A recently proposed framework aims to help security leaders at organizations of all sizes figure out how to scale their security operations without simply adding staff.
The Software Factory Security Framework (SF²), developed by Julie Davila, vice president of product security at GitLab, presents security scaling as a strategic resource-allocation challenge rather than a staffing problem.
The open-source framework provides leaders with approaches to assess their organization’s current security posture, balance immediate needs against long-term capabilities, and adapt based on organizational constraints and operational complexity.
Julie Davila: “Organizations that successfully navigate this challenge don’t just solve a scaling problem; they create competitive advantages.”
Those advantages include faster time to market, higher developer productivity, better security outcomes, and better business alignment, she said.
Here’s what the Software Factory Security Framework aims to do, and why it matters.
SF² comprises four components: a universal stewardship model, a strategic positioning tool, an investment portfolio approach, and a contextual adaptation guide.
The universal stewardship model identifies five core security responsibilities that apply to every software-producing organization, regardless of size or industry.
The five responsibilities are supply chain security, process stewardship, runtime protection, third-party risk management, and continuous learning. These are areas that Davila said represent non-negotiable, baseline responsibilities for any software development organization.
SF² offers guidance on what organizations need to focus on under each stewardship area. For example, for supply chain security, the list includes dependency monitoring, vendor evaluation, and license compliance. The process stewardship list covers pipeline security controls, code review effectiveness, and secrets management, and the runtime protection list covers production monitoring, incident response, and data protection. The framework lists similar focus areas for third-party risk management and continuous learning.
The framework’s strategic positioning tool is designed to help organizations of all sizes evaluate their current security posture and identify the optimal path forward. Eschewing a one-size-fits-all approach, the framework recognizes that the challenges that a small organization faces are going to be fundamentally different from those confronting a large multinational entity.
As Davila put it, “Traditional security maturity models imply everyone should follow the same path. SF² recognizes that a 10-person startup with modern cloud infrastructure shouldn’t implement security the same way as a 5,000-person enterprise with legacy systems — even if both need strong security.”
Toward that end, the strategic positioning tool helps organizations assess their security posture based on the complexity of their specific operational environment and their operational readiness. For example, legacy infrastructure, manual processes, and limited automation indicate a lower level of readiness compared to environments with modern infrastructure and automated pipelines.
Such an environment-specific assessment can help organizations make better resource-allocation decisions and determine how to better roll out security capabilities, how fast it can transform, and which security tools might work best. It’s about “what ‘good’ looks like for your organization,” said Davila.
The SF²’s investment portfolio approach aims to help organizations — again, regardless of size — to shift from merely reacting to growth to scaling intelligently. The goal is to get leaders to prioritize investments that pay dividends over time rather than falling back on endless hiring and more manual work.
To help decision making, the framework encourages organizations to constrain investment in what it calls business-as-usual tasks and manual work, such as security reviews and incident response. Those chores only grow as a company grows, so the framework recommends that organizations instead prioritize spending on automation, self-service tooling, and other capabilities that reduce manual work, and on areas that not only bolster internal security but also help customers.
SF²: “The most sustainable security investments don’t just solve immediate problems; they capture organizational effort and store it in reusable capabilities that serve future needs without additional manual work.”
The focus of SF²’s contextual adaptation component is on helping technology leaders understand how to adapt implementation based on situational realities. Variables can include the intensity of threats and the organization’s attack landscape, supply chain complexity, regulatory constraints, data breaches and other crisis events and the organization’s capacity for change. Each of these elements can have either a low, moderate, or high impact that influences implementation.
SF²’s contextual adaptation framework is essential because context matters, said Davila.
Julie Davila: “Two organizations in the same strategic position may need different implementation approaches based on their contextual modifiers. These factors help you customize the universal framework to your reality.”
Jeff Williams, co-founder and CTO of Contrast Security, sees the new framework as giving organizations a way to think strategically about security outcomes and investments.
That’s desperately needed in application security (AppSec), Williams said, because traditional approaches are expensive, wasteful, and not very effective. Small and medium-sized organizations are more likely to benefit from SF² than large enterprises that have hundreds of software development pipelines, thousands of apps, and multiple different business units, he said.
Jeff Williams: “For me, the most valuable part of SF² is not the quadrants or the activity lists; it’s the idea that security needs a portfolio strategy, with explicit tradeoffs, not a never-ending list of controls. That’s the part I’d love to see more leaders adopt, regardless of which specific framework they use.”
Still, Williams believes that SF² missed an opportunity by keeping development-time and runtime security somewhat separate instead of unifying them. And based on what is happening at most software development organizations — overloaded AppSec teams, too many vulnerabilities, weak runtime visibility, and growing compliance burdens — he said he doubts that any model can by itself fix the underlying issues.
What the industry really needs, he said, is a way to reduce the overall amount of work or make that work dramatically easier, “and SF² doesn’t attempt to solve that.”
Jeff Williams: “I think the biggest challenge is getting [technology leaders] to want to do it in the first place. There are dozens of models out there, and while this is more of a meta-model, I think it’ll get viewed as yet another maturity model.”
Jason Soroko, senior fellow at Sectigo, said SF² provides structure that most existing standards have left implicit. SF², for instance, explicitly presents itself as a strategic overlay that sits above standards such as NIST SSDF, OWASP SAMM, BSIMM, and ASVS. It focuses on where to invest, how to scale, and how fast to move, rather than on listing practices or controls.
Jason Soroko: “The universal stewardship idea and the insistence that certain responsibilities must live somewhere are evolutions of long-running AppSec and SCRM thinking rather than entirely new concepts. Yet they are packaged in a way that is very actionable for leaders who are tired of ownership fights.”
Like Williams, Soroko thinks SF² falls short on some fronts. The main blind spots, he said, are about depth and human systems more than coverage.
Jason Soroko: “SF² pays attention to context, relationship health, and change capacity, but it does not fully solve things like long-term burnout management in small security teams, incentive misalignment between shipping velocity and risk reduction, or the deeper cultural work needed to make security a trusted partner rather than a feared gatekeeper.”
Those still demand broader organizational and leadership interventions, he said.
On the technical side, the framework is highly optimized for software factories in cloud-centric environments. So hardware-centric, OT, or heavily air-gapped environments will need complementary models, even if some of the stewardship language carries over.
If a security leader tried to adopt SF² tomorrow, the hardest part would be making a brutally honest placement on the two axes that the strategic positioning tool offers. Where they end up might contradict existing success narratives.
“There is also a learning curve, since the framework introduces its own vocabulary and asks leaders to talk about scaling crises, contextual modifiers, and multiyear quadrant movement while many stakeholders still think in terms of audits and control checklists,” Soroko said.
Jason Soroko: “So the practical path is likely a gradual blend where SF² informs strategy while existing standards continue to anchor detailed implementation and compliance.”