CMSgov/saf

Add information on integrating SAF tools into CMS projects

Closed this issue · 2 comments

Feedback suggests that CMS devs are looking for ways to integrate InSpec into their projects, and the current Getting Started page does not clearly describe how to do this (or how InSpec relates to DevSecOps best practices).

Suggest creating a CMS-targeted "quickstart" guide to describe how the SAF tools can be integrated for CMS dev purposes.

My idea on this is to build on how we engaged teams early on to "onboard" them:

  1. We asked them what they were building, with cloud, OS, DB, App Logic, Web Server, and Code type
  2. We then worked with them to select which existing validation profiles showed potential (and identified which ones were still needed)
  3. Next, we looked at their pipeline or management process, and helped them pick the most sensible places to stage their InSpec runner(s).
  4. Where to place the output, and how often to run, and why they could/should use InSpec_tools' compliance thresholds for efficiency
  5. What form of Heimdall Lite or Server made sense, and how to feed it the JSONs from InSpec
  6. A parallel conversation related to other non-InSpec security tools they might be using, whose output could be converted by Heimdall_tools
  7. Bringing it all together in Heimdall, how does one fix what is wrong? Consider what's happening at that "configure" stage - do you have a way to automate how you configure your stack? If not, see if a hardening script is available to help!

The above is just a rough idea I have for this.
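As an added example (not code from CMSgov/saf, inspec_tools or Heimdall), here is the kind of pipeline gate steps 3 to 5 describe: read the InSpec JSON reporter output, roll each control up to a Heimdall-style status, and apply inspec_tools-style compliance thresholds before results are shipped to Heimdall. The threshold key names, the impact-to-severity bands and the compliance formula are assumptions, and the input is a constructed sample.

```python
def severity(impact):
    """Heimdall-style severity band for a non-zero InSpec impact (assumed bands)."""
    bands = ((0.4, "low"), (0.7, "medium"), (0.9, "high"), (2.0, "critical"))
    return next(name for bound, name in bands if impact < bound)

def control_status(control):
    """Roll a control's test results up to one Heimdall-style status."""
    if control.get("impact", 0.0) == 0.0:
        return "not_applicable"  # impact 0 is never scored
    statuses = {r["status"] for r in control.get("results", [])}
    if not statuses:
        return "error"  # no results: the profile could not run the control
    if "failed" in statuses:
        return "failed"
    return "not_reviewed" if statuses == {"skipped"} else "passed"

def summarize(inspec_json):
    """Per-status control counts, failed controls per severity, compliance percent."""
    counts, failed_by_sev = {}, {}
    for profile in inspec_json["profiles"]:
        for control in profile["controls"]:
            status = control_status(control)
            counts[status] = counts.get(status, 0) + 1
            if status == "failed":
                sev = severity(control["impact"])
                failed_by_sev[sev] = failed_by_sev.get(sev, 0) + 1
    # Compliance = passed / scored controls; not-applicable excluded (assumed, as in Heimdall).
    scored = sum(n for s, n in counts.items() if s != "not_applicable")
    compliance = 100.0 * counts.get("passed", 0) / scored if scored else 0.0
    return counts, failed_by_sev, compliance

def check_thresholds(inspec_json, thresholds):
    """Return threshold violations; an empty list means the pipeline gate passes."""
    _, failed_by_sev, compliance = summarize(inspec_json)
    violations = []
    if compliance < thresholds.get("compliance.min", 0):
        violations.append(f"compliance {compliance:.1f}% < {thresholds['compliance.min']}%")
    for key, limit in thresholds.items():  # inspec_tools-style keys, e.g. failed.critical.max
        sev = key.split(".")[1] if key.startswith("failed.") and key.endswith(".max") else None
        if sev and failed_by_sev.get(sev, 0) > limit:
            violations.append(f"{failed_by_sev[sev]} failed {sev} control(s) > max {limit}")
    return violations

# Constructed sample shaped like `inspec exec <profile> --reporter json` output.
SAMPLE = {"profiles": [{"name": "example-baseline", "controls": [
    {"id": "V-1", "impact": 0.7, "results": [{"status": "passed"}]},
    {"id": "V-2", "impact": 1.0, "results": [{"status": "failed"}, {"status": "passed"}]},
    {"id": "V-3", "impact": 0.5, "results": [{"status": "skipped"}]},
    {"id": "V-4", "impact": 0.0, "results": [{"status": "failed"}]}]}]}
```

Running `check_thresholds(SAMPLE, {"compliance.min": 70, "failed.critical.max": 0})` in a pipeline stage and failing the job on a non-empty list is the gate; the same JSON file is what gets handed to Heimdall afterwards.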

Notes from today's review:

  • Clarify the relationship between Heimdall Lite and Server -- and if they're going to merge in the future as a single product, say that
  • Don't ask "How is the pipeline managed?" because some teams don't have something they think of as a "pipeline"
  • Clarify that teams can go ahead and use our profiles and tools without formally going through the SAF team; they are encouraged to grab the profiles and use them -- this is why we need specific explanations on how they work
  • Would be nice to have an "overall" process graphic showing in a very basic sense how a profile gets used, e.g. grab a profile from this site/write your own, run it however you like, ingest the results into Heimdall (frontpage graphic is more concerned with explaining the function of every tool)