What is OTM?
OTM stands for "Open Threat Model" and is a platform-independent way to define the threat model of any system. It allows both humans and computers to understand the components of a system and how they are distributed, showing the exposed security risks and their mitigations. An OTM document is itself a JSON object, which may be represented in either JSON or YAML format.
OTM also allows a threat model to be created from code, such as Terraform or CloudFormation files.
Using OTM with IriusRisk
Since version 4.1 of the product, IriusRisk has an OTM API that allows you to provide an OTM file, from which IriusRisk automatically builds a full threat model using the rules engine and an extensive library of components and risk patterns. The IriusRisk API documentation is linked below:
Build, Collaborate & Integrate APIs | SwaggerHub
API Setup Instructions and Information
IriusRisk Open Threat Model (OTM) Supported Specifications
Basic Example Using Postman
Once you have your API client set up (in this example I'll be using Postman), select `api → v1 → products → otm → POST`.
This brings up the basic form for sending your YAML file. Be sure to name your project in the top bar, and change the value type of the `file` key to `file` (rather than text), as shown above.
You can upload your own custom YAML file; however, for this example I'll be using the default template provided here:
```yaml
otmVersion: 0.1.0
project:
  id: helloworld
  name: Hello World
trustZones:
  - name: Public
    id: 6376d53e-6461-412b-8e04-7b3fe2b397de
    risk:
      trustRating: 10
  - name: Private Secured
    id: 2ab4effa-40b7-4cd2-ba81-8247d29a6f2d
    risk:
      trustRating: 90
components:
  - name: Client
    id: client
    type: generic-client
    parent:
      trustZone: 6376d53e-6461-412b-8e04-7b3fe2b397de
  - name: REST Service
    id: rest-service
    type: rest-full-web-service
    parent:
      trustZone: 2ab4effa-40b7-4cd2-ba81-8247d29a6f2d
dataflows:
  - name: Client to REST service
    id: client-to-rest
    source: client
    destination: rest-service
    tags:
      - HTTPS
```
Save this as a file named `hello.yaml` and select it with the `Select Files` button in the "Values" section of Postman.
If you would like to run the same request without Postman, an equivalent curl command is:
```shell
curl -X 'POST' \
  'https://<INSTANCE>.iriusrisk.com/api/v1/products/otm/' \
  -H 'accept: application/json' \
  -H 'api-token: <TOKEN>' \
  -H 'Content-Type: multipart/form-data' \
  -F 'file=@hello.yaml;type=application/x-yaml'
```
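Before uploading an OTM document with the Postman or curl request above, it is worth checking that its references resolve (every component sits in a declared trust zone, every dataflow connects declared components) and looking at which dataflows cross a trust-zone boundary, since those are the flows IriusRisk's risk patterns will be most interested in. The script below is an added example, not IriusRisk or OTM project code; it re-states the page's `hello.yaml` in the JSON form OTM also permits (constructed inline), implements a few minimal checks of my own rather than the IriusRisk rules engine, and treats an `HTTPS` tag on a dataflow as meaning "encrypted in transit", which is an assumption based on the sample rather than a rule from the spec.

```python
"""Sanity-check an OTM document before uploading it (added example)."""
import json

# Constructed sample: the page's "Hello World" model in JSON form.
HELLO_WORLD_OTM = """
{
  "otmVersion": "0.1.0",
  "project": {"id": "helloworld", "name": "Hello World"},
  "trustZones": [
    {"name": "Public", "id": "6376d53e-6461-412b-8e04-7b3fe2b397de",
     "risk": {"trustRating": 10}},
    {"name": "Private Secured", "id": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d",
     "risk": {"trustRating": 90}}
  ],
  "components": [
    {"name": "Client", "id": "client", "type": "generic-client",
     "parent": {"trustZone": "6376d53e-6461-412b-8e04-7b3fe2b397de"}},
    {"name": "REST Service", "id": "rest-service", "type": "rest-full-web-service",
     "parent": {"trustZone": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d"}}
  ],
  "dataflows": [
    {"name": "Client to REST service", "id": "client-to-rest",
     "source": "client", "destination": "rest-service", "tags": ["HTTPS"]}
  ]
}
"""

REQUIRED_KEYS = ("otmVersion", "project", "trustZones", "components", "dataflows")


def load_otm(text):
    """Parse the JSON representation of an OTM document."""
    return json.loads(text)


def validate_otm(otm):
    """Return a list of problems; an empty list means all references resolve.

    These are minimal structural checks of my own (assumption), not the
    validation IriusRisk performs server-side.
    """
    problems = [f"missing top-level key: {k}" for k in REQUIRED_KEYS if k not in otm]
    if problems:
        return problems
    zones = {z["id"] for z in otm["trustZones"]}
    components = {}
    for c in otm["components"]:
        cid = c.get("id")
        if cid in components:
            problems.append(f"duplicate component id: {cid}")
        components[cid] = c
        parent = c.get("parent", {})
        # Assumption: OTM also allows a component to be the parent of another
        # component; this check only resolves trust-zone parents.
        if "trustZone" in parent and parent["trustZone"] not in zones:
            problems.append(f"component {cid} references unknown trust zone {parent['trustZone']}")
        elif "trustZone" not in parent and "component" not in parent:
            problems.append(f"component {cid} has no parent")
    for f in otm["dataflows"]:
        for end in ("source", "destination"):
            if f.get(end) not in components:
                problems.append(f"dataflow {f.get('id')} {end} references unknown component {f.get(end)}")
    return problems


def cross_zone_flows(otm):
    """List dataflows whose endpoints sit in different trust zones.

    trust_delta > 0 means the flow enters a zone more trusted than the one it
    leaves, the direction an analyst normally reviews first.
    """
    zones = {z["id"]: z for z in otm["trustZones"]}
    comp_zone = {c["id"]: c.get("parent", {}).get("trustZone") for c in otm["components"]}
    result = []
    for f in otm["dataflows"]:
        src = zones.get(comp_zone.get(f.get("source")))
        dst = zones.get(comp_zone.get(f.get("destination")))
        if src is None or dst is None or src is dst:
            continue
        result.append({
            "dataflow": f.get("id"),
            "from": src["name"],
            "to": dst["name"],
            "trust_delta": dst.get("risk", {}).get("trustRating", 0)
                           - src.get("risk", {}).get("trustRating", 0),
            # Assumption: an HTTPS tag marks the flow as encrypted in transit.
            "encrypted": "HTTPS" in f.get("tags", []),
        })
    return result


if __name__ == "__main__":
    model = load_otm(HELLO_WORLD_OTM)
    print("problems:", validate_otm(model) or "none")
    for flow in cross_zone_flows(model):
        print(flow)
```

Run it against your own document by replacing `HELLO_WORLD_OTM` with the file contents (converted to JSON, or parsed with a YAML library if you have one installed); a non-empty problem list is a good reason not to upload yet, because a dangling trust-zone or component reference gives the rules engine nothing to reason about for that element.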
Generating an OTM file from code, as mentioned above, is possible through StartLeft.
StartLeft
StartLeft is an automation tool for generating Threat Models written in the Open Threat Model (OTM) format from a variety of different sources such as IaC files, diagrams or projects exported from Threat Modeling tools.
If you are using an On-Prem instance of IriusRisk, make sure this is enabled.