Q: What problem does IriusRisk solve?
The dilemma: You know that threat modeling can reduce your application risk BUT you don’t have the time or skills on your team to make it a regular part of your development process for every application; or you’re performing manual threat modeling activities but can’t scale them across a large number of applications.
The solution: IriusRisk is a tool that generates threat models and their list of security requirements without having to engage with the security team. IriusRisk gives you a self-service approach to managing software security requirements without slowing your development team down, while at the same time enforcing the standardised countermeasures and security policies agreed by the security team.
IriusRisk generates a complete threat model, including Threats, Weaknesses and Recommended and Required Countermeasures, along with prioritised risk ratings.
Q: Why should we perform Threat Modeling?
Many of the software security techniques that have risen to prominence over the last few years, such as static analysis and bug bounties, are helpful. They certainly help you find problems. But it is hard to argue that they are comprehensive if you do not have a process for thinking about where security problems will arise.
That’s where threat modeling comes in. Threat modeling approaches such as those developed by Microsoft (STRIDE) and OWASP, and the scalable automated approaches that IriusRisk brings to your engineers, can provide the essential overview of what you’re building and what can go wrong so that you can focus on building it correctly from the start.
Q: We already do Threat Modeling manually, why would I want to use IriusRisk?
Using our platform provides a number of important benefits:
- Scalability across development teams. Manual TM requires a huge investment in time and security skills, both of which are in short supply in modern organisations. IriusRisk reduces the time required to do TM from days to minutes.
- Save security engineers’ time. Threat models typically take into account the technical components and features that you’re building. These elements are often repeated for different applications, which means that you end up spending a lot of time repeating the same groups of threats and countermeasures. For example, an HTTP web service that allows file upload and an HTTP web service that allows entering plain text have threat models that are 90% similar. IriusRisk allows you to capture these common elements and quickly generate the associated model, which you can either use as is or extend with further manual threat modeling. In either case, using IriusRisk can be the difference between a 16-hour manual threat modeling marathon and a 10-minute sprint.
- Save developers’ time. Manual threat modeling usually involves someone from the application security team. If you’re like most organisations then they are resources with extremely limited time and could be causing bottlenecks in your development processes. IriusRisk’s questionnaire based system of threat modeling is extremely easy to use and does not require any previous experience in threat modeling, or even security! Developers can complete it themselves and IriusRisk will automatically apply the rules and security standards configured by the security team and produce a list of security requirements that can be pushed directly to the developers’ issue tracking systems. It really is self-service threat modeling.
- Generate consistent threat models and security requirements. IriusRisk uses Risk Patterns and rules to generate threat models automatically. This ensures that the security team’s policies and standards are consistently applied to the same architectures. Always. And should these policies change, they can be centrally edited and retroactively applied to all applications, ensuring that there are no security blind spots.
- Manage security risks throughout the SDLC. Creating a threat model is only the first step in building a secure application. How do you then communicate the security requirements to the development team? How do you share the threat model with the testing team? How do you keep track of which requirements have been implemented and which not? IriusRisk is more than a threat modeling tool – it’s a risk management platform for software security. With its deep integration into other appsec tools like issue trackers and testing frameworks and tools, it allows you to avoid email/word/excel hell and keep track of risk and countermeasures in a platform designed for exactly that purpose.
- Identify Architectural Flaws: 50% of security issues are flaws in the design, not security bugs. IriusRisk helps you identify these design flaws so that you can reduce your risk exposure and reduce the potential for brand damage or financial loss due to security breaches.
- Save Money: Your costs associated with security design flaws are reduced by modeling threats and establishing security requirements using a guided wizard at design time when they’re cheaper and easier to implement.
- Save Time: Empowering every development team to create their own threat models removes the AppSec team as a bottleneck that can delay development and cause missed deadlines.
- Better Utilize Resources: When you put threat modeling and security requirements management in the hands of development and operations teams, you free up the security team to supervise these activities and focus on other high-value security work.
- Satisfy Compliance Needs – You can easily provide a full audit trail to management and regulatory authorities of all risk management activities for all products. This can help to comply with regulatory requirements.
- Build DevSecOps – You can integrate with existing development and security tools so that risk management fits seamlessly into existing processes for a complete secure DevOps toolchain.
Q: How does IriusRisk help me comply with GDPR?
GDPR also has implications for building software applications. All software that handles personal data of EU citizens will have additional functional and non-functional requirements that were previously not necessary. Since IriusRisk is based on components, questionnaires and risk patterns, we’ve done this leg work for you. By providing accurate answers to the questions when designing a new application (or reviewing an existing one), IriusRisk will automatically apply the appropriate set of security requirements to help comply with the GDPR and automatically push those requirements to your development teams’ issue trackers, so that they have actionable tasks right in their main task dashboard.
The security and compliance teams can view the status of these requirements as well as the impact of the risks in the IriusRisk console. No more shuffling documents, spreadsheets and emails to find out what the compliance state of a piece of software is.
See a video here: https://www.youtube.com/watch?v=5hOHFCUYlNI
Q: What other security standards does IriusRisk help me comply with?
IriusRisk has several Security Standards embedded in the default dataset supplied with the platform: you are just 1 click away from complying with PCI standards, OWASP ASVS and EU GDPR. Also integrated in IriusRisk are security standards for deploying systems in several clouds including AWS and Azure. Continuum Security continually adds new standards to the default data set based on customer requests and market demands. The IriusRisk platform is independent of the data set, and if you need to add your own security standards and conditions for when those standards should apply, this is easily done! See this video for an example.
Q: What are the problems developers encounter doing manual Threat Modeling?
Traditionally, development teams create threat models and their list of security requirements through an exhausting, costly, and time-consuming process led by scarce, highly trained security team members. If you don’t have access to those resources, you miss out on this important opportunity to address security risks early in the development process when they’re easiest and cheapest to fix.
Q: What level of expertise is required to do Threat Modeling with IriusRisk?
IriusRisk uses a simple, questionnaire-driven approach that can be used by any development and operations team – even those without prior security training. You can generate threat models and their list of security requirements without needing to engage with the security team. It is even possible to hide the threat model from the development team and show them only the automatically generated security requirements.
Requirements are pushed and synced directly with issue trackers so there’s no need to use yet another system to manage requirements.
IriusRisk gives your dev teams all the software security benefits of traditional full-blown threat modeling, on their own time, within their own development process, and without slowing them down.
For security teams that require more detailed threat models, they can define graphical Data Flow Diagrams within the system and base their threat modeling rules on the data flows.
Q: How does IriusRisk help the Development Team?
As a development manager, you need to be sure that security doesn’t become a bottleneck for your projects. The business isn’t willing to wait for delivery. You need to build secure apps – but build them faster.
For development, IriusRisk automatically generates a threat model with recommended and required countermeasures and adds them to your issue tracker, like Atlassian JIRA, ServiceNow, Redmine, Rally and Microsoft TFS, so you can address security just like any other feature. We regularly expand our list of supported integrations, too. If the system you use is not currently supported, let us know and we will work with you to add support for it.
Developers complete a questionnaire, and IriusRisk automatically generates the security requirements and adds them to an issue tracker. This lets developers identify and implement important security work without involving the security team.
Q: How does IriusRisk help the Security Team?
As a security manager, you need your team to scale. Demands placed on you are more intense than ever before, and you need to help every development team understand how to build security into their applications from the start.
For the security team, IriusRisk provides a single point to manage security throughout the entire development process. You define the risk patterns, the security standards and the rules that govern how a threat model should be generated, and the development team access that data through a questionnaire.
The security team can then review the auto-generated model, adjust it and use IriusRisk to communicate to the development team through their existing issue tracking system with a two-way sync.
IriusRisk can also import security vulnerability information from SAST and DAST tools and correlate it with the threat model, thereby providing valuable business context to those technical findings.
Automating the boring part of threat modeling also helps keep your high value security team motivated and removes the frustration of identifying and recording repetitive threats and countermeasures.
Q: How does IriusRisk help the QA team, Testers and Auditors?
IriusRisk provides two types of tests:
- tests for the presence of countermeasures (important for auditing purposes), and
- tests for the presence of weaknesses (important for penetration testers or red teams).
Penetration Testers can use the list of weakness tests to test for the presence of vulnerabilities, in addition to their usual testing methodologies. This provides them with a checklist of tests to run.
Auditors and functional testers can use the list of tests for countermeasures to verify that specified countermeasures are in place and can easily overlay a security standard to quickly view the actual state of countermeasures.
Q: We already use a Static Application Security Testing tool like Veracode/Checkmarx/Fortify – why do I need IriusRisk?
IriusRisk is an ideal complement to automated testing tools including SAST, DAST and IAST, which are great at finding security bugs. Security bugs are typically introduced at implementation time when developers are writing code or the operations teams are configuring the servers and infrastructure. But these tools have three blind spots that IriusRisk will help eliminate:
- The tools are unaware of the functional aspects of the code they’re scanning. For example, they wouldn’t be able to tell you that sensitive data stored on a mobile device is not adequately encrypted; or that certain credit card details should not be stored on certain servers at all!
- They are unaware of the architecture of the whole system. While they can scan the code of your 3 microservices independently, they could not tell you how they are connected or that one of them makes external API calls to a third party service.
- They don’t apply security context to the system that they’re scanning. A vulnerability that can result in extracting data from a database is always considered a critical risk issue regardless of the value of the data; or where the database is located (Internet, or internal secured network). Without this contextual information, it’s difficult to prioritise and you end up with hundreds of high and critical risk issues that need to be addressed. Since IriusRisk captures this information in the questionnaires it can use it to make contextual risk calculations so that you can spend time on the risks that matter.
In addition to highlighting these blind spots, the most important value that IriusRisk provides to development teams is describing how to build secure systems from the start, rather than finding bugs after the fact!
Q: What is the benefit of IriusRisk for apps that have already been developed?
Threat Modeling as an activity and IriusRisk as a platform are designed to identify architectural security risks. This applies equally to an architecture that is to be built as to one that already exists. The primary difference is that for an application that already exists, we have more accurate information about the chosen design and the security controls that have already been implemented. The process of using IriusRisk would be similar for both types of apps except that for apps that have already been implemented there would be an additional step to review all of the required countermeasures and mark them as implemented where applicable.
In both cases you can make use of IriusRisk’s compliance view to visualise compliance with our built-in standards or standards that you add to the platform.
In addition, the generated threat model can be used to inform security testing activities such as QA and penetration testing.
Q: Which external Issue Tracker systems does IriusRisk integrate with?
- Jira cloud and server
- Microsoft Team Foundation Server
- CA Rally
IriusRisk was designed to integrate with developers’ workflows and tools, and since developers use issue trackers extensively to manage requirements and issues, IriusRisk includes first-class integration with these tools. This means that developers spend less time in our platform and can instead continue to use their issue tracker as their primary planning tool.
IriusRisk can create new tickets on these systems, synchronise the status of the tickets and upload and synchronize comments.
Q: Which external testing frameworks and tools does IriusRisk integrate with?
IriusRisk can import vulnerabilities from popular testing tools and frameworks, match them to the threat model and automatically synchronise the issues with the issue tracker system.
Since Threat Modeling defines the security context at the start of the SDLC, it can also define downstream security activities including Testing. The threat model generated by IriusRisk already contains potential vulnerabilities, but until these are tested, their presence would be unconfirmed, so the platform can import results from the following testing tools in order to determine the real statuses of those potential weaknesses:
- Fortify SSC
- OWASP ZAP
Once imported, the platform correlates the vulnerabilities with the Contextual Business Risk. In other words, the level of risks posed by vulnerabilities does not depend only on the technical impact (as provided by the testing tools) but also the value of the data at risk, the exposure of the component and the difficulty of performing the attack. These last contextual variables are provided by IriusRisk. This helps to prioritise remediation actions according to what matters most.
Q: Does IriusRisk support concurrent use by multiple users, internal and external?
Yes, IriusRisk is a web application and supports a fine-grained permissions model. This allows you to configure user roles that suit your needs. For example, you could create a role only for external software suppliers that will allow them to only complete the questionnaire, but not view or edit the resulting threat model, while the security team has full visibility of all the functions.
Products can also be assigned to specific users, or to groups of users and access control can be enforced between the groups.
Q: Do I need to have a separate project in my issue tracker for the issues created by IriusRisk?
It’s recommended to use the same issue tracker project that the team is already using to manage their other functional requirements and bugs. The tickets created by IriusRisk can be identified by using a label and/or by creating a custom type, e.g.: “Security Requirement”.
Q: SaaS vs On Premises: What is the difference between both approaches?
- Price. Hosting and management costs are added to the SaaS instances.
- Data privacy and security. Since Continuum Security manages the SaaS instances, our engineers have access to the server and your data. We follow best practice guidance when it comes to managing this access, but nevertheless require some level of access. This is not the case for OnPrem instances, where we have absolutely no access to your servers or data.
Q: Do you only offer the SaaS solution on AWS?
Yes, nevertheless customers have the option of installing IriusRisk in the cloud of their choice by choosing the On Prem version and managing the instance themselves.
Q: How is the On Premises version installed? What are the hardware requirements?
We recommend deploying the application using Docker, while the database should be deployed natively. Supported databases are MS SQL Server and PostgreSQL. More details on the hardware requirements and installation options can be found at: https://continuumsecurity.atlassian.net/wiki/spaces/ITD/pages/26771463/Installation
Q: Which threat modeling methodology is leveraged in IriusRisk out-of-the-box security content?
We use pre-defined architectural risk patterns that we associate with specific architectures and functionalities. To create these patterns our internal security teams use a mixture of STRIDE and domain-specific guidance in the form of security standards (e.g. CIS, PCI-DSS, GDPR, etc.).
Q: What is your Support policy?
Support is provided through a ticketing system and email. Continuum Security will respond to any issue raised within 24 hours and provide an analysis of the problem and the estimated time to fix. Critical risk issues which directly prevent the use of the software, or which pose a serious security risk will be addressed within 48 hours. The customer will be provided with access to our Service Desk to report and track incidents.
Q: What is the “Community Edition” and how does it differ from the commercial version of IriusRisk?
The Community Edition was created in order to provide a free-of-charge service for developers and security architects to share security requirements about specific types of architectures. Continuum Security cannot threat model the world, but the world can threat model itself, if we all participate!
A Community Edition user can:
- Threat Model and manage the software security risk of 3 applications or projects maximum.
- Push the generated threat models to their issue trackers (limited to JIRA).
- Publish templates that are shared with other users.
- Create products using our custom Library and rule set.
- Manually extend the generated Threat Model for projects.
A license for a commercial instance of IriusRisk is needed in order to:
- Integrate with additional issue trackers (Microsoft TFS, CA Rally, ServiceNow, Redmine)
- Import results from software scanning tools and integrate with Fortify Software Security Center.
- Apply standards such as PCI and EU GDPR.
- Have access to the latest versions of our libraries
- Customise the rules
- Create or customise Risk Patterns
- Create or customise the questionnaires
Q: What is the Pricing Model for an IriusRisk license?
The license applies to a single production instance of the core IriusRisk platform. It includes the default questionnaires, rules and risk patterns as well as maintenance and feature updates to these and the platform itself during the license period.
Multiple instances of the IriusRisk application deployed in a high availability configuration, where all users and applications exist within the same logical database, are considered to be a single instance for licensing purposes.
Instances used for non-production use do not require a separate license. There is no limitation on the number of users of the system. It includes full access to the API. The user interface, as well as the default questionnaire and risk templates are provided in English.
The price is based on the number of threat models that are managed in the platform and is an annual subscription for both the SaaS and OnPrem instances.