The Open Threat Model (OTM) Standard by IriusRisk.

The Open Threat Model (OTM) standard is a generic, tool-agnostic way of describing a threat model in a format that is simple to use and understand.

Secure, collaborate and automate.

The standard has been designed to allow greater connectivity and interoperability between threat modeling and other parts of the Software Development Lifecycle (SDLC) and the wider cybersecurity ecosystem. Released under a Creative Commons license, it can be used or contributed to by anyone.

Threat modeling as a practice is evolving, and so must the technology that surrounds it. Looking at what happened with DevOps, the key to scaling the creation and management of infrastructure was a combination of cultural change and the commoditisation of infrastructure, for example through cloud platforms and Infrastructure as Code (IaC).

Threat modeling will inevitably go through a similar shift, and this standard has been created to facilitate that evolution. By leveraging existing design artefacts such as IaC, the threat modeling process can be automated, increasing the scalability and maturity of threat modeling as a result.

Why use an open threat modeling standard?

Supports new sources of application and system design.
Anyone can write and share parsers or other tools that take source formats such as CloudFormation templates, Visio diagrams, or Docker Compose files and produce an OTM threat model from them.
Exchange data within the SDLC and cybersecurity ecosystem.
Having threat models represented in a common format means that data can be consumed by other tools through integrations.
Exchange between organisations.
It would be a great outcome if open source projects, or even commercial vendors, shared threat models of their systems in a form that organisations adopting those systems could ingest and use directly.

Got your attention? Let's learn some more...

Intro to OTM

In this article we’re going to take a close look at the specification and how IriusRisk implements and uses it to automatically create threat models from CloudFormation templates.

How to create an OTM Parser

In this article we are going to create a simple Python script that parses a threat model represented as a Graphviz DOT file and generates a threat model defined in the Open Threat Model standard.

OTM Standard launches under Creative Commons License

The Open Threat Model Standard will allow greater connectivity and interoperability between threat modeling and other parts of the Software Development Lifecycle (SDLC).