Frequently Asked Questions
Common questions about using OSA patterns, controls, and contributing to the community.
Here are answers to the questions we get asked most often.
How do you maintain and assure quality?
Every pattern is peer-reviewed by security practitioners before publication. All patterns map to specific NIST 800-53 Rev 5 controls with defined threat scenarios, and all data is schema-validated and stored as structured JSON in our public GitHub repositories. Community feedback through comments, LinkedIn, and Reddit continuously improves the material.
If I reference controls/patterns, how do I know that the site will persist?
OSA has been online continuously since 2008. The site runs on Cloudflare Pages with near-zero hosting costs, and all pattern and control data is open source on GitHub. Even if the website disappeared tomorrow, the structured data would remain freely available in our public repositories. We are committed to maintaining OSA indefinitely.
How is OSA data structured?
All patterns and controls are stored as structured JSON with formal schemas, versioned in Git, and validated automatically. This means the data is machine-readable and auditable, and can be consumed by tools and APIs as well as by humans. Each NIST 800-53 control includes mappings to 80 compliance frameworks.
What should I use to create patterns?
Pattern diagrams use SVG format following OSA conventions (960x720 viewBox, OSA colour palette, clickable NIST control badges). Any SVG editor works -- we use a mix of tools including Inkscape (open source) and programmatic SVG generation.
Can I use these materials for commercial profit?
Yes, under our Creative Commons Attribution-ShareAlike license. You must share improvements back to the community and credit OSA when using patterns. See our license terms for full details.
How long has OSA been available?
The first OSA patterns were published in 2008, built on ideas developed over the preceding decade. The site has run continuously since then, attracting thousands of daily visitors. In 2026 we completed a full modernisation -- replatforming to a modern stack, enriching all patterns to a consistent standard with NIST Rev 5 mappings, and adding 15+ new patterns covering zero trust, AI security, cyber resilience, DevSecOps, and more.
How actively is OSA developed?
Very actively. As of 2026, OSA has 50+ security patterns, 315 NIST 800-53 Rev 5 controls, mappings to 80 compliance frameworks, a self-assessment tool with gap analysis and benchmarking, and a growing contributor community. We ship new patterns and framework mappings regularly -- often in response to direct community requests.
How can I contribute?
We welcome contributions from security practitioners. You can suggest new patterns, provide feedback on existing ones, contribute assessment benchmark data, or propose new compliance framework mappings. Get in touch via our GitHub repositories or leave a comment on any pattern page.