Application Security
SCA (Software Composition Analysis)
Also known as: Open-source security, Dependency scanning
Definition
Automated analysis of an application's open-source and third-party components to identify known vulnerabilities, license issues and outdated or risky dependencies.
Examples
- Dependabot opening pull requests to upgrade vulnerable npm packages.
- Running Snyk Open Source in CI to fail the build on Critical CVEs with a fix available.
Related terms
SAST (Static Application Security Testing)
Automated analysis of source code, bytecode or binaries — without executing it — to find security weaknesses such as injection, unsafe APIs or insecure crypto.
DAST (Dynamic Application Security Testing)
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
CVE (Common Vulnerabilities and Exposures)
A public catalogue that assigns a unique identifier to each publicly disclosed software or hardware vulnerability so that it can be referenced unambiguously across the industry.
DevSecOps
A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
Log4Shell (CVE-2021-44228)
A critical December 2021 remote code execution vulnerability in Apache Log4j 2 that allowed attackers to run arbitrary code by logging a single JNDI lookup string.