
Glossary of basic terms and concepts

This page lists some of the most important terms and concepts you'll need to understand to use the Spectra Assure platform efficiently and productively.

ASLR; Address Space Layout Randomization

Definition

A memory-protection technique that defends operating systems (particularly Windows and Linux) against malicious attacks, especially buffer-overflow attacks. It works on the principle of randomization: each time a program is run, ASLR places the libraries, stack, executable base, and heap at unpredictable positions in the address space of the process, making their locations harder to guess.

The Spectra Assure platform checks for Windows and Linux executable files that do not implement ASLR or try to implement it ineffectively, which leaves the application vulnerable to attacks.

build automation; build machine; build system

Definition

A system that automates the process of obtaining source code, compiling it into binary code, executing automated tests (including SAST for finding code defects and vulnerabilities), and publishing the code into a shared repository. Build automation is considered the first step in the process of delivering a deployable software package. Build systems, along with subsequent steps in the software delivery process, can be compromised as part of a software supply chain attack and introduce changes without the knowledge of software publishers.

The Spectra Assure platform provides a final check of the software binary being released, so publishers can be sure the package is what they intended to release to customers.

category of risk; risk category; ReversingLabs Assessment

Definition

A high-level overview of key risks or safety concerns found in your software. Detected risks are grouped according to their shared characteristics, which helps identify, prioritize, and mitigate issues based on the category they belong to.

Spectra Assure classifies risk into six main categories, ordered by priority:

  1. Malware
  2. Tampering
  3. Vulnerabilities
  4. Secrets
  5. Hardening
  6. Licenses

certificate; digital certificate

Definition

A set of encrypted sensitive information issued by a Certificate Authority (CA) that is used for making the digital signatures and that confirms the legitimacy of the organization that owns the software package.

In Spectra Assure reports, this type of information is listed in the Secrets page accessed from the sidebar on the left-hand side.

CI/CD

Definition

A method combining continuous integration (CI) and continuous delivery (CD) to automate building, testing, and deployment of applications. As an essential part of modern software development, it decreases the possibility of human error and simplifies the process of development while increasing efficiency, reliability, software quality, and overall application security.

The Spectra Assure platform works on preventing CI/CD workflow compromises using innovative detection methods.

component

Definition

A manageable building block of complex software with its own well-defined interface and explicit dependencies that can be deployed separately as a standalone application. It also comes in the form of a reusable chunk of code (e.g., a library or a module) that can be incorporated into various pieces of software.

CPE; Common Platform Enumeration

Definition

A naming standard for information technology systems, software, and packages maintained by NIST. It can be used as a standardized source of information for enforcing and verifying IT management policies across tools.

In Spectra Assure products, users can access the available CPE data by exporting the SBOM as a JSON file.

CVE; Common Vulnerabilities and Exposures

Definition

A list of publicly known security vulnerabilities, each of which is assigned a unique identifier to make the information exchange about specific issues more convenient, reliable, and simple. Enterprises typically use CVE and corresponding CVSS scores to identify vulnerabilities, as well as to plan and prioritize the order of resolving detected issues for enhanced protection of their organization.

When a software binary (or installation file) is unpacked into its components via Spectra Assure, the database is checked for CVEs (known vulnerabilities), which are then listed in the Bill of Materials page on the left-hand side of the report.

For more information on the term, see the ReversingLabs glossary.

CVSS; CVSS score; Common Vulnerability Scoring System

Definition

A numerical value ranging from 0 to 10 that rates the severity of a security vulnerability found in the software and labeled by a CVE identifier. Translated to a qualitative value ranging from "low" to "critical", this number serves as a method of prioritizing the order in which detected vulnerabilities are addressed.

In Spectra Assure reports, this information can be found in the Severity columns.

For more information on the term, see the ReversingLabs glossary.

CycloneDX

Definition

A data standard for software bill of materials (SBOM) designed for use in application security contexts and supply chain component analysis.

In Spectra Assure products, users can export the SBOM information in this data format as a JSON file, which can then be imported into databases using different data formats.

DAST; Dynamic Application Security Testing

Definition

A type of black-box test performed from outside an application that simulates direct attacks against it (typically against the exposed HTTP and HTML interfaces of web-enabled applications and services) in order to detect potential security vulnerabilities. It is best paired with other testing methods like SAST or SCA.

For more information on the term, see the ReversingLabs glossary.

DEP; Data Execution Prevention

Definition

A security feature that prevents damage from security attacks attempting to run malicious code from system memory locations reserved only for data structures and variables. If successful, such attacks can spread to other programs on the computer or damage files.

The Spectra Assure platform checks for Windows executable files that do not implement DEP or try to implement it ineffectively, which leaves the application vulnerable to attacks.
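The ASLR and DEP entries above both describe the same kind of check: reading the header flags through which a binary opts into these protections. The following is an added example, not Spectra Assure or rl-secure code, that performs that check on PE32/PE32+ images (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, HIGH_ENTROPY_VA and NX_COMPAT) and on little-endian ELF64 images (PIE, i.e. ET_DYN, and a PT_GNU_STACK segment without the PF_X bit). The `make_pe` and `make_elf64` helpers build constructed header-only samples so the script runs offline; they are not loadable programs.

```python
"""Header-flag audit for the ASLR and DEP hardening gaps described above.

Added example, not Spectra Assure code. It reads the few header fields that
record whether a binary opted into ASLR (PE: DYNAMIC_BASE; ELF: PIE/ET_DYN)
and DEP/NX (PE: NX_COMPAT; ELF: PT_GNU_STACK without PF_X).
Only little-endian PE32/PE32+ and ELF64 images are handled (assumption).
"""
import struct

# PE DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100

# ELF constants
ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def check_pe(data: bytes) -> dict:
    """Return ASLR/DEP opt-in status from a PE image's DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def check_elf64(data: bytes) -> dict:
    """Return ASLR/DEP status for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags = None  # a missing PT_GNU_STACK leaves the loader's arch default; treat as a gap
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "aslr": e_type == ET_DYN,  # only PIE executables get a randomized base
        "dep": stack_flags is not None and not (stack_flags & PF_X),
    }


def audit(data: bytes) -> dict:
    """Dispatch on the file magic and list which of the two protections is missing."""
    result = check_pe(data) if data[:2] == b"MZ" else check_elf64(data)
    result["gaps"] = [name for name in ("aslr", "dep") if not result[name]]
    return result


def make_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header: just enough for check_pe, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    return dos + b"PE\0\0" + coff + opt


def make_elf64(e_type: int, stack_flags) -> bytes:
    """Constructed minimal ELF64 header plus an optional PT_GNU_STACK entry, not loadable."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if stack_flags is None else struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    print("hardened PE :", audit(make_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)))
    print("weak ELF    :", audit(make_elf64(2, PF_X | 0x6)))  # ET_EXEC with executable stack
```

To run the audit on a real file, pass `open(path, "rb").read()` to `audit`; the `gaps` list names the protection(s) the binary has not opted into, which is the same condition the two glossary entries describe as leaving the application exposed.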

dependency

Definition

Reusable chunks of code, like libraries and packages, upon which other software components rely in order to work properly. They are primarily categorized based on either of the following:

  1. the way they interact with each other within a system, or
  2. the way they are connected to the software.

Based on the former, dependencies can be dynamic, static, or package dependencies, while based on the latter, they can be either direct or transitive.

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

diff

Definition

A comparison of two package versions of the same software highlighting the changes between them.

In terms of the Spectra Assure platform, this comparison is focused on software quality issues, behaviors, file contents, and analysis tags.

direct dependency

Definition

Packages explicitly used in a project.

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

dynamic dependency

Definition

Shared libraries that exist as separate files and are loaded by an executable file at runtime (when the software is actually executed). Changes to one component can potentially impact other components without requiring recompilation.

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

effort; remediation effort

Definition

A set of actions aimed at remediating security incidents prioritized based on their severity and the amount of work needed to fix them.

In Spectra Assure reports, this information is found in the Policy violations category of the Issues page accessed from the sidebar on the left-hand side.

hardening; application hardening

Definition

Application hardening refers to applying and implementing various vulnerability mitigation strategies during software development and environment configuration. Failing to do so can make your software susceptible to attacks. Application hardening gaps include missing vulnerability protections, insecure coding practices, outdated toolchains, inadequate prevention methods, missing fortified functions, and more.

The presence of such gaps is detected by a group of application hardening policy checks. Reports generated by Spectra Assure products represent this type of information as Application Hardening with details on each detected issue and advice on how to resolve it.

known vulnerability

Definition

Also sometimes referred to as CVEs. A publicly disclosed weakness in software, allowing defenders to learn about it and protect their applications. To help automated systems access information about known vulnerabilities, the US government backs the National Vulnerability Database (NVD), which uses information standards such as CVE, CPE, and CVSS.

This category applies to a group of vulnerability policy checks. Reports generated by Spectra Assure products represent this type of information as known vulnerabilities with details on every identified vulnerability. In the background, Spectra Assure uses the information about a component name and version to look up and report known vulnerabilities by their CVE number.

license

Definition

A document specifying rules for the (re)use and distribution of your code and software, as well as any restrictions that apply and that are put in place to protect against software misuse.

This category applies to a group of license compliance policy checks. The Spectra Assure products look for restricted licenses. This type of information is represented in generated reports as Dependencies with details on each detected restricted license and advice on how to handle it.

malware

Definition

Any sort of malicious code or software purposely inserted into your system and aimed at harming your organization or stealing your sensitive information.

This category applies to a group of malware policy checks. Reports generated by Spectra Assure products represent this type of information as malware detection with details on each detected malware threat and advice on how to resolve it.

package; software package

Definition

An archive file containing an assortment of individual files or resources and related metadata (such as name, vendor, and version number) that work together to provide users with a particular functionality. Software packages are often distributed in an executable format, such as EXE or MSI.

The Spectra Assure platform is used for scanning software packages to detect potential risks before their release.

package dependency

Definition

Dependencies integrated into a project to provide specific functionality that are managed through package management systems (i.e. package managers).

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

package store

Definition

In terms of Spectra Assure, this is a special directory where rl-secure keeps your projects, packages, and analysis results. It can be initialized anywhere on the system.

package URL; purl

Definition

A URL string containing the information on the package location and its source in a standardized format. Consult the official format specification for details.

In terms of Spectra Assure, purl refers to a special URL in the format pkg:type/project-name/package-name@package-version, serving as a unique identifier that registers your packages in the package store.
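The following is an added example, not rl-secure's own code, of parsing and rebuilding identifiers in the pkg:type/project-name/package-name@package-version form described above. It goes a little beyond that shape by following the public purl specification (scheme, type, optional namespace, name, optional version, qualifiers and subpath), treating the project name as the namespace slot; `matches_rl_secure_shape` is this example's own strict check for the form the page describes, not a documented rl-secure rule.

```python
"""Package URL (purl) parser and builder.

Added example, not rl-secure code. Follows the public purl spec:
pkg:type/namespace/name@version?qualifiers#subpath, where the
"project-name" from the glossary occupies the namespace slot (assumption).
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(text: str) -> Purl:
    """Split a purl string into its components, percent-decoding each part."""
    if not text.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = text[4:].lstrip("/")
    # Peel off subpath and qualifiers from the right first: they may contain '/' and '@'
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    # The version follows the last literal '@'; an '@' inside a name is encoded as %40
    head, sep, tail = rest.rpartition("@")
    version = None
    if sep:
        rest, version = head, unquote(tail)
    parts = rest.split("/")
    ptype = parts[0].lower()
    if not ptype or len(parts) < 2 or not parts[-1]:
        raise ValueError("purl needs at least a type and a name")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1] if p) or None
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if key and value:
            qualifiers[key.lower()] = unquote(value)
    return Purl(ptype, namespace, name, version, qualifiers, unquote(subpath) or None)


def format_purl(p: Purl) -> str:
    """Rebuild the canonical string; safe='' percent-encodes '@', ':' and '/' inside parts."""
    out = f"pkg:{p.type}/"
    if p.namespace:
        out += "/".join(quote(seg, safe="") for seg in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(seg, safe="") for seg in p.subpath.split("/"))
    return out


def matches_rl_secure_shape(p: Purl) -> bool:
    """Strict check for pkg:type/project-name/package-name@package-version (this example's reading)."""
    return bool(
        p.namespace and "/" not in p.namespace
        and p.name and p.version
        and not p.qualifiers and not p.subpath
    )


if __name__ == "__main__":
    # Constructed sample identifier in the shape the glossary describes
    sample = parse_purl("pkg:npm/my-project/my-app@1.2.3")
    print(sample, format_purl(sample), matches_rl_secure_shape(sample))
```

Parsing from the right (subpath, then qualifiers, then version) before splitting on `/` is what keeps scoped names such as `%40angular/core` intact; splitting on the first `@` instead would mis-handle any name or namespace containing an encoded `@`.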

policy

Definition

A set of guidelines specifying the actions to take in case of any violation of built-in validation rules.

The Spectra Assure platform allows for managing software quality policies on the fly to ensure compliance and achieve maturity in software releases.

priority

Definition

The urgency that determines the order in which incidents are resolved and how they are classified. It relies on many factors, including severity, risk, importance, and so on. This level of deployment risk has values ranging from P0 (highest) to P4 (lowest). In Spectra Assure reports, it can be found in the deployment risk part.

project

Definition

A collection of various versions of the same software package. In terms of rl-secure, this refers to a subdirectory in the package store containing software packages. On the Spectra Assure Portal, it can be found in the Projects tab.

reproducible build

Definition

A software compilation process that ensures the output built from the source code is byte-for-byte consistent, regardless of where or when the build is run. This is a reliable method of detecting build environment tampering, as well as a way of proving that binaries have been compiled from trusted source code.

The Spectra Assure products generate separate reports for software package versions and for their artifacts (reproducible builds). The latter contain the Reproducibility page with a diff between the version and the artifact, as well as the reproducible build check. This page is accessed from the sidebar on the left-hand side of the report.

SaaS; Software as a Service

Definition

Application software deployed on infrastructure hosted, managed, and maintained by the cloud-service provider. It is accessible to customers through web interfaces or APIs. An example of this would be Spectra Assure, the solution which inspects software packages before their release, deployment, or adoption by an organization.

SARIF; Static Analysis Results Interchange Format

Definition

A standard format for displaying the output generated by static code analysis tools. Consult the format specification for details.

Spectra Assure users can export this information in the SARIF data format as a JSON file.

SAST; Static Application Security Testing

Definition

A process of reviewing the software's binaries and source code without executing them, focused on identifying sources of security vulnerabilities by examining application code from the inside out. It is done quite early in the software development life cycle (SDLC) to promptly determine deviations from best coding practices.

Static analysis used by Spectra Assure is not the same as SAST because it does not require access to source code or debugging symbols. Therefore, static analysis can be performed on binaries during the release and deployment phases of the SDLC.

For more information on the term, see the ReversingLabs glossary.

SBOM; Software Bill of Materials

Definition

A machine-readable inventory of all the building blocks that make up a software package and are involved in its life cycle. It enhances transparency and helps reduce supply chain risk by facilitating identification of potential changes, vulnerabilities, and other software quality issues. The SBOM displays software components and dependencies, their hierarchical relationships, and information about licenses, copyrights, and security references in a standard data format to simplify information sharing among various software publishers and buyers along a software supply chain.

The Spectra Assure platform unpacks software builds, release packages, and containers to create an SBOM and displays this information in the Bill of materials page accessed from the sidebar on the left-hand side of the report. This information can be exported in several supported data formats and later imported into databases or other external tools.

For more information on the term, see the ReversingLabs glossary.

SCA; Software Composition Analysis

Definition

An automated process that provides insight into applications by identifying open source components used in them. All detected components are arranged into an accurate Software Bill of Materials (SBOM), which is then compared against various databases. This helps uncover open-source licensing problems and known vulnerabilities within those components ahead of time, ensuring all software components are compliant and secure.

For more information on the term, see the ReversingLabs glossary.

SDLC; Software Development Life Cycle

Definition

A structured process with clearly defined phases that track software development from beginning to end in order to produce software of the highest quality that meets the client requirements.

The Spectra Assure platform focuses on helping users improve their SDLC by providing actionable advice in the form of security scan reports.

For more information on the term, see the ReversingLabs glossary.

secrets

Definition

Various kinds of service access credentials, private keys and tokens, certificates and other similar artifacts which enable access to critical infrastructure and highly confidential business data (such as customer information).

This category applies to a group of sensitive information policy checks. Reports generated by Spectra Assure products represent this type of information as sensitive information with details on all detected secrets and advice on how to deal with them.

For more information on the term, see the ReversingLabs glossary.

security vulnerability

Definition

A weakness, misconfiguration, or flaw in software which may present a significant gap or opportunity for malicious actors to access your system and sensitive information, as well as cause harm to your organization.

In Spectra Assure reports, this information is displayed in the Issues page accessed from the sidebar on the left-hand side.

severity

Definition

A measure of the risk that a software quality issue may turn into a security incident. It has three levels - low, medium, high - and is used to prioritize the order in which detected software quality and security issues are resolved. It is assigned by ReversingLabs to all issues based on the issue type and risk category.

In Spectra Assure reports, this information is displayed in the Issues page accessed from the sidebar on the left-hand side.

signature; digital signature

Definition

An electronic stamp of authenticity proving that the information came from a reliable source and has not been modified in any way.

In Spectra Assure reports, this information can be found in the Signatures page accessed from the sidebar on the left-hand side.

silent vulnerability

Definition

A known vulnerability that can't be found by inspecting the dependency list. Such vulnerabilities are introduced by statically linking package dependencies, which results in "hiding" vital information from the dependency list.

Using advanced static analysis on binary code, Spectra Assure provides a way to perform a detailed analysis of various types of software packages and verify their dependencies for presence of known malware and vulnerabilities.

software binary

Definition

Typically a platform-specific file containing data written as a sequence of bytes. It can be an executable, library, archive, database, image, audio, etc. Since software binaries are in a machine-readable format, they can only be opened with special programs that know how the data inside is organized.

software supply chain

Definition

The complex system encompassing all tools, components, processes, and people involved in different phases of the software development life cycle (SDLC).

Spectra Assure is a software supply chain security platform that can protect your development lifecycle from software supply chain threats.

SPDX; Software Package Data Exchange

Definition

A standard data format used to document and exchange software bill of materials (SBOM) information, such as software components and the licenses associated with them, as well as copyrights and security references. Consult the format specification for details.

Spectra Assure users can export the SBOM information in this data format as a JSON file, which can be imported into databases using different data formats.

static dependency

Definition

Libraries involving direct references between components whose code is locked into the executable file at compile time. Their code can still be reused, but each package needs to contain its own copy of it. If any changes are made to a component that directly references and relies on another component's code, the first component might require recompilation.

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

tampering

Definition

The act of intentionally and illegitimately altering software, its data, or its intended behavior.

This category applies to a group of digital signing and threat hunting policy checks. Reports generated by Spectra Assure products represent this type of information as digital signatures with details on detected software tampering and advice on how to resolve it.

transitive dependency

Definition

Dependencies of a direct dependency used in your software.

In Spectra Assure reports, this type of information is listed in the Dependencies category of the Bill of Materials page accessed from the sidebar on the left-hand side.

verified

Definition

A tag establishing the trustworthy nature and origins of a software component. It confirms that this component can be found in trusted code repositories, and that it has been checked for malicious intent.

In Spectra Assure reports, this information is displayed in the Bill of materials page accessed from the sidebar on the left-hand side.