DOMAIN:SECURITY:THOUGHT_LEADERS¶
OWNER: victoria
ALSO_USED_BY: pol, hugo, piotr, julian
UPDATED: 2026-03-24
SCOPE: reference material for continuous learning and authority citation
NOTE: existing reading-list.md covers books and newsletters — this page covers people, organizations, and key resources in depth
CORE_PRINCIPLE¶
RULE: cite authoritative sources when making security decisions
RULE: follow primary sources — not blog summaries of standards
RULE: security landscape changes constantly — check publication dates
RULE: prefer resources with practical implementation guidance over theory-only
ORGANIZATIONS¶
OWASP_FOUNDATION¶
FULL_NAME: Open Worldwide Application Security Project
URL: owasp.org
TYPE: non-profit, community-driven
RELEVANCE: primary authority for web application security
KEY_PROJECTS:
- OWASP Top 10 (2021) — industry standard vulnerability classification
- OWASP ASVS 4.0.3 — Application Security Verification Standard — 286 security requirements across 14 categories, 3 assurance levels
- OWASP Testing Guide v4.2 — comprehensive testing methodology (66 controls)
- OWASP Cheat Sheet Series — practical implementation guides (60+ cheat sheets)
- OWASP API Security Top 10 (2023) — API-specific vulnerability classification
- OWASP SAMM — Software Assurance Maturity Model — assess and improve security practices
- OWASP ZAP — free DAST tool, maintained by community
- OWASP Dependency-Check — SCA tool (prefer Trivy for broader coverage)
- OWASP Threat Dragon — open-source threat modeling tool
HOW_GE_USES_OWASP:
- ASVS as baseline security requirements for ALL client projects
- Top 10 as minimum testing coverage for every security assessment
- Cheat Sheet Series as implementation reference during development
- Testing Guide as methodology for penetration testing
URL: owasp.org/www-project-application-security-verification-standard/
URL: owasp.org/www-project-web-security-testing-guide/
URL: cheatsheetseries.owasp.org/
NIST¶
FULL_NAME: National Institute of Standards and Technology (US)
RELEVANCE: foundational security frameworks, widely adopted globally
KEY_PUBLICATIONS:
- NIST CSF 2.0 (Cybersecurity Framework) — Identify, Protect, Detect, Respond, Recover, Govern
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls — comprehensive control catalog
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle — defines AAL1/AAL2/AAL3
- NIST SP 800-123 — Guide to General Server Security
- NIST SP 800-190 — Application Container Security Guide
- NIST SP 800-204 — Security Strategies for Microservices-based Application Systems
HOW_GE_USES_NIST:
- CSF 2.0 as organizational security program structure
- SP 800-63B for authentication assurance level decisions (WebAuthn = AAL3)
- SP 800-190 for container security baseline
- SP 800-53 mapping for ISO 27001 cross-reference
URL: nist.gov/cyberframework
URL: csrc.nist.gov/publications
CIS¶
FULL_NAME: Center for Internet Security
RELEVANCE: practical, prescriptive security benchmarks
KEY_RESOURCES:
- CIS Controls v8 — 18 prioritized security controls, 3 implementation groups
- CIS Benchmarks — hardening guides for specific technologies:
- CIS Kubernetes Benchmark (v1.8) — tested by kube-bench
- CIS PostgreSQL Benchmark (v1.0)
- CIS Docker Benchmark (v1.5)
- CIS Debian/Ubuntu Benchmark
- CIS NGINX Benchmark
HOW_GE_USES_CIS:
- CIS Kubernetes Benchmark as k3s hardening baseline (kube-bench)
- CIS Controls as security program prioritization guide
- CIS Docker Benchmark for container image hardening
URL: cisecurity.org/controls
URL: cisecurity.org/benchmark
TOOL: kube-bench — automates CIS Kubernetes Benchmark checks
SANS_INSTITUTE¶
FULL_NAME: SysAdmin, Audit, Network, and Security Institute
RELEVANCE: security training, certifications, research
KEY_RESOURCES:
- SANS Top 25 (CWE/SANS) — most dangerous software weaknesses
- SANS Critical Controls — now aligned with CIS Controls v8
- Internet Storm Center (ISC) — daily security intelligence
- SANS Reading Room — free security whitepapers
- SANS Holiday Hack — annual CTF/learning challenge
CERTIFICATIONS (reference, not required for GE agents):
- GIAC GWEB — Web Application Penetration Tester
- GIAC GWAPT — Web Application Penetration Testing
- GIAC GSEC — Security Essentials
URL: sans.org
URL: isc.sans.edu (Internet Storm Center)
CNCF¶
FULL_NAME: Cloud Native Computing Foundation
RELEVANCE: Kubernetes and cloud-native security
KEY_RESOURCES:
- CNCF Security Whitepaper — cloud-native security best practices
- CNCF Software Supply Chain Best Practices — SLSA, SBOM, attestation
- Kubernetes Security (book, free) — comprehensive k8s security guide
- Falco — runtime security monitoring (CNCF project)
- Open Policy Agent — policy-as-code for k8s
URL: cncf.io
URL: kubernetes.io/docs/concepts/security/
NSA_CISA¶
KEY_PUBLICATION: Kubernetes Hardening Guide v1.2 (2022)
RELEVANCE: authoritative government guidance on k8s security
COVERS: threat model, pod security, network policies, authentication, audit logging, updates
TOOL: kubescape scans against this guide
URL: media.defense.gov (search "Kubernetes Hardening")
PEOPLE¶
TROY_HUNT¶
ROLE: security researcher, founder of Have I Been Pwned (HIBP)
EXPERTISE: data breaches, password security, web security awareness
KEY_CONTRIBUTION: Have I Been Pwned — breach notification service, password API
RELEVANCE_TO_GE: breach database check for password validation (Keycloak integration)
URL: troyhunt.com (blog), haveibeenpwned.com
KEY_TOPICS:
- credential stuffing and breach data reuse
- password storage best practices (bcrypt/Argon2, never SHA-256)
- responsible disclosure practices
- HTTPS everywhere advocacy
FOLLOW: blog (troyhunt.com), weekly video updates, Pluralsight courses
TANYA_JANCA¶
ROLE: AppSec engineer, author, founder of We Hack Purple
EXPERTISE: application security, DevSecOps, threat modeling, secure SDLC
KEY_CONTRIBUTION: "Alice and Bob Learn Application Security" (2020) — on GE reading list
RELEVANCE_TO_GE: security integration into development process (GE's anti-LLM pipeline)
URL: wehackpurple.com, shehackspurple.ca
KEY_TOPICS:
- shifting security left — into design phase
- threat modeling for developers (not just security teams)
- security champions programs
- DevSecOps pipeline integration
- communicating security findings to non-security audiences
FOLLOW: blog, conference talks (OWASP Global AppSec, DevSecCon), YouTube channel
PORTSWIGGER_WEB_SECURITY_ACADEMY¶
CREATOR: Dafydd Stuttard (author of "The Web Application Hacker's Handbook")
TYPE: free online security training with interactive labs
RELEVANCE_TO_GE: practical vulnerability testing training for pol (penetration testing)
URL: portswigger.net/web-security
KEY_LABS:
- SQL injection (17 labs, beginner to expert)
- Cross-site scripting (30+ labs)
- Authentication vulnerabilities (14 labs)
- Access control (13 labs)
- SSRF (7 labs)
- WebSocket vulnerabilities
- OAuth authentication (6 labs)
- JWT attacks (8 labs)
- Prototype pollution (10 labs)
USE_FOR: skill development, understanding vulnerability mechanics before testing client projects
NOTE: all labs are hands-on with real vulnerable applications — superior to reading-only resources
TOOL: Burp Suite Community Edition (free) — required for labs
SCOTT_HELME¶
ROLE: security researcher, founder of securityheaders.com and report-uri.com
EXPERTISE: HTTP security headers, CSP, TLS configuration, browser security
RELEVANCE_TO_GE: security header configuration for all Next.js projects
URL: scotthelme.co.uk
KEY_CONTRIBUTIONS:
- securityheaders.com — free header scanning tool
- report-uri.com — CSP/HPKP reporting service
- Certificate Transparency monitoring
- regular TLS/HTTP security blog posts
KEY_TOPICS:
- Content Security Policy deep dives (reporting, nonce-based, strict-dynamic)
- HSTS and HSTS preloading
- Subresource Integrity (SRI)
- Certificate Transparency
- Expect-CT, Feature-Policy/Permissions-Policy
FOLLOW: blog (scotthelme.co.uk), Twitter
LIRAN_TAL¶
ROLE: developer advocate (Snyk), Node.js security researcher
EXPERTISE: Node.js security, supply chain attacks, open source security
RELEVANCE_TO_GE: Node.js-specific security patterns (GE's primary runtime)
URL: lirantal.com
KEY_CONTRIBUTIONS:
- "Awesome Node.js Security" — curated resource list
- Node.js security best practices guide
- supply chain attack research and disclosure
- eslint-plugin-security contributions
- Snyk vulnerability database contributions
KEY_TOPICS:
- prototype pollution in Node.js
- dependency confusion attacks
- npm supply chain security
- Node.js-specific CVEs and mitigations
FOLLOW: blog, GitHub (lirantal), npm security advisories
DANIEL_MIESSLER¶
ROLE: security researcher, author of Unsupervised Learning newsletter
EXPERTISE: security + AI intersection, security program building, vulnerability assessment
URL: danielmiessler.com
KEY_TOPICS:
- AI security implications (prompt injection, model attacks)
- security program maturity frameworks
- bug bounty program design
- security tool evaluation methodology
FOLLOW: newsletter (Unsupervised Learning), blog, podcast
JIM_MANICO¶
ROLE: OWASP volunteer, AppSec educator
EXPERTISE: OWASP ASVS, secure coding, application security verification
KEY_CONTRIBUTION: OWASP ASVS 4.0 lead, OWASP Cheat Sheet Series contributor
RELEVANCE_TO_GE: ASVS is GE's security requirements baseline
FOLLOW: conference talks, OWASP community
KEY_BOOKS¶
NOTE: see reading-list.md for full reading list with procurement status
| book | author | year | primary use |
|---|---|---|---|
| Alice and Bob Learn Application Security | Tanya Janca | 2020 | security in development lifecycle |
| Secure by Design | Johnsson, Deogun, Sawano | 2019 | domain-driven security (PROCESSED — see secure-design-patterns.md) |
| The Web Application Hacker's Handbook | Stuttard, Pinto | 2011 | foundational pen testing (dated — supplement with PortSwigger Academy) |
| Bug Bounty Bootcamp | Vickie Li | 2021 | modern vulnerability patterns |
| Real-World Cryptography | David Wong | 2021 | practical cryptography |
| Software Supply Chain Security | Cassie Crossley | 2024 | SBOM, SLSA, EU CRA compliance |
| Container Security | Liz Rice | 2020 | container and k8s security fundamentals |
| Threat Modeling | Adam Shostack | 2014 | STRIDE methodology, systematic threat analysis |
KEY_CONFERENCES¶
| conference | focus | location | relevance |
|---|---|---|---|
| OWASP Global AppSec EU | web application security | Europe (rotating) | PRIMARY — GE's core security domain |
| Black Hat Europe | all security domains | London | advanced techniques, industry trends |
| BSides (various) | community security | worldwide | accessible, practical talks |
| One Conference | Dutch security | The Hague | local networking, Dutch regulatory context |
| KubeCon EU | cloud-native + security track | Europe (rotating) | k8s security, supply chain |
| DevSecCon | DevSecOps | online + London | pipeline security, shift-left practices |
| FOSDEM Security Track | open source security | Brussels | free, open source security tools |
FREE_TRAINING_RESOURCES¶
| resource | type | focus | url |
|---|---|---|---|
| PortSwigger Web Security Academy | interactive labs | web app vulns | portswigger.net/web-security |
| OWASP Juice Shop | vulnerable app for practice | OWASP Top 10 | owasp.org/www-project-juice-shop/ |
| Hack The Box | CTF platform | all security domains | hackthebox.com |
| TryHackMe | guided learning paths | beginner-friendly | tryhackme.com |
| PentesterLab | progressive exercises | web app pen testing | pentesterlab.com |
| CryptoHack | interactive puzzles | cryptography | cryptohack.org |
| SANS Cyber Aces | free courses | security fundamentals | cyberaces.org |
| Kubernetes Goat | vulnerable k8s lab | k8s security | madhuakula.com/kubernetes-goat |
NEWSLETTERS_AND_FEEDS¶
| source | frequency | focus | url |
|---|---|---|---|
| tl;dr sec | weekly | AppSec news curated | tldrsec.com |
| Risky Business | weekly podcast | infosec news analysis | risky.biz |
| PortSwigger Daily Swig | daily | web security news | portswigger.net/daily-swig |
| Snyk Blog | weekly | vulnerability research, Node.js | snyk.io/blog |
| NCSC-NL | as-needed | Dutch security advisories | ncsc.nl |
| Kubernetes Security Newsletter | bi-weekly | k8s CVEs, hardening | kubernetes-security.info |
| Troy Hunt Blog | weekly | breaches, authentication | troyhunt.com |
| Scott Helme Blog | monthly | HTTP security, CSP | scotthelme.co.uk |
| Daniel Miessler (Unsupervised Learning) | weekly | security + AI | danielmiessler.com |
| Adrian Roselli | as-needed | deep accessibility analysis | adrianroselli.com |
DECISION:WHICH_AUTHORITY_FOR_WHAT¶
IF question about web vulnerability classification
→ OWASP Top 10, OWASP ASVS
IF question about testing methodology
→ OWASP Testing Guide, PortSwigger Academy
IF question about security program structure
→ NIST CSF 2.0, CIS Controls v8
IF question about Kubernetes hardening
→ CIS Kubernetes Benchmark, NSA/CISA Guide
IF question about authentication standards
→ NIST SP 800-63B, OWASP ASVS Ch. 2
IF question about HTTP security headers
→ Scott Helme, Mozilla Observatory, OWASP Secure Headers
IF question about Node.js specific security
→ Liran Tal, Snyk advisories, Node.js security WG
IF question about supply chain security
→ Cassie Crossley book, CNCF SSCP, Snyk/Socket.dev
IF question about privacy/GDPR
→ EDPB guidelines, Dutch DPA, GDPRhub.eu (see reading-list.md)
IF question about container security
→ Liz Rice, CIS Docker Benchmark, NIST SP 800-190
IF question about threat modeling
→ Adam Shostack, Tanya Janca, OWASP Threat Dragon
SELF_CHECK¶
WHEN_CITING_SECURITY_GUIDANCE:
- [ ] using primary source (not blog summary)?
- [ ] publication date recent enough to be relevant?
- [ ] standard version is current (not outdated)?
- [ ] guidance applicable to GE's specific stack?
- [ ] practical implementation guidance included (not just theory)?
READ_ALSO: domains/security/reading-list.md, domains/security/index.md (SECURITY:AUTHORITIES)