New features and improvements include:
- Improved support for low-resolution screens, including hiding the global navigation when in projects to increase available screen space and keep focus on the content
- Dataflows created from security groups for Terraform AWS
- Easily apply a library to all projects
- and more!
Layout and Navigation
One of the big changes this release is better use of space for projects in order to reduce the visual noise, make the interface clearer, and improve support for smaller resolutions.
The biggest change is that the global navigation at the top is no longer shown when inside a project. When you’re working on a project, your focus is on the diagram, threats, countermeasures, etc., which are all available in the project menu on the left. So we’ve hidden the global navigation to give you more vertical space. If you do need to navigate to one of the global items such as Component Definitions, clicking on the IriusRisk logo in the top left will take you back to the projects list page.
We have also made numerous other space and header optimisations, such as page titles scrolling off-page and no longer being static at the top.
Open Threat Model API
The Open Threat Model (OTM) API now includes support for bi-directional dataflows. This was always included in the OTM standard, and IriusRisk will now create two dataflows (one for each direction) when bidirectional is set to true, as in the example below.
- name: my-dataflow
  bidirectional: true
This creates two dataflows:
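The expansion described above, as an added example that is not part of the original post or of IriusRisk's own code: a small Python helper that turns an OTM document's bidirectional dataflows into two one-directional flows. The dataflow fields used (id, name, source, destination, bidirectional) come from the OTM schema; the sample document and the "-reverse" id / "(reverse)" name suffixes for the generated flow are this example's own conventions.

```python
import json
from typing import Any

# Constructed OTM excerpt (JSON form of an OTM document), not taken from the
# original post: one bidirectional dataflow and one ordinary one.
OTM_SAMPLE = json.dumps({
    "otmVersion": "0.1.0",
    "project": {"name": "bidir-demo", "id": "bidir-demo"},
    "dataflows": [
        {"id": "df-1", "name": "my-dataflow", "source": "web",
         "destination": "db", "bidirectional": True},
        {"id": "df-2", "name": "logs", "source": "web", "destination": "siem"},
    ],
})


def expand_bidirectional(otm: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the document's dataflows as one-directional flows.

    A flow with ``bidirectional: true`` becomes two flows; the second has
    source and destination swapped. The id/name suffixes for the reverse
    flow are this example's own convention, not IriusRisk's.
    """
    expanded: list[dict[str, Any]] = []
    for flow in otm.get("dataflows", []):
        # Forward direction: same flow without the bidirectional marker.
        forward = {k: v for k, v in flow.items() if k != "bidirectional"}
        expanded.append(forward)
        if flow.get("bidirectional", False):
            reverse = dict(forward)
            reverse["id"] = f"{flow['id']}-reverse"
            reverse["name"] = f"{flow['name']} (reverse)"
            reverse["source"] = flow["destination"]
            reverse["destination"] = flow["source"]
            expanded.append(reverse)
    return expanded


def expand_sample() -> list[dict[str, Any]]:
    """Run the expansion over the constructed sample document."""
    return expand_bidirectional(json.loads(OTM_SAMPLE))


if __name__ == "__main__":
    for f in expand_sample():
        print(f"{f['id']}: {f['source']} -> {f['destination']}")
```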
Terraform AWS API
The Terraform AWS mapping file that is used by default by the Terraform API now includes support for creating dataflows from security groups, matching the capability of the CloudFormation API.
Trustzones are an important concept in threat modeling and are typically implemented in one of two ways: as clear boxes or zones, or as boundaries on a dataflow. IriusRisk uses trustzones because it is clearer to see which trust or security level a component is associated with, but many Visio diagrams use boundaries. The Visio API has been updated to create trustzones from boundaries.
In the below example Visio diagram you can see a boundary between the VPC and a private database.
With a single API call we can send this Visio diagram to IriusRisk to build a complete threat model.
$ curl -H "Accept: application/json" \
       -H "api-token: $IRIUS_API_TOKEN" \
       -H "Content-Type: multipart/form-data" \
       -F "diagFile=@visio-boundary-test.vsdx" \
       -F "mappingFile=@mapping.yaml;type=text/yaml" \
       -F "product-id=visio-boundary-test" \
       -F "name=VisioBoundaryTest" \
       https://release.iriusrisk.com/api/v1/products/visio
Note that for the Visio API, if you're using a custom mapping file (as above) then you'll need to set the type for that file as ;type=text/yaml, otherwise it may be interpreted as the same format as a VSDX file.
As you can see, boundaries have been converted to clear trustzones.
The Visio API now also supports more AWS stencil shapes out of the box:
- 70 AWS components supported by IriusRisk are fully supported as Visio AWS stencil shapes
- 86 Visio AWS stencil shapes are mapped to an IriusRisk component
- All other Visio AWS stencil shapes are mapped to empty-component
Advanced Analytics and Reporting
The Compliance Report has been updated to include new fields for countermeasures, including:
- Countermeasure counter
- Countermeasure reference
- Issue tracker link (if exists)
- Test result (for implemented countermeasures)
In the above example, we can see the following:
- Req 1. is a counter for required countermeasures
- CSMS-M6 is the countermeasure reference
- The issue tracker link is IRIUSDEV-132579
- and the priority is “Medium priority”
In the above implemented countermeasure example, the test result is set to “Not tested”.
Risk Pattern Libraries
When making changes to a library, it is often necessary to propagate those changes to all applicable projects. While you’ve always been able to do this with the “Apply to projects” button, you previously had to select each project you wanted to apply it to. If you wanted to apply it to all of them, and if you had tens or hundreds of projects, this was a slow and painful process.
Now, however, you can simply click the checkbox in the table header to automatically select all projects.
Another library management change we have implemented in 4.6 is that you can now import and export disabled libraries. If a library is disabled when exported, the XML will include a disabled flag. When imported, if an XML file has that flag set, then the library will be imported as disabled. This gives you much more control when it comes to developing and managing libraries.
In IriusRisk 4.6 we have released a new library called “IR Dataflows”. It is designed to take advantage of the IriusRisk rules engine to provide some dynamic behaviour to threat models. While IriusRisk users have been able to create their own dataflow rules for some time, this is the first time that we are releasing a library with dataflow rules out of the box.
The Dataflow Library implements dynamic behaviour including:
- Import new risks and countermeasures based on the protocol or file format
- Import new risks and countermeasures based on sensitive data
- Mark countermeasures as implemented
The library is disabled by default, so if you want to use it you will have to enable it first. For more information, take a look at the Dataflow Library article on our website.
Other library improvements in this release include:
- Container Security Verification Standard (CSVS) and NIST Special Publication (SP) 800-190 added to the Docker CIS library
- Missing levels added to CIS AWS Benchmark standards
- CIS Google Cloud Platform Benchmark updated to the latest version, including 7 new countermeasures
The following new GCP components have also been included:
- GCP Monitoring
- GCP Logging
- GCP Error Reporting
- GCP Debugger
- GCP Trace
- GCP Profiler
- GCP VPC (Virtual Private Cloud)
For more information, see the Version 4.6 Release Notes.