When we reflect on 2021, we will see it as a landmark year for the adoption of threat modeling solutions.
This adoption was driven by, and reflected in, a number of major industry recognitions for threat modeling as a critical software security practice over the past 12 months. This includes NIST’s recommendation for threat modeling to be undertaken as part of the Recommended Minimum Standard for Vendor or Developer Verification of Code, effectively making it a requirement for organizations that sell to the U.S. federal government.
Insecure Design was also added as a new category into the OWASP Top 10 alongside a recommendation that organizations use threat modeling to achieve secure design, and the Threat Modeling Playbook was released by the FDA and MITRE.
IriusRisk has been at the forefront of this movement and the last year has seen tremendous uptake in our threat modeling platform. Our customer base and annual recurring revenue more than doubled, as did the number of users on our Community Edition, which increased by 120% with 2,248 projects being run through the platform. You could say that we have quite literally “doubled down” on our mission in the past 12 months.
We are very proud of the breadth of companies we are helping through our platform – from small teams of developers using the Community Edition, to large international organizations with hundreds of users. Our customer base now includes six Fortune 100 companies and we have a particularly high uptake among financial services institutions – with three out of the Top 10 Global Systemically Important Banks (G-SIBs) now using IriusRisk.
Today, we are seeing increasing interest from medical device manufacturers, industrial control and critical infrastructure organizations, and the automotive industry. We also more than quadrupled our partner base last year, as VAS/GSIs are increasingly looking to capitalize on the value in consulting services based around threat modeling and our platform.
The growth of our customer base has been matched by our growth as a team. The IriusRisk engineering, R&D and customer success teams doubled in size this year, enabling us to further increase our presence across the US, UK and continental Europe. I am particularly proud of the major decision we made in December to introduce a four-day week for development staff, which my co-founder and COO Cristina Bentue discussed with Forbes. It has already had an incredible impact on accelerating our hiring process while also leading to increased productivity and better work-life balance for our staff. Together, we are all playing a part in changing the industry for the better, by building security into software right from the beginning.
As we look to the year ahead and what 2022 will bring, we will continue growing our team, improving our product, supporting our customers, and sharing our expertise with the community. This is all undertaken with the overarching mission of making threat modeling simpler and more comprehensive – to ensure that the next generation of software released into the market is secure by design.
Stephen de Vries
Stephen is our co-founder and CEO, and leads our team in building the IriusRisk Threat Modeling platform. He has a strong background in web application and particularly Java security, with an emphasis on automated security testing and risk assessment. He has published numerous original research papers and presented at leading conferences such as Black Hat USA/Europe, DevOps Connect, and OWASP. He is a founding leader of the OWASP Java Project and a contributor to the OWASP ASVS and Testing projects. Despite being CEO, Stephen is very much involved in all operations and functions across the company and loves to share his experience with delegates at our hosted events and external conferences.