Nomenclature has always been a problem in computer security, and software security is no exception. Several terms used in the BSIMM have a particular meaning for us. Here are some of the most important terms used throughout the BSIMM:
Activity – Actions carried out or facilitated by the Software Security Group (SSG) as part of a practice. Activities are divided into three levels in the BSIMM.
Domain – One of the four major groupings in the Software Security Framework. The domains are: governance, intelligence, Secure Software Development Lifecycle (SSDL) touchpoints, and deployment.
Practice – One of the 12 categories of BSIMM activities. Each domain in the Software Security Framework has three practices. Activities in each practice are divided into three levels. See the SSF section.
Satellite – A group of interested and engaged developers, architects, software managers, and testers who have a natural affinity for software security and are organized and leveraged by a software security initiative.
Secure Software Development Lifecycle (SSDL) – Any software development lifecycle (SDLC) with integrated software security checkpoints and activities.
Security Development Lifecycle (SDL) – A term used by Microsoft to describe their Secure Software Development Lifecycle.
Software Security Framework (SSF) – The basic structure underlying the BSIMM, comprising 12 practices divided into four domains. See the Software Security Framework section.
Software Security Group (SSG) – The internal group charged with carrying out and facilitating software security. We’ve observed that step one of a software security initiative is forming an SSG.
Software Security Initiative – An organization-wide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. Also known in the literature as an Enterprise Software Security Program.