-
SAST
¶ - Static Application Security Testing — analysing source code (or compiled bytecode) without running it, to find security vulnerabilities. Complementary to DAST. StaticCodeAudit is a SAST tool.
-
DAST
¶ - Dynamic Application Security Testing — analysing a running application from the outside (HTTP requests, login flows). Complementary to SAST. Cannot find issues in unreachable code paths.
-
IAST
¶ - Interactive Application Security Testing — combines SAST and DAST by instrumenting the application at runtime. Requires an agent in the app's process, which limits offline use.
-
CWE
¶ - Common Weakness Enumeration — a community-developed list of software weaknesses (e.g., CWE-89 « SQL Injection ») maintained by MITRE. Every StaticCodeAudit rule is tagged with at least one CWE identifier.
-
CVE
¶ - Common Vulnerabilities and Exposures — a unique identifier for a publicly disclosed vulnerability (e.g., CVE-2021-44228 = Log4Shell). Used to track which version of a library is affected.
-
OWASP Top 10
¶ - OWASP's regularly updated list of the 10 most critical web application security risks (last update: 2021). Includes A01 Broken Access Control, A03 Injection, A07 Identification & Authentication Failures, etc.
-
OWASP ASVS
¶ - Application Security Verification Standard — OWASP's checklist of 280+ verification requirements grouped into 14 chapters. Levels 1 (basic) / 2 (standard) / 3 (advanced). Current version: 5.0.0.
-
ISO/IEC 27001
¶ - International standard for information security management systems. Annex A lists 93 controls (2022 revision). Certification proves an organisation has implemented and operates an ISMS.
-
NIST CSF 2.0
¶ - NIST Cybersecurity Framework, version 2.0 (2024). Five functions: Identify, Protect, Detect, Respond, Recover. Widely adopted by US federal agencies and critical infrastructure operators.
-
SARIF
¶ - Static Analysis Results Interchange Format — OASIS standard (v2.1.0) JSON format for tool-agnostic SAST output. Ingested by GitHub Code Scanning, GitLab Security Dashboard, ServiceNow, RSA Archer, etc.
-
SBOM
¶ - Software Bill of Materials — a machine-readable inventory of every component (library, version, license) in a piece of software. Required by US Executive Order 14028 and EU NIS2 directive for software supply chain attestation. Common formats: CycloneDX, SPDX.
-
Taint analysis
¶ - Tracking how untrusted user input (« source ») flows through code until it reaches a dangerous function (« sink ») without going through a sanitiser. The technique behind detection of SQL injection, XSS, SSRF, command injection.
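As an added illustration (not StaticCodeAudit's own engine), a constructed, deliberately simplified taint tracker over Python's AST: values read from request.* are the sources, int() and shlex.quote() are the sanitisers, and cursor.execute() / os.system() are the sinks. Only the query/command argument is treated as the sink position, so a query that passes untrusted data as a bound parameter is not reported; the sample module it scans is constructed for this example.

```python
import ast
# Constructed toy taint tracker (not StaticCodeAudit's engine): values read from
# `request.*` are untrusted, sanitisers clear taint, sinks report tainted args.
SOURCE_ROOT, SANITISERS = "request", {"int", "quote"}   # int(...), shlex.quote(...)
SINKS = {"execute": 0, "system": 0}   # sink name -> index of the query/command arg
def _name(node):   # call target name: Name.id or Attribute.attr
    return getattr(node, "id", None) or getattr(node, "attr", None)
def _root(node):   # leftmost Name of an attribute chain (request.args.get -> request)
    while isinstance(node, ast.Attribute): node = node.value
    return getattr(node, "id", None)

class Tainter(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []   # tainted names, (line, sink) hits
    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            if _name(node.func) in SANITISERS:
                return False                       # sanitised: the flow stops here
            if _root(node.func) == SOURCE_ROOT:
                return True                        # fresh untrusted input
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Attribute) and _root(node) == SOURCE_ROOT:
            return True
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))  # "..." + x, f-strings, tuples
    def visit_Assign(self, node):   # propagate taint through simple assignments
        for t in node.targets:
            if isinstance(t, ast.Name):
                (self.tainted.add if self.is_tainted(node.value) else self.tainted.discard)(t.id)
        self.generic_visit(node)
    def visit_Call(self, node):     # only the query/command argument is a sink
        fn = _name(node.func)
        if fn in SINKS and len(node.args) > SINKS[fn] and self.is_tainted(node.args[SINKS[fn]]):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)

def find_taint_flows(source_code):   # -> [(line, sink)] for each source-to-sink flow
    t = Tainter(); t.visit(ast.parse(source_code)); return t.findings

SAMPLE = '''\
import os, shlex
from flask import request
def vulnerable(cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
def safe(cursor):
    cursor.execute("SELECT * FROM users WHERE id = %s", (request.args.get("id"),))
    os.system("ls " + shlex.quote(request.args.get("dir")))
'''
```

Running find_taint_flows(SAMPLE) reports only the concatenated query on line 5 of the sample; the parameterised query and the quoted shell argument produce no finding.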
-
CSP
¶ - Content Security Policy — HTTP response header that tells the browser which sources of script, style, image, etc. are allowed. Mitigates XSS by blocking inline scripts and unauthorised CDNs.
-
XSS
¶ - Cross-Site Scripting — vulnerability where attacker-controlled input is reflected in HTML without escaping, letting the attacker execute JavaScript in the victim's browser. Variants: stored, reflected, DOM-based.
-
SQL Injection
¶ - Vulnerability where user input is concatenated into an SQL query without parameter binding, letting an attacker alter the query logic (read other rows, drop tables, exfiltrate data). CWE-89.
-
SSRF
¶ - Server-Side Request Forgery — vulnerability where an attacker tricks a server into making HTTP requests to internal services (cloud metadata endpoints, RDS, internal microservices) the attacker can't reach directly. CWE-918.
-
XXE
¶ - XML External Entity — vulnerability in XML parsers that resolve external entities (DTD references). Lets attackers read local files, perform SSRF, or trigger denial of service (billion laughs). CWE-611.
-
CSRF
¶ - Cross-Site Request Forgery — attack where an authenticated victim is tricked into submitting a request the attacker chose, abusing the victim's session cookie. Mitigated by anti-CSRF tokens or SameSite cookies. CWE-352.
-
Prototype Pollution
¶ - JavaScript-specific vulnerability where an attacker can pollute Object.prototype via crafted keys (__proto__, constructor). Affects every downstream object. CWE-1321.
-
Insecure Deserialization
¶ - Deserialising attacker-controlled bytes (pickle, Java ObjectInputStream, PHP unserialize, .NET BinaryFormatter) leads to arbitrary code execution via gadget chains. CWE-502.
-
Air-gapped
¶ - A computing environment physically and logically isolated from external networks (no internet, no DNS, no removable media). Required for classified-data environments (SCIF, restricted zone) and many defence/critical-infrastructure deployments.
-
NIS2
¶ - EU directive 2022/2555 on cybersecurity for « essential » and « important » entities (energy, banks, healthcare, digital infra, etc.). Article 21 mandates risk management measures including supply chain security and SBOM evidence.
-
SOC 2
¶ - Service Organisation Control 2 — AICPA audit framework for service providers, covering 5 « Trust Service Criteria » (security, availability, processing integrity, confidentiality, privacy). Type II audits cover a period (typically 6-12 months).
-
HIPAA
¶ - US Health Insurance Portability and Accountability Act. The Security Rule (45 CFR §164.302–318) requires technical safeguards on electronic protected health information (ePHI), including access controls, audit logs, and integrity verification.
-
PCI-DSS
¶ - Payment Card Industry Data Security Standard. Required by Visa/MC/Amex for any merchant or processor handling payment card data. Version 4.0 (2024) §6.2 requires secure development practices including code review.
Authoritative sources
Every definition in this glossary is derived from a publicly maintained specification. Verify directly:
- CWE — cwe.mitre.org (MITRE, maintained list)
- CVE — cve.org (MITRE / CVE Program)
- OWASP Top 10 (2021) — owasp.org/Top10
- OWASP ASVS v5 — owasp.org/ASVS
- ISO/IEC 27001:2022 — iso.org/standard/27001
- NIST CSF 2.0 — nist.gov/cyberframework
- SARIF v2.1.0 — OASIS specification
- SBOM (CycloneDX) — cyclonedx.org (OWASP project)
- SBOM (SPDX) — spdx.dev (Linux Foundation)
- WCAG 2.1 — w3.org/TR/WCAG21
- NIS2 (EU 2022/2555) — EUR-Lex full text
- SOC 2 (AICPA) — aicpa-cima.com
- HIPAA Security Rule — hhs.gov/hipaa
- PCI-DSS v4.0 — pcisecuritystandards.org