
Glossary of basic terms and concepts

This page lists some of the most important terms and concepts you'll need to understand to use the Spectra Assure platform efficiently and productively.

ASLR; Address Space Layout Randomization

Definition

A technique focused on memory protection and increasing security that defends operating systems (particularly Windows and Linux) against malicious attacks, especially buffer-overflow attacks. It works on the principle of randomization, which means that each time a program is run, ASLR puts libraries, stack, base, and heap in unpredictable positions across the address space of a process, making their location more difficult to guess.

The Spectra Assure platform checks for Windows and Linux executable files that do not implement ASLR or try to implement it ineffectively, which leaves the application vulnerable to attacks.

build automation; build machine; build system

Definition

A system that automates the process of obtaining source code, compiling it into binary code, executing automated tests (including SAST for finding code defects and vulnerabilities), and publishing the code into a shared repository. Build automation is considered the first step in the process of delivering a deployable software package. Build systems, along with subsequent steps in the software delivery process, can be compromised as part of a software supply chain attack and introduce changes without the knowledge of software publishers.

The Spectra Assure platform provides a final check of the software binary being released, so publishers can be sure the package is what they intended to release to customers.

category of risk; risk category; SAFE assessment

Definition

A high-level overview of key risks or safety concerns found in your software. Detected risks are grouped according to their shared characteristics, which helps identify, prioritize, and mitigate issues based on the category they belong to. This information is displayed in the SAFE Assessment section of the SAFE report.

There are six main risk categories in Spectra Assure, ordered by priority:

  1. Malware
  2. Tampering
  3. Vulnerabilities
  4. Secrets
  5. Hardening
  6. Licenses

Every policy is mapped to a risk category. When that policy is violated, an issue is reported to cause risk in that category. This relationship between policies, policy violations, and risks is illustrated in the SAFE Assessment Evaluations section of the SAFE report.

certificate; digital certificate

Definition

A set of encrypted sensitive information issued by a Certificate Authority (CA) that is used for making the digital signatures and that confirms the legitimacy of the organization that owns the software package.

CI/CD

Definition

A method combining continuous integration (CI) and continuous delivery (CD) to automate building, testing, and deployment of applications. As an essential part of modern software development, it decreases the possibility of human error and simplifies the process of development while increasing efficiency, reliability, software quality, and overall application security.

The Spectra Assure platform prevents CI/CD workflow compromises using innovative detection methods.

component

Definition

A software component is a manageable building block of complex software with its own well-defined interface and explicit dependencies that can be deployed separately as a standalone application. It also comes in the form of a reusable chunk of code (e.g., a library or a module) that can be incorporated into various pieces of software.

Software components are included in the SBOM and displayed in the Bill of Materials section of the SAFE report.

The Components section of the SAFE report contains all software components from the SBOM and any other artifacts extracted from the analyzed file that are not considered software components, but have triggered policy violations during analysis. If an artifact does not have any issues (policy violations) and is not considered a software component, it will not be displayed in the Components section, as it is irrelevant for issue investigation and mitigation. This may result in some discrepancies between component and file counts in different parts of the SAFE report.

CPE; Common Platform Enumeration

Definition

A naming standard for information technology systems, software, and packages maintained by NIST. It can be used as a standardized source of information for enforcing and verifying IT management policies across tools.

In Spectra Assure products, users can access the available CPE data by exporting the SBOM as a JSON file.

CVE; Common Vulnerabilities and Exposures

Definition

A list of publicly known security vulnerabilities, each of which is assigned a unique identifier to make the information exchange about specific issues more convenient, reliable, and simple. Enterprises typically use CVE and corresponding CVSS scores to identify vulnerabilities, as well as to plan and prioritize the order of resolving detected issues for enhanced protection of their organization.

When a software binary (or installation file) is unpacked into its components via Spectra Assure, the database is checked for CVEs (known vulnerabilities), which are then listed on the Vulnerabilities page in the SAFE report.

For more information on the term, see the ReversingLabs glossary.

CVSS; CVSS score; Common Vulnerability Scoring System

Definition

A numerical value ranging from 0 to 10 determining the severity of a security vulnerability found in the software and labeled by a CVE identifier. Translated to a qualitative value ranging from "low" to "critical", this number serves as a method of prioritizing the order of addressing detected vulnerabilities.

In the SAFE report, this information is displayed in the CVSS Score column on the Vulnerabilities page.

For more information on the term, see the ReversingLabs glossary.

CycloneDX

Definition

A data standard for software bill of materials (SBOM) designed for use in application security contexts and supply chain component analysis.

In Spectra Assure products, users can export the SBOM information in this data format as a JSON file, which can then be imported into databases using different data formats.

DAST; Dynamic Application Security Testing

Definition

A type of black-box test performed from outside an application that simulates direct attacks against it (typically against the exposed HTTP and HTML interfaces of web-enabled applications and services) in order to detect potential security vulnerabilities. It is best paired with other testing methods like SAST or SCA.

For more information on the term, see the ReversingLabs glossary.

DEP; Data Execution Prevention

Definition

A security feature that prevents damage from security attacks attempting to run malicious code from system memory locations reserved only for data structures and variables. If successful, such attacks can spread to other programs on the computer or damage files.

The Spectra Assure platform checks for Windows executable files that do not implement DEP or try to implement it ineffectively, which leaves the application vulnerable to attacks.
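To make the ASLR and DEP checks described in the two entries above concrete, here is an added example (not Spectra Assure's own code) that reads the header bits a Windows PE image uses to opt in to ASLR (DYNAMIC_BASE, plus HIGH_ENTROPY_VA on 64-bit images) and DEP (NX_COMPAT), and the ELF e_type that distinguishes a position-independent (PIE) Linux executable from a fixed-address one. It also covers one "implemented ineffectively" case the entry alludes to: DYNAMIC_BASE set on an image whose relocation table has been stripped, which the loader cannot move. The sample headers are constructed in memory rather than read from real binaries.

```python
"""Added example (not Spectra Assure's own code): read the header flags that
record whether a Windows PE or a Linux ELF executable opts in to ASLR and DEP.
The sample binaries are constructed in memory, so the script runs offline."""
import struct

# PE DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
# COFF Characteristics bit: relocation table removed, so the image cannot be moved
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

# ELF e_type values
ET_EXEC = 2  # fixed load address: ASLR cannot relocate the executable
ET_DYN = 3   # position-independent (PIE executables and shared objects)


def check_pe(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in state recorded in a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_of_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    if size_of_opt < 72:
        raise ValueError("optional header too small to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    pe32plus = magic == 0x20B
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    high_entropy = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return {
        "format": "PE32+" if pe32plus else "PE32",
        # DYNAMIC_BASE with the relocations stripped is the "implemented
        # ineffectively" case: the flag is set but the loader cannot move the image.
        "aslr": dynamic_base and not relocs_stripped,
        # 64-bit images only get the full address range randomised with HIGH_ENTROPY_VA.
        "aslr_high_entropy": pe32plus and dynamic_base and not relocs_stripped and high_entropy,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def check_elf(data: bytes) -> dict:
    """Return whether an ELF executable was built as PIE and can be relocated by ASLR."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {"format": "ELF64" if data[4] == 2 else "ELF32", "aslr": e_type == ET_DYN}


# Constructed sample headers (headers only, no sections) used to exercise the checks.
def build_sample_pe(dll_characteristics: int, relocs_stripped: bool = False,
                    pe32plus: bool = True) -> bytes:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    opt_size = 240 if pe32plus else 224
    # 0x0002 is IMAGE_FILE_EXECUTABLE_IMAGE
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample_elf(e_type: int, is64: bool = True) -> bytes:
    hdr = bytearray(64 if is64 else 52)
    hdr[:4] = b"\x7fELF"
    hdr[4] = 2 if is64 else 1  # EI_CLASS
    hdr[5] = 1                 # EI_DATA: little-endian
    struct.pack_into("<H", hdr, 16, e_type)
    return bytes(hdr)


if __name__ == "__main__":
    hardened = (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("hardened PE :", check_pe(build_sample_pe(hardened)))
    print("no flags PE :", check_pe(build_sample_pe(0)))
    print("stripped PE :", check_pe(build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                                    relocs_stripped=True)))
    print("PIE ELF     :", check_elf(build_sample_elf(ET_DYN)))
    print("non-PIE ELF :", check_elf(build_sample_elf(ET_EXEC)))
```

On a real file, pass the bytes read from disk to `check_pe` or `check_elf`; `readelf -h` shows the same ELF `Type` field, and PE tools such as pefile expose `DllCharacteristics` by name. A full hardening assessment looks at more than these bits (stack protection, RELRO, control-flow guards), but these flags are the ones that decide whether ASLR and DEP apply to the image at all.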

dependency

Definition

Reusable chunks of code, like libraries and packages, upon which other software components rely in order to work properly. They're primarily categorized based on either of the following:

  1. the way they interact with each other within a system, or
  2. the way they're connected to the software.

Based on the former, dependencies can be dynamic, static, or package dependencies, while based on the latter, they can be either direct or transitive.

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.

diff

Definition

A comparison of two package versions of the same software highlighting the changes between them.

In terms of the Spectra Assure platform, this comparison is focused on software quality issues, behaviors, file contents, and analysis tags.

The SAFE report is the only Spectra Assure analysis report format that can include the diff information.

direct dependency

Definition

Packages explicitly used in a project.

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.

dynamic dependency

Definition

Shared libraries that exist as separate files and are loaded by an executable file at runtime (when the software is actually executed). Changes to one component can potentially impact other components without requiring recompilation.

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.

effort; remediation effort

Definition

A set of actions aimed at remediating security incidents prioritized based on their severity and the amount of work needed to fix them.

In the SAFE report, this information is displayed as an effort Estimate for every detected issue on the Issues page accessed from the sidebar on the left-hand side.

hardening; application hardening

Definition

Application hardening refers to applying and implementing various vulnerability mitigation strategies during software development and environment configuration. Failing to do so can make your software susceptible to attacks. Application hardening gaps include missing vulnerability protections, insecure coding practices, outdated toolchains, inadequate prevention methods, missing fortified functions, and more.

The presence of such gaps is detected by a group of application hardening policy checks.

The SAFE report enumerates detected issues in the Application Hardening issue category with details on each issue and advice on how to resolve it.

known vulnerability

Definition

Also sometimes referred to as CVEs. A publicly disclosed weakness in software, which allows defenders to learn about it and protect their applications. To help automated systems access information about known vulnerabilities, the US government backs the National Vulnerability Database (NVD), which uses information standards such as CVE, CPE, and CVSS.

During analysis, Spectra Assure products perform vulnerability policy checks and use the information about a component name and version to look up and report known vulnerabilities by their CVE number.

The SAFE report represents detected issues as known vulnerabilities with details on every identified vulnerability. The Summary page immediately highlights any presence of such vulnerabilities in the analyzed software.

license

Definition

A document specifying rules for the (re)use and distribution of your code and software, as well as any restrictions that apply and that are put in place to protect against software misuse.

During analysis, Spectra Assure products perform license compliance checks to detect various types of potentially risky software licenses.

In the SAFE report, licensing information about every detected software component and dependency can be found on the Bill of Materials page.

malware

Definition

Any sort of malicious code or software purposely inserted into your system and aimed at harming your organization or stealing your sensitive information.

During analysis, Spectra Assure products perform malware policy checks and classify detected software components and dependencies.

The SAFE report enumerates detected issues in the Malware Detection issue category with details on each issue and advice on how to resolve it. The Summary page immediately highlights any presence of malware in the analyzed software.

package; software package

Definition

An archive file containing an assortment of individual files or resources and related metadata (such as name, vendor, and version number) that work together to provide users with a particular functionality. Software packages are often distributed in an executable format, such as EXE or MSI.

The Spectra Assure platform is used for scanning software packages to detect potential risks before their release.

package dependency

Definition

Dependencies integrated into a project to provide specific functionality that are managed through package management systems (i.e. package managers).

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.

package store

Definition

A special directory where the Spectra Assure CLI (rl-secure) keeps your projects, packages, and analysis results. It can be initialized anywhere on the system.

Read more about the package store concept and structure in the CLI documentation.

package URL; purl

Definition

A URL string containing the information on the package location and its source in a standardized format. Consult the official format specification for details.

In terms of Spectra Assure, purl refers to a special URL in the format pkg:type/project-name/package-name@package-version, serving as a unique identifier that registers your packages in the package store.
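As an added example (not Spectra Assure's own code) of the purl format quoted above, the following parser splits a package URL into its type, namespace, name, version, qualifiers and subpath following the public purl specification, rebuilds it with proper percent-encoding, and reads the three-part Spectra Assure form by treating the namespace as the project and the name as the package. The sample purls are constructed, and the `example` type in the last one is a placeholder rather than a registered purl type.

```python
"""Added example (not Spectra Assure's own code): parse and rebuild package URLs
following the public purl specification, and read the Spectra Assure three-part
form pkg:type/project-name/package-name@package-version."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(text: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath, percent-decoding each part."""
    text = text.strip()
    if not text.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = text[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:  # subpath is whatever follows the last '#'
        rest, sub = rest.rsplit("#", 1)
        parts = [unquote(s) for s in sub.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(parts) or None
    qualifiers = {}
    if "?" in rest:  # qualifiers are key=value pairs after the last '?'
        rest, qs = rest.rsplit("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            if key and value:
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:  # version follows the last '@' (an '@' inside a namespace must be encoded)
        rest, ver = rest.rsplit("@", 1)
        version = unquote(ver)
    segments = [s for s in rest.strip("/").split("/") if s]
    if len(segments) < 2:
        raise ValueError("purl needs at least a type and a name")
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(segments[0].lower(), unquote(segments[-1]), namespace, version, qualifiers, subpath)


def to_purl(p: Purl) -> str:
    """Inverse of parse_purl; every user-controlled segment is percent-encoded."""
    out = f"pkg:{p.type}/"
    if p.namespace:
        out += "/".join(quote(s, safe="") for s in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(s, safe="") for s in p.subpath.split("/"))
    return out


def project_and_package(p: Purl) -> tuple:
    """Read the Spectra Assure form: the namespace is the project, the name is the package."""
    if not p.namespace or "/" in p.namespace or not p.version:
        raise ValueError("expected pkg:type/project-name/package-name@package-version")
    return p.namespace, p.name, p.version


if __name__ == "__main__":
    # Constructed sample purls; 'example' is a placeholder type, not a registered one.
    for s in ("pkg:npm/%40angular/core@12.0.0",
              "pkg:maven/org.apache.commons/commons-text@1.10.0?type=jar#src/main",
              "pkg:example/my-project/my-package@2.3.1"):
        parsed = parse_purl(s)
        print(parsed, "->", to_purl(parsed))
```

The round trip through `to_purl` matters when purls are used as identifiers: two strings that decode to the same components should compare equal after normalisation, and characters such as `@` in an npm scope must be encoded so they are not mistaken for the version separator.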

policy

Definition

In the context of Spectra Assure, a policy is a set of built-in rules that prescribe how software should behave in order to be considered secure. Policies are used when analyzing software packages to identify and report a range of software quality and security concerns.

More specifically, policies are triggered on files. When Spectra Assure detects a file in a software package that violates a policy (breaks its built-in rules), that gets reported as an issue. Every detected issue causes a specific type of risk based on the policy category. In the SAFE report, this information can be found on the Issues page and in the SAFE Assessment Evaluations section of the Summary page.

Every policy automatically sets the priority for its violation (issue) and impacts the final build status (CI PASS or FAIL) of the analyzed software. These factors can be modified or overridden by users in the policy configuration to suppress issues or disable policies altogether so that they are not used during analysis.

Every policy also provides guidelines specifying the actions to take in case the policy violation is detected.

In Spectra Assure products and documentation, policies are differentiated by their unique IDs. The first two letters of the ID indicate the policy type:

  • SQ* - software quality policies
  • TH* - threat hunting policies

priority

Definition

The urgency that determines the order of resolving incidents and their classification. It relies on many factors, including severity, risk, importance, and so on. This level of deployment risk has values ranging from P0 (highest) to P4 (lowest).

In the SAFE report, the priority information is displayed for every detected issue on the Issues page.

project

Definition

A collection of software packages, usually of the same product and/or developed by the same team. In the context of Spectra Assure, a project is used to manage and organize software packages the user wants to analyze. Every package in a project can have multiple versions.

In the Spectra Assure CLI (rl-secure), a project refers to a subdirectory in the package store containing software packages. In the Spectra Assure Portal, users can create projects in the Projects tab and add software packages to them.

ReversingLabs SAFE report

Definition

Analysis report created by Spectra Assure products using the advanced, unique ReversingLabs technology to unpack software binaries, extract deep layers of metadata, and detect software supply chain compromise.

The SAFE (Software Assurance Foundational Evaluation) report contains the file classification information along with the complete SBOM (Software Bill of Materials), deployment risks categorized by severity and priority, information on digital signatures, file behavior descriptions, extracted URIs, and many more details on the analyzed file.

The SAFE report is sometimes referred to as the HTML report, because the Spectra Assure CLI generates this type of report with the rl-html parameter.

All analyzed files on the Spectra Assure Portal get the SAFE report - that is the default report displayed in the Portal interface.

ReversingLabs Spectra Assure Community

Definition

ReversingLabs Spectra Assure Community is a free-to-use, no-registration-required online service where software producers, consumers, and auditors can check the security status of widely distributed developer tools and software packages from popular communities (npm, PyPI, RubyGems, NuGet). The contents of these software package repositories are continually analyzed by ReversingLabs, and the latest findings made available on the Spectra Assure Community website. As such, Spectra Assure Community functions as the largest free risk assessment catalogue of open source software packages and dependencies. It monitors open source package repositories to identify malware, code tampering and indicators of software supply chain attacks, and provides comprehensive risk analysis in the form of a report.

The Spectra Assure Community report is similar to the SAFE report, although less detailed and more focused on the community aspects such as maintainer identity, package activity and popularity, and risk trends across package versions.

For every supported community, users can look up software packages directly by name or browse the list of the most popular packages to view their status and the risk analysis report.

The Spectra Assure Community website also offers the option to browse the list of the last 10 packages in each community that have been marked as malicious by ReversingLabs threat researchers. With this information, users can stay up-to-date on emerging threats within popular communities.

Spectra Assure Community helps developers and repository managers ensure their current and future dependencies are safe, increases the build quality and security, saves time, and improves traceability to help engineering teams deliver secure software.

reproducible build

Definition

A software compilation process that produces byte-for-byte identical output every time the same source code is built, regardless of where or when the build runs. This is a reliable method of detecting build environment tampering, as well as a way of proving that binaries have been compiled from trusted source code.

The Spectra Assure products generate separate reports for software package versions and for their reproducible build artifacts. The SAFE report for the latter contains the Reproducibility page with a diff between the main version artifact and the reproducible build artifact. The SAFE report also indicates if a reproducibility check has been performed in the Performed Checks section of the Summary page.

SaaS; Software as a Service

Definition

Application software deployed on infrastructure hosted, managed, and maintained by the cloud-service provider. It is accessible to customers through web interfaces or APIs. An example of this would be Spectra Assure, the solution which inspects software packages before their release, deployment, or adoption by an organization.

SARIF; Static Analysis Results Interchange Format

Definition

A standard format for displaying the output generated by static code analysis tools. Consult the format specification for details.

Spectra Assure users can export this information in the SARIF data format as a JSON file.

SAST; Static Application Security Testing

Definition

A process of reviewing the software's binaries and source code without executing them, focused on identifying sources of security vulnerabilities by examining application code from the inside out. It is done early in the software development life cycle (SDLC) to promptly detect deviations from best coding practices.

Static analysis used by Spectra Assure is not the same as SAST because it does not require access to source code or debugging symbols. Therefore, static analysis can be performed on binaries during the release and deployment phases of the SDLC.

For more information on the term, see the ReversingLabs glossary.

SBOM; Software Bill of Materials

Definition

A machine-readable inventory of all the building blocks that make up a software package and are involved in its life cycle. It enhances transparency and helps reduce supply chain risk by facilitating identification of potential changes, vulnerabilities, and other software quality issues. The SBOM displays software components and dependencies, their hierarchical relationships, and information about licenses, copyrights, and security references in a standard data format to simplify information sharing among various software publishers and buyers along a software supply chain.

The Spectra Assure platform unpacks software builds, release packages, and containers to create an SBOM and displays this information in the Bill of Materials page accessed from the sidebar on the left-hand side of the SAFE report. This information can be exported in several supported data formats and later imported into databases or other external tools.

For more information on the term, see the ReversingLabs glossary.

SCA; Software Composition Analysis

Definition

An automated process that provides insight into applications by identifying open source components used in them. All detected components are arranged into an accurate Software Bill of Materials (SBOM), which is then compared against various databases. This helps uncover open-source licensing problems and known vulnerabilities within those components ahead of time, ensuring all software components are compliant and secure.

For more information on the term, see the ReversingLabs glossary.

SDLC; Software Development Life Cycle

Definition

A structured process with clearly defined phases that track software development from beginning to end in order to produce software of the highest quality that meets the client requirements.

The Spectra Assure platform focuses on helping users improve their SDLC by providing actionable advice in the form of security scan reports.

For more information on the term, see the ReversingLabs glossary.

secrets

Definition

Various kinds of service access credentials, private keys and tokens, certificates and other similar artifacts which enable access to critical infrastructure and highly confidential business data (such as customer information).

During analysis, Spectra Assure products perform sensitive information policy checks to detect exposed secrets and verify their liveness status with the corresponding services.

The SAFE report enumerates detected issues in the Sensitive Information issue category with details on all detected secrets and advice on how to deal with them.
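An added example (not Spectra Assure's own detection logic) of what a sensitive information check looks for: a small scanner that flags private-key blocks, credential assignments and high-entropy strings in configuration or source text, and skips placeholders such as environment-variable references so they are not reported as leaks. The configuration text, the patterns and the entropy threshold are all constructed for the example; the liveness verification against the issuing service that the entry mentions is outside its scope.

```python
"""Added example (not Spectra Assure's own detection logic): flag likely
hard-coded secrets in configuration or source text using a few generic patterns
plus a Shannon-entropy check, and skip obvious placeholders. Sample text,
patterns and the threshold are constructed for the example."""
import math
import re
from collections import Counter

PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# keyword, then '=' or ':', then an optionally quoted value of at least 6 non-space characters
CREDENTIAL = re.compile(r"""(?i)(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']?([^"'\s]{6,})""")
# values that are clearly not a secret: ${VAR}, $VAR, <fill-me-in>, changeme, xxx, todo
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>|changeme|x{3,}|todo)$", re.I)
TOKEN_LIKE = re.compile(r"\b[A-Za-z0-9+/_\-=]{32,}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, padding and prose score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return (line_no, kind, evidence) triples for each suspected secret."""
    findings = []
    in_key = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_key:  # swallow the PEM body so the key is reported once, at its header
            in_key = "-----END" not in line
            continue
        if PRIVATE_KEY.search(line):
            findings.append((line_no, "private_key", line.strip()))
            in_key = True
            continue
        m = CREDENTIAL.search(line)
        if m:
            if PLACEHOLDER.match(m.group(2)):
                continue  # "${DB_PASSWORD}" or "<insert-token-here>" is a template, not a leak
            findings.append((line_no, "credential_assignment", m.group(1)))
            continue
        for tok in TOKEN_LIKE.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append((line_no, "high_entropy_string", tok[:8] + "..."))
                break
    return findings


# Constructed sample: nothing here is a real credential or key.
SAMPLE = """\
# constructed sample configuration
db_password = "${DB_PASSWORD}"
api_key = "c0nstructedSampleKey1234567890abcdef"
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
-----END RSA PRIVATE KEY-----
release_notes = "Fixed the login page redirect loop reported last week"
session_token = "<insert-token-here>"
upload_id = "abcdefghijklmnopqrstuvwxyz012345"
padding = "00000000000000000000000000000000"
"""

if __name__ == "__main__":
    for line_no, kind, evidence in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} ({evidence})")
```

Run against the sample, the scanner reports the `api_key` assignment, the private-key block and the 32-character high-entropy `upload_id` value, while the `${DB_PASSWORD}` reference, the `<insert-token-here>` template and the all-zero padding string are not reported. The entropy threshold is the usual tuning knob: lower it and prose starts to trigger, raise it and short random tokens slip through, which is why pattern matches and entropy are combined rather than used alone.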

For more information on the term, see the ReversingLabs glossary.

security vulnerability

Definition

Any weakness, misconfiguration, or flaw in software which may present a significant gap or opportunity for malicious actors to access your system and sensitive information, as well as cause harm to your organization.

In the SAFE report, this information is displayed on the Issues page accessed from the sidebar on the left-hand side. The Summary page of the report highlights the most critical security concerns in the SAFE Assessment section.

severity

Definition

A measure of risk potential that a software quality issue may convert into a security incident. It has three levels - low, medium, high - and is used to prioritize the order of resolving detected software quality and security issues. Assigned by ReversingLabs for all issues based on the issue type and risk category.

In the Spectra Assure CLI output, issue severity is indicated by the letters H-M-L for every detected issue.

In the Spectra Assure Portal, issue severity can be viewed by switching the SAFE Assessment column to Show issues on the File Stream page and on project and package pages.

signature; digital signature

Definition

An electronic stamp of authenticity proving that the information came from a reliable source and has not been modified in any way.

In the SAFE report, this information can be found in the Signatures page accessed from the sidebar on the left-hand side.

silent vulnerability

Definition

Known vulnerability that can't be found by inspecting the dependency list. Such vulnerabilities are introduced by statically linking package dependencies, which results in "hiding" vital information from the dependency list.

Using advanced static analysis on binary code, Spectra Assure provides a way to perform a detailed analysis of various types of software packages and verify their dependencies for presence of known malware and vulnerabilities.

software binary

Definition

Typically a platform-specific file containing data written as a sequence of bytes. It can be an executable, library, archive, database, image, audio, etc. Since software binaries are in a machine-readable format, they can only be opened with special programs that know how the data inside is organized.

software supply chain

Definition

The complex system encompassing all tools, components, processes, and people involved in different phases of the software development life cycle (SDLC).

Spectra Assure is a software supply chain security platform that can protect your development lifecycle from software supply chain threats.

SPDX; Software Package Data Exchange

Definition

A standard data format used to document and exchange software bill of materials (SBOM) information, such as software components and the licenses associated with them, as well as copyrights and security references. Consult the format specification for details.

Spectra Assure users can export the SBOM information in this data format as a JSON file, which can be imported into databases using different data formats.

static dependency

Definition

Libraries involving direct references between components whose code is locked into the executable file at compile time. Their code can still be reused, but each package needs to contain its own copy of it. If any changes are made to a component that directly references and relies on another component's code, the first component might require recompilation.

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.

tampering

Definition

The act of intentionally and illegitimately altering software, its data, or its intended behavior.

During analysis, Spectra Assure products perform digital signature, package integrity, and threat hunting policy checks to detect indicators of tampering and software supply chain compromise.

The SAFE report enumerates detected issues in the Tampering assessment category with details on detected tampering risk and advice on how to resolve it.

transitive dependency

Definition

Dependencies of a direct dependency used in your software.

In the SAFE report, this type of information is listed in the Dependencies section of the Bill of Materials page accessed from the sidebar on the left-hand side.
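As an added example (not Spectra Assure's own code) tying together the dependency, direct dependency and transitive dependency entries with the CycloneDX format described earlier on this page, the script below reads a CycloneDX JSON SBOM, lists the root component's direct dependencies from its `dependencies` graph, walks that graph to find the transitive ones (terminating even when the graph contains a cycle), and reports each reachable component's declared license. The SBOM document is constructed for the example; the field names used (`bomFormat`, `metadata.component`, `components`, `dependencies`, `ref`, `dependsOn`, `licenses`) are those of the CycloneDX JSON schema.

```python
"""Added example (not Spectra Assure's own code): derive direct and transitive
dependencies, and declared licenses, from a CycloneDX JSON SBOM's dependency
graph. The document below is constructed; the field names follow the CycloneDX
JSON schema."""
import json
from collections import deque

# Constructed sample: app -> a, b; a -> c; b -> c, d; d -> a (a cycle, on purpose)
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "type": "application",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/a@1.0.0", "type": "library", "name": "a", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/b@2.0.0", "type": "library", "name": "b", "version": "2.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:npm/c@3.1.0", "type": "library", "name": "c", "version": "3.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:npm/d@0.9.0", "type": "library", "name": "d", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/a@1.0.0", "pkg:npm/b@2.0.0"]},
        {"ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/c@3.1.0"]},
        {"ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@3.1.0", "pkg:npm/d@0.9.0"]},
        {"ref": "pkg:npm/c@3.1.0", "dependsOn": []},
        {"ref": "pkg:npm/d@0.9.0", "dependsOn": ["pkg:npm/a@1.0.0"]},
    ],
})


def load_graph(sbom_json: str):
    """Return (root ref, {ref: [dependsOn refs]}, {ref: component}) for a CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = doc["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    return root, graph, components


def direct_dependencies(sbom_json: str) -> list:
    """Packages the root component explicitly depends on."""
    root, graph, _ = load_graph(sbom_json)
    return sorted(graph.get(root, []))


def transitive_dependencies(sbom_json: str) -> list:
    """Packages reachable only through a direct dependency.
    Breadth-first with a visited set, so a cycle in the graph still terminates."""
    root, graph, _ = load_graph(sbom_json)
    direct = set(graph.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep != root and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen - direct)


def licenses_by_ref(sbom_json: str) -> dict:
    """Declared SPDX license ids for every component reachable from the root."""
    _, _, components = load_graph(sbom_json)
    reachable = direct_dependencies(sbom_json) + transitive_dependencies(sbom_json)
    return {ref: [lic.get("license", {}).get("id", "UNKNOWN")
                  for lic in components.get(ref, {}).get("licenses", [])]
            for ref in sorted(reachable)}


if __name__ == "__main__":
    print("direct    :", direct_dependencies(SAMPLE_SBOM))
    print("transitive:", transitive_dependencies(SAMPLE_SBOM))
    for ref, ids in licenses_by_ref(SAMPLE_SBOM).items():
        print(f"{ref}: {ids or ['no license declared']}")
```

The same walk is what makes a statically linked or vendored component visible as a risk only if it appears in the graph at all: a component missing from `dependencies` never becomes reachable here, which is the gap the silent vulnerability entry on this page describes.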

verified

Definition

A tag establishing the trustworthy nature and origins of a software component. It confirms that this component can be found in trusted code repositories, and that it has been checked for malicious intent.

In the SAFE report, this information is displayed in the Name and Version column for every detected component and dependency on the Bill of Materials page.