IriusRisk Team | The Threat Modeling Experts
June 27, 2025

IriusRisk Rules Engine

Introduction

As organizations mature their approach to secure design, automating parts of the threat modeling process is essential. While threat modeling tools can already accelerate elements such as diagramming, questionnaires, and countermeasure selection, the IriusRisk Rules Engine takes this automation a step further. It enables you to define and enforce security logic that adapts to your processes, environments, and internal policies, all without manual intervention. Sounds good, right? Let’s find out more about it. 

What exactly is our Rules Engine?

The IriusRisk Rules Engine is a powerful automation capability that allows security teams to take defined actions automatically when specific conditions are met in their threat model. Think of it as a helpful assistant: once you’ve outlined your security processes and logic, the Rules Engine ensures they’re followed every time, consistently and without repeating the manual effort. It helps teams enforce internal policies and align with security standards by embedding this logic directly into the modeling process. Learn more in this Knowledge Base article.

What Can You Use It For?

The use cases are wide-ranging and impactful for scaling secure design processes, but here is a selection to give you an idea:

  • Scope Management: Automate how projects are scoped based on custom inputs like questionnaires or trust zones.
  • Internal Policy Enforcement: Add guardrails to ensure security requirements are met across environments and teams.
  • Security Standard Application: Automatically apply internal or external security standards to projects.
  • Dynamic Updates: Trigger changes, such as marking threats or countermeasures as Implemented, Required, Not Applicable and more, or adding new countermeasures, based on user inputs or contextual logic.

In short, if your team is repeatedly doing something manually during the threat modeling process, it’s a candidate for automation with the Rules Engine.  

How Does It Work?

Rules are built using a simple, modular approach:

  1. Choose the Context: This defines where the rule applies—at the project, component, data flow, threat, or workflow level.

  2. Set Conditions: These are the triggers. Examples include:
    • A specific answer to a questionnaire
    • A component placed in a certain Trust Zone
    • A workflow state being entered
    • A custom field being populated

  3. Define Actions: These happen when the conditions are met. You can:
    • Mark a Countermeasure as required or implemented
    • Notify users
    • Mark a Threat as Not Applicable
    • Move a component between Trust Zones
    • Import security content
    • Assign projects or send emails

Running multiple environments? No problem. Once configured, the rule runs automatically. Better still, rules are reusable and portable—build it once, and apply it across environments like development, staging, and production without the need for duplication. 

For advanced users, IriusRisk also supports Drools, an open-source, Java-based rules language; Drools rules can be written and edited directly in the code editor within the UI.
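As an added illustration (not IriusRisk code, and not the Drools syntax the product itself uses), the following Python sketch models the three-part structure described above: each rule has a context (where it is evaluated), a condition (the trigger) and an action (what happens). The fact classes, field names, state values, rule definitions and the sample threat model are all assumptions constructed for this example.

```python
"""Toy rules engine: context / condition / action, as an added example.
Not IriusRisk or Drools code; all classes, states and rules are assumed."""
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass
class Countermeasure:
    name: str
    state: str = "recommended"      # assumed states: recommended / required / implemented


@dataclass
class Threat:
    name: str
    countermeasures: list = field(default_factory=list)
    state: str = "open"             # assumed states: open / not_applicable


@dataclass
class Component:
    name: str
    trust_zone: str
    threats: list = field(default_factory=list)


@dataclass
class Project:
    name: str
    answers: dict                   # questionnaire answers (constructed)
    components: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


@dataclass
class Rule:
    name: str
    context: str                    # "project" or "component": where the rule is evaluated
    condition: Callable[[Project, Any], bool]
    action: Callable[[Project, Any], None]


def run_rules(project: Project, rules: list) -> list:
    """Evaluate every rule against each object in its context and apply the
    action where the condition holds. Returns the (rule, target) pairs that fired."""
    fired = []
    for rule in rules:
        targets = [project] if rule.context == "project" else list(project.components)
        for target in targets:
            if rule.condition(project, target):
                rule.action(project, target)
                fired.append((rule.name, target.name))
    return fired


# --- actions (hypothetical) -------------------------------------------------
def require_tls(project: Project, component: Component) -> None:
    # Mark every TLS countermeasure on the component as required.
    for threat in component.threats:
        for cm in threat.countermeasures:
            if "TLS" in cm.name:
                cm.state = "required"


def drop_pii_threats(project: Project, _target: Any) -> None:
    # Mark PII threats Not Applicable across the whole project.
    for component in project.components:
        for threat in component.threats:
            if threat.name == "PII disclosure":
                threat.state = "not_applicable"


def notify_security_team(project: Project, _target: Any) -> None:
    project.notifications.append(f"security-team: review production project {project.name}")


def default_rules() -> list:
    return [
        Rule("require TLS at internet edge", "component",
             lambda p, c: c.trust_zone == "Internet", require_tls),
        Rule("PII threats not applicable", "project",
             lambda p, _: p.answers.get("handles_pii") == "no", drop_pii_threats),
        Rule("notify security team on production", "project",
             lambda p, _: p.answers.get("environment") == "production", notify_security_team),
    ]


def build_sample_project(environment: str) -> Project:
    """Constructed sample threat model; the same rules run unchanged per environment."""
    return Project(
        name=f"payments-api-{environment}",
        answers={"handles_pii": "no", "environment": environment},
        components=[
            Component("web-frontend", "Internet", [
                Threat("Eavesdropping", [Countermeasure("Encrypt traffic with TLS")]),
                Threat("PII disclosure", [Countermeasure("Mask PII in logs")]),
            ]),
            Component("db", "Internal", [
                Threat("PII disclosure", [Countermeasure("Encrypt PII at rest")]),
            ]),
        ],
    )


def demo(environment: str = "production"):
    project = build_sample_project(environment)
    fired = run_rules(project, default_rules())
    return project, fired


if __name__ == "__main__":
    for env in ("development", "production"):
        project, fired = demo(env)
        print(project.name, [name for name, _ in fired], project.notifications)
```

Running the same rule set against a development and a production copy of the project shows the "build once, apply across environments" idea: the TLS and PII rules fire in both, while the notification rule fires only where the questionnaire answer says production.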

What Benefits Can It Bring?

You are already gaining benefits from automating your threat modeling process, all while producing more secure software. Layer on the Rules Engine and you go further still: saving time and incorporating compliance requirements in a consistent, repeatable manner. It's a win-win.

  • Time Savings: Automate repetitive tasks so your team can focus on higher-impact work.
  • Consistency: Apply internal standards and rules without relying on individual memory or manual checks.
  • Scalability: Enforce best practices across multiple projects or environments with minimal effort.
  • Governance: Demonstrate alignment with internal or regulatory standards by hard-coding them into your threat modeling process.
  • Confidence: Reduce the risk of human error and ensure your models remain robust, even as projects grow in complexity.

By embedding automation into your secure design process, the IriusRisk Rules Engine helps security teams do more with less - without compromising on quality or control. It’s an essential tool for organizations ready to scale secure software development with precision and confidence. What are you waiting for? 
