References
Related Security Frameworks
NIST SSDF (Secure Software Development Framework)
Focus: Secure development lifecycle practices
Website: https://csrc.nist.gov/Projects/ssdf
Relationship to SF²: SF² addresses sustainable resourcing of SSDF practices at scale. Use SSDF for development security practices, SF² for sustainable implementation strategy.
OWASP SAMM (Software Assurance Maturity Model)
Focus: Security practice maturity progression
Website: https://owaspsamm.org/
Relationship to SF²: SF² contextualizes SAMM implementation based on organizational readiness. Implementation speed and scope vary by operational complexity and readiness level.
BSIMM (Building Security In Maturity Model)
Focus: Security activity measurement and benchmarking
Website: https://www.bsimm.com/
Relationship to SF²: SF² determines investment priorities for BSIMM activities based on organizational positioning. Use SF² assessment to guide BSIMM implementation scope and sequencing.
OWASP ASVS (Application Security Verification Standard)
Focus: Security verification requirements
Website: https://owasp.org/www-project-application-security-verification-standard/
Relationship to SF²: SF² helps sequence ASVS implementation within scaling investment strategy. Use SF² to determine risk-based ASVS subset vs. comprehensive implementation.
Industry Resources
Supply Chain Security
- SLSA (Supply-chain Levels for Software Artifacts): https://slsa.dev/
- CISA Software Supply Chain: https://www.cisa.gov/sbom
- OpenSSF (Open Source Security Foundation): https://openssf.org/
Security Scaling
- DevSecOps Foundation: https://www.devsecops.org/
- Cloud Security Alliance: https://cloudsecurityalliance.org/
- Security Champions Playbook: https://github.com/c0rdis/security-champions-playbook
Organizational Transformation
- Accelerate (DORA Metrics): https://www.devops-research.com/research.html
- Team Topologies: https://teamtopologies.com/
- Platform Engineering: https://platformengineering.org/
Further Reading
Security Leadership
- Building a Modern Security Program: Ryan McGeehan
- Security Chaos Engineering: Kelly Shortridge and Aaron Rinehart
- The Manager's Path: Camille Fournier (Technical Leadership)
Strategic Thinking
- Wardley Mapping: Simon Wardley (Strategic positioning)
- Good Strategy Bad Strategy: Richard Rumelt
- Principles: Ray Dalio (Organizational principles)
Academic Research
Adversary Evolution
- Internet-Wide Scanning Studies: Various papers on automated vulnerability discovery
- Bug Bounty Research: Academic studies on vulnerability discovery at scale
- Supply Chain Attack Analysis: Research on dependency confusion and typosquatting
DevSecOps Effectiveness
- State of DevOps Reports: Annual DORA research
- Security Testing Effectiveness: Academic studies on SAST/DAST efficacy
- Security Champions Programs: Research on distributed security models
Community Resources
Conferences
- RSA Conference: https://www.rsaconference.com/
- Black Hat: https://www.blackhat.com/
- DevSecCon: https://www.devseccon.com/
- OWASP Global AppSec: https://owasp.org/events/
Online Communities
- r/netsec (Reddit): Security news and discussion
- Security Weekly: Podcast network
- Risky Business: Security news podcast
- Cloud Security Podcast: Cloud security topics
Contributing Resources
Have suggestions for additional resources? See our Contributing Guidelines to propose additions.
About This Framework
Author: Julie Davila
Version: 0.4.0
License: CC BY 4.0
Repository: https://gitlab.com/juliedavila/software-factory-security-framework
Website: https://sf2framework.com
This framework represents my personal strategic mental models for security leadership, developed through years of experience leading product security at scale. While I currently serve as VP of Security at GitLab, SF² is not an official GitLab framework and does not formally represent GitLab's views.
That said, these mental models do inform how I approach security strategy at GitLab. To the extent I have strategic influence over GitLab's security posture, the principles in SF² reflect my underlying approach to securing software factories at scale.
This is an open source framework (CC BY 4.0) intended as a resource for the broader security community.