Reference

DevSecOps Glossary

25 essential terms — clear definitions for CISOs, CTOs and security teams.

Fundamentals

1 term

DevSecOps

Integration of security across the full DevOps cycle, from design to production.

DevSecOps makes security a shared responsibility across development, operations and security teams. The goal is to detect and fix vulnerabilities as early as possible in the cycle (shift left) without slowing delivery.


Scanning & analysis

7 terms

DAST

Dynamic Application Security Testing

Dynamic analysis that tests a running application like an external attacker.

DAST sends crafted requests to a deployed application to detect injection flaws, broken authentication and misconfigurations. It complements SAST by testing the running system rather than its source.

IaC Scanning

Infrastructure as Code Scanning

Analysis of Terraform, CloudFormation, Kubernetes files to detect dangerous configurations.

IaC scanning applies SAST-style pattern analysis to infrastructure definitions: disabled encryption, open ports, over-permissive IAM policies, missing logging. Fixing the issue in code rather than in the running environment prevents configuration drift.

IAST

Interactive Application Security Testing

Hybrid analysis that instruments the running application to detect vulnerabilities with context.

IAST combines the strengths of SAST and DAST by instrumenting the application while tests run, so each finding carries the code path and the request that triggered it. It yields fewer false positives but requires a dedicated, instrumented runtime.

RASP

Runtime Application Self-Protection

In-app runtime protection that blocks attacks in real time in production.

RASP is embedded in the application itself and can detect or block exploits (RCE, SQLi, etc.) at runtime. Unlike a WAF, it has full application context: the executing code, the parameters and the call being made.

SAST

Static Application Security Testing

Static source code analysis to detect vulnerabilities without running the application.

SAST scans source code (or bytecode) for vulnerable patterns: injections, XSS, unsafe deserialization, weak cryptography. It is fast enough to run in CI but produces false positives that must be triaged.

SCA

Software Composition Analysis

Open-source dependency analysis to detect known vulnerabilities and license issues.

SCA compares your project's dependencies (npm, Maven, pip, etc.) against vulnerability databases such as CVE and GHSA. Essential when 80–90% of a modern application's code is open source.

Secret Detection

Detection of secrets (API keys, tokens, credentials) committed in code.

Committed secrets are the #1 cause of cloud compromises. Scanners check git at the pre-commit hook, in CI and across the repository history, matching known key formats or using ML models. Detection must be coupled with automatic rotation: removing a secret from history does not un-leak it, so any secret that was ever committed has to be treated as exposed.

Maturity & frameworks

4 terms

BSIMM

Building Security In Maturity Model

Descriptive study benchmarking real-world security practices of mature organizations.

BSIMM is not a prescriptive model: it is a benchmark of what ~130 organizations actually do. Useful for comparing yourself against peers, less useful for building a program from scratch.

DSOMM

DevSecOps Maturity Model

OWASP open-source framework to measure DevSecOps maturity by dimensions.

DSOMM structures maturity across 4 dimensions (Build & Deployment, Culture & Organization, Implementation, Test & Verification) and 4 levels. It is more operational than SAMM and better suited to DevOps teams.


MTTR

Mean Time To Remediate

Average time between detection of a vulnerability and its fix in production.

Central DevSecOps KPI. Typical targets: under 7 days for critical findings, under 30 days for high ones. MTTR drops when prioritization takes context into account and remediation is integrated into developers' existing workflows.


SAMM

Software Assurance Maturity Model

OWASP software security maturity framework organized in 5 business functions.

SAMM covers Governance, Design, Implementation, Verification and Operations, each with 3 maturity levels. It is more strategic than DSOMM and suited to CISOs building a complete AppSec program.


Governance & risk

6 terms

CVE

Common Vulnerabilities and Exposures

Standardized unique identifier assigned to each publicly disclosed vulnerability.

Format: CVE-YYYY-NNNNN. Maintained by MITRE. Each CVE is paired with a CVSS score and, optionally, an EPSS score. It is the foundation of vulnerability management: every tool and database refers to the same identifier.

CVSS

Common Vulnerability Scoring System

Standard system to score vulnerability severity from 0 to 10.

CVSS measures theoretical impact (confidentiality, integrity, availability) and ease of exploitation. Caveat: it does not reflect real-world exploitability — always combine it with EPSS and business context.

EPSS

Exploit Prediction Scoring System

Probability that a vulnerability will be actively exploited in the next 30 days.

Unlike CVSS, EPSS is data-driven: it is based on real-world signals (exploit kits, dark web mentions, observed scanning). It lets you focus on the ~5% of CVEs that actually matter. Maintained by FIRST.

NIS2

Network and Information Security Directive 2

EU directive strengthening cybersecurity obligations for critical and important entities.

NIS2 extends the scope to ~160,000 EU entities, mandates risk management, incident notification (initial notification within 24 hours, detailed report within 72 hours) and personal liability for executives. Transposed into French law in 2025.

SBOM

Software Bill of Materials

Detailed inventory of all software components in an application.

An SBOM lists dependencies, versions, licenses and origins. Required by US (EO 14028) and EU (Cyber Resilience Act) regulations. Standard formats: SPDX, CycloneDX.

Security Champions

Program of security-minded developers embedded in product teams.

Security champions are volunteer developers who spread security culture within their own team. Essential when the CISO-to-developer ratio is below 1/100. Requires ongoing training and recognition.

Tooling & platforms

5 terms

ASPM

Application Security Posture Management

Platform for consolidating and prioritizing application security risks across tools.

An ASPM unifies findings from SAST, DAST, SCA, secret detection and IaC scanning into a single repository, deduplicates them, prioritizes by business context and tracks remediation. It is the cockpit of modern AppSec.


CNAPP

Cloud-Native Application Protection Platform

Unified cloud-native security platform covering workloads, configs and identities.

A CNAPP combines CSPM, CWPP, CIEM and sometimes KSPM to protect cloud applications end to end. It is runtime- and infrastructure-centric, where ASPM is code-centric.

Container Security

Securing Docker images and Kubernetes workloads at every stage.

Covers image scanning (vulnerabilities in each layer), admission policies (OPA, Kyverno), runtime detection (Falco) and network controls (mTLS, service mesh). Requires an orchestrated multi-tool approach.

CSPM

Cloud Security Posture Management

Detection and remediation of misconfigurations in cloud environments.

CSPM continuously monitors AWS, Azure and GCP accounts to detect dangerous configurations (public buckets, over-permissive IAM, disabled encryption) and can remediate them automatically.

WAF

Web Application Firewall

Application firewall filtering HTTP requests to block web attacks.

A WAF applies rule sets (OWASP CRS, custom rules) to block SQLi, XSS and path traversal. Useful as a shield, but it does not replace secure code: attackers often get past it with evasion techniques.

Methodologies

2 terms

Shift Left

Move security controls as early as possible in the development cycle.

Shift left means putting security in the IDE, at commit, in the PR and in CI — rather than in pre-prod or prod. It drastically reduces the cost of a fix (100× between design and production).

Threat Modeling

Structured analysis of threats on a system to identify risks and countermeasures.

Methodologies: STRIDE (Microsoft), PASTA, LINDDUN. Ideally done in the design phase, together with developers. Modern tools (OWASP Threat Dragon, IriusRisk) can partially automate it.