Glossary¶

Core Framework Terms¶

Software Factory: An organization that bears operational responsibility for deploying, maintaining, and evolving code-based systems that deliver value to end users, including systematic risk stewardship across all components in their value delivery chain—whether directly controlled or third-party.
SF²: Software Factory Security Framework - A strategic mental model for scaling security capabilities while improving business outcomes.

Operational Complexity: The "what you manage" axis measuring organizational scale, process sophistication, and interdependencies (Simple → Complex).
Operational Readiness: The "how you operate" axis measuring automation, infrastructure modernity, and process maturity (Lower → Higher).
Visionaries: Organizations with simple operations and high operational readiness (Simple + High Readiness).
Leaders: Organizations with complex operations and high operational readiness (Complex + High Readiness).
Niche Players: Organizations with simple operations and lower operational readiness (Simple + Low Readiness).
Challengers: Organizations with complex operations and lower operational readiness (Complex + Low Readiness).

Supply Chain Stewardship: Managing security risks from all external dependencies and third-party components throughout their lifecycle. #1 priority due to adversary evolution to automated discovery.
Process Stewardship: Security embedded throughout development lifecycle with continuous validation and rapid feedback loops.
Runtime Stewardship: Maintaining security and reliability of systems in production with proactive monitoring and rapid response capabilities.
Third-Party Stewardship: Managing security risks from integrated services, platforms, and vendors throughout operational lifecycle.
Continuous Learning: Evolving security practices based on experience, incidents, and changing threat landscape while building organizational capability.

BAU (Business-as-Usual) Activities: Manual security work that scales linearly with growth (security reviews, threat modeling, incident response). Should be deliberately constrained post-scaling crisis.
Scaling Investments: Capabilities that reduce manual effort exponentially (automation platforms, self-service capabilities, policy-as-code). Primary investment focus past crisis point.
Platform Effects: Benefits that serve both internal and customer software factories, creating multiplicative value.
Scaling Crisis: The inevitable moment when demand for security services grows exponentially while team capacity grows linearly.
Paved Roads: Secure templates and patterns that engineers can use without security review, reducing manual effort while maintaining security.
Catch and Store Principle: Security investments that capture organizational effort and store it in reusable capabilities serving future needs without additional manual work.

Attack Landscape Maturity: The evolution of adversary capabilities from targeted attacks to automated discovery at internet scale. High maturity creates existential gaps for manual defender processes.
Supply Chain Complexity: The interconnected risk created by multi-tier dependencies, critical single vendors, and geopolitical constraints.
Regulatory Constraints: Compliance requirements that affect security implementation by increasing BAU workload and constraining technology choices.
Crisis Events: Security incidents, compliance failures, or business disruptions that create windows for organizational change and transformation.
Change Capacity: Organizational ability to absorb transformation, affecting transition speed and scaling investment success probability.
Relationship Health: The quality of relationships between security and engineering teams, directly affecting adoption velocity.

SBOM (Software Bill of Materials): A comprehensive inventory of software components, dependencies, and their relationships.
SAST (Static Application Security Testing): Automated analysis of source code for security vulnerabilities.
DAST (Dynamic Application Security Testing): Automated security testing of running applications.
Policy-as-Code: Security policies defined and enforced through code rather than manual processes.
Infrastructure-as-Code (IaC): Managing and provisioning infrastructure through machine-readable definition files rather than manual configuration.

Mean Time to Detect (MTTD): Average time to identify security incidents.
Mean Time to Contain (MTTC): Average time to stop incident spread.
Mean Time to Recover (MTTR): Average time to restore normal operations after an incident.
Time to Value: Duration from investment to measurable benefits.

NIST SSDF (Secure Software Development Framework): Framework for secure development lifecycle practices.
OWASP SAMM (Software Assurance Maturity Model): Framework for assessing and improving software security practices.
BSIMM (Building Security In Maturity Model): Measurement framework for software security initiatives.
OWASP ASVS (Application Security Verification Standard): Standard for testing web application technical security controls.