IriusRisk launches OTM Standard to transform threat modelling
Automated threat modelling company IriusRisk has launched its Open Threat Model (OTM) Standard under a Creative Commons licence.
The OTM Standard, released as part of version 4.1 of the IriusRisk product, is an agnostic way of describing a threat model in a simple to use and understand format.
An accompanying API allows users to provide an OTM file and IriusRisk will automatically build a full threat model using the rules engine, which contains a broad library of components and risk patterns, the company states.
The OTM standard has been designed for the software architects, DevOps and DevSecOps personnel that are working towards secure design and want to contribute to the widespread adoption of threat modelling as an industry standard, the company states.
The objective of the new standard is to simplify the generation of threat models, making it a commoditised and adoptable practice.
In addition, the OTM Standard can leverage a wide range of source formats, including Amazon Web Services Cloudformation, and supports new sources of application and system design.
Users can write and share parsers for artefacts such as CloudFormation, Visio, or Docker Compose files. The standard will also allow users to exchange threat model data within the SDLC and cyber security ecosystem because threat models are represented in a common format, meaning users will be able to use this data through integrations.
Finally, OTM facilitates exchanges between organisations. As it has been launched under Creative Commons, the standard can be used in open source projects or even by commercial vendors to share threat models of their systems, in order for those in turn to be used by organisations adopting those systems, the company states.
Stephen De Vries, CEO and founder of IriusRisk, commented, “With the launch of our Open Threat Model Standard we are building a tool that will transform the threat modelling process.
"With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modelling an increasingly simple and widely adopted practice.”
Fraser Scott, VP of Product at IriusRisk says, “The Open Threat Model standard represents a key step towards commoditised threat modelling, enabling further innovation and faster integration of threat modelling across the SDLC and cyber ecosystem.
"Open Threat Modelling effectively unlocks a new category of security activity, whereby we can conduct automated architectural security analysis across a huge range of developer disciplines. It is a huge step towards achieving true secure software design.”
The OTM API is now available in IriusRisks V4.1 product release, offering a way to describe threat models which can be used throughout the SDLC and cybersecurity ecosystem.
IriusRisk is a threat modelling and secure design solution utilised in Application Security. Enterprise clients including banks, payments and technology providers, can use the solution to build security into applications.