IriusRisk Team
|
The Threat Modeling Experts
December 19, 2024

Product Release 4.37

Overview

IriusRisk 4.37 includes these latest improvements, plus many more:

  • IAM Roles authentication for pulling projects from an AWS Cloud
  • Updated default mappings for importing external sources to V2
  • New 'OR' Conditioning in Rules

Take a look at the full list below, or go directly to the release notes.

IAM Roles authentication for pulling projects from an AWS Cloud

Threat Modelling Practitioners have raised concerns about the security risks of using static access keys to import AWS Cloud infrastructure into IriusRisk. Static credentials don't auto-expire and lack temporary permissions, increasing exposure risks. To address this, we're introducing support for IAM Role-based authentication, offering a more secure, session-based method to import AWS infrastructure with confidence.

Updated default mappings for importing external sources to V2

Threat Modelling Practitioners have expressed frustration with imports from external sources creating projects with outdated V1 IriusRisk components. This can hinder the use of the latest features and improvements. To address this, we’re updating the OTM Parsers’ default mappings to ensure imports automatically utilise the latest V2 components, keeping projects up-to-date and aligned with our most recent advancements.

Rename "General threats" to "Project threats"

Threat Modelling Practitioners have noted that the term "General Threats" for project-wide threats is unclear and misaligned with its purpose. To address this, we’re updating the name to "Project Threats" across both the UI and endpoint definitions. This change better reflects its role in grouping threats, weaknesses, and countermeasures that apply to the overall project scope, rather than being linked to specific components.

Multiple Select for Countermeasures

Threat Modelling Practitioners have expressed frustration with the inability to select multiple countermeasures at once in the current Threats view, making bulk actions like marking them as "Not Applicable" time-consuming and inefficient. To address this, we’re introducing a one-click multi-select option for countermeasures, streamlining bulk operations and significantly reducing the effort required to manage large datasets.

Show a Message when the Project has no Threats or Countermeasures

Threat Modelling Practitioners often feel confused when no threats or countermeasures appear in a project, unsure of the reason and the actions they need to take next. To address this, we’re introducing a clear message that explains why no threats or countermeasures are present and outlines the next steps, providing users with clarity and guidance to move forward with confidence.

Configure if a rule should match all conditions or any of them to be fired (OR conditioning)

To enable greater flexibility in our rules engine when creating a rule, once the rule context has been selected and a second condition has been added, the user will have the option to choose whether the rule triggers when all conditions are met (AND operator) or when any condition is met (OR operator).

There are conditions that allow users to add specific actions, so these will not be available for Match any.

The conditions that support these actions are:

  • Question exists (in the project and component context).
  • A risk pattern exists.

Security Content

In this release, we have a high number of Generic and Azure components, with the full list below.

In total, there are 130 new components in this release.

  • 65 Generic
  • 30 Azure
  • 15 Huawei Cloud
  • 8 Hardware  
  • 5 ML/AI 
  • 2 Financial Services
  • 2 Network
  • 2 AWS
  • 1 GCP

Release Notes and Documentation

For more information, see Version 4.37 Release Notes or check out our Documentation.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.

Swaggerhub & Github

Find out more of what you need in GitHub and Swaggerhub Repos:

https://app.swaggerhub.com/apis/continuumsecurity/IriusRisk/1.24.0 - We provided this featured API to allow for deeper customer integrations as well as enable very flexible automations within the many varied environments IriusRisk needs to operate.

https://app.swaggerhub.com/apis/iriusrisk/IriusRiskV2/2.0.0-beta.8 - Please note that this version of the API is currently in beta. While it offers advanced features for deeper integrations and flexible automations, we reserve the right to make breaking changes during this phase and encourage caution in production environments.

https://github.com/iriusrisk/IriusRisk-Central - Provides content useful for IriusRisk threat modelling, including templates, API scripts, libraries and more.