A-I: ASPM, CVE, CWE, CSP, CSRF, CVSS, DAST, DevSecOps, HSTS, IAST, IDOR
- ASPM – Application Security Posture Management. A platform that aggregates findings from multiple security tools (SAST, DAST, SCA) into a unified view, providing risk prioritization and remediation tracking across the application portfolio.
- CVE – Common Vulnerabilities and Exposures. A standardized identifier for publicly known security vulnerabilities. Each CVE (e.g., CVE-2021-44228 for Log4Shell) has a unique ID, description, and severity score. CVE databases are maintained by MITRE and NVD.
- CWE – Common Weakness Enumeration. A categorized list of software and hardware weakness types. Unlike CVE (which identifies specific vulnerabilities), CWE classifies the type of flaw: CWE-89 is SQL Injection, CWE-79 is XSS, CWE-78 is Command Injection.
- CSP – Content Security Policy. An HTTP response header that controls which resources a browser is allowed to load for a given page. CSP mitigates XSS by restricting inline scripts and specifying allowed script sources.
- CSRF – Cross-Site Request Forgery. An attack that tricks a user's browser into making unintended requests to a site where they are authenticated. Prevented by CSRF tokens and SameSite cookie attributes.
- CVSS – Common Vulnerability Scoring System. A standardized framework for rating vulnerability severity on a 0-10 scale. CVSS considers exploitability (attack vector, complexity, privileges required) and impact (confidentiality, integrity, availability).
- DAST – Dynamic Application Security Testing. Security testing that analyzes running applications by sending crafted requests and observing responses. DAST finds runtime vulnerabilities but cannot pinpoint source code locations.
- DevSecOps – Development, Security, and Operations. An approach that integrates security practices into every phase of the software development lifecycle, rather than treating security as a separate phase. Automated scanning in CI/CD is a core DevSecOps practice.
- HSTS – HTTP Strict Transport Security. A security header that forces browsers to use HTTPS for all requests to a domain, preventing protocol downgrade attacks and cookie hijacking over unencrypted connections.
- IAST – Interactive Application Security Testing. A hybrid approach that uses agents embedded in the running application to monitor execution and identify vulnerabilities with both runtime context and source code location.
- IDOR – Insecure Direct Object Reference. A vulnerability where an application exposes internal object identifiers (database IDs, file names) in URLs or parameters without authorization checks, allowing attackers to access other users' resources.
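The CSP, CSRF, and HSTS entries above describe controls that live in response headers and in a per-session token check. The following Python is an added example written for this glossary, not code from CodeSlick or from any framework; the server secret, session id, and the `handle_state_change` handler are constructed placeholders. It shows the synchronizer-token pattern (a token bound to the session by HMAC and compared in constant time), a session cookie carrying the `SameSite`, `Secure`, and `HttpOnly` attributes, and the CSP and HSTS header values a hardened response would carry.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed demo secret used to bind CSRF tokens to a session.
# A real deployment loads this from a secrets store, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token (synchronizer token pattern).

    The token is an HMAC over the session id, so a cross-site page that
    does not know SERVER_SECRET cannot forge it, and the server can
    recompute it on each request instead of storing it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str | None) -> bool:
    """Return True only if the submitted token matches this session's token.

    compare_digest avoids a timing side channel; a missing or empty token
    is rejected rather than treated as "no check needed".
    """
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with the attributes that limit CSRF and cookie theft.

    SameSite=Lax keeps the cookie off cross-site POSTs, Secure restricts it
    to HTTPS, HttpOnly keeps it out of reach of page scripts.
    """
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def security_headers() -> dict[str, str]:
    """CSP and HSTS response headers as described in the glossary entries.

    This CSP permits scripts only from the page's own origin and no inline
    scripts, which is the part of CSP that blunts injected script tags.
    HSTS is set for one year and applies to subdomains.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def handle_state_change(session_id: str, form: dict[str, str]) -> tuple[int, dict[str, str]]:
    """Hypothetical handler for a state-changing POST; the CSRF check gates it."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, security_headers()
    # ... the real state change would happen here ...
    return 200, security_headers()


if __name__ == "__main__":
    sid = secrets.token_hex(16)  # constructed session id
    token = issue_csrf_token(sid)
    print(session_cookie(sid))
    print(handle_state_change(sid, {"csrf_token": token})[0])  # 200
    print(handle_state_change(sid, {"csrf_token": "forged"})[0])  # 403
    print(handle_state_change(sid, {})[0])  # 403
```

The token is derived rather than stored, so it must be bound to something the attacker cannot choose (here the session id) and the derivation key must stay secret; rotating `SERVER_SECRET` invalidates every outstanding token, which is the intended behaviour after a key compromise.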
J-S: JWT, OWASP, PCI-DSS, RASP, SARIF, SAST, SCA, SBOM, SDLC, SSRF
- JWT – JSON Web Token. A compact, URL-safe token format used for authentication and information exchange. JWTs contain signed claims (user identity, permissions) and are commonly used in API authentication. Security risks include weak signing keys and algorithm confusion attacks.
- OWASP – Open Worldwide Application Security Project. A nonprofit that produces freely available security resources including the OWASP Top 10, a regularly updated list of the most critical web application security risks. The OWASP Top 10 is the industry standard for security awareness.
- PCI-DSS – Payment Card Industry Data Security Standard. A set of security requirements for organizations that handle credit card data. PCI-DSS mandates secure coding practices, vulnerability scanning, and access controls.
- RASP – Runtime Application Self-Protection. A security technology that runs inside the application to detect and block attacks in real-time by monitoring application behavior and input/output operations.
- SARIF – Static Analysis Results Interchange Format. A standardized JSON format for expressing static analysis tool results. SARIF enables interoperability between tools and platforms like the GitHub Security tab.
- SAST – Static Application Security Testing. Security analysis of source code without executing it. SAST tools parse code into abstract syntax trees to identify vulnerability patterns. SAST runs early in development: in IDEs, at pre-commit, and in CI/CD.
- SCA – Software Composition Analysis. Analysis of third-party dependencies (open-source libraries, packages) to identify components with known vulnerabilities, license issues, or maintenance risks.
- SBOM – Software Bill of Materials. A machine-readable inventory of all components in a software application, including direct and transitive dependencies. SBOM formats include SPDX and CycloneDX. Executive Order 14028 mandates SBOMs for U.S. federal software.
- SDLC – Software Development Lifecycle. The complete process of planning, building, testing, deploying, and maintaining software. Secure SDLC integrates security activities (threat modeling, code review, scanning, pen testing) into each phase.
- SSRF – Server-Side Request Forgery. An attack where the attacker causes the server to make HTTP requests to unintended destinations, targeting internal networks and cloud metadata services. SSRF has its own OWASP Top 10 category (A10:2021).
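The JWT entry names weak signing keys and algorithm confusion as the main risks. The defensive half of that is a verifier that fixes the expected algorithm itself instead of trusting the token's `alg` header. The Python below is an added example for this glossary, not CodeSlick's code and not a real JWT library; `DEMO_KEY`, the claims, and the `exp` timestamps are constructed values. It signs and verifies HS256 tokens with the standard library only and rejects tokens whose header claims `none` or any other algorithm, tokens with a bad signature, and expired tokens.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A production HMAC key is at least 32 random bytes
# from a secrets store; short or guessable keys make HS256 tokens forgeable.
DEMO_KEY = b"constructed-demo-hmac-key-0123456789abcdef"


class InvalidToken(Exception):
    """Raised for any token the verifier refuses."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Create a compact JWT (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: float | None = None) -> dict:
    """Verify a JWT, accepting only HS256.

    The expected algorithm is pinned by the verifier and compared against
    the header; "none", RS256, or anything else fails before any signature
    work happens, which closes the algorithm-confusion path. The signature
    is compared in constant time and exp is enforced when present.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("undecodable header")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}")
    try:
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        provided = _b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("bad encoding")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("undecodable payload")
    current = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if exp is not None and current >= exp:
        raise InvalidToken("token expired")
    return claims


def is_valid(token: str, key: bytes, now: float | None = None) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, key, now)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, DEMO_KEY)  # constructed claims
    print(is_valid(tok, DEMO_KEY, now=1_000_000))  # True
    print(is_valid(tok, b"wrong-key", now=1_000_000))  # False: signature mismatch
    print(is_valid(tok, DEMO_KEY, now=3_000_000_000))  # False: expired
```

A verifier that supports several algorithms should take the allowed set from its own configuration per key, never from the token; the shape above generalises by replacing the single string comparison with a membership check against that configured set.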
T-Z: TLS, WAF, XSS, XXE
- TLS – Transport Layer Security. The cryptographic protocol that provides encryption for data in transit. TLS 1.3 is the current version, providing forward secrecy and improved performance. TLS replaces the deprecated SSL protocol, though the term "SSL" is still commonly used colloquially.
- WAF – Web Application Firewall. A security layer that filters and monitors HTTP traffic between a web application and the internet. WAFs protect against common attacks (XSS, SQLi, CSRF) using rule-based filtering. However, WAFs are a defense-in-depth measure—they should not be the only protection, as they can be bypassed with obfuscation and encoding techniques.
- XSS – Cross-Site Scripting. An injection vulnerability where an attacker injects malicious scripts into web pages viewed by other users. The three types are Reflected (via URL parameters), Stored (persisted in database), and DOM-based (client-side only). XSS is classified as CWE-79.
- XXE – XML External Entity. A vulnerability in XML parsers that process external entity references in user-supplied XML. XXE can lead to file disclosure, SSRF, and denial of service. It is classified as CWE-611 and primarily affects Java applications whose XML parsers are left in their default configuration.
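The XXE entry says the flaw is in parsers that resolve external entities from user-supplied XML, so the mitigation is a parser configured not to. The Python below is an added example for this glossary, not CodeSlick's code; the order document, the size cap, and the `_Collector` handler are constructed for the demo. It parses untrusted XML with Python's standard `xml.sax` reader after refusing any `DOCTYPE` or `ENTITY` declaration (where external entities and entity-expansion bombs are defined) and with the reader's external general and parameter entity features switched off as a second layer.

```python
from __future__ import annotations

import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes
from xml.sax.xmlreader import InputSource


class XmlRejected(ValueError):
    """Raised when an untrusted document fails a pre-parse check."""


class _Collector(ContentHandler):
    """Toy content handler: records element names and text for the demo."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[str] = []
        self.text: list[str] = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000) -> tuple[list[str], str]:
    """Parse XML from an untrusted source with the XXE-relevant features off.

    1. A size cap, so an oversized document cannot be used for denial of service.
    2. Any DOCTYPE or ENTITY declaration is refused outright; external entities
       and recursive entity expansion both need one, and ordinary data
       documents do not.
    3. The SAX reader is told not to load external general or parameter
       entities, a second layer in case the DOCTYPE rule is ever relaxed.
    """
    if len(data) > max_bytes:
        raise XmlRejected("document too large")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise XmlRejected("DOCTYPE/ENTITY declarations are not allowed")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(io.BytesIO(data))
    parser.parse(source)
    return handler.elements, "".join(handler.text).strip()


def is_accepted(data: bytes) -> bool:
    """True if the document passes the pre-parse checks and parses cleanly."""
    try:
        parse_untrusted_xml(data)
        return True
    except (XmlRejected, xml.sax.SAXException):
        return False


if __name__ == "__main__":
    # Constructed sample documents: a benign order and one carrying a DOCTYPE
    # with an external entity declaration pointing at a placeholder path.
    benign = b"<order><id>42</id></order>"
    with_doctype = (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder">]>'
        b"<d>&x;</d>"
    )
    print(parse_untrusted_xml(benign))  # (['order', 'id'], '42')
    print(is_accepted(with_doctype))  # False
```

Rejecting the DOCTYPE is the check that does the work here; the SAX features only matter if a DOCTYPE is allowed through, and the size cap addresses the denial-of-service outcome the glossary entry lists separately from file disclosure and SSRF.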
How CodeSlick Covers These Concepts
CodeSlick directly addresses the majority of these security concepts in its analysis platform:
- SAST: 294 security checks across JavaScript, TypeScript, Python, Java, and Go, completing in under 3 seconds
- SCA: Dependency scanning for npm, pip, Maven, and Go modules with malicious package detection (66 packages + OSV.dev)
- SBOM: Generates SPDX 2.3 and CycloneDX 1.4 software bills of materials
- SARIF: Exports findings in SARIF format for upload to the GitHub Security tab
- CWE/CVSS: Every finding includes CWE classification and CVSS severity scoring
- OWASP: 95% coverage of the OWASP Top 10 2025, with every finding mapped to the relevant OWASP category
- DevSecOps: Three integration points for security in the SDLC—free web scanner, GitHub App for PR reviews, and CLI for pre-commit hooks
CodeSlick detects vulnerabilities across all the major attack categories listed above: XSS, CSRF, SSRF, XXE, IDOR, command injection, and more, with AI-powered fix suggestions for every finding.
See these security concepts in action with CodeSlick's free scanner at codeslick.dev/analyze.