Glossary

Term: Definition
Application Administrator: An employee responsible for the functioning of the System at the application software level, including administration of the System's users.
IS Administrator: An employee responsible for ensuring compliance with information security requirements, and for exercising control over them, during the implementation and operation of the System.
Application Security: The measures, practices, and tooling that protect an application and its data throughout the software lifecycle. The ISO/IEC 27034 standard covers all aspects of secure software development (http://www.iso27001security.com/html/27034.html).
Application Security Strategy: A system of approaches, techniques, practices, and steps for integrating secure software development processes into the existing software release cycle without disrupting it. It takes into account the organizational, technological, and methodological specifics of how the organization delivers software.
Vulnerability: A flaw or weakness in software (in its design, implementation, or configuration) that can be exploited to break its functionality or to gain unauthorized access to application resources or data.
Application Security Testing: Testing of an application to identify security defects and vulnerabilities. It includes automated testing using practices such as SAST, DAST, IAST, SCA, and BCA.
SAST (Static Application Security Testing): Static analysis of application source code using specialized tools, without running the application. It allows vulnerabilities to be identified at the early stages of development, before the code is built or deployed. SAST tools identify vulnerabilities by analyzing data flows in the application: they trace untrusted data from its source (user input, request parameters, files) along all possible branches in the code to the sinks where it is used (database queries, OS commands, output rendering) and flag paths that reach a sink without sanitization or validation.
Dynamic Application Security Testing (DAST): Dynamic analysis of a running application using specialized tools; it discovers vulnerabilities in an application that is already deployed in a test environment, without access to its source code. It identifies possible vulnerabilities by simulating a user's interaction with the system: sending requests with specially crafted data and validating the responses returned by the server.
Open Source Analysis (OSA) / Software Composition Analysis (SCA): Analysis of the open-source libraries and components that are entering the software engineering perimeter or are already used as artifacts within an application. Components are identified by name and version and checked against databases of known security vulnerabilities, and their licenses are checked for compliance issues.
Runtime Application Self-Protection (RASP): A class of automated tools and techniques that protect applications and services in a production environment by instrumenting the application itself, so that attempts to exploit its vulnerabilities can be detected and blocked at runtime.
Bytecode and Container Analysis (BCA): Automated analysis of compiled build artifacts, software distributions, and Docker container images using dedicated tools, including, but not limited to, cases where source code is not available for security analysis in the later stages of the SDLC.
Web Application Firewall (WAF): An automated tool that identifies attacks against web applications and blocks exploitation attempts at the HTTP request level. Because it filters traffic rather than fixing the code, it can serve as a temporary mitigation ("virtual patching") for vulnerabilities that are not yet fixed, and in some cases blocks exploitation of zero-day vulnerabilities whose attack traffic matches its generic rules; it should not be relied on as the only protection.
Building Security In Maturity Model (BSIMM): An application security maturity model; a framework that surveys and describes the software security practices and initiatives actually in use across the participating organizations (https://www.bsimm.com/).
openSAMM (Software Assurance Maturity Model): An open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization (http://www.opensamm.org). It is now maintained as the OWASP Software Assurance Maturity Model (OWASP SAMM).
Open Web Application Security Project (OWASP): An open community that supports and develops practices, tools, techniques, and initiatives for the Application Security domain (https://www.owasp.org).
Secure Software Development Lifecycle (SSDL): The lifecycle of security assurance applied to software engineering; a process focused on reducing both the number of software vulnerabilities and their severity, and on assuring security and confidentiality at every stage of the development process.
Development and Operations (DevOps): Software engineering practices, tools, and techniques focused on shortening the release cycle, reducing time-to-market, and increasing the overall effectiveness of software development.
Security, Development, and Operations (DevSecOps): The concept of making software security a core part of the overall software delivery process rather than a separate phase at the end of it.
DevSecOps Ecosystem: A collection of tools, and of the process workflows created and executed on those tools, that supports all activities throughout the full DevSecOps lifecycle. DevSecOps workflows may be fully automated, semi-automated, or manual.
Source Code: Software instructions for a computer, written in a human-readable programming language. Source code is compiled (or interpreted) into machine code, the machine-executable instructions that actually run; machine code is derived from source code but is not itself source code.
Codebase: A collection of source code used to build a particular software system, application, or software component. Typically, a codebase includes only human-written source code files; it usually does not include source code files generated by tools (generated files) or binary library files (object files), as these can be built from the human-written source code. However, it usually does include configuration and property files, as they are data necessary for the build.
Software Artifact: A work product that has been documented and stored in a repository so that it can be retrieved on demand. Artifacts include, but are not limited to, virtual machine (VM) images, container images, binary executables, open-source libraries and components, distributions, and archives.
Containers: A standard unit of software that packages up code and all its dependencies, down to, but not including, the operating system (OS). A container is a lightweight, standalone, executable package that includes everything needed to run an application except the OS: code, runtime, system tools, system libraries, and settings. Several containers can run on the same OS without conflicting with one another. Containers run directly on the OS kernel, so no hypervisor (virtualization) is necessary (though the OS itself may be running on a hypervisor).
Software Factory

A Software Factory is a structured set of software artifacts installed in a development environment that makes it easier for architects and developers to predictably, efficiently, and accurately build a particular type of application.

A Software Factory contains multiple pipelines, each equipped with a set of tools, process workflows, scripts, and environments, to produce a set of deployable software artifacts with minimal human intervention. It automates the activities in the development, build, test, release, and delivery phases. The software factory supports multi-tenancy.

Artifact Repository

A local repository tied to the software factory. It stores artifacts pulled from a centralized artifact repository as well as locally developed artifacts to be used in DevSecOps processes. It supports multi-tenancy.

Note that programs may have a single artifact repository and use tags to distinguish the content types. It is also possible to keep separate artifact repositories for local artifacts and for released artifacts.

Application Security Testing Orchestration (ASTO): The approach to building a fully automated, end-to-end orchestration process for the entire DevSecOps tool chain and to managing security CI/CD pipelines. The DevSecOps perimeter (the set of applications, tools, and pipelines covered) is defined within the ASTO practice. ASTO helps to manage the application portfolio, to integrate the security tools seamlessly into the software development infrastructure, and to implement the data collection and consolidation mechanisms needed for process visibility and continuous monitoring.
Environment: Sets a runtime boundary within which a software component is deployed and executed. Typical environments include development, integration, test, pre-production, and production.
Standard: A set of information security requirements, or categories of such requirements, against which an application can be checked. Standards may be either external (international or industry) standards or internal company standards.
Defects: A defect is a confirmed vulnerability recorded in a software defect tracking system. Each defect has a type, a description, and recommendations for its elimination.
CI/CD (Continuous Integration / Continuous Delivery): A system for continuous integration and continuous delivery of software: every change is automatically built and tested (CI) and packaged so that it is ready to be released at any time (CD). TeamCity is one example of such a system; Jenkins and GitLab CI are others.
Machine Learning: Algorithms that build a model from data rather than from explicitly programmed rules, and then apply that model to new inputs.
Knowledge Management: The practice of managing application security requirements and knowledge within the SSDL process: a knowledge base of application security standards and guidelines covering secure architecture design, the specifics of programming languages, and software frameworks.
AST: Application Security Testing (see above).
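The SAST entry above describes what a static analyzer does in the abstract: follow data from a source along the code to a sink. The following is an added example, not code from the original page or from any of the tools it names. It is a toy source-to-sink taint tracker over a Python AST; the lists of sources, sinks and sanitizers are assumptions chosen for the demo, and the analyzed SAMPLE is constructed input that is parsed but never executed.

```python
"""Toy SAST pass: source-to-sink taint tracking over a Python AST (added example)."""
import ast

# Assumed models for the demo: where untrusted data enters, where it becomes
# dangerous, and which calls neutralise it. Real tools ship far larger models.
SOURCES = {"input", "os.environ.get", "request.args.get"}
SINKS = {"os.system", "eval", "exec", "cursor.execute", "subprocess.call"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Walks one module top to bottom, recording the path from each source to the
    variables it flows into, and reporting every path that reaches a sink."""

    def __init__(self):
        self.tainted = {}   # variable name -> list of steps from its source
        self.findings = []  # complete source-to-sink paths

    def taint_of(self, node):
        """Return the taint path carried by an expression, or None if it is clean."""
        if isinstance(node, ast.Call):
            fn = dotted(node.func)
            if fn in SOURCES:
                return [f"source {fn}() at line {node.lineno}"]
            if fn in SANITIZERS:
                return None  # sanitizer output is treated as clean
            # Other calls propagate taint from arguments or receiver: str(x), x.strip()
            for arg in node.args:
                path = self.taint_of(arg)
                if path:
                    return path
            if isinstance(node.func, ast.Attribute):
                return self.taint_of(node.func.value)
        elif isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        elif isinstance(node, (ast.BinOp, ast.JoinedStr)):
            for child in ast.iter_child_nodes(node):  # "a" + x, "%s" % x, f"{x}"
                path = self.taint_of(child)
                if path:
                    return path
        elif isinstance(node, ast.FormattedValue):
            return self.taint_of(node.value)
        return None

    def visit_Assign(self, node):
        path = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if path:
                    self.tainted[target.id] = path + [
                        f"assigned to {target.id} at line {node.lineno}"]
                else:
                    self.tainted.pop(target.id, None)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted(node.func)
        if fn in SINKS:
            for arg in node.args:
                path = self.taint_of(arg)
                if path:
                    self.findings.append(path + [f"sink {fn}() at line {node.lineno}"])
                    break
        self.generic_visit(node)


def analyze(source):
    """Return every source-to-sink path found in `source` (a Python module as text)."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed input: two real flows and two flows cut by a sanitizer. Parsed only.
SAMPLE = '''
import os, shlex
name = input("host: ")
cmd = "ping -c 1 " + name
os.system(cmd)                       # finding: input -> name -> cmd -> os.system
safe = shlex.quote(name)
os.system("ping -c 1 " + safe)       # no finding: shlex.quote is a sanitizer
count = int(input("n: "))
os.system(f"sleep {count}")          # no finding: int() is a sanitizer
query = "SELECT * FROM t WHERE id = %s" % name
cursor.execute(query)                # finding: input -> name -> query -> cursor.execute
'''

if __name__ == "__main__":
    for path in analyze(SAMPLE):
        print(" -> ".join(path))
```

The tracker is intra-procedural and flow-insensitive to branching: it does not follow data into called functions, across files, or through control-flow merge points, and it trusts its sanitizer list blindly. Those are exactly the places where commercial SAST engines spend their effort, and where their false positives and negatives come from.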
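The DAST entry above describes the dynamic side: send crafted requests to a deployed application and judge its responses. The following is an added example, not code from the original page or from any scanner it names. Both target applications are constructed for the demo and are called in-process through the WSGI interface, so nothing touches the network; a real scanner would speak HTTP to a deployed test instance and carry many more payloads and checks.

```python
"""Toy DAST probe against an in-process WSGI target (added example)."""
import html
import re
from urllib.parse import parse_qs, urlencode


def vulnerable_app(environ, start_response):
    """Constructed target: reflects q unescaped and leaks a DB error on a quote."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    if "'" in q:  # stands in for an unparameterised SQL query that fails
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b'sqlite3.OperationalError: near "\'": syntax error']
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<p>Results for {q}</p>".encode()]


def hardened_app(environ, start_response):
    """Constructed target with output encoding and no error leakage."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<p>Results for {html.escape(q)}</p>".encode()]


def request(app, path, query):
    """Issue one GET to a WSGI app in-process; return (status line, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": urlencode(query)}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Each check: name, crafted payload, and the response condition that confirms it.
# The SQL-error pattern is deliberately simple and will give false positives on
# pages that legitimately contain the words it matches; real scanners use
# larger signature sets and differential (true/false condition) comparisons.
CHECKS = [
    ("reflected XSS", "<svg/onload=dast>",
     lambda status, body, payload: payload in body),
    ("SQL error disclosure", "' OR '1'='1",
     lambda status, body, payload: status.startswith("500")
     or re.search(r"syntax error|SQL", body, re.I) is not None),
]


def scan(app, path="/search", param="q"):
    """Run every check against one parameter; return the names of confirmed issues."""
    findings = []
    for name, payload, confirms in CHECKS:
        status, body = request(app, path, {param: payload})
        if confirms(status, body, payload):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app))
    print("hardened:  ", scan(hardened_app))
```

Note what the probe can and cannot see: it confirms the reflected XSS only because the payload comes back byte-for-byte, and it infers the injection only from an error page. It never sees the source, so a SQL injection that fails silently, or an XSS sink reached only after a login, is invisible to it unless the scanner is given credentials and the right payloads. That blind spot is the reason the glossary pairs DAST with SAST rather than offering either alone.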