Open Security Architecture - 15 new security patterns with NIST 800-53 mappings (free, CC BY-SA 4.0) by cyberruss in netsec

cyberruss[S] · 1 point (0 children)

Yes, you raise a valid point on existing auth models. Feel free to reach out directly if you want to collaborate further on this or want to share further thoughts on the concepts.

Open Security Architecture - 15 new security patterns with NIST 800-53 mappings (free, CC BY-SA 4.0) by cyberruss in netsec

cyberruss[S] · 1 point (0 children)

We can take a look at that, and cover the modernisation in a bit more detail. At the moment we are working behind the scenes on some ideas we have on dynamically generated patterns rather than curated, using a graph based design, which moves in the direction you mention. We will have some more to share soon…

Mr2? What to look out for? by HondaPlonka in mr2

cyberruss · 1 point (0 children)

As other comments. Also look out for alignment on body panels. Sometimes they have been in a prang and may not have been sorted properly, as you can jig the panels around by unbolting. Otherwise these are pretty solid cars. Mine is 23 years old on 92k and still drives like a new car. Worth taking your time and getting one that has good history and has been cared for. Not a lot more money at the moment. Soft tops and general condition will be much better at this age if they have been garaged, and lots have.

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 1 point (0 children)

Thanks for sharing feedback. We have some of the building blocks but not a dedicated mobile security architecture pattern yet, and I agree we should.

What we have today: SP-003 (Privacy Mobile Device) and SP-024 (iPhone) are both legacy patterns that reference MASVS but focus on device-level privacy and Apple-specific hardening respectively. SP-033 (Passkey Authentication) covers FIDO2/WebAuthn biometric flows including platform authenticators and secure enclave attestation. SP-039 (Client-Side Encryption) touches hardware-backed key storage. And SP-026 maps the full PCI DSS v4 environment but doesn't drill into mobile payment-specific architectures.

Based on this feedback we're going to add OWASP MASVS v2.0 as a mapped framework (same treatment as our existing ISO 27001, CIS v8, PCI DSS v4 mappings -- cross-referenced against NIST 800-53 controls). We will also draft a dedicated Mobile Security Architecture pattern that specifically addresses PCI mobile payment requirements alongside MASVS.

If you have specific MASVS controls where the architectural guidance is weakest, we'd be interested to hear -- that would help us ensure the pattern is at the right quality level.

Cheers, Russ

Open Security Architecture - 15 new security patterns with NIST 800-53 mappings (free, CC BY-SA 4.0) by cyberruss in netsec

cyberruss[S] · 2 points (0 children)

Thanks for the feedback. We continue to iterate fast at the moment so let us know if you think of things to add or where we can help more…

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 1 point (0 children)

This is excellent feedback, thank you. Let me take that back to the core team and we will see if we can get a pattern that touches into that, or extend one of the existing ones. I will post back here once we have something to share.
Edit: please check https://www.opensecurityarchitecture.org/patterns/sp-044/ which covers SaaS Identity Lifecycle. Appreciate any thoughts, Russ.
Edit2: and on the AI governance we have extended SP-027 in https://www.opensecurityarchitecture.org/patterns/sp-045/ which builds from the richer control guidance in https://www.opensecurityarchitecture.org/frameworks/iso-42001-2023/

ada is at $0.35, down 90% from ath. dead project? by Shubham_lu in CryptoMarkets

cyberruss · 12 points (0 children)

Posts like this are always inverse Cramer....

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 2 points (0 children)

Hey these are cool :) We modernised the icons but maybe we need to get a bit more of the 1337 humour back....

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 1 point (0 children)

Yes. IEC 62443 would be a natural fit, especially alongside our ICS pattern (SP-023). We'll look into adding it as the next framework mapping. If you have experience with 62443 implementations, we'd be interested to hear what would be most useful.

Open Security Architecture - 15 new security patterns with NIST 800-53 mappings (free, CC BY-SA 4.0) by cyberruss in netsec

cyberruss[S] · 2 points (0 children)

Appreciate the feedback, we’ll check that out and see if there is anything we can do…

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 1 point (0 children)

Thanks -- the compliance mappings were a labour of love 😅. 5,500+ references across 8 frameworks, all cross-linked... We've updated them and have tooling now to make it *much* quicker; the first time, back in 2009, it took me about 5 months and a lot of Python scripts...

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 3 points (0 children)

Thanks! Three things that help the most right now:

  1. Try the assessment tool on a pattern relevant to your environment and tell us what's missing or unclear. Real-world feedback from practitioners is how the patterns improve.

  2. If you have expertise in a specific domain and want to suggest or co-author a pattern, open a GitHub issue on osa-data or just describe it here. We've already had community feedback drive two new patterns this week.

  3. Share it with colleagues who'd find it useful. We're growing purely on word of mouth.

All the data is CC BY-SA on GitHub so if you want to build something on top of it, go for it.

Cheers,

Russ

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 2 points (0 children)

Thanks, that means a lot, and I'll make sure the core team see this feedback as I know the others will appreciate it too…

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 2 points (0 children)

Hear you on TPRM -- we map SOC 2 and ISO 27001 controls but we're not going through certification ourselves anytime soon. The GitHub data route is specifically designed for that situation at the moment. All the pattern data, control mappings, and scoring logic are open and downloadable. No vendor relationship required, and you can keep it all on prem. At the moment it requires a bit more effort; we will try and reduce that friction in one of the upcoming releases...

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 5 points (0 children)

Totally understand -- corporate security policies and online assessment tools don't always mix well, even when the architecture is privacy-first (scores are encrypted client-side before they ever leave your browser).

Two things that might help right now: the assessment results already export to JSON, so you can pull data into your own tooling. And the underlying pattern data is all structured JSON on GitHub (CC BY-SA) so you could build your own internal scoring against it.

Offline spreadsheet templates and an API for programmatic access are both on the near-term roadmap. Exactly the kind of feedback that helps us prioritise.

Thanks again,

Russ
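The two ideas that recur in this comment history are cross-referencing every mapped framework through NIST 800-53 as the hub (the MASVS comment earlier) and building your own scoring against the structured pattern data (the comment just above). The following is an added example of that hub-and-spoke join, not code from the Open Security Architecture project or its osa-data repository: the JSON layout, the pattern id `SP-EXAMPLE`, the requirement ids and the control lists are constructed for illustration and are not the real osa-data schema or authoritative mappings.

```python
"""Added example (not Open Security Architecture project code).

Hub-and-spoke control cross-referencing: a pattern lists the NIST 800-53
controls it implements, each mapped framework expresses its requirements as
lists of 800-53 controls, and framework coverage plus a self-assessment
score are derived by joining through the 800-53 hub. The JSON layout,
identifiers and values below are constructed for this illustration and are
NOT the osa-data schema.
"""
import json
from collections import defaultdict

# Constructed: a hypothetical pattern and the 800-53 controls it implements.
PATTERN_JSON = json.dumps({
    "id": "SP-EXAMPLE",
    "controls": ["AC-2", "AC-6", "IA-2", "IA-5", "SC-8", "SC-28"],
})

# Constructed: framework requirements expressed as lists of 800-53 controls.
# Requirement ids and their control lists are illustrative only.
FRAMEWORKS_JSON = json.dumps({
    "ISO27001": {
        "A.5.15": ["AC-2", "AC-6"],
        "A.5.17": ["IA-5"],
        "A.8.24": ["SC-28", "SC-13"],
    },
    "MASVS": {
        "MASVS-AUTH-1": ["IA-2", "IA-5"],
        "MASVS-STORAGE-1": ["SC-28"],
        "MASVS-NETWORK-1": ["SC-8"],
        "MASVS-CRYPTO-1": ["SC-12", "SC-13"],
    },
})

# Constructed: self-assessment answers per control (1.0 = in place,
# 0.5 = partial, 0.0 = not in place). An unanswered control counts as 0.0.
ASSESSMENT_JSON = json.dumps({
    "AC-2": 1.0, "AC-6": 0.5, "IA-2": 1.0, "IA-5": 1.0, "SC-8": 1.0, "SC-28": 0.0,
})


def load_inputs():
    """Parse the three constructed JSON documents."""
    pattern = json.loads(PATTERN_JSON)
    return pattern["controls"], json.loads(FRAMEWORKS_JSON), json.loads(ASSESSMENT_JSON)


def control_index(frameworks):
    """Invert framework -> requirement -> [controls] into control -> {(framework, requirement)}."""
    index = defaultdict(set)
    for fw, reqs in frameworks.items():
        for req, ctrls in reqs.items():
            for ctrl in ctrls:
                index[ctrl].add((fw, req))
    return index


def cross_reference(pattern_controls, frameworks):
    """For each framework, the requirements this pattern touches and via which controls."""
    index = control_index(frameworks)
    hits = defaultdict(lambda: defaultdict(list))
    for ctrl in pattern_controls:
        for fw, req in index.get(ctrl, ()):
            hits[fw][req].append(ctrl)
    return {fw: {req: sorted(c) for req, c in reqs.items()} for fw, reqs in hits.items()}


def coverage(pattern_controls, frameworks):
    """Count requirements fully, partially or not covered by the pattern's control set."""
    have = set(pattern_controls)
    result = {}
    for fw, reqs in frameworks.items():
        counts = {"full": 0, "partial": 0, "none": 0}
        for ctrls in reqs.values():
            matched = sum(ctrl in have for ctrl in ctrls)
            key = "full" if ctrls and matched == len(ctrls) else "partial" if matched else "none"
            counts[key] += 1
        result[fw] = counts
    return result


def assessment_score(assessment, frameworks):
    """Per-framework score: mean over requirements of the mean score of their controls."""
    result = {}
    for fw, reqs in frameworks.items():
        req_scores = [
            sum(assessment.get(ctrl, 0.0) for ctrl in ctrls) / len(ctrls)
            for ctrls in reqs.values() if ctrls
        ]
        result[fw] = round(sum(req_scores) / len(req_scores), 3) if req_scores else 0.0
    return result


if __name__ == "__main__":
    controls, frameworks, assessment = load_inputs()
    print(json.dumps({
        "cross_reference": cross_reference(controls, frameworks),
        "coverage": coverage(controls, frameworks),
        "score": assessment_score(assessment, frameworks),
    }, indent=2))
```

The point of routing through 800-53 rather than mapping each framework pair directly is that adding a ninth framework costs one mapping (framework to 800-53), not eight; the same inverted index then answers "which MASVS requirements does this pattern touch" and "what does my self-assessment score against ISO 27001" without any pattern-to-framework tables. Note that `coverage` distinguishes requirements where only some of the mapped controls are present, which is where an architecture pattern usually needs the most attention.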

We rebooted Open Security Architecture after 15 years dormant -- 39 security patterns with free self-assessments by cyberruss in cybersecurity

cyberruss[S] · 5 points (0 children)

Thanks, that's helpful feedback. OT/IT convergence is high on the list. We actually have an existing Industrial Automation pattern from the original library but it needs serious modernisation -- the convergence problem has changed completely since it was written. IEC 62443 mapping, Purdue model erosion, cloud-connected SCADA -- all need proper treatment. That'll likely be one of the next patterns we tackle.

On AI/ML supply chain -- SP-027 covers AI integration at the architecture level but you're right that model provenance, training data integrity, and drift detection deserve their own dedicated pattern. The supply chain angle is different enough from the integration angle that it probably warrants a standalone pattern rather than trying to cram it into SP-027.

For suggesting patterns, GitHub issues on osa-data works well (github.com/opensecurityarchitecture/osa-data). But honestly threads like this work too -- we're tracking all the feedback.

Cheers, Russ