At the recent OWASP Switzerland chapter meeting, I presented OSA. We got some positive and constructive feedback and look forward to more contributors :-). Most importantly, we heard again that "the more the merrier" applies to security architecture patterns too.
You can find the presentation here:
OSA Presentation 2009 April
I've spent the last couple of days adding ISO17799 and COBIT mappings to the controls catalog. If you check any of the controls, you will now see the mapping details at the bottom. You can also search for ISO or COBIT references using the search function in the menu bar, which returns the list of matching controls if you want to do a reverse lookup!
In the coming week I will also generate a table that lists controls and mappings in a single table.
We've been meaning to do this for a while now, but it has taken some time, as it made sense to get the underlying controls into a database first so that we can easily add mappings in future and regenerate the catalog very quickly. Now that the control catalog is in the database, we can start to consider some neat tricks with web services and client-side queries, which would allow us to start thinking about browser-based design tools.
If you have any thoughts on additional mappings, or on ways we could develop in the coming months, let us know.
We have just started the discussion on the secure development lifecycle.
We would be very happy if you could post your experience in this field.
Which expectations are realistic?
Which activities paid off?
The OSA core team
Please find a short summary of recent changes on the Open Security Architecture website:
-> We have just published a draft of the Cloud Computing pattern. This covers the issues you will face if you are looking to exploit the new wave of Cloud Computing services. We would still welcome additional comments before the pattern is finally approved.
-> A secure development pattern is being started.
-> The new icon packs and templates have been uploaded which make the patterns clearer to understand and use.
-> We continue to work on the first release of the OSA threat catalog. Progress has been slow but we hope to have something ready for the first quarter of 2009.
The OSA core team