
OSA changes

We've been very quiet at OSA for the last 18 months, as the Core Team members have been busy on other projects. However, it is not long until spring (we hope), and in line with the awakening of life in the Northern Hemisphere we are planning a spring clean and a freshen-up of the site.

On the list of changes are:

  • Two new patterns, for PCI and Advanced Persistent Threats
  • Updates to the Cloud Pattern (one of our most popular)
  • New social features to replace the old bulletin board (PHP3 and a bit clunky)
  • New mappings for the controls catalogue to PCI-DSS and SANS critical 20
  • A refresh to simplify some of the existing patterns
  • Better unification with TOGAF and SABSA
  • More guidance on determining Risks and Control Selection
  • Last but not least, we will finalise the threat catalogue

We are also pleased to welcome a new core team member who will bring a wider set of security experience in the Architecture space, as well as deep experience of building secure computing systems for a wide range of government and private organisations.

In recent months we have received an increasing number of requests from people who want to contribute, and we'll be back in touch soon to share details of how we plan to make that easier.

Thanks, OSA Core Team


Serious security holes in Siemens Control Systems

More Siemens vulnerabilities have come to light. See the Ars Technica article for details: http://arstechnica.com/security/news/2011/08/serious-security-holes-found-in-siemens-control-systems-targeted-by-stuxnet.ars

Once again, good security basics, securing the perimeter and the general environment around the controllers, appear to be the key, as set out in the pattern we put together a while back.

Update 3rd October 2011

One of our contributors to OSA (thanks, Herbert) has studied the Siemens S7 vulnerabilities mentioned above. He comments that:

"for native communication via RFC 1006 (= TCP port 102) you don't need any authentication, so an S7 CPU should always be protected by defense in depth".

Please see http://www.us-cert.gov/control_systems/ for more details.
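The protocol point in Herbert's comment, that an RFC 1006 connection request to TCP port 102 carries no credentials at all, is what makes network segmentation and a source allow-list the control that matters. The following is an added example, not OSA's own code and not taken from the Siemens or US-CERT material: it parses the TPKT/COTP connection request that opens an S7 session and flags any such request to port 102 that does not come from a known engineering station. The sample packets and IP addresses are constructed for the example, and the reading of the destination TSAP bytes (0x01 PG, 0x02 OP, 0x03 S7 basic; low byte rack/slot) follows the common S7 convention and is assumed here rather than confirmed by the page.

```python
"""Detect RFC 1006 / COTP connection requests to an S7 CPU from hosts
outside an engineering allow-list.

Added illustration, not OSA's code. Sample flows are constructed; the
TSAP interpretation is the common S7 convention (an assumption).
"""
import struct

ISO_TSAP_PORT = 102        # RFC 1006: ISO transport over TCP
TPKT_VERSION = 3
COTP_CR = 0xE0             # Connection Request TPDU
COTP_DT = 0xF0             # Data TPDU (normal S7 traffic after setup)

# COTP CR parameter codes (ISO 8073)
PARAM_TPDU_SIZE = 0xC0
PARAM_SRC_TSAP = 0xC1
PARAM_DST_TSAP = 0xC2

# Common S7 meaning of the destination TSAP high byte (assumption)
TSAP_TYPES = {0x01: "PG communication",
              0x02: "OP communication",
              0x03: "S7 basic communication"}


def parse_cotp_cr(payload):
    """Return a dict describing a TPKT + COTP Connection Request, or None
    if the payload is not one.  Note what is absent: no credential of any
    kind, only TSAPs and a TPDU size.  A CPU that accepts the TSAPs answers
    with a Connection Confirm and the session is open."""
    if len(payload) < 6:
        return None
    version, reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != TPKT_VERSION or reserved != 0 or tpkt_len != len(payload):
        return None
    cotp = payload[4:]
    li = cotp[0]                         # length indicator, excludes itself
    if li + 1 != len(cotp) or li < 6 or cotp[1] != COTP_CR:
        return None
    dst_ref, src_ref = struct.unpack("!HH", cotp[2:6])
    result = {"dst_ref": dst_ref, "src_ref": src_ref, "class": cotp[6] >> 4}
    params, pos = {}, 7
    while pos + 2 <= len(cotp):          # walk the variable-length parameters
        code, plen = cotp[pos], cotp[pos + 1]
        value = cotp[pos + 2:pos + 2 + plen]
        if len(value) != plen:
            return None                  # truncated parameter
        params[code] = value
        pos += 2 + plen
    if len(params.get(PARAM_TPDU_SIZE, b"")) == 1:
        result["tpdu_size"] = 1 << params[PARAM_TPDU_SIZE][0]
    if PARAM_SRC_TSAP in params:
        result["src_tsap"] = params[PARAM_SRC_TSAP].hex()
    dst = params.get(PARAM_DST_TSAP)
    if dst is not None and len(dst) == 2:
        result["dst_tsap"] = dst.hex()
        result["tsap_type"] = TSAP_TYPES.get(dst[0], "unknown")
        result["rack"] = (dst[1] >> 5) & 0x07   # assumed S7 convention
        result["slot"] = dst[1] & 0x1F
    return result


def flag_unauthorised_s7_setup(flows, engineering_hosts):
    """flows: (src_ip, dst_ip, dst_port, payload) tuples.  Returns one alert
    per COTP CR to port 102 whose source is not an allowed engineering host.
    Since the protocol itself checks nothing, this allow-list is the check."""
    alerts = []
    for src_ip, dst_ip, dst_port, payload in flows:
        if dst_port != ISO_TSAP_PORT or src_ip in engineering_hosts:
            continue
        cr = parse_cotp_cr(payload)
        if cr is not None:
            alerts.append({"src": src_ip, "dst": dst_ip, **cr})
    return alerts


# Constructed sample packets (not from a real capture).
S7_CR = bytes.fromhex(
    "03000016"      # TPKT: version 3, reserved, total length 22
    "11e0" "0000" "0001" "00"   # COTP: LI 17, CR, dst ref 0, src ref 1, class 0
    "c0010a"        # TPDU size 2^10 = 1024
    "c1020100"      # source TSAP 01 00
    "c2020102")     # destination TSAP 01 02: PG comm, rack 0, slot 2
S7_DT = bytes.fromhex("03000007" "02f080")   # a data TPDU, not a CR

ENGINEERING_HOSTS = {"10.10.1.5"}
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 102, S7_CR),        # engineering station, expected
    ("192.168.50.77", "10.10.1.20", 102, S7_CR),    # office host: should alert
    ("192.168.50.77", "10.10.1.20", 102, S7_DT),    # not a connection request
    ("192.168.50.77", "10.10.1.20", 80, S7_CR),     # not the ISO-TSAP port
]

if __name__ == "__main__":
    for alert in flag_unauthorised_s7_setup(SAMPLE_FLOWS, ENGINEERING_HOSTS):
        print("S7 session setup from outside engineering network:", alert)
```

Run over the constructed flows, only the office host's connection request is reported; the same logic applies unchanged to payloads pulled from a capture of the cell-zone boundary, which is where a defense-in-depth design would put the monitoring point.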


New icons- Black Hat and iPhone

We've added a few new icons to the 11_02 set for an upcoming pattern. We now have a Black Hat to represent a 'hacker' (I put the term in quotes because it originally meant a computer user who hacked together code quickly to achieve a given objective, and its meaning has shifted somewhat in recent years).

The black hat took its inspiration from the Mad magazine Spy vs Spy comic, a firm favourite when I was younger, especially the rather good game on the C64 :-) We have also added an iPhone (or possibly Android) icon, as this would appear to be a necessary staple of modern life to enable us to function, and we needed it for the new pattern Tobi is building.

As usual, the icons have been added to the icon library as SVG and PNG and are included in the icon packs.


Sony and Amazon outages

Two high-impact outages at large service providers recently: Amazon's cloud services, with knock-on effects for a number of large companies relying on them, and Sony, which suffered a major security breach that, at the time of writing, is still being cleaned up, with the total impact on customers unknown.

It made me think again about how the importance of security (confidentiality, integrity and availability) is increasing for society as we place more and more systems in the cloud, in complex chains of dependencies. This chimes with the original goals for starting OSA, captured in this article.

See these articles on the BBC site for summaries:

Amazon apologises for web fault one week on

PlayStation Network credit card details were encrypted
