Product Release 4.36
Overview
IriusRisk 4.36 includes these latest improvements, plus many more:
- Trust zones now optional
- Improved Azure Cloud components with Terraform Imports
- Faster XML Project and Template upload in the UI
- Revamped Compliance Report
Trust Zone Requirement Is Now Optional for Users
New practitioners of threat modelling often struggle with the requirement to place all components within a trust zone. Missing this step leads to errors when generating Threats and Countermeasures, disrupting workflows and causing frustration. This challenge has been a major barrier, making it difficult for IriusRisk to engage and support newer users effectively. It also risks discouraging community edition users from continuing with the tool, limiting adoption and engagement. To solve this, we’ve introduced a new option that allows users to add components without placing them in a trust zone, easing their learning curve and adoption.
Configure IriusRisk to Use the Jira “Status” or “Resolution” Field for Countermeasure Status
Admins managing complex workflows faced a major challenge: Jira tickets have two important fields, “Status” and “Resolution,” and each customer uses them differently. IriusRisk’s previous versions only synced with the “Resolution” field, leaving many users unable to align their processes and creating frustration and inefficiencies. This friction slowed user adoption and hampered their productivity. Now, admins can choose to sync Countermeasures and Threats with either the “Status” or “Resolution” field in Jira, empowering them to fully integrate IriusRisk into their customized workflows.
New Singleton Mapping for Grouping Azure Cloud Components by Category when Importing Terraform Plan
Users find OTM Parsers imports unreliable because components are often missing after importing. While the “catch-all” setting can bring in unmapped components, it imports them as empty components that do not generate threats or countermeasures and can clutter the diagram. Custom mappings were an option, but they require technical expertise many users lack and are time-consuming, as around 1,000 resources need analysis for mapping.
Now, the improvements mean that:
- Metadata stays metadata: instead of being imported as empty components, it is recorded as tags, labels and so on
- Only actual components will be presented as a component in the diagram
- We now cover all Azure categories in our mappings, based on Terraform’s official documentation
- Components are named using the category name.
Speed Up XML Project and Template Upload by Using the Endpoint's New Asynchronous Call
Big companies integrating IriusRisk need reliable performance and can’t afford time-out errors or slow responses. Goldman Sachs has shown strong interest in an integration that relies on this endpoint’s performance. To address this, we’re introducing an asynchronous call to prevent time-out errors and boost reliability. This ensures projects are initialized and accessible in IriusRisk while diagram components and threat model outputs are still being generated, offering users faster access and a smoother experience.
Configure Asset Visibility
You are now able to configure the visibility of Assets at a Business Unit level. This will allow for individual Assets to be restricted to the Business Units of users who need to see them, ensuring that sensitive items remain secure and improving user experience by allowing for more focussed user selection. By default all Assets will be visible.
Splitting of Global and Project Roles
In the first step towards supporting project and business unit level permissions, we have split the existing roles in the system into Global Roles and Project Roles, based on the existing permissions groupings. All existing roles in the system will be migrated and split as appropriate and access will remain unaffected for all users. Both Roles can be assigned directly to the user.
To support the splitting of roles, we have also updated how permission assignment in workflows works. Rather than having to update individual permissions for a role, you can now reassign one role to another, allowing reuse and the updating of all roles in one location. Again, any existing workflow permission modifications will be updated to the new format.
Compliance Report: New appearance for PDF, HTML, CSV, XLS, and XLSX formats
This release brings a newly designed Compliance Report and a new HTML format that replaces the less standardized DOCX. This is the third report to get a revamp, with just one left to go: the Technical Threat Report.
Deprecation and End of Life notices
Currently, you can set Custom Field permissions when you are modifying the permissions for a role for a particular workflow state. As we are implementing project-level roles, we are changing how permissions on a workflow status are configured, and this new method doesn’t include Custom Fields. Additionally, some customers suggest that we should emphasize Custom Fields at the project level, which introduces more complexity. Therefore, it's essential to simplify the areas where Custom Fields are configured. Removing them from Workflows should be the first step.
Security Content
This release adds many new GCP components, along with many others. The list includes:
- 61 GCP V2 Components
- 18 Generic Components
- 10 Hardware Components
- 5 Service Side Components
- 4 Financial Services
- 4 Functional Components
- 3 Alibaba Cloud
- 2 Datastore Components
- 1 Kubernetes
- 1 Network Component
- 1 SAP
Release Notes and Documentation
For more information, see Version 4.36 Release Notes or check out our Documentation.
Shape the future of Threat Modeling with us!
Join IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.
SwaggerHub & GitHub
Find out more of what you need in the GitHub and SwaggerHub repos:
https://app.swaggerhub.com/apis/continuumsecurity/IriusRisk/1.24.0 - We provided this featured API to allow for deeper customer integrations and to enable very flexible automations within the many varied environments IriusRisk needs to operate in.
https://app.swaggerhub.com/apis/iriusrisk/IriusRiskV2/2.0.0-beta.8 - Please note that this version of the API is currently in beta. While it offers advanced features for deeper integrations and flexible automations, we reserve the right to make breaking changes during this phase and encourage caution in production environments.
https://github.com/iriusrisk/IriusRisk-Central - Provides content useful for IriusRisk threat modelling, including templates, API scripts, libraries and more.