coulomb/infospace-bench
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

started a new infospace on it-sec knowledge

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-19 02:04:09 +02:00
parent b0d67ae79e
commit 08ecefe309
1 changed files with 586 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

586
infospaces/patterns-of-it-securita-architecture/genesis/InitialExploration.md Normal file
View File

@@ -0,0 +1,586 @@
# Task-Prompt
I am about to set up a multi-tenant cloud service landscape as a platform for my software product development efforts. I am close to getting most of the relevant parts to the point where i will be trying to form a well integrated system with clear boundaries on responsibilities. My emphasis will now shift towards production readiness, usermanagement, accesscontrol and it security. I want to compile a catalog of it-sec related capabilities that are needed to get to production readiness. I want to complement that with a collection or it-security-architecture and solution patterns. Can you help me setting up those collections and gather the most important elements.
# Exploration-Result
Yes. I would set this up as a **security capability catalog** plus a **security architecture pattern catalog**, with both linked to your platforms responsibility boundaries. For your landscape, the useful framing is not “security tools first,” but:
> **What must the platform reliably provide so product teams can build production services without reinventing security every time?**
A good external backbone is NIST CSF 2.0, because it organizes cybersecurity outcomes into **Govern, Identify, Protect, Detect, Respond, Recover**. That maps well to production readiness and gives your catalog a management-level structure rather than only a technical checklist. ([NIST Veröffentlichungen][1]) For cloud-native/Kubernetes environments, I would additionally align the technical side with CNCF cloud-native security guidance, NSA/CISA Kubernetes hardening guidance, CIS Controls, OWASP ASVS, OWASP API Security, and SLSA/OpenSSF for supply-chain security. ([CNCF TAG Security][2])
## 1. Suggested collection structure
I would create two repositories or two top-level sections in one security architecture space:
```text
security-catalog/
capabilities/
CAP-001-identity-and-access-management.md
CAP-002-tenant-isolation.md
CAP-003-secrets-management.md
...
patterns/
PAT-001-central-identity-provider.md
PAT-002-namespace-per-tenant.md
PAT-003-policy-as-code-admission-control.md
...
readiness-levels/
RL0-experimental.md
RL1-internal-alpha.md
RL2-private-beta.md
RL3-production.md
RL4-regulated-production.md
mappings/
nist-csf-2.0.md
cis-controls-v8.md
owasp-asvs.md
owasp-api-security.md
slsa.md
decision-records/
threat-models/
risk-register/
```
The important part is that **capabilities describe what must exist**, while **patterns describe how you may implement it**.
Example:
```text
Capability: Tenant isolation
Pattern options:
- Namespace-per-tenant
- Cluster-per-tenant
- Cell-based tenant isolation
- Data-plane/control-plane separation
- Tenant-scoped identity and policy boundary
```
That prevents premature tool lock-in.
---
# 2. Security capability catalog
Below is a strong initial catalog for a multi-tenant cloud service landscape.
## A. Security governance and production readiness
| Capability | Purpose | Production-ready when… |
| -------------------------------------- | ------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| Security ownership model | Defines who owns security decisions, incidents, exceptions, and approvals | Every platform/product/security responsibility has an owner |
| Security architecture decision process | Keeps security-relevant decisions traceable | ADRs exist for identity, tenancy, network, data, secrets, logging, deployment |
| Risk register | Tracks accepted, mitigated, transferred, and unresolved risks | Each production service has known risks and explicit acceptance |
| Threat modeling | Identifies abuse paths before production | Core platform and tenant-critical flows have threat models |
| Security readiness gates | Blocks unsafe promotion to production | CI/CD, deployment, identity, data, and monitoring gates are enforced |
| Compliance mapping | Maps internal controls to external standards | Relevant controls are mapped to NIST, CIS, OWASP, SLSA, etc. |
For your platform, I would treat this as the **Control / CTL layer**: not just policy documents, but executable governance.
---
## B. Identity and user management
| Capability | Purpose | Production-ready when… |
| --------------------------- | --------------------------------------------------- | ------------------------------------------------------------------------- |
| Central identity provider | Single source for users, groups, service identities | All interactive access flows through central IdP |
| Multi-factor authentication | Reduces account takeover risk | Required for privileged users and admin surfaces |
| Single sign-on | Avoids fragmented local credentials | Platform, ops tools, admin tools, and product apps use SSO where possible |
| Tenant-aware identity model | Prevents cross-tenant confusion | Users, groups, roles, memberships, and invitations are tenant-scoped |
| Lifecycle management | Handles onboarding, offboarding, suspension | User deactivation reliably revokes access across systems |
| Service identities | Gives workloads explicit identities | Workload-to-workload access does not rely on shared static secrets |
| Break-glass access | Emergency access with traceability | Exists, is MFA-protected, logged, tested, and tightly limited |
Given your prior direction, this is where **privacyIDEA, Keycloak/Keycape, LLDAP/Authelia**, and later stronger IAM federation patterns can be evaluated.
---
## C. Authorization and access control
| Capability | Purpose | Production-ready when… |
| ---------------------------- | --------------------------------------- | ----------------------------------------------------------------------- |
| Role model | Defines what people and systems may do | Roles are explicit, minimal, documented, and mapped to responsibilities |
| Policy model | Enforces authorization consistently | Central or federated policy engine exists for critical decisions |
| Tenant-scoped authorization | Prevents cross-tenant access | Every access decision includes tenant/resource scope |
| Privileged access management | Controls admin and operator power | Privileged actions are time-limited, auditable, and least-privilege |
| API authorization | Secures object/resource access | Object-level and property-level authorization are tested |
| Agent access control | Separates human and AI-agent privileges | Agents have own identities, scopes, limits, and audit trails |
| Access review | Detects permission drift | Regular review exists for privileged roles and tenant admins |
This aligns strongly with your **CARING** work. CARING could become the internal modeling layer for “what kinds of access exist,” while implementation patterns map that to RBAC, ABAC, ReBAC, ACLs, OPA policies, Kubernetes RBAC, database grants, etc.
OWASP API Security is especially relevant here because modern API systems often fail at object-level and property-level authorization, not only authentication. ([OWASP][3])
---
## D. Tenant isolation
| Capability | Purpose | Production-ready when… |
| ------------------------- | ---------------------------------------- | -------------------------------------------------------------------- |
| Tenant identity boundary | Prevents tenant mix-ups | Every request and background job carries tenant context |
| Runtime isolation | Limits blast radius | Tenant workloads cannot interfere beyond intended boundaries |
| Network isolation | Prevents lateral movement | Tenant/service communication is explicitly allowed, not broadly open |
| Data isolation | Prevents data leakage | Tenant data access is enforced at storage/query layer |
| Control-plane isolation | Protects management APIs | Tenant users cannot influence global platform state unless intended |
| Noisy-neighbor protection | Maintains availability | Quotas, rate limits, and resource controls exist |
| Tenant deletion/export | Supports lifecycle and legal obligations | Tenant data can be exported and deleted predictably |
This should become one of your most central capability groups.
---
## E. Secrets, keys, and credentials
| Capability | Purpose | Production-ready when… |
| -------------------------- | --------------------------------- | ------------------------------------------------------------- |
| Central secrets management | Avoids scattered credentials | Secrets are not stored in repos, images, or plaintext config |
| Key management | Protects encryption keys | Key ownership, rotation, and access are explicit |
| Secret rotation | Reduces long-term compromise | Rotation process is automated or at least rehearsed |
| Workload secret injection | Gives services credentials safely | Secrets are injected at runtime with minimal scope |
| Certificate lifecycle | Prevents expired/weak TLS | Certificates are issued, renewed, and monitored automatically |
| Credential inventory | Knows what credentials exist | Credentials have owners, scopes, expiry, and rotation status |
---
## F. Network and edge security
| Capability | Purpose | Production-ready when… |
| ------------------------- | ---------------------------- | -------------------------------------------------------------- |
| Ingress control | Controls public entry points | All external traffic enters through known managed gateways |
| TLS everywhere | Protects traffic | TLS is enforced externally and preferably internally |
| Network segmentation | Limits lateral movement | Workloads communicate only through intended paths |
| Egress control | Limits data exfiltration | Outbound traffic is restricted, logged, or brokered |
| DDoS and abuse protection | Protects availability | Rate limits, WAF/API gateway controls, and abuse signals exist |
| Service-to-service trust | Secures internal calls | mTLS, service identity, or signed internal tokens are used |
| Admin surface protection | Reduces exposure | Admin tools are not exposed like normal public apps |
NSA/CISA Kubernetes hardening guidance emphasizes container/pod vulnerability scanning, least privilege, network separation, firewalls, strong authentication, and log auditing for Kubernetes environments. ([U.S. Department of War][4])
---
## G. Platform and Kubernetes hardening
| Capability | Purpose | Production-ready when… |
| -------------------------- | ------------------------------ | -------------------------------------------------------------------------------- |
| Cluster baseline hardening | Reduces default attack surface | Kubernetes API, nodes, kubelets, admission, and RBAC are hardened |
| Namespace governance | Makes boundaries explicit | Namespaces have owners, quotas, policies, and labels |
| Pod security enforcement | Blocks unsafe workloads | Privileged containers, hostPath, host networking, root containers are controlled |
| Admission control | Prevents bad deployments | Policy-as-code gates apply before workloads run |
| Image provenance | Ensures trusted artifacts | Only approved/signed images are deployed |
| Runtime security | Detects suspicious behavior | Runtime events are monitored and actionable |
| Backup and restore | Supports recovery | Cluster state and data stores have tested recovery paths |
| Upgrade and patch process | Reduces known exposure | Platform components are patched predictably |
---
## H. Application and API security
| Capability | Purpose | Production-ready when… |
| -------------------------- | ------------------------------------- | ----------------------------------------------------------------------- |
| Secure coding baseline | Reduces implementation flaws | Product teams follow clear app security requirements |
| Authentication integration | Avoids custom auth | Apps use standard platform identity flows |
| Authorization verification | Prevents broken access control | Object-level and tenant-level authorization tests exist |
| Input validation | Prevents injection and parser attacks | Inputs are validated at boundaries |
| Output encoding | Prevents XSS/content injection | UI/API outputs are safely encoded or typed |
| Session management | Protects user sessions | Token lifetime, refresh, revocation, and cookie settings are controlled |
| API schema governance | Keeps APIs inspectable | OpenAPI/schema definitions exist and are tested |
| Abuse protection | Prevents automated abuse | Rate limits, quotas, bot controls, and anomaly detection exist |
OWASP ASVS is useful here because it provides verifiable application security requirements rather than only a list of common vulnerabilities; the current stable ASVS line is 5.0.0. ([OWASP][5])
---
## I. Data protection and privacy
| Capability | Purpose | Production-ready when… |
| --------------------------- | -------------------------------- | ------------------------------------------------------------- |
| Data classification | Knows what needs protection | Data types are classified by sensitivity and tenant relevance |
| Data inventory | Knows where data lives | Sensitive data stores and flows are documented |
| Encryption at rest | Protects stored data | Databases, object storage, backups, and volumes are encrypted |
| Encryption in transit | Protects moving data | External and internal sensitive traffic is encrypted |
| Retention and deletion | Reduces legal/security risk | Retention periods and deletion processes exist |
| Auditability of data access | Detects misuse | Access to sensitive data is logged and reviewable |
| Backup protection | Prevents backup leakage | Backups are encrypted, access-controlled, and tested |
| Privacy-by-design checks | Avoids accidental overcollection | Product features justify personal-data collection |
CIS Controls v8 includes data protection as a major control area, including maintaining data management processes and data inventories. ([CIS][6])
---
## J. Software supply chain security
| Capability | Purpose | Production-ready when… |
| ------------------------- | ------------------------------- | ----------------------------------------------------------------- |
| Source control protection | Protects code integrity | Branch protection, review rules, signed commits/tags where useful |
| Dependency management | Controls third-party risk | Dependencies are inventoried, scanned, updated, and reviewed |
| SBOM generation | Makes components transparent | Software bills of materials are generated for releases |
| Build pipeline hardening | Prevents tampered builds | CI/CD has least privilege and isolated build contexts |
| Artifact signing | Verifies deployable artifacts | Images/packages are signed and verified before deployment |
| Provenance attestation | Shows where artifacts came from | Build provenance exists for production artifacts |
| Vulnerability management | Handles known CVEs | Findings are triaged, patched, deferred, or accepted explicitly |
| Open-source risk scoring | Evaluates dependencies | OpenSSF Scorecard or equivalent signals are considered |
SLSA is specifically designed as a software supply-chain security framework to reduce tampering risk and improve artifact integrity. ([SLSA][7]) OpenSSF Scorecard can help assess open-source dependency/project security risk through automated checks. ([openssf.org][8])
---
## K. Observability, detection, and audit
| Capability | Purpose | Production-ready when… |
| ------------------------- | --------------------------------- | ------------------------------------------------------------------------ |
| Security logging | Captures relevant security events | Auth, admin, data access, policy decisions, deployment events are logged |
| Central log collection | Makes events searchable | Logs are centralized, retained, and protected |
| Audit trail | Supports accountability | Human, service, and agent actions are distinguishable |
| Metrics and alerting | Detects abnormal states | Security-relevant alerts are routed and actionable |
| Runtime detection | Finds active compromise | Suspicious process, network, and Kubernetes events are monitored |
| Integrity monitoring | Detects unauthorized changes | Critical config, policies, and artifacts are monitored |
| Tenant-visible audit logs | Supports customer trust | Tenants can inspect relevant admin/security events |
For your agentic platform direction, I would explicitly make **agent auditability** a first-class capability, not an afterthought.
---
## L. Incident response and recovery
| Capability | Purpose | Production-ready when… |
| ------------------------- | ------------------------- | ----------------------------------------------------------------------- |
| Incident response process | Coordinates response | Severity levels, roles, communication, and escalation paths exist |
| Security runbooks | Enables fast action | Common incidents have tested playbooks |
| Forensic readiness | Preserves useful evidence | Logs and snapshots are retained with integrity controls |
| Tenant communication | Handles customer impact | Tenant notification rules and templates exist |
| Containment mechanisms | Limits damage | Accounts, tokens, tenants, workloads, and network paths can be isolated |
| Backup restore | Recovers service/data | Restore has been tested, not just configured |
| Disaster recovery | Handles larger failure | RTO/RPO targets exist for critical systems |
| Post-incident learning | Improves resilience | Incidents produce fixes, not only reports |
---
# 3. Security architecture and solution pattern catalog
I would use a template like this:
```markdown
# PAT-XXX: Pattern Name
## Problem
What recurring security problem does this solve?
## Context
Where does this apply?
## Forces
What tradeoffs exist?
## Solution
The reusable architecture idea.
## Implementation sketch
Concrete options, tools, controls.
## Failure modes
How this pattern commonly fails.
## Related capabilities
Links to CAP-XXX.
## Maturity
Experimental / Internal / Production / Regulated.
## Verification
How to prove the pattern is implemented correctly.
```
## Initial pattern set
### Identity and access patterns
| Pattern | Use when | Core idea |
| ------------------------------------------------ | ----------------------------------------------- | ---------------------------------------------------------- |
| Central Identity Provider | You need consistent login across services | All user auth flows through one IdP |
| Identity Broker | You need external/customer/federated identities | Broker maps external IdPs into platform identities |
| Tenant Membership Boundary | Multi-tenant SaaS | Membership is separate from global user identity |
| Role Composition | You need flexible roles | Roles are composed from capabilities, not hardcoded |
| Policy Decision Point / Policy Enforcement Point | Authorization must be consistent | Apps ask a policy layer; enforcement happens at boundaries |
| Time-boxed Privilege Elevation | Operators need temporary power | Privileged roles expire automatically |
| Break-glass Access | Production emergencies | Emergency path exists but is logged, alerted, and reviewed |
| Human/Agent Identity Split | AI agents act in systems | Agents never act as invisible extensions of human users |
### Tenant isolation patterns
| Pattern | Use when | Core idea |
| ----------------------------------------- | --------------------------------------- | ---------------------------------------------------- |
| Namespace-per-Tenant | Medium isolation, shared cluster | Each tenant gets scoped Kubernetes namespace(s) |
| Cluster-per-Tenant | Strong isolation or regulated customers | Each tenant gets separate cluster/control boundary |
| Cell-based Architecture | Many tenants, blast-radius control | Tenants are assigned to isolated cells/shards |
| Shared Control Plane, Isolated Data Plane | Central management with safer execution | Management is shared; tenant workloads/data isolated |
| Tenant Context Propagation | Every request/job must be tenant-aware | Tenant ID is explicit, authenticated, and logged |
| Tenant Data Partitioning | Shared database or storage | Every query/storage access enforces tenant partition |
### Kubernetes and platform patterns
| Pattern | Use when | Core idea |
| -------------------------------- | ------------------------------------ | ----------------------------------------------------------------- |
| Secure Cluster Baseline | Any production Kubernetes | Harden API server, nodes, RBAC, networking, workloads |
| Policy-as-Code Admission Control | You want safe deployment defaults | Unsafe manifests are rejected before runtime |
| Pod Security Baseline/Restricted | You need workload hardening | Enforce non-root, no privilege escalation, restricted host access |
| Network Default Deny | You need lateral movement control | No pod/service traffic unless explicitly allowed |
| Signed Image Admission | You need supply-chain integrity | Only trusted signed images can run |
| GitOps with Guardrails | You need traceable ops | Desired state comes from reviewed Git changes |
| Runtime Threat Detection | You need active compromise detection | Watch process/network/Kubernetes events for anomalies |
### Secrets and cryptography patterns
| Pattern | Use when | Core idea |
| ------------------------------------ | -------------------------------- | ------------------------------------------------ |
| External Secrets Operator | Apps need secrets from a vault | Kubernetes syncs references, not source of truth |
| Sealed Secret / Encrypted Git Secret | GitOps needs secret references | Secrets are encrypted before storage in Git |
| Short-lived Credentials | Static credentials are too risky | Tokens expire and are renewed automatically |
| Key-per-Tenant | Stronger tenant data separation | Tenant data encrypted with tenant-specific keys |
| Certificate Automation | Many services/TLS endpoints | Cert issuance and renewal are automated |
### Application/API patterns
| Pattern | Use when | Core idea |
| -------------------------------- | ----------------------------------- | ------------------------------------------------------------------- |
| API Gateway as Security Boundary | Public APIs need uniform protection | Authn, rate limiting, schema checks, and logging at the edge |
| Backend-for-Frontend | UI clients have different needs | Reduce token/data exposure by client-specific API layers |
| Object-Level Authorization Check | APIs expose tenant resources | Every object access checks ownership/scope |
| Schema-First API Security | APIs evolve quickly | OpenAPI/schema contracts drive validation and testing |
| Idempotent Command API | Retry-safe operations | Commands have IDs and safe replay semantics |
| Secure File Upload Pipeline | Users upload files | Store, scan, classify, transform, and serve via controlled pipeline |
### Supply-chain patterns
| Pattern | Use when | Core idea |
| ------------------------ | -------------------------- | ----------------------------------------------------- |
| Protected Main Branch | Any production repo | Code enters main only via review and checks |
| Dependency Update Bot | Many dependencies | Automated dependency update PRs with tests |
| SBOM-per-Release | Production artifacts | Every release includes component inventory |
| SLSA Build Provenance | Artifact integrity matters | Build system emits verifiable provenance |
| Signed Container Images | Kubernetes deployment | Admission verifies image signatures |
| Quarantined Build Runner | CI/CD hardening | Build jobs cannot freely access secrets or production |
### Detection and response patterns
| Pattern | Use when | Core idea |
| --------------------------- | ------------------------------- | -------------------------------------------------------------- |
| Security Event Taxonomy | Logs are too noisy | Define which events matter and how to classify them |
| Central Audit Ledger | You need accountability | Security-sensitive actions go to append-only/auditable storage |
| Tenant Audit Log View | Enterprise customers need trust | Tenants can inspect their own relevant security events |
| Incident Runbook Library | Response must be repeatable | Common incidents have clear runbooks |
| Kill Switch / Tenant Freeze | Compromise or abuse suspected | Disable tenant/app/API access quickly and reversibly |
| Token Revocation Sweep | Credential compromise | Revoke all tokens/keys matching scope quickly |
---
# 4. Readiness levels
This is where the catalog becomes operational.
## RL0 — Experimental
Suitable for local prototypes.
Minimum expectations:
```text
No production data
No external users
No real secrets in code
Basic repo hygiene
```
## RL1 — Internal Alpha
Suitable for internal use.
```text
Central login preferred
Basic access control
Secrets not committed
Basic logging
Known risks documented
```
## RL2 — Private Beta
Suitable for selected external users.
```text
Tenant model defined
Tenant isolation tested
Backups configured
Security logging centralized
Basic incident process exists
Dependency and image scanning active
```
## RL3 — Production
Suitable for paid customers.
```text
MFA for privileged users
Strong tenant isolation
Least-privilege access control
Policy-as-code deployment gates
Secrets management and rotation
Vulnerability management process
Auditable admin actions
Backup restore tested
Incident response runbooks tested
```
## RL4 — Regulated / High Trust Production
Suitable for stronger contractual, legal, or compliance expectations.
```text
Formal risk management
Security control mapping
Customer-facing audit logs
Artifact signing and provenance
Stronger data residency/deletion controls
Regular penetration testing
Supplier/dependency risk review
Disaster recovery exercises
```
---
# 5. How I would tailor this to your landscape
Given your existing direction, I would split the platform responsibility model like this:
| Layer | Responsibility |
| ----------------------------- | --------------------------------------------------------------------------------- |
| **NetKingdom** | Security blueprint, hardening, security architecture patterns |
| **Keycape / IAM layer** | Identity, federation, login, user lifecycle, lightweight Keycloak-compatible path |
| **privacyIDEA integration** | MFA, privileged access, stronger authentication flows |
| **OpsBridge** | Human/agent operational access paths, SSH/tunnel access, auditability |
| **CARING** | Canonical role/access modeling |
| **PECS** | Privileged execution control, allowlisting, sudo/script execution patterns |
| **OAS / VSM framing** | Architecture classification and operational control model |
| **The Custodian / state-hub** | Repository orchestration, capability state, security readiness tracking |
In other words: the catalog should not become a generic security wiki. It should become the **control map for your actual platform organism**.
---
# 6. A strong first MVP scope
For the first version, I would not try to cover everything equally. I would create a focused **Production Readiness Security Baseline v0.1** with these 12 capabilities:
1. Central identity provider
2. MFA for privileged access
3. Tenant identity and isolation model
4. Kubernetes secure baseline
5. Secrets management
6. Network default-deny and ingress control
7. API authentication and object-level authorization
8. Policy-as-code admission control
9. Container/dependency vulnerability scanning
10. Central security logging and audit trail
11. Backup/restore verification
12. Incident response runbooks
That gives you a strong bridge from “developer platform” to “production platform”.
---
# 7. Suggested document template for each capability
```markdown
# CAP-XXX: Capability Name
## Intent
What security outcome this capability provides.
## Scope
What is included and excluded.
## Threats Addressed
Which realistic risks this reduces.
## Required Controls
Concrete controls that must exist.
## Implementation Options
Possible tools, architectures, or patterns.
## Platform Responsibility
What the platform provides.
## Product Responsibility
What each product/service team must still do.
## Tenant Responsibility
What tenant admins/users may need to do.
## Readiness Criteria
RL1:
RL2:
RL3:
RL4:
## Evidence
What proves the capability is implemented.
## Related Patterns
PAT-XXX links.
## Related Standards
NIST CSF, CIS, OWASP, SLSA, internal standards.
```
This is especially important because it separates **platform responsibility** from **product responsibility**, which will become crucial once you operate multiple products on the same service landscape.
---
# 8. Recommended next artifact
The best next step would be to create a clean `SecurityCapabilityCatalog.md` with the following sections:
```markdown
# Security Capability Catalog
## 1. Purpose
## 2. Scope
## 3. Readiness Levels
## 4. Capability Taxonomy
## 5. Capability List
## 6. Pattern Catalog Linkage
## 7. Standard Mappings
## 8. Initial Production Baseline
## 9. Roadmap
```
The companion file should be:
```markdown
# Security Architecture Pattern Catalog
## 1. Purpose
## 2. Pattern Template
## 3. Identity and Access Patterns
## 4. Tenant Isolation Patterns
## 5. Kubernetes Platform Patterns
## 6. Secrets and Key Management Patterns
## 7. Application and API Security Patterns
## 8. Supply Chain Security Patterns
## 9. Detection and Response Patterns
```
My recommendation: treat this as a **living internal standard** for your platform, not just as documentation. Each capability should eventually have a machine-readable status: `missing`, `planned`, `partial`, `implemented`, `verified`, `deprecated`, `exception-accepted`.
[1]: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf?utm_source=chatgpt.com "The NIST Cybersecurity Framework (CSF) 2.0"
[2]: https://tag-security.cncf.io/community/resources/security-whitepaper/?utm_source=chatgpt.com "Cloud Native Security Whitepaper"
[3]: https://owasp.org/API-Security/editions/2023/en/0x11-t10/?utm_source=chatgpt.com "OWASP Top 10 API Security Risks 2023"
[4]: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF?utm_source=chatgpt.com "Kubernetes Hardening Guide"
[5]: https://owasp.org/www-project-application-security-verification-standard/?utm_source=chatgpt.com "OWASP Application Security Verification Standard (ASVS)"
[6]: https://www.cisecurity.org/controls/v8?utm_source=chatgpt.com "CIS Critical Security Controls Version 8"
[7]: https://slsa.dev/?utm_source=chatgpt.com "SLSA • Supply-chain Levels for Software Artifacts"
[8]: https://openssf.org/projects/scorecard/?utm_source=chatgpt.com "OpenSSF Scorecard Open Source Security Foundation"