Introduction
The Four-Question Framework for Threat Modeling

Question 4: Did we do a good job

Don't worry, no one is judging, IriusRisk is here to help!

Last updated: September 24, 2024

Contents

  • Reporting
  • Compliance Report
  • Current Risk Summary Report
  • Technical Countermeasure Report
  • Technical Threat Report
  • Export your threat model
  • Risk Score

Threat modeling isn't a one-and-done activity. As your application, architecture or microservice evolves, so should your threat model. That is why it is important to revisit and review what has been done, to answer the last of Adam Shostack's Four Questions: Did we do a good job?

Reporting

Find this option at the top left of your screen, next to the threat model name. Open the ellipsis (three dots) menu and select 'Reporting'.

There are four default reports to choose from, and they can be exported in a variety of formats, including PDF, XLS, XLSX, DOCX and CSV. Most recently, HTML was added for the Technical Countermeasure Report as of release 4.31 (July 2024), with the other three reports to follow during September and October:

  1. Compliance Report - is designed to evaluate the conformity of your threat model against specific security standards.
  2. Current Risk Summary Report - is designed to provide an overview of the risks in a threat model. 
  3. Technical Countermeasure Report - provides a comprehensive evaluation of the security measures implemented and tested across various components of a threat model.
  4. Technical Threat Report - delves into the specifics of threats across different components of your threat model.

Choose the report from the drop-down and select the 'Create report' button. The only one that differs is the Compliance Report, where you can choose a standard such as PCI DSS and export based on that compliance need.

Compliance Report

Open the downloaded file from your Downloads folder. The report shows an image of your project diagram and then aligns your required countermeasures to chapters within the PCI DSS standard, first as a graph and then, on a separate page, as a description in relation to each component. See the example below:

Current Risk Summary Report

In version 4.33.0 of IriusRisk, you will find a newly designed Current Risk Summary Report and a new HTML format replacing the less standardized DOCX. The spreadsheet formats (CSV, XLS, and XLSX) have also been adapted. The HTML format makes copying and repurposing information much easier.

Content

  • Components: The section listing the components is now called "Components" instead of "Architecture".
  • Architectural Diagrams: This section has been removed, since the architectural diagrams are already shown in a previous section.

Report Structure Enhancements

  • Sleeker Tables: We've revamped the table structures to ensure clear and easy comprehension.
  • Enhanced Tracking: Added identifiers (e.g., CR 1) within the document for better tracking across different sections.

The following image shows the improved version (right side) versus the current version (left side):

Technical Countermeasure Report

In version 4.31.0 of IriusRisk, you will find a newly designed Technical Countermeasure Report along with a new HTML format replacing DOCX, which is less standardized and less portable; HTML can be easily integrated into various tools, such as email platforms. Additionally, the spreadsheet formats (CSV, XLS, and XLSX) have been adapted to contain more precise information.

Report Structure Enhancements

  • Sleeker Tables: We've revamped the table structures to ensure clear and easy comprehension.
  • Enhanced Tracking: Added identifiers (e.g., Req 1) within the document for better tracking across different sections.
  • Countermeasure References: Included specific references to countermeasures for more detailed insights.
  • Prioritization: Each item now comes with a priority tag, helping you focus on what's most important.

Here is an example showing the previous report view on the left and the new improved view on the right.

More Fashion-Forward Detailed Content in the Test Results Breakdown

  • Non-Tested Countermeasures: Now clearly listed for transparency.
  • Clear Icons: Distinct icons based on test results for quick visual reference.
  • Testing Steps Section: A dedicated section to detail each step of the testing process clearly.

Appendix Improvements

  • Improved Table Readability: Tables are now more readable and user-friendly.
  • Component Context: More context about where each component is placed, including:
    • Trust Zone Location
    • Data Flow Source
    • Data Flow From
  • Total Countermeasures: Clear display of the total countermeasures.

Technical Threat Report

The final report shows your risk summary and distribution in the form of a chart like the one below.

In addition, it provides a Risk Mitigation Summary with risk ratings and the percentage of implemented countermeasures. It then lists, per component, the threats for which not all countermeasures are implemented or a weakness test result has failed.

Finally, customers can also use their own Business Intelligence (BI) tools to pull data from IriusRisk through its API endpoints and export it into other tools and software.
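As an added example (not IriusRisk's own code or export format), the Python below applies the two checks the Technical Threat Report is described as making, the implemented-countermeasure percentage and the per-component list of threats that still need work, to a constructed, hypothetical threat-model structure. The state and test-result strings and the risk ratings are assumptions, not IriusRisk's values.

```python
# Added example (not IriusRisk code): reproduce the checks the Technical Threat
# Report describes, over a constructed, hypothetical threat-model export.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    risk: int                 # assumed 0-100 risk rating
    countermeasures: dict     # name -> state, e.g. "implemented"/"required" (assumed)
    weaknesses: dict          # name -> test result: "passed"/"failed"/"not-tested"


# Constructed sample: component -> threats (not a real IriusRisk export)
MODEL = {
    "web-frontend": [
        Threat("XSS via untrusted input", 70,
               {"Output encoding": "implemented", "CSP header": "required"},
               {"Reflected input not encoded": "passed"}),
        Threat("Session hijacking", 55,
               {"HttpOnly/Secure cookie flags": "implemented"},
               {"Cookie flags missing": "passed"}),
    ],
    "api-gateway": [
        Threat("Broken authentication", 85,
               {"Multi-factor authentication": "implemented"},
               {"Weak password policy": "failed"}),
    ],
}


def implemented_percentage(model):
    """Percentage of all countermeasures in the 'implemented' state (the
    Risk Mitigation Summary figure), rounded to a whole number."""
    states = [s for ts in model.values() for t in ts for s in t.countermeasures.values()]
    return round(100 * states.count("implemented") / len(states)) if states else 100


def open_threats(model):
    """Per component, the threats where not every countermeasure is implemented
    or a weakness test failed: the rule the report uses to list what needs work."""
    flagged = {}
    for component, threats in model.items():
        names = [t.name for t in threats
                 if any(s != "implemented" for s in t.countermeasures.values())
                 or "failed" in t.weaknesses.values()]
        if names:
            flagged[component] = names
    return flagged
```

Session hijacking is not listed because every countermeasure is implemented and no weakness test failed, while the MFA-protected authentication threat is still listed because its weakness test failed.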

Export your threat model

We don't hold your data to ransom! If you'd like to export all your threat model data (the diagram, threats, etc.), you can do so, no problem. Under the ellipsis menu, choose 'Export data model', name the threat model, and it will download in XML format. We have customers who then use this data in other tools such as Power BI, and in ASPM tools like ArmorCode, for a single source of truth.

Risk Score

If you navigate to 'Home', you are presented with a dashboard. The top left shows your risk score, which should have decreased as countermeasures are implemented to mitigate your threats effectively. It also highlights test results, countermeasure states and your threat risk distribution.
