
The OSA vision:

"OSA distills the know-how of the security architecture community and provides readily usable patterns for your application. OSA shall be a free framework that is developed and owned by the community."

OSA is licensed in accordance with Creative Commons Share-alike. We believe that Open Source principles result in more secure systems, and want the computing architectures that we depend on for our daily lives to be as secure and reliable as possible.

 

 

Control catalogue

The control catalog in OSA is currently based upon NIST 800-53. There is a mapping available against ISO17799, and other prominent standards. We feel this is the best control catalog available for the IT industry. This catalog can be used without restriction.

By taking a single control catalog we allow you to clearly establish how you can meet the objectives of many standards, without having to repeatedly work out what controls are needed and how they can be implemented. In addition, we map against threats and supply tests, so you can quickly establish whether a particular control is relevant for your situation and check that it is working correctly (great for security reviews and audits).

 

Visual patterns

The visual patterns are at the core of OSA and bring together the security requirements for a use case (e.g. remote access) with the supporting controls from the catalog. They give you the basic building blocks to make your particular solution secure. We classify visual patterns by Industry, Threats, Regulations, and Architectures.

We also provide a customized library of icons generated from the Tango project, and the patterns themselves, which are available as SVG files.

 

Assessment

There are various techniques to assess the environment your solution will operate in, in order to determine the CIA requirements for the business processes the architecture supports. Currently we still feel that an Annual Loss Expectancy (ALE) calculation is sufficient to determine the amount you should be spending on the controls relative to the cost of the assets you are protecting. We would emphasize that availability is often the most expensive element to consider. You may want to look at the more complex methods, but in essence this step is all about a Cost Benefit Analysis for the controls identified.
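The cost-benefit step described above, worked through as an added example (not part of OSA's own material). It assumes the conventional definitions SLE = asset value × exposure factor and ALE = SLE × ARO, which the page does not spell out; the risk, controls and all figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # business value of the asset at risk
    exposure_factor: float  # fraction of that value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def ale(self) -> float:
        # ALE = SLE * ARO, with SLE = asset value * exposure factor
        return self.asset_value * self.exposure_factor * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # licences, hardware, staff time per year
    exposure_factor_after: float  # estimated impact once the control is in place
    aro_after: float              # estimated frequency once the control is in place


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE before the control, minus residual ALE, minus the control's annual cost."""
    residual = Risk(risk.name, risk.asset_value,
                    control.exposure_factor_after, control.aro_after)
    return risk.ale - residual.ale - control.annual_cost


def justified(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls whose ALE reduction exceeds their annual cost, best first."""
    scored = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed availability scenario: an outage of a remote-access gateway.
OUTAGE = Risk("remote-access gateway outage", 400_000, 0.25, 2.0)
CONTROLS = [
    Control("second gateway (active/passive)", 60_000, 0.25, 0.25),
    Control("geo-redundant active/active", 190_000, 0.0625, 0.5),
    Control("runbook and quarterly failover test", 15_000, 0.125, 2.0),
]

if __name__ == "__main__":
    print(f"ALE without controls: {OUTAGE.ale:,.0f}")
    for name, value in justified(OUTAGE, CONTROLS):
        print(f"  justified: {name} (net benefit {value:,.0f}/year)")
```

The most resilient option has a negative net benefit here, which is the availability cost effect the paragraph warns about.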

 

Security Architecture

In the last step, you tailor the controls in the pattern, based on the environmental assessment, to finalise the specific controls and their implementation in the solution you are developing. At this stage, your architecture will be embedded into the wider solution architecture that is being developed.