[SR3.4: 24] Create standards for technology stacks.
The organization standardizes on specific technology stacks. For the software security group (SSG), this means a reduced workload because the group doesn’t have to explore new technology risks for every new project. Ideally, the organization will create a secure base configuration for each technology stack, further reducing the amount of work required to use the stack safely. A stack might include an operating system, a database, an application server, and a runtime environment (e.g., a LAMP stack). In other cases, the stack might be an application server and development framework bundle (e.g., MEAN) or even layers 1 through 6 in a cloud environment (e.g., functions-as-a-service). The security frontier is a good place to find traction; mobile technology stacks and platforms, IoT devices, and cloud-based technology stacks are areas where specific attention to security pays off particularly well. Container-based approaches can make standardization more scalable (see [SE3.4 Use application containers]).