Skip to content

References

NIST SSDF (Secure Software Development Framework)

Focus: Secure development lifecycle practices

Website: https://csrc.nist.gov/Projects/ssdf

Relationship to SF²: SF² addresses sustainable resourcing of SSDF practices at scale. Use SSDF for development security practices, SF² for sustainable implementation strategy.

OWASP SAMM (Software Assurance Maturity Model)

Focus: Security practice maturity progression

Website: https://owaspsamm.org/

Relationship to SF²: SF² contextualizes SAMM implementation based on organizational readiness. Implementation speed and scope vary by blast radius and readiness level.

BSIMM (Building Security In Maturity Model)

Focus: Security activity measurement and benchmarking

Website: https://www.bsimm.com/

Relationship to SF²: SF² determines investment priorities for BSIMM activities based on organizational positioning. Use SF² assessment to guide BSIMM implementation scope and sequencing.

OWASP ASVS (Application Security Verification Standard)

Focus: Security verification requirements

Website: https://owasp.org/www-project-application-security-verification-standard/

Relationship to SF²: SF² helps sequence ASVS implementation within scaling investment strategy. Use SF² to determine risk-based ASVS subset vs. comprehensive implementation.

Foundational References

SF² is built on prior work. These are the thinkers whose arguments the framework rests on, grouped by the part of SF² they anchor. Each entry names the work, where to find it, and what it carries for the framework.

Software factory lineage and the case against the factory

The term SF² governs has a fifty-year industrial paper trail, and the framework owes the strongest counter-framings, from AI-democratized creation to the flat artist colony, a real answer. These anchor The Atelier and the Factory.

Capability and least-privilege

Agentic security: capability control and the confused deputy

The 2025-2026 agentic-security literature carries the two anchors above, least privilege and the confused deputy, into autonomous AI systems. It converges on boundary enforcement with per-request attenuation, in the same vocabulary SF² uses.

Verified boundaries and AI-found vulnerabilities

The substrate guarantee is provable by construction only for as long as a component cannot reach the layer that bounds it. These anchor the dating of that claim: what a verified boundary buys that an asserted one does not, and the evidence that AI now finds exploitable flaws in enforcement-layer code.

  • Klein et al. (2009), "seL4: Formal Verification of an OS Kernel." SOSP 2009 (full proof account). A machine-checked proof, in Isabelle/HOL, that a general-purpose OS kernel's C implementation refines its specification, carrying functional correctness, access-control enforcement, and information-flow noninterference. The existence proof that a boundary can be proven rather than asserted, and the reason verification is the one defensive property attacker cleverness cannot erode.
  • DARPA, "AI Cyber Challenge (AIxCC) Final Results" (2025). Autonomous cyber-reasoning systems found 18 real vulnerabilities across 54 million lines of open-source code and patched the majority of injected ones, at roughly $152 per task. DARPA's own framing calls it an inflection point. The evidence that finding a path through enforcement-layer code is now a machine-scale capability, currently led by defenders.
  • Google, "Big Sleep" agent (Project Zero and DeepMind, 2024-2025). The first AI agent to find a live, previously-unknown vulnerability in widely-deployed substrate software (SQLite, CVE-2025-6965), then more across open-source projects. The symmetric capability made concrete: AI reaching flaws in exactly the primitive code that sits below applications.
  • CSIS, "Beyond Autonomous Attacks: The Reality of AI-Enabled Cyber Threats" (2026). The measured counter to the autonomous-attack narrative: AI's offensive contribution today is efficiency rather than new capability, with most attacks still relying on existing tactics. The grounding for dating the symmetric-capability balance as contested but not yet flipped.
  • Saxe, "AI Security Notes" (2025). The generalization asymmetry between offense and defense: offensive AI is built on public, transferable knowledge, while defensive efficacy depends on the private, idiosyncratic shape of a given enterprise environment, the regime where machine learning generalizes worst. The structural reason a defender cannot reach parity by pointing the same class of model at defense, and a second argument, independent of review speed, for containment over an AI arms race.

Prompt injection and input trust

The prompt-injection literature this chapter draws on, from the naming of the category through the first production exploit to the system-layer defenses that answer it.

  • Greshake et al. (2023), "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection." Named indirect prompt injection as a category. The operational lesson: anything the agent reads is part of the agent's attack surface.
  • Bargury (2024), "Living off Microsoft Copilot." Black Hat USA 2024. Indirect prompt injection that turns Copilot against its own user through content the agent reads automatically; "remote copilot execution." The trust boundary moves to wherever the agent reads.
  • Aim Labs (2025), "EchoLeak" (CVE-2025-32711). The first zero-click prompt-injection exploit in a production LLM system: a single crafted email achieved remote, unauthenticated data exfiltration from Microsoft 365 Copilot. Technical analysis: arXiv:2509.10540.
  • Schulhoff et al. (2023), "Ignore This Title and HackAPrompt." EMNLP 2023. The first community-scale prompt-injection taxonomy: roughly 3,000 participants, some 600,000 adversarial prompts. Defense in the prompt does not generalize; defense at the boundary does.
  • OWASP (2025), "Top 10 for Agentic Applications" (ASI06: Memory & Context Poisoning). Names the persistent escalation as its own class: memory, retrieval, or context shaped to steer the agent's steps long after the initial interaction, with the consequence appearing at runtime rather than training time. Its governance prescription is the one this chapter reaches on its own, provenance metadata on every memory write.
  • "A Practical Memory Injection Attack against LLM Agents" (MINJA, 2025). Injects malicious records into an agent's long-term memory through ordinary queries alone, with no privileged access, so the poison is retrieved later as the agent's own remembered experience. The demonstration that stored-token poisoning needs no write privilege, only a conversation.
  • AgentPoison (NeurIPS 2024), "Red-teaming LLM Agents via Poisoning Memory or Knowledge Bases." Optimizes a backdoor trigger so a poisoned long-term memory or RAG store returns malicious demonstrations whenever the trigger appears, while benign queries behave normally and hide the compromise. The retrieval-time half of the threat: the poison is prioritized when it matters and dormant otherwise.
  • Google DeepMind & ETH Zürich (2025), "Defeating Prompt Injections by Design" (CaMeL). Gives up on hardening the model and moves the defense to a system layer around it: track where each value came from and block the disallowed flow. A privileged model plans but never reads untrusted data, a quarantined model reads that data but holds no authority, and an interpreter enforces policy on the flow between them. Control-flow integrity under untrusted input, a distinct invariant from the credential attenuation above. The research instance of substrate-plus-provenance containment.
  • Tallam & Miller (2025), "Operationalizing CaMeL: Strengthening LLM Defenses for Enterprise Deployment" (arXiv:2505.22852). The deployment cost of the dual-model design, which "effectively doubles the number of model invocations" and spends more tokens by construction, since the privileged model re-queries to produce clean interpreter code and the quarantined model reads every untrusted artifact. Workflows where the quarantined model processes multiple artifacts, reviewing ten emails for instance, can exceed ten seconds of latency, "often unacceptable in interactive applications like customer-facing chatbots or support agents"; caching plus deterministic parsers recover up to half the overhead. The reason containment by construction is a workload choice rather than a universal default.
  • Lan et al. (2026), "Silent Egress" (arXiv:2602.22450). Implicit prompt injection drives an agent to exfiltrate its runtime context through ordinary outbound requests while the user-facing response stays harmless; output-based checks miss the great majority of successful leaks. The empirical case that an agent run is judged from outside rather than from what it shows the user.
  • Observability, from control theory to production. Kálmán (1960) defined a system as observable when its internal state can be reconstructed from its external outputs over time; Charity Majors carries the idea into software practice as the ability to ask any question of a running system from the outside, including the ones you did not anticipate. The external-correctness criterion for agent runs descends from this.

Resilience and adaptive capacity

Economic reasoning in security

  • Geer et al. (2003), "CyberInsecurity: The Cost of Monopoly." The monoculture argument: security risk priced as a market property rather than a moral one.
  • Geer (2010), "Cybersecurity and National Policy." Security reasoned about in economic terms. SF²'s investment portfolio needs Geer as its economic spine, or it reads as opinion rather than argument.
  • Schneier (1999), "Attack Trees." Dr. Dobb's Journal. An attacker's cost through an attack tree resolves at its OR-nodes by the cheapest branch rather than the average. The formal reason an investment that raises the average toll can leave the cost to breach you unchanged, and the arithmetic behind the Adversary Economics criterion's coverage-over-price test.
  • Varian (2004), "System Reliability and Free Riding." Security is the weakest-link case of system reliability: protection tracks the least-defended path rather than the sum or average of effort. The economic statement of the one-seam correction, with the added bite that weakest-link structure invites underinvestment in the very seam that decides the outcome.
  • Anderson & Moore (2006), "The Economics of Information Security." Science 314(5799):610-613. Ties weakest-link economics to systematic security underinvestment under misaligned incentives. Why spend chases the visible average rather than the binding minimum.
  • Gordon & Loeb (2002), "The Economics of Information Security Investment." ACM TISSEC 5(4):438-457. Anchors optimal security spend to expected loss reduction rather than to cost imposed on the attacker. The model behind judging an investment by the surface it closes rather than the toll it adds.
  • Collier et al. (2023), "On Metrics and Prioritization of Investments in Hardware Security." Systems Engineering (INCOSE). Finds ratio metrics like ROSI do not correlate with risk reduction, while expected net benefit does: expected net benefit equals risk reduction minus cost. The reason a defender's stopping rule reasons in net benefit rather than a ratio, and the guard against a control that posts a flattering ratio while retiring little real risk.
  • Naylor et al. (2014), "The Cost of the 'S' in HTTPS." CoNEXT '14, 133-140 (DOI). Measures the costs HTTPS imposes beyond dollars: communication latency, data usage, energy, and lost in-network caching. The empirical anchor for treating performance as a first-class mitigation cost, the column a dollar-based model prices at zero.
  • Goodhart's Law. When a measure becomes a target, it ceases to be a good measure. The reason the investment criteria treat hours saved as a proxy and gate it behind a risk override: a metric carrying decision weight is one the organization learns to satisfy, so effort-hours optimized as a target drift away from the value they were meant to stand for.
  • HackerOne (2023), "As Economy Slows, Headcount and Resource Cuts Harm Security Teams." Survey finding 63% of security organizations had budgets cut and 39% cut headcount in a single downturn year, with two-thirds reporting it degraded their ability to operate. The empirical basis for position durability: scaling investment is the discretionary spend a shock cuts first, so a capex shock unwinds Lean in a budget cycle rather than over quarters. (See also TechCrunch's 2023 roundup: 110+ security firms cut staff that year.)

Absorption capacity and investment timing

  • Cohen & Levinthal (1990), "Absorptive Capacity: A New Perspective on Learning and Innovation." Administrative Science Quarterly 35(1):128-152. A firm's ability to recognize, assimilate, and apply new knowledge is a function of what it already understands. The academic spine for absorption capacity as the variable that sets how fast a paved road actually returns, and the reason the organization that already understands its own platform absorbs the next capability faster.
  • Rogers, Diffusion of Innovations. The perceived attributes of an innovation, its relative advantage, compatibility, complexity, trialability, and observability, explain most of the variance in its rate of adoption. The mechanism behind timing set by how fast a practice spreads across teams rather than by a fixed calendar.
  • DORA (2024), Accelerate State of DevOps Report. Standing up a platform measured a temporary dip in throughput and stability before it matured, the gain arriving only after the absorption cost is paid. The measured face of absorption lag, and the J-curve behind the portfolio chapter's claim that timing is paced by adoption rather than by the date of the rollout.

Coverage, deception, and retiring attack classes

  • Bejtlich (2009), "The Defender's Dilemma and the Intruder's Dilemma." The asymmetry usually quoted against defenders, inverted: where the attacker needs only one way in, the defender needs only one indicator of the intruder's presence. The reason deception belongs to the detection surface, scored as coverage of whether you would notice rather than as cost imposed.
  • MITRE Engage. MITRE's framework for adversary engagement and deception. Honeypots, canary tokens, and honeytokens earn their keep through a high-fidelity signal rather than through the friction they add: a decoy has no legitimate use, so any touch is a near-certain alarm. The canonical case for the rule that cost-imposition counts only when it ships a signal and a way to contain what trips it.
  • Google Security (2024), "Eliminating Memory Safety Vulnerabilities at the Source." As Android moved new code to memory-safe languages, the share of its vulnerabilities that were memory-safety bugs fell from roughly three-quarters to under a quarter over six years. The trend line for retiring a whole attack class at the source rather than catching instances one at a time.
  • Let's Encrypt Statistics. Free certificates and browser pressure moved the web to encryption by default, retiring mass interception of cleartext web sessions as an economical attack. The completed transport-layer instance of a field closing a path so thoroughly that attackers move on.

Operational and program design

Strategic positioning and contingency theory

The two-axis model rests on a body of organizational theory: there is no single best way to organize, only the structure that fits an organization's environment, scale, and technology. SF² carries that logic into security program design, which is why it replaces the maturity ladder with a position.

  • Donaldson (2001), The Contingency Theory of Organizations. SAGE. The consolidated statement of contingency theory, descending from Lawrence & Lorsch's Organization and Environment (1967) and Burns & Stalker's mechanistic-versus-organic distinction (1961): organizational fit rather than a universal maturity ladder predicts performance. The intellectual parent of SF²'s claim that security posture is position-contingent rather than a level to climb.
  • Horne, Maynard & Ahmad (2017), "Organisational Information Security Strategy: Review, Discussion and Future Research." Australasian Journal of Information Systems 21. Argues information security strategy must move from internally-focused protection toward a view that weighs the organization's resources, capabilities, and external environment. The closest precedent for SF²: it calls for environment-contingent security strategy; SF² supplies the operational construct, position and portfolio and movement, that makes the call actionable.

AI-era code generation, comprehension, and review

The comprehension crisis in the Coadaptive Security layer rests on a documented direction of travel rather than a fixed multiple. These are the sources that establish it.

  • DORA (2025), State of AI-assisted Software Development. AI adoption now shows a positive relationship with delivery throughput but continues to show a negative relationship with delivery stability, and 30% of respondents report little or no trust in AI-generated code. The report's frame is that AI is an amplifier, magnifying an organization's existing strengths and weaknesses rather than fixing them. The empirical grounding for AI Saturation as a contextual modifier: adoption that varies by team rather than by size, and shifts the binding constraint downstream to review.
  • Veracode (2025), GenAI Code Security Report. Across more than 100 models and 80 security-relevant tasks, 45% of AI-generated samples failed the associated security test, with Java the worst at 72%, and the failure rate did not improve as the models grew more capable at functional code. The evidence behind the AI Saturation warning that this is a security problem you cannot wait out with the next model.
  • GitClear (2025), AI Copilot Code Quality. Analysis of 211 million lines: copy-pasted code rose from 8.3% to 12.3% (2021-2024) while refactored lines fell from 24.1% to 9.5%, a maintainability erosion consistent with generation outrunning comprehension.
  • DX, "Measuring AI's impact on developer productivity." Experience-sampling that asks reviewers directly whether AI-generated code was harder to understand; the closest industry instrument for the comprehension gap itself.
  • Osmani (2026), "Comprehension Debt: The Hidden Cost of AI-Generated Code." O'Reilly Radar. Names the per-codebase accrual of the comprehension crisis: the growing gap between how much code exists and how much any human genuinely understands. Distinct from technical debt because it breeds false confidence rather than the mounting friction of slow builds and tangled dependencies.
  • Dorner et al. (2025), "Quo Vadis, Code Review?" (arXiv:2508.06879) Practitioners expect LLMs as active review participants and name the long-term risk of eroding human understanding, accountability, and trust.
  • Tilbury & Flowerday (2026), "The Vigilance Paradox: Automation Reliance Inside the Modern SOC." Information & Computer Security. A survey of 696 security analysts plus 29 interviews finds that automation complacency reduces monitoring of automated output and that systematic verification procedures are what mitigate it. The security-domain evidence that the comprehension gap is closed by verifying rather than consuming.
  • Sutskever (2024), NeurIPS keynote: "pre-training as we know it will end." The OpenAI co-founder's argument that pretraining-compute scaling faces a ceiling because the public human-text corpus, the "fossil fuel of AI," is finite and being exhausted roughly between 2026 and 2032. The grounding for the plateau caveat in BAU vs Scaling: the demand exponential rests on a mechanism that may stall, which is why the framework's case is built on return-shape rather than on continued scaling. (Primary coverage: Kylie Robison, The Verge, Dec 2024.)

Comprehension as a queryable model of behavior

The comprehension a software factory needs is an authoritative, queryable model of how the system behaves, reconciled against the code as it changes, rather than knowledge held in any one person's head. These sources establish both the shape of that model and the guard rail on it: a model built from example assertions records what was checked rather than what the system was meant to do.

Agent and MCP supply chain

  • OWASP MCP Security Cheat Sheet. Treats untrusted or compromised MCP server packages as a supply-chain attack, and names tool poisoning (malicious instructions hidden in tool descriptions, parameter schemas, or return values), rug pulls (a server changing its tool definitions after approval), and tool shadowing. Its core defense is the inventory-and-pin discipline the rest of the supply chain already needs: pin tool definitions by cryptographic hash and alert on any change.
  • The Hacker News (2025), "First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package." The first malicious MCP server found in the wild, identified by Koi Security: an npm package, postmark-mcp, that silently BCC'd every outgoing email to an attacker-controlled address across more than 1,600 installs before it was pulled. The in-the-wild proof that an agent's toolchain is a supply-chain target rather than a hypothetical one.

Post-quantum cryptography and crypto-agility

Emergent organizational design

Crisis windows and staged response

Regulation as drag and driver, and the compliance-security gap

Compliance crosswalk and jurisdiction conflict

  • Secure Controls Framework (SCF) and the efficacy of control rationalization. The SCF is a free metaframework that normalizes 200+ laws, regulations, and frameworks into one common control set, mapped with NIST IR 8477 Set Theory Relationship Mapping: build a control once, satisfy many regimes. The major frameworks overlap heavily (SOC 2 and ISO 27001 align on the large majority of criteria; SOC 2 and NIST 800-53 share most controls; FedRAMP is NIST 800-53 adapted for cloud), which is why a crosswalked control set absorbs a new mandate as the delta it adds rather than a build from zero. The academic record is consistent and candid about the limits: Hayden (2009) sets out the rationalization strategy and where it stops; Wang, Sadjadi & Rishe (2024) validate the SCF unified mapping across seven frameworks; Cadet et al. (2024) extend it to scalable cross-industry architectures for organizations under a large matrix of regulators.
  • Where regulations genuinely conflict. The US CLOUD Act and FISA 702 compel US providers to produce data they control wherever it is stored; the CJEU's Schrems II (C-311/18) and the EDPB's Recommendations 01/2020 treat that exposure as a GDPR violation unless the data is put technically beyond reach, which is why customer-held keys and sovereign environments became architectural requirements rather than options. GDPR's right to erasure can collide head-on with a US litigation hold that compels preserving the same record (Kennedys, the OpenAI cross-border dilemma, 2025). The EU AI Act against the US state patchwork fragments rather than contradicts: both can be met, but only with per-jurisdiction configuration. These are the conflicts a cross-walk cannot dissolve.

Operator versus provider, and authorization granularity

The operator/provider split in Third-Party rests on a single principle: an operator can confine an agent only as finely as the platform's own authorization model allows. These are the anchors for that claim; the EU AI Act's provider-versus-deployer line, codifying the same split in law, is listed under regulation above.

  • Schneider (2003), "Least Privilege and More." IEEE Security & Privacy 1(5):55-59. Least privilege is bounded by what the enforcement mechanism can express: you confine a component only as finely as the underlying model allows. The academic anchor for the claim that a provider defines what is expressible in the authorization vocabulary, and the operator answers for the residual the vocabulary cannot remove.
  • GitHub (2022), "Introducing fine-grained personal access tokens for GitHub." Classic personal access tokens "provided very coarse-grained permissions, granting access to all of the repositories and organizations that the owning user can access." The lived form of platform-set scope, where the token that reads one project reads them all until the platform ships a finer primitive. The concrete grounding for counting coarse primitives as a real cost when you choose what to build on.

Adoption velocity, paved roads, and guardrails

Relationship Health turns on adoption velocity, and the platform-engineering field has already worked out how to raise it without trust: make the secure path the default path. These are the anchors for the friction-over-mandate reframe.

  • DORA, "Platform engineering" capability. An internal developer platform provides "golden paths" and a "paved road that scales these benefits securely," making the supported, secure option the self-service default. The grounding for adoption velocity as the binding constraint, and for the secure default that is mandatory and low-friction at once.
  • DORA, "Transformational leadership" capability. DORA finds leadership moves delivery performance indirectly, by enabling the practices teams adopt rather than adopting for them, and is blunt on the limit: even the strongest leaders cannot reach high performance on their own. The grounding for the security-and-engineering-leadership relationship as the upstream enabler of a funded, durable capability boundary rather than its competitor, and for reading that relationship as a multiplier on the forcing function rather than a replacement for it.
  • Howard (2018), "Less Gates, More Guardrails." Sonatype. Security controls "cannot take the form of toll gates; instead, they must take the form of guardrails": automated, embedded in the pipeline, fast by default. The case that friction rather than whether a control is mandatory is what predicts adoption.
  • Singhal, "Scaling Appsec at Netflix." Netflix Technology Blog. A paved-road platform baked security in by default rather than leaving it to a checklist, so a team could reach a production-ready, authenticated service in minutes. The worked example of a low-friction default carrying full adoption without a relationship to lean on.

Change capacity, absorption, and concurrent overload

Change Capacity is the absorb clock, and it is a shared, depletable pool. These anchor the claim that concurrent change contends for one budget and that pricing a move on the install date inherits an absorption gap.

  • The absorption pool is finite, and concurrent change depletes it. Bernerth, Walker & Harris (2011), Work & Stress, build and validate a change-fatigue measure: multiple concurrent changes drive exhaustion, lower commitment, and turnover. Cox et al. (2022) show change frequency predicts fatigue, which lowers performance through reduced satisfaction and commitment. Kanitz, Huy, Backmann & Hoegl (2021), Academy of Management Journal, "No Change Is an Island," find that interferences between concurrent initiatives undermine implementation. Spring (2021) proposes a measure of initiative magnitude and "organizational limits beyond which performance will suffer." The empirical basis for change capacity as a shared, depletable budget.
  • Concurrent overload degrades throughput (the contention mechanism). Flow and portfolio research finds that running too many initiatives at once raises context-switching cost and resource contention and lowers delivery; capping work in progress consistently improves throughput. SAFe portfolio WIP guidance states value streams "can only absorb so much work before context switching and resource contention degrade delivery," and industry data (Lean Enterprise Institute) put the lead-time cost of capping contributors at no more than two assignments at up to 40 percent. The portfolio-side grounding for sequencing by the absorption budget rather than the install calendar. Portfolio-logical, distinct from the measured human-fatigue pool above; both feed the same budget.
  • The deployment-adoption gap and shelfware. Standing a tool up and getting the organization to run on it are different milestones, often months apart; absent adoption a tool becomes "shelfware," paid for and idle. Industry data put a large share of software licenses as never used, and training delivered at rollout decays before the real work arrives weeks later (WalkMe, software usage vs. adoption). The empirical face of pricing a change on the install date and inheriting an absorption gap.

The autonomous task horizon

The unit-of-defense chapter dates the routine-gate migration against a measured rate rather than a guess.

  • METR (2026), "Time Horizon 1.1." and METR (2025), "Measuring AI Ability to Complete Long Tasks." The frontier task horizon, the length of task a model completes unsupervised at fifty-percent reliability, doubled about every seven months across 2019-2025 and roughly every four months across 2024-2025. The falsifiable pace behind the five-to-ten-year routine-gate window: if the doubling stalls, the migration slows with it. This rate is the perishable number in the forecast; re-check it against METR's latest each release.

Accountability and liability for autonomous action

The high-criticality gates in the unit-of-defense chapter run on a liability clock rather than a competence clock. These sources establish why a human is retained at the gate, what makes that retention meaningful rather than nominal, what moves a gate like it, and the market that could move it from the other direction.

  • Santoni de Sio & van den Hoven (2018), "Meaningful Human Control over Autonomous Systems." Frontiers in Robotics and AI. The principle that humans rather than algorithms must remain ultimately responsible for high-stakes decisions, formalized as two conditions: the system tracks the reasons of the humans who deploy it, and every outcome can be traced back to a responsible human. The grounding for keeping a human at the high-criticality gate as the point responsibility traces to.
  • Elish (2019), "Moral Crumple Zones: Cautionary Tales in Human-Robot Interaction." Engaging Science, Technology, and Society. In a highly automated system the nearest human can become the component that absorbs the moral and legal responsibility for failures they had little control over, protecting the system at the operator's expense. The caution that makes the gate a matter of meaningful control rather than a name on the form.
  • IMDA Singapore (2026), Model AI Governance Framework for Agentic AI. Launched at the World Economic Forum, 22 January 2026; the first national framework for autonomous agents. Compliance is voluntary, but organizations remain legally accountable for their agents' actions: accountability concentrates on the deployer rather than transferring to the agent.
  • U.S. Payments Forum (2017), "Understanding the U.S. EMV Fraud Liability Shifts." In October 2015 counterfeit card-present fraud liability shifted to whichever party, merchant or issuer, had not adopted chip technology. The precedent for a liability change moving a long-standing human-gated process quickly, with no improvement in the underlying detection capability.
  • Zhu (2026), "Insurance of Agentic AI." Characterizes agentic AI as a continuum of autonomy and delegated authority and argues for a layered insurance ecosystem covering autonomous-agent action. The early shape of the liability market whose maturation is the third falsifier: if coverage for autonomous action is underwritten by level of authority, a high-criticality gate could empty on a liability clock rather than a capability one.

Industry Resources

Supply Chain Security

  • SLSA (Supply-chain Levels for Software Artifacts): https://slsa.dev/
  • CISA Software Supply Chain: https://www.cisa.gov/sbom
  • OpenSSF (Open Source Security Foundation): https://openssf.org/

Security Scaling

  • DevSecOps Foundation: https://www.devsecops.org/
  • Cloud Security Alliance: https://cloudsecurityalliance.org/
  • Security Champions Playbook: https://github.com/c0rdis/security-champions-playbook

Organizational Transformation

  • Accelerate (DORA Metrics): https://www.devops-research.com/research.html
  • Team Topologies: https://teamtopologies.com/
  • Platform Engineering: https://platformengineering.org/

Further Reading

Security Leadership

  • Building a Modern Security Program: Ryan McGeehan
  • The Manager's Path: Camille Fournier (Technical Leadership)

(Kelly Shortridge & Aaron Rinehart's Security Chaos Engineering moved up to Foundational References.)

Strategic Thinking

  • Wardley Mapping: Simon Wardley (Strategic positioning)
  • Good Strategy Bad Strategy: Richard Rumelt
  • Principles: Ray Dalio (Organizational principles)

Community Resources

Conferences

  • RSA Conference: https://www.rsaconference.com/
  • Black Hat: https://www.blackhat.com/
  • DevSecCon: https://www.devseccon.com/
  • OWASP Global AppSec: https://owasp.org/events/

Online Communities

  • r/netsec (Reddit): Security news and discussion
  • Security Weekly: Podcast network
  • Risky Business: Security news podcast
  • Cloud Security Podcast: Cloud security topics

Contributing Resources

Have suggestions for additional resources? See our Contributing Guidelines to propose additions.


About This Framework

Author: Julie Davila Version: 1.3.2 License: CC BY 4.0 Repository: https://github.com/juliedavila/software-factory-security-framework Website: https://sf2framework.com

This framework represents my personal strategic mental models for security leadership, developed through years of experience leading product security at scale. SF² is an independent framework and does not represent the views of any employer.

Version 1.0 is the first complete, usable release. The 0.x series was me finding the shape; 1.0 is the shape, ready to use. It stays a living document, and I'll keep refining it as adversaries evolve and practice catches up. A 1.0 tag means established, never finished.

This is an open source framework (CC BY 4.0) intended as a resource for the broader security community.


Back to Glossary View on GitHub