IriusRisk Team | The Threat Modeling Experts
December 11, 2023

Product Update: Release 4.23

We are excited to announce the release of IriusRisk 4.23 which includes these new enhancements and features:

  • Take automation to the next level with beta access to our new v2 API endpoints
  • Create threat models from your existing diagrams.net diagrams with our new Open Threat Model endpoint
  • Manage your Business Units easily with a shiny new interface
  • And much more!

Take automation to the next level with beta access to our new v2 API endpoints

Many of you have been using our existing API to automate and scale threat modeling. As part of the migration of the user interface to React, we have been building a whole new API layer, lovingly called API v2. These APIs offer more advanced functionality than API v1 and far better coverage of the product: basically, if you can do it in the UI, there will be an API for it.

We're thrilled to announce that in this release we have enabled the API v1 authentication method, namely user tokens, for use with API v2.

Not everything is available in API v2 yet, but there is a lot you can get started with today such as:

  • Assets
  • Audit logs
  • Business Units
  • Component definitions
  • Projects
  • Standards
  • and more!

As we migrate more of the interface, more endpoints will become available.

For the full list of what’s available, check out the documentation here: https://support.iriusrisk.com/hc/en-us/articles/15089750023709


To use the user tokens with API v2:

  • Ensure “API Access” is enabled in the global settings.
  • The user accessing API v2 must have the API_ACCESS permission, akin to the requirements for API v1.

When making requests, send the token in the same header as used in API v1.

Be aware that if a user lacks API_ACCESS, or if the API is disabled, they will receive a generic authentication error. This is a crucial aspect to consider during troubleshooting.

Beta Version Disclaimer: Please note that this version of the API is currently in beta. While it offers advanced features for deeper integrations and flexible automations, we reserve the right to make breaking changes during this phase. Backwards compatibility may not be maintained. We encourage users to explore its capabilities but recommend caution in production environments as the API may undergo significant modifications.

This beta feature marks a significant leap in our API's evolution, bringing enhanced automation capabilities to your processes.

Create threat models from your existing diagrams.net diagrams with our new Open Threat Model endpoint

You can now import your existing Diagrams.net (formerly Draw.io) diagrams into IriusRisk.

In addition to importing CloudFormation, Terraform, Visio, Lucidchart, and Microsoft Threat Modeling Tool files, this release adds the ability to create a threat model from your diagrams.net files, saving you the time of recreating them in a dedicated threat modeling tool.

Given this complex AWS example:

[diagram: the AWS example as drawn in diagrams.net]

IriusRisk’s powerful import process faithfully recreates it, automatically mapping the cloud components and building a full threat model that can be acted on immediately to secure the design:

[screenshot: the imported threat model in IriusRisk]

For more information on using the draw.io endpoint, see https://app.swaggerhub.com/apis/iriusrisk/IriusRisk/1.26.0

Manage your Business Units easily with a shiny new interface

Users have expressed the need for a more efficient way to manage Business Units. This includes creating, modifying, and deleting Business Units, as well as managing the users associated with each. The goal is to simplify the process, moving away from the tedious task of individually assigning users to Business Units from the User details page.

To enhance user experience, we've migrated the Business Units page to a React-based UI. This technical update comes with a significant improvement in both the look and functionality of the Business Units management interface.

[screenshot: the new Business Units page]

Key features of the new interface include:

  • The process for creating, editing, and removing Business Units is now more intuitive and user-friendly.
  • The ability to manage user membership at the Business Unit level, streamlining the process of adding or removing users.
  • The Business Units page is now conveniently located in its own section within the settings menu, rather than being under "User & Permissions."
  • Users with "ALL_USERS_UPDATE" or "MANAGE_USERS_BU" permissions can access the new Business Units section.
  • The existing functionality to assign or remove Business Units from users within User details remains unchanged.

Here we can see the list of users associated with the Business Unit and can add and remove them directly from this view.

Manage the Custom Fields of IriusRisk provided threats through a new API

In this third instalment of improving how you manage content in IriusRisk, this release enables you to set Custom Field values for threats in IriusRisk provided libraries.

In v4.19 we released an endpoint that lets you manage the custom field values for countermeasures, and previous to that you could associate your custom Standards with IriusRisk provided countermeasures.

With this new API you can manage the metadata associated with IriusRisk provided threats, without losing updates to our content.

The following types of custom fields can now be edited: DATE, TEXT and TEXTAREA.


To use the API, call this v1 endpoint:

[screenshot: the v1 endpoint]

This endpoint accepts a path parameter with the following data:

  • threat-id: an identifier of the library threat whose custom field values will be updated across all the libraries.

The endpoint accepts a body with the following data:

[screenshot: the request body fields]

This means you can now pre-set the values of the custom fields in libraries and have them applied automatically to all instances of the threats in projects.

For more information see the API documentation here: https://app.swaggerhub.com/apis/iriusrisk/IriusRisk/1.26.0

Read SAML signature/encryption key information from environment variables

When our clients configure SAML (or we do it for them), we among other things set up the keys that IriusRisk will use to sign the messages sent to the identity provider:

[screenshot: SAML signing key settings in the configuration file]

In many scenarios this is undesirable for security reasons: if these configuration files are kept in a version control system, for example, the confidential key material ends up stored there too.

We have provided two new mechanisms for supplying these values: launch parameters and environment variables. Here you can see the equivalence between these parameters/variables and the old Groovy configuration:

  • storeFile can be set via IRIUS_SAML_KEYSTORE_LOCATION
  • storePass can be set via IRIUS_SAML_KEYSTORE_PASSWORD
  • defaultKey can be set via IRIUS_SAML_KEY_NAME
  • passwords can be set via IRIUS_SAML_KEY_PASSWORD

This is a new feature and we are not dropping support for the configuration file settings; they can still be used, we simply have a new mechanism for providing this information. You can also provide only some of these keys in your environment or launch parameters; the rest will be read from the other available sources, in this order of precedence:

  • Environment
  • Launch parameters
  • Groovy file
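A small check, added here and not part of IriusRisk's own code, that resolves the four settings in the precedence order just given and reports which secret-bearing ones (storePass, passwords) would still be read from the Groovy file, i.e. would be committed along with it. The Groovy `key = "value"` line syntax, the launch-parameter names and the sample values are assumptions.

```python
import os
import re

# Mapping stated in the release notes: Groovy setting -> environment variable.
SETTING_TO_ENV = {
    "storeFile": "IRIUS_SAML_KEYSTORE_LOCATION",
    "storePass": "IRIUS_SAML_KEYSTORE_PASSWORD",
    "defaultKey": "IRIUS_SAML_KEY_NAME",
    "passwords": "IRIUS_SAML_KEY_PASSWORD",
}
# The two settings that carry secrets and should not live in a versioned file.
SECRET_SETTINGS = {"storePass", "passwords"}

# Constructed sample; the real file's syntax is assumed to use `key = "value"` lines.
SAMPLE_GROOVY = '''
storeFile = "/opt/iriusrisk/saml/keystore.jks"
storePass = "changeit"
defaultKey = "irius-saml"
passwords = "changeit"
'''

def parse_groovy_settings(text):
    """Extract the four SAML keystore settings from Groovy-style `key = "value"` lines."""
    found = {}
    for key in SETTING_TO_ENV:
        m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % key, text, re.MULTILINE)
        if m:
            found[key] = m.group(1)
    return found

def resolve_setting(key, env, launch_params, groovy):
    """Return (value, source) following environment > launch parameter > Groovy file.
    launch_params is assumed to be keyed by the Groovy setting name."""
    env_name = SETTING_TO_ENV[key]
    if env.get(env_name):
        return env[env_name], "environment"
    if launch_params.get(key):
        return launch_params[key], "launch-parameter"
    if key in groovy:
        return groovy[key], "groovy-file"
    return None, None

def secrets_still_in_file(env, launch_params, groovy_text):
    """Secret settings whose effective value still comes from the Groovy file."""
    groovy = parse_groovy_settings(groovy_text)
    return sorted(k for k in SECRET_SETTINGS
                  if resolve_setting(k, env, launch_params, groovy)[1] == "groovy-file")

if __name__ == "__main__":
    # With no env vars or launch parameters set, both secrets are file-sourced.
    print(secrets_still_in_file(dict(os.environ), {}, SAMPLE_GROOVY))
```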

For more information on configuring SAML, see this support article: https://support.iriusrisk.com/hc/en-us/articles/360050136312-SAML-authentication

Improved grouping of Custom Fields

We have improved how the grouping of Custom Fields works by associating groups with the Data type that Custom Fields are applied to.

When you create a Custom field you choose where it is shown by selecting a Data type for that custom field from Project, Countermeasure, Test or Threat. Groups however weren’t associated with a Data type, leading to scenarios such as empty groups for one data type but not for another.

In this release we have now associated Groups with the Data type, so you can now have separate groups for Project, Countermeasure, Test or Threat Data types.

[screenshot: Custom Field groups associated with a Data type]

Note that Group names cannot be shared between different Data types. If you have any groups containing Custom fields of different Data types, the group will be duplicated once per associated Data type and named [Current-Group-Name]-[Entity].

For example, “Group CF” group and “Test” Data type would become “Group CF-TEST”.

Library XML updates now executed as a background process

To improve the experience of uploading large XML library files, we have moved the process into the background. This prevents the User Interface from being blocked by the update process, allowing you to continue your work while the update happens in the background. It also prevents unexpected errors in the UI due to timeouts.

Security Content

The following new Cloud components have been added:

  • GCP Firewall

We have released a new Salesforce library with the following components:

  • Salesforce MCI (Marketing Cloud Intelligence) - formerly known as Datorama
  • Salesforce Marketing Cloud
  • Salesforce MuleSoft
  • Salesforce Platform
  • Salesforce Sales
  • Salesforce Service

Standards and library updates:

  • Countermeasure mappings have been refactored to use the updated NIST 800-53 Rev. 5.

Deprecations

ThreadFix Test Import Notice

UPDATE: As notified, we have removed the functionality for importing ThreadFix test results in this release.

My Portfolio

NEW: The My Portfolio section will be deprecated and removed in Q1 2024.

NEW: We will be turning off the “continuumsecurity” SwaggerHub site. Customers should continue to use https://app.swaggerhub.com/apis/iriusrisk/IriusRisk instead.

Release notes

For more information, see the Version 4.23 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.