-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OTM under a standards body? #22
Comments
I think theres community support for OTM to be an OWASP project. Also, if IriusRisk would like OTM to be an international standard, Ecma should be seriously considered. OWASP and Ecma have built a working model that's community-based while ensuring the TC is actively involved. CycloneDX is the first to leverage the working model. I can make introductions if desired. |
Yes, there is always concern when a vendor is seen to control a standard/format. IMO, it is too early to go for a heavyweight standards body that adds too much bureaucratic overhead. An OWASP project seems like a faster alternative given where we are with OTM currently. There is some interest with other projects and I think it would help adoption if we had at least 2 other tools using the format. E.g. pytm, Threat Dragon. |
That's certainly reasonable. Is pytm still alive? Last I checked it seemed functional but not really progressing. |
Yes, pytm is still very much alive and is referenced by other projects, @izar to update us on this maybe |
Yup, pytm is very much alive. We have a lot going on behind the scenes, and at some point, we will have a fresh update. Just a couple of days ago we were discussing it at ThreatModCon and many of us agree with @stevespringett - we should work towards making OTM an external standard. |
@stephendv1 I went looking at it this morning and either there have been changes I hadn't seen or I had misread the spec (more likely....) - the x/y are only mandatory on Diagram type of Representation, which makes perfect sense. OTOH....how about adding P to CIA ? |
Yes, I agree @stephendv1 , and I have labelled the issue in Threat dragon for version 2.2 (which is the next minor version) - although no guarantee that we can find someone to do it |
@stephendv1 we have some good news in that @stevespringett and Matthew McDonald are working on OTM being a supported format for Threat Dragon |
The Threat Dragon file/JSON schema is a bit quirky, with two versions for 1.x and 2.x |
That is great news! Does threat dragon need many additional changes to the
spec based on what’s published currently?
|
Good point, I have raised an issue on Threat Dragon : Use OTM as the default file format #850 |
Regarding "If OTM becomes an open standard...". OWASP is now a member of Ecma International. The CycloneDX community has worked with Ecma on developing a community-based standardization process that is going to be the model of the future. It would be possible to leverage what CycloneDX and Ecma have already created and use it as a template to create their own technical committee under Ecma with the end goal of making OTM an Ecma standard. Ecma also has liaison agreements with ISO and other standards bodies, so theoretically, OTM could also be an ISO standard by way of Ecma. Please note that the standardization process that OWASP/Ecma created is lightweight while also ensuring full participation by both OWASP and Ecma TC member organizations. If this is of interest to IriusRisk and the community, please let me know and we can discuss next steps. |
certainly from my point of view this is a good way forward |
What is the current license of the OTM spec? The README has a blurb saying "Creative Commons Attribution-ShareAlike 4.0 International License", but this could be seen as pertaining only to the README, and the repository as a whole specifies no license at all, which makes it proprietary. |
Discussions aren't active so I figure I'd start the thread here.
Are there plans to pursue OTM under one of the standards bodies?
While the standard itself seems reasonable, pushing for wider adoption is difficult when the standard is vendor-housed.
The text was updated successfully, but these errors were encountered: