Financial Services Organization Transforms Threat Modeling Program & Meets Regulatory Requirements with IriusRisk

Company Background

The company is a financial services organization based in the United States. It had been threat modeling manually but soon realized it needed a more consistent solution and a comprehensive threat library.

Challenges

The existing manual approach was aimed at addressing OWASP A04:2021 – Insecure Design and regulatory guidance. While this manual approach laid the foundation, the customer needed a more robust solution because of several challenges:

  • The manual process led to variability in threat assessments across different projects.
  • The existing method lacked a broad library to cover the diverse threats relevant to their projects.
  • The shift towards security during the Design phase required more than just a manual process to gain widespread acceptance and integration.

Solutions

The organization turned to the market for a tool that could enhance its threat modeling program. After evaluating various options, IriusRisk was selected.

  • 20 threat modeling licenses implemented.
  • IriusRisk offered an extensive security library, driving consistency across reviews and providing the ability to apply the required OWASP standard to all threat models.
  • IriusRisk Threat Modeling Tool also allowed for customization to filter countermeasure output and focus on what mattered most for that user, team, or application.
  • The tool's ability to integrate seamlessly with the existing program allowed the organization to quickly supplement its manual process.
  • IriusRisk’s intuitive platform led to spontaneous use by application architects, beyond just the security architects, indicating organic adoption.

Benefits

Since implementing IriusRisk, the organization has observed several positive outcomes:

  • The broader threat library ensured that all relevant threats were considered, reducing the variability in threat assessments.
  • IriusRisk accelerated the organization's maturity toward a more structured and reliable process, marking progress in its "crawl-walk-run" journey.
  • The tool has been instrumental in helping the organization meet regulatory requirements, which is crucial for ongoing audits.
  • The platform's ease of use has facilitated early adoption by application architects, leading to a more collaborative approach across teams.
  • The company is now better positioned to shift left, embedding security considerations early in the design phase, thereby reducing the risk of deploying insecure applications.

The outcomes

  • Reduced variability in threat assessments
  • Met regulatory requirements for ongoing audits
  • Reduced risk of deploying insecure applications