
OTM under a standards body? #22

Open
trevor-vaughan opened this issue Nov 1, 2023 · 16 comments

Comments

@trevor-vaughan

Discussions aren't active so I figure I'd start the thread here.

Are there plans to pursue OTM under one of the standards bodies?

While the standard itself seems reasonable, pushing for wider adoption is difficult when the standard is vendor-housed.

@stevespringett

I think there's community support for OTM to be an OWASP project. Also, if IriusRisk would like OTM to be an international standard, Ecma should be seriously considered. OWASP and Ecma have built a working model that's community-based while ensuring the TC is actively involved. CycloneDX is the first to leverage the working model. I can make introductions if desired.

@stephendv1

Yes, there is always concern when a vendor is seen to control a standard/format. IMO, it is too early to go for a heavyweight standards body that adds too much bureaucratic overhead. An OWASP project seems like a faster alternative given where we are with OTM currently. There is some interest with other projects and I think it would help adoption if we had at least 2 other tools using the format. E.g. pytm, Threat Dragon.

@trevor-vaughan (Author)

That's certainly reasonable.

Is pytm still alive? Last I checked it seemed functional but not really progressing.

@jgadsden (Contributor)

jgadsden commented Nov 1, 2023

Yes, pytm is still very much alive and is referenced by other projects, @izar to update us on this maybe

@izar

izar commented Nov 2, 2023

Yup, pytm is very much alive. We have a lot going on behind the scenes, and at some point, we will have a fresh update.
Regarding OTM, pytm needs changes to it to be able to actually use it - namely, making the x/y attributes not mandatory, as pytm has no concept of a graphical representation.

Just a couple of days ago we were discussing it at ThreatModCon and many of us agree with @stevespringett - we should work towards making OTM an external standard.

@stephendv1

@jgadsden what say you about Threat Dragon also using OTM as a supported format?
@izar x/y co-ordinates can easily be made optional.

@izar

izar commented Nov 7, 2023

@stephendv1 I went looking at it this morning and either there have been changes I hadn't seen or I had misread the spec (more likely...). The x/y are only mandatory on the Diagram type of Representation, which makes perfect sense.

OTOH... how about adding P to CIA?

@jgadsden (Contributor)

jgadsden commented Nov 7, 2023

Yes, I agree @stephendv1, and I have labelled the issue in Threat Dragon for version 2.2 (which is the next minor version), although there is no guarantee that we can find someone to do it.

@jgadsden (Contributor)

jgadsden commented Nov 8, 2023

@stephendv1 we have some good news in that @stevespringett and Matthew McDonald are working on OTM being a supported format for Threat Dragon.

@jgadsden (Contributor)

jgadsden commented Jan 30, 2024

The Threat Dragon file/JSON schema is a bit quirky, with two versions for 1.x and 2.x.
If OTM becomes an open standard then Threat Dragon version 3 could use it as its file format instead of the existing, mutually incompatible, version 1.x and version 2.x formats.

@stephendv1

stephendv1 commented Feb 1, 2024 via email

@jgadsden (Contributor)

jgadsden commented Feb 1, 2024

Good point. I have raised an issue on Threat Dragon: Use OTM as the default file format #850
and have raised an issue for OTM to identify any extensions needed by OTM to cover all the information contained within Threat Dragon files: #26

@stevespringett

stevespringett commented Feb 3, 2024

Regarding "If OTM becomes an open standard...". OWASP is now a member of Ecma International. The CycloneDX community has worked with Ecma on developing a community-based standardization process that is going to be the model of the future. It would be possible to leverage what CycloneDX and Ecma have already created and use it as a template to create their own technical committee under Ecma with the end goal of making OTM an Ecma standard. Ecma also has liaison agreements with ISO and other standards bodies, so theoretically, OTM could also be an ISO standard by way of Ecma.

Please note that the standardization process that OWASP/Ecma created is lightweight while also ensuring full participation by both OWASP and Ecma TC member organizations.

If this is of interest to IriusRisk and the community, please let me know and we can discuss next steps.

@jgadsden (Contributor)

jgadsden commented Feb 4, 2024

Certainly from my point of view this is a good way forward.
Threat Dragon will be working towards full integration with OTM whatever the outcome.

@jmehnle

jmehnle commented Oct 15, 2024

What is the current license of the OTM spec? The README has a blurb saying "Creative Commons Attribution-ShareAlike 4.0 International License", but this could be seen as pertaining only to the README, and the repository as a whole specifies no license at all, which makes it proprietary.

@dfernandezvigo (Collaborator)

Thank you @jmehnle for bringing this up! The intent is for the entire OTM specification to be under the Creative Commons Attribution-ShareAlike 4.0 International License, not just the README. However, we recognize that the current repository structure might cause confusion.

To address this, we will ensure the license is explicitly clarified and added at the root of the repository to avoid ambiguity. We appreciate your feedback and will work on updating this promptly.

If you have any further suggestions or concerns, please let us know!
