Software Security knowledge
Updated: 2025-02-21 / JRO
Terminology
- CI/CD - Continuous Integration / Continuous Delivery. DevSecOps extends it by automating security practices in the pipeline, so teams can raise security without losing velocity.
- CVSS - Common Vulnerability Scoring System. Captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high and critical) to help organizations assess and prioritize their vulnerability management processes.
- EPSS - Exploit Prediction Scoring System. Estimates the likelihood (probability) that a software vulnerability will be exploited in the wild.
- FedRAMP - compliance framework. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
- MTTR. Mean Time to Resolve (MTTR) is the average time between the start and resolution of an incident. But first you have to identify the problem:
- MTTI. Mean Time to Identify (MTTI) is also an important key performance indicator (KPI).
- NIST. National Institute of Standards and Technology. Researches, develops and produces guidelines, recommendations and best practices for foundational security mechanisms, protocols and services.
- POC. Proof of concept. The earliest implementation of a threat; usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities.
- PR. Pull Request.
- PCI
- PCI-DSS. Payment Card Industry Data Security Standard. Aims at protecting sensitive cardholder data and reducing the risk of data breaches across the entire payment ecosystem. Requires controls such as firewalls and regular testing.
- OWASP. Open Worldwide Application Security Project. Community that produces freely available articles, methodologies, documentation, tools and technologies in the fields of IoT, system software and web application security.
- RSPM ?
- SBOM. Software Bill of Materials. A nested inventory, a list of ingredients that make up software components. Gives a detailed view of the open-source components that developers and security professionals can use to understand the security of the third-party libraries and dependencies used in an application.
- SAST. Static Application Security Testing. Scans an application's source code, identifies the root cause of vulnerabilities and helps remediate the underlying security flaws, providing immediate feedback to developers on issues introduced into code during development.
- SCA. Software Composition Analysis. Analysis of the open-source packages in use by an application. Highlights vulnerabilities and licenses in dependencies for risk and compliance assessments, and can generate a software bill of materials (SBOM) of all resources.
- SLA. Service Level Agreement. Details the duties of service providers and establishes precise expectations concerning cybersecurity, including vulnerability management and data confidentiality requirements.
- SDLC - Software Development Life Cycle. Planning, requirements, design & prototyping, development, testing, deployment, operations & maintenance.
- SSDF - ?
- VEX. Vulnerability Exploitability eXchange. Indicates whether a product or products are affected by a known vulnerability or vulnerabilities.