IriusRisk Team
|
The Threat Modeling Experts
January 4, 2023

Product Update: Release 4.11

Product Update: Release 4.11

We are excited to announce the release of IriusRisk 4.11 which includes these new enhancements and features:

  • Configure issue trackers at the Threat level
  • Support multiple files for Terraform and CloudFormation APIs
  • Change the color of dataflows
  • New Audit Log API endpoint
  • And more!

Projects

Create issues for threats and configure issue trackers at the threat level

In addition to countermeasures and weaknesses, you can now create issue tracker issues for threats. This can be useful for tracking purposes such as linking countermeasure issues to a parent threat issue. It can also be used where further work is needed to be done based on the threat, such as research or identifying additional countermeasures.

In addition to creating issues for threats, you can also configure the issue tracker at the threat level. This means you can for example send threat issues to a security team’s backlog, and controls to engineering teams, all from the same IriusRisk project. Or you could use a different issue type for threats and countermeasures.

Change the dataflow colors

IriusRisk v4.11 allows you to customize the colors of the dataflows in your threat model diagrams, giving you more control over the visual representation of your system. For example, you can use red to represent dataflows from high-risk trustzones, or change the color based on the assets going across the dataflow.

Open Threat Model

Support for multiple Infrastructure as Code files

For anything other than trivial examples, most Infrastructure as Code configuration is best split across multiple files or repositories. Sometimes this is just good practice, such as separating network controls from service infrastructure, and sometimes it is because different teams own different parts of the infrastructure and work in their own code repositories.

As of this release, the IriusRisk API endpoints for CloudFormation and Terraform now support multiple files, and will automatically merge them into a single threat model.

New Startleft Processors documentation

Create your own OTM parser by following new guidance on writing a Startleft Processor. Our Github documentation site for Startleft now includes a comprehensive document on creating your own parser using the Startleft Processor (SLP) architecture.

Check it out here: https://iriusrisk.github.io/startleft/development/Create-a-new-StartLeft-Processor/

Simplified Terraform mapping

We have simplified the mapping file structure for Terraform files, for example by moving a lot of the repeated configuration into reusable defaults, so now it is even easier to create or customize Terraform to IriusRisk parsing.

To get started creating your own mapping file, or modifying the IriusRisk provided one, see https://iriusrisk.github.io/startleft/startleft-processors/iac/tf/Terraform-how-to-create-a-basic-mapping-file/

Analytics and Reporting

New Entities for the Analytics module

This release of IriusRisk includes a load of new Entities that dramatically simplify creating custom queries and dashboards in the Analytics Module. Entities hide away a lot of the complexity in the data structures in IriusRisk by providing a reusable dataset for any given topic such as Projects, Threats, or Countermeasures. These can then be combined without having to deal with the complexity of Postgres join operations on the database.

This release includes the following new entities:

  • Audit Events
  • User and User Security
  • Diagram
  • Templates
  • Dataflow
  • Weaknesses

Audit Log

New Audit Events API

Following on from the new React-based Audit Log released in v4.9, we have created a new end point that allows you to access audit events over an API.

For more information, take a look at the SwaggerHub documentation: https://app.swaggerhub.com/apis/continuumsecurity/IriusRisk/1.19.0#/Audit%20Log/get_api_v1_audit_events

Security Content

New components

This release includes the following new Cloud components:

  • GCP Looker Studio
  • GCP Dataflow
  • GCP DLP (Data Loss Prevention)
  • GCP DNS (Domain Name System)
  • GCP Spanner
  • GCP Resource Manager
  • GCP Compute Engine
  • GCP Container Registry
  • GCP Data Catalog
  • GCP Secret Manager
  • GCP KMS (Key Management Service)
  • GCP Memorystore for Redis
  • GCP VPC Service Controls
  • GCP Anthos Service Mesh
  • GCP Apigee X
  • GCP Artifact Registry
  • AWS Apache Flink
  • AWS ElastiCache for Redis
  • AWS Hyperledger Fabric
  • AWS Ethereum

Updated security standards

CIS Microsoft Azure Foundations Benchmark has been updated to 1.5.0

Release notes

For more information, see the Version 4.11 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access