Terms
The following definitions are used here:
| Term | Definition |
|---|---|
| 3rd Party Dependency | Here: (usually open source) 3rd party software artifacts, used by an application (e.g. libraries, Maven artifacts). |
| API | Here: Web-based interface (e.g. a RESTful service) |
| Application | Here: Synonym for web-based application or service. |
| Change | Change to an application in production. |
| Criticality | Here: Either a synonym for business criticality or the criticality of a vulnerability. |
| Confidential Data | Data that (1) consists of confidential information (e.g. trademarks, sensitive business logic, passwords, or personal data), (2) is explicitly declared as such, or (3) is only accessible to a restricted number of people. |
| Critical Application | Here: Business critical application |
| Dependency Repository | System that manages 3rd party dependencies (e.g. libraries, Maven artifacts). A dependency repository is often part of a general software repository system such as Nexus or Artifactory. |
| External Application | A web-based application that is accessible from the outside of the organization (e.g. via the Internet). |
| Internal Code | Source or program code that is neither confidential nor public (the default classification). |
| Internal Application | A web-based application that is only accessible from the inside of the organization (e.g. intranet application). |
| IT Security Function | Here: the responsible IT security function as defined in Roles. Note that this is intended as a placeholder for the respective role name in your organization (e.g. security officer, architect, or engineer). |
| Risk Class | The risk class adds exposure as a second dimension to criticality, and the two together determine the risk. As a result, risk class >= [HIGH] covers not only (business) critical applications and services but also those of medium criticality that are exposed to the Internet. See Risk Classes. |
| Security Champion (SC) | See Roles |
| Sensitive Code | Source or program code that contains confidential information such as sensitive business logic |
| Service | Here: Synonym for a (business) application that can contain one or more ->APIs |
| Source Code Repository | System where custom code is stored (e.g. Git). |
| Web Application | Here: A software program (UI, service API, or a combination of them) that is accessible via the HTTP(S) protocol and fulfills a particular business case. |