Updates, insights, and commentary from the OSA community. Tracking the evolution of security architecture since 2008.
OSA has added two new definition pages -- [IT Security Architecture](/definitions/it-security-architecture) and [IT Risk](/definitions/it-risk) -- that establish the shared vocabulary underpinning the pattern library, Capability Model, and Assessment tool.
The Foundations section of OSA has undergone a significant structural redesign. This post documents the decisions made, the rationale behind them, and the resulting changes.
The security architecture for blockchain and distributed ledger technology has matured past the point where it can be treated as a single problem. Tokenised assets, decentralised identity, zero-knowledge proofs, and central bank digital currencies are distinct architectural domains with distinct threat models, distinct regulatory regimes, and distinct control requirements. Treating them as variations of "blockchain security" is like treating API security and network segmentation as variations of "internet security" -- technically not wrong, but not useful for anyone who has to build the thing.
When we published SP-027 in early February, it was OSA's first new security pattern in over a decade. It addressed a genuine gap: how to securely integrate AI agents into enterprise environments.
The NCSC published a call for research partners this week as part of their Active Cyber Defence 2.0 programme. The focus: External Attack Surface Management. Ollie Whitehouse, the NCSC's CTO, described it as helping organisations understand their internet-facing exposure -- a problem that feels like it should be solved by now but is more nuanced than it appears.
Cloudflare announced Markdown for Agents this week -- a feature that converts HTML pages to markdown on the fly when an AI agent requests them. It is a smart solution to a real problem: AI agents waste tokens parsing HTML when they just need the content. Claude Code, OpenCode, and other coding agents already send `Accept: text/markdown` in their request headers, and Cloudflare intercepts that to serve clean markdown instead of raw HTML.
If you are a security architect, GRC manager, or compliance lead, you have almost certainly maintained a spreadsheet that maps controls from one framework to another. You have sat in meetings where someone asks which ISO 27001 clauses are satisfied by the NIST controls you have already implemented. You have spent days preparing evidence for an auditor who needs to see the same controls through the lens of a different framework.
Every security team I have worked with over the past twenty years has had the same problem. They can tell you which controls they have implemented. They can show you compliance dashboards, maturity scores, and audit findings. What they cannot do is answer the one question the board actually cares about: how much risk are we carrying, in money?
Most web applications that handle sensitive data follow a familiar pattern: collect it, transmit it over TLS, store it in a database, and promise users you will look after it. The problem with this model is that you -- the site operator -- can see everything. Your database administrators can query it. A breach exposes it. A subpoena compels it. A rogue employee exfiltrates it.
Every security team faces the same question from the board: how mature are we? Until now, answering that question meant expensive consultants, proprietary tools, or spreadsheets that go stale the moment they are completed. Today we are changing that.