Appendix L: Glossary

buffer overflow
A condition in which a program writes data past the end of a fixed-size buffer, typically because the size of the input was not checked or limited before the data was copied or processed. The overwritten memory can corrupt adjacent data or control information, which is why buffer overflows are a common source of exploitable vulnerabilities.

bug bar
A set of criteria that establishes a minimum level of quality.

deprecation
Designating a component for future removal from a software program.

fuzz testing
A means of testing that causes a software program to consume deliberately malformed data to see how the program reacts.
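The two entries above are related in practice: fuzz testing is one of the standard ways a buffer overflow is found. The following C program is an added illustration written for this glossary, not code from the SDL guidance. It assumes a hypothetical "name=value" record format and a fixed 16-byte destination field; the unchecked parser is the "before" and the capacity-checked parser the "after". The harness feeds both parsers pseudo-random lines and watches a red zone of known bytes after the field, a simplified version of what tools such as AddressSanitizer or Application Verifier do with real allocations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* hypothetical fixed-size field the parsers fill */
#define ARENA_LEN 64   /* field plus a red zone the harness inspects */
#define VALUE_MAX 40   /* longest value the generator emits (fits the arena) */
#define REDZONE_BYTE 0xAA

/* "Before": copies the value part of "name=value" into a field the caller
 * sized at FIELD_LEN, without ever checking the value's length. */
int parse_value_unsafe(const char *line, char *field) {
    const char *eq = strchr(line, '=');
    if (!eq) return -1;
    strcpy(field, eq + 1);   /* writes past FIELD_LEN when the value is long */
    return 0;
}

/* "After": the caller passes the field capacity and the callee enforces it,
 * rejecting any value that would not fit together with its terminator. */
int parse_value_safe(const char *line, char *field, size_t cap) {
    const char *eq = strchr(line, '=');
    if (!eq || cap == 0) return -1;
    size_t n = strlen(eq + 1);
    if (n >= cap) return -1;          /* no room for the NUL: refuse, don't truncate silently */
    memcpy(field, eq + 1, n + 1);
    return 0;
}

/* Adapter so the harness can drive both parsers through one signature;
 * the unsafe parser simply ignores the capacity it is given. */
int unsafe_adapter(const char *line, char *field, size_t cap) {
    (void)cap;
    return parse_value_unsafe(line, field);
}

/* xorshift32: a small reproducible PRNG so a failing run can be replayed. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Generate a constructed input line: 1..8 letter name, usually an '=',
 * then 0..VALUE_MAX printable bytes. One line in ten omits the '='
 * so the parsers' error path is exercised as well. */
static void gen_line(char *out, uint32_t *s) {
    size_t pos = 0, namelen = 1 + xorshift32(s) % 8;
    for (size_t i = 0; i < namelen; i++) out[pos++] = (char)('a' + xorshift32(s) % 26);
    if (xorshift32(s) % 10 != 0) {
        out[pos++] = '=';
        size_t vallen = xorshift32(s) % (VALUE_MAX + 1);
        for (size_t i = 0; i < vallen; i++) out[pos++] = (char)(' ' + xorshift32(s) % 95);
    }
    out[pos] = '\0';   /* worst case 8 + 1 + 40 + 1 = 50 bytes, within ARENA_LEN */
}

/* Run `iters` generated lines through `fn` and count iterations in which the
 * red zone behind the field was modified or a successful parse left no
 * terminator inside the field. A correct parser returns 0 violations. */
int fuzz_redzone(int (*fn)(const char *, char *, size_t), int iters, uint32_t seed) {
    char arena[ARENA_LEN], line[ARENA_LEN];
    uint32_t s = seed ? seed : 1u;   /* xorshift must not start at zero */
    int violations = 0;
    for (int i = 0; i < iters; i++) {
        gen_line(line, &s);
        memset(arena, REDZONE_BYTE, sizeof arena);
        int rc = fn(line, arena, FIELD_LEN);
        for (size_t k = FIELD_LEN; k < ARENA_LEN; k++) {
            if ((unsigned char)arena[k] != REDZONE_BYTE) { violations++; break; }
        }
        if (rc == 0 && memchr(arena, '\0', FIELD_LEN) == NULL) violations++;
    }
    return violations;
}

int main(void) {
    printf("unsafe parser: %d red-zone violations in 500 runs\n",
           fuzz_redzone(unsafe_adapter, 500, 1u));
    printf("safe parser:   %d red-zone violations in 500 runs\n",
           fuzz_redzone(parse_value_safe, 500, 1u));
    return 0;
}
```

The point of the harness is the oracle, not the random generator: without the red-zone check an overflow of a few bytes into a 64-byte arena would go unnoticed, which is exactly why fuzzing in practice is paired with a memory checker rather than run on its own.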

external code
Code that was created by external development groups in either source or object form.

harden
To take steps to ensure that no weaknesses or vulnerabilities in a software program are exposed.

implicit consent
An implied form of consent in certain limited home and organizational networking scenarios.

informed consent
An explicitly stated form of consent that is usually provided after some form of conditions acknowledgment.

penetration testing (pen testing)
A test method in which the security of a computer program or network is evaluated by subjecting it to deliberate, simulated attack.

personally identifiable information (PII)
Data that identifies, or can be used to identify, a specific individual, together with personal or private information about that individual that should not be publicly available. Examples include financial or medical information.

port exception
An exception to a firewall policy that specifies a certain logical port in the firewall should be opened or closed.

privacy escalation
An internal process to communicate the details of a privacy-related incident. A privacy escalation is typically warranted for data breaches or theft, failure to meet communicated privacy commitments, privacy-related lawsuits, privacy-related regulatory inquiries, and contact from media outlets or a privacy advocacy group regarding a privacy incident.

privacy impact rating
A measurement of the sensitivity of the data a software program processes from a privacy perspective.

privacy lead or privacy champ
An individual on a software development team who is responsible for privacy for the software program being developed.

program exception
An exception to a firewall policy that exempts a specific program or programs from some aspect of the policy.

security push
A team-wide focus on threat model updates, code review, testing, and documentation scrub. Typically, a security push occurs after a product is code/feature complete.

service pack (SP)
A means by which product updates are distributed. Service packs might contain updates for system reliability, program compatibility, security, or privacy. A service pack requires a previous version of a product before it can be installed and used. A service pack might not always be named as such; some products may refer to a service pack as a service release, update, or refresh.

zero-day exploit
An exploit of a vulnerability for which no security update is yet available, so the vulnerability can be attacked before the vendor has shipped a fix.

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported