Glossary
Security, DevSecOps, and ThreatWeaver-specific terminology. Terms are alphabetically sorted.
ASM
Attack Surface Management -- The continuous discovery, analysis, and monitoring of an organization's external-facing digital assets to identify vulnerabilities and exposures.
BAS
Breach and Attack Simulation -- Automated tools that simulate real-world attack techniques to test the effectiveness of security controls without causing actual damage.
BFLA
Broken Function Level Authorization -- A vulnerability where an application fails to properly restrict access to sensitive functions or API endpoints based on the user's role or permissions (OWASP API #5).
BOLA
Broken Object Level Authorization -- A vulnerability where an application fails to verify that the user has permission to access a specific object or resource (OWASP API #1). Also known as IDOR in web application contexts.
CART
Continuous Automated Red Teaming -- An approach that automates the offensive security testing process, continuously probing systems for vulnerabilities and weaknesses.
CI/CD
Continuous Integration / Continuous Deployment -- Development practices where code changes are automatically built, tested, and deployed to production environments. ThreatWeaver integrates with CI/CD pipelines via the appsecCiScan API.
CSRF
Cross-Site Request Forgery -- An attack that forces authenticated users to execute unwanted actions on a web application by tricking them into submitting a malicious request.
CSPM
Cloud Security Posture Management -- Tools and practices for assessing and managing security configurations across cloud infrastructure providers (AWS, Azure, GCP).
CVE
Common Vulnerabilities and Exposures -- A standardized identifier for publicly known security vulnerabilities, maintained by MITRE Corporation. Format: CVE-YYYY-NNNNN.
CVSS
Common Vulnerability Scoring System -- A framework for rating the severity of security vulnerabilities on a 0-10 scale. ThreatWeaver uses CVSS v3.1 as one input to the WeaverScore algorithm.
DAST
Dynamic Application Security Testing -- A testing methodology that analyzes a running application from the outside (black-box) by sending crafted requests and analyzing responses. ThreatWeaver's AppSec Scanner is a DAST tool.
EASM
External Attack Surface Management -- A subset of ASM focused specifically on internet-facing assets, including subdomains, exposed services, and shadow IT.
EPSS
Exploit Prediction Scoring System -- A probabilistic model (0-1 scale) that estimates the likelihood a vulnerability will be exploited in the wild within the next 30 days. EPSS data is incorporated into WeaverScore.
IaC
Infrastructure as Code -- Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes. Examples: Terraform, CloudFormation, Pulumi.
IAST
Interactive Application Security Testing -- A hybrid approach combining SAST and DAST that uses agents deployed within the application runtime to monitor behavior during testing.
IDOR
Insecure Direct Object Reference -- A vulnerability where an application exposes internal implementation objects (database IDs, file paths) allowing attackers to access unauthorized resources by manipulating references.
JWT
JSON Web Token -- A compact, URL-safe token format used for transmitting claims between parties. ThreatWeaver uses ES256 JWTs for API authentication and service-to-service communication.
KEV
Known Exploited Vulnerabilities -- The CISA KEV catalog tracks vulnerabilities that are actively being exploited in the wild. These receive elevated priority in WeaverScore.
MFA
Multi-Factor Authentication -- An authentication method requiring two or more verification factors (something you know, have, or are) to gain access.
MITRE ATT&CK
MITRE Adversarial Tactics, Techniques, and Common Knowledge -- A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used for mapping attack patterns and threat intelligence.
OAuth
Open Authorization -- An authorization framework that enables third-party applications to obtain limited access to a service on behalf of a resource owner. ThreatWeaver's scanner tests for OAuth misconfigurations.
OWASP
Open Worldwide Application Security Project -- A nonprofit foundation that provides freely available resources for web application security, including the OWASP Top 10 and API Security Top 10.
PTaaS
Penetration Testing as a Service -- A cloud-delivered model for penetration testing that combines automated scanning with expert analysis. ThreatWeaver functions as a PTaaS platform.
RBAC
Role-Based Access Control -- An authorization model where access permissions are assigned to roles rather than individual users. ThreatWeaver implements RBAC with Admin, Manager, Analyst, and Viewer roles.
SAML
Security Assertion Markup Language -- An XML-based standard for exchanging authentication and authorization data between identity providers and service providers. ThreatWeaver supports SAML 2.0 SSO.
SARIF
Static Analysis Results Interchange Format -- A standard JSON-based format for outputting results from static analysis tools. ThreatWeaver can export findings in SARIF format for CI/CD integration.
SAST
Static Application Security Testing -- A testing methodology that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the application.
SBOM
Software Bill of Materials -- A formal record of all components, libraries, and dependencies used in a software application. Used for supply chain security and license compliance.
SCA
Software Composition Analysis -- Tools that identify open-source and third-party components in a codebase, check for known vulnerabilities, and verify license compliance.
SQLi
SQL Injection -- An attack technique where malicious SQL statements are inserted into application inputs to manipulate or extract data from the database. Detected by ThreatWeaver's sqli_* scanner agents.
SSO
Single Sign-On -- An authentication scheme that allows users to log in once and access multiple related applications without re-authenticating.
SSRF
Server-Side Request Forgery -- A vulnerability where an attacker can make the server-side application send requests to unintended locations, potentially accessing internal services or cloud metadata endpoints.
VFP
Vulnerability Fix Planner -- ThreatWeaver's remediation management module that groups vulnerabilities into work packages, assigns teams, tracks SLA compliance, and generates tickets for integration platforms.
WAF
Web Application Firewall -- A security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application to protect against common web exploits.
WeaverScore
WeaverScore -- ThreatWeaver's proprietary composite risk scoring algorithm. It combines CVSS base scores, EPSS exploit probability, CISA KEV status, asset criticality, business context, and temporal factors to produce a unified risk priority score (0-100).
XSS
Cross-Site Scripting -- A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Types include Reflected, Stored, and DOM-based XSS. Detected by ThreatWeaver's xss_* scanner agents.