P.S./we forgot to mention/one more thing/this stuff is pretty cool too...
Contents
See Threat Model Output (Threats and Countermeasures) Changes Over Time
Automated Component Change Detection in IriusRisk
Copy the Project link to share with others
Export your Project List as XML
Deleting Tags in Dataflows and Risk Pattern
APIs to use UUID rather than Username
Using SAML as an authentication-only identity provider
This is useful if you would like to see the history of a threat model, to know when it has changed, how frequently, and by whom. The helpful preview allows you to quickly see the differences in the diagram too. Find this option on the top left of your screen, next to the threat model name. Choose the three ellipses and then select 'Version history'.
You will then be presented with the history of that diagram, including the names of the people who made the previous edits. You can pick between different versions and even compare two against each other by using the Pin icon.
In the ever-evolving world of software development, keeping track of changes is critical. For organizations with large, complex systems, manually reviewing project snapshots to identify component changes can be a time-consuming and error-prone task. We know that threat model practitioners often feel frustrated by the need to manually compare snapshots, especially when dealing with extensive software portfolios.
With this enhancement, you will now be able to see the differential in Threats and Countermeasures between two versions of a project.
NOTE: Only available in the backend / API
We aim to simplify your workflow by instantly providing a list of component changes between any two project versions.
With this feature, you can:
Simply provide two project versions by getting the UUID link. This can be done by opening your threat model, navigating to Version History in the same way as above, and then clicking the icon in the top right, which is next to the X. A box will appear where you can copy the Project ID. Paste this into Postman and your new endpoints will deliver a clear, detailed list of all component changes, including additions, deletions, and modifications.
Go to the three ellipses on the top left again. Here you will see that the top option is to copy the project link. You can send this to team members to collaborate further.
Go to the Settings Cog in the top right corner, and select ‘Audit Log’ from the drop down. Here you will see all previous ‘events’ - which means what changes have been made, in which projects, and by whom.
This was reintroduced as of Release 4.34, to allow users to export their full list of Projects in this preferred format. Simply navigate to your Project List and click the option on the far right represented with an arrow as per the below screenshot.
Give the export a name and press the Export button.
Deleting tags in dataflows and risk patterns is now possible via the API. Please note that deleting a tag will remove all instances of that tag across all projects. The ability to delete these tags in the UI will be introduced in 4.33.
User profile pictures can be uploaded and deleted in the UI so that it is easier to quickly identify users throughout the platform. Additionally, a warning will be displayed when you invite users from outside your domain, to reduce the risk of accidentally adding unauthorized users.
This can be found under the Settings Cog (top right corner) and choosing ‘Users’ from the drop down. Then you can add or change as required.
To enhance security and comply with best practices for data protection, we will transition from using usernames to UUIDs in our v2 API endpoint paths. This change will prevent sensitive information from being recorded in our logs and in any intermediary systems like VPNs. Customers will need to ensure that any existing endpoints using usernames are updated to use UUIDs to continue functioning. This change will be effective from Release 4.33.0.
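To prepare for this change, integrations can be checked for calls that still place a username in the path. The following is an added example, not IriusRisk code: it scans request lines taken from scripts or proxy logs and flags user-endpoint calls whose identifier is not a canonical UUID, redacting the identifier in the report. The `/api/v2/users/` prefix and the sample request lines are assumptions made for illustration; confirm the real paths against the v2 API reference.

```python
import re
import uuid

# Assumed path layout for illustration only; the segment after this prefix is
# treated as the user identifier. Check the v2 API reference for real paths.
USER_PATH = re.compile(r"/api/v2/users/([^/?\s]+)")

# Constructed sample request lines (method + path), not real traffic.
SAMPLE_REQUESTS = [
    "GET /api/v2/users/jsmith",
    "GET /api/v2/users/3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
    "PUT /api/v2/users/jane.doe%40example.com",
    "GET /api/v2/projects/3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
]


def is_uuid(segment: str) -> bool:
    """True only for a canonical, hyphenated UUID string."""
    try:
        return str(uuid.UUID(segment)) == segment.lower()
    except ValueError:
        return False


def find_username_calls(lines):
    """Return (line_number, redacted_line) for user-endpoint calls
    whose identifier is not a UUID and so needs migrating."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = USER_PATH.search(line)
        if match and not is_uuid(match.group(1)):
            # Redact the identifier so the report does not repeat the
            # username that the migration is meant to keep out of logs.
            redacted = line[:match.start(1)] + "<username>" + line[match.end(1):]
            findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, line in find_username_calls(SAMPLE_REQUESTS):
        print(f"line {number}: {line}")
```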
Some of our clients require that only the user data is shared with IriusRisk, because they want to handle permission and role management directly in IriusRisk instead of through their identity provider. We previously offered no way of doing so with SAML.
From Release 4.33.0, clients can configure their SAML integration so that IriusRisk ignores the roles that come from the Identity Provider. In addition, clients will be able to manage these roles manually from IriusRisk, even if the users authenticate via SAML.