A Complete Mental Model for Securing Software Factories at Scale
The Software Factory Security Framework (SF²) provides security leaders with a strategic approach to scaling security capabilities while improving business outcomes.
This framework helps you:
- ✅ Understand universal security responsibilities
- ✅ Position your organization strategically
- ✅ Invest resources effectively
- ✅ Adapt to your specific context
- Read the Executive Summary
- Assess your Strategic Position
- Follow your Implementation Guide
- Read Contributing Guidelines
- Find a section to improve
- Click "Edit this page" and submit a merge request
- Foundation - Software factory definition and core concepts
- Universal Stewardship - Five security responsibilities for all organizations
- Strategic Positioning - Two-axis model for organizational assessment
- Investment Portfolio - Balancing BAU work with scaling investments
- Contextual Modifiers - Adapting to your specific situation
- Implementation Guides - Quadrant-specific actionable guidance
SF² complements existing standards:
- NIST SSDF - Addresses sustainable resourcing at scale
- OWASP SAMM - Contextualizes implementation based on readiness
- BSIMM - Determines investment priorities
- OWASP ASVS - Helps sequence implementation
- Python 3.11+
- pip
```bash
# Clone the repository
git clone https://github.com/juliedavila/software-factory-security-framework.git
cd software-factory-security-framework

# Install dependencies
pip install -r requirements.txt

# Serve locally with hot reload
mkdocs serve
# Visit http://127.0.0.1:8000
```

```bash
# Build the static site (strict, with link validation). Output: site/
mkdocs build --strict

# Build the downloadable core PDF (separate, non-strict, overlay config).
# Output: pdf-build/pdf/sf2-framework.pdf
mkdocs build -f mkdocs.pdf.yml
```

The PDF lives in its own config (`mkdocs.pdf.yml`) on purpose. The with-pdf plugin collapses the whole site into one document, and weasyprint cannot resolve cross-page anchors in that combined view; those warnings would fail `mkdocs build --strict`, which CI runs on every branch. The overlay builds non-strict and is scoped to the core sections (Foundation, Universal Security Conditions, Strategic Positioning, Investment Portfolio), so the strict site build stays green while the core PDF still ships. CI copies it into `site/pdf/sf2-framework.pdf` on deploy.
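As an added illustration (not code from the SF² repository or from MkDocs itself): a minimal internal link and anchor checker of the kind `mkdocs build --strict` performs, run over two constructed sample pages. `check_per_page` resolves links page by page, the way the site build does; `check_collapsed` resolves them as if every page had been merged into one document, which is why cross-page anchors that pass the site build show up as unresolvable once a PDF plugin has flattened the site. The sample pages, the function names and the simplified collapsing rule are assumptions made for this example.

```python
"""Illustrative internal link/anchor checker (added example, not SF² code).

Models two validation views of the same pages:
  - per page (what the multi-page site build checks), and
  - collapsed into one document (what a whole-site PDF build sees).
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed sample site: output path -> HTML. Not the real SF² content.
SAMPLE_SITE = {
    "foundation/index.html": (
        '<h2 id="definition">Definition</h2>'
        '<a href="../strategic-positioning/#quadrants">quadrants</a>'
    ),
    "strategic-positioning/index.html": (
        '<h2 id="quadrants">Quadrants</h2>'
        '<a href="../foundation/#definition">definition</a>'
        '<a href="#quadrants">self</a>'
        '<a href="../foundation/#missing">broken</a>'
    ),
}


class _Collector(HTMLParser):
    """Collects every element id (anchor target) and every <a href> on a page."""

    def __init__(self):
        super().__init__()
        self.ids = set()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "id" in a:
            self.ids.add(a["id"])
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def parse_site(site):
    """Return {path: (ids, hrefs)} for every page in the site mapping."""
    pages = {}
    for path, html in site.items():
        c = _Collector()
        c.feed(html)
        pages[path] = (c.ids, c.hrefs)
    return pages


def _resolve(page_path, href):
    """Resolve a relative href against the page's served URL.

    Mirrors MkDocs directory-style URLs: "foundation/index.html" is served
    at "/foundation/". Returns (target output path, fragment).
    """
    if page_path.endswith("index.html"):
        base = "/" + page_path[: -len("index.html")]
    else:
        base = "/" + page_path
    target, frag = urldefrag(urljoin(base, href))
    if target.endswith("/"):
        target += "index.html"
    return target.lstrip("/"), frag


def check_per_page(site):
    """Multi-page view: each anchor must exist on the page the link points to."""
    pages = parse_site(site)
    broken = []
    for path, (_, hrefs) in pages.items():
        for href in hrefs:
            target, frag = _resolve(path, href)
            if target not in pages:
                broken.append((path, href, "missing page"))
            elif frag and frag not in pages[target][0]:
                broken.append((path, href, "missing anchor"))
    return broken


def check_collapsed(site):
    """Single-document view: all pages merged, so only bare fragments can
    resolve; any href that still carries a path to another page is unresolvable."""
    pages = parse_site(site)
    all_ids = set().union(*(ids for ids, _ in pages.values()))
    broken = []
    for path, (_, hrefs) in pages.items():
        for href in hrefs:
            target, frag = urldefrag(href)
            if target:
                broken.append((path, href, "cross-page link in collapsed document"))
            elif frag not in all_ids:
                broken.append((path, href, "missing anchor"))
    return broken


if __name__ == "__main__":
    print("per-page:", check_per_page(SAMPLE_SITE))      # one genuinely missing anchor
    print("collapsed:", check_collapsed(SAMPLE_SITE))   # every cross-page link breaks
```

Run as-is, the per-page check reports only the one link whose anchor really does not exist, while the collapsed check additionally flags every cross-page link, including ones the site build accepts. That difference is the reason the PDF overlay has to build non-strict while the site build keeps `--strict`.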
No local Python needed. This mirrors the CI build environment (python:3.11 + cairo/pango + requirements.txt), so a clean `--strict` build here matches what the pipeline does, including broken-link and missing-anchor detection.

```bash
# Live preview with hot reload at http://localhost:8000
docker compose up serve

# Strict build — fails loudly on any broken link or missing heading anchor
docker compose run --rm build

# Build the core PDF (pdf-build/pdf/sf2-framework.pdf)
docker compose run --rm pdf
```

Without the Compose plugin, the same thing with plain Docker:

```bash
docker build -t sf2-docs .
docker run --rm -p 8000:8000 -v "$PWD":/docs sf2-docs                     # serve
docker run --rm -v "$PWD":/docs sf2-docs mkdocs build --strict            # validate
docker run --rm -v "$PWD":/docs sf2-docs mkdocs build -f mkdocs.pdf.yml   # core PDF
```

We welcome contributions! The framework is designed as a public resource for security leaders and practitioners.
Easy contribution:
- Visit any page on the live site
- Click "Edit this page"
- Make your changes
- Submit a merge request
See Contributing Guidelines for details.
- 📝 Content improvements and clarifications
- 🔗 Framework relationship mappings
- 💡 Use cases and implementation stories
- 🐛 Error reports and feedback
Copyright (c) 2025 Julie Davila
Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0)
You are free to:
- Share and redistribute
- Adapt and build upon
With attribution.
- Documentation: https://sf2framework.com
- Repository: https://github.com/juliedavila/software-factory-security-framework
- Issues: https://github.com/juliedavila/software-factory-security-framework/issues
- Author: Julie Davila
Version: 0.1.0 (Initial Setup)
- Repository structure
- MkDocs + Material theme setup
- GitHub Actions CI/CD pipeline
- Core navigation structure
- Content migration from source document
- PDF export configuration
- First public release
This framework represents years of experience leading product security at scale, distilled into a practical mental model for security leaders navigating the scaling challenge.
Special thanks to the security community for continuous feedback and contributions.
Ready to dive in? Start with the Executive Summary →