Nomenclature has always been a problem in computer security, and software security is no exception. Several terms used in the BSIMM have particular meaning for us. Here are some of the most important terms used throughout the BSIMM:
Activity: Actions carried out or facilitated by the software security group (SSG) as part of a practice. Activities are divided into three levels in the BSIMM.
Domain: One of the four categories into which the framework is divided: Governance, Intelligence, Secure Software Development Lifecycle (SSDL) Touchpoints, and Deployment.
Practice: BSIMM activities are grouped into 12 categories, or practices. Each domain in the software security framework (SSF) contains three practices, and the activities within each practice are divided into three levels.
Satellite: A group of interested and engaged developers, architects, software managers, testers, and people in similar roles who have a natural affinity for software security and are organized and leveraged by a software security group (SSG).
Secure software development lifecycle (SSDL): Any software lifecycle with integrated software security checkpoints and activities.
Software security framework (SSF): The basic structure underlying the BSIMM, comprising 12 practices divided into four domains. See the software security framework section.
Software security group (SSG): The internal group charged with carrying out and facilitating software security. According to our observations, the first step of a software security initiative (SSI) is to form an SSG.
Software security initiative (SSI): An organization-wide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. Also known in the literature as an enterprise software security program.