IriusRisk launches Open Threat Model standard to secure software development lifecycle

News Analysis
Mar 23, 2022 | 3 min read
Topics: Application Security, DevSecOps, Threat and Vulnerability Management

The OTM standard, published under a Creative Commons license, aims to generate greater connectivity and interoperability between threat modeling and the software development lifecycle.

IriusRisk has launched a new Open Threat Model (OTM) standard intended to allow greater connectivity and interoperability between threat modeling and other parts of the software development lifecycle (SDLC). The OTM standard has been published under a Creative Commons license and provides a tool-agnostic way of describing a threat model in a format that is simple to use and understand, IriusRisk said.

The standard can be populated from a wide range of source formats and supports new sources of application and system design, while also allowing users to exchange threat model data within the SDLC and the wider cybersecurity ecosystem. An accompanying API allows users to submit an OTM file, which IriusRisk uses to build a full threat model with its rules engine, backed by an extensive library of components and risk patterns.

Standard designed to secure SDLCs, simplify threat modeling

The OTM standard is part of the 4.1 release of the IriusRisk product and is designed for software architects, DevOps and DevSecOps personnel who are working towards secure design and want to contribute to the adoption of threat modeling as an industry standard, IriusRisk explained in a posting on its website. It presents threat models in a common format, allowing users to consume the data through integrations, and works with different source formats including AWS CloudFormation.

Users can also write and share parsers for artefacts such as CloudFormation, Visio or Docker Compose files. “In addition, OTM facilitates exchanges between organizations,” IriusRisk added. “As it has been launched under Creative Commons, the standard can be used in open-source projects or even by commercial vendors to share threat models of their systems, in order for those in turn to be used by organizations adopting those systems.”
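As an added example (not IriusRisk's code and not part of the original article), the following Python script shows the kind of parser the paragraph above refers to: it reads a CloudFormation template and emits a tool-agnostic threat model made of trust zones, components and dataflows, and flags the dataflows that cross a trust boundary, which are the ones a reviewer would look at first. The template is constructed for the example, the mapping from CloudFormation resource types to component types is a deliberate simplification, and the output field names (trustZones, components, dataflows, parent.trustZone, source, destination) are modeled on the published OTM schema as I understand it; the article does not document the schema, so treat them as assumptions rather than a guaranteed-conformant OTM document.

```python
"""Derive a tool-agnostic threat model from a CloudFormation template.

Added example, not IriusRisk code. Field names are modeled on the OTM schema
as the author of this example understands it (an assumption); the sample
template below is constructed, not taken from the article.
"""
import json
from typing import Any, Dict, Iterator, List

# Assumption: which CloudFormation resource types count as components, and
# which generic component type each one maps to. Supporting resources such as
# IAM roles and subnets are intentionally left out of the model.
COMPONENT_TYPES = {
    "AWS::ApiGatewayV2::Api": "api-gateway",
    "AWS::ApiGatewayV2::Integration": "api-gateway",
    "AWS::Lambda::Function": "serverless-function",
    "AWS::DynamoDB::Table": "nosql-database",
    "AWS::ElasticLoadBalancingV2::LoadBalancer": "load-balancer",
    "AWS::EC2::Instance": "virtual-machine",
    "AWS::RDS::DBInstance": "relational-database",
}
# Resource types that are reachable from the internet by their nature.
INTERNET_EDGE_TYPES = {"AWS::ApiGatewayV2::Api", "AWS::ApiGatewayV2::Integration"}

# Constructed sample template: an HTTP API fronting a Lambda that writes to DynamoDB.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "OrdersApi": {"Type": "AWS::ApiGatewayV2::Api",
                      "Properties": {"Name": "orders", "ProtocolType": "HTTP"}},
        "OrdersIntegration": {"Type": "AWS::ApiGatewayV2::Integration",
                              "Properties": {"ApiId": {"Ref": "OrdersApi"},
                                             "IntegrationType": "AWS_PROXY",
                                             "IntegrationUri": {"Fn::GetAtt": ["OrdersFunction", "Arn"]}}},
        "OrdersFunction": {"Type": "AWS::Lambda::Function",
                           "Properties": {"Runtime": "python3.11", "Handler": "app.handler",
                                          "Role": {"Fn::GetAtt": ["OrdersRole", "Arn"]},
                                          "Environment": {"Variables": {"TABLE_NAME": {"Ref": "OrdersTable"}}},
                                          "Code": {"ZipFile": "def handler(event, context): return {}"}}},
        "OrdersTable": {"Type": "AWS::DynamoDB::Table",
                        "Properties": {"BillingMode": "PAY_PER_REQUEST",
                                       "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
                                       "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}]}},
        "OrdersRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}},
    },
}


def iter_refs(node: Any) -> Iterator[str]:
    """Yield every logical ID referenced via Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            yield target[0]                       # ["LogicalId", "Attribute"] form
        elif isinstance(target, str):
            yield target.split(".", 1)[0]         # "LogicalId.Attribute" form
        for value in node.values():
            yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)


def trust_zone(resource: Dict[str, Any]) -> str:
    """Heuristic (assumption): internet-reachable resources go in the public zone."""
    props = resource.get("Properties", {})
    if (resource.get("Type") in INTERNET_EDGE_TYPES
            or props.get("Scheme") == "internet-facing"
            or props.get("PubliclyAccessible") is True):
        return "public"
    return "private"


def cfn_to_threat_model(template: Dict[str, Any], project_name: str) -> Dict[str, Any]:
    """Build components from modelled resources and dataflows from references between them."""
    resources = template.get("Resources", {})
    components: List[Dict[str, Any]] = []
    for logical_id, res in resources.items():
        ctype = COMPONENT_TYPES.get(res.get("Type"))
        if ctype is None:
            continue
        components.append({"id": logical_id, "name": logical_id, "type": ctype,
                           "parent": {"trustZone": trust_zone(res)}})
    zone_of = {c["id"]: c["parent"]["trustZone"] for c in components}

    dataflows: List[Dict[str, Any]] = []
    seen = set()
    for source, res in resources.items():
        if source not in zone_of:
            continue
        for dest in iter_refs(res.get("Properties", {})):
            # A reference from one component to another is treated as a dataflow
            # from the referencing resource to the referenced one (assumption).
            if dest in zone_of and dest != source and (source, dest) not in seen:
                seen.add((source, dest))
                dataflows.append({"id": f"{source}-to-{dest}", "name": f"{source} -> {dest}",
                                  "source": source, "destination": dest,
                                  "crossesTrustBoundary": zone_of[source] != zone_of[dest]})
    return {"project": {"name": project_name},
            "trustZones": [{"id": "public", "name": "Internet-facing"},
                           {"id": "private", "name": "Private network"}],
            "components": components, "dataflows": dataflows}


if __name__ == "__main__":
    print(json.dumps(cfn_to_threat_model(SAMPLE_TEMPLATE, "orders-service"), indent=2))
```

Running the script prints the model; the one dataflow marked crossesTrustBoundary is the API integration invoking the function, which is exactly the boundary a threat model of this stack should focus on. A real parser for a threat-modeling tool would add the tool's required version and identifier fields and a richer type vocabulary, but the shape, extracting components, zones and flows from the deployment artifact rather than drawing them by hand, is the point of sharing parsers for a common format.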

Commenting in a press release, Stephen De Vries, IriusRisk CEO and founder, said: “With the launch of our Open Threat Model standard, we are building a tool that will transform the threat modeling process. With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modeling an increasingly simple and widely adopted practice.”

OTM standard could address software development security incohesion

The standard comes at a time when the security implications of SDLCs are significantly impacting organizations. Last year, a report from Osterman Research described considerable incohesion between software development teams and cybersecurity functions, compounding the software supply chain risks faced by businesses. It revealed that 45% of development teams felt their understanding of the latest application attacks was lacking, with the vast majority admitting to knowingly pushing vulnerable code live.

What’s more, just 27% of frontline development professionals considered application security their responsibility, while only half of CISOs were confident that secure applications can be developed and 45% of security workers felt developers did not understand the latest threats to application security.

Speaking to CSO, cybersecurity consultant Harman Singh says that the OTM standard is significant for businesses because it provides a framework for threat modelling that can be used by teams and organizations of all sizes at different stages of the SDLC. “The OTM standard has been designed to be easy to use and understand so that businesses can quickly and effectively assess the risks to their systems. The OTM standard is also flexible, so businesses can adapt it to meet their specific needs,” he adds.

The benefits of using the standard include the ability to quickly and effectively assess the risks to systems, the flexibility to adapt it to meet specific needs, and the capability to prioritize risks and design relevant controls, Singh says.

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
