The OTM standard, published under a Creative Commons license, aims to generate greater connectivity and interoperability between threat modeling and the software development lifecycle.

IriusRisk has launched a new Open Threat Model (OTM) standard to allow greater connectivity and interoperability between threat modeling and other parts of the software development lifecycle (SDLC). The OTM standard has been published under a Creative Commons license and provides a tool-agnostic way of describing a threat model in a simple-to-use, easy-to-understand format, IriusRisk said.

The standard can draw on a wide range of source formats and supports new sources of application and system design, while also allowing users to exchange threat model data within the SDLC and cybersecurity ecosystem. An accompanying API allows users to provide an OTM file, which IriusRisk uses to build a full threat model with its rules engine and its library of components and risk patterns.

Standard designed to secure SDLCs, simplify threat modeling

The OTM standard is part of the 4.1 release of the IriusRisk product and is designed for software architects, DevOps and DevSecOps personnel who are working towards secure design and want to contribute to the adoption of threat modeling as an industry standard, IriusRisk explained in a posting on its website. It presents threat models in a common format, allowing users to consume the data through integrations, and works with different source formats including Amazon Web Services CloudFormation. Users can also write and share parsers for artefacts such as CloudFormation, Visio or Docker Compose files. “In addition, OTM facilitates exchanges between organizations,” IriusRisk added.
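The parsers mentioned above (CloudFormation, Visio or Docker Compose files turned into OTM) are something a team writes itself. What follows is an added example, not IriusRisk's code and not part of the OTM project: a minimal Python converter that turns a Docker Compose definition into an OTM document and then checks that every reference inside the result resolves. The Compose input is a constructed sample embedded as the dict PyYAML would return for the file; the OTM field names (otmVersion, project, trustZones, components, dataflows, parent.trustZone, risk.trustRating) and the component types generic-service and generic-client are assumptions based on the published OTM schema and should be checked against it before the output is fed to any tool.

```python
"""Docker Compose -> Open Threat Model (OTM) converter.

Added example, not IriusRisk code. The OTM field names used (otmVersion,
project, trustZones, components, dataflows, parent.trustZone, risk.trustRating)
and the component types are assumptions based on the published OTM schema;
verify them against the spec before importing the output anywhere.
"""
import json
import re

# Constructed sample: what yaml.safe_load() returns for a small docker-compose.yml
# (a published web tier, an API on two networks, a database on an internal network).
COMPOSE = {
    "services": {
        "web": {"image": "nginx:1.25", "ports": ["443:443"],
                "networks": ["frontend"], "depends_on": ["api"]},
        "api": {"build": "./api", "networks": ["frontend", "backend"],
                "depends_on": {"db": {"condition": "service_healthy"}}},
        "db": {"image": "postgres:16", "networks": ["backend"]},
    },
    "networks": {"frontend": {}, "backend": {"internal": True}},
}
INTERNET_ZONE, INTERNET_CLIENT = "internet", "external-client"


def slug(name):
    """Stable, URL-safe id derived from a Compose name."""
    return re.sub(r"[^a-z0-9]+", "-", str(name).lower()).strip("-")


def published_port(port):
    """Host-side port from short ('443:443', '127.0.0.1:8443:443', '8080')
    or long ({'target': 80, 'published': 8080}) Compose port syntax."""
    if isinstance(port, dict):
        return str(port.get("published", port.get("target")))
    parts = str(port).split(":")
    return parts[-2] if len(parts) >= 2 else parts[0]


def compose_to_otm(compose, project_name):
    services = compose.get("services") or {}
    networks = compose.get("networks") or {}
    # Each Compose network becomes a trust zone; the Internet is its own, least
    # trusted zone, and networks marked internal (no host routing) rate higher.
    zones = [{"id": INTERNET_ZONE, "name": "Internet", "risk": {"trustRating": 1}}]
    for net in sorted(set(networks) | {"default"}):  # Compose uses 'default' when unset
        internal = (networks.get(net) or {}).get("internal", False)
        zones.append({"id": slug(net), "name": net,
                      "risk": {"trustRating": 80 if internal else 50}})
    components, dataflows, exposed = [], [], False
    for name, svc in services.items():
        svc = svc or {}
        nets = list(svc.get("networks") or ["default"])  # list() also handles long syntax
        components.append({"id": slug(name), "name": name,
                           "type": "generic-service",  # assumed OTM component type
                           "parent": {"trustZone": slug(nets[0])},  # first network = home zone
                           "tags": [f"network:{n}" for n in nets]})
        for dep in list(svc.get("depends_on") or []):  # list() also handles long syntax
            dataflows.append({"id": f"{slug(name)}-to-{slug(dep)}", "name": f"{name} -> {dep}",
                              "source": slug(name), "destination": slug(dep)})
        for port in svc.get("ports") or []:
            exposed, p = True, published_port(port)
            dataflows.append({"id": f"{INTERNET_CLIENT}-to-{slug(name)}-{p}",
                              "name": f"port {p} -> {name}", "source": INTERNET_CLIENT,
                              "destination": slug(name), "tags": [f"port:{p}"]})
    if exposed:  # a published port is only a threat surface if an outside actor exists
        components.append({"id": INTERNET_CLIENT, "name": "External client",
                           "type": "generic-client",  # assumed OTM component type
                           "parent": {"trustZone": INTERNET_ZONE}})
    return {"otmVersion": "0.1.0", "project": {"name": project_name, "id": slug(project_name)},
            "trustZones": zones, "components": components, "dataflows": dataflows}


def validate_otm(otm):
    """Referential checks worth running before handing the file to any consumer:
    every component must sit in a known trust zone and every dataflow must
    connect two known components (a depends_on pointing at a non-service is
    the usual way to get a dangling reference)."""
    zone_ids = {z["id"] for z in otm["trustZones"]}
    comp_ids = {c["id"] for c in otm["components"]}
    errors = [f"component {c['id']}: unknown trust zone {c['parent']['trustZone']}"
              for c in otm["components"] if c["parent"]["trustZone"] not in zone_ids]
    errors += [f"dataflow {d['id']}: unknown component {d[end]}"
               for d in otm["dataflows"] for end in ("source", "destination")
               if d[end] not in comp_ids]
    return errors


if __name__ == "__main__":
    model = compose_to_otm(COMPOSE, "Compose demo")
    print("\n".join(validate_otm(model)) or json.dumps(model, indent=2))
```

Compose networks are mapped to trust zones because they are the boundary the container runtime actually enforces, and a published port is modelled as a dataflow from an explicit external-client component rather than as a property of the service, so the exposure shows up as a crossing of the Internet trust boundary. The validation step is separate from generation on purpose: a dangling id is the most common reason an interchange file is rejected on import, and catching it in the parser keeps the failure close to its cause.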
“As it has been launched under Creative Commons, the standard can be used in open-source projects or even by commercial vendors to share threat models of their systems, in order for those in turn to be used by organizations adopting those systems.”

Commenting in a press release, Stephen De Vries, IriusRisk CEO and founder, said: “With the launch of our Open Threat Model standard, we are building a tool that will transform the threat modeling process. With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modeling an increasingly simple and widely adopted practice.”

OTM standard could address software development security incohesion

The standard comes at a time when the security implications surrounding SDLCs are significantly impacting organizations. Last year, a report from Osterman Research outlined considerable incohesion between software development teams and cybersecurity functions, compounding the software supply chain risks faced by businesses. It revealed that 45% of development teams felt their understanding of the latest application attacks was lacking, with the vast majority admitting to knowingly pushing vulnerable code live. What’s more, just 27% of frontline development professionals considered application security their responsibility, only half of CISOs were confident that secure applications can be developed, and 45% of security workers felt developers did not understand the latest threats to application security.

Speaking to CSO, cybersecurity consultant Harman Singh says that the OTM standard is significant for businesses because it provides a framework for threat modeling that can be used by teams and organizations of all sizes at different stages of the SDLC. “The OTM standard has been designed to be easy to use and understand so that businesses can quickly and effectively assess the risks to their systems.
The OTM standard is also flexible, so businesses can adapt it to meet their specific needs,” he adds.

The benefits of using the standard include the ability to quickly and effectively assess the risks to systems, the flexibility to adapt it to meet specific needs, and the capability to prioritize risks and design relevant controls, Singh says.