This paper publishes AppSec Core v1 as a formalized bounded ontology artefact for application security. Bounded here means: an extraction of the engineering substance of heterogeneous AppSec and Regulatory sources (the development-and-maintenance practices a software engineer must satisfy on a pull request, sprint, or release at engagement scale), deliberately scoped to exclude governance substance (board reporting, vendor contractual risk management, regulatory examination response, workforce training programmes), which is routed to a complementary practitioner Manual surface. AppSec Core v1 is delivered as an OWL 2 DL ontology populated with 259 typed instances across the same ten domain slices introduced by AppSec Core v0 (75 ControlObjectives, 69 Practices, 58 Mechanisms, 57 Artifacts), accompanied by a SHACL Core constraint set published as a complementary apparatus and validated under both the SHACL Core reference-implementation validator pyshacl and an in-house bounded-subset validator at parity for the apparatus's six ontology shapes. SHACL execution against the populated graph yields sh:conforms = true with zero sh:Violation. All artefacts are SHA-256-pinned at the cycle-close release tag chain. The paper makes three contributions, each demonstrable by inspection of the published artefact and its validation outputs. (1) AppSec Core v1 as a formalized artefact — a citable, machine-validatable OWL 2 DL ontology and SHACL Core constraint set, replacing the YAML-only v0 surface. (2) Schema preservation under multi-source pressure — across the v0→v1 transition, the ten-slice partition, the four populated entity types, the EvidencePattern declarative class, and the cross-slice relation model are preserved; under expansion of the underlying source corpus from the five first-wave sources to thirty-one sources at cycle close (a 6.2-fold source-count expansion absorbed by the design science cycle reported in a sibling paper), the v0→v1 entity-count delta consists exclusively of additive instance population governed by an explicit protocol. (3) The AppSec Core Change Request (ACR) protocol with its explicit four-condition promotion threshold — the protocol is published with its threshold (multi-source convergence at ≥5 independent sources from ≥3 organisational authorities; multi-method convergence; practitioner-Manual content backing; slice fit) and is demonstrated through symmetric application across four worked decisions: ACR-001 Secure Configuration Baseline Integrity (promoted), ACR-002 Security Requirements Lifecycle Management (promoted), ACR-003 Multi-anchor adjacency candidate batch (not admitted), and ACR-004 Output Rendering Safety / Context-Aware Encoding (promoted).
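As an added example (not the paper's code and not the published AppSec Core artefact), the following is a bounded-subset SHACL Core validator of the kind the abstract describes running at parity with pyshacl: it checks sh:targetClass, sh:minCount, sh:maxCount and sh:class over an in-memory triple set and returns the sh:conforms flag together with any sh:Violation results. The ac: namespace, the class names, the properties ac:inSlice and ac:satisfies, and the instance data are all assumptions constructed for the example.

```python
from collections import defaultdict

RDF_TYPE = "rdf:type"  # predicates and nodes are prefixed names, not full IRIs

def index(triples):
    """subject -> predicate -> set(objects), built from (s, p, o) tuples."""
    spo = defaultdict(lambda: defaultdict(set))
    for s, p, o in triples:
        spo[s][p].add(o)
    return spo

def validate(triples, shapes):
    """Bounded SHACL Core subset (sh:targetClass, sh:minCount, sh:maxCount, sh:class).
    Returns (conforms, violations), mirroring sh:conforms and sh:Violation results."""
    spo = index(triples)
    def instances_of(cls):
        return {s for s, po in spo.items() if cls in po.get(RDF_TYPE, ())}
    violations = []
    for shape in shapes:
        for focus in sorted(instances_of(shape["targetClass"])):
            for prop in shape["properties"]:
                values = spo[focus].get(prop["path"], set())
                if len(values) < prop.get("minCount", 0):
                    violations.append((focus, prop["path"], "sh:MinCountConstraintComponent"))
                if len(values) > prop.get("maxCount", len(values)):
                    violations.append((focus, prop["path"], "sh:MaxCountConstraintComponent"))
                for v in values:  # sh:class: every value must be typed as that class
                    if "class" in prop and v not in instances_of(prop["class"]):
                        violations.append((focus, prop["path"], "sh:ClassConstraintComponent"))
    return (not violations, violations)

# Constructed shapes (assumed names, not the published six-shape apparatus):
# a ControlObjective sits in exactly one Slice; a Practice satisfies >= 1 ControlObjective.
SHAPES = [
    {"targetClass": "ac:ControlObjective",
     "properties": [{"path": "ac:inSlice", "minCount": 1, "maxCount": 1, "class": "ac:Slice"}]},
    {"targetClass": "ac:Practice",
     "properties": [{"path": "ac:satisfies", "minCount": 1, "class": "ac:ControlObjective"}]},
]
CONFORMING = [  # constructed instance data, not the 259 published instances
    ("ac:Slice-Config", RDF_TYPE, "ac:Slice"),
    ("ac:CO-0001", RDF_TYPE, "ac:ControlObjective"),
    ("ac:CO-0001", "ac:inSlice", "ac:Slice-Config"),
    ("ac:PR-0001", RDF_TYPE, "ac:Practice"),
    ("ac:PR-0001", "ac:satisfies", "ac:CO-0001"),
]
DEFECTIVE = CONFORMING + [  # a Practice pointing at a node never typed as ControlObjective
    ("ac:PR-0002", RDF_TYPE, "ac:Practice"),
    ("ac:PR-0002", "ac:satisfies", "ac:CO-9999"),
]
```

Calling `validate(CONFORMING, SHAPES)` gives `(True, [])`, the sh:conforms = true outcome the abstract reports; `validate(DEFECTIVE, SHAPES)` returns one sh:ClassConstraintComponent violation for ac:PR-0002.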
Pedro Farinha (Thu,)