Duncan's Security Blog: An enthusiast's musings


*Work in progress*
This page is a curated list of resources I have found useful as a security architect. I will be adding items to the list from time to time, so check back when you remember. There are more than enough "security lists" in the wild, but not many focus on security architecture.

I consider these resources to be recommended for anyone interested in security architecture.

Frameworks are great as a guideline, and some clients may insist you follow a particular framework. I find that knowledge of a few complementary frameworks makes for the most well-rounded professional. Security-oriented frameworks tend to be elusive, but they are out there. In order to fit in with the rest of the organisation, it is best to also be familiar with enterprise architecture frameworks.

SABSA white paper, SABSA Foundation
TOGAF, The Open Group
O-ESA, The Open Group
Visual architecting, Dana Bredemeyer and Ruth Malan. Bredemeyer Consulting. Additional resource: Trace in the Sand
BSIMM, Building Security In

[security engineering, design, coding]
Secure by design by Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano. Manning Publications, 2017.
[security engineering]
Security engineering by Ross Anderson. Wiley, 2008.
[software engineering]
The Phoenix Project by Gene Kim, Kevin Behr, George Spafford.
[enterprise architecture]
Enterprise architecture as strategy by Jeanne Ross, Peter Weill, David Robertson. Harvard Business School Press, 2006.
Dreaming in code by Scott Rosenberg. Crown, 2007.
[Cybersecurity risk]
How to measure anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen. Wiley, 2016.


Reference patterns/designs
Open Security Architecture patterns
The Architecture of Open Source Applications

Web resources
SaaS CTO checklist
The Security Checklist: For developers
The Cutter Consortium
CAPEC: Common Attack Pattern Enumeration and Classification
Microsoft Security Development Lifecycle
OWASP Development Guide Project