Reference and Selective Reading
You do not need to read any source front-to-back for this module. Use the concept pages first; use the practice pages second; use this reference only when a concept page plus its See also (external) link has not closed the gap.
This module relies on external official documentation on purpose; the local semester books are only loosely related to its content.
Source Roles
| Source | Role | Why it is here |
|---|---|---|
| OWASP Threat Modeling + Cheat Sheet Series | Primary security reference | Best canonical framing of threat modeling and the most widely used checklists |
| NIST SP 800-207 | Primary identity / Zero Trust reference | Authoritative definition adopted by most cloud security programs |
| AWS / GCP / Azure Well-Architected (Security Pillar) | Primary cloud-specific reference | Concrete patterns and checklists tied to real services |
| HashiCorp Vault docs | Primary secrets reference | Dynamic secrets, auth methods, leases, and rotation concepts |
| Google Cloud KMS (envelope encryption) | Primary encryption reference | Clearest short explanation of DEK/KEK |
| SLSA, Sigstore | Primary supply-chain reference | Framework + signing / transparency log |
| OpenTelemetry docs | Primary observability reference | Signals, semantic conventions, sampling |
| Prometheus docs | Primary metrics reference | Naming, cardinality, instrumentation |
| Google SRE Book (free online) | Primary ops reference | Monitoring, alerting, incident response |
| Grafana Labs blog, Honeycomb, charity.wtf | Selective support | Cardinality in the real world, observability realism |
| Local books (Pro Git, The Linux Command Line, Git from the Bottom Up) | Light support | Shell and Git hygiene that sharpen operational habits |
Read Only If Stuck
Threat Modeling and Foundations
- OWASP: Threat Modeling -- canonical four-question framing
- OWASP Cheat Sheet: Threat Modeling -- compact step-by-step reference
- Microsoft Learn: Threat Modeling Tool -- STRIDE in its original practitioner form
- NIST SP 800-207: Zero Trust Architecture -- definition and deployment models
Cloud Security (per provider)
- AWS Well-Architected: Security Pillar
- Google Cloud Well-Architected: Security, Privacy, and Compliance
- Azure Well-Architected: Security
Secrets and Keys
- HashiCorp Vault docs -- dynamic secrets, auth methods, leases, and rotation
- Google Cloud KMS: Envelope encryption -- the DEK/KEK walkthrough
Network, Runtime, Supply Chain
- SLSA -- supply-chain integrity framework
- Sigstore -- artifact signing and transparency log
- Network controls and runtime detection are covered by the provider Well-Architected security docs listed under Cloud Security above; the Concept-to-Source Map below says which one to open for which concept
Observability Pillars
- OpenTelemetry Concepts
- OpenTelemetry Traces
- OpenTelemetry Sampling
- CNCF: OpenTelemetry
- Prometheus: Instrumentation
- Prometheus: Metric and label naming
- OWASP Cheat Sheet: Logging
Operating Under Observation
- Google SRE Book: Monitoring Distributed Systems
- Google SRE Book: Practical Alerting
- Google SRE Book: Table of Contents
Optional Deep Dive
- Grafana Labs: What are cardinality spikes and why do they matter? -- the real operational cost of careless labels
- Honeycomb: Observability Glossary -- working definitions you will see in interviews and incidents
- charity.wtf: Observability is a Many-Splendored Definition -- an opinionated case for what observability actually buys you
Concept-to-Source Map
| Primary concept | Best source if stuck | Why this source |
|---|---|---|
| Threat Modeling (STRIDE) | OWASP: Threat Modeling | Canonical four-question framing + STRIDE reference |
| Identity-Centric Security | NIST SP 800-207 | Authoritative Zero Trust definition |
| Defense in Depth | AWS Well-Architected Security Pillar | Layered security with concrete service mappings |
| Secret Management | HashiCorp Vault docs | Dynamic secrets and leases are first-class concepts |
| Envelope Encryption | Google Cloud KMS: Envelope encryption | Clearest short DEK/KEK walkthrough |
| Data Classification / Minimization | Google Cloud Well-Architected: Security | Explicit classification / protection-by-class guidance |
| Network Moat (security groups, NACLs, VPC endpoints) | AWS Well-Architected Security Pillar | Direct mapping to the primitives the concept covers |
| Image Hardening / Supply Chain | SLSA + Sigstore | Framework and signing implementation together |
| Runtime Detection (CSPM/CWPP) | Google Cloud Well-Architected: Security | Detect-and-respond patterns aligned with Security Command Center (SCC) |
| Metrics / Cardinality / USE/RED | Prometheus: Naming + Prometheus: Instrumentation | Canonical rules and examples |
| Structured Logging and Routing | OWASP Logging Cheat Sheet | What to log, what to protect, how the pipeline fails |
| Distributed Tracing / OTel / Sampling | OpenTelemetry Concepts + Sampling | Model + strategy in one arc |
| Dashboards That Answer Questions | Google SRE Book: Monitoring Distributed Systems | Four golden signals + design principles |
| Symptom-based Alerting | Google SRE Book: Practical Alerting | Canonical chapter this concept page is built on |
| Runbooks and On-Call Hygiene | Google SRE Book: ToC | Incident response and post-mortem chapters cover the hygiene dimension |