Glossary

DevSecOps Glossary

A plain-language reference for DevSecOps terms, security testing methods, and compliance concepts used in modern software delivery.

29 terms across 5 categories

Jump to a category

Core Concepts Testing Tools Vulnerabilities Compliance Security Tools

Terms

Core Concepts

DevSecOps

Development, Security, Operations - the practice of integrating security testing and controls into every phase of the software development lifecycle.

Shift Left Security

Moving security testing and validation earlier in the development process, ideally during coding rather than after deployment.

Security as Code

Defining security policies, configurations, and infrastructure security controls through code that can be version controlled and automated.

Threat Modeling

Systematic approach to identifying potential security threats and vulnerabilities in applications and infrastructure during design phase.

Zero Trust Architecture

Security model that assumes no implicit trust and continuously validates every transaction before granting access to systems.

Security Gates

Automated checkpoints in CI/CD pipelines that prevent insecure code from progressing to the next stage of deployment.

Terms

Testing Tools

SAST (Static Application Security Testing)

Analysis of source code for security vulnerabilities without executing the program. Performed during the coding phase.

DAST (Dynamic Application Security Testing)

Security testing performed on running applications to identify vulnerabilities that manifest during execution.

IAST (Interactive Application Security Testing)

Hybrid approach combining SAST and DAST, analyzing applications during runtime with access to source code.

SCA (Software Composition Analysis)

Analysis of open source and third-party components in applications to identify known vulnerabilities and license risks.

Container Security Scanning

Analysis of container images for vulnerabilities, misconfigurations, and compliance issues before deployment.

Secrets Scanning

Automated detection of sensitive information like passwords, API keys, and certificates in code repositories.

Infrastructure as Code (IaC) Security

Security analysis of infrastructure configuration files (Terraform, CloudFormation) for misconfigurations and vulnerabilities.

Terms

Vulnerabilities

CVE (Common Vulnerabilities and Exposures)

Standardized identifier for publicly known cybersecurity vulnerabilities, maintained by MITRE Corporation.

CVSS (Common Vulnerability Scoring System)

Industry standard for assessing the severity of computer system security vulnerabilities (scale 0-10).

OWASP Top 10

List of the most critical web application security risks, updated regularly by the Open Web Application Security Project.

Supply Chain Attack

Cyber attack that targets third-party vendors or dependencies to compromise the primary target's systems.

Terms

Compliance

SOC 2

Security compliance framework focusing on five trust principles: Security, Availability, Processing Integrity, Confidentiality, Privacy.

GDPR (General Data Protection Regulation)

European Union regulation governing data protection and privacy for individuals within the EU and EEA.

HIPAA (Health Insurance Portability and Accountability Act)

US regulation establishing standards for protecting sensitive patient health information.

PCI DSS (Payment Card Industry Data Security Standard)

Information security standard for organisations that handle credit card information.

ISO 27001

International standard for information security management systems (ISMS) providing framework for managing sensitive information.

NIST Cybersecurity Framework

Framework providing guidelines for organisations to manage and reduce cybersecurity risk through five functions: Identify, Protect, Detect, Respond, Recover.

Terms

Security Tools

SIEM (Security Information and Event Management)

Technology solution that aggregates and analyzes security data from across the enterprise to detect threats.

SOAR (Security Orchestration, Automation and Response)

Collection of software solutions that enable security teams to automate responses to security incidents.

WAF (Web Application Firewall)

Security solution that monitors, filters, and blocks HTTP traffic to and from web applications.

EDR (Endpoint Detection and Response)

Cybersecurity solution that monitors endpoints for threats and provides investigation and response capabilities.

Penetration Testing

Authorized simulated cyber attack performed to evaluate the security of a system, network, or application.

Red Team/Blue Team

Red Team simulates attacks while Blue Team defends. Exercise helps improve security posture and incident response.

Need Help Operationalizing DevSecOps?

Work with senior practitioners to embed security controls into your delivery pipeline without disrupting release flow.

Explore DevSecOps Services

Next step

Ready to get started?

Choose how you'd like to begin your engagement with Pilotcore.

Full engagement

Full consultation

Discuss your complete cloud and security strategy with the principal consultant. For comprehensive transformations and multi-quarter engagements.

Recommended start

Start with a pilot

Test the engagement with a focused 1-4 week scope. See real results, on a fixed timeline, before committing to anything larger.