Security Glossary
A comprehensive reference guide to application security, vulnerability management, and DevSecOps terminology. This glossary helps developers, security engineers, and DevOps professionals understand key concepts used throughout Precogs documentation and the broader security industry.
Application Security Testing
SAST (Static Application Security Testing)
Static Application Security Testing (SAST) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. SAST tools scan your codebase to identify issues like SQL injection, cross-site scripting (XSS), buffer overflows, and insecure cryptographic practices.
How Precogs uses SAST: Precogs employs AI-enhanced SAST that goes beyond pattern matching. By understanding code semantics and data flow, Precogs significantly reduces false positives while catching vulnerabilities that traditional scanners miss.
Related terms: Code Scanning, Data Flow Analysis
SCA (Software Composition Analysis)
Software Composition Analysis (SCA) examines your project's third-party dependencies (npm packages, Python libraries, Maven artifacts, etc.) for known security vulnerabilities. SCA tools cross-reference dependency versions against vulnerability databases like the National Vulnerability Database (NVD).
Why SCA matters: Open-source components make up 70-90% of modern applications. A single vulnerable dependency can expose your entire application to attack. High-profile incidents like Log4Shell (CVE-2021-44228) demonstrate the critical importance of dependency scanning.
What Precogs scans:
- package.json / package-lock.json (npm)
- requirements.txt / Pipfile.lock (Python)
- pom.xml / build.gradle (Java)
- go.mod (Go)
- Gemfile.lock (Ruby)
- composer.lock (PHP)
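The cross-referencing step that SCA performs, shown as an added example (not Precogs code): a small Python checker parses an npm package-lock.json, compares each locked version against an advisory list using numeric version ordering, and reports dependencies whose version falls in an affected range. The lock file contents, the advisory list and its EXAMPLE-ADV-* identifiers are all constructed for the example.

```python
"""Minimal SCA check for npm lock files. Added example, not Precogs code: the
lock file, advisory list and advisory IDs are constructed placeholders."""
import json

# Constructed package-lock.json (lockfileVersion 2 layout, trimmed to essentials).
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "1.2.6"},
        "node_modules/express": {"version": "4.18.2"},
    },
})

# Constructed advisories: the affected range is [introduced, fixed). IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "lodash", "introduced": "0.0.0",
     "fixed": "4.17.21", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "minimist", "introduced": "0.0.0",
     "fixed": "1.2.6", "severity": "medium"},
]


def parse_version(version):
    """Split a dotted version into an int tuple so ranges compare numerically:
    "4.17.9" < "4.17.21", which plain string comparison gets wrong.
    Pre-release suffixes such as 1.0.0-beta are not handled here."""
    return tuple(int(part) for part in version.split("."))


def lock_dependencies(lock_text):
    """Return {name: version} from an npm lock file.
    lockfileVersion 2/3 keeps a 'packages' map keyed 'node_modules/<name>'
    (scoped and nested packages end the same way); lockfileVersion 1 keeps
    a top-level 'dependencies' map keyed by bare name."""
    data = json.loads(lock_text)
    deps = {}
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        deps[name] = meta["version"]
    for name, meta in data.get("dependencies", {}).items():
        deps.setdefault(name, meta["version"])
    return deps


def is_affected(version, advisory):
    """True when the installed version lies inside the advisory's affected range."""
    installed = parse_version(version)
    return parse_version(advisory["introduced"]) <= installed < parse_version(advisory["fixed"])


def find_vulnerable(lock_text, advisories):
    """Cross-reference every locked dependency against the advisory list."""
    deps = lock_dependencies(lock_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and is_affected(installed, adv):
            findings.append({
                "package": adv["package"], "installed": installed,
                "fixed": adv["fixed"], "advisory": adv["id"], "severity": adv["severity"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{f['severity'].upper()}: {f['package']}@{f['installed']} affected by "
              f"{f['advisory']}, fixed in {f['fixed']}")
```

The point worth noticing is the half-open range check: minimist 1.2.6 is exactly the fixed version and is not reported, while lodash 4.17.15 is. A real scanner must also handle semver pre-release tags and transitive copies of the same package at different versions, which this example leaves out.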
DAST (Dynamic Application Security Testing)
Dynamic Application Security Testing (DAST) tests a running application for vulnerabilities by simulating real-world attacks. Unlike SAST, DAST doesn't require access to source code—it interacts with the application through its external interfaces (HTTP endpoints, APIs).
DAST vs SAST:
| Aspect | SAST | DAST |
|---|---|---|
| Tests | Source code | Running application |
| Stage | Development | Testing/Staging |
| False positives | Higher | Lower |
| Coverage | All code paths | Reachable endpoints |
IAST (Interactive Application Security Testing)
Interactive Application Security Testing (IAST) combines SAST and DAST approaches by instrumenting the application at runtime. IAST agents monitor code execution paths while the application handles test traffic, providing accurate vulnerability detection with precise code location.
IaC Scanning (Infrastructure as Code Scanning)
Infrastructure as Code (IaC) scanning analyzes infrastructure configuration files—such as Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles—for security misconfigurations before deployment.
Common IaC issues Precogs detects:
- Publicly exposed S3 buckets
- Overly permissive IAM policies
- Unencrypted databases
- Missing network security groups
- Hardcoded credentials in configurations
Container Scanning
Container scanning examines Docker images and container configurations for vulnerabilities in:
- Base images: Outdated OS packages with known CVEs
- Application layers: Vulnerable libraries installed during build
- Configuration: Insecure Dockerfile practices (running as root, exposed secrets)
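The configuration layer of container scanning, as an added example rather than Precogs code: a Python checker parses a Dockerfile and flags the three practices named above, an unpinned or latest-tagged base image, secret-looking values baked in via ENV or ARG, and a final stage that never switches to a non-root USER. The sample Dockerfile and the placeholder token value are constructed.

```python
"""Dockerfile configuration checks. Added example, not Precogs code: the sample
Dockerfile and the placeholder token value are constructed."""
import re

# Constructed Dockerfile exhibiting all three issues.
SAMPLE_DOCKERFILE = """\
FROM node:latest
ENV API_TOKEN=EXAMPLE_PLACEHOLDER_TOKEN
COPY . /app
RUN npm install
EXPOSE 3000
CMD ["node", "server.js"]
"""

# Variable names that usually carry credentials; matching is case-insensitive.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines
    and skipping comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def base_image_tag(image):
    """Return the tag of an image reference, or None when no tag is present.
    Digest references (name@sha256:...) and registry ports (host:5000/name)
    must not be mistaken for tags."""
    if "@" in image or ":" not in image:
        return None
    candidate = image.rsplit(":", 1)[1]
    return None if "/" in candidate else candidate


def check_dockerfile(text):
    """Return a list of (finding_id, detail) tuples for the Dockerfile text."""
    findings = []
    last_user = None
    for instruction, arg in parse_instructions(text):
        if instruction == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            tag = base_image_tag(image)
            if "@sha256:" not in image and (tag is None or tag == "latest"):
                findings.append(("unpinned-base-image", f"FROM {image}"))
        elif instruction in ("ENV", "ARG"):
            key = arg.split("=")[0].split()[0]  # handles both KEY=value and KEY value
            if SECRET_NAME.search(key):
                findings.append(("secret-in-image", f"{instruction} {key}"))
        elif instruction == "USER":
            last_user = arg.strip()
    # The USER in effect at the end of the file is the one the container runs as.
    if last_user is None or last_user in ("root", "0"):
        findings.append(("runs-as-root", "no non-root USER instruction in effect at end of build"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{finding_id}: {detail}")
```

Pinning the base image to a digest (FROM node@sha256:...) rather than a tag is what makes the scan result reproducible: a tag can be re-pointed at a different image after the scan ran. The ENV/ARG check only looks at variable names; pairing it with the secret detection patterns described later on this page catches credentials stored under innocent names.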
Vulnerability Fundamentals
CVE (Common Vulnerabilities and Exposures)
CVE (Common Vulnerabilities and Exposures) is a standardized system for identifying and cataloging publicly known security vulnerabilities. Each CVE receives a unique identifier in the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell).
CVE lifecycle:
- Vulnerability discovered
- CVE ID assigned by a CNA (CVE Numbering Authority)
- Details published to CVE database
- Vendors release patches
- Security tools update their detection rules
Notable CVEs:
- CVE-2021-44228 (Log4Shell) — Critical RCE in Apache Log4j
- CVE-2014-0160 (Heartbleed) — OpenSSL memory disclosure (out-of-bounds read)
- CVE-2017-5638 (Struts) — Apache Struts RCE
CVSS (Common Vulnerability Scoring System)
CVSS (Common Vulnerability Scoring System) provides a standardized method for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0.
| Score | Severity | Example |
|---|---|---|
| 9.0-10.0 | Critical | Remote code execution, no auth required |
| 7.0-8.9 | High | Authentication bypass, data exfiltration |
| 4.0-6.9 | Medium | Information disclosure, requires auth |
| 0.1-3.9 | Low | Limited impact, specific conditions |
Precogs severity mapping:
- Critical: CVSS 9.0+, immediate remediation required
- High: CVSS 7.0-8.9, remediate within days
- Medium: CVSS 4.0-6.9, remediate within sprint
- Low: CVSS 0.1-3.9, backlog for future fix
CWE (Common Weakness Enumeration)
CWE (Common Weakness Enumeration) is a community-developed catalog of software and hardware weakness types. While CVE identifies specific vulnerabilities, CWE categorizes the underlying types of weaknesses.
Top CWE weaknesses (OWASP Top 10 aligned):
- CWE-79: Cross-Site Scripting (XSS)
- CWE-89: SQL Injection
- CWE-22: Path Traversal
- CWE-798: Hardcoded Credentials
- CWE-502: Deserialization of Untrusted Data
SBOM (Software Bill of Materials)
SBOM (Software Bill of Materials) is a machine-readable inventory of all components, libraries, and dependencies in your software. Think of it as a "nutrition label" for software that lists every ingredient.
SBOM formats:
- CycloneDX — OWASP standard, security-focused
- SPDX — Linux Foundation standard, license-focused
Why SBOMs matter:
- Compliance: Required by FDA, CISA, and government contracts
- Incident response: Quickly identify affected systems when new CVEs emerge
- Supply chain security: Verify component provenance
Zero-Day Vulnerability
A zero-day vulnerability (or 0-day) is a security flaw that is unknown to the vendor and has no available patch. The term "zero-day" refers to the fact that developers have had zero days to fix the issue since it became known to attackers.
Code Security Concepts
Code Scanning
Code scanning is the automated analysis of source code to identify security vulnerabilities, bugs, and code quality issues. This includes SAST, secret detection, and code quality checks.
Secret Detection
Secret detection scans code and configuration files for accidentally committed credentials, API keys, tokens, and other sensitive data.
Common secrets Precogs detects:
- AWS access keys and secret keys
- GitHub personal access tokens
- Database connection strings
- Private keys (RSA, SSH)
- OAuth client secrets
- API keys (Stripe, Twilio, SendGrid)
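How a secret detector recognises the credential types listed above, as an added example (not Precogs code): fixed-format patterns catch identifiers with a known prefix and length (AWS access key IDs, GitHub personal access tokens, PEM private-key headers, database connection strings with embedded passwords), and a Shannon-entropy check catches generic high-entropy literals assigned to secret-looking variable names, which is how API keys without a recognisable prefix are usually found. The sample lines are constructed; the AWS key ID is the one AWS uses in its own documentation examples, the GitHub token is a made-up string of the right shape, and the allowlist pragma is an assumed convention.

```python
"""Secret detection over source lines. Added example, not Precogs code: the
sample lines are constructed and the allowlist pragma is an assumed convention."""
import math
import re

# Fixed-format patterns for credential types with a recognisable shape.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "db-connection-string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@"),
}
# Generic fallback: a secret-looking variable assigned a long string literal.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(text):
    """Bits per character. Random keys score near log2(alphabet size);
    English words and placeholders score noticeably lower."""
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_lines(lines, entropy_threshold=4.0):
    """Return (line_number, finding_id) pairs. Fixed patterns take precedence;
    the entropy heuristic only runs on lines no fixed pattern matched."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if "# pragma: allowlist secret" in line:  # assumed opt-out marker for known test fixtures
            continue
        matched = [name for name, pattern in PATTERNS.items() if pattern.search(line)]
        findings.extend((lineno, name) for name in matched)
        if not matched:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((lineno, "high-entropy-secret"))
    return findings


# Constructed sample: four real-looking leaks, one placeholder, one harmless setting.
SAMPLE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'gh_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    'DATABASE_URL = "postgres://app:s3cretpass@db.internal:5432/app"',
    'api_key = "Xk9pL2mQ7vR4tY8wZ1nB5cF6hJ3dG0sA"',
    'password = "password_placeholder"',
    'timeout = 30',
]

if __name__ == "__main__":
    for lineno, finding_id in scan_lines(SAMPLE):
        print(f"line {lineno}: {finding_id}")
```

The entropy threshold is the tuning knob between false positives and false negatives: the 32-character key on line 4 scores 5.0 bits per character, while the placeholder on line 5 scores about 3.5 and is left alone. Running this as a pre-commit hook over the staged diff, rather than over the whole repository, is what makes it cheap enough to block a commit.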
Data Flow Analysis
Data flow analysis tracks how data moves through an application from input sources (user input, API requests) to sensitive sinks (database queries, file operations, system commands). This technique helps identify vulnerabilities like injection attacks by tracing untrusted data.
Taint Analysis
Taint analysis is a specific type of data flow analysis that marks ("taints") data from untrusted sources and tracks whether tainted data reaches sensitive operations without proper sanitization.
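The Data Flow Analysis and Taint Analysis entries above describe the same mechanism, shown here as one added example that is not Precogs code: a small intraprocedural, flow-sensitive taint analysis over Python source using the standard ast module. Values returned by a source are marked tainted, taint propagates through assignments and expressions, a sanitizer call clears it, and a tainted argument reaching a sink is reported with its line. The source, sanitizer and sink names and the analysed snippet are constructed for the example.

```python
"""Intraprocedural taint analysis over Python source. Added example, not Precogs
code: the source/sanitizer/sink names and the scanned snippet are constructed."""
import ast

SOURCES = {"request.args.get", "input"}                    # where untrusted data enters
SANITIZERS = {"int", "shlex.quote", "html.escape"}          # calls whose output is treated as clean
SINKS = {"cursor.execute", "os.system", "subprocess.run"}   # operations that must not see taint

# Constructed snippet to analyse (the first line of the string is blank, so
# "def handler" is line 2).
SAMPLE = '''
def handler(request):
    user = request.args.get("user")
    uid = int(request.args.get("id"))
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)                                        # user -> query -> sink
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # uid sanitised by int()
    os.system("ls " + shlex.quote(user))                         # user sanitised by quote()
'''


def dotted_name(node):
    """Render a Name/Attribute chain such as request.args.get as one string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def taint_of(expr, tainted):
    """Does the expression carry taint, given the set of tainted variable names?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        callee = dotted_name(expr.func)
        if callee in SOURCES:
            return True
        if callee in SANITIZERS:
            return False
        args = list(expr.args) + [kw.value for kw in expr.keywords]
        return any(taint_of(a, tainted) for a in args)
    # Operators, f-strings, tuples, subscripts: tainted if any operand is.
    return any(taint_of(child, tainted) for child in ast.iter_child_nodes(expr))


def ordered_statements(body):
    """Yield statements in source order, descending into compound statements
    but not into nested function or class definitions."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from ordered_statements(inner)


def analyze(source):
    """Return (function, line, sink) for every sink call fed by tainted data."""
    findings = []
    tree = ast.parse(source)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in ordered_statements(func.body):
            # Check sink calls in this statement against the taint state so far.
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(taint_of(a, tainted) for a in call.args):
                        finding = (func.name, call.lineno, dotted_name(call.func))
                        if finding not in findings:
                            findings.append(finding)
            # Then propagate: the target becomes tainted or clean per its value.
            if isinstance(stmt, ast.Assign):
                is_tainted = taint_of(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (tainted.add if is_tainted else tainted.discard)(target.id)
    return findings


if __name__ == "__main__":
    for func_name, lineno, sink in analyze(SAMPLE):
        print(f"{func_name}: tainted data reaches {sink} at line {lineno}")
```

Only the first cursor.execute call is reported: the string concatenation on line 5 carries the taint from user into query, whereas the second query passes uid through int() and the os.system call passes user through shlex.quote(). The branch-insensitivity (both arms of an if are visited in order) and the whitelist-style sanitizer set are the two simplifications a production engine replaces with path conditions and sanitizer semantics per sink type.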
False Positive
A false positive occurs when a security scanner incorrectly reports a vulnerability that doesn't actually exist. High false positive rates waste developer time and lead to "alert fatigue."
How Precogs reduces false positives:
- Context-aware AI understands code semantics
- Data flow analysis confirms exploitability
- Machine learning trained on real-world codebases
False Negative
A false negative occurs when a security scanner fails to detect a real vulnerability. False negatives are more dangerous than false positives because they provide a false sense of security.
DevSecOps & Workflow
DevSecOps
DevSecOps is the practice of integrating security into every phase of the software development lifecycle (SDLC), rather than treating it as an afterthought. DevSecOps emphasizes automation, collaboration, and "shifting security left."
Shift Left
Shift left refers to moving security testing earlier in the development lifecycle—from production/staging to development/build phases. By finding vulnerabilities sooner, teams reduce remediation costs and prevent security debt.
Shift left with Precogs:
- IDE integration: Scan as you code
- Pre-commit hooks: Block commits with secrets
- PR checks: Automated scanning on every pull request
- CI/CD gates: Fail pipelines on critical vulnerabilities
CI/CD (Continuous Integration / Continuous Deployment)
Continuous Integration (CI) automatically builds and tests code whenever changes are pushed. Continuous Deployment (CD) automatically deploys tested code to production.
Precogs CI/CD integration:
- GitHub Actions
- GitLab CI
- Jenkins
- CircleCI
- Azure DevOps
Security Gate
A security gate is a checkpoint in the CI/CD pipeline that blocks deployment if security criteria aren't met. Common gates include:
- No critical vulnerabilities
- No high-severity secrets
- SBOM generated and signed
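The gate criteria listed above together with the Precogs severity mapping from the CVSS entry, as one added example that is not Precogs code: a Python gate maps each finding's CVSS score to a severity band, blocks on critical vulnerabilities and on critical or high secrets, requires a generated and signed SBOM, and exits non-zero so the pipeline fails. The scan result, the policy fields and the time-limited waiver mechanism are constructed assumptions.

```python
"""CI security gate. Added example, not Precogs code: the scan result, policy
fields and waiver mechanism are constructed assumptions."""
import sys
from datetime import date


def severity_from_cvss(score):
    """Severity bands as given in the CVSS and Severity Levels tables on this page."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "info"


# Constructed policy encoding the three gate criteria.
POLICY = {
    "block_severities": {"critical"},
    "block_secret_severities": {"critical", "high"},
    "require_signed_sbom": True,
}

# Constructed scan result: finding IDs and titles are placeholders.
SCAN = {
    "findings": [
        {"id": "F-1", "kind": "dependency", "cvss": 9.8, "title": "RCE in example-lib"},
        {"id": "F-2", "kind": "secret", "cvss": 8.1, "title": "AWS access key in config"},
        {"id": "F-3", "kind": "code", "cvss": 9.1, "title": "Deserialization of untrusted data"},
        {"id": "F-4", "kind": "code", "cvss": 5.3, "title": "Reflected XSS"},
    ],
    "sbom": {"generated": True, "signed": False},
}

# Risk-accepted findings carry an expiry so a waiver cannot linger forever (constructed).
WAIVERS = {"F-3": date(2099, 1, 1)}


def evaluate_gate(scan, policy, waivers=None, today=None):
    """Return (passed, reasons). Every blocking reason is listed, not just the first."""
    waivers = waivers or {}
    today = today or date.today()
    reasons = []
    for finding in scan["findings"]:
        severity = severity_from_cvss(finding["cvss"])
        expiry = waivers.get(finding["id"])
        if expiry and expiry >= today:
            continue  # accepted risk, still within its review window
        if finding["kind"] == "secret" and severity in policy["block_secret_severities"]:
            reasons.append(f"{finding['id']}: {severity} secret, {finding['title']}")
        elif severity in policy["block_severities"]:
            reasons.append(f"{finding['id']}: {severity} vulnerability, {finding['title']}")
    sbom = scan.get("sbom", {})
    if policy["require_signed_sbom"] and not (sbom.get("generated") and sbom.get("signed")):
        reasons.append("SBOM missing or unsigned")
    return len(reasons) == 0, reasons


if __name__ == "__main__":
    passed, reasons = evaluate_gate(SCAN, POLICY, WAIVERS)
    for reason in reasons:
        print("BLOCKED:", reason)
    sys.exit(0 if passed else 1)
```

Against the constructed scan the gate fails for three reasons (the critical dependency, the high-severity secret and the unsigned SBOM) while the waived F-3 and the medium XSS pass; the same scan with the waiver expired fails for four. Reporting every reason at once matters in practice: a gate that stops at the first failure forces one pipeline run per finding.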
Severity Levels
Precogs categorizes findings by severity to help teams prioritize remediation:
| Severity | CVSS Range | Description | SLA Recommendation |
|---|---|---|---|
| Critical | 9.0-10.0 | Exploitable remotely, no authentication, high impact | Immediate (24-48 hours) |
| High | 7.0-8.9 | Significant risk, likely exploitable with minimal effort | 1-7 days |
| Medium | 4.0-6.9 | Moderate risk, requires specific conditions to exploit | Current sprint |
| Low | 0.1-3.9 | Minor risk, unlikely to be exploited in practice | Backlog |
| Info | N/A | Best practice suggestion, not a security vulnerability | Optional |
Platform Concepts
API Key
A unique string (pk_live_...) used to authenticate programmatic requests to the Precogs API from the CLI, SDK, or MCP server.
Bearer Token
The authentication scheme used by the Precogs API. You provide your API key in the Authorization: Bearer <key> header.
ID (Identifier)
Unique strings used to reference resources, such as {d525c438-2a74-...} for projects or scan_abc123 for scan jobs.
Related Resources
- AI Glossary — AI, LLM, and MCP terminology
- FAQ — Frequently asked questions