This glossary contains a list of terms relevant to the Risk Management Framework. The terms defined here are general and are not tied only to the RMF.
architectural risk assessment
A representation of system risks that exist in the software architecture, including design flaws that directly impact the security of the software. This includes a measurement of impact according to the business situation, an understanding of attacker resources, and likely attack patterns. Sometimes this activity is called threat modeling (though this is a misuse of the term threat according to the security literature).
A product or byproduct of the software development process. Examples include source code, architecture diagrams, requirements documents, a written test plan, results of code reviews, and a report of test results. Analysis of artifacts can provide evidence of a system's quality with respect to various attributes, such as security.
A review of system security (or software security) in order to provide assurance that the system's security posture is adequate. Comprehensive auditing is a good security practice, but specific kinds of auditing may also be mandated by government, regulatory, or contractual considerations. During software development, this term is often used to refer to a code review or to an architectural risk assessment. In an operational environment, auditing refers to a review of security logs or other data collected during ongoing monitoring of operations to identify actual or attempted security breaches and to evaluate the quality of a system?s security. Such auditing should be done frequently, but, unlike intrusion detection approaches, auditing is typically not expected to be a real-time activity.
A software security defect that can be detected locally through static analysis.
A manual or automated review of computer software, usually source code.
An implementation or design vulnerability. A defect may lie dormant in software for years and then surface in a fielded system with major consequences.
Federal Information Processing Standard; a set of standards, sometimes related to security, from NIST.
A software security defect at the architecture or design level. Flaws may not be apparent given only source code of a software system.
The International Electrotechnical Commission, founded in 1906. The IEC develops global standards in all areas of electrotechnology. http://www.iec.ch
The National Institute of Standards and Technology, a division of the United States Department of Commerce. NIST issues guidelines and standards for computer security. http://www.nist.gov
Flaws and bugs lead to risk. Risks are not failures. Risks capture the probability that a flaw or a bug will impact the purpose of the software. Risk measures also take into account the potential damage that can occur. A very high risk is not only likely to happen but also likely to cause great harm. Risks can be managed by technical and non-technical means.
See architectural risk assessment.
An actor or agent who exploits security vulnerabilities and risks.
See architectural risk assessment.
A defect or weakness in system security procedure, design, implementation, or internal control that an attacker can exploit. A vulnerability can exist in one or more of the components making up a system, even if those components aren't necessarily involved with security functionality.
Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.
Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
For information regarding external or commercial use of copyrighted materials owned by Cigital, including information about “Fair Use,” contact Cigital at email@example.com.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.