Skip to main content

Glossary of terms


These terms are defined specifically as they apply to users of Contrast. You can hover over these terms in other topics to pull up the definition in context.

account takeover (ATO)

An account takeover is the result of an attack that steals login credentials or otherwise breaks authentication in web applications.


An agent is language-specific code that is installed in a web application to gather and analyze security data, and report findings to Contrast when necessary.


An application is a logical grouping of customer code analyzed by a Contrast agent.


An attack is made up of one or more attack events that occur within a discrete time frame.

attack event

An attack event is a violation of Protect rules or other suspicious application activity in instrumented applications. The event corresponds to a single attack vector, such as an HTTP request or SQL query. Multiple attack events make up an attack, usually in the same area of code and timeframe.

brute-force attack

A brute-force attack is the systematic submission of many passwords or passphrases with the intent of eventually guessing correctly.

chief information security officer (CISO)

The chief information security officer directs an organization's information security program to assure and demonstrate that sensitive assets are well-protected and staff can manage and prevent vulnerabilities.

command injection

Command injection attacks target the host operating system through a vulnerable application. They happen when a user passes unsafe data to a system shell through a form, cookie or HTTP header or some other part of the application.

common language runtime (CLR)

Common Language Runtime manages the execution of .NET Framework programs.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures is a list of publicly known cybersecurity vulnerabilities, used internationally to identify and track types of vulnerabilities.

container image

A container image is a static file with executable code that can create a container on a computing system.

continuous integration/continuous delivery (CI/CD)

Agile practice that encourages continuous iterations and automation in building, testing and deployment.

Contrast command line interface (Contrast CLI)

The Contrast CLI is a text-based user interface. It can be run in the development environment to get early software composition analysis (SCA) visibility of your open-source libraries before you build and deploy. Results from the CLI can be viewed in the text-based response and they are also represented as a dependency tree in Contrast.

Contrast Hub

The Contrast Hub is where on-premises customers can download the Contrast installer and license files and check for agent updates.

Contrast service

The Contrast service is a program written in Go that connects the Contrast web interface with the Node.js, Ruby and Python agents.

credential stuffing

Credential stuffing is a brute force attack that automatically injects pairs of breached usernames and passwords to access user accounts.

cross-site scripting (XSS)

Cross-site scripting is an attack that occurs when malicious scripts are injected into a web application through user inputs that generate output without validating or encoding it.

dependency confusion

Dependency confusion, also known as a "substitution attack," is when an attacker registers the same name for an organization's internal library on a public package index in order to send vulnerable or malicious code into the organization's private code repositories.

distroless image

Distroless images contain only your application and its runtime dependencies. They do not contain package managers, shells, or any other programs you would expect to find in a standard Linux distribution.

dynamic application security testing (DAST)

A security testing technology that is designed to detect conditions that point to a security vulnerability in an application in its running state.


In Contrast, applications are organized into one of three environments: development, test (QA) and production.

environment variable

Environment variables are values you can pass to software at runtime, usually key/value pairs that you define outside of an application. In Contrast, these are used to configure the agents that instrument your applications and make sure they work within your preferred frameworks as expected and report metadata you want to see in Contrast.

Exploit Prediction Scoring System (EPSS)

Calculation based on the likelihood of a vulnerability being exploited.

EPSS provides a probability range between 0 to 1 (0 and 100%). A higher score indicates a vulnerability likely will be exploited within 30 days.

The EPSS percentile is a percentage score assigned to a specific vulnerability that indicates how likely it is to be exploited compared to other vulnerabilities. For instance, a vulnerability with an EPSS percentile of 90% means it has a higher probability score than 90% of all other CVEs in the group.

false positive

A vulnerability that is falsely reported.

flow map

A flow map is a visualization of an instrumented application in Contrast that shows all back-end systems it uses and any other applications connected to it. This helps you assess risk by analyzing what else touches vulnerable applications.


Monitor applications with software agents that observe and report data at runtime. Contrast agents send security vulnerability data about your applications based on exercised routes.

interactive application security testing (IAST)

Security technology that analyzes data flows within a running application to detect and report possible security vulnerabilities.

IP allowlist

An IP allowlist is a rule that allows any HTTP request from IP addresses on that list.

IP denylist

An IP denylist is a rule that blocks any HTTP request from IP addresses on that list.


A library is any packaged code included in an application. Libraries can be public or private.

lightweight directory access protocol (LDAP)

LDAP is a lightweight client-server protocol for accessing and maintaining directory services. In Contrast, on-premises can use LDAP to manage users and logins.


Files that are stored with a project to declare which dependencies are required by a project.

National Institute of Standards and Technology (NIST)

NIST is a government agency that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in multiple fields including cybersecurity.

Not a problem

For library status. This library has vulnerabilities that are acknowledged and the risks are acceptable.

Open Web Application Security Project (OWASP)

Open Web Application Security Project® is a nonprofit foundation that works to improve the security of software through an open platform that supports shared security projects and member education. The OWASP Top Ten lists the most critical security defects in Web applications.

path traversal

Path traversal is an attack that attempts to access critical system files and directories stored outside the web root folder. It uses variables that reference files with “dot-dot-slash" (../) sequences or absolute file paths.


A policy is the set of rules for a given application or library that triggers security violations, status changes, or notifications when certain conditions are true. Policies assure more consistent security standards across applications or teams.

profiler chaining

Profiler chaining is a way to run the .NET Framework or .NET Core agent alongside other .NET profiler agents, such as performance or APM tools.


For library status. The vulnerable library has been remediated.


For library status. Status when a library with vulnerabilities is detected by Contrast.


A route, as reported in Contrast Assess, is a function signature of the method that handles requests to one or more URL patterns. The exact format can vary, depending on the language of the Contrast agent you are using. A route can have multiple URLs associated with it.


A rule is a security control used to identify a vulnerability or attack event. If the rule matches, the agent sends a vulnerability or attack event to Contrast for the affected application.

runtime application self-protection (RASP)

Contrast uses RASP methods to monitor attacks and actively defend applications in production.


Contrast provides library and application scores that reflect the current security situation for your applications or libraries.

security assertion markup language (SAML)

SAML is an XML-based standard used to create and exchange security information between online partners, such as single sign-on authentication.

security incident event management (SIEM)

SIEM systems collect and analyze security events and related data from other systems to support threat detection, compliance, and security incident management. Contrast integrates with several leading SIEM systems.

sensitive data masking

This feature redacts sensitive data in Contrast logs and other data transmissions from the Contrast agent, without affecting how that data is processed by the application.

single sign-on (SSO)

Single sign-on is an authentication or user identification service that gives users access to multiple systems with only one set of credentials.


In data flow analysis, the sink is where data ends. A sink is any external format or location to which data is written.

Software Composition Analysis (SCA)

Identify vulnerable libraries, fail a build based on CVE severity, and view a dependency tree to understand the dependencies between libraries and where vulnerabilities have been introduced.

software development life cycle (SDLC)

The series of steps by which ideas become software that is used by people.


In data flow analysis, the source is where data starts. A source is any input data or request that enters a system.

SQL injection (SQLi)

A SQL Injection attack inserts or "injects" a SQL query within user input data from the client to get it into the application. The intent is to read or modify database data or send commands to the database (for example).

stack trace

A stack trace lists the sequence of events that led to a failure. For Contrast, the stack trace shows the events that led to a security vulnerability.

static application security testing (SAST)

A method of finding potential vulnerabilities in applications without installing or running the application.

testing coverage

This is a testing technique that monitors the number of tests that have been executed.

unused functions

Also called shadow functions. This is a function on a cloud environment that has not been invoked for over 90 days.

web application firewall (WAF)

A WAF inspects and filters web traffic to defend applications from common attacks.


Integration method that sends real-time data from one application to another via HTTP every time a specified event occurs.