Projects are a central part of IriusRisk because that’s where the threat modeling happens. So it is essential that project creation and management is intuitive yet powerful. This release brings with it a major improvement to how you navigate projects:
- A simplified and intuitive navigation designed to get you where you need to be faster
- Visual indicators that guide the eye so you can see key information at a glance
- Better use of screen space so you have access to more information
For details on the differences between the old and new navigation see this support article.
This release includes quite a few new API endpoints as well as an improvement to the projects endpoint.
Following the release of our Open Threat Model (OTM) and CloudFormation endpoints, we have now released our Terraform API. This first release of the Terraform endpoint parses Hashicorp Configuration Language (HCL2) files with support for some basic AWS components in the default mapping file. We’ll continue to improve the default mapping file but if you need to customize the mapping you can provide your own mapping file to the API. See the API documentation for more details on using the API, the Startleft project on Github, and check out the OTM specification on Github as well.
Threats and Countermeasures
Automated threat modeling is what we do. But even with a powerful rules engine and extensive knowledge base, sometimes you need to add your own threats and countermeasures to a project. Until now it has only been possible to manually add threats and countermeasures to components within a project through the user interface. As of 4.3 you can also do this through the API, taking automation to a whole new level.
- Create a new threat in a use case for a component
- Create new countermeasures in a component
- Associate a countermeasure to a weakness in a component
- Associates a countermeasure to a threat in a component
See the API documentation for more information.
See if a project is currently syncing
Operations within IriusRisk happen asynchronously, so calling an API such as creating a new project will return immediately, even if the rules engine is still running in the background. The project API endpoint now includes a new field that will be true if the project threat model is in the process of being updated, and false if not. This means that you can poll the endpoint rather than wait some arbitrary amount of time, which is especially useful when automating your threat modeling through OTM.
Synchronize a project (update the threat model)
Speaking of synchronizing a project, there is now also a new API endpoint to trigger the update of a threat model based on diagram changes and the rules execution. Previously you could only execute the rules engine via the API, but if a diagram was in draft mode those changes were ignored until somebody pressed the “Update threat model” button in the UI. With this new endpoint you can trigger that same update action without going into the UI.
In addition to the project navigation improvements above, there have also been some improvements to project diagrams.
Threat modeling and IriusRisk is all about collaboration - whether that’s within the security department or between security and development teams. As the next step towards true real-time collaborative diagramming, multiple users can now concurrently edit a diagram if they are both on the same IriusRisk instance. If one user is updating the diagram, the others will see the update happen on their screen in real-time. The only limitation at the moment is that this won’t work if the users are connected to different instances in a High Availability (HA) environment - this is something we will be implemented in future.
Diagrams.net version update
The Diagrams.net version that IriusRisk uses for diagramming has been updated to 17.x giving a number of performance improvements.
Threats and Countermeasures
A key part of the threat modeling process is assessing countermeasures and deciding what is important and what is not. This can mean having to adjust the priority of countermeasures based on organizational context. In this release, you can now make bulk changes to the priority of countermeasures. This makes it much easier and faster to go through and adjust the countermeasures.
Another improvement is that countermeasure filters now support multi-select.
Reporting and Advanced Analytics
Advanced Analytics SSO
In a previous release, we described how to access the Advanced Analytics module once it was configured with the use of a second login for a specific Analytics module user. Now, it is possible to access the module with the same user logged in IriusRisk by configuring an SSO authentication token.
The Compliance Report has a new cover page that includes the project diagram as well as an improved layout of the sections throughout the report. Whereas content was previously structured using tables, this has been replaced by a much clearer heading and indentation structure. Previously the sections were structured as:
Status > Component > Countermeasure > Standard Ref
This didn’t provide a clear view of how the state of the countermeasures mapped to the corresponding standard. The new structure gives a much clearer overview of the state of the compliance with the standard:
Standard Ref > Status > Component > Countermeasure
IriusRisk provides a comprehensive knowledge base of components, threats, countermeasures, and rules. The default content cannot be edited, but this was not enforced for rules. As a result, users could accidentally add new rules to the default libraries, and those rules would disappear when the default libraries were updated. Now however, editing of rules for default libraries has been disabled.
We have also improved the performance of the rules engine, specifically the importing of risk patterns.
Finally, a new support article has been created that describes in detail all the different modules, conditions, and actions of rules.
This release includes improved threats and countermeasure content for:
- AWS ACM
- AWS KMS
- AWS SageMaker
- AWS EC2 Auto Scaling
- AWS Elastic Beanstalk
For more information, see the Version 4.3 Release Notes.
Shape the future of Threat Modeling with us!
Join IriusRisk Horizon
IriusRisk Horizon - Customer Research, Product Discovery, and Early Access
Bringing you the latest on all things threat modeling and architectural security.