[RFC] Cross-Foundation Glossary of terms
CRob Robinson (Intel)
Hello TAC. The Education SIG(1) would like to propose the creation of a common lexicon for terms and definitions that would be used throughout OSSF work and materials (if one does not already exist in either the OSSF or larger LF). We’d like the TAC’s assistance in soliciting contributions from across the working groups to contribute specific terminology that may exist in our respective areas (e.g. supply chain-specific terms, tooling/development-specific words, etc.) so that we have one all-inclusive set of artifacts we all can reference that establish how WE ALL are using this terminology so that internal and external collaborators understand what we are trying to convey in a given interaction.
We plan on leveraging existing definitions from such sources as NIST, ISO, or other recognized security or open source community bodies as the basis of such work wherever possible, and then augmenting as needed for our specific OSSF-usecases. We’d love your thoughts and suggestions on this initiative. Thanks for your time and feedback.
Director of Security Communications
Intel Product Assurance and Security
David A. Wheeler
Regarding a glossary (lexicon?!):toggle quoted messageShow quoted text
The NIST Computer Security Resource Center (NSRC) Glossary
<https://csrc.nist.gov/glossary> might be useful to look at. They only list various definitions
along with their sources. An important limitation of this glossary is that they
*only* list definitions from US Federal Information Processing Standards
(FIPS), various final NIST documents, and the
Committee on National Security Systems (CNSS) Instruction CNSSI-4009.
That said, it's a decent place to look for sourced definitions. A good example
of what it's like is the entry on "vulnerability":
Notice how easy it is to have a URL that jumps directly to a definition.
I think that's a key necessary feature. You can have separate pages, or one page with
named anchors (where the term is the name of the anchor), but I think that's valuable.
Some other sources:
* NIST IR 7298 "Glossary of Key Information Security Terms" - https://csrc.nist.gov/publications/detail/nistir/7298/rev-3/final
* SANS - https://www.sans.org/security-resources/glossary-of-terms/
* CISA - https://niccs.cisa.gov/cybersecurity-career-resources/glossary
I think you want to use the term "glossary" not "lexicon" (NIST uses the term "glossary").
A lexicon is often considered just a list of words, NOT necessarily including any definitions
In contrast, <https://www.google.com/search?q=define+glossary>:
"A glossary is a list of an alphabetical list of terms or words found in or relating to a specific subject, text, or dialect, with explanations; a brief dictionary".
Note that all the sources I cited above use the term "glossary".
Also: if there's going to be a lexicon/glossary, maybe it should be moved to the Best Practices WG or similar, not just within the Education SIG. That might give it more visibility. Obviously definitions aren't limited to education :-). But if others think it should be within the education SIG that's fine.
--- David A. Wheeler
On Aug 31, 2022, at 10:02 AM, CRob Robinson (Intel) <christopher.robinson@...> wrote: