad scan coverage for internal and external web applications and REST APIs.


Early Adopter

The Veracode Early Adopter (EA) program makes certain features or products available to users who participate in the EA program. Specific EA features or products might have additional restrictions, such as preventing you from using them in production.

Effort to Fix

A numeric scale that Veracode uses to estimate the time required for you to fix a particular flaw.


Veracode eLearning consists of course-based training that helps developers gain the critical skills they need to identify and address potential vulnerabilities. These courses contain multiple slides, videos, and, usually, a quiz.

End of Life

A Veracode product or feature that has reached end of life (EOL) is no longer available for you to purchase from Veracode or use and it no longer works.

End of Sale

A Veracode product or feature that you can no longer purchase from Veracode. If you have purchased the product or feature, based on your entitlements, Veracode continues to provide support.

End of Support

A product or feature that Veracode no longer sells or supports.


For ISM, the JAR file that establishes the necessary connection between the gateway and the applications to scan. You must deploy endpoints behind your firewall in a location in your network that has access to the applications you want to scan.

Endpoint Activity

For ISM, indicates when scans are in progress or when Veracode is providing scan support using an endpoint.

Endpoint Installer

For ISM, the tool that supports the simple installation of your endpoints and creates a service that runs your endpoints continuously. Veracode recommends you use it to install your endpoints.

Endpoint Status

For ISM, the status of the connection between the endpoint and gateway: Ready, Pending, or Offline.


A procedure or program intended to take advantage of a vulnerability, potentially by leveraging one or more flaws. For flaws discovered during Veracode Static Analysis, Veracode might assign an exploitability rating to the flaw. The rating indicates the likelihood or ease with which an attacker could exploit a flaw.



Potentially exploitable area, such as a coding error or defect, of an application. Veracode detects flaws during Static Analysis, Dynamic Analysis, or Manual Penetration Testing (MPT). Veracode identifies flaws at the point where data leaves the application. For simplicity in user interfaces, Veracode generally refers to vulnerabilities from Dynamic Analysis and MPT as flaws.



For ISM, the access point to the Veracode cloud. It provides information to endpoints upon request, acting as the intermediate system between endpoints and the Veracode scan machines. You should create only one gateway for your ISM configuration.

Gateway Status

For ISM, the availability status of the gateway for Dynamic Analysis: Ready, Initializing, or Offline.

Generally Available

A Veracode product or feature that is generally available (GA), usually for purchase, to all users. You can use these products or features in production environments.


Internal Scanning Management (ISM)

Veracode Internal Scanning Management (ISM) is a simplified approach to web application scanning for applications hosted within a corporate firewall that cannot be reached from the public internet. ISM allows Veracode to bring uniformity to the scanning of external and internal applications for Veracode Dynamic Analysis users.


Manual Penetration Testing (MPT)

Veracode can perform a manual penetration test of your application and provide you with the test results. The tests involve simulating real-world attack scenarios to identify vulnerabilities. Veracode offers the following penetration tests.

  • Web applications
  • DevOps, or Network Penetration Testing
  • APIs (headless)
  • Mobile applications
  • Desktop applications



A high-level, organizational unit, such as a business or company, to which all applications and Veracode users belong on the Veracode Platform. For Manual Penetration Testing, the organization is the account under which Veracode performs the manual tests.



For SCA agent-based scanning, projects typically correspond directly to a repository in a source control system. When using the agent to execute a scan, the agent automatically creates the project based on the repository in which you run the scan.


Remote Code Execution (RCE)

A vulnerability commonly found in web applications. An attacker with system-level access to a server with this vulnerability can run code against this weakness. After compromising the system, the attacker may be able to access all information on the server, such as databases that contain sensitive data. Veracode Dynamic Analysis can detect these vulnerabilities in web applications.


SCA Agent

For SCA agent-based scanning, an agent is a command-line tool that interfaces with the artifacts or repositories to be scanned and the Veracode service. Agents associate the results of their scans to a project within a particular workspace. You can configure agents at the organization or workspace level.

Security Labs

Veracode Security Labs provides interactive lessons that help developers gain practical knowledge about application security. These lessons contain instructions and hands-on lab exercises.

Security Policy

A Veracode application security policy that you configure to enforce specific security requirements for individual applications or a specific a uniform policy of security requirements across all applications in an application portfolio. Veracode provides default policies, but you can create custom policies based on the security requirements for your organization.

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) provides a standardized, structured inventory of software components and the associated supply chains that an application uses. Veracode provides multiple options for you to generate an SBOM based on your desired specification standard, output format, and target origin.

Software Composition Analysis (SCA)

An analysis of third-party components or libraries and open-source code in applications to detect known vulnerabilities. Veracode SCA solutions include scanning applications you upload to Veracode or running agent-based scans. See SCA Agent.

Static Analysis

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to quickly identify and remediate application security findings. It analyzes major frameworks and languages without requiring source code, so you can assess the code you write, buy, or download, and measure progress in a single platform.


URL Configuration

For Dynamic Analysis, the detailed configuration of a specific URL in a scan occurrence. It includes URL blocklists and allowlists, login settings, and user agent details.


Veracode Level

A rating that Veracode assigns to an application based on the maturity of the application security posture. Veracode determines the Veracode Level based on the type of testing you perform on the application and the severity and types of flaws it found during scanning.

Veracode Platform

The web application you use to manage your entire Veracode organization and scan your applications from a central interface. You access the Veracode Platform from the Region Domain for your Veracode account.

Veracode Support Engineer

Provides multiple levels of support for your ISM project, such as:

  • Troubleshooting login issues
  • Configuring dynamic scanners to support uncommon settings
  • Removing false positives from scan results
You have the option to grant Veracode Support Engineers limited access to your environment to perform these functions.

Veracode Vulnerability Database

The Veracode Vulnerability Database contains all the public CVEs and vulnerability content that is exclusively available through Veracode. You can use the Veracode Vulnerability Database as a tool to determine if a library is safe prior to adding it to your code. It also provides important details about a library, such as the license in use and insight into specific vulnerabilities.


The teams assigned to an application profile. Security leads and members of the assigned teams can access the application profile and the linked scan results.


An exploitable weakness that Veracode found in your application during a Dynamic Analysis, a Software Composition Analysis, or Manual Penetration Testing. See Flaw.



Workspaces serve as the organizing container for your agent-based scanning projects. Some common groupings include creating workspaces by product, by scrum team, or by geographic region.