Jim Hietala announced that the Open Group's "Enterprise Security Architecture: A Framework and Template for Policy-Driven Security" is available (a minimally invasive free registration is required). The overall goal is to give security architects actionable guidance, patterns and tools they can use to design and deploy security architecture in a real-world enterprise.
I contributed to some of the sections; in Principles, I added specifics around the concepts of Security by Design and, on the flip side, the Principle of Design for Malice. I draw this distinction because the outputs of these principles are totally distinct (say, access control for the former and logging for the latter) even though they both get lumped under "security."
There is some new discussion on Mobile, Federation, Virtualization and other new-ish architectures. There are some concrete examples of using Threat Models and Attack Surface for application security, and some templates you can use to distill and communicate your security architecture decisions.