Skip to main content

Creating Threat Models Via API - Using OTM

Eric Rosenberg
  • Updated

 

What is OTM?

OTM stands for "Open Threat Model" and it is a platform independent way to define the threat model of any system. It allows both humans and computers to understand the components of a system and their distribution, showing the exposed security risks and their mitigation. An OTM document is itself a JSON object, which may be represented either in JSON or YAML format.

OTM allows us to create a threat model from a piece of code, like a terraform or a cloudformation files as well.

 

Using OTM with IriusRisk

Since version 4.1 of the product, IriusRisk has an OTM API that allows you to provide an OTM file and IriusRisk will automatically build a full threat model using the rules engine, an extensive library of components and risk patterns. Find below the IrisuRisk API:

Build, Collaborate & Integrate APIs | SwaggerHub

 

 

API Setup Instructions and Information

API Setup Instructions

How To Obtain Your API Key

IriusRisk Open Threat Model (OTM) Supported Specifications

 

Basic Example Using Postman

 

Screenshot at Aug 08 12-00-16.png

 

Once you have your API client setup, in this example I'll be using Postman, you want to select `api → v1 → products → otm → POST`

This will bring up the basic setup to send your yaml file.  You want to be sure you name your project in the top bar, and change the `file` selection to `file` (rather than text) as shown in the example above.

 

You can upload your own custom yaml file, however for this example I'll be using a default template provided here:

 

otmVersion: 0.1.0
project:
id: helloworld
name: Hello World

trustZones:
- name: Public
id: 6376d53e-6461-412b-8e04-7b3fe2b397de
risk:
trustRating: 10
- name: Private Secured
id: 2ab4effa-40b7-4cd2-ba81-8247d29a6f2d
risk:
trustRating: 90

components:
- name: Client
id: client
type: generic-client
parent: 
trustZone: 6376d53e-6461-412b-8e04-7b3fe2b397de
- name: REST Service
id: rest-service
type: rest-full-web-service
parent:
trustZone: 2ab4effa-40b7-4cd2-ba81-8247d29a6f2d

dataflows:
- name: Client to REST service
id: client-to-rest
source: client
destination: rest-service
tags:
- HTTPS

 

^This can be saved into a file named "hello.yaml" that you would select from the `Select Files` button in your "Values" section of Postman.

 

If you would like to run the same command without Postman, an example can be found here:

curl -X 'POST' \  
'https://<INSTANCE>.iriusrisk.com/api/v1/products/otm/' \ 
-H 'accept: application/json' \ 
-H 'api-token: <TOKEN>' \ 
-H 'Content-Type: multipart/form-data' \ 
-F 'file=@hello.yaml;type=application/x-yaml'

 

This is possible through StartLeft

 

Startleft

StartLeft is an automation tool for generating Threat Models written in the Open Threat Model (OTM) format from a variety of different sources such as IaC files, diagrams or projects exported from Threat Modeling tools.

If you are using an On-Prem instance with IriusRisk, you will want to be sure this is enabled.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk