# Security terms

Here are some of the common security terms that are used within the tool:

### **Common Vulnerability Enumeration (CVE)** <a href="#whatiscommonvulnerabilityenumeration-cve" id="whatiscommonvulnerabilityenumeration-cve"></a>

This is a vulnerability published in an open database by the NVD, with an assigned identifier known as a CVE ID. Examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271).

{% embed url="https://www.youtube.com/watch?v=nwsFEuCXyxI" %}

### **Common Vulnerability Scoring System (CVSS)** <a href="#whatiscommonvulnerabilityscoringsystem-cvss" id="whatiscommonvulnerabilityscoringsystem-cvss"></a>

An open framework for describing the severity of vulnerabilities: each vulnerability is given a score between 0 and 10, with 10 being the most critical.

{% embed url="https://www.youtube.com/watch?v=SYio0CH6-Mo" %}

### **Common Weakness Enumeration (CWE)** <a href="#whatuscommonweaknessenumeration-cwe" id="whatuscommonweaknessenumeration-cwe"></a>

This is a weakness, either in software or in hardware, that may be exploited in a specific system. The CWE list is a tree hierarchy with different levels of abstraction. An example of a CWE tree chain, from high to low abstraction, may look like:

"Improper Restriction of Operations within the Bounds of a Memory Buffer" (CWE-119) -> "Buffer Copy without Checking Size of Input" (CWE-120) -> "Stack-based Buffer Overflow" (CWE-121).

{% embed url="https://www.youtube.com/watch?v=GJNaEpv3Ok0" %}

### **Common Platform Enumeration (CPE)** <a href="#whatiscommonplatformenumeration-cpe" id="whatiscommonplatformenumeration-cpe"></a>

This is a naming scheme for IT systems, software, and packages. An example of a CPE string for the React framework, version 16, is:

`cpe:2.3:a:facebook:react:16.0.0:*:*:*:*:*:*:*`
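
As an added example (not part of this page or the tool's own code), the Python below parses CPE 2.3 formatted strings like the one above into their eleven named fields, honouring backslash escapes such as `\:`, and matches an installed component's CPE against an advisory's CPE pattern where `*` means ANY. All CPE strings in it are constructed for illustration.

```python
from __future__ import annotations

# The eleven attributes that follow the "cpe:2.3" prefix, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(cpe: str) -> list[str]:
    """Split on ':' while honouring backslash escapes (e.g. 'node\\:js')."""
    fields, current, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current += cpe[i + 1]  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append(current)
            current = ""
        else:
            current += ch
        i += 1
    fields.append(current)
    return fields


def parse_cpe(cpe: str) -> dict[str, str]:
    """Return the CPE as a field->value dict; reject anything that is not CPE 2.3."""
    fields = split_cpe(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def field_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) matches every value; '-' (NA) and literals must match exactly.
    Partial wildcards such as '16.*' are part of the CPE spec but omitted here."""
    return pattern == "*" or pattern == value


def cpe_matches(pattern_cpe: str, target_cpe: str) -> bool:
    """True if every field of the advisory pattern covers the installed component."""
    pattern, target = parse_cpe(pattern_cpe), parse_cpe(target_cpe)
    return all(field_matches(pattern[f], target[f]) for f in CPE_FIELDS)


def affected_by(installed_cpe: str, advisory_cpes: list[str]) -> list[str]:
    """Return the advisory CPE patterns that cover the installed component."""
    return [c for c in advisory_cpes if cpe_matches(c, installed_cpe)]
```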

{% embed url="https://www.youtube.com/watch?v=Pfn74NDTs78" %}

### **Node Package Manager (npm)** <a href="#whatisthe-nodepackagemanager-npm" id="whatisthe-nodepackagemanager-npm"></a>

A package manager for JavaScript consisting of a command line client **npm**, along with an online database of packages known as the **npm registry**. npm handles local dependencies, as well as global JavaScript tools. As of 2023, npm has joined forces with GitHub.

### **National Vulnerability Database (NVD)** <a href="#whatisthe-nationalvulnerabilitydatabase-nvd" id="whatisthe-nationalvulnerabilitydatabase-nvd"></a>

An open database for vulnerability management, managed by the U.S. government. The information displayed is an aggregation of multiple sources, along with a CVSS severity score, the vulnerability type as a CWE, and the affected products as CPEs.

### Understanding security vulnerabilities - video series

Have a look at the online course, which gives you an overview of security vulnerabilities and related topics. In this series, you will learn about:

* Different types of security vulnerabilities
* How to identify and mitigate them
* Common attacks and how to protect your team from them

Whether you are a beginner, an experienced developer or a security professional, this series is designed to help you enhance your knowledge of open-source security and keep your code secure.

[**Check it out**](https://www.youtube.com/playlist?list=PLZQ5U-W8XnxMCnOWqBccsShZJxz8kV53h), improve your skills and stay ahead in the fast-changing world of technology.
