Cybersecurity Topics: Decoding the Terms
Dive into the glossary below to demystify prevalent software security terms. For a deeper understanding of a term, follow the link in its 'More details' column.
Software Security and Inventory Terms
Navigate the glossary below to understand prominent software security and inventory terms. For comprehensive information on each term, follow the link provided in the More details column.
Term | Full Name | Overview | More details |
---|---|---|---|
Advisory | Security Advisory | An official statement or communication from an organization, usually about a security vulnerability or issue, that provides information, guidance, or mitigations for a threat. | |
CVE | Common Vulnerabilities and Exposures | An identifier assigned to a unique vulnerability in software, which allows vulnerabilities to be tracked and addressed in a standardized manner. The CVE list is maintained by the MITRE Corporation and used globally as the standard for identifying vulnerabilities. | MITRE's CVE Overview |
CWE | Common Weakness Enumeration | A community-developed list of software security weaknesses. It serves as a common language for describing weaknesses at the architectural, design, or code level, and provides a standardized way to classify software vulnerabilities and their severity. | MITRE's CWE Introduction |
CycloneDX | CycloneDX | A lightweight software bill of materials (SBOM) standard format designed for use in application security contexts and supply chain component reviews. | CycloneDX Details |
CycloneDX VEX | CycloneDX Vulnerability Exploitability Exchange | An extension of CycloneDX for conveying the exploitability status of specific software vulnerabilities in a product. | CycloneDX VEX Details |
EPSS | Exploit Prediction Scoring System | A system designed to predict the likelihood that a vulnerability will be exploited in the wild within the next 12 months. It gives organizations a metric to prioritize vulnerabilities by their probability of exploitation rather than by severity alone. | FIRST's EPSS Overview |
OpenVEX | Open Vulnerability Exploitability Exchange | An open format for conveying the exploitability status of specific software vulnerabilities in a product (for example, whether the product is actually affected). | OpenVEX Details |
SCA | Software Composition Analysis | An automated process that identifies the open source components in software, commonly used to discover licensing and security issues. | SCA Details |
SBOM | Software Bill of Materials | A list detailing the components that make up a piece of software; essentially an "ingredients list" for software. | SBOM Details |
SLSA | Supply-chain Levels for Software Artifacts | A framework for describing the assurance level of software artifacts based on the robustness of their software supply chain. | SLSA Details |
SPDX | Software Package Data Exchange | A standard format for communicating software bill of materials information, including component license, copyright, and security details. | SPDX Overview |
VDR | Vulnerability Disclosure Report | A report detailing vulnerabilities in software, usually issued by security researchers or organizations after a discovery and subsequent coordination with the vendor on a fix. | VDR Overview |
VEX | Vulnerability Exploitability eXchange | A format for conveying the exploitability status of specific software vulnerabilities in a product, so consumers can tell which reported vulnerabilities actually affect them. | VEX Details |
Vulnerability | — | A weakness or flaw in software, hardware, or an online service that can be exploited to perform unauthorized actions within a computer system. | |