
Application Security Glossary

.NET Scanner

.NET is one of the world's most widely used application development platforms (C#, F# and VB.NET all target it). Secure coding in .NET ideally requires a capable .NET code review tool that can identify today's commonly exploited vulnerability classes, such as Cross-Site Scripting (XSS), SQL injection and insecure server configuration. Many commercial as well as open source tools are available, each with its own strengths and weaknesses.


Agile Security

Ideal application development involves fast builds and effective testing cycles, which agile development methods facilitate. The pitfall of this approach is that cycles (sprints) are short, often 2-4 weeks, which leaves developers very little time to commit to security assurance. Other methodologies place a stronger focus on security assurance, but they are slow. This is where agile security comes in: it builds security testing into the sprint itself (for example, automated code scanning in the build pipeline and security acceptance criteria in the definition of done), so that agile development is supported without compromising release cycles.



Application Programming Interface (API)

An Application Programming Interface (API) is a set of functions and procedures that exposes the data and application services of a solution (e.g. a business application) to other software.

APIs are commonly used to automate a series of tasks or operational activities.

API Security

APIs expose application logic and sensitive data such as Personally Identifiable Information (PII), and because of this they have increasingly become a target for attackers. At the same time, rapid innovation depends on APIs, so they have to be secured rather than avoided.

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).

Application Lifecycle Management (ALM)

Application Lifecycle Management (ALM) systems are systems in which the entire lifecycle of a product or project is managed, including the requirements, definitions, backlog, and bug and issue tracking of the product under development. The most common systems are Jira (by Atlassian), TFS (by Microsoft) and Rally (by CA).

Application Security

Application security describes the measures used to detect and remediate potential vulnerabilities in an application throughout its Software Development Life Cycle (SDLC) and after release. By carefully examining an application prior to release, it is possible to identify weaknesses in the software that could be exploited by hackers and other external threats, and to mitigate them before the software ships.

Application Vulnerability

Malicious attackers have increasingly turned their focus to application layer vulnerabilities; approximately 90% of all security vulnerabilities found in software code are located in the application layer. Applications that are not properly tested risk containing vulnerabilities that attackers can exploit to gain privileged access and harvest information. Such vulnerabilities are dangerous to companies because they can give attackers access to company accounts, sensitive financial data, customer and client contact information, social security numbers, credit card numbers and other information that can be used for personal or financial gain. Some of the most common vulnerabilities today include:

  • SQL Injection
  • Insecure Cryptographic Storage
  • LDAP Injection
  • Cross-Site Scripting
  • Cross-Site Request Forgery
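As an added illustration of two items in this list, SQL Injection and Cross-Site Scripting (this is example code written for this entry, not Checkmarx's or any product's code), the Python snippet below places a vulnerable function next to its hardened form. The user table and the attack payloads are constructed sample data; the database is an in-memory SQLite instance.

```python
import html
import sqlite3

# Constructed sample users for the demonstration (not real credentials).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # VULNERABLE: untrusted input is concatenated into the SQL text, so a
    # payload such as  ' OR '1'='1  changes the structure of the query.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # HARDENED: a parameterised query. The driver sends the values separately
    # from the SQL text, so input can only ever be compared as data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    # VULNERABLE to reflected XSS: untrusted input is written into HTML unencoded.
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    # HARDENED: HTML-encode the value before placing it in an HTML text context.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(conn, "nobody", bypass))
    print("safe login with same payload: ", login_safe(conn, "nobody", bypass))
    print("vulnerable login, comment trick:", login_vulnerable(conn, "alice'--", "wrong"))
    print("safe login, comment trick:      ", login_safe(conn, "alice'--", "wrong"))
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

The first payload turns the WHERE clause into `... AND password = '' OR '1'='1'`, which matches every row, so the vulnerable login "succeeds" as the first user in the table; the comment payload `alice'--` drops the password check entirely. The parameterised version returns no row for either payload while still authenticating a correct username and password. Note that `html.escape` is only correct for HTML text and attribute contexts; values written into JavaScript, URLs or CSS need the encoding for that context.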


Bamboo Static Code Analysis

Bamboo is a continuous integration server from Atlassian. Its purpose is to give developers an environment that quickly compiles code for testing, so that releases can be delivered to production quickly while keeping full traceability from the feature request all the way to its deployment. Bamboo has no native static code analysis functionality, so developers need to integrate a third-party static analysis tool into their Bamboo builds in order to have static code analysis run correctly and seamlessly as part of each build.


Botnet Detection and Prevention

Botnet, a fusion of the words "robot" and "network", is a group of computers that have been compromised by a malicious attacker and are under their control. Botnets are primarily used to execute Distributed Denial of Service (DDoS) attacks, in which the targeted servers are crippled by flooding them with traffic until the applications and services they host become unavailable to their users. Once a computer becomes part of a botnet, attackers can remotely execute commands on it; such a machine is called a "zombie computer". The actual owner is usually unaware of the malicious activity taking place on their machine. To create a truly effective botnet, the attacker must infect hundreds or even thousands of computers.
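On the detection side, as an added example that is not part of the original glossary entry: a compromised host has to receive its commands, so it typically contacts its command-and-control server at a regular interval ("beaconing"), even when the botnet is idle. The Python script below parses a constructed connection log (the four-field format, timestamp in seconds / source / destination / bytes, is an assumption made for the example) and flags source-destination pairs whose connection inter-arrival times are unusually regular.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not real traffic). Assumed format per line:
# <timestamp seconds> <source IP> <destination IP> <bytes sent>
# 10.0.0.5 talks to 203.0.113.7 roughly every 60 s with a little jitter,
# the way an idle bot polling its controller would; 10.0.0.8 is bursty,
# human-like browsing.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 512
1010 10.0.0.5 198.51.100.9 2048
1058 10.0.0.5 203.0.113.7 512
1122 10.0.0.5 203.0.113.7 512
1179 10.0.0.5 203.0.113.7 512
1241 10.0.0.5 203.0.113.7 512
1300 10.0.0.5 203.0.113.7 512
1005 10.0.0.8 198.51.100.9 10000
1400 10.0.0.8 198.51.100.9 3000
1405 10.0.0.8 192.0.2.10 700
1410 10.0.0.8 192.0.2.10 900
1900 10.0.0.8 192.0.2.10 650
1903 10.0.0.8 192.0.2.10 800
2500 10.0.0.8 192.0.2.10 700
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst, mean_interval) for pairs that look like beaconing.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is close to 0 for a timer-driven bot and large for
    human-driven traffic. Pairs with too few connections are skipped so a
    couple of coincidental hits do not trigger an alert.
    """
    suspects = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; cannot judge regularity
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects.append((src, dst, float(avg)))
    return sorted(suspects)


if __name__ == "__main__":
    for src, dst, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: %s -> %s every ~%.0f s" % (src, dst, interval))
```

Run against the sample, the only pair flagged is 10.0.0.5 to 203.0.113.7 with an interval of about 60 seconds. In practice legitimate software also beacons (NTP, update checks, monitoring agents), so this kind of heuristic is a triage signal to be combined with an allow-list of known destinations and with reputation data on the remote address, not a verdict on its own; the `min_connections` and `max_cv` thresholds need tuning to the environment.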

Build Server

A build server is a distinct concept from a Continuous Integration (CI) server. The CI server exists to build your projects whenever changes are made. By contrast, a build server exists to build the project (typically a release, against a tagged revision) in a clean environment. It ensures that no developer hacks, tweaks, unapproved config/artifact versions or uncommitted code make it into the released code.