Best Practices Library

A curated collection of frameworks, methodologies, and principles for modern software engineering and migration.

AWS Well-Architected Framework

Amazon Web Services2015-11-30

A set of cloud design principles and check-lists for building secure, high-performing, resilient, and efficient workloads on AWS.

cloud-architectureresiliencecost-optimization

Azure Well-Architected Framework

Microsoft2018-03-15

Microsoft’s five-pillar guidance (reliability, security, cost, performance, ops) for designing and operating workloads on Azure.

cloud-architectureperformance-efficiencygovernance

Google Cloud Architecture Framework

Google Cloud2020-07-21

Prescriptive guidance covering reliability, cost, performance, security, and operational excellence for GCP workloads.

cloud-architecturegcpdesign-principles

CNCF Cloud-Native Definition & Principles

Cloud Native Computing Foundation2018-06-04

The CNCF’s formal definition of cloud-native computing and core principles for micro-services, containers, and dynamic orchestration.

cloud-nativemicroservicescontainers

Twelve-Factor App Methodology

Heroku (Salesforce)2015-01-01

Twelve practical guidelines for building modern, portable, cloud-ready web applications.

application-architecturestatelessdevops

Google Site Reliability Engineering Practices

Google2016-03-23

Codified principles (error budgets, toil elimination, SLIs/SLOs) for operating large-scale services reliably.

srereliability-engineeringservice-level-objectives

DORA Four Key Metrics

DevOps Research & Assessment (DORA)2018-09-15

Research-backed metrics (deployment frequency, lead time, MTTR, change failure rate) for high-performing software teams.

devopsperformance-metricssoftware-delivery

CALMS DevOps Principles

DevOps Enterprise Summit (Gene Kim et al.)2015-02-10

Framework emphasising Culture, Automation, Lean, Measurement, and Sharing as pillars of DevOps success.

devopsculturecontinuous-improvement

GitOps Principles v1

OpenGitOps (CNCF WG)2021-06-09

Declarative, verifiable and automated operations — using Git as the single source of truth for infra and apps.

gitopscontinuous-deliverykubernetes

Strangler Fig Modernization Pattern

ThoughtWorks2015-05-01

Incrementally replacing legacy systems by routing new functionality to a new service while ‘strangling’ the old.

modernizationlegacy-migrationincremental-refactor

Blue-Green Deployment Strategy

Continuous Delivery Community2016-08-20

Operating two identical production environments to achieve zero-downtime releases and quick rollbacks.

deployment-strategyzero-downtimerollback

Canary Releases Best Practice Guide

Spinnaker Community2017-04-05

Progressively rolling out new software to a small subset of users to minimise risk before full release.

deployment-strategyprogressive-deliveryrisk-mitigation

OWASP Top 10 (2023)

OWASP Foundation2023-09-24

The ten most critical web application security risks; updated community consensus.

application-securitysecure-codingrisk-management

NIST Secure Software Development Framework (SSDF)

NIST2022-02-04

Guidelines for secure software development practices across the SDLC (SP 800-218).

secure-sdlcfederal-guidancesoftware-security

Supply-chain Levels for Software Artifacts (SLSA)

OpenSSF2021-06-17

End-to-end integrity guarantees for software supply-chain; defines levels 1-4.

supply-chain-securitysbomdevsecops

CycloneDX SBOM Specification

OWASP Foundation2017-09-01

Lightweight Bill-of-Materials standard for software components, vulnerabilities, and licenses.

sbomsoftware-compositionsecurity

Infrastructure-as-Code Security Playbook

HashiCorp & Bridgecrew2020-10-11

Best practices for securing Terraform, CloudFormation, and ARM templates in CI/CD pipelines.

infrastructure-as-codesecuritydevsecops

Kubernetes Pod Security Standards

Kubernetes SIG Auth2021-11-16

Baseline, restricted, and privileged policy levels for securing pod workloads.

kubernetes-securitypolicycontainers

CNCF Cloud-Native Security Whitepaper

CNCF Security TAG2020-11-18

Guidance on building, shipping, and running secure cloud-native applications.

cloud-nativesecuritycontainers

OpenTelemetry Instrumentation Guidelines

OpenTelemetry Project2022-06-08

Best practices for generating consistent traces, metrics, and logs using OpenTelemetry.

observabilitytracingmetrics

RED & USE Monitoring Methodologies

Google SRE & Brendan Gregg2018-05-01

Standard approaches for selecting golden signals (Rate-Errors-Duration / Utilisation-Saturation-Errors).

monitoringobservabilitymetrics

Google Web Vitals

Google Chrome Team2020-05-05

Core performance metrics (LCP, FID, CLS, INP) for measuring real-world user experience.

web-performanceuser-experiencefrontend

Production-Ready Micro-services Checklist

Susan Fowler2017-07-12

A checklist covering operability, reliability, deployability, and observability of micro-services.

microservicesoperabilityarchitecture

Data Mesh Principles

ThoughtWorks (Zhamak Dehghani)2020-05-27

Domain-oriented, self-serve data infrastructure principles promoting product thinking for data.

data-architecturedistributed-ownershipanalytics

dbt Style Guide

dbt Labs2021-02-10

Community conventions for naming, structuring, and documenting dbt transformation projects.

analytics-engineeringsql-modellingdataops

Google API Design Guide

Google2022-04-19

Opinionated REST and gRPC design rules: resource-oriented URIs, plural nouns, pagination, errors.

api-designrestgrpc

Microsoft REST API Guidelines

Microsoft2021-06-30

Cross-company REST consistency rules (nouns, verbs, versioning, errors).

api-designrestversioning

Stripe API Versioning Policy

Stripe2019-11-14

Backwards-compatible evolution strategy and pinned versions for API consumers.

api-versioningproduct-managementsaas

Semantic Versioning 2.0.0

SemVer.Org2017-06-20

Consistent MAJOR.MINOR.PATCH versioning rules for APIs and packages.

versioningpackage-managementrelease-management

Conventional Commits Spec

Conventional Commits Initiative2019-02-16

Machine-readable Git commit messages enabling automated changelogs and semantic releases.

gitrelease-automationsemver

Trunk-Based Development Guidelines

Paul Hammant2017-01-10

Branching strategy promoting short-lived branches, frequent commits to trunk, and feature flags.

ci-cdbranching-strategydevops

Feature Flag Best Practices

LaunchDarkly2018-09-03

Operational guidelines for creating, managing, and retiring feature toggles safely.

feature-flagsrelease-managementprogressive-delivery

Shift-Left Testing Manifesto

Testing Community2016-04-22

Encourages earlier testing (unit, security, performance) in the SDLC to catch defects sooner.

testing-strategyquality-assurancedevops

Contract-Driven Development with Pact

Pact Foundation2019-05-11

Consumer-driven contract testing methodology to ensure micro-service compatibility.

testingmicroservicescontracts

Chaos Engineering Principles

PrinciplesOfChaos.org2017-09-19

Run controlled experiments to build confidence in system resilience under turbulent conditions.

resilience-testingsrefailure-mode

FinOps Cloud Cost Best Practices

FinOps Foundation2020-06-30

Shared responsibility model for cloud spend: Inform, Optimize, Operate phases.

cloud-costgovernanceoptimization

IBM Garage Methodology

IBM2019-04-01

End-to-end practices merging agile, DevOps, and design thinking for cloud transformation.

digital-transformationagilecloud-native

SAFe Continuous Delivery Pipeline

Scaled Agile Inc.2018-10-02

Scaled Agile Framework’s model for continuous exploration, integration, deployment, and release on demand.

scaled-agileci-cdvalue-stream

ISO/IEC 27001:2022 Annex A Controls

ISO/IEC JTC 1/SC 272022-10-25

Industry baseline for information-security policies and management controls.

information-securitycontrolscompliance

NIST AI Risk Management Framework 1.0

NIST2023-01-26

Guidelines to integrate trustworthiness considerations into the design, development, and deployment of AI systems.

ai-governancerisk-managementresponsible-ai

EU AI Act (Political Agreement)

European Parliament & Council2024-02-13

First comprehensive regulatory framework for trustworthy AI in the European Union.

regulationai-governancecompliance

Google Responsible AI Principles

Google2018-06-07

Seven commitments guiding the ethical development and deployment of AI at Google.

ai-ethicsresponsible-aipolicy

Microsoft Responsible AI Standard v2

Microsoft2022-06-21

Company-wide governance framework translating principles into measurable requirements.

ai-governancepolicyethics

OpenAI Safety & Alignment Best Practices

OpenAI2023-03-14

Mitigation strategies (RLHF, red-teaming, tiered access) for large language model deployment.

ai-safetyalignmentllm

Terraform Module Design Patterns

HashiCorp2020-08-12

Guidelines for writing reusable, versioned, and documented Terraform modules.

iacterraformmodule-best-practices

Helm Chart Best Practices

Helm Maintainers2019-10-05

Recommendations for structure, naming, versioning, and values of Helm charts.

kubernetespackage-managementhelm

Container Image Hardening Guide

CIS & Docker2021-05-18

Steps to build minimal, non-root, signed container images with SBOMs.

containerssecurityhardening

Zero Trust Architecture Principles (NIST SP 800-207)

NIST2020-08-11

Conceptual zero-trust model: continuous verification, least privilege, assume breach.

zero-trustnetwork-securityarchitecture

Privacy by Design 7 Principles

International Assembly for Privacy Commissioners2018-01-15

Framework embedding privacy into systems engineering from the outset.

privacydesign-principlesgdpr

Continuous Modernization Playbook

Vibgrate (Draft)2024-05-01

Iterative roadmap for refactoring, re-platforming, and replacing legacy systems using automation and AI.

legacy-migrationai-assistedproject-management