What question did this study set out to answer?

The aim is to create a unified framework for understanding and applying security requirements from various sources.

April 18, 2026Open Access

AppSec Core: A Normalized Ontology for Security Requirements Across Heterogeneous Frameworks

Key Points

The aim is to create a unified framework for understanding and applying security requirements from various sources.
Developed a normalized ontology with 10 domain slices and 234 typed instances.
Defined four entity types (ControlObjective, Practice, Mechanism, and Artifact).
Conducted semantic normalization across five different security frameworks.
Demonstrated that AppSec Core reduces framework-specific requirements to shared ControlObjectives.
Coverage analysis operates effectively on the normalized object layer across diverse frameworks.

Abstract

AppSec Core is a normalized ontology for application security comprising 10 domain slices and 234 typed instances. The ontology defines four entity types — ControlObjective, Practice, Mechanism, and Artifact — connected by a stable set of relations that are structurally invariant across all slices. We present evidence that AppSec Core functions as a semantic normalization layer through canonical reduction: requirements from five heterogeneous frameworks (SSDF, ASVS, SLSA, CIS Controls, and CAPEC) are reduced to shared ControlObjectives, after which downstream coverage analysis operates on the normalized objective layer independently of framework vocabulary. This is Paper 1 of the SbD-ToE / AppSec Core research programme (programme prospectus: 10.17605/OSF.IO/7T849).

AppSec Core: A Normalized Ontology for Security Requirements Across Heterogeneous Frameworks

Key Points

Abstract

Cite This Study