We are very excited to announce the first update to the Version 4 release of IriusRisk, and the first update of the year. This release includes new features as well as improvements, including:
- A new API endpoint that creates threat models using the Open Threat Model standard
- Improved tabs and representation for threats and countermeasures
- Multiple tab support so you can use IriusRisk in multiple tabs or browsers at the same time
- The first step towards integrating our new Advanced Analytics module into the core product
- New dataflow and component rules conditions and actions
- The first release of our Functional Components library, 15 new AWS components, and 41 new Microsoft Azure components
The Open Threat Model API
The Open Threat Model (OTM) standard is a generic and tool-agnostic way of describing a threat model in a format that is simple to use and understand. It has been designed to allow greater connectivity and interoperability between threat modeling and other parts of the Software Development Lifecycle (SDLC) and cybersecurity ecosystem. Released under Creative Commons, anyone can contribute or use the standard.
Threat modeling as a practice is evolving, and so must the technology that surrounds the practice. If you look at what happened with DevOps, the key to scaling the creation and management of infrastructure was a combination of culture changes as well as the commoditisation of infrastructure such as through cloud and Infrastructure as Code (IaC). Threat modeling will inevitably go through a similar shift, and this standard has been designed to facilitate that evolution. By leveraging existing design artefacts such as IaC, we can automate the threat modeling process, increasing the scalability and maturity of threat modeling as a result.
Key use cases for an open threat modeling standard include:
- Easily supporting new sources of application and system design. Anyone can write and share parsers or other tools that take source formats such as CloudFormation, Visio, or Docker Compose files.
- Exchange threat model data within the SDLC and cyber security ecosystem. Having threat models represented in a common format means being able to use that data through integrations.
- Exchange between organisations. It would be a great outcome if open source projects or even commercial vendors were sharing threat models of their systems in a way that could be ingested and used by organisations adopting those systems.
The first iteration of an OTM API endpoint has been included in this release. This API allows you to provide an OTM file, and IriusRisk will automatically build a full threat model using the rules engine and an extensive library of components and risk patterns. The first release of the API supports trustzones, components, and dataflows.
For more information on using the OTM API, see The Introduction to the Open Threat Model standard.
User interface improvements
This release includes a number of important user interface improvements.
Multi-tab support means you can now run IriusRisk in multiple tabs or browsers. This is useful when multitasking, such as when you need to copy information from one place to another, or when you want to keep two views open at the same time. You can also quickly get the URL to any project straight from the browser’s URL bar. This is useful when sharing projects with other team members such as on Slack or email.
You can now bulk select threats and run bulk actions on the selected threats. Actions include everything from accepting risks to marking threats as Not Applicable.
There is also improved filtering for threats. You can filter on components, use cases, owner, source and weakness test result.
The icons representing risk and priority for threats and countermeasures now have a clearer distinction that doesn’t rely on colour.
A flattened view is now available for countermeasures, allowing you to quickly read through all of your countermeasures without having to open up nested tree nodes.
Other improvements include the ordering of nodes in library XML.
The Advanced Analytics & Reporting module is an add-on product that gives customers better insights into their threat modeling data. Customers can create custom reports and dashboards leveraging the full set of data available within IriusRisk, as well as integrating with other data sources.
This release includes the first step towards a full integration. In the top navigation bar you will see an “Analytics” button. For administrator users this button will present the opportunity to configure the module or request access through Customer Success. Non-administrator users are advised to reach out to their IriusRisk administrators for more information.
For more information on the Advanced Analytics & Reporting module, see Advanced Analytics and Reporting.
New Dataflow rules conditions and actions
New dataflow rule conditions and actions give a more powerful expression of the relationships between components in a threat model. This means more accurate threat models and less work for developers when combined with actions such as “Implement countermeasure in destination”.
- 1 new component condition:
- Component category is
- 2 new data flow conditions:
- Origin Component is
- Destination Component is
- 2 new data flow actions:
- Insert Conclusion in Origin
- Insert Conclusion in Destination
A new Functional Components library allows developers to describe the functional elements of their applications, in addition to more traditional architectural components. It includes 11 new component definitions, 20 new risk patterns, 43 new threats, and 37 new countermeasures. For more information see Threat Modeling Software Features vs Architecture.
Example components include:
- Web form
- User Registration
- Reset Password
- Exception Handler
15 new AWS components, including:
- AWS Lightsail
- AWS MediaStore
- AWS Managed Services
- AWS Global Accelerator
- AWS Launch Wizard
41 new Azure components, including:
- Azure DNS
- Azure WAF
- Azure Database for MySQL
- Azure API Management
- Azure Service Bus Messaging
- New countermeasures from the "NSA Kubernetes Hardening Guidance"
- A new 2021 OWASP Top 10 security standard
For more information, see the Version 4.1 Release Notes.