Aikido

The 'no-nonsense' list of security acronyms

Joel Hans

What do all the security acronyms stand for?

You're probably here because you’re inundated (and fed up!) with the number of acronyms around security tools, platforms, and processes. Every software provider wants to differentiate themselves in a crowded space with new capabilities, leaving developers and security pros exhausted.

So here’s our no-nonsense list of security acronyms to help you figure out what’s what.

CVE: Common Vulnerabilities and Exposures

  • What does it mean to app developers?
    CVE is the public catalog of known vulnerabilities operated by the not-for-profit MITRE Corporation. Since launching in 1999, it’s become the standard for reporting cybersecurity issues, and provides the backbone for most AppSec platforms that scan your apps for issues.
    The CVE term can be a little confusing because many security folks and companies use “CVEs” to refer to the vulnerabilities themselves, not the public catalog. When a company’s website reads, “Our ASPM protects you from severe CVEs,” it means that its platform scans your code, dependencies, and cloud configurations for matches to one or more specific vulnerabilities acknowledged in the CVE catalog.
  • Do you need to care? 👍
    CVE as a system, and CVEs as individual vulnerabilities or exposures, play a critical role in security. The key is to make sure you have a platform that can inform you about them and give you a smooth path to remediation.

SAST: static application security testing

  • aka static analysis
  • What does it mean to app developers?
    SAST tools scan your source code for vulnerabilities. Think of it as a way to ensure security early in the development process, as well as throughout the software development lifecycle (SDLC, yep, another acronym), but only for the code. It’s not focused on the functionality of your app or how it’ll be deployed.
  • Do you need to care? 👍
    SAST tools are like a spell-checker for AppSec: a focused but essential part of your toolkit. Ideally, your SAST tool will operate as early in development as possible - in your IDE, as a pre-commit Git hook, or in your CI pipeline - because catching issues earlier reduces the effort and resources needed to mitigate them.

DAST: dynamic application security testing

  • What does it mean to app developers?
    Think of DAST as the “living” version of SAST. DAST tools test your application with simulated attacks as it runs in a production-like environment, so you can close security gaps before attackers find them. DAST tools don’t care what your app is for, just whether it’s vulnerable to known critical-level attacks.
  • Do you need to care? 👍
    Soft yes in the short term, hard yes in the long term. Traditionally, DAST was the realm of DevOps or SecOps engineers, but as more organizations shift AppSec responsibilities left to developers, higher-ups and operations folks will inevitably ask you to integrate and interact with these tools sooner rather than later.

IAST: interactive application security testing

  • aka: RASP (see below!)
  • What does it mean to app developers?
    IAST is like the lovechild of SAST and DAST, combining both approaches in your IDE and as part of your CI/CD pipeline. Unlike the other two approaches, IAST uses an agent embedded within your application that hooks into your existing functional tests to look for issues like hardcoded credentials and unsanitized user input.
  • Do you need to care? 🤷
    If you already use SAST and DAST tools in your development lifecycle, you might gain little from adding an IAST-specific alternative to your toolkit. However, if you’re new to AppSec testing and had to pick a single tool to cover all your bases, you might appreciate the unique combination of comprehensiveness and speed of results.

ASPM: application security posture management

  • What does it mean to app developers?
    ASPM platforms operate like security observability for your apps. You can ingest data from multiple sources, check for correlations, and prioritize issues across multiple apps with contextual insights and remediation help. They can also be very helpful for risk assessment and prioritization, especially in industries with stronger compliance standards.
  • Do you need to care? 👍
    From an operational or maintenance perspective, probably not, but ASPMs are becoming the norm for organizations of all sizes - the idea is to reduce the number of security point solutions and use one comprehensive AppSec platform that could encompass SAST, DAST, and other functionality. Therefore, in all likelihood, you’ll come across ASPMs at some point.

CSPM: cloud security posture management

  • What does it mean to app developers?
    CSPM is security observability for your cloud deployments. These tools help you identify or visualize risk to your cloud infrastructure and recommend how to best remediate misconfigurations, like access controls for service accounts, that could cause you headaches down the line.
  • CSPM platforms rely on Infrastructure as Code (IaC) practices, scanning your configuration files before deployment and delivering alerts before you move into production.
  • Do you need to care? 🤷
    Depends on the team you’re working with. If you’re an app developer also responsible for configuring production environments with a cloud provider, then CSPM might be on your horizon. If you’re mostly focused on business logic, while others handle the operational side, you might never interact with a CSPM.
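To make the “scan your configuration files before deployment” idea concrete, here is an added example written for this edit (it is not Aikido’s code, nor any cloud provider’s scanner). It checks constructed IAM-style policy documents for the kind of over-broad service-account access a CSPM flags, with the weak policy beside its corrected form, and wraps the check in a CI gate. The policy shape, statement IDs, bucket name and severity thresholds are all assumptions made up for the illustration.

```javascript
// Added example, not Aikido's code: a pre-deployment policy check of the kind
// a CSPM runs over Infrastructure-as-Code files. Both policy documents are
// constructed IAM-style JSON; the rules are illustrative, not a provider's own.

// The weak setting: a build service account granted every action on every resource.
const WEAK_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "BuildServiceAccount", Effect: "Allow", Action: "*", Resource: "*" },
  ],
};

// The corrected setting: only the two actions the build needs, on one bucket.
const FIXED_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "BuildServiceAccount",
      Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject"],
      Resource: "arn:aws:s3:::example-build-artifacts/*",
    },
  ],
};

// IAM allows either a string or an array in these fields; normalise to an array.
const asList = (value) => (Array.isArray(value) ? value : [value]);

// Returns one finding per risky Allow statement. Deny statements are skipped
// because a broad Deny narrows access rather than widening it.
function checkPolicy(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const actions = asList(st.Action);
    const resources = asList(st.Resource);
    const wildAction = actions.some((a) => a === "*" || a.endsWith(":*"));
    const wildResource = resources.includes("*");
    if (wildAction && wildResource) {
      findings.push({ sid: st.Sid, severity: "high", rule: "admin-equivalent: wildcard action on wildcard resource" });
    } else if (wildAction) {
      findings.push({ sid: st.Sid, severity: "medium", rule: "wildcard action on a scoped resource" });
    } else if (wildResource) {
      findings.push({ sid: st.Sid, severity: "medium", rule: "scoped action on every resource" });
    }
  }
  return findings;
}

// CI gate over a set of policy files: passes only when no high-severity finding
// exists, so the alert arrives before anything reaches production.
function gate(policiesByName) {
  const findings = [];
  for (const [name, policy] of Object.entries(policiesByName)) {
    for (const f of checkPolicy(policy)) findings.push({ policy: name, ...f });
  }
  return { pass: !findings.some((f) => f.severity === "high"), findings };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = gate({ "build-role.weak.json": WEAK_POLICY, "build-role.fixed.json": FIXED_POLICY });
  for (const f of result.findings) console.log(`${f.severity.toUpperCase()} ${f.policy} [${f.sid}]: ${f.rule}`);
  console.log(result.pass ? "deploy: allowed" : "deploy: blocked");
}
```

Run it with `node` and the weak policy produces a single high-severity finding that fails the gate, while the fixed policy produces none; a statement such as `Action: "s3:*"` on a scoped bucket lands in between as a medium finding, which is the kind of nuance a CSPM surfaces rather than a flat pass/fail.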

DSPM: data security posture management

  • aka: “data first” security
  • What does it mean to app developers?
    Similar to the other “posture management” categories, DSPM tools provide visibility into your organization’s data storage and usage. They locate sensitive information, calculate the risk involved in where and how you’ve stored it, and offer paths to improving your security posture.
  • DSPMs can even automate data classification, influencing how you handle and store information in your apps, particularly if it flows between multiple applications or microservices-based APIs within your infrastructure.
  • Do you need to care? 👎
    Generally, no. DSPMs are pretty deep in cybersecurity territory—ideal for dedicated security teams at a large or enterprise level, not smaller app development teams at startups or small to medium-sized businesses.

VM: vulnerability management

  • aka: vulnerability management system (VMS), threat and vulnerability management (TVM), vulnerability assessment, vulnerability scanning, technical vulnerability management
  • What does it mean to app developers?
    VM is a holistic approach to identifying and remediating vulnerabilities across your code, configurations, and cloud deployments, often by aggregating scanning data from additional AppSec tools represented by many of these same acronyms.
    These platforms help you implement a cycle of continuous improvement around security by ranking discovered vulnerabilities against the Common Vulnerability Scoring System (CVSS). This helps you prioritize those you should tackle immediately and those you can leave for the next sprint… or next quarter.
  • Do you need to care? 🤷
    This truly depends on what VM platform your organization is validating or already using.
    Traditional VM platforms are most often the territory of IT security/operations teams, compliance and risk management folks, DevOps engineers, and even penetration testers—people with a lot more security experience, and a lot more at stake, if code goes to production in an insecure state. That said, some AppSec platforms are designed to help developers manage their technical vulnerabilities with fewer false positives and instantly relevant remediations.

SCA: software composition analysis

  • aka: component analysis
  • What does it mean to app developers?
    Remember all those packages you added to your application with npm, go get, pip and so on? Each of those dependencies sprawls out into dozens more, and they all bring with them new risks for code and configuration vulnerabilities. The availability of open-source packages is a boon for productivity, but one that carries significant cost to security.
    SCA tools scan your open-source supply chain for vulnerabilities and possible open-source licensing issues, and some even offer immediate updates.
  • Do you need to care? 👍👍
    SCA tools allow you to safely build on top of all the wonderful open-source frameworks, projects, and libraries, giving you all that much-needed velocity without sacrificing security. A must-have for app developers looking for a baseline of AppSec guarantees.
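Here is an added example, written for this edit and not Aikido’s code, that ties the SCA and VM entries together: it walks a constructed npm-style lockfile (so transitive packages are included, which is the “each dependency sprawls out into dozens more” point), matches each package against a constructed advisory list, and then ranks the findings by CVSS score the way a VM platform would. Every package name, version and score is made up, and the advisory IDs are labelled placeholders, not real CVE numbers; the CVSS severity bands are the standard v3.x qualitative ratings.

```javascript
// Added example, not Aikido's code: a minimal SCA pass over a constructed
// npm-style lockfile, matched against a constructed advisory list and ranked by
// CVSS the way a VM platform would. Package names, versions, advisory IDs and
// scores are all made up; the IDs are placeholders, not real CVE numbers.

// Constructed lockfile in the nested shape of an npm package-lock:
// a dependency may carry its own "dependencies" subtree (transitive packages).
const LOCKFILE = {
  name: "example-app",
  dependencies: {
    "web-framework": {
      version: "4.2.0",
      dependencies: {
        "cookie-parser": { version: "1.0.3" },
        "template-lib": {
          version: "2.9.1",
          dependencies: { "html-escaper": { version: "0.4.0" } },
        },
      },
    },
    "http-client": { version: "0.21.1" },
  },
};

// Constructed advisories; "affected" uses the "<fixed-version" form that most
// "fixed in X" advisories reduce to.
const ADVISORIES = [
  { id: "CVE-0000-0001 (placeholder)", pkg: "html-escaper", affected: "<0.5.0", cvss: 9.8 },
  { id: "CVE-0000-0002 (placeholder)", pkg: "http-client", affected: "<1.0.0", cvss: 7.5 },
  { id: "CVE-0000-0003 (placeholder)", pkg: "cookie-parser", affected: "<1.0.0", cvss: 5.3 },
];

// Walk the tree and record every package with the chain that pulled it in, so
// the report shows which direct dependency to bump for a transitive finding.
function flattenDependencies(lock) {
  const installed = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const chain = [...trail, `${name}@${info.version}`];
      installed.push({ name, version: info.version, chain });
      walk(info.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return installed;
}

// Dotted numeric version compare: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version, range) {
  const m = /^<(\d+(?:\.\d+)*)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return compareVersions(version, m[1]) < 0;
}

// CVSS v3.x qualitative severity bands.
function severityBand(cvss) {
  if (cvss >= 9.0) return "critical";
  if (cvss >= 7.0) return "high";
  if (cvss >= 4.0) return "medium";
  if (cvss > 0) return "low";
  return "none";
}

function matchAdvisories(installed, advisories) {
  const findings = [];
  for (const dep of installed) {
    for (const adv of advisories) {
      if (adv.pkg === dep.name && isAffected(dep.version, adv.affected)) {
        findings.push({
          id: adv.id, pkg: dep.name, version: dep.version, cvss: adv.cvss,
          severity: severityBand(adv.cvss), fixedIn: adv.affected.slice(1),
          chain: dep.chain.join(" > "), direct: dep.chain.length === 1,
        });
      }
    }
  }
  return findings;
}

// Highest CVSS first; on a tie, direct dependencies come first because you can
// bump those yourself instead of waiting for an upstream maintainer.
function prioritize(findings) {
  return [...findings].sort((a, b) => (b.cvss - a.cvss) || (Number(b.direct) - Number(a.direct)));
}

function scanLockfile(lock, advisories) {
  return prioritize(matchAdvisories(flattenDependencies(lock), advisories));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanLockfile(LOCKFILE, ADVISORIES)) {
    console.log(`${f.severity.toUpperCase()} (CVSS ${f.cvss}) ${f.id}: ${f.pkg}@${f.version}, fixed in ${f.fixedIn}, via ${f.chain}`);
  }
}
```

Running it reports two findings: the critical one sits three levels deep under `web-framework`, which is exactly the case where the dependency chain matters (you cannot bump `html-escaper` directly, only the package that pulls it in), while `cookie-parser` at 1.0.3 is correctly left alone because it is already at or above the fixed version.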

RASP: runtime application self-protection

  • aka: in-app protection, in-app firewall, embedded app security, runtime security, IAST
  • What does it mean to app developers?
    RASP tools are embedded directly within an application to detect and block attacks without requiring external infrastructure, such as WAFs (see below). The real-time security insights and “hands off” approach are appealing to some, but because they operate within your app, you’ll need to analyze any performance degradation and weigh that impact against the peace of mind you get from protection against common attacks, like (No)SQL injection, path traversal, shell injection, and more.
  • Do you need to care? 👍
    If you’re lean on both development and security talent, RASP tools can be a fantastic shortcut to protect your app and user data from automated attacks. They’re certainly much easier to deploy and manage than their networked cousin, the WAF, which makes them a great choice for application developers who don’t want the cost and complexity of more infrastructure.
    You should also care because of our open-source Firewall project for Node.js applications. We don’t love the RASP term ourselves—you won’t see it anywhere on our GitHub repository—but Firewall works much the same way, detecting and blocking all critical vulnerabilities without you having to change a single line of code.

WAF: web application firewall

  • aka: WAAP (web application and API protection)
  • What does it mean to app developers?
    This on-premises or cloud-based deployment sits on the very edge of your infrastructure, as the first point of contact between a user (or attacker) and your app, “intercepting” traffic intended for your app through DNS. They somewhat quickly run hundreds of regex pattern matches against the first few hundred kilobytes of the incoming request, and block any containing potentially malicious code.
    The result is nearly identical to RASP tools, but WAFs are even less concerned with how your app works or what it’s supposed to do.
  • Do you need to care? 👎
    In our humble opinion, no. You should know what they are and their intended function, but as an app developer, there are plenty of other AppSec strategies you can implement, with far more ease, than wading into WAF territory. They are notorious for false positives and performance degradation, which will inevitably affect the experience for your legitimate end users.

We don’t love calling Aikido Firewall a WAF either, but it performs all the same functions with far more accuracy and efficiency.

What’s next?

Congratulations on completing your speed run through AppSec acronyms!

Whether you feel compelled to keep going with this painfully long list of acronyms to educate yourself on next, or want to hide away from all things security in the comfort blanket that is your dark-mode IDE, remember the goal isn’t to become a walking AppSec dictionary. No one will be impressed that you can elaborate for ten minutes about the differences between ASPM, CSPM, DSPM, and all the others—they will be impressed if you can quickly recommend the right AppSec tool for their exact situation.
