Appendix L: Glossary
A condition that occurs because of a failure to check or to limit input data buffer sizes before data is manipulated or processed.
A set of criteria that establishes a minimum level of quality.
Designating a component for future removal from a software program.
A means of testing that causes a software program to consume deliberately malformed data to see how the program reacts.
Code that was created by external development groups in either source or object form.
Take steps to ensure no weaknesses or vulnerabilities in a software program are exposed.
An implied form of consent in certain limited home and organizational networking scenarios.
An explicitly stated form of consent that is usually provided after some form of conditions acknowledgment.
penetration testing (pen testing)
A test method in which the security of a computer program or network is subjected to deliberate simulated attack. See http://en.wikipedia.org/wiki/Penetration_Testing for additional information.
personally identifiable information (PII)
Data that provides personal or private information that should not be publicly available. Examples include financial or medical information.
An exception to a firewall policy that specifies a certain logical port in the firewall should be opened or closed.
An internal process to communicate the details of a privacy-related incident. A privacy escalation is typically warranted for data breaches or theft, failure to meet communicated privacy commitments, privacy-related lawsuits, privacy-related regulatory inquiries, and contact from media outlets or a privacy advocacy group regarding a privacy incident.
privacy impact rating
A measurement of the sensitivity of the data a software program processes from a privacy perspective.
privacy lead or privacy champ
An individual on a software development team who is responsible for privacy for the software program being developed.
An exception to a firewall policy that exempts a specific program or programs from some aspect of the policy.
A team-wide focus on threat model updates, code review, testing, and documentation scrub. Typically, a security push occurs after a product is code/feature complete.
service pack (SP)
A means by which product updates are distributed. Service packs might contain updates for system reliability, program compatibility, security, or privacy. A service pack requires a previous version of a product before it can be installed and used. A service pack might not always be named as such; some products may refer to a service pack as a service release, update, or refresh.
An exploit of a vulnerability for which a security update does not exist.
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.
This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.