🔗 Reference Links

This archive was expanded using public vendor documentation, standards guidance, project documentation, and CloudSecDocs summary pages. Favor primary documentation and current vendor references when you need exact syntax or current platform behavior.

Standards and project references

• OWASP ASVS — https://github.com/OWASP/ASVS
• OWASP API Security Project — https://owasp.org/www-project-api-security/
• OWASP Cheat Sheet Series — https://cheatsheetseries.owasp.org/
• NIST SP 800-190 Application Container Security Guide
• NIST SP 800-204 and 800-204A for microservices

Identity, federation, and platform access

• GitHub OIDC — https://docs.github.com/en/actions/concepts/security/openid-connect
• GitHub cloud-provider OIDC hardening — https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
• GitLab OIDC to Google Cloud — https://docs.gitlab.com/ci/cloud_services/google_cloud/
• GitLab OIDC provider docs — https://docs.gitlab.com/integration/openid_connect_provider/
• Azure managed identities — https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview
• AKS Microsoft Entra workload identity — https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview
• Workload Identity Federation for GKE — https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
• Google Cloud workload identity federation — https://cloud.google.com/iam/docs/workload-identity-federation

Browser and frontend references

• MDN Set-Cookie SameSite — https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
• MDN CSP overview — https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• MDN CORS — https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• OWASP Session Management Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
• OWASP OAuth 2.0 Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html

Architecture, microservices, and logging

• OWASP Microservices Security Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html
• OWASP Logging Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

Existing archive reference families carried forward

• GitLab hardening recommendations, CI/CD components, protected environments, deployment approvals, runner security, release evidence, and GitLab secret detection
• GitHub secret scanning and push protection
• DefectDojo docs and supported parser references
• AWS Security Hub, GuardDuty, IAM, Access Analyzer, CloudTrail, ECS/EKS, and IMDS docs
• Azure Activity Log, Entra sign-in logs, managed identities, AKS, and Key Vault docs
• GCP Security Command Center, Cloud Audit Logs, Cloud IAM, and GKE docs
• Checkov, Open Policy Agent, Gatekeeper, Kyverno, Conftest, and HashiCorp Sentinel docs
• HashiCorp Vault docs and operator guidance
• Falco, Tetragon, and KubeArmor project documentation

v2.2 focused references

• MDN secure cookie configuration
• OWASP Session Management Cheat Sheet
• OWASP Cross Site Scripting Prevention Cheat Sheet
• OWASP Top 10 for Business Logic Abuse
• OWASP API Security Top 10 2023
• GitHub Actions security hardening
• GitLab CI/CD components documentation
• Next.js Content Security Policy guide

Senior-engineer and leadership references

• NIST SSDF project page — https://csrc.nist.gov/projects/ssdf
• NIST SP 800-218 (SSDF 1.1 final) — https://csrc.nist.gov/publications/detail/sp/800-218/final
• OWASP SAMM — https://owasp.org/www-project-samm/
• OWASP ASVS — https://owasp.org/www-project-application-security-verification-standard/
• DORA software delivery metrics — https://dora.dev/guides/dora-metrics/
• DORA measurement frameworks — https://dora.dev/research/2025/measurement-frameworks/
• OpenSSF Scorecard — https://openssf.org/projects/scorecard/
• SLSA — https://slsa.dev/
• TUF overview — https://theupdateframework.io/docs/overview/
• OWASP Top 10 for Business Logic Abuse — https://owasp.org/www-project-top-10-for-business-logic-abuse/

v2.4 leadership framing references

• NIST CSF 2.0 overview — https://www.nist.gov/publications/nist-cybersecurity-framework-csf-20
• CISA Cybersecurity Performance Goals — https://www.cisa.gov/cybersecurity-performance-goals
• SEC cybersecurity governance and incident disclosure guidance — https://www.sec.gov/corpfin/secg-cybersecurity
• NIST SP 800-218 SSDF 1.1 — https://csrc.nist.gov/pubs/sp/800/218/final

Newcomer-friendly frameworks and references

• OWASP Application Security Verification Standard (ASVS)
• OWASP API Security Top 10
• Kubernetes Security Checklist
• NIST Secure Software Development Framework (SSDF)

Deliberately vulnerable learning environments

• OWASP Juice Shop — https://owasp.org/www-project-juice-shop/
• Juice Shop repository — https://github.com/juice-shop/juice-shop
• CI/CD Goat — https://github.com/cider-security-research/cicd-goat
• AWSGoat — https://github.com/ine-labs/AWSGoat
• CloudGoat — https://github.com/RhinoSecurityLabs/cloudgoat
• Kubernetes Goat — https://madhuakula.com/kubernetes-goat/docs/
• OWASP EKS Goat — https://owasp.org/www-project-eks-goat/
• TerraGoat — https://github.com/bridgecrewio/terragoat
• AzureGoat — https://github.com/ine-labs/AzureGoat
• GCPGoat — https://github.com/ine-labs/GCPGoat

v2.7 hands-on lab references

• NowSecure Academy — https://www.nowsecure.com/products/nowsecure-academy-mobile-appsec-training/
• NowSecure OWASP MAS testing overview — https://www.nowsecure.com/owasp-mobile-appsec-testing/
• OWASP MASTG AndroGoat — https://mas.owasp.org/MASTG/apps/android/MASTG-APP-0001/
• OWASP MASTG DVIA — https://mas.owasp.org/MASTG/apps/ios/MASTG-APP-0023/
• OWASP MAS crackmes — https://mas.owasp.org/crackmes/
• Redocly CLI lint — https://redocly.com/docs/cli/commands/lint
• Redocly CLI overview — https://redocly.com/docs/cli/
• 42Crunch API contract security audit — https://docs.42crunch.com/latest/content/concepts/api_contract_security_audit.htm
• 42Crunch GitHub Action for API audit — https://github.com/42Crunch/api-security-audit-action
• Prowler CLI overview — https://docs.prowler.com/getting-started/products/prowler-cli
• Prowler basic CLI usage — https://docs.prowler.com/getting-started/basic-usage/prowler-cli
• Checkov quick start — https://www.checkov.io/1.Welcome/Quick%20Start.html
• Cloud Custodian getting started — https://cloudcustodian.io/docs/aws/gettingstarted.html
• AWS Systems Manager Automation — https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html
• AWS containment runbook for EC2 — https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-containec2instance.html
• AWS containment runbook for IAM principals — https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/awssupport-contain-iam-principal.html
• Cortex XSOAR playbooks overview — https://xsoar.pan.dev/docs/playbooks/playbooks-overview

Security maturity model references

• BSIMM overview and reports — https://www.synopsys.com/software-integrity/software-security-services/bsimm.html
• BSIMM Foundations report — https://www.synopsys.com/content/dam/bsimm/reports/bsimm13-foundations.pdf
• BSIMM Questions and Answers — https://www.synopsys.com/content/dam/synopsys/bsimm/datasheets/BSIMM-questions_and-answers.pdf
• OWASP SAMM — https://owasp.org/www-project-samm/
• OWASP Developer Guide — SAMM — https://devguide.owasp.org/en/11-security-gap-analysis/01-guides/01-samm/
• OWASP SAMMwise — https://owasp.org/www-project-sammwise/

v2.9 book-informed strengthening references

• Jim Bird, DevOpsSec (2016) — secure delivery through Continuous Delivery, shift-left, self-service security, and compliance-as-code framing
• Adrian Mouat, Docker Security (2015/2016) — defense in depth, least privilege, image provenance, content trust, and host segregation
• NSA/CISA Kubernetes Hardening Guidance (March 2022, v1.1) — Pod security, control-plane protection, network separation, RBAC, audit logging, and upgrade discipline
• NIST SP 800-190 Application Container Security Guide
• CIS Docker Benchmark
• CIS Kubernetes Benchmark

Legacy-to-current tool translation references

• Prisma Cloud / Prisma Cloud Compute (Twistlock lineage)
• Docker Content Trust retirement guidance and migration considerations
• Sigstore Cosign quickstart and verification docs
• Falco documentation, Helm installation, and falcoctl
• ScoutSuite project docs and releases
• Prowler documentation
• OWASP Dependency-Check documentation
• Dependency-Track documentation
• Syft and Grype documentation
• Contrast Assess / IAST documentation
• Fastly Next-Gen WAF documentation (Signal Sciences lineage)

Editorial rule used in this archive

Where older books or courses name tools that have been retired, renamed, or displaced, this archive keeps the older name for historical understanding and adds the current practical equivalent next to it. That lets readers understand legacy screenshots and older CI examples without copying outdated patterns blindly.