Start your day with intelligence. Get The OODA Daily Pulse.

In 2014, Elon Musk applied the open-source philosophy to Telsa patents (to foster innovation and “create a common, rapidly-evolving technology platform…for the advancement of electric vehicle technology…to accelerate the advent of sustainable transport”), making all the company’s patents available for public use.

The management team over at the automated threat modeling company IriusRisk may have similar motivations to Musk and the team over at Tesla for the rapid market creation of an open-standard threat modeling tools marketplace, with the added incentive of enormity and ferocity of the threat faced by CISOs and cybersecurity professionals daily.  A scalable, replicable, open-source threat modeling standard is a brilliant space for innovation  – and the timing could not be better.

Whatever the incentives are for the company, in March the Atlanta-based IriusRisk launched the Open Threat Model (OTM) Standard under a Creative Commons license as part of version 4.1 of the IriusRisk Threat Modeling Platform – Version 4.  The company describes the open-source OTM Standard as “a tool-agnostic way of describing a threat model in a simple to use and understandable format. An accompanying API allows you to provide an OTM file and IriusRisk will automatically build a full threat model using the rules engine, which contains an extensive library of components and risk patterns.  The OTM standard has been designed for the software architects, DevOps and DevSecOps personnel that are working towards secure design and want to contribute to the widespread adoption of threat modeling as an industry standard.”

According to the company, the objective of the new standard is to simplify the generation of threat models, making it a commoditized and adoptable practice.

Community, Collective Intelligence, Interoperability, and Scalability are the Vectors for Innovation

For comparison,  the closest analogy which comes to mind is the impact in the 1990s of the adoption of the Autodesk DWG file format (which is not an acronym but is derived from drawing) – which was a boon for the interoperability and standardization of visualization, development, and production in industry verticals ranging from architecture, industrial design, structural engineering, and visual effects production for film and television.

Interestingly, Autodesk has now leveraged the institutional knowledge and the success of this contribution to the creation of the computer-aided design (CAD) and computer graphics imagery (CGI)  marketplace to a next-generation platform called BIM (Building Information Modeling), making interoperable and scalable innovation a reality in the development of LEED (Leadership in Energy and Environmental Design) green building certification, with a focus on architecture, construction, infrastructure, manufacturing, and sustainability.

IriusRisk provides an overview of the promise of the OTM standard and the variety of source formats available for compatibility:

“The OTM Standard can leverage a wide range of source formats, including Amazon Web Services Cloudformation, and supports new sources of application and system design.

Users can write and share parsers for artifacts such as CloudFormation, Visio, or Docker Compose files. The standard will also allow users to exchange threat model data within the SDLC and cyber security ecosystem because threat models are represented in a common format, meaning users will be able to use this data through integrations.

Finally, OTM facilitates exchanges between organizations. As it has been launched under Creative Commons, the standard can be used in open-source projects or even by commercial vendors to share threat models of their systems, in order for those, in turn, to be used by organizations adopting those systems, the company states.”

What Next?

Stephen De Vries, CEO and founder of IriusRisk, commented, ‘With the launch of our Open Threat Model Standard we are building a tool that will transform the threat modeling process.  With the wider security and developer community contributing to the Standard, we are excited to see the combined impact we can have on secure design by making threat modeling an increasingly simple and widely adopted practice.'” (1)

The OTM API is now available in IriusRisk’s V4.1 product release.

With Autodesk’s 30 years of market impact and innovation as a template, IriusRisk’s open-source OTM Standard launch is arguably the beginnings of the Software Development Life Cycle (SDLC) and cybersecurity platforms fusing into a broader ecosystem optimized for standardization, scalability, and interoperability – positioning threat modeling for success, innovation, and status as an industry-standard practice.

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.