The OTM standard, published under a Creative Commons license, aims to generate greater connectivity and interoperability between threat modeling and the software development lifecycle.

IriusRisk has launched a new Open Threat Model (OTM) standard to allow greater connectivity and interoperability between threat modeling and other parts of the software development lifecycle (SDLC). The OTM standard has been published under a Creative Commons license and provides a tool-agnostic way of describing a threat model in a format that is simple to use and understand, IriusRisk said.

The standard can leverage a wide range of source formats and supports new sources of application and system design, while also allowing users to exchange threat model data within the SDLC and cybersecurity ecosystem. An accompanying API allows users to provide an OTM file, which IriusRisk uses to build a full threat model using its rules engine, which contains an extensive library of components and risk patterns.

Standard designed to secure SDLCs, simplify threat modeling

The OTM standard is part of the 4.1 release of the IriusRisk product and is designed for software architects, DevOps and DevSecOps personnel who are working towards secure design and want to contribute to the adoption of threat modeling as an industry standard, IriusRisk explained in a posting on its website. It presents threat models in a common format, allowing users to utilize the data through integrations, and works with different source formats including Amazon Web Services CloudFormation. Users can also write and share parsers for artefacts such as CloudFormation, Visio or Docker Compose files. “In addition, OTM facilitates exchanges between organizations,” IriusRisk added.
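To make the "write and share parsers for artefacts such as CloudFormation" idea concrete, here is an added illustration (not IriusRisk's code and not the OTM specification) of what such a parser does: it reads a constructed CloudFormation JSON template, maps each resource to a component and a trust zone, infers dataflows, and then runs one simple risk pattern over the result. The output keys (components, trustZones, dataflows), the RESOURCE_KINDS mapping, the dataflow heuristic and the exposure rule are all assumptions made for this example; only the CloudFormation resource types and properties are real.

```python
import json

# Constructed sample CloudFormation template (made up for this example).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-00000000"},
        },
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "PubliclyAccessible": False},
        },
        "UploadsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

# Assumed mapping (this example's own, not OTM's) from CloudFormation resource
# types to a generic component kind and the trust zone it is placed in.
RESOURCE_KINDS = {
    "AWS::EC2::Instance": ("compute", "private-network"),
    "AWS::RDS::DBInstance": ("datastore", "private-network"),
    "AWS::S3::Bucket": ("object-storage", "cloud-storage"),
}


def parse_cloudformation(template_text):
    """Turn a CloudFormation JSON template into a tool-agnostic model dict.

    The output keys (components, trustZones, dataflows) are an illustrative
    shape chosen for this example, not the published OTM schema.
    """
    template = json.loads(template_text)
    components = []
    for logical_id, resource in template.get("Resources", {}).items():
        kind, zone = RESOURCE_KINDS.get(resource.get("Type"), ("unknown", "unclassified"))
        components.append({
            "id": logical_id,
            "type": resource.get("Type"),
            "kind": kind,
            "trustZone": zone,
            "properties": resource.get("Properties", {}),
        })

    # Heuristic dataflows (an assumption): a template does not state flows
    # explicitly, so every compute component is assumed to talk to every
    # datastore and object-storage component.
    sources = [c for c in components if c["kind"] == "compute"]
    sinks = [c for c in components if c["kind"] in ("datastore", "object-storage")]
    dataflows = [{"source": s["id"], "destination": d["id"]} for s in sources for d in sinks]

    return {
        "components": components,
        "trustZones": sorted({c["trustZone"] for c in components}),
        "dataflows": dataflows,
    }


def find_public_exposure(model):
    """Return ids of components whose properties mark them as publicly reachable.

    This stands in for a rules-engine risk pattern. The two properties checked
    are real CloudFormation properties, but the rule itself is this example's own.
    """
    exposed = []
    for comp in model["components"]:
        props = comp["properties"]
        if comp["type"] == "AWS::S3::Bucket" and props.get("AccessControl", "").startswith("Public"):
            exposed.append(comp["id"])
        elif comp["type"] == "AWS::RDS::DBInstance" and props.get("PubliclyAccessible") is True:
            exposed.append(comp["id"])
    return exposed


if __name__ == "__main__":
    model = parse_cloudformation(SAMPLE_TEMPLATE)
    print(json.dumps(model, indent=2))
    print("publicly exposed:", find_public_exposure(model))
```

The split between parsing (producing a neutral model) and the risk rule (consuming it) is the point: once the design artefact has been translated into a shared structure, any tool or team can apply its own risk patterns without needing to understand CloudFormation itself.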
“As it has been launched under Creative Commons, the standard can be used in open-source projects or even by commercial vendors to share threat models of their systems, in order for those in turn to be used by organizations adopting those systems.”

Commenting in a press release, Stephen De Vries, IriusRisk CEO and founder, said: “With the launch of our Open Threat Model standard, we are building a tool that will transform the threat modeling process. With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modeling an increasingly simple and widely adopted practice.”

OTM standard could address software development security incohesion

The standard comes at a time when the security implications surrounding SDLCs are significantly impacting organizations. Last year, a report from Osterman Research outlined considerable incohesion between software development teams and cybersecurity functions, compounding the software supply chain risks faced by businesses. It revealed that 45% of development teams felt their understanding of the latest application attacks was lacking, with the vast majority admitting to knowingly pushing vulnerable code live. What’s more, just 27% of frontline development professionals considered application security their responsibility, while only half of CISOs were confident that secure applications can be developed and 45% of security workers felt developers did not understand the latest threats to application security.

Speaking to CSO, cybersecurity consultant Harman Singh says that the OTM standard is significant for businesses because it provides a framework for threat modelling that can be used by teams and organizations of all sizes at different stages of the SDLC. “The OTM standard has been designed to be easy to use and understand so that businesses can quickly and effectively assess the risks to their systems.
The OTM standard is also flexible, so businesses can adapt it to meet their specific needs,” he adds.

The benefits of using the standard include the ability to quickly and effectively assess the risks to systems, the flexibility to adapt it to meet specific needs, and the capability to prioritize risks and design relevant controls, Singh says.