Heterogeneous application-security (AppSec) reference sources — frameworks, standards, regulations, attack taxonomies, and emerging AI-domain guidance — describe overlapping practices in incompatible structures, vocabularies, and granularities. This paper reports the design science cycle through which an initial AppSec normalization pipeline, bounded by design at five first-wave sources and using a keyword-first heuristic, was iteratively refined under the pressure of expansion to a thirty-one-source corpus across three iterations. Iteration 1 replaced the keyword-first heuristic with a method structured in two architectural layers — a sentence-embedding similarity pipeline computed over a hierarchy-lifted-flattening representation, plus three curation disciplines surrounding it (the v1.0 augmentation rule that integrates source-side structural context into the embedding signal, tier-based curation-effort calibration matching per-source decomposition granularity, and an explicit per-item override mechanism with rationale records). Iteration 2 exercised the AppSec Core Change Request (ACR) protocol — the cycle's governance instrument for ontology change — across four candidate cases: two were promoted as carried forward from the first-wave baseline, one was decided not to apply, and one new candidate was promoted under the same threshold. Iteration 3 pressure-tested the bounded thesis — that the ontology absorbs new pressure additively without structural redesign — by extending the corpus with five AI/ML-focused sources under the author's declared assumption that ontology extension must not be driven by technological novelty alone; the ontology held under the extension, and the iteration 2 ACR slate is reported as final at this stage.
The cycle was accepted on a stated good-for-intended-fit criterion operationalised through four evidence pillars (structural conformance under SHACL Core; per-source coverage acceptable under independent third-party cross-references; multi-mode evaluation returning no failure-class signal; rejection of random source-claim assignment under a permutation-test null model with semantic-specialisation direction), with the criterion anchored to a two-fold purpose: bounded coverage of essential AppSec concepts for an ontology-grounded code-generation consumer, and iterative completeness of the practitioner Manual that complements the ontology. Independent-research scope is declared honestly: there is no subject-matter-expert panel, no inter-rater reliability measurement, and no peer-validated submission of individual mappings. The cycle's outputs — a refined method published as a reusable artefact, a thirty-one-source coverage map with three-way routing of source content (Core-mapped within the bounded ontology, Manual-only for substance outside the ontology's bounds but within the practitioner Manual's comprehensive prose corpus, out-of-AppSec), and an OLIR-compatible publication form for per-source-to-ontology mappings — are released under SHA-256-pinned configuration as the first instantiation of a workflow that is itself reusable for new-source onboarding and project-level compliance assessment going forward.
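The permutation-test pillar and the hierarchy-lifted flattening with its heading-context augmentation rule, as an added illustration that is not the paper's published artefact: bag-of-words cosine stands in for the sentence-embedding similarity, the concepts, source items and curated mapping are constructed, and the null model is the exact set of concept-label permutations, tested one-sided (the curated mapping must score at least as well as random re-assignment).

```python
"""Toy permutation-test check of a curated source-to-ontology mapping (illustration only)."""
import itertools
import math
import re
from collections import Counter

STOPWORDS = {"and", "of", "the", "with", "a", "all", "on", "every", "for", "at"}

def tokens(text):
    """Lower-case word tokens with a small stopword list removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]

def embed(text):
    """Stand-in embedding: a token-count vector (a sentence encoder would go here)."""
    return Counter(tokens(text))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def flatten_item(heading_path, text, augment=True):
    """Hierarchy-lifted flattening: prepend ancestor headings so the source-side
    structural context enters the embedding signal (augmentation on by default)."""
    return " ".join(heading_path + [text]) if augment else text

def mapping_score(item_vecs, concept_vecs, assignment):
    """Mean similarity of each source item to the concept it is assigned to."""
    return sum(cosine(item_vecs[i], concept_vecs[c]) for i, c in enumerate(assignment)) / len(assignment)

def permutation_test(item_vecs, concept_vecs, assignment):
    """Exact one-sided test: fraction of all label permutations (random re-assignments)
    that score at least as well as the curated assignment."""
    observed = mapping_score(item_vecs, concept_vecs, assignment)
    perms = list(itertools.permutations(assignment))
    hits = sum(1 for p in perms if mapping_score(item_vecs, concept_vecs, list(p)) >= observed)
    return observed, hits / len(perms)

# Constructed ontology concepts, source items (heading path, text) and curated mapping.
CONCEPTS = {"input-validation": "input validation and sanitisation of untrusted data",
            "authentication": "authentication credential and password handling",
            "cryptography": "cryptography key management and encryption of data",
            "logging": "security logging and monitoring of events",
            "access-control": "authorisation and access control checks"}
SOURCE_ITEMS = [(["Injection"], "validation and sanitisation of untrusted input"),
                (["Authentication"], "password storage and handling"),
                (["Data Protection"], "encryption of data at rest with managed encryption keys"),
                (["Operations"], "log security events and monitoring"),
                (["Authorisation"], "enforce access control checks on every request")]
CURATED = ["input-validation", "authentication", "cryptography", "logging", "access-control"]

def run(augment=True):
    concept_vecs = {cid: embed(desc) for cid, desc in CONCEPTS.items()}
    item_vecs = [embed(flatten_item(h, t, augment)) for h, t in SOURCE_ITEMS]
    return permutation_test(item_vecs, concept_vecs, CURATED)

if __name__ == "__main__":
    obs, p = run()
    print(f"curated mapping score={obs:.3f}  exact permutation p={p:.4f}")
```

With five items there are 120 permutations, so the smallest attainable p is 1/120; a real corpus would use sampled permutations over many more items.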
Author: Pedro Farinha.