- Artifact (especially, software artifact)
Those documents and objects created in the course of building software. The touchpoints in this book are software security best practices meant to be applied to common software artifacts including requirements, use cases, design documents, architecture documents, test plans, test results, code, executables, and feedback from the field.
- Attack pattern
Like a design pattern, only applicable to attacks. A high-level description of a set of software attacks. See Chapter 8.
- Bug
A bug is an implementation-level software problem. Bugs may exist in code but never be executed. Though the term bug is applied quite generally by many software practitioners, I reserve use of the term to encompass fairly simple implementation errors. Bugs are implementation-level problems that can be easily discovered and remedied. See Chapter 1.
- COTS
Commercial off-the-shelf software.
- Defect
Both implementation vulnerabilities and design vulnerabilities are defects. A defect is a problem that may lie dormant in software for years only to surface in a fielded system with major consequence.
- Exploit
A script or plan that executes against a vulnerability, leading to security compromise.
- Flaw
A design-level or architectural software defect. High-level defects cause 50% of software security problems. See Chapter 1.
- Risk
Flaws and bugs lead to risk. Risks are not failures. Risks capture the probability that a flaw or a bug will impact the purpose of the software (i.e., risk = probability × impact). Risk measures must also take into account the potential damage that can occur. A very high risk is not only likely to happen but also likely to cause great harm. Risks can be managed by technical and non-technical means. See Chapter 1.
- Software security
The idea of engineering software so that it continues to function correctly under malicious attack.
- SDL
Secure Development Lifecycle.
- SDLC
Software development lifecycle.
- Threat
The actor or agent who is the source of danger. Within information security, this is invariably the danger posed by a malicious agent (e.g., fraudster, attacker, malicious hacker) for a variety of motivations (e.g., financial gain, prestige). Threats carry out attacks on the security of the system (e.g., SQL injection, TCP/IP SYN attacks, buffer overflows, denial of service). Unfortunately, Microsoft has been misusing the term threat as a substitute for risk. This has led to some confusion in the commercial security space. See Chapter 5.
- Touchpoint
Process-agnostic software security best practice applied on a software artifact.
- Vulnerability
A defect or weakness in system security procedures, design, implementation, or internal controls that can be exercised and result in a security breach or a violation of security policy. A vulnerability may exist in one or more of the components making up a system. See Chapter 5.