We're excited to share more new functionalities in this release:
- Lock your threat models
- Introducing Product Components
- Create and restore versions of your product
- Create multiple dataflows between components
- Nesting trustzones within components
- New components in this release
- Updates to standards and library content
'Lock' your threat models
Enhance the control and management of your threat models with our new lock feature. You can now lock threat models to prevent changes to architecture diagrams and prevent the addition and/or removal of threats, countermeasures, or weaknesses. Find out how in our new support article.
This is useful when you want to prevent changes to threat models when they’re not being actively worked on. For example, an update to a standard won’t suddenly add a new set of threats and countermeasures and catch you by surprise. It also prevents unintended changes by others with access to the threat model.
Introducing Product Components
Represent an entire IriusRisk product as a component in the diagram of another product - as demonstrated here in our dedicated support article.
For example, your Identity team may own and manage the threat model for the Single Sign On (SSO) system, and your application team may own and manage the threat model for the web application that relies on SSO. In IriusRisk, your Identity team can now create a Product Component from the SSO product which the application team can drag into their threat model diagram just as with any other component.
Currently, this would display that the application product depends on the SSO product and you can follow the component to the source product. The SSO product owners can also see the list of all the products that refer to their product. In a future update, we plan to extend the feature to allow you to see the relationship between threats and countermeasures so that threat models are more accurate and reduce the number of countermeasures that teams need to focus on.
Create and restore versions of your product
Think of product versions as snapshots of which you’re now able to revert to or restore, as and when needed.
For example, you may be creating a product version for each major release of your product. If a release was rolled back for some reason, you can easily revert your threat model to the previous release by restoring the version for that release. You can also restore versions as a way of reverting to a backup in the case of unintended changes to the threat model.
Create multiple dataflows between components
Components in a threat model often communicate with each other in many different ways. You’re now able to create multiple dataflows between two components within a threat model diagram. For example, if you have two servers that communicate over HTTP and SSH, you can now create two separate dataflows - one labeled with HTTP and the other with SSH.
Nesting trustzones within components
Threat models can be complicated, and trustzones can apply at different levels. Within this new release, you can embed trustzones within components. For example, an EC2 component may exist within a VPC trustzone, but it may be necessary to have two trustzones within the EC2 instance - one for a web application component, and one for the filesystem component.
New components in this release:
- AWS Elastic Block Store (EBS)
- AWS Elastic File System (Amazon EFS)
- AWS FSx for Windows File Server
- AWS Elastic Container Registry (ECR)
- AWS Elastic Container Service (ECS)
- AWS Elastic Container Service for Kubernetes (EKS)
- AWS Elasticsearch
- AWS CloudWatch
- AWS Eventbridge
- AWS CloudTrail
Updates to standards and library content:
- A new risk pattern called HTTP-SERVICE:TOKEN:JWT with one threat and eleven new countermeasures has been created to include JWT security best practices (based on RFC8725) in the CS-Default library.
- Two new countermeasures have been added to the CS-Default library to mitigate Spectre-like side-channel attacks.
- Open Security Architecture (OSA) references have been added to NIST 800-53 controls in six libraries (AWS Lambda, CS-Default, EU-GDPR, FEDRAMP, AWS, and IoT).