Product
The Product asset type in the OWASP Open Asset Model (OAM) represents a commercial or open-source technology product—hardware, software, or service—that plays a role in an organization's external attack surface. Products may include server software, security appliances, cloud services, content management systems, networking gear, and more.
- Definition: A Product asset includes a name, type, optional category and description, and optionally a country of origin. It represents a distinct technology offering as discovered in intelligence collection, vulnerability data, or infrastructure enumeration.
- Purpose: Modeling products as first-class assets allows the OAM to associate technologies with organizations, services, or infrastructure. This helps analysts answer questions like “What products are deployed by this organization?”, “Where are certain technologies concentrated?”, or “Is this vulnerable product version publicly exposed?”
- Design Choice: The Product structure is intentionally minimal to support broad applicability. While the ProductRelease handles additional information such as version, vendor, and licensing via Identifier assets and properties, the core type emphasizes identification and categorization. The inclusion of country_of_origin supports use cases related to supply chain risk and regulatory compliance.
The Product asset type provides structured visibility into the technologies exposed in an organization's external footprint, supporting vulnerability mapping, software inventory, and strategic technology analysis.
Product Attributes
Attributes | Type | Required | Description |
---|---|---|---|
unique_id | string | | Unique identifier for the product asset |
product_name | string | | Name of the product (e.g., nginx, Apache Tomcat, Zoom) |
product_type | string | | General type (software, hardware, service, etc.) |
category | string | | Optional category (e.g., web_server, load_balancer, crm) |
description | string | | Optional short description of the product |
country_of_origin | string | | Optional ISO country code or name (e.g., US, Germany) |
Product Properties
Property Type | Property Name | Description |
---|---|---|
SimpleProperty | last_monitored | Tracks when a data source was last queried regarding this Product |
SourceProperty | Source Plugin Name | Indicates that the specified data source discovered this Product |
Product Outgoing Relations
```mermaid
graph TD
product["Product (nginx)"]
ident["Identifier"]
idRel@{ shape: braces, label: "id" }
product --o idRel
idRel --> ident
org["Organization"]
vendorRel@{ shape: braces, label: "manufacturer" }
product --o vendorRel
vendorRel --> org
url["URL"]
webRel@{ shape: braces, label: "website" }
product --o webRel
webRel --> url
prodrel["ProductRelease"]
rel@{ shape: braces, label: "release" }
product --o rel
rel --> prodrel
```
Relation Type | Relation Label | Target Assets | Description |
---|---|---|---|
SimpleRelation | id | Identifier | Links the Product to Identifier assets, such as product identifiers |
SimpleRelation | manufacturer | Organization | The organization that produces and supports the product |
SimpleRelation | website | URL | The website where information can be found about the product |
SimpleRelation | release | ProductRelease | Links the Product to known product releases and versions |
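As an added illustration (not code from the OAM project), the Go sketch below decodes a Product record using the attribute names from the attributes table and checks its outgoing relations against the label and target pairs listed in the relations table. The Product struct, the Relation type, CheckProduct, and the rule that attributes not described as optional must be non-empty are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Product mirrors the attribute table; illustrative struct, not the OAM project's type.
type Product struct {
	ID              string `json:"unique_id"`
	Name            string `json:"product_name"`
	Type            string `json:"product_type"`
	Category        string `json:"category,omitempty"`
	Description     string `json:"description,omitempty"`
	CountryOfOrigin string `json:"country_of_origin,omitempty"`
}

// Relation is a hypothetical edge record: relation label plus target asset type.
type Relation struct{ Label, Target string }

// allowed maps each outgoing relation label to its target asset type, per the relations table.
var allowed = map[string]string{"id": "Identifier", "manufacturer": "Organization", "website": "URL", "release": "ProductRelease"}

// CheckProduct returns every problem found; assumes non-optional attributes must be non-empty.
func CheckProduct(raw []byte, rels []Relation) []string {
	var p Product
	if err := json.Unmarshal(raw, &p); err != nil {
		return []string{"decode: " + err.Error()}
	}
	var errs []string
	for _, f := range [][2]string{{"unique_id", p.ID}, {"product_name", p.Name}, {"product_type", p.Type}} {
		if f[1] == "" {
			errs = append(errs, "missing "+f[0])
		}
	}
	for _, r := range rels {
		if want, ok := allowed[r.Label]; !ok {
			errs = append(errs, "unknown relation "+r.Label)
		} else if want != r.Target {
			errs = append(errs, fmt.Sprintf("relation %s must target %s, got %s", r.Label, want, r.Target))
		}
	}
	return errs
}

func main() {
	// Constructed sample record and relations; the second relation has the wrong target type.
	raw := []byte(`{"unique_id":"p-1","product_name":"nginx","product_type":"software","category":"web_server"}`)
	fmt.Println(CheckProduct(raw, []Relation{{"release", "ProductRelease"}, {"manufacturer", "URL"}}))
}
```

Running such a check at ingestion time keeps mislabeled edges (for example a manufacturer relation pointing at a URL) out of the graph before analysts query it.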
© 2025 Jeff Foley — Licensed under Apache 2.0.