juliedavila/software-factory-security-framework

Software Factory Security Framework (SF²)

A Complete Mental Model for Securing Software Factories at Scale

License: CC BY 4.0 GitHub Pages


📋 Overview

The Software Factory Security Framework (SF²) provides security leaders with a strategic approach to scaling security capabilities while improving business outcomes.

This framework helps you:

  • ✅ Understand universal security responsibilities
  • ✅ Position your organization strategically
  • ✅ Invest resources effectively
  • ✅ Adapt to your specific context

👉 Read the full framework


🚀 Quick Start

For Security Leaders

  1. Read the Executive Summary
  2. Assess your Strategic Position
  3. Follow your Implementation Guide

For Contributors

  1. Read Contributing Guidelines
  2. Find a section to improve
  3. Click "Edit this page" and submit a merge request

📖 Framework Structure

Core Components

  1. Foundation - Software factory definition and core concepts
  2. Universal Stewardship - Five security responsibilities for all organizations
  3. Strategic Positioning - Two-axis model for organizational assessment
  4. Investment Portfolio - Balancing BAU work with scaling investments
  5. Contextual Modifiers - Adapting to your specific situation
  6. Implementation Guides - Quadrant-specific actionable guidance

Framework Relationships

SF² complements existing standards:

  • NIST SSDF - Addresses sustainable resourcing at scale
  • OWASP SAMM - Contextualizes implementation based on readiness
  • BSIMM - Determines investment priorities
  • OWASP ASVS - Helps sequence implementation

🛠️ Local Development

Prerequisites

  • Python 3.11+
  • pip

Setup

# Clone the repository
git clone https://github.com/juliedavila/software-factory-security-framework.git
cd software-factory-security-framework

# Install dependencies
pip install -r requirements.txt

# Serve locally with hot reload
mkdocs serve

# Visit http://127.0.0.1:8000

Build

# Build the static site (strict, with link validation). Output: site/
mkdocs build --strict

# Build the downloadable core PDF (separate, non-strict, overlay config).
# Output: pdf-build/pdf/sf2-framework.pdf
mkdocs build -f mkdocs.pdf.yml

The PDF lives in its own config (mkdocs.pdf.yml) on purpose. The with-pdf plugin collapses the whole site into one document, and weasyprint cannot resolve cross-page anchors in that combined view — those warnings would fail mkdocs build --strict, which CI runs on every branch. The overlay builds non-strict and is scoped to the core sections (Foundation, Universal Security Conditions, Strategic Positioning, Investment Portfolio), so the strict site build stays green while the core PDF still ships. CI copies it into site/pdf/sf2-framework.pdf on deploy.
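To make the "overlay config" idea concrete, here is an illustrative mkdocs.pdf.yml written for this README; it is an added example, not the repository's actual file. It assumes the main config is named mkdocs.yml, that the core section pages live at the Markdown paths shown, and that the mkdocs-with-pdf plugin is installed; INHERIT, site_dir, strict and the with-pdf output_path and cover_title keys are standard MkDocs / with-pdf options.

```yaml
# mkdocs.pdf.yml (illustrative overlay; not the repository's own file)
# Inherit the full site configuration, then override only what the PDF build
# needs. INHERIT is a built-in MkDocs mechanism for layering config files.
INHERIT: mkdocs.yml

# Keep PDF output out of site/ so the strict site build is never touched.
site_dir: pdf-build

# The combined single-document view cannot resolve cross-page anchors, so this
# overlay is explicitly non-strict; the main mkdocs.yml is still built with
# --strict in CI and keeps its broken-link and missing-anchor detection.
strict: false

# Narrow navigation to the core sections that ship in the PDF.
# File paths are assumptions for illustration; the real docs/ layout may differ.
nav:
  - Foundation: foundation.md
  - Universal Security Conditions: universal-security-conditions.md
  - Strategic Positioning: strategic-positioning.md
  - Investment Portfolio: investment-portfolio.md

# Note: with INHERIT, a list-valued key such as plugins replaces the parent's
# list rather than merging with it, so every plugin the PDF build needs must be
# listed here again.
plugins:
  - search
  - with-pdf:
      # Relative to site_dir, so the file lands at
      # pdf-build/pdf/sf2-framework.pdf, matching the path in the Build notes.
      output_path: pdf/sf2-framework.pdf
      cover_title: Software Factory Security Framework (SF²)
```

Because the overlay only relaxes strictness for the PDF build, a broken internal link still fails the site build that CI runs on every branch; the relaxation is scoped to the one artifact that legitimately cannot satisfy the anchor check.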

Docker (CI-parity build)

No local Python needed. This mirrors the CI build environment (python:3.11 + cairo/pango + requirements.txt), so a clean --strict build here matches what the pipeline does, including broken-link and missing-anchor detection.

# Live preview with hot reload at http://localhost:8000
docker compose up serve

# Strict build — fails loudly on any broken link or missing heading anchor
docker compose run --rm build

# Build the core PDF (pdf-build/pdf/sf2-framework.pdf)
docker compose run --rm pdf

Without the Compose plugin, the same thing with plain Docker:

docker build -t sf2-docs .
docker run --rm -p 8000:8000 -v "$PWD":/docs sf2-docs                  # serve
docker run --rm -v "$PWD":/docs sf2-docs mkdocs build --strict         # validate
docker run --rm -v "$PWD":/docs sf2-docs mkdocs build -f mkdocs.pdf.yml # core PDF

🤝 Contributing

We welcome contributions! The framework is designed as a public resource for security leaders and practitioners.

Easy contribution:

  1. Visit any page on the live site
  2. Click "Edit this page"
  3. Make your changes
  4. Submit a merge request

See Contributing Guidelines for details.

Types of Contributions

  • 📝 Content improvements and clarifications
  • 🔗 Framework relationship mappings
  • 💡 Use cases and implementation stories
  • 🐛 Error reports and feedback

📝 License

Copyright (c) 2025 Julie Davila

Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0)

You are free to:

  • Share and redistribute
  • Adapt and build upon

With attribution.



📊 Project Status

Version: 0.1.0 (Initial Setup)

  • Repository structure
  • MkDocs + Material theme setup
  • GitHub Actions CI/CD pipeline
  • Core navigation structure
  • Content migration from source document
  • PDF export configuration
  • First public release

🙏 Acknowledgments

This framework represents years of experience leading product security at scale, distilled into a practical mental model for security leaders navigating the scaling challenge.

Special thanks to the security community for continuous feedback and contributions.


Ready to dive in? Start with the Executive Summary →

About

Software Factory Security Framework (SF²) — strategic security-scaling framework for security leaders. Live: https://sf2framework.com