
Server module updated

Just uploaded the updated Server module to align with the role changes we made to the client. I found a few additional errors as I went through that I corrected, and hopefully these should now be quite stable.

We'll now put the focus on creating some more specific patterns such as wireless access that use these modules. We'll also try and move forward on the ISO mapping that is needed for the Beta release.


Security Requirements

During my discussion with Claudiu (whom I appreciate as a great expert in the area of secure development), we came up with some further thoughts on what drives security requirements. Also, we agreed that the currently posted categorization in the Security Requirements article (under Foundations->Definitions) is not orthogonal, meaning that a requirement can ambiguously belong to two categories. However, we believe that it is nevertheless valuable to understand what the potential sources for requirements are. I hope the added illustration will help here.

Client Module updated

Finally got the Client module uploaded tonight after messing around all evening with it. There are so many controls that it takes ages to be sure that you have them correctly assigned to the roles, labelled and hyperlinked. If you are using IE I really encourage you to try with Firefox, Safari or Opera which support SVG graphics. That way you get the links to controls on the diagram itself, along with tooltips.

I ended up going with the ITIL roles for the actors and I started to get quite happy with these towards the end. I think that many of them will remain unused apart from esoteric patterns, but I like the fact that they cover the lifecycle in depth and will be familiar to most IT people who are used to working in large structured (or often unstructured!) organisations. For those users who don't fall into this space, you can still use the control definitions and ignore the extra information that the roles bring you.

Therefore my vote is to standardise on ITILv3 roles, and map against other standards as needed.


Which actors for which controls?

I'm working at the moment on the Client and Server modules. These form the foundations of the OSA pattern library as they will be used and referenced many times. It's taking time to get these modules right, which is slowing progress.

Why are they hard to build?

  • We are still trying to decide on the best set of actors to use; CLASP or ITIL v3. I think I prefer ITIL v3 but there are almost too many and it's hard to decide which ones to use.
  • When you have the actors in place you need to figure out which controls relate to which actors...this is not always obvious and makes me realise how much trial and error there is in many organisation structures.
  • The client and server modules have many controls (100+) and the sheer number means that it takes a long session to get anything meaningful accomplished.

I hope to have more to report by the end of the week, with finalised patterns posted.
