7. Glossary of terms.md

File metadata and controls

25 lines (22 loc) · 5.26 KB

7 Glossary of Terms

This glossary lists terms that are frequently used while threat modeling, together with their meanings.

  • ASVS: The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. (OWASP Application Security Verification Standard, n.d.)
  • Attack tree: Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes. (Schneier, 1999)
  • Azure DevOps: Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. Azure DevOps Server was formerly named Visual Studio Team Foundation Server (TFS). (What is Azure DevOps, n.d.)
  • CVSS: The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. (Common Vulnerability Scoring System SIG, n.d.)
  • DevOps: DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.
  • DevSecOps: DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. (What is DevSecOps, n.d.)
  • G Suite: G Suite, formerly known as Google Apps for Work, is a Software as a Service (SaaS) product that groups all the cloud-based productivity and collaboration tools developed by Google for businesses, institutes, and non-profits. (Gavin, 2019)
  • JIRA: Jira Software is part of a family of products designed to help teams of all types manage work. Originally, Jira was designed as a bug and issue tracker. But today, Jira has evolved into a powerful work management tool for all kinds of use cases, from requirements and test case management to agile software development (What is Jira used for, n.d.)
  • LINDDUN: A privacy threat modeling methodology that supports analysts in systematically eliciting and mitigating privacy threats in software architectures. LINDDUN is a mnemonic for the privacy threat categories it supports: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance. (LINDDUN privacy engineering, n.d.)
  • MS Teams: Microsoft Teams is a communication and collaboration platform that combines workplace chat, video meetings, file storage, and application integration. The service integrates with the Office 365 subscription office productivity suite and features extensions that can integrate with non-Microsoft products. (Microsoft Teams, 2020)
  • OWASP risk rating methodology: Risk rating methodology introduced by OWASP which approaches risk rating in six steps: Identifying a risk, factors for estimating likelihood, factors for estimating impact, determining severity of the risk, deciding what to fix, and customizing your risk rating model.
  • Playbook: A book containing a team's strategies and plays. A set of rules or suggestions that are suitable for a particular activity, industry, or job.
  • SAMM: OWASP SAMM stands for Software Assurance Maturity Model. This is an open source project from OWASP, more details are available on https://owaspsamm.org/about/
  • Security champion: Security Champions are active members of a team who may help to make decisions about when to engage the Security Team. They act as a core element of the security assurance process within the product or service and hold the role of Single Point of Contact (SPOC) within the team. More details are available at: https://github.com/c0rdis/security-champions-playbook
  • SharePoint: Organizations use Microsoft SharePoint to create websites. You can use it as a secure place to store, organize, share, and access information from different devices.
  • STRIDE: A model of threats developed by Microsoft for identifying computer security threats. It provides a mnemonic for security threats in six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
  • Squad: Similar to a scrum team, Squads are cross-functional, autonomous teams (typically 6-12 individuals) that focus on one feature area. Each Squad has a unique mission that guides the work they do, an agile coach for support, and a product owner for guidance.
  • Threat Modeling: Threat modeling is the activity of identifying and managing application risks. Also known as architectural risk analysis.
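The attack tree entry above says what the structure is but not what you do with it. The following is an added example (not code from this playbook) that builds a small tree with OR and AND nodes and answers the two questions a tree is usually built for: what is the cheapest path to the root goal, and which attacks can an adversary with a given budget afford? The tree mirrors the shape of Schneier's safe-opening example; the dollar costs on the leaves are constructed assumptions, not figures from the article.

```python
"""Evaluating an attack tree: cheapest attack and attacks within a budget.

Added example, not code from the playbook. The tree mirrors the structure of
Schneier's safe-opening example; the costs on the leaves are constructed
assumptions, not figures from the article.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Attack = Tuple[int, List[str]]  # (total cost, leaf steps that make up the attack)


@dataclass
class Node:
    """One node of an attack tree: the root is the attacker's goal, interior
    nodes are OR (any child suffices) or AND (every child is required),
    and leaves are atomic steps with an estimated cost."""
    name: str
    kind: str = "LEAF"  # "LEAF", "OR" or "AND"
    cost: int = 0       # only meaningful for leaves
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: int) -> Node:
    return Node(name, "LEAF", cost)


def attacks(node: Node) -> List[Attack]:
    """Enumerate every complete attack that achieves `node`.

    An OR node is achieved by any one attack on any child; an AND node needs
    one attack on each child, so their costs add and their steps combine.
    """
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    if node.kind == "OR":
        return [a for child in node.children for a in attacks(child)]
    if node.kind == "AND":
        combos: List[Attack] = [(0, [])]
        for child in node.children:
            combos = [(c1 + c2, s1 + s2)
                      for c1, s1 in combos for c2, s2 in attacks(child)]
        return combos
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_attack(root: Node) -> Attack:
    """The least expensive way to reach the goal: what a rational attacker tries first."""
    return min(attacks(root), key=lambda a: a[0])


def within_budget(root: Node, budget: int) -> List[Attack]:
    """All attacks an adversary with `budget` can afford, cheapest first."""
    return sorted((a for a in attacks(root) if a[0] <= budget), key=lambda a: a[0])


# Constructed tree; costs are illustrative assumptions.
SAFE = Node("Open safe", "OR", children=[
    leaf("Pick lock", 30_000),
    Node("Learn combination", "OR", children=[
        leaf("Find written combination", 75_000),
        Node("Get combination from target", "OR", children=[
            leaf("Threaten", 60_000),
            leaf("Blackmail", 100_000),
            Node("Eavesdrop", "AND", children=[
                leaf("Listen to conversation", 20_000),
                leaf("Get target to state combination", 40_000),
            ]),
            leaf("Bribe", 20_000),
        ]),
    ]),
    leaf("Cut open safe", 10_000),
    leaf("Install improperly", 100_000),
])

if __name__ == "__main__":
    cost, steps = cheapest_attack(SAFE)
    print(f"cheapest attack: {' + '.join(steps)} at ${cost:,}")
    for cost, steps in within_budget(SAFE, 30_000):
        print(f"  ${cost:>7,}: {' + '.join(steps)}")
```

Cost is only one attribute you can hang on the leaves; the same OR/AND evaluation works for "requires special equipment" (OR is any, AND is all) or probability of success, which is how the tree tells you where a countermeasure actually raises the attacker's bill.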
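The OWASP risk rating entry lists the six steps but not how the numbers combine. This added example (not code from this playbook) carries steps two to four through: it averages the eight likelihood factors and the four impact factors on the methodology's 0-9 scale, maps each average to LOW/MEDIUM/HIGH, and reads the overall severity off the likelihood-by-impact matrix. The factor names follow the OWASP Risk Rating Methodology; the scores for the sample risk are constructed for illustration.

```python
"""OWASP Risk Rating Methodology: likelihood x impact -> overall severity.

Added example, not code from the playbook. Factor names and the 0-9 scale
follow the OWASP Risk Rating Methodology; sample scores are constructed.
"""
from typing import Dict, Sequence

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# (impact level, likelihood level) -> overall severity, as in the OWASP matrix.
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average(scores: Dict[str, int], factors: Sequence[str]) -> float:
    """Average the 0-9 scores of the named factors.

    A missing factor raises KeyError on purpose: silently skipping one
    would bias the average, so every factor has to be estimated.
    """
    total = 0
    for f in factors:
        v = scores[f]
        if not 0 <= v <= 9:
            raise ValueError(f"{f}={v} is outside the 0-9 scale")
        total += v
    return total / len(factors)


def level(value: float) -> str:
    """0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if value < 3:
        return "LOW"
    if value < 6:
        return "MEDIUM"
    return "HIGH"


def rate_risk(scores: Dict[str, int], use_business_impact: bool = True) -> dict:
    """Steps 2-4 of the methodology for one risk.

    Business impact is preferred when the team can estimate it; technical
    impact is the fallback when it cannot.
    """
    likelihood = average(scores, LIKELIHOOD_FACTORS)
    impact_factors = BUSINESS_IMPACT_FACTORS if use_business_impact else TECHNICAL_IMPACT_FACTORS
    impact = average(scores, impact_factors)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[(level(impact), level(likelihood))],
    }


# Constructed scores for one sample risk (illustrative assumptions).
SAMPLE = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 8,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 1, "privacy_violation": 5,
}

if __name__ == "__main__":
    print("technical impact:", rate_risk(SAMPLE, use_business_impact=False))
    print("business impact: ", rate_risk(SAMPLE))
```

Running it on the sample shows why step six (customizing the model) matters: the same risk rates High on technical impact and Low on business impact, so which impact factors a team scores, and how it weights them, decides what gets fixed first.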