Four Common Security Acronyms Explained - Security Boulevard

Four Common Security Acronyms Explained

Editor’s Note: This is the first in a series of posts about the 2020 DevSecOps Reference Architecture developed by DJ Schleen. In this series DJ explains various parts of the pipeline architecture.

I just released an updated version of the DevSecOps Reference Architecture created last year that has been updated with additional components, corrections, and mobile deployment methods. Not only can it be somewhat overwhelming to look at due to its sheer size, but it is filled with acronyms that may not generally be known by those looking to integrate security controls into their DevSecOps pipelines.

Acronyms are everywhere in technology, and when automating security scanning tools in our development pipelines it is one of the first things we notice. A software security or ethical hacking team may know each acronym stands for, but outside of the security organization people may just be starting to see these terms. SAST, DAST, CSA, OSSM, SCA? What do these acronyms mean, and what exactly do they do?

Let’s take a look at some of the acronyms that you may encounter when taking a look at not just my reference architecture, but any architecture where security controls are being automated.


The first and most important of all security acronyms you will encounter is OSSM, also seen as OSS, which stands for Open Source Software Management. Sometimes this term is also seen as SCA, or Software Composition Analysis. I’ve seen both terms used in large enterprises referring to the same practice of managing open source components. You can think of these terms as referring to “what others packed in your suitcase”. That is, things that you don’t develop.

What’s the difference between the two terms? It’s subtle. Where OSSM refers to the management of components that enter the development environment and what (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by DJ Schleen. Read the original post at:

DJ Schleen

DJ is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. DJ has worked to streamline development pipelines and practices for many Fortune 100 organizations by focusing on culture and technique. He uses this expertise to surface the right technology to serve business goals and support outcomes. He is an international speaker, blogger, instructor and author in the DevSecOps community where he encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.

dj-schleen has 10 posts and counting.See all posts by dj-schleen