Glossary of software security terms

Nomenclature has always been a problem in computer security, and software security is no exception. Several terms used in the BSIMM have particular meaning for us. Here are some of the most important terms used throughout the BSIMM:

Activity: Actions carried out or facilitated by the software security group (SSG) as part of a practice. Activities are divided into three levels in the BSIMM.

Domain: One of the four major groupings in the software security framework. The domains are GovernanceIntelligenceSecure Software Development Life Cycle (SSDLC) touchpoints, and Deployment.

Practice: One of the 12 categories of BSIMM activities. Each domain in the software security framework has three practices. Activities in each practice are divided into three levels.

Satellite: A group of interested and engaged developers, architects, software managers, and testers who have a natural affinity for software security and are organized by and contribute to a software security initiative.

Secure software development life cycle (SSDL): Any software development life cycle (SDLC) with integrated software security checkpoints and activities.

Security development lifecycle (SDL): A term used by Microsoft to describe their secure software development life cycle (SSDLC).

Software security framework (SSF): The basic structure underlying the BSIMM, comprising 12 practices divided into four domains. See the software security framework section.

Software security group (SSG): The internal group charged with carrying out and facilitating software security. We’ve observed that Step 1 of a software security initiative (SSI) is forming an SSG.

Software security initiative: An organizationwide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. Also known in the literature as an enterprise software security program.