IriusRisk Team
The Threat Modeling Experts
April 4, 2024

Product Update Release 4.27


IriusRisk 4.27 includes these enhancements and improvements:

  • Issue Tracker Profiles are here! Want to send a threat to the security team backlog? Or send a bunch of countermeasures to the dev team, and another load to the CloudOps team? Or create some issues as Tasks and others as Bugs? With our new Issue Tracker Profiles that’s a breeze.
  • With diagram thumbnails, clear access to key information, and powerful search and filtering, our new Projects List and Templates List interfaces make browsing and managing your projects and templates quick, easy, and enjoyable.
  • The Components Definitions page has also been refreshed. They are now grouped by category making them quick to scan and browse, plus an improved way to view and manage the risk patterns associated with components.
  • Plus more!

Issue Tracker Profiles are here!!

Issue Tracker Profiles are a complete re-design of how issue trackers are managed in IriusRisk and how issues are created. Giving you the balance of scale and simplicity, issue tracker profiles provide a powerful new way to create issues from IriusRisk.

Sending issues from the same project to different teams

Imagine you’re a dev team threat modeling a change to your application. There are certain countermeasures that you can act on; validating input, applying access controls, safe handling of data etc. But there may be important countermeasures that you don’t have direct ownership of, and that need to be handled by a different team. For example, rate limiting, DoS protection, and network segmentation might need to be handled by centralized CloudOps or networking team.

With Issue Tracker Profiles (ITPs) this isn’t a problem. You can create ITPs for each team, and then when it’s time for you to turn countermeasures into issues, simply select the relevant ITP for the given countermeasures. You can even do it in bulk.

In the above screenshot, we can see the user is selecting Dev Team A for the selected countermeasures.

But what about the countermeasure we need to send to the CloudOps team? No problem, simply select the team’s ITP from the list:

Send tasks or bugs or anything else

You don’t have to limit yourself to an Issue Tracker Profile per team. It might make sense for a single team to have multiple ITPs. For example, you may want to raise certain countermeasures as tasks, but others as bugs. This is easy with Issue Tracker Profiles. Just create a new ITP with the specific configuration as needed.

Send threats as well as weaknesses and countermeasures

Not only can you raise issues from weaknesses and countermeasures, but you can also create them from threats. This is particularly useful if you want to send threats to a security team for further assessment or collaboration.

Configuring Issue Tracker Profiles  

Creating and managing Issue Tracker Profiles is easy and intuitive thanks for our new interface design. Accessing “Issue trackers” from the Settings menu, you’re taken straight to the list of ITPs as well as the general settings.

The list shows the state (published or draft), and icon for the type of integration, and the name of the profile.

Click “New” to create a new profile, and select from the supported platforms.

Then just give your Issue Tracker Profile a name, and configure the connection, credentials, and fields.

You can test the connection, and publish the ITP once you’re happy and it’s ready for others to use.

In order to be able to create and manage Issue Tracker Profiles, relevant users will need the ISSUE_TRACKER_PROFILE_UPDATE permission. You could for example create a new role for ITP creators, and assign that role to any users who need to be able to manage ITPs, either globally on behalf of teams or for their own projects.

Our new Projects List and Templates List interfaces make browsing and managing your projects and templates quick, easy, and enjoyable.

The new Projects and Templates list interfaces make browsing and managing projects and templates straight forward. They show key at-a-glance information including a preview of the diagram, the project name and id, as well as update status and timestamps.

Hovering over a project or template, you can click “See details” to open up the side panel. This allows you to easily edit metadata associated with the project without leaving the list. Of course, controls for search and sorting projects are also available, as are buttons for creating or importing new projects.

Clicking on the project or template in the list takes you directly to the Project Home page.

The Components definitions page refresh

The Components definitions interface has also been refreshed. Components are now grouped by category, making them easier to browse. Alternatively you can search for the relevant component. Clicking a component opens up a panel on the right where the data for the component can be edited.

The source of threats for the components has also been improved, with a nested view of the library and risk patterns associated with the component.

Global settings interface improvements

We have completed the refresh of the global settings interfaces as well. Separate menu options for Features and User Interface are available, and all of the settings have improved controls as well as updated descriptions.

Another “automazing” 100 API v2 endpoints

This release includes another massive load of new API v2 endpoints, 108 to be precise, bringing the total to over 400!

Endpoints in this release include:

  • Some Component Definitions summary endpoints
  • Issue Tracker Profiles (including Project-level)!!!
  • A bunch of library endpoints
  • Project threats, weaknesses, countermeasures, tests etc
  • Rules management
  • and more

What can you do with these components?

To help you think about how you can use these new endpoints to further enhance your threat modeling automation, consider these use cases:

  • Automatically create new Issue Tracker Profiles as new projects are created in your issue tracker
  • Create issues for a list of threats or countermeasures
  • You can even automate the library management process, including applying library changes to projects

Checkout the support article for further details Zendesk.

New network and generic components

The following new IR Network Components have been added:

  • Akamai Guardicore Segmentation
  • F5 BIG-IP
  • FortiGate FortiOS
  • Tanium Patch
  • Zscaler ZIA

The following Generic Components have also been added:

  • Elastic Stack
  • Okta


Release Notes

For more information, see the Version 4.27 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.