Glossary

The glossary is a constant work-in-progress. If you have words you’d like to have defined let me know. Or if you have definitions that are messing, let me know that too.

3 | 4 | a | b | c | d | e | f | g | h | i | j | k | l | m | n | p | s | v | w | z
Reset list
salted hash -  A method of adding a random sequence of characters to a password before encrypting it, making them much more difficult to crack.
- Synonyms: salting
SAST -  SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.
- Synonyms: Static Application Security Testing, application code scanning
SATE -  Static Analysis Tool Exposition is an effort by NIST to help people understand what static analysis tools are capable of, and what their limitations are.
- Synonyms: Problem Report System, PR, Bug Tracking, Bugzilla, Trouble Ticket
SBOM -  SBOM stands for Software Bill of Materials. It is a manifest of all the code in a system, device, or application including particular code and libraries from open source software, third parties, etc. It allows users to know what's actually in an application, and thereby do security update, recalls, etc. in the same manner that is currently done for hardware like for medical and automotive. In the USA there is an effort to better define common standards and methods around SBOM being headed by the NTIA. See https://www.ntia.gov/sbom
SCA -  SCA or software composition analysis means that you analyze what "other" software is included in your application or system. For example do you use a commercially available library, an open source library, or build OSS straight into your application. If so, then you should be scanning these from a security perspective for known vulnerabilities so you can patch and keep them up-to-date to avoid zero-day security issues.
- Synonyms: software composition analysis
SCAP -  SCAP stands for security content automation protocol. It's an open protocol used by NVD to enable easy automation of security vulnerability notification, research, tooling, etc. See https://csrc.nist.gov/projects/security-content-automation-protocol/
SCM -  Software configuration management aka SCM or Source Code Control System or Source Control aka Version Control. A system that keeps track of changes and revisions in software, as well as facilitating cooperative development.
- Synonyms: Software Configuration Management, Source Code Control System, Source Control, Version Control
security certificate -  A digital artifact used in cryptography for secure connections like SSL. The certificate is used to authenticate who a user was, letting you know that you're dealing with the person you think you are. Certificates are normally issued by authorities who take steps to ensure identity before issuing any certificate. There are also self-signed certificates that you can create for yourself but do not have the same level of trust. In essence you are saying "I am who I say I am." For more details see wikipedia.
- Synonyms: digital certificate, identity certificate, ssl certificate
SoC -  System on a chip. Rather than traditional computing where a system consists of a CPU and separate memory, graphics processor, etc, the SoC is essentially a small computer on a single chip - ideal for mobile devices.
- Synonyms: system-on-a-chip
SRG -  SRG stands for Security Requirements Guide. It is a document created and maintained through DISA and provides guidance for cybersecurity both for specific software, hardware, and devices as well as general software not covered by a specific STIG or SRG. See https://public.cyber.mil/stigs/srg-stig-tools/
static analysis -  Any form of software analysis that can be done on the code without actually executing the code. Encompasses techniques like pattern-based analysis, metrics, code review, etc.
- Synonyms: static code analysis
STIG -  STIG is an acronym for Security Technical Implementation Guide and is a document created and maintained by DISA to help organizations install, configure, deploy, and monitor applications, systems, and devices in a safe and secure manner, especially on a DoD network. See https://public.cyber.mil/stigs/
SVN -  SVN aka Subversion is a source control system or SCM, designed to work similar to CVS but with improvements to address limitations inherent in CVS.
- Synonyms: Subversion