Appsec Knowledge Base

APPLICATION SECURITY KNOWLEDGE BASE

Application Security Information and Resources

The following is an extensive library of topical guides that are helpful and informative resources on a range of topics relating to application security.

Agile Security While software development teams have often seen a conflict between Agile methods and secure development, agile security is the only way to ensure the long-term viability of software projects.

Agile Testing While the Agile software development lifecycle, or Agile SDLC, has helped to increase the pace and quality of software development, Agile security can sometimes suffer when speed is prioritized over effective Agile testing.

Agile Testing Process Many development teams are struggling to find an agile testing process that effectively balances the need for speed and SDLC security.

Android Hacking Since its inception in September 2008, the Android Platform has been a favorite of hackers worldwide. The open source platform and the variety of hardware options make Android a hacker’s dream.

Android Security Learn about safeguarding Android apps and the proper steps to keep your Android mobile device secure.

Application Security Assessment For enterprises developing software, an application security assessment is essential to producing software that is free of flaws and vulnerabilities.

Application Security Best Practices First and foremost among application security best practices is the need to integrate testing into the software development process.

Application Security Tools The right application security tools can help development teams build safer software faster.

Application Testing Tool Application testing is an important part of securing your enterprise. By identifying vulnerabilities in software before it is deployed or purchased, web application testing tools help ward off threats and the negative impact they can have on competitiveness and profits.

Application Vulnerability Applications are the weak link in your data protection strategy. Don't allow attackers to gain access to confidential information through vulnerabilities in your applications.

ARP Spoofing ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.

Automated Code Testing For development teams tasked with delivering better software faster, automated code testing tools can help to effectively and painlessly inject security into the software development lifecycle (SDLC).

Binary Analysis Binary analysis is a new approach for application security testing and is revolutionizing software security. Binary code analysis scans compiled or "byte" code instead of source code, so enterprises can test comprehensively and more accurately.

Blackbox Test A blackbox test is a tool for finding security errors in applications in production.

Black Box Analysis Dynamic Analysis Security Testing (DAST), also known as black box analysis, is a critical tool for securing web applications.

Botnet A botnet is a network of compromised computers under the control of a malicious actor. Each individual device in a botnet is referred to as a bot. A bot is formed when a computer gets infected with malware that enables third-party control.

Buffer Overflow A buffer overflow occurs when there is more data in a buffer than it can handle, causing data to overflow into adjacent storage.

BYOD Security BYOD is short for “Bring Your Own Device,” a term that refers to the practice of allowing employees to bring their own mobile devices to work for use with company systems, software, networks, or information.

Cache Poisoning Cache poisoning is a type of attack in which corrupt data is inserted into the cache database of a Domain Name System (DNS) name server. The Domain Name System is a system that associates domain names with IP addresses.

Cloud-based Security A cloud-based security solution has many advantages over on-premises solutions, the primary one being updates that can keep up with the speed of devops processes.

Code Review Tools Code review is an examination of computer source code. A code review tool finds and fixes mistakes introduced into an application in the development phase, improving both the overall quality of software and the developers' skills.

Code Security Analysis Security is a major aspect of business competitiveness today. A major attack on the enterprise can reduce productivity, tie up resources, harm credibility and cut into profits.

Commercial Off the Shelf Software Commercial off the shelf software (COTS) refers to any software pre-built by a third-party vendor and purchased or licensed for use by an enterprise.

Computer Worm Computer worms are among the most common types of malware. They spread over computer networks by exploiting operating system vulnerabilities.

CRLF Injection CRLF refers to the special character elements "Carriage Return" and "Line Feed." Exploits occur when an attacker is able to inject a CRLF sequence into an HTTP stream.

Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) is a malicious attack that tricks the user’s web browser into performing undesired actions so that they appear as if an authorized user is performing those actions.

Cross-Site Scripting XSS vulnerabilities target scripts embedded in a page that are executed on the client side (in the user’s web browser) rather than on the server side.

Cybersecurity Many companies and countries understand that cyberthreat is one of the most serious economic security challenges they face and that their economic prosperity depends on cybersecurity.

DAST Test A dynamic analysis security testing tool, or a DAST test, is an application security solution that can help to find certain vulnerabilities in web applications while they are running in production.

Data Breach As the number of internet-connected devices skyrockets into the billions, a data breach prevention strategy is an increasingly important part of any organization’s ability to manage and protect critical and confidential information.

Data Leak Protection As organizations increasingly store and communicate confidential information using digital technology, data leak protection has come into focus as a critical security requirement.

Data Loss Prevention According to a Gartner CISO survey, data loss prevention (DLP) is a top priority for CISOs.

Data Loss Protection The key to an effective data loss protection strategy is to adopt a multi-layered approach that addresses the potential for data loss at every level.

Data Security The first step in protecting your enterprise's data privacy and security is to identify the types of information you want to protect and where that information is exposed in your organization.

DevOps Security The practice of DevOps is transforming the software development lifecycle (SDLC), bringing lessons learned from quality control in manufacturing to the design and production of applications.

DevOps Testing As DevOps transforms the software development process, development teams everywhere are searching for powerful DevOps testing tools that provide the speed and ease of use needed to ensure application security.

DevSecOps DevSecOps, or secure devops, is the mindset in software development that everyone is responsible for application security.

Directory Traversal Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files.

Dynamic Analysis Dynamic analysis is the testing and evaluation of a program by executing data in real time and is key to application security.

Ethical Hacking Computer hacking is a practice with many nuances. Intent, whether benign or malicious, is often in the eyes of the beholder. When examining the root cause of a website hack or application exploit, it pays to follow the money.

Facebook Security User's guide to Facebook application security. Get tips to protect your Facebook account from security flaws.

Failure to Restrict URL Access Failure to restrict URL access is one of the common vulnerabilities listed on the Open Web Application Security Project’s (OWASP) Top 10. The OWASP Top 10 details the most critical vulnerabilities in web applications.

Firewall Security The term firewall originated to describe a building wall that offers physical protection from damaging fire. Firewall security technology, first introduced to computer networks in the late 1980s, protects private networks by securing gateway servers to external networks like the internet.

Flash Security Flash has a long record of critical security updates aimed at patching Flash vulnerabilities and Flash malware, but these issues continue to surface as more Flash security issues are discovered.

iOS Security Veracode's complete guide to iOS security for users. Learn best practices and tips to protect your Apple iPhone and iPad from security breaches.

Information Technology Infrastructure Library (ITIL) The Information Technology Infrastructure Library (ITIL) is an amassed collection of information that contains guidelines about how to create best-practice infrastructure in the IT management of your organization.

Insecure Cryptographic Storage Insecure cryptographic storage is a common vulnerability that occurs when sensitive data is not stored securely from internal users.

Insufficient Transport Layer Protection Insufficient transport layer protection is a security weakness caused by applications not taking any measures to protect network traffic.

Internet Security Internet security is critical for online applications because the web and internet applications must be available 24 hours a day, seven days a week.

JavaScript Security JavaScript is a high-level, interpreted programming language that has been widely used since its release in 1995. Since its release, there have been several JavaScript security issues that have gained widespread attention.

Keylogger Keyloggers or keystroke loggers are software programs or hardware devices that track the activities (keys pressed) of a keyboard. Keyloggers are a form of spyware where computer users are unaware their actions are being tracked.

LDAP Injection LDAP injection is the technique of exploiting web applications that use client-supplied data in LDAP statements without first stripping potentially harmful characters from the request.

Linux Hacking Linux is an open source operating system. Linux is a Unix-like operating system, meaning that it supports multitasking and multi-user operation. Linux is widely used for supercomputers, mainframe computers and servers.

Malicious Code Analysis Malicious code analysis tools are designed to uncover any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.

Malicious Mobile Applications A guide to forms of mobile malware and BYOD-based protection against them. Learn about MMA history and trends.

Malware Malware is short for “malicious software”: hostile applications that are created with the express intent to damage or disable mobile devices, computers or network servers. Malware’s objectives can include disrupting computing or communication operations, stealing sensitive data, accessing private networks or hijacking systems to exploit their resources.

Man in the Middle Attack (MITM) A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other.

Mobile Code Security Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system.

Packet Analyzer Packet analyzers are used to monitor, intercept and decode data packets as they are transmitted across networks.

Password Hacking Any way you look at it, your secret passwords are under attack. Computer hackers love to successfully defeat cryptography systems. Cybercriminals enjoy getting access to your online accounts.

Penetration Testing Penetration testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone.

Rootkit A rootkit is a computer program designed to provide privileged access to a computer while actively hiding its presence. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine.

Ruby Security Just like securing applications built with other frameworks, securing Ruby apps requires a mix of utilizing best practices in coding along with correctly using helper methods to protect against certain types of attacks.

Runtime Application Self Protection Runtime application self-protection (RASP) is a security technology that is built into an application and can detect and then prevent real-time application attacks.

Secure Development With the vast number of threats that constantly pressure companies and governments, it is important to ensure that the software applications these organizations utilize are completely secure.

Secure DevOps While DevOps is disrupting software development in powerful and productive ways, implementing devops testing and understanding how to secure DevOps remains a mystery to many development teams.

Secure Web Application Development Secure web application development is acknowledged as a critical priority for every enterprise producing software.

Securing Web Applications Effectively securing web applications is critical to preventing data breaches.

Security Review Software The goal of a software security review is to identify and understand the vulnerabilities that can be exploited in the code your organization leverages. Your business may leverage software and code from a variety of sources, including internally developed code, outsourced development and purchased third-party software.

Software Audit There are many ways to “audit” a software application. Indeed, the most basic kinds of software audits examine how the software is functionally configured, integrated or utilized within an organization.

Software Code Security The key to achieving superior software code security is to find a solution that can review large amounts of code as needed, in order to meet development timelines.

Software Development Lifecycle (SDLC) A software development lifecycle (SDLC) is a series of steps, or stages, that provide a model for the development and lifecycle management of an application or piece of software.

Software of Unknown Pedigree Software of unknown pedigree is a term used where software/hardware/firmware governs a system that, if breached, could have explicit implications on consumer safety.

Software Security By testing for flaws in software, security testing solutions seek to remove vulnerabilities before software is purchased or deployed — and before the flaws can be exploited.

Software Testing Software testing to find flaws and vulnerabilities in code is a critical part of the software development lifecycle (SDLC).

Software Testing Process As the enterprise network has become more secure, attackers have turned their attention to the application layer, which, according to Gartner, now contains 90 percent of all vulnerabilities.

Software Testing Tools As the enterprise network has become more secure, attackers have turned their attention to the application layer, which, according to Gartner, now contains 90 percent of all vulnerabilities. To protect the enterprise, security administrators must perform detailed software testing and code analysis when developing or buying software.

Source Code Analysis For enterprises seeking a source code analysis solution that can actually deliver 100 percent coverage even when source code is not available, Veracode has the answer.

Source Code Security Analyzer Source code security analyzers perform both dynamic (automated penetration test) and static (automated code review) code analysis and find security vulnerabilities that include malicious code as well as the absence of functionality that may lead to security breaches.

Spoofing Attack A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls.

Spyware Although it sounds like something James Bond would employ, spyware is all too real. Spyware is any software that installs itself on your computer and starts covertly monitoring your online behavior without your knowledge or permission.

SQL Injection SQL injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that is executed by a web application, exposing the back-end database.

Static Analysis Static analysis is the analysis of computer software that is performed without actually executing, or running, that software. Static analysis tools look at applications in a non-runtime environment. This method of testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone.

Static Code Analysis Static code analysis, also commonly called "white-box" testing, looks at applications in a non-runtime environment. This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone.

Static Testing With static testing (also known as white box testing), an application’s source code or compiled binary is evaluated for security vulnerabilities and coding flaws.

Third-Party Software Security Third-party software, also known as supply chain, vendor-supplied or outsourced software, is any program or application that is not written exclusively by employees belonging to the company for which that software was created.

Vulnerability Assessment Veracode's vulnerability assessment tools help users eradicate vulnerabilities.

Vulnerability Assessment and Penetration Testing Vulnerability Assessment and Penetration Testing (VAPT) are two types of vulnerability testing. The tests have different strengths and are often combined to achieve a more complete vulnerability analysis.

Vulnerability Scanner Vulnerability scanning offers a way to find application backdoors, malicious code and other threats that may exist in purchased software or applications developed internally.

Vulnerability Management Vulnerability management can be defined as “the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.” Organizations use vulnerability management to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks.

Web App Monitoring Web app monitoring lets you find, secure and monitor all your web apps – even the ones you may have lost track of.

Web App Penetration Testing Web app penetration testing is a key security requirement for a variety of regulatory frameworks, from PCI DSS and GLBA to HIPAA and FISMA.

Web Application A web application is any application that is accessed via a web browser. The browser is the client that runs the web application and allows the user to enter information.

Web Application Audit For app developers, a web application audit is the best way to ensure your app is secure before you release it and to prevent hacks, damage to reputation and significant losses to your bottom line.

Web Application Monitoring Web app monitoring is the process of identifying, securing, and continuously monitoring all web applications.

Web Application Penetration Testing When searching for vulnerabilities in websites and web apps, manual web application penetration testing is essential.

Web Application Scanning Web application scanning can help IT teams to monitor the web perimeter and limit risk exposure more effectively.

Web Application Security Web application testing is critical to enterprise security. Because web applications must be available 24/7 and offer data access to customers, employees, suppliers, and others, they are frequently the weak link in enterprise security.

Web Application Security Testing Web application security testing is critical to protecting both your apps and your organization.

Web Application Testing Web application testing is a critical tool in the defense against security threats to your software applications.

Web Security Website security protects your data and your users.

Wireless Sniffer A wireless sniffer is a type of packet analyzer. A packet analyzer (also known as a packet sniffer) is a piece of software or hardware designed to intercept data as it is transmitted over a network and decode the data into a format that is readable for humans.

White Box Test A white box test is a software testing method in which the internal architecture of the software being tested is known to the tester.
