
OTM under a standards body?

Open trevor-vaughan opened this issue 1 year ago • 14 comments

Discussions aren't active, so I figured I'd start the thread here.

Are there plans to pursue OTM under one of the standards bodies?

While the standard itself seems reasonable, pushing for wider adoption is difficult when the standard is vendor-housed.

trevor-vaughan avatar Nov 01 '23 11:11 trevor-vaughan

I think there's community support for OTM to be an OWASP project. Also, if IriusRisk would like OTM to be an international standard, Ecma should be seriously considered. OWASP and Ecma have built a working model that's community-based while ensuring the TC is actively involved. CycloneDX is the first to leverage the working model. I can make introductions if desired.

stevespringett avatar Nov 01 '23 12:11 stevespringett

Yes, there is always concern when a vendor is seen to control a standard/format. IMO, it is too early to go for a heavyweight standards body that adds too much bureaucratic overhead. An OWASP project seems like a faster alternative given where we are with OTM currently. There is some interest with other projects and I think it would help adoption if we had at least 2 other tools using the format. E.g. pytm, Threat Dragon.

stephendv1 avatar Nov 01 '23 17:11 stephendv1

That's certainly reasonable.

Is pytm still alive? Last I checked it seemed functional but not really progressing.

trevor-vaughan avatar Nov 01 '23 17:11 trevor-vaughan

Yes, pytm is still very much alive and is referenced by other projects, @izar to update us on this maybe

jgadsden avatar Nov 01 '23 17:11 jgadsden

Yup, pytm is very much alive. We have a lot going on behind the scenes, and at some point, we will have a fresh update. Regarding OTM, pytm needs changes to it to be able to actually use it - namely, making the x/y attributes not mandatory, as pytm has no concept of a graphical representation.

Just a couple of days ago we were discussing it at ThreatModCon and many of us agree with @stevespringett - we should work towards making OTM an external standard.

izar avatar Nov 02 '23 14:11 izar

@jgadsden what say you about Threat Dragon also using OTM as a supported format? @izar x/y co-ordinates can easily be made optional.

stephendv1 avatar Nov 07 '23 17:11 stephendv1

@stephendv1 I went looking at it this morning and either there have been changes I hadn't seen or I had misread the spec (more likely....) - the x/y are only mandatory on Diagram type of Representation, which makes perfect sense.

OTOH....how about adding P to CIA ?

izar avatar Nov 07 '23 17:11 izar
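As an added example (not code from the OTM repository, IriusRisk, pytm or Threat Dragon), here is a small Python check for the rule izar describes above: position x/y are required only on component representation elements that reference a representation of type "diagram", and may be absent on elements that reference a code representation. The field names used (representations[].type, components[].representations[].representation and .position) follow my reading of the OTM schema and are an assumption; the sample document is constructed for this example.

```python
"""Check the OTM rule that position x/y are only required on component
representation elements pointing at a "diagram" representation.

Example code written for this thread, not part of the OTM spec or any
project's tooling.  Field names follow my reading of the OTM schema
(assumption); the sample document below is constructed.
"""
import json

# Constructed sample OTM document: one diagram representation, one code
# representation, two components with elements on each.
SAMPLE_OTM = json.dumps({
    "otmVersion": "0.1.0",
    "project": {"name": "demo", "id": "demo"},
    "representations": [
        {"name": "Architecture diagram", "id": "arch-diagram", "type": "diagram",
         "size": {"width": 1000, "height": 800}},
        {"name": "Source", "id": "src-repo", "type": "code"},
    ],
    "components": [
        {"name": "Web app", "id": "web", "type": "web-application",
         "parent": {"trustZone": "public"},
         "representations": [
             # Diagram element with a position: fine.
             {"name": "Web app on diagram", "id": "web-d", "representation": "arch-diagram",
              "size": {"width": 100, "height": 60}, "position": {"x": 120, "y": 200}},
             # Code element, no position: fine, x/y are not required here.
             {"name": "Web app in code", "id": "web-c", "representation": "src-repo",
              "file": "src/web/"},
         ]},
        {"name": "Database", "id": "db", "type": "database",
         "parent": {"trustZone": "private"},
         "representations": [
             # Diagram element without a position: must be reported.
             {"name": "DB on diagram", "id": "db-d", "representation": "arch-diagram",
              "size": {"width": 100, "height": 60}},
             # Code element without a position: allowed.
             {"name": "DB in code", "id": "db-c", "representation": "src-repo"},
         ]},
    ],
})


def _has_numeric_xy(position):
    """True if position is a dict whose x and y are int/float (bool excluded)."""
    if not isinstance(position, dict):
        return False
    for key in ("x", "y"):
        value = position.get(key)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
    return True


def check_diagram_positions(otm_json):
    """Return a list of findings; an empty list means the rule holds.

    A finding is raised when a component representation element references
    an unknown representation id, or references a diagram representation
    without a numeric position.x/y.  Elements on non-diagram representations
    are never required to carry a position.
    """
    otm = json.loads(otm_json)
    rep_types = {r["id"]: r.get("type") for r in otm.get("representations", [])}
    findings = []
    for comp in otm.get("components", []):
        for el in comp.get("representations", []):
            ref = el.get("representation")
            if ref not in rep_types:
                findings.append(f"{comp['id']}/{el.get('id')}: unknown representation {ref!r}")
                continue
            if rep_types[ref] == "diagram" and not _has_numeric_xy(el.get("position")):
                findings.append(
                    f"{comp['id']}/{el.get('id')}: diagram element lacks numeric position.x/y")
    return findings


if __name__ == "__main__":
    for finding in check_diagram_positions(SAMPLE_OTM):
        print(finding)
```

Running the block prints the single finding for the database element on the diagram; the two code-representation elements without positions produce nothing, which is the behaviour pytm would rely on when it emits OTM without any graphical representation.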

Yes, I agree @stephendv1, and I have labelled the issue in Threat Dragon for version 2.2 (which is the next minor version), although no guarantee that we can find someone to do it.

jgadsden avatar Nov 07 '23 20:11 jgadsden

@stephendv1 we have some good news in that @stevespringett and Matthew McDonald are working on OTM being a supported format for Threat Dragon

jgadsden avatar Nov 08 '23 05:11 jgadsden

The Threat Dragon file/JSON schema is a bit quirky, with two versions, for 1.x and 2.x. If OTM becomes an open standard, then Threat Dragon version 3 could use it as its file format instead of the existing incompatible version 1.x and version 2.x formats.

jgadsden avatar Jan 30 '24 07:01 jgadsden

That is great news! Does threat dragon need many additional changes to the spec based on what’s published currently?

stephendv1 avatar Feb 01 '24 11:02 stephendv1

Good point, I have raised an issue on Threat Dragon : Use OTM as the default file format #850 and have raised an issue for OTM to identify any extensions needed by OTM to cover all the information contained within Threat Dragon files : #26

jgadsden avatar Feb 01 '24 12:02 jgadsden

Regarding "If OTM becomes an open standard...". OWASP is now a member of Ecma International. The CycloneDX community has worked with Ecma on developing a community-based standardization process that is going to be the model of the future. It would be possible to leverage what CycloneDX and Ecma have already created and use it as a template to create their own technical committee under Ecma with the end goal of making OTM an Ecma standard. Ecma also has liaison agreements with ISO and other standards bodies, so theoretically, OTM could also be an ISO standard by way of Ecma.

Please note that the standardization process that OWASP/Ecma created is lightweight while also ensuring full participation by both OWASP and Ecma TC member organizations.

If this is of interest to IriusRisk and the community, please let me know and we can discuss next steps.

stevespringett avatar Feb 03 '24 19:02 stevespringett

Certainly from my point of view this is a good way forward. Threat Dragon will be working towards full integration with OTM whatever the outcome.

jgadsden avatar Feb 04 '24 05:02 jgadsden