Software Factory Security Framework (SF²)
A Complete Mental Model for Securing Software Factories at Scale
Welcome
The Software Factory Security Framework (SF²) provides security leaders with a strategic approach to scaling security capabilities while improving business outcomes.
Whether you're leading security for a three-person startup or a multinational corporation, this framework helps you:
- ✅ Understand universal security responsibilities that apply to every software-producing organization
- ✅ Position your organization strategically using a two-axis assessment model
- ✅ Invest resources effectively by balancing immediate needs with long-term scaling
- ✅ Adapt to your context using modifiers that account for your specific constraints
Framework Overview
The Security Scaling Challenge
Every security leader eventually confronts the same fundamental challenge: the day when demand for security services begins to outpace your team's capacity to deliver them.
The traditional response—hiring more security professionals—provides temporary relief but becomes increasingly difficult to sustain. This framework presents a different approach: strategic resource allocation that enables sustainable security scaling while improving business outcomes.
Strategic Opportunity
Organizations that successfully navigate this challenge don't just solve a scaling problem—they create competitive advantages:
- Faster time-to-market
- Higher developer productivity
- More robust security postures
- Better business alignment
What This Framework Provides
- Universal Stewardship Model: Five core security responsibilities that apply to every software-producing organization
- Strategic Positioning Tool: Two-axis framework for understanding your organization's current state and optimal path forward
- Investment Portfolio Approach: Systematic method for balancing immediate security needs with long-term scaling capabilities
- Contextual Adaptation Guide: How to modify implementation approaches based on your specific organizational constraints and opportunities
Strategic Context
Adversary Evolution
In recent years, attackers shifted from targeted reconnaissance to automated discovery at internet scale—sweeping billions of assets to find vulnerabilities. Organizations using manual security processes face a fundamental capability gap: attackers can discover unknown systems faster than defenders can catalog them.
Understanding these adversary evolution patterns helps security leaders prioritize investments that shift economic advantage away from attackers.
How This Framework Complements Existing Standards
SF² works alongside existing security methodologies (NIST SSDF, OWASP SAMM, BSIMM) by addressing the strategic resource allocation and organizational change questions they don't answer:
| Framework | Focus | SF² Relationship |
|---|---|---|
| NIST SSDF | Secure development practices | SF² addresses sustainable resourcing at scale |
| OWASP SAMM | Security practice maturity | SF² contextualizes implementation based on readiness |
| BSIMM | Security activity benchmarking | SF² determines investment priorities |
| OWASP ASVS | Security verification requirements | SF² helps sequence implementation |
See detailed framework relationships
Quick Start
For Security Leaders
- Read the Executive Summary
- Assess your Strategic Position
- Review Implementation Guide for your quadrant
- Evaluate Contextual Modifiers
For Individual Contributors
- Understand Universal Stewardship Responsibilities
- Explore Use Cases relevant to your role
- Reference specific stewardship areas as needed
For Consultants & Advisors
- Review complete Framework Structure
- Study Strategic Positioning Model
- Understand Investment Portfolio Approach
Framework Principles
Executive Insight
Security scaling isn't solved through capacity increases alone—it requires strategic investment in capabilities that reduce the manual effort security work demands. Organizations that make this shift successfully report significant improvements in both security effectiveness and business velocity.
Core Principles
- Scale-Agnostic: Applies from startups to enterprises
- Technology-Agnostic: Works with any tech stack or infrastructure
- Business-Aligned: Ties security investments to business outcomes
- Adaptation-Focused: Recognizes organizational context matters
- Adversary-Aware: Accounts for how attackers evolve
About This Framework
Author: Julie Davila
License: CC BY 4.0
Version: 0.4.0
This framework represents my personal strategic mental models for security leadership, developed through years of experience leading product security at scale. While I currently serve as VP of Security at GitLab, SF² is not an official GitLab framework and does not formally represent GitLab's views.
That said, these mental models do inform how I approach security strategy at GitLab. To the extent I have strategic influence over GitLab's security posture, the principles in SF² reflect my underlying approach to securing software factories at scale.
This is an open source framework (CC BY 4.0) intended as a resource for the broader security community.
Contributing Guidelines
View on GitLab
What's Next?
Start Here
Begin with the Executive Summary to understand the framework's strategic context and key concepts.
Assess Your Organization
Use the Two-Axis Positioning Model to determine your current state and optimal path forward.
Implement Strategically
Follow your quadrant-specific Implementation Guide for actionable next steps.