Veracode glossary

This glossary defines general application security terms and terms specific to Veracode products.

A

Allowlist

A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you want to make available to users or systems. To access Veracode products and services, specific domains and IP addresses must be available to your organization. You must add the required domains and IP addresses to the allowlist for your organization. See Blocklist.

Application Perimeter Monitoring (APM)

Rapidly discover all public-facing applications and conduct lightweight dynamic analysis to quickly identify the most exploitable vulnerabilities — such as SQL injection and cross-site scripting (XSS) — by scanning thousands of websites simultaneously.

Application profile

An application profile groups scan results from multiple scan types for the same application. For SCA upload scans and Static Analysis, Veracode automatically adds the scan results to the application profile. To add scan results from SCA agent-based scans or Dynamic Analysis to an application profile, you must manually link the results to the application profile.

Application Programming Interface (API)

A computing interface that defines interactions between multiple software intermediaries.

AppSec (Application Security)

The process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats, such as unauthorized access and modification.

Artifact

A by-product produced during the software development process, typically during a build. It might consist of the project or application, source code, dependencies, binaries, bytecode, or other resources. To ensure the security and availability of artifacts, development teams usually store them securely in a repository. See packaged application.

Assignment (Security Labs)

A group of labs in a campaign.

Assurance

A measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediate and enforce an application security policy. It helps answer whether the security controls for the organization provide the expected security level for the application. See Business Criticality.

Attack vector

A path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. For example, for Dynamic Analysis and Manual Penetration Testing, the attack vector is the URL of the target web application or API. For Static Analysis, the attack vector is the function or class in your code that contains the flaw.

B

Blocklist

A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you do not want to make available to users or systems. For example, you can blocklist specific URLs to exclude from Dynamic Analysis scans or third-party licenses from SCA scans. Other Veracode products and services have specific domains and IP addresses that must not be on your blocklist. See Allowlist.

Business criticality

A Veracode rating system that uses a five-point scale, from Very High (5) to Very Low (1), to indicate how important securing an application is to the organization. You set the business criticality for an application when you create an application profile. Applications with higher business criticality typically require stricter security policies and more comprehensive testing methods. See Assurance.

Business owner

A person in your organization who is responsible for ensuring the security of certain applications. They monitor Veracode scans of these applications and ensure that the teams assigned to these applications have addressed any flaws.

Business unit

A subdivision of your organization that you define in the Veracode Platform. Your organization uses business units to organize Veracode users and applications for your entire Veracode program.

C

Call stack

The path that Static Analysis takes to locate a flaw in your code. In a Veracode interface, such as the Veracode Platform or an IDE integration, the call stack appears as a stacked series of steps.

Campaign (Security Labs)

A group of assignments assigned to one or more user roles.

Certified Information Systems Auditor (CISA)

A designation issued by the Information Systems Audit and Control Association (ISACA).

Certified Information Systems Security Professional (CISSP)

An independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².

Chief Information Security Officer (CISO)

A senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

Command Line Interface (CLI)

A Command Line Interface (CLI) is a non-graphical input method that receives text input from users to perform a variety of actions. Veracode CLI is a tool that you install locally and invoke directly from a command line to perform various Veracode tasks, such as running scans and reviewing scan results.

Commercial Off the Shelf (COTS)

Commercial off-the-shelf or commercially available off-the-shelf products are packaged solutions that are then adapted to satisfy the needs of the purchasing organization, rather than the commissioning of custom-made solutions.

Common Vulnerabilities and Exposures (CVE)

A dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. Developers and security practitioners can use a unique identifier, called the CVE ID, to look up details about vulnerabilities detected in the code. For Software Composition Analysis (SCA) or Manual Penetration Testing (MPT) results, Veracode uses the Common Vulnerability Scoring System (CVSS) rating assigned to the CVE to determine the flaw severity. For more information, see the NIST website.

Common Vulnerability Scoring System (CVSS)

A free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.

Common Weakness Enumeration (CWE)

A community-developed list of common software and hardware weakness types that have security implications. For application security, weaknesses are flaws, vulnerabilities, faults, bugs, or other errors in the code that, if left unaddressed, could make systems, networks, or hardware vulnerable to attack.

Veracode uses CWEs to identify flaws in your applications during Static Analysis and Dynamic Analysis. Developers and security practitioners can use the results from these analyses to identify and remediate weaknesses at the source to ensure more secure applications prior to delivery.

For details, see the Mitre website.

Competition Mode (Security Labs)

A type of campaign in which individuals or teams compete against each other for points. A campaign in competition mode has its own leaderboard and countdown timer.

Cross-Site Request Forgery (CSRF)

Also known as one-click attack or session riding and abbreviated as CSRF or XSRF, this is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

D

Deprecated

Veracode no longer recommends using deprecated products. They follow an end of life (EOL) timeline and receive only limited support. You can still use the product or feature, but support is restricted to critical bug fixes.

Developer sandbox

A feature that allows you to perform a Static Analysis of your applications early and often in the Software Development Life Cycle (SDLC). You can create sandboxes within existing application profiles and submit your code for analysis, while simultaneously analyzing your code against your application security policy.

DevOps

A set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from the Agile methodology. See DevSecOps.

DevSecOps

A set of practices that combines software development (Dev), security (Sec), and IT operations (Ops). The term draws attention to the need for DevOps teams to embed security at every stage of their product lifecycle. Veracode supports DevSecOps by promoting awareness, risk identification, and remediation through security automation, culture, and processes. See DevOps.

Direct Web Remoting (DWR)

A Java open source library that helps developers write web sites that include Ajax technology. It allows code in a browser to use Java functions running on a web server just as if it was in the browser.

Discouraged

A product or feature that Veracode no longer recommends you use based on best practices. You can still use the feature or product and Veracode continues to support it.

Domain Name System (DNS)

A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

Dynamic Analysis

The Veracode Dynamic Application Security Testing (DAST) solution that enables broad scan coverage for internal and external web applications and REST APIs.

Dynamic Application Security Testing (DAST)

A testing method that communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. See the Veracode DAST solution, Dynamic Analysis.

E

Early Adopter

The Veracode Early Adopter (EA) program makes certain features or products available to users who participate in the EA program. Specific EA features or products might have additional restrictions, such as preventing you from using them in production.

Effort to fix

A numeric scale that Veracode uses to estimate the time required for you to fix a particular flaw.

eLearning

Veracode eLearning consists of course-based training that helps developers gain the critical skills they need to identify and address potential vulnerabilities. These courses contain multiple slides, videos, and, usually, a quiz.

End of life

A Veracode product or feature that has reached end of life (EOL) is no longer available for you to purchase from Veracode or use and it no longer works.

End of sale

A Veracode product or feature that you can no longer purchase from Veracode. If you have purchased the product or feature, based on your entitlements, Veracode continues to provide support.

End of support

A product or feature that Veracode no longer sells or supports.

Endpoint

For ISM, the JAR file that establishes the necessary connection between the gateway and the applications to scan. You must deploy endpoints behind your firewall in a location in your network that has access to the applications you want to scan.

Endpoint activity

For ISM, indicates when scans are in progress or when Veracode is providing scan support using an endpoint.

Endpoint installer

For ISM, the tool that supports the simple installation of your endpoints and creates a service that runs your endpoints continuously. Veracode recommends you use it to install your endpoints.

Endpoint status

For ISM, the status of the connection between the endpoint and gateway: Ready, Pending, or Offline.

Exploit

A procedure or program intended to take advantage of a vulnerability, potentially by leveraging one or more flaws. For flaws discovered during Veracode Static Analysis, Veracode might assign an exploitability rating to the flaw. The rating indicates the likelihood or ease with which an attacker could exploit a flaw.

F

False negative

The absence of a test result known to exist for a particular condition or attribute.

False positive

A test result that incorrectly indicates that a particular condition or attribute is present.

Finding

A security risk detected in your application during an analysis. It may be a flaw in source code detected by Static Analysis, a vulnerability in a web application or API found through Dynamic Analysis or Manual Penetration Testing (MPT), or a weakness in an open-source component identified via Software Composition Analysis (SCA). For simplicity in user interfaces, Veracode generally refers to vulnerabilities and flaws as findings. See flaw or vulnerability.

Flaw

Potentially exploitable area, such as a coding error or defect, of an application. Veracode detects flaws during Static Analysis. Veracode identifies flaws at the point where data leaves the application. For simplicity in user interfaces, Veracode generally refers to flaws and vulnerabilities as findings. See finding.

G

Gateway

For ISM, the access point to the Veracode cloud. It provides information to endpoints upon request, acting as the intermediate system between endpoints and the Veracode scan machines. You should create only one gateway for your ISM configuration.

Gateway status

For ISM, the availability status of the gateway for Dynamic Analysis: Ready, Initializing, or Offline.

Generally available

A Veracode product or feature that is generally available (GA), usually for purchase, to all users. You can use these products or features in production environments.

H

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

I

Information Security Risk Management (ISRM)

The process of managing risks associated with the use of information technology. It involves identifying, assessing, and mitigating risks to an organization’s confidentiality, integrity, and availability (CIA).

Integrated Development Environment (IDE)

A software application that provides coding, debugging, and testing tools for software development.

Internal Scanning Management (ISM)

Veracode Internal Scanning Management is a simplified approach to web application scanning for applications hosted within a corporate firewall that cannot be reached from the public internet. ISM standardizes the scanning process for both external and internal applications using Veracode Dynamic Analysis.

Issue

A security risk identified by an SCA agent during Software Composition Analysis (SCA). The SCA agent creates issues based on the following factors:

The policy that is assigned to the workspace.
The SCA rules that are included in the policy.
The type of libraries detected by the SCA agent.

SCA agent-based scanning detects the following issues:

Vulnerability issues: if the SCA agent detects a vulnerability in an open-source library, it creates a vulnerability issue based on the configured policy rules. Vulnerability rules can consider severity, dependency type (direct or transitive), and exploitability.
License issues: f the SCA agent finds a license in an open-source library, it creates a license issue based on policy rules. These rules can assess license risk, dependency type (direct or transitive), and other attributes.

For more information, see About policy rules.

Library issues: if the SCA agent detects an open-source library that is not the latest version, SCA might create a library issue based on the configured rules in the policy. While updating libraries is beneficial, Veracode discourages creating library issues, as they may overwhelm developers with excessive vulnerability and license alerts.

M

Manual Penetration Testing (MPT)

Veracode conducts manual penetration testing (MPT) to simulate real-world attack scenarios and identify security vulnerabilities. Veracode offers the following penetration tests.

Web applications
Network Penetration Testing (DevOps)
APIs (headless)
Mobile applications
Desktop applications

N

National Institute of Standards and Technology (NIST)

A physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. Maintains the National Vulnerability Database (NVD), which provides vulnerability information to improve cybersecurity.

O

Open Source Software (OSS)

Software with source code freely available for use, modification, and distribution under an open license. See Software Composition Analysis.

Open Web Application Security Project (OWASP)

An online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. For details, see their website.

Organization

A high-level, organizational unit, such as a business or company, to which all applications and Veracode users belong on the Veracode Platform. For Manual Penetration Testing, the organization is the account under which Veracode performs the manual tests.

P

Packaged application

An archive or executable file, such as a JAR, ZIP, or EXE, that contains application source code for Veracode Static Analysis scanning. Also called an artifact. The packaged application must meet specific packaging requirements. See artifact.

Payment Card Industry (PCI)

A set of guidelines set forth by the PCI Standards Council. PCI compliance is governed by the PCI Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards.

Project

For SCA agent-based scanning, projects typically correspond directly to a repository in a source control system. When using the agent to execute a scan, the agent automatically creates the project based on the repository in which you run the scan.

Q

Qualified Security Assessor (QSA)

A designation conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor (QSA) company approved PCI security and auditing firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.

R

Remote Code Execution (RCE)

A vulnerability commonly found in web applications. An attacker can execute malicious code remotely, potentially gaining full control of a server and its data. Veracode Dynamic Analysis can detect these vulnerabilities in web applications.

S

SCA agent

For SCA agent-based scanning, an agent is a command-line tool that interfaces with the artifacts or repositories to be scanned and the Veracode service. Agents associate the results of their scans to a project within a particular workspace. You can configure agents at the organization or workspace level.

Security Labs

Veracode Security Labs provides interactive lessons that help developers gain practical knowledge about application security. These lessons contain instructions and hands-on lab exercises.

Security policy

Veracode security policies define thresholds for application security requirements. You can use policies to enforce specific standards for individual applications or apply consistent requirements across your entire application portfolio. Veracode provides built-in policies, or you can create custom policies that reflect your organization's security goals.

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) provides a standardized, structured inventory of software components and the associated supply chains that an application uses. Veracode provides multiple options for you to generate an SBOM based on your desired specification standard, output format, and target origin.

Software Composition Analysis (SCA)

A security analysis of open-source and third-party components in applications to detect known vulnerabilities. Veracode SCA solutions include scanning applications you upload to Veracode or running agent-based scans. See SCA Agent.

Software Development Life Cycle (SDLC)

A process that produces software with the highest quality and lowest cost in the shortest time possible. SDLC provides a well-structured flow of phases that help an organization to quickly produce high-quality software that is well-tested and ready for production use.

Static Analysis

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that helps you identify and remediate application security issues. It supports major frameworks and languages without requiring source code, allowing you to assess proprietary, open-source, and third-party code in one platform.

Static Application Security Testing (SAST)

A set of technologies designed to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the inside out in a non-running state. See the Veracode SAST solution, Static Analysis.

U

URL configuration

For Dynamic Analysis, the detailed configuration of a specific URL in a scan occurrence. It includes URL blocklists and allowlists, login settings, and user agent details.

V

Veracode level

A rating that helps organizations assess and prioritize application security risks for policy enforcement. Veracode assigns this level based on the type of testing performed, the severity and types of flaws found, and the application's overall security posture.

Veracode Platform

The web application you use to manage your entire Veracode organization and scan your applications from a central interface. You access the Veracode Platform from the Region Domain for your Veracode account.

Veracode Support Engineer

Provides multiple levels of support for your ISM project, such as:

Troubleshooting login issues
Configuring dynamic scanners to support uncommon settings
Removing false positives from scan results
You have the option to grant Veracode Support Engineers limited access to your environment to perform these functions.

You have the option to grant Veracode Support Engineers limited access to your environment to perform these functions.

Veracode Vulnerability Database

The Veracode Vulnerability Database contains all the public CVEs and vulnerability content that is exclusively available through Veracode. You can use the Veracode Vulnerability Database as a tool to determine if a library is safe prior to adding it to your code. It also provides important details about a library, such as the license in use and insight into specific vulnerabilities.

Visibility

The teams assigned to an application profile. Security leads and members of the assigned teams can access the application profile and the linked scan results.

Vulnerability

An exploitable weakness that Veracode found in your application during a Dynamic Analysis, a Software Composition Analysis, or Manual Penetration Testing. For simplicity in user interfaces, Veracode generally refers to vulnerabilities as findings. See finding.

W

Workspace

Workspaces serve as the organizing container for your agent-based scanning projects. Some common groupings include creating workspaces by product, by scrum team, or by geographic region.

A​

Allowlist​

Application Perimeter Monitoring (APM)​

Application profile​

Application Programming Interface (API)​

AppSec (Application Security)​

Artifact​

Assignment (Security Labs)​

Assurance​

Attack vector​

B​

Blocklist​

Business criticality​

Business owner​

Business unit​

C​

Call stack​

Campaign (Security Labs)​

Certified Information Systems Auditor (CISA)​

Certified Information Systems Security Professional (CISSP)​

Chief Information Security Officer (CISO)​

Command Line Interface (CLI)​

Commercial Off the Shelf (COTS)​

Common Vulnerabilities and Exposures (CVE)​

Common Vulnerability Scoring System (CVSS)​

Common Weakness Enumeration (CWE)​

Competition Mode (Security Labs)​

Cross-Site Request Forgery (CSRF)​

D​

Deprecated​

Developer sandbox​

DevOps​

DevSecOps​

Direct Web Remoting (DWR)​

Discouraged​

Domain Name System (DNS)​

Dynamic Analysis​

Dynamic Application Security Testing (DAST)​

E​

Early Adopter​

Effort to fix​

eLearning​

End of life​

End of sale​

End of support​

Endpoint​

Endpoint activity​

Endpoint installer​

Endpoint status​

Exploit​

F​

False negative​

False positive​

Finding​

Flaw​

G​

Gateway​

Gateway status​

Generally available​

H​

HIPAA​

I​

Information Security Risk Management (ISRM)​

Integrated Development Environment (IDE)​

Internal Scanning Management (ISM)​

Issue​

M​

Manual Penetration Testing (MPT)​

N​

National Institute of Standards and Technology (NIST)​

O​

Open Source Software (OSS)​

Open Web Application Security Project (OWASP)​

Organization​

P​

Packaged application​

Payment Card Industry (PCI)​

Project​

Q​

Qualified Security Assessor (QSA)​

A