Glossary S

Amazon S3 is the foundational object storage service of AWS, offering eleven 9s of durability (99.999999999%) by redundantly storing objects across multiple availability zones. S3 serves as the data lake storage layer, backup target, static website host, and build artifact store for countless cloud architectures. S3's event notifications, lifecycle policies, and replication features make it a versatile data platform building block.

S3 bucket policies are resource-based IAM policies attached directly to S3 buckets that control access for any AWS identity or the public. They define which principals can perform which S3 actions on the bucket and its objects. Misconfigured S3 bucket policies that grant public access (Principal: "*") have been responsible for numerous large-scale data breaches. AWS S3 Block Public Access settings provide account and bucket-level safeguards that override policies permitting public access.

SaaS is a software delivery model where applications are hosted in the cloud and accessed via subscription rather than installed on-premises. SaaS products handle infrastructure, updates, and scaling, allowing customers to focus on using the software. Enterprise SaaS typically offers SOC 2 compliance, SSO integration, and dedicated support tiers.

Safety is a Python vulnerability scanner that checks installed packages and requirements files against a curated database of known security vulnerabilities. It is commonly used in Python CI/CD pipelines and pre-commit hooks to detect vulnerable dependencies before deployment. Safety's database includes CVEs and vulnerabilities not yet in public NVD records, providing earlier detection for Python-specific security issues.

The Saga pattern manages distributed transactions across microservices by breaking them into a sequence of local transactions, each publishing an event or message that triggers the next step. If a step fails, compensating transactions roll back the preceding steps. Sagas come in two flavors: choreography (event-driven coordination) and orchestration (a central coordinator directs steps).

SAML is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers. It's widely used in enterprise SSO deployments, allowing employees to access multiple SaaS applications with a single set of corporate credentials. SAML assertions carry identity claims, attributes, and authorization decisions.

SAMM is an open OWASP framework for measuring and improving an organization's software security posture. It defines 15 security practices across five business functions: Governance, Design, Implementation, Verification, and Operations — each with three maturity levels. Unlike BSIMM (descriptive), SAMM is prescriptive, providing specific activities and guidance for advancing from one maturity level to the next.

Sampling is a text generation strategy that draws the next token from the model's probability distribution rather than always selecting the highest-probability token. Temperature, top-p (nucleus), and top-k are controls that shape the sampling distribution. Sampling produces more diverse, creative outputs than greedy decoding and is the default generation mode for most chatbot and creative AI applications.

A sandbox is an isolated execution environment that runs untrusted or experimental code with restricted access to system resources, preventing it from affecting the host system. Sandboxes are used for security isolation (running third-party plugins), development previews (StackBlitz, CodeSandbox), and fuzzing test inputs. Browser-based sandboxes like WebAssembly and iframes provide lightweight isolation for untrusted code.

Sandboxing isolates code execution within a restricted environment that limits access to system resources, file systems, and network interfaces. It contains the damage from exploited vulnerabilities by preventing compromised code from affecting the broader system. Modern browsers sandbox each tab, operating systems sandbox mobile apps, and container runtimes provide process-level sandboxes for cloud workloads.

SASE converges wide-area networking (SD-WAN) with cloud-delivered security services including ZTNA, CASB, SWG, and NGFW into a single cloud-native architecture. Defined by Gartner, SASE shifts security enforcement from the data center to the network edge, providing consistent policy for users regardless of location. It's the infrastructure model underlying modern zero-trust deployments.

SAST analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. It identifies issues like SQL injection, cross-site scripting, and buffer overflows early in the development lifecycle. SAST tools integrate into IDEs and CI/CD pipelines to catch vulnerabilities before code reaches production.

An SBOM is a comprehensive inventory of all components, libraries, and dependencies in a software application. It enables organizations to track known vulnerabilities across their software supply chain and respond quickly when new CVEs are disclosed. SBOMs are increasingly required by government regulations and enterprise procurement processes.

SBOM generation in CI automatically creates a Software Bill of Materials as part of the build pipeline, capturing all components, libraries, and their versions at build time. Tools like Syft, Trivy, and CycloneDX generate SBOMs in standard formats (SPDX, CycloneDX) and attach them to container images as OCI attestations. Automated SBOM generation ensures supply chain transparency at every release.

SCA tools identify and analyze open-source components and third-party libraries used in software applications. They detect known vulnerabilities, license compliance issues, and outdated dependencies across the software supply chain. SCA is essential for managing the security risk of open-source software, which comprises the majority of modern application code.

SCIM is an open standard API specification for automating user provisioning and deprovisioning between identity providers and SaaS applications. When an employee is onboarded in an IdP like Okta or Entra ID, SCIM automatically creates their accounts in connected applications; offboarding triggers automatic deprovisioning. SCIM eliminates manual account management and reduces the risk of orphaned accounts.

Service Control Policies are AWS Organizations policies that set maximum permission guardrails for all IAM entities (users, roles) in member accounts, regardless of what those entities' identity-based policies grant. SCPs cannot grant permissions — they only restrict. They are used to enforce security baseline requirements like preventing member accounts from disabling CloudTrail, restricting which AWS regions services can be deployed in, and blocking creation of IAM users with long-lived credentials.

An SDK is a collection of tools, libraries, documentation, and code samples that developers use to build applications for a specific platform or service. SDKs abstract away low-level API details, providing language-idiomatic interfaces that accelerate development. Most developer-tools companies ship SDKs for major languages alongside their REST APIs.

Sealed Secrets is a Kubernetes operator from Bitnami that enables encrypted secrets to be stored safely in version control. The kubeseal CLI encrypts Kubernetes Secrets into SealedSecret custom resources using the cluster's public key; only the Sealed Secrets controller can decrypt them using the matching private key. This allows GitOps workflows to include secrets in Git repositories without exposing plaintext sensitive values.

Secret management provides secure storage, rotation, and distribution of sensitive credentials — API keys, database passwords, TLS certificates — to applications and pipelines. Tools like HashiCorp Vault, AWS Secrets Manager, and Google Secret Manager provide dynamic secret generation, fine-grained access control, and audit trails. Secrets injected at runtime replace hardcoded credentials in code or configuration files.

Secret rotation is the automated or manual process of periodically replacing credentials, API keys, certificates, and tokens with new values to limit the window of exposure if a secret is compromised. AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault provide automated rotation with built-in integrations for common secret types (RDS passwords, API keys). Automated rotation eliminates the operational friction that causes organizations to leave credentials unchanged for years.

Secrets scanning tools detect hardcoded credentials, API keys, private keys, and tokens in source code, commit history, and build artifacts. Exposed secrets in source code repositories are a leading cause of cloud breaches, as attackers routinely scan public and private repositories for accidentally committed credentials. Pre-commit hooks and CI checks using tools like Gitleaks, Trufflehog, and GitHub Secret Scanning prevent secrets from entering codebases.

Secure code review is a manual or tool-assisted examination of source code to identify security vulnerabilities that automated tools may miss — including business logic flaws, authentication bypasses, and complex data flow issues. Reviewers check for OWASP Top 10 issues, verify security controls are correctly implemented, and validate that sensitive operations have appropriate authorization checks. Secure code review is most effective when combined with automated SAST tooling.

Secure enclaves are isolated execution environments within a CPU that protect code and data from inspection or modification by privileged software including the operating system, hypervisor, and cloud provider. Intel SGX, AWS Nitro Enclaves, and Apple Secure Enclave are implementations of this concept. Enclaves are used for sensitive operations like cryptographic key management, biometric processing, and AI model protection where data confidentiality during computation is required.

Security by design means incorporating security requirements and controls into a system's architecture and design from the outset, rather than retrofitting them after development. This approach produces systems with smaller attack surfaces, clear trust boundaries, and well-defined security properties. Security by design practices include threat modeling, defining security requirements during specification, and selecting secure-by-default frameworks and libraries.

A security champions program embeds security-focused individuals within development teams to act as liaisons between the security team and engineering. Champions receive additional security training, participate in threat modeling and code reviews, and advocate for security best practices within their teams. This model scales security expertise across large engineering organizations without requiring every developer to become a security expert.

Security groups are stateful virtual firewalls in cloud environments (AWS, Azure, GCP) that control inbound and outbound traffic to compute instances at the instance level. They evaluate rules based on protocol, port, and source/destination IP or security group ID. As stateful firewalls, they automatically allow return traffic for established connections. Security groups are the primary network access control mechanism for individual cloud workloads and should follow least privilege principles.

HTTP security headers are response headers that instruct browsers to enable security mechanisms and restrict dangerous behaviors. Key security headers include Content-Security-Policy (XSS protection), Strict-Transport-Security (enforce HTTPS), X-Content-Type-Options (prevent MIME sniffing), X-Frame-Options (clickjacking protection), and Permissions-Policy (restrict browser features). Automated tools like securityheaders.com and observatory.mozilla.org grade header configuration.

Security misconfiguration is the most commonly found vulnerability class, encompassing improperly configured permissions, enabled default credentials, unnecessary services, verbose error messages, and missing security headers. It appears consistently in the OWASP Top 10 because misconfigurations are easy to introduce and difficult to detect through traditional code review. Automated configuration scanning and infrastructure-as-code policy enforcement are primary mitigations.

Security testing encompasses the full range of activities used to evaluate the security posture of software systems, including SAST, DAST, IAST, fuzzing, penetration testing, and security code review. Effective security testing programs combine automated continuous scanning with periodic manual assessment to find both known vulnerability patterns and novel business logic flaws. Security testing is a core component of SSDLC and DevSecOps practices.

Self-attention computes attention scores between all pairs of tokens in the same sequence, allowing each token's representation to be enriched with context from every other token. Query, key, and value projections of the input are used to compute scaled dot-product attention. Self-attention is the mechanism that gives transformers their ability to capture long-range dependencies regardless of sequence distance.

Semantic release is an automated versioning and changelog generation tool that determines the next semantic version number, generates release notes, and publishes releases based on conventional commit messages. By removing human judgment from version bumping, it ensures consistent versioning and enables fully automated release pipelines triggered by merged pull requests.

Semantic search retrieves documents based on the meaning of a query rather than exact keyword matches by comparing embedding vectors in a high-dimensional space. It handles synonyms, paraphrases, and conceptual queries that would miss exact-match keyword search. Semantic search underpins retrieval in RAG systems and is implemented using approximate nearest neighbor search over vector databases.

Semantic versioning (SemVer) is a versioning scheme with three components — MAJOR.MINOR.PATCH — where MAJOR increments on breaking changes, MINOR on new backward-compatible features, and PATCH on backward-compatible bug fixes. SemVer enables package managers to resolve compatible dependency versions automatically. Most open-source libraries and APIs use SemVer to communicate compatibility expectations.

Semgrep is a fast, open-source static analysis tool that uses pattern-matching syntax closely resembling the code being analyzed. Security teams write rules that directly express vulnerable code patterns, making it easier to create precise, low-false-positive rules compared to traditional AST-based tools. Semgrep supports 30+ languages, runs in CI pipelines, and has a public registry of thousands of community and security-team-authored rules.

Sensitive data exposure occurs when applications fail to adequately protect sensitive information like financial records, health data, or credentials from unauthorized access or disclosure. Common causes include lack of encryption at rest or in transit, weak cryptographic algorithms, data retained longer than necessary, and overly broad access controls. The OWASP Top 10 addresses this as Cryptographic Failures, emphasizing proper encryption, key management, and data minimization.

SentencePiece is a language-independent subword tokenization library that implements BPE and unigram language model tokenization directly on raw text without language-specific pre-processing. It is used by T5, LLaMA, and other models that require consistent tokenization across multilingual training data. SentencePiece models encode text as sequences of subword units selected to minimize sequence length.

Serverless computing lets developers deploy functions or applications without managing underlying servers, with the cloud provider handling provisioning, scaling, and availability. Functions execute in response to events and are billed per invocation and execution duration. Serverless reduces operational overhead and scales to zero when idle, but introduces cold start latency and limits for long-running workloads.

Serverless security addresses the unique risks of Function-as-a-Service (FaaS) platforms like AWS Lambda, Azure Functions, and Google Cloud Functions. The serverless model eliminates OS and infrastructure management but introduces risks including overly broad IAM execution roles, event injection via triggers (API Gateway, S3, SQS), vulnerable dependencies packaged with functions, and insecure handling of secrets in environment variables. Runtime application self-protection (RASP) and CWPP tools adapted for serverless provide runtime visibility.

Service discovery enables services in a dynamic environment to find each other without hardcoded network addresses. A service registry (Consul, etcd, Kubernetes DNS) maintains an up-to-date map of service locations; clients query it to get current endpoints. Client-side discovery (client queries registry then connects directly) and server-side discovery (load balancer queries registry) are the two main patterns.

A service mesh is a dedicated infrastructure layer that manages service-to-service communication in microservice architectures. It provides traffic management, mutual TLS encryption, observability (traces, metrics, logs), retries, circuit breaking, and rate limiting without requiring application code changes. Service meshes use sidecar proxies injected alongside each service container.

Service mesh security refers to the security capabilities provided by a service mesh layer — including automatic mTLS between services, fine-grained traffic authorization policies, and observability for east-west traffic. Meshes like Istio, Linkerd, and Consul Connect handle certificate lifecycle management, enforce per-service access policies, and provide audit logs of service-to-service communication.

Cloud service quotas (also called service limits) are the maximum number of resources or operations allowed per account or region — such as the number of EC2 instances, VPCs, Lambda concurrent executions, or API request rates. Quotas prevent runaway costs and protect shared infrastructure. Engineering teams must monitor quota utilization and proactively request increases before they constrain growth.

Session fixation is an attack where an adversary sets or predicts a user's session identifier before authentication, then exploits the session after the victim logs in. If an application maintains the same session ID across authentication state changes, the attacker who knew the pre-authentication ID gains an authenticated session. Prevention requires generating a new session identifier upon successful authentication.

Sharding horizontally partitions a database by distributing rows across multiple nodes based on a shard key (e.g., user ID mod number-of-shards). Each shard holds a subset of the data and can be hosted on separate hardware, enabling horizontal scaling beyond what a single machine can handle. Sharding introduces complexity around cross-shard queries, rebalancing, and transaction atomicity.

The cloud shared responsibility model defines the division of security responsibilities between cloud providers and their customers. Providers are responsible for security of the cloud (physical infrastructure, hypervisors, managed service software), while customers are responsible for security in the cloud (operating system patching, application security, IAM configuration, data encryption, network controls). Understanding this boundary is essential for building complete cloud security programs.

AWS Shield is Amazon's managed DDoS protection service with two tiers. Shield Standard is included for all AWS customers and provides automatic protection against common network and transport-layer attacks. Shield Advanced is a paid service offering enhanced detection and mitigation of sophisticated application-layer attacks, integration with WAF for automated rule creation, cost protection against scaling charges during attacks, and access to the AWS DDoS Response Team.

Shift-left security moves security testing and review activities earlier in the software development lifecycle — from post-production to design and coding phases. By detecting vulnerabilities when they are cheapest to fix (in the developer's IDE or PR), organizations reduce the cost and risk of security defects reaching production. Shift-left is enabled by integrating SAST, secrets scanning, and dependency checks directly into developer workflows.

The Sidecar pattern deploys a helper container alongside a primary application container in the same pod or host, providing supplementary capabilities without modifying the application. Common sidecar uses include logging agents, service mesh proxies (Envoy in Istio), and secret injectors. Sidecars enable cross-cutting concerns to be added to applications consistently without code changes.

A sidecar proxy is a container injected alongside each application container in a Kubernetes pod that intercepts all inbound and outbound network traffic. By processing traffic at the sidecar layer, service meshes can enforce mTLS, collect telemetry, apply rate limits, and perform traffic shaping without any application code changes. Envoy is the most widely used sidecar proxy.

SIEM systems collect, aggregate, and analyze log data from across an organization's infrastructure to detect security threats. They correlate events from firewalls, servers, applications, and endpoints to identify patterns that indicate attacks. Modern SIEMs incorporate machine learning to reduce false positives and automate threat detection.

Sigstore is a free, open-source project that makes code signing accessible for software artifacts by using short-lived certificates tied to OIDC identities instead of long-lived private keys. Signatures are recorded in a transparency log (Rekor) that provides tamper-evident proof of signing events. Sigstore is rapidly becoming the standard for signing container images, npm packages, and Python distributions.

An SLA is a contractual commitment defining the expected level of service between a provider and customer — typically specifying uptime guarantees (e.g., 99.9%), response times, and remedies for breaches. SLAs are foundational to enterprise software procurement and set expectations for reliability, support responsiveness, and data handling.

An SLI is the actual measured metric that quantifies a service's behavior — such as request latency, error rate, or throughput. SLIs are the raw data that determine whether SLOs are being met. Choosing the right SLIs is critical: they should reflect what users actually experience, not just what's easy to measure.

An SLO is an internal target for a service's reliability, expressed as a percentage or threshold (e.g., "99.95% of requests complete in under 200ms"). SLOs are more granular than SLAs and guide engineering decisions about reliability investment. Teams use error budgets — the allowed unreliability — to balance feature velocity with stability.

SLSA is a security framework that defines four progressive levels of supply chain integrity, from basic build provenance (Level 1) to hermetic, reproducible builds with verified provenance (Level 4). Achieving a given SLSA level provides assurance that artifacts were not tampered with between source code and deployment. SLSA provenance attestations are machine-verifiable and can be enforced in deployment pipelines.

A smoke test is a minimal set of automated tests that verify the most critical functionality of an application after deployment. Named after the electrical engineering practice of powering on a circuit to see if it smokes, smoke tests confirm that a deployment is fundamentally healthy before more extensive validation. They are the first gate in post-deployment verification.

Amazon SNS is a fully managed pub/sub messaging service for both application-to-application and application-to-person communication. SNS topics fan out messages to multiple subscriber endpoints including SQS queues, Lambda functions, HTTP endpoints, email, and SMS. The SNS-to-SQS pattern is a standard AWS architecture for durable, parallel processing of events.

Snyk is a developer security platform that integrates vulnerability scanning for open-source dependencies, container images, IaC configurations, and application code into developer workflows. It provides IDE plugins, CI/CD integrations, and a web dashboard with prioritized remediation guidance. Snyk's strength is actionability: it suggests specific dependency upgrades that fix vulnerabilities while minimizing breaking changes.

SOA is an architectural pattern where software functionality is decomposed into reusable services that communicate via standardized protocols, typically SOAP or enterprise service buses (ESBs). SOA predates microservices and tends toward larger, more coarse-grained services. While less fashionable today, many enterprise systems still use SOA patterns, and its principles influenced modern microservice thinking.

SOAR platforms automate repetitive security operations tasks and orchestrate incident response workflows. They integrate with SIEM, threat intelligence, and ticketing systems to execute playbooks that contain, investigate, and remediate threats with minimal human intervention. SOAR reduces mean time to respond (MTTR) and frees analysts for complex investigations.

A SOC is a centralized team and facility responsible for monitoring, detecting, analyzing, and responding to security incidents. SOC analysts use SIEM platforms, threat intelligence feeds, and automated playbooks to identify and contain threats. SOC 2 compliance (a related but distinct concept) certifies that an organization meets specific security controls.

Socket is a supply chain security tool that analyzes npm and PyPI packages for malicious behavior by examining package behavior rather than just matching against known vulnerability databases. It detects install scripts that exfiltrate data, packages with obfuscated code, newly published maintainers with suspicious history, and other supply chain attack indicators. Socket integrates as a GitHub App to block suspicious packages before they enter a project.

SOX is U.S. federal legislation requiring public companies to implement and attest to internal controls over financial reporting. Section 404 mandates management and auditor assessment of internal controls, which includes IT general controls (ITGC) around access management, change management, and data integrity. Violations can result in criminal penalties for executives.

In federated identity, a service provider is an application or system that relies on an IdP to authenticate users. The SP trusts identity assertions from the IdP and grants access based on the attributes contained in those assertions. In SAML flows, the SP consumes SAML assertions; in OIDC flows, it consumes ID tokens. Understanding the SP/IdP trust relationship is fundamental to implementing SSO correctly.

An SPA loads a single HTML shell and dynamically renders all subsequent content using JavaScript, with navigation handled client-side without full page reloads. React, Angular, and Vue are the dominant SPA frameworks. SPAs provide rich interactive UIs but have slower initial load times and require additional work for SEO. The trend is moving toward hybrid rendering (SSR + hydration) to address these limitations.

Speech-to-text (STR) systems convert audio waveforms containing spoken language into text transcriptions. Modern end-to-end neural models like OpenAI's Whisper use transformer encoders trained on large multilingual audio datasets to achieve near-human transcription accuracy. STR is a foundational component of voice interfaces, meeting transcription tools, and audio content indexing systems.

SPIFFE is an open standard for workload identity that provides cryptographically verifiable identities (SPIFFE IDs) to software services regardless of where they run. SPIFFE IDs are expressed as URIs (e.g., spiffe://example.com/service/payments) and delivered via X.509 certificates or JWTs. It solves the 'secret zero' problem by giving workloads an identity without pre-shared secrets.

Spinnaker is an open-source, multi-cloud continuous delivery platform originally developed by Netflix. It provides sophisticated deployment strategies including canary analysis, blue-green deployments, and rolling updates across AWS, GCP, Azure, and Kubernetes. While powerful, Spinnaker's operational complexity has led many organizations to migrate toward simpler GitOps tools like ArgoCD.

SPIRE is the production-grade implementation of the SPIFFE standard, providing a server and agent architecture that attests workload identity and issues SVIDs (SPIFFE Verifiable Identity Documents). Agents run on each node, attest workloads using platform-specific evidence (kernel attestation, Kubernetes pod metadata), and deliver short-lived credentials. SPIRE is widely deployed in service mesh and zero-trust environments.

Spot instances (AWS) or preemptible VMs (GCP) provide cloud compute at steep discounts (60-90% off on-demand prices) in exchange for the possibility of interruption when the provider needs capacity back. They are suitable for fault-tolerant, stateless workloads like batch processing, CI jobs, and ML training. Spot interruption handling (checkpointing, graceful shutdown) is essential for reliable spot-based workloads.

SQL is the standard language for querying and manipulating relational databases, covering data retrieval (SELECT), modification (INSERT, UPDATE, DELETE), and schema management (CREATE, ALTER, DROP). Despite being over 50 years old, SQL remains the dominant language for data work across OLTP, OLAP, and ELT pipelines. Modern SQL dialects like PostgreSQL extend the standard with JSON support, window functions, and CTEs.

SQL injection is an attack that inserts malicious SQL code into input fields that are incorporated into database queries without proper sanitization. Successful attacks can read, modify, or delete database records, bypass authentication, execute operating system commands, or exfiltrate entire database contents. It remains one of the most prevalent and damaging vulnerabilities, entirely preventable through parameterized queries and ORMs.

Amazon SQS is a fully managed message queuing service that decouples and scales microservices, distributed systems, and serverless applications. Standard queues offer maximum throughput with best-effort ordering, while FIFO queues guarantee strict ordering and exactly-once processing. SQS integrates natively with Lambda, EC2, and ECS for scalable consumer patterns.

SRE is a discipline that applies software engineering practices to operations and infrastructure, treating reliability as a software problem. Developed at Google, SRE practices include defining SLOs, managing error budgets, reducing toil through automation, blameless postmortems, and capacity planning. SRE teams own the reliability of production systems and collaborate with development teams on production readiness.

SRI is a browser security feature that allows web pages to specify cryptographic hashes for externally loaded resources like scripts and stylesheets. When a browser fetches a resource with an integrity attribute, it computes the hash and refuses to execute or apply the resource if the hash doesn't match. SRI prevents CDN-hosted content from being tampered with and protects against supply chain attacks targeting shared libraries.

Solid state drives use NAND flash memory instead of spinning magnetic platters, delivering dramatically lower latency and higher IOPS than HDDs. In cloud storage, SSD-backed volumes (AWS EBS gp3/io2, GCP SSD Persistent Disk) are the standard for database and transactional workloads. The latest NVMe SSDs in instance store configurations achieve the highest throughput for latency-sensitive applications.

SSDLC integrates security activities into every phase of the software development lifecycle, from requirements gathering through deployment and maintenance. Key activities include threat modeling during design, SAST and peer code review during development, DAST during testing, and continuous vulnerability monitoring in production. SSDLC frameworks like Microsoft SDL, SAMM, and BSIMM provide structured approaches to embedding security systematically.

SSE is a simple HTTP-based protocol for servers to push a unidirectional stream of events to browser clients over a persistent connection. Unlike WebSockets, SSE is unidirectional (server to client only) and automatically reconnects on connection loss. SSE is ideal for live feeds, progress notifications, and LLM token streaming — use cases that don't need client-to-server real-time communication.

SSG pre-renders HTML pages at build time rather than on each request, producing static files served directly from a CDN. This delivers maximum performance and reliability — no server processing required per request. Astro, Next.js, and Hugo support SSG. SSG is ideal for content-heavy sites where content changes infrequently, though dynamic personalization requires client-side fetching or ISR.

SSO allows users to authenticate once and access multiple applications without re-entering credentials. It simplifies the user experience while centralizing authentication management. Enterprise SSO typically uses protocols like SAML or OIDC to federate identity across services, reducing password fatigue and improving security posture.

SSR generates HTML on the server for each request and sends it to the browser, providing fast initial page loads and SEO-friendly markup. Unlike SPAs that render in the browser, SSR pages are interactive immediately after HTML is received and parsed. Frameworks like Next.js, Nuxt, and Astro support SSR alongside static generation for a hybrid rendering strategy.

SSRF is a vulnerability that allows attackers to induce the server to make HTTP requests to internal or external destinations of the attacker's choosing. By exploiting SSRF, attackers can bypass firewalls to reach internal services, access cloud metadata APIs to steal credentials, or conduct port scans of internal networks. SSRF became an OWASP Top 10 entry in 2021 following high-profile cloud environment compromises.

Stable Diffusion is an open-source latent diffusion model developed by Stability AI for text-to-image generation. It operates in a compressed latent space rather than pixel space, making it computationally efficient enough to run on consumer GPUs. Its open weights and active community have driven extensive fine-tuning, including models for photorealism, anime, and domain-specific image generation.

A staging environment is a pre-production environment that closely mirrors production infrastructure, data (anonymized), and configuration. Changes are validated in staging before promotion to production, catching environment-specific issues that unit tests miss. Effective staging environments have feature parity with production and receive the same deployment artifacts — not rebuilt code.

State locking prevents multiple Terraform processes from simultaneously modifying the same state file, which could cause corruption or inconsistent infrastructure. Remote backends like S3 with DynamoDB, GCS, and Terraform Cloud provide locking mechanisms. When a plan or apply is running, the state is locked and subsequent operations must wait or fail with an error.

Infrastructure state management tracks the mapping between declared infrastructure configuration and real-world cloud resources. Terraform's state file records resource IDs, dependencies, and metadata that enable it to calculate diffs on subsequent runs. Poor state management — lost, corrupted, or out-of-sync state files — is a common source of infrastructure incidents and drift.

A status page is a public or internal web page that communicates the current operational status of a service's components and displays historical incident data. During outages, status pages keep customers informed and reduce support ticket volume. Tools like Atlassian Statuspage, Instatus, and Cachet provide hosted status page solutions with automated monitoring integrations.

AWS Step Functions is a serverless workflow orchestration service that coordinates Lambda functions, ECS tasks, and other AWS services into visual state machines. It handles retries, error handling, branching, parallelism, and human approval steps through a JSON-defined workflow. Step Functions Express Workflows process millions of events per day, while Standard Workflows provide at-least-once execution with auditable history.

Storage classes tier object storage into different price-performance levels based on access frequency. S3 Standard suits frequently accessed data; S3 Infrequent Access and Glacier Instant Retrieval reduce costs for less-accessed data; Glacier Flexible Retrieval and Deep Archive provide the lowest-cost archival storage with retrieval times from minutes to hours. Lifecycle policies automate transitions between classes.

The Strangler Fig pattern incrementally replaces a legacy monolith by gradually routing functionality to new microservices while the old system continues to operate. A facade or proxy intercepts requests and routes them to either the legacy system or new services based on which functionality has been migrated. This approach reduces big-bang migration risk and allows continuous delivery during transformation.

Streaming delivers language model output to the client token-by-token as it is generated, rather than waiting for the full response to complete. This dramatically reduces perceived latency and improves user experience in chat interfaces. Streaming is implemented via server-sent events (SSE) or WebSockets and is supported by all major LLM APIs including OpenAI, Anthropic, and Google.

A subnet is a segment of a VPC's IP address range defined by a CIDR block that resources are launched into. Public subnets have routes to an internet gateway for inbound/outbound internet access; private subnets use a NAT gateway for outbound-only access. Subnets span a single availability zone, so multi-AZ architectures require one subnet per AZ per tier (web, app, database).

Software supply chain security encompasses the practices and controls that protect the integrity of code, dependencies, and build processes from source through deployment. Attacks like SolarWinds and XZ Utils demonstrated that compromising a build tool or upstream dependency can affect thousands of downstream consumers. Key controls include SBOMs, dependency pinning, provenance attestation, and signed artifacts.

A SWG proxies outbound web traffic to enforce acceptable use policies, block malware downloads, and prevent access to known malicious sites. Modern SWGs perform SSL/TLS inspection to scan encrypted traffic, apply DLP policies to uploads, and integrate with threat intelligence feeds. SWGs are a key component of SASE architectures for protecting users working outside the corporate network.

A system prompt is an instruction provided to a language model before the user conversation begins, typically by the application developer, to configure the model's persona, scope, tone, and behavioral constraints. System prompts are treated with higher trust than user messages in most model implementations. Securing the system prompt against extraction and injection is a key concern in production AI application security.