Engineering Frameworks and Reference Architectures
Reusable methodologies, reference architectures, and engineering frameworks designed for broad adoption across organizations and industries.
All frameworks and reference architectures are organization-agnostic — designed to be adopted by multiple teams, enterprises, and industries to raise the baseline of secure software engineering. The TechStream ecosystem is structured across four layers: public engineering frameworks (Layer 1 — this page), hands-on learning labs (Layer 2 — github.com/sotille/techstream-learn), the TechStream Book Series of structured technical publications (Layer 3), and enterprise-grade pipeline templates and compliance tooling for consulting clients (Layer 4).
DevSecOps Foundation Framework
The core foundation. Covers DevSecOps principles, the 8-phase lifecycle, secure SDLC model, roles & responsibilities, and security controls across the entire pipeline. The starting point for any DevSecOps program.
Secure CI/CD Reference Architecture
Reference architecture for securing CI/CD pipelines. Includes threat modeling, SAST/DAST/SCA integration, secrets management, pipeline IAM, zero-trust CI/CD design, and compliance mapping (SOC2, PCI-DSS, ISO 27001).
Release Orchestration Framework
Enterprise-grade release management. Covers environment promotion strategy, approval workflows, rollback automation, change management integration (ServiceNow/Jira), blue/green and canary orchestration, and release governance.
Software Supply Chain Security Framework
Secures the full software supply chain. Covers SBOM (CycloneDX/SPDX), artifact signing with Sigstore/Cosign, SLSA framework levels, dependency security, third-party risk management, and registry security.
TechStream DevSecOps Maturity Model
TechStream's proprietary assessment model with 5 maturity levels across 8 domains. Includes a 37-question scoring questionnaire, gap analysis methodology, and roadmaps for advancing between levels. Useful for audits and program planning.
Compliance Automation Framework
Automates security compliance across CI/CD and cloud. Maps SOC2, ISO 27001, NIST 800-53, CIS, and PCI-DSS controls to Policy as Code (OPA/Rego, Kyverno), automated evidence collection, and continuous compliance monitoring.
Secure Pipeline Templates
Ready-to-use secure pipeline templates for GitHub Actions, GitLab CI, and Jenkins. Each template includes SAST, SCA, container scanning, secrets detection, artifact signing, DAST, and deployment approval gates.
DevSecOps Transformation Methodology
Consulting-style transformation methodology. 4-phase approach (Assess → Design → Implement → Optimize), RACI matrices, toolchain selection criteria, 90-day playbook, ROI model, and organizational change management guidance.
Cloud Security & DevSecOps
Cloud security integrated with DevSecOps for AWS, Azure, and GCP. Covers IAM, network security, IaC security, Kubernetes hardening, secrets management, CSPM, logging/SIEM integration, and multi-cloud governance.
TechStream Documentation Portal
The master documentation portal. Ties all 9 frameworks together with a framework ecosystem map, adoption sequences by organizational profile, glossary of 50+ terms, and a full documentation index across all repos.