Automated threat modeling company IriusRisk has launched its Open Threat Model (OTM) Standard under a Creative Commons license. The OTM Standard, released as part of version 4.1 of the IriusRisk product, is a tool agnostic way of describing a threat model in a simple to use and understand format. An accompanying API allows you to provide an OTM file and IriusRisk will automatically build a full threat model using the rules engine, which contains an extensive library of components and risk patterns.
The OTM standard has been designed for the software architects, DevOps and DevSecOps personnel that are working towards secure design and want to contribute to the widespread adoption of threat modeling / modelling as an industry standard. The objective of the OTM Standard is to simplify the generation of threat models, making it a commoditized and easily adoptable practice.
The OTM Standard can leverage a wide range of source formats and easily supports new sources of application and system design. Users can write and share parsers for artefacts such as CloudFormation, Visio, or Docker Compose files. The Standard will also allow users to exchange threat model data within the SDLC and cyber security ecosystem because threat models are represented in a common format, meaning users will be able to use this data through integrations.
In addition, OTM facilitates exchanges between organizations. As it has been launched under Creative Commons, the Standard can be used in open source projects or even by commercial vendors to share threat models of their systems, in order for those in turn to be used by organizations adopting those systems.
Stephen De Vries, CEO and founder of IriusRisk commented: “With the launch of our Open Threat Model Standard we are building a tool that will transform the threat modeling process. With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modeling an increasingly simple and widely adopted practice.”
Fraser Scott, VP of Product at IriusRisk commented: “The Open Threat Model standard represents a key step towards commoditized threat modeling, enabling further innovation and faster integration of threat modeling across the SDLC and cyber ecosystem. Open Threat Modeling effectively unlocks a new category of security activity, whereby we can conduct automated architectural security analysis across a huge range of developer disciplines. It is a huge step towards achieving true secure software design.”
The OTM API is now available in IriusRisk’s V4.1 product release, offering a flexible way to describe threat models which can be used throughout the SDLC and cybersecurity ecosystem.