Skip to main content

Veracode glossary

This glossary provides definitions for general application security terms and terms specific to Veracode products.



A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you want to make available to users or systems. To access Veracode products and services, specific domains and IP addresses must be available to your organization. You must add the required domains and IP addresses to the allowlist for your organization. See Blocklist.

Application Perimeter Monitoring (APM)

Rapidly discover all public-facing applications and conduct lightweight dynamic analysis to quickly identify the most exploitable vulnerabilities — such as SQL injection and cross-site scripting (XSS) — by scanning thousands of websites simultaneously.

Application profile

Application profiles serve as an organizing container for scan results from different scan types of the same application. For SCA upload scans and Static Analysis, Veracode automatically adds the scan results to the application profile. To add scan results from SCA agent-based scans or Dynamic Analysis to an application profile, you must manually link the results to the application profile.

Application Programming Interface (API)

A computing interface that defines interactions between multiple software intermediaries.

AppSec (Application Security)

The process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats, such as unauthorized access and modification.


A by-product produced during the software development process, typically during a build. It might consist of the project or application, source code, dependencies, binaries, bytecode, or other resources. To ensure the security and availability of artifacts, development teams usually store them securely in a repository. See packaged application.

Assignment (Security Labs)

A group of labs in a campaign.


A measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediate and enforce an application security policy. It helps answer whether the security controls for the organization provide the expected security level for the application. See Business Criticality.

Attack vector

A path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. For example, for Dynamic Analysis and Manual Penetration Testing, the attack vector is the URL of the target web application or API. For Static Analysis, the attack vector is the function or class in your code that contains the flaw.



A collection of items, such as IP addresses or domains, email addresses, or open-source components, that you do not want to make available to users or systems. For example, you can blocklist specific URLs to exclude from Dynamic Analysis scans or third-party licenses from SCA scans. Other Veracode products and services have specific domains and IP addresses that must not be on your blocklist. See Allowlist.

Business criticality

A Veracode rating system that uses a five-point scale, from Very High (5) to Very Low (1), to indicate the importance to the organization of securing an application. You set the business criticality for an application when you create an application profile. In general, applications that require higher security have a higher business criticality. See Assurance.

Business owner

A person in your organization who is responsible for ensuring the security of certain applications. They monitor Veracode scans of these applications and ensure that the teams assigned to these applications have addressed any flaws.

Business unit

A subdivision of your organization that you define in the Veracode Platform. Your organization uses business units to organize Veracode users and applications for your entire Veracode program.


Call stack

The path that Static Analysis takes to locate a flaw in your code. In a Veracode interface, such as the Veracode Platform or an IDE integration, the call stack appears as a stacked series of steps.

Campaign (Security Labs)

A group of assignments assigned to one or more user roles.

Certified Information Systems Auditor (CISA)

A designation issued by the Information Systems Audit and Control Association (ISACA).

Certified Information Systems Security Professional (CISSP)

An independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².

Chief Information Security Officer (CISO)

A senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

Command Line Interface (CLI)

A Command Line Interface (CLI) is a non-graphical input method that receives text input from users to perform a variety of actions. Veracode CLI is a tool that you install locally and invoke directly from a command line to perform various Veracode tasks, such as running scans and reviewing scan results.

Commercial Off the Shelf (COTS)

Commercial off-the-shelf or commercially available off-the-shelf products are packaged solutions that are then adapted to satisfy the needs of the purchasing organization, rather than the commissioning of custom-made solutions.

Common Vulnerabilities and Exposures (CVE)

A dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. Developers and security practitioners can use a unique identifier, called the CVE ID, to look up details about vulnerabilities detected in the code. For Software Composition Analysis (SCA) or Manual Penetration Testing (MPT) results, Veracode uses the Common Vulnerability Scoring System (CVSS) rating assigned to the CVE to determine the flaw severity. For more information, see the NIST website.

Common Vulnerability Scoring System (CVSS)

A free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.

Common Weakness Enumeration (CWE)

A community-developed list of common software and hardware weakness types that have security implications. For application security, weaknesses are flaws, vulnerabilities, faults, bugs, or other errors in the code that, if left unaddressed, could make systems, networks, or hardware vulnerable to attack.

Veracode uses CWEs to identify flaws in your applications during Static Analysis and Dynamic Analysis. Developers and security practitioners can use the results from these analyses to identify and remediate weaknesses at the source to ensure more secure applications prior to delivery.

For details, see the Mitre website.

Competition Mode (Security Labs)

A type of campaign in which individuals or teams compete against each other for points. A campaign in competition mode has its own leaderboard and countdown timer.

Cross-Site Request Forgery (CSRF)

Also known as one-click attack or session riding and abbreviated as CSRF or XSRF, this is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.



A product or feature that Veracode no longer recommends you use and has communicated a timeline for its end of life (EOL). You can still use the product or feature, but Veracode only provides limited support, such as critical bug fixes.

Developer sandbox

A feature that allows you to perform a Static Analysis of your applications early and often in the Software Development Life Cycle (SDLC). You can create sandboxes within existing application profiles and submit your code for analysis, while simultaneously analyzing your code against your application security policy.


A set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from the Agile methodology. See DevSecOps.


A set of practices that combines software development (Dev), security (Sec), and IT operations (Ops). The term draws attention to the need for DevOps teams to embed security at every stage of their product lifecycle. Veracode champions DevSecOps to promote the awareness, identification, and remediation of risk through systemic security automation, culture, and processes. See DevOps.

Direct Web Remoting (DWR)

A Java open source library that helps developers write web sites that include Ajax technology. It allows code in a browser to use Java functions running on a web server just as if it was in the browser.


A product or feature that Veracode no longer recommends you use based on best practices. You can still use the feature or product and Veracode continues to support it.

Domain Name System (DNS)

A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

Dynamic Analysis

The Veracode Dynamic Application Security Testing (DAST) solution that enables broad scan coverage for internal and external web applications and REST APIs.

Dynamic Application Security Testing (DAST)

A testing method that communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. See the Veracode DAST solution, Dynamic Analysis.


Early Adopter

The Veracode Early Adopter (EA) program makes certain features or products available to users who participate in the EA program. Specific EA features or products might have additional restrictions, such as preventing you from using them in production.

Effort to fix

A numeric scale that Veracode uses to estimate the time required for you to fix a particular flaw.


Veracode eLearning consists of course-based training that helps developers gain the critical skills they need to identify and address potential vulnerabilities. These courses contain multiple slides, videos, and, usually, a quiz.

End of life

A Veracode product or feature that has reached end of life (EOL) is no longer available for you to purchase from Veracode or use and it no longer works.

End of sale

A Veracode product or feature that you can no longer purchase from Veracode. If you have purchased the product or feature, based on your entitlements, Veracode continues to provide support.

End of support

A product or feature that Veracode no longer sells or supports.


For ISM, the JAR file that establishes the necessary connection between the gateway and the applications to scan. You must deploy endpoints behind your firewall in a location in your network that has access to the applications you want to scan.

Endpoint activity

For ISM, indicates when scans are in progress or when Veracode is providing scan support using an endpoint.

Endpoint installer

For ISM, the tool that supports the simple installation of your endpoints and creates a service that runs your endpoints continuously. Veracode recommends you use it to install your endpoints.

Endpoint status

For ISM, the status of the connection between the endpoint and gateway: Ready, Pending, or Offline.


A procedure or program intended to take advantage of a vulnerability, potentially by leveraging one or more flaws. For flaws discovered during Veracode Static Analysis, Veracode might assign an exploitability rating to the flaw. The rating indicates the likelihood or ease with which an attacker could exploit a flaw.


False negative

The absence of a test result known to exist for a particular condition or attribute.

False positive

A test result that incorrectly indicates that a particular condition or attribute is present.


A potential security risk that Veracode detected in your application during an analysis. The security risk can be a flaw in your source code discovered during a Static Analysis, a vulnerability in a web application or API discovered during a Dynamic Analysis or Manual Penetration Testing (MPT), or a vulnerability in an open-source component discovered during a Software Composition Analysis (SCA). For simplicity in user interfaces, Veracode generally refers to vulnerabilities and flaws as findings. See flaw or vulnerability.


Potentially exploitable area, such as a coding error or defect, of an application. Veracode detects flaws during Static Analysis. Veracode identifies flaws at the point where data leaves the application. For simplicity in user interfaces, Veracode generally refers to flaws and vulnerabilities as findings. See finding.



For ISM, the access point to the Veracode cloud. It provides information to endpoints upon request, acting as the intermediate system between endpoints and the Veracode scan machines. You should create only one gateway for your ISM configuration.

Gateway status

For ISM, the availability status of the gateway for Dynamic Analysis: Ready, Initializing, or Offline.

Generally available

A Veracode product or feature that is generally available (GA), usually for purchase, to all users. You can use these products or features in production environments.



The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.


Information Security Risk Management (ISRM)

The process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets.

Integrated Development Environment (IDE)

A software application that provides comprehensive facilities to computer programmers for software development.

Internal Scanning Management (ISM)

Veracode Internal Scanning Management is a simplified approach to web application scanning for applications hosted within a corporate firewall that cannot be reached from the public internet. ISM allows Veracode to bring uniformity to the scanning of external and internal applications for Veracode Dynamic Analysis users.


Manual Penetration Testing (MPT)

Veracode can perform a manual penetration test of your application and provide you with the test results. The tests involve simulating real-world attack scenarios to identify vulnerabilities. Veracode offers the following penetration tests.

  • Web applications
  • DevOps, or Network Penetration Testing
  • APIs (headless)
  • Mobile applications
  • Desktop applications


National Institute of Standards and Technology (NIST)

A physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. Responsible for the National Vulnerability Database.


Open Source Software (OSS)

A type of computer software in which source code is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software to anyone and for any purpose. See Software Composition Analysis.

Open Web Application Security Project (OWASP)

An online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. For details, see their website.


A high-level, organizational unit, such as a business or company, to which all applications and Veracode users belong on the Veracode Platform. For Manual Penetration Testing, the organization is the account under which Veracode performs the manual tests.


Packaged application

An archive or executable file, such as a JAR, ZIP, or EXE, that contains application source code for Veracode Static Analysis scanning. Also called an artifact. The packaged application must meet specific packaging requirements. See artifact.

Payment Card Industry (PCI)

A set of guidelines set forth by the PCI Standards Council. PCI compliance is governed by the PCI Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards.


For SCA agent-based scanning, projects typically correspond directly to a repository in a source control system. When using the agent to execute a scan, the agent automatically creates the project based on the repository in which you run the scan.


Qualified Security Assessor (QSA)

A designation conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor (QSA) company approved PCI security and auditing firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.


Remote Code Execution (RCE)

A vulnerability commonly found in web applications. An attacker with system-level access to a server with this vulnerability can run code against this weakness. After compromising the system, the attacker might be able to access all information on the server, such as databases that contain sensitive data. Veracode Dynamic Analysis can detect these vulnerabilities in web applications.


SCA agent

For SCA agent-based scanning, an agent is a command-line tool that interfaces with the artifacts or repositories to be scanned and the Veracode service. Agents associate the results of their scans to a project within a particular workspace. You can configure agents at the organization or workspace level.

Security Labs

Veracode Security Labs provides interactive lessons that help developers gain practical knowledge about application security. These lessons contain instructions and hands-on lab exercises.

Security policy

A Veracode application security policy that you configure to enforce specific security requirements for individual applications or a specific a uniform policy of security requirements across all applications in an application portfolio. Veracode provides default policies, but you can create custom policies based on the security requirements for your organization.

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) provides a standardized, structured inventory of software components and the associated supply chains that an application uses. Veracode provides multiple options for you to generate an SBOM based on your desired specification standard, output format, and target origin.

Software Composition Analysis (SCA)

An analysis of third-party components or libraries and open-source code in applications to detect known vulnerabilities. Veracode SCA solutions include scanning applications you upload to Veracode or running agent-based scans. See SCA Agent.

Software Development Life Cycle (SDLC)

A process that produces software with the highest quality and lowest cost in the shortest time possible. SDLC provides a well-structured flow of phases that help an organization to quickly produce high-quality software that is well-tested and ready for production use.

Static Analysis

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to quickly identify and remediate application security findings. It analyzes major frameworks and languages without requiring source code, so you can assess the code you write, buy, or download, and measure progress in a single platform.

Static Application Security Testing (SAST)

A set of technologies designed to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the inside out in a non-running state. See the Veracode SAST solution, Static Analysis.


URL configuration

For Dynamic Analysis, the detailed configuration of a specific URL in a scan occurrence. It includes URL blocklists and allowlists, login settings, and user agent details.


Veracode level

A rating that Veracode assigns to an application based on the maturity of the application security posture. Veracode determines the Veracode level based on the type of testing you perform on the application and the severity and types of flaws it found during scanning.

Veracode Platform

The web application you use to manage your entire Veracode organization and scan your applications from a central interface. You access the Veracode Platform from the Region Domain for your Veracode account.

Veracode Support Engineer

Provides multiple levels of support for your ISM project, such as:

  • Troubleshooting login issues
  • Configuring dynamic scanners to support uncommon settings
  • Removing false positives from scan results
You have the option to grant Veracode Support Engineers limited access to your environment to perform these functions.

Veracode Vulnerability Database

The Veracode Vulnerability Database contains all the public CVEs and vulnerability content that is exclusively available through Veracode. You can use the Veracode Vulnerability Database as a tool to determine if a library is safe prior to adding it to your code. It also provides important details about a library, such as the license in use and insight into specific vulnerabilities.


The teams assigned to an application profile. Security leads and members of the assigned teams can access the application profile and the linked scan results.


An exploitable weakness that Veracode found in your application during a Dynamic Analysis, a Software Composition Analysis, or Manual Penetration Testing. For simplicity in user interfaces, Veracode generally refers to vulnerabilities as findings. See finding.



Workspaces serve as the organizing container for your agent-based scanning projects. Some common groupings include creating workspaces by product, by scrum team, or by geographic region.