Letter S
SAML Token
Security Assertion Markup Language (SAML) tokens are XML representations of claims. SAML tokens carry statements that are sets of claims made by one entity about another entity.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
SCADA (Supervisory Control And Data Acquisition)
SCADA systems are used to control dispersed assets where centralized data acquisition is as important as control. These systems are used in various industrial systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.
Sources: NIST SP 800-82r2 https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
SIEM Platform
The Security Information and Event Management Platform collects, correlates, and reports on multiple security information sources to maintain situational awareness.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Business Operation Support Services (BOSS) Domain
SIS (Safety Instrumented System)
Safety Instrumented Systems are used to monitor the condition of values and parameters of a plant within its operational limits and, when risk conditions occur, they trigger alarms and place the plant in a safe condition or even shut it down. The main objective is to avoid accidents inside and outside plants.
Sources: http://www.smar.com/en/technical-article/sis-safety-instrumented-syst02
SOC Portal
A dashboard application maintained by the Security Operations Center to give overall visibility of the organization’s security status.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Business Operation Support Services (BOSS) Domain
SSL
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in online communication. SSL ensures that all data transmitted between the web server and browser remains encrypted and secure, protecting sensitive information from interception.
Sources: https://www.isaca.org/resources/glossary#glosss
SVP
This stands for the Shortest Vector Problem, which requires finding the shortest non-zero vector in a lattice. The problem is NP-hard (non-deterministic polynomial-time hard) under randomized reductions for the Euclidean norm. This is a hard problem that underlies lattice-based cryptography.
Sources: Quantum Safe Security Glossary : CSA
SaaS Security Posture Management (SSPM)
Tools that enable organizations to manage and monitor SaaS applications, ensuring proper configuration and entitlements. These tools offer centralized visibility into security controls, configurations, and compliance status across multiple SaaS applications.
Sources: https://www.cloudflare.com/learning/cloud/what-is-sspm/
Sandboxing
A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Sources: https://csrc.nist.gov/glossary/term/sandbox
Scheduling
As part of release management, a detailed schedule of releases and their features should be developed to bundle many change requests into a single change calendar.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Search
A presentation modality that allows users to query a single site or multiple sites for content related to the terms in the query. This modality is often used as an initial form of navigation across the internet or within the site.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain
Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE) is an emerging cybersecurity framework that combines wide-area networking (WAN) and network security services like secure web gateways, firewalls, and zero trust network access (ZTNA) into a single cloud-delivered service model. SASE aims to provide secure and fast cloud-based networking capabilities.
Sources: https://csrc.nist.gov/glossary/term/secure-access-service-edge
Secure Repositories
With respect to compliance and assurance processes, storing compliance artifacts requires secure, accessible repositories that protect the integrity and confidentiality of the data. These repositories should adhere to security standards and be capable of restricting access to authorized personnel only.
Sources: https://github.blog/2021-10-22-github-actions-for-security-compliance/
Secure Collaboration
A technology or solution for securing collaboration services (e.g., SharePoint) to extend access to employees on the go, partners, vendors, and even customers.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Secure Disposal of Data
Ensure that data is destroyed appropriately to preclude its recovery (e.g., through digital forensic techniques). Documentation of such destruction should be in place and should be included in information lifecycle management processes.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Business Operation Support Services (BOSS) Domain
Secure Messaging
A server-based approach to protecting sensitive data when it is sent beyond the corporate borders, which also provides compliance with industry regulations such as HIPAA, GLBA and SOX.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Secure Sandbox
An isolated environment that provides abstraction of trust concerns between custom or third-party code and the underlying system. It allows applications to run in contexts that do not affect each other or the host operating system, and allows the enterprise to have an area with managed security controls for applications with sensitive data.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain
Secure Shell (SSH)
A protocol for secure remote login and other secure network services over an insecure network, which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression.
SDPs require using mutual TLS v1.2 and higher to enable secure connections and better management of keys that are typically not managed effectively with SSH remote logins and file transfers.
Sources: https://datatracker.ietf.org/doc/html/rfc4253
https://downloads.cloudsecurityalliance.org/assets/research/sdp/SDP-glossary.pdf
Secure Sockets Layer (SSL)
A popular implementation of public-key encryption, SSL is an internet security protocol used by web browsers and servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS). You can look in your browser to determine when a website is using a secure protocol such as TLS: locations of websites that use SSL begin with the prefix “https” rather than “http,” and you will often see the icon of a closed padlock or a solid, unbroken key in your browser’s address bar to indicate that SSL is enabled.
Sources: https://iam.harvard.edu/glossary
Secure Web Authentication (SWA)
A compatibility layer provided by a single sign-on product, allowing the integration of legacy applications that don’t support federated authentication and would not otherwise be able to take advantage of organization-wide single sign-on. The feature stores a unique password for each application and securely posts the credentials directly to the application’s authentication handler, resulting in a near-seamless SSO user experience.
Sources: https://www.okta.com/resources/identity-and-access-management-glossary/
Security and Risk Management (SRM)
Security Risk Management is the process of identifying future harmful events (“threats”) that may affect the achievement of objectives. It involves assessing the likelihood and impact of these threats to determine the assessed level of risk and identifying an appropriate response. Security Risk Management involves four key strategies: controlling, avoiding, transferring and accepting security risk. Security risks are controlled through prevention (lowering the likelihood) and mitigation (lowering the impact).
Security Application Framework
Application frameworks provide a set of components that act as the fundamental starting point of an application. Frameworks enable application developers to reuse standard components across multiple applications and focus their efforts on the specific business needs of the applications. Security Application Frameworks provide security components that extend a specific application framework. For example, the ACEGI security framework became an official part of the Spring Framework for building web applications with Java.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Security Architecture
Represents the portion of the enterprise architecture that specifically addresses information system resilience and provides architectural information for the implementation of capabilities to meet security requirements.
Sources: Gantz, S. D., & Philpott, D. R. (2013). FISMA and the Risk Management Framework. ScienceDirect.
Security Assertion Markup Language (SAML)
A language for exchanging authentication and authorization information. SAML standardizes the representation of credentials in an XML format called assertions, enhancing the interoperability between disparate applications.
Sources: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-95.pdf
Security Code Review
Security code review capabilities, from a self-service point of view, refer to the ability to use a source code analyzer tool to read the source code of a program and identify areas of the code vulnerable to well-known attack patterns.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Security Controls Overlay
An overlay is a fully-specified set of controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to control baselines. For more information about control overlays, see NIST SP 800-53 Rev. 4, Section 3.3 (Creating Overlays) and Appendix I (Overlay Template).
Sources: NIST Information Technology Laboratory: Computer Security Resource Center (CSRC). (2009, June 12). FISMA Implementation Project. https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project
Security Design Patterns
Design Patterns are blueprints and instructions for solving commonly occurring technical challenges. Security Design Patterns focus on designs of security capabilities such as authentication, authorization, log monitoring, single sign-on, etc.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Security FAQ
One of the outcomes from the knowledge management process would be to establish a standard and consistent answer to questions that employees ask frequently. This process captures those questions associated with information security and compliance.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Security Guidance
CSA’s flagship research document, it provides both guidance and inspiration to manage and mitigate the risks associated with the adoption of cloud computing technology while supporting business goals.
Sources: https://cloudsecurityalliance.org/research/guidance/
Security Job Aids
As security standards and patterns are created across the organization, they should include guidelines and processes that can help employees comply with regulatory requirements or security standards in a consistent manner.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Security Knowledge Life Cycle
To build secure applications, a development team must keep up to date with the latest threats and appropriate countermeasures in their development process. A security framework is often used to provide reusable components when a development team is building multiple applications.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Security Monitoring
This container groups together the information sources coming from the BOSS - Security Monitoring Services.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Security Monitoring Services
All capabilities associated with proactive security and risk management situational awareness across the organization, with a business focus on preventing internal or external attacks, misuse of privilege, and data loss, while maintaining proper monitoring of the organization’s data and access regardless of where these services are allocated or managed (cloud, internal, hosted, etc.).
Sources: Enterprise Architecture Reference Guide v2 : CSA: Business Operation Support Services (BOSS) Domain
Security Patrols
Periodic rounds by human or animal guards to deter and detect illicit activity as well as verify the status of other security controls (e.g., verifying doors are locked).
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Security Policy
A high-level document representing an enterprise’s information security philosophy and commitment.
Sources: ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.
Security Procedure
The formal documentation of operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved.
Sources: ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.
Security Standard
Practices, directives, guidelines, principles or baselines that state what needs to be done and focus areas of current relevance and concern; they are a translation of issues already mentioned in the security policy.
Sources: ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.
Security Testing
Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or allow misuse of the system or its information.
Sources: ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.
Security information and event management (SIEM)
This technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).
Sources: https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem
Segmentation
The process of testing small individual units of source code and integrated compartments of an application as they are developed to enable defects to be found earlier and remediated faster and at less cost. Typically, segmentation is performed as an activity by developers, and its code is prepared by developers before deployment occurs. Since it is a review-code and test-code process, it is considered a continuous activity for developers.
Sources: https://cloudsecurityalliance.org/
Self Assessment
A tool and process that involves performing an analysis/assessment of risk or compliance by the owner/user rather than by a third party.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Self-Service
This capability allows anyone in the organization to report an incident and begin the incident management process.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Sensitive File Protection
The ability to protect sensitive information from being read or modified by administrators who have access to a file system but are not authorized to read the protected data within certain files. Also, the ability to monitor changes to sensitive files to audit who is making changes to them or reading them.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Sensors
A sensor is a device that detects changes in electrical, physical, or other quantities and delivers an output that confirms the change in that quantity. In simple terms, industrial automation and control sensors are input devices that provide an output (signal) with respect to a specific physical quantity (input). Examples of sensor types include temperature, pressure, vacuum, motion, and torque.
Sources: https://www.plantautomation-technology.com/articles/types-of-sensors-used-in-industrial-automation
Separation (Segregation of Duties)
Segregation of duties (SoD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SoD is based on shared responsibility for a key process, dispersing the critical functions of that process across more than one person or department.
Sources: https://www.aicpa.org/interestareas/informationtechnology/resources/value-strategy-through-segregation-of-duties.html
Separation of Duties
Separation of duties (SoD) is the concept of having more than one person required to complete a task to prevent fraud and error.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Server Application Streaming
The server-side component of an application streaming solution responsible for delivering content to multiple clients.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Server Virtualization
Concerned with creating, accessing and managing a virtual server. Controls at this level assure that a server is configured correctly, includes the proper software image, etc.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Service Networking
With respect to Kubernetes networking, Kubernetes services provide a stable IP address and DNS name for a set of pods. Services act as load balancers, distributing traffic to the pods based on labels and selectors. There are several types of services, including ClusterIP (internal to the cluster), NodePort (exposed on each node’s IP), and LoadBalancer (externally accessible through a CSP’s load balancer).
Sources: https://kubernetes.io/docs/concepts/services-networking/service/
Service Catalog
A service catalog is a list of services that an organization provides, often to its employees or customers. Each service within the catalog typically includes a service description, the timeframes or service level agreement for fulfilling the service, who is entitled to request or view the service, service costs (if any), and how to fulfill the service.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Service Costing
The internal function that analyzes the overall costs accrued in delivering a particular service so that revenue (whether external or internal chargeback) is adequate to support the delivery of that service.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Service Dashboard
All SLAs, OLAs, and contracts should have associated and defined Key Performance Indicators, Key Goal Indicators, and Key Risk Indicators that must be tracked periodically to manage these agreements. The service dashboard should present these metrics for decision making.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Service Delivery
Service Delivery deals with those technologies that are essential in maintaining uninterrupted technical services. Services in this category typically include those that are more appropriate to the technical staff, such as availability management, service level management, service continuity, and capacity management. Service Delivery is primarily concerned with the proactive and forward-looking services that the business requires from Information Technology to provide adequate support to the business users.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Service Discovery
Processes and procedures for identifying the services actually present (as opposed to those documented as being present) in order to ensure that appropriate patches are installed.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Service Events
Information regarding services provided in support of IT operations could include deployments, changes, and maintenance events. Events can be based on key performance indicators crossing a threshold, network alarms, or device metrics.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Service Level Management
The function responsible for assuring that the level of services provided is in agreement with contractual obligations on an ongoing basis.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Service Management
Service management is a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Service Provider
A system that provides a generic service to the user in a federated system. To users, a service provider is the same thing as the application they are trying to use.
Sources: https://iam.harvard.edu/glossary
Service Registry
The registry contains the locations of available instances of services. Service instances are registered with the service registry on startup and deregistered on shutdown. Clients of the service and/or routers query the service registry to find the available instances of a service.
Sources: Best Practices in Implementing a Secure Microservices Architecture
Service Support
Service Support is focused on the User of Information Technology services and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Service boundaries
Service boundaries are defined by the declarative description of the functionality provided by the service. A service - within its boundary - owns, encapsulates and protects its private data and only chooses to expose certain (business) functions outside the boundary.
Sources: How to Design a Secure Serverless Architecture
Service-Level Agreement (SLA)
A Service-Level Agreement (SLA) is a negotiated agreement between two parties, where one is the customer (or end-user), and the other is the service provider. This can be a legally binding formal or an informal ‘contract’ (for example, internal department relationships). The SLA records a common understanding about services, priorities, responsibilities, guarantees, and warranties. The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing. The ‘level of service’ can also be specified as ‘target’ and ‘minimum,’ which allows customers to be informed what to expect (the minimum) while providing a measurable (average) target value that shows the level of organization performance. In some contracts, penalties may be agreed upon in the case of non-compliance with the SLA (but see ‘internal’ customers below). It is important to note that the ‘agreement’ relates to the services the customer receives, and not how the service provider delivers that service. SLAs commonly include segments to address: a definition of services, performance measurement, problem management, customer duties, warranties, disaster recovery and termination of the agreement.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Session Based
A remote desktop presentation of any device where the presentation is controlled from a remote endpoint.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Shadow Access
Shadow Access is unauthorized, invisible, unsafe, and generally over-permissioned access that has grown along with cloud identities, apps and data. Today, identities, both human and nonhuman, are automatically created, along with access pathways to cloud data. Current tools are blind to many cloud identities and access pathways, creating vulnerabilities that are exploited to breach cloud data.
Sources: https://cloudsecurityalliance.org/blog/2023/03/16/shadow-access-in-your-cloud/
Shared Responsibility
The customer security team maintains some responsibilities for security as you move applications, data, containers, and workloads to the cloud. At the same time, the provider takes some responsibility, but not all. Defining the line between customer responsibilities and providers is imperative for reducing the risk of introducing vulnerabilities into your public, hybrid, and multi-cloud environments.
Sources: https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/
Sherwood Applied Business Security Architecture (SABSA)
The Sherwood Applied Business Security Architecture (SABSA) is a comprehensive framework for developing risk-driven enterprise information security architectures. It integrates business requirements with security needs, ensuring that security measures align with business goals and strategies, providing a structured approach to designing and managing security infrastructure.
Sources: https://sabsa.org/sabsa-executive-summary/
Shor’s algorithm
This refers to the P.W. Shor algorithm [Shor], published in 1994, which allows integers to be factored and discrete logarithms to be computed in polynomial time on a quantum computer. Using Shor’s algorithm, most of today’s commonly used asymmetric cryptosystems can be broken.
Sources: Quantum Safe Security Glossary : CSA
Signature Services
A software program or function to provide an electronic coded message which is unique to both the document and the signer and binds both of them together. The digital signature ensures the authenticity of the signer. After it is signed, any changes made to the document invalidate the signature, thereby protecting against signature forgery and information tampering.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Silos
Teams, tools, and processes that isolate collaboration and result in not achieving agility with stability and quality.
Sources: https://devops.com/breaking-down-silos/
Single Packet Authorization (SPA)
A single-packet protocol for service protection behind a default-drop packet filter that offers 1) asymmetric ciphers for encryption, 2) authentication with a keyed-hash message authentication code (HMAC) in the encrypt-then-authenticate model, and 3) non-replayable packets that cannot be broken by trivial sequence-busting attacks. Within SDP, SPA plays a key role by hiding servers (including the SDP controller and gateway) until and unless the initiating host sends a valid SPA packet as the initial connection request.
Sources: https://downloads.cloudsecurityalliance.org/assets/research/sdp/SDP-glossary.pdf
Single Packet Authorization OTP
Based on RFC 4226 (a document describing an algorithm to generate one-time password values, based on hashed message authentication code (HMAC)) but modified to include a counter value which ensures a different password each time. It is used to uniquely identify the IH when initiating communication to both the SDP controller and the AH.
Sources: https://downloads.cloudsecurityalliance.org/initiatives/sdp/SDP_Specification_1.0.pdf
Single Sign-On (SSO)
SSO provides the capability to authenticate once, and be subsequently and automatically authenticated when accessing various target systems. It eliminates the need to separately authenticate and sign on to individual applications and systems, essentially serving as a user surrogate between client workstations and target systems. Target applications and systems still maintain their own credential stores and present sign-on prompts to client devices. Behind the scenes, SSO responds to those prompts and maps the credentials to a single login/password pair. SSO is commonly deployed in enterprise, Web, and federated models.
Sources: https://www.gartner.com/en/information-technology/glossary/
Site Reliability Engineering (SRE)
Site reliability engineering (SRE) is the practice of using software tools to automate IT infrastructure tasks such as system management and application monitoring. Organizations use SRE to ensure their software applications remain reliable amidst frequent updates from development teams. SRE especially improves the reliability of scalable software systems because managing a large system using software is more sustainable than manually managing hundreds of machines.
Sources: https://aws.amazon.com/what-is/sre/
Smart Appliances
Devices whose primary purpose is not computation, but include connectivity to a network to provide real-time updates on their status or to be controlled remotely.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain
Smart Card
A smart card (aka microprocessor card, chip card, or integrated circuit card) has traditionally taken the form of a pocket-sized card with embedded integrated circuits. Smart cards are often used in two-factor authentication solutions where the user enters a PIN, which is used by an operating system on the smart card to release evidence of identity such as a digital certificate, or to allow a private key to sign an identity token that is sent to an enforcement agent that determines if the identity is valid.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Smartcard Virtualization
Methods and systems that allow users to virtualize a local smart card so that they can remotely connect to a server and interact with the server as if the local smart card was physically connected to the server.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Smoke Testing
A quality assurance practice where a series of tests are performed by both the development and testing teams. The tests serve as the development team’s initial post-deployment check and as a very preliminary check by the testing team before formal testing activity starts. A passing smoke test gives the development team confirmation that the deployment succeeded and gives the testing team confidence to continue with further testing activities.
Sources: https://ieeexplore.ieee.org/document/10059686
Social Engineering Attacks
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
Sources: https://csrc.nist.gov/glossary/term/social_engineering
Software
A collection of data or computer instructions that tell the computer how to work. Physical hardware, from which the system is built, performs the work.
Sources: Cambridge Dictionary. (2021, August 11). Software. https://dictionary.cambridge.org/dictionary/english/software
Software Architecture
The structure or structures of the system, which comprise software elements, the externally visible properties of those elements, and the relationships among them.
Sources: Bass, L., Clements, P. C., & Kazman, R. (2012, September). Software Architecture in Practice, Third Edition. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30264
Software Composition Analysis (SCA)
Security testing that analyzes application source code or compiled code for software components with known vulnerabilities.
Note 1 to entry: software components in software composition analysis may include open source, libraries and common code.
Note 2 to entry: known vulnerabilities may be discovered via vulnerability databases such as CVE.
Sources: The Six Pillars of DevSecOps: Automation : CSA
Software Design Pattern
A general, reusable solution to a commonly occurring problem within a given context in software design. It is not a finished design that can be transformed directly into source or machine code. Rather, it is a description or template for how to solve a problem that can be used in many different situations.
Sources: Wikipedia contributors. (2021a, June 14). Software design pattern. Wikipedia. https://en.wikipedia.org/wiki/Software_design_pattern
Software Development Lifecycle (SDLC)
A formal or informal methodology for designing, creating, and maintaining software (including code built into hardware). The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
Sources: https://csrc.nist.gov/glossary/term/sdlc
Software Management
The application of management activities (planning, coordinating, measuring, monitoring, controlling, and reporting) to ensure that the development and maintenance of software is systematic, disciplined, and quantified. This includes measurement at distinct points in time for the purpose of systematically controlling changes to the configuration and maintaining the integrity and traceability of the configuration throughout the system life cycle.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Software Quality Assurance
Software Quality Assurance is the process of testing software and tracking the defects found. Applications should be tested for security vulnerabilities as part of the software quality assurance process.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Software as a Service (SaaS)
A full application that is managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.
Sources: Disaster Recovery as a Service : CSA
Software bill of materials (SBOM)
A formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.
Sources: https://csrc.nist.gov/glossary/term/software_bill_of_materials
Software-Defined Network (SDN)
An approach to computer networking that allows network administrators to manage network services through abstractions of higher-level functionality. SDNs manage the networking infrastructure. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).
SDPs secure all connections to the services running on the networking infrastructure. So, while SDN is the notion of establishing a dynamic networking infrastructure… getting users to connect point to point, fast and efficiently, with as much throughput as possible, SDP is about the ability to secure every connection at all layers of this dynamic network infrastructure.
Sources: https://ieeexplore.ieee.org/abstract/document/6819788
https://downloads.cloudsecurityalliance.org/assets/research/sdp/SDP-glossary.pdf
Software-Defined Perimeter (SDP)
A network security architecture that is implemented to provide security at Layers 1-7 of the OSI network stack. An SDP implementation hides assets and uses a single packet to establish trust via a separate control and data plane prior to allowing connections to hidden assets.
A secure perimeter that is created based on policies to isolate services from unsecured networks. It’s designed to provide an on-demand, dynamically provisioned air-gapped network, by first authenticating users and devices prior to authorizing the user/device combination to securely connect to the isolated services. Unauthorized users and devices are unable to connect to the protected resources. SDPs make extensive use of encryption, including mutual TLS for inter-component communications, and an HMAC within the single-packet authorization packet.
Sources: https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-and-zero-trust/
https://downloads.cloudsecurityalliance.org/assets/research/sdp/SDP-glossary.pdf
Solution
A solution is the application of architecture, patterns, and design effort to solve a specific industry need or business problem. A solution intends to provide ongoing customer and business owner value.
Sources: Microservices Architecture Pattern : CSA
Source Code Management
A form of version control for source code that allows for versioning of software, branching software into different releases, and controlling access to software.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Speech Recognition (IVR)
Speech recognition translates the spoken word into computer input. Interactive Voice Response (IVR) systems present a menu of choices that a person responds to in order to interact with a system.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain
Spoofing
Impersonating, masquerading or otherwise falsely assuming an identity, characteristic or claim about oneself. In cloud testing, spoofing often takes the form of stealing cloud environment credentials to leverage their identity’s privileges.
Sources: Cloud Penetration Testing : CSA
Standards & Guidelines
This capability complements Architecture Governance. It outlines all the technology standards and guidelines and describes how they can be consumed across the organization. These standards should include alignment with the organization’s strategy, industry standards, and principles and patterns that can be reused across the organization, among other elements necessary to ensure consistent implementation and adoption.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Static Vulnerability Scanning
In application pre-deployment testing, vulnerability scanning is used to identify and mitigate potential security threats. There are two main types of scans: static and dynamic. Static scanning analyzes source code (including Infrastructure as Code, IaC) and configurations at rest, including files such as virtual machine images or templates, container images, Dockerfiles, docker-compose files, Kubernetes YAML manifests, and Terraform or CloudFormation files.
Sources: https://www.isaca.org/resources/glossary#glosss
Static Application Security Testing (SAST)
Security testing that analyzes application source code for software vulnerabilities and gaps against best practices.
Note 1 to entry: Static analysis can be performed in multiple environments including the developer’s IDE, source code, and binaries.
Note 2 to entry: Also called “white box testing”
Sources: The Six Pillars of DevSecOps: Automation : CSA
Storage Services
Concerned with the provisioning, migration and sanitization of physical storage in the infrastructure. Controls at this level assure that storage is available when required, its redundancy/reliability requirements match the service requirements, etc.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Storage Virtualization
Concerned with how virtualized storage is created, allocated and managed. This includes both ‘block-based’ storage such as a SAN (Storage Area Network) and ‘file-based’ virtualization such as NAS (Network Attached Storage) whether provided by a file server or appliance. Controls at this level assure that the storage is adequate to requirements, properly segregated and secured and that its performance matches the profile specified in the service level agreement.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Storage Device Based
Storage device controllers may allow virtualization of disk volumes (e.g., a hardware RAID controller that groups multiple physical volumes, or sections of volumes, into a single host-visible RAID-5 array).
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Strangler
A “Strangler” is a reference model that describes the process of modernizing a monolithic application into a microservices architecture by adding new microservices to the application over time while decommissioning features of the monolith over time. It is a dissect-and-transition-as-you-go model.
Sources: Microservices Architecture Pattern : CSA
Strategy
The strategy information within ITOS represents the business and technology trends affecting the enterprise, gap analysis of current capabilities against desired capabilities, and the investments required to fill the gaps.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Information Services
Strategy Alignment
A process-oriented capability for understanding the business needs and strategy and ensuring that the Information Technology and the Security and Risk Management strategies are aligned to support those objectives within the roadmap.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Information Technology Operation & Support (ITOS) Domain
Stress & Volume Testing
Performance and capacity tests seek to determine the workload level at which a service level objective is violated or the maximum workload that can be supported without violating a service level objective, respectively.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Application Services
Structured Query Language (SQL) Injection
These attacks, which are still quite common on the Internet, look for web sites that pass insufficiently processed user input to database back-ends and then send carefully-crafted input that will cause exposure of database records, and possibly allow destruction of databases.
Sources: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7682.pdf
Switched
A more complex storage area network architecture that includes a switching network to connect hosts with LUNs. Switched SANs may be based on Fibre Channel, Fibre Channel over Ethernet (FCoE), or iSCSI.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services
Symmetric Keys
In a symmetric cipher (also referred to as a symmetric cryptographic cipher), both parties must use the same key for encryption and decryption. The key must be shared between the parties before any decryption of the message can take place.
Sources: Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain
Syndrome decoding
This is an NP-hard (non-deterministic polynomial-time hard) problem that occurs in code-based cryptography. The goal is to find a constrained solution of a linear system; that solution must have a small number of nonzero components.
Sources: Quantum Safe Security Glossary : CSA
System for Cross-Domain Identity Management (SCIM)
System for Cross-domain Identity Management (SCIM) is a standard for exchanging identity information between domains. It can be used for provisioning and deprovisioning accounts in external systems and for exchanging attribute information.
Sources