IriusRisk Team
|
The Threat Modeling Experts
April 6, 2023

Product Update: Release 4.14

We are excited to announce the release of IriusRisk 4.14 which includes these new enhancements and features:

  • Make sure rules are consistently applied over time and across different environments with the new rules validation endpoint
  • Take IaC design security to the next level by creating threat models from your Terraform Plan files
  • Action threat models faster with four new threats and countermeasures filters
  • Plus more!

Take Infrastructure as Code design security to the next level by creating threat models from your Terraform Plan files

Terraform plan files contain the mixture of current state and configuration changes that allows Terraform to execute the actions needed to create or update a cloud environment. Because Terraform has already parsed all of the configuration, the plan file contains everything you need to build a threat model, regardless of how the configuration files are managed. This also makes the threat model easier to create: all of the relationships between components are self-contained within the plan file, so modules and other features of the configuration files do not have to be resolved separately.

In IriusRisk v4.14 we have updated the existing Terraform API endpoint to support plan files.

Given this AWS example from HashiCorp:

[Figure: HashiCorp AWS example architecture]

We can run the following commands to generate the plan files:

$ terraform plan -out=plan
$ terraform show -json plan > aws-example-plan.json
$ terraform graph -type=plan -plan=plan > aws-example-graph.gv

The JSON plan holds every resolved attribute, including values Terraform marks sensitive, which terraform show -json writes in cleartext, so review it before it leaves your environment, particularly when posting to a hosted instance. We can then send the plan files to IriusRisk with a simple curl command to build the threat model:

$ curl -L -X POST https://release.iriusrisk.com/api/v1/products/terraform \
 -H "Accept: application/json" \
 -H "api-token: $IRIUS_API_TOKEN" \
 -H "Content-Type: multipart/form-data" \
 -F "tf-file=@aws-example-plan.json,aws-example-graph.gv" \
 -F "product-id=terraform-plan-test" -F "name=terraform-plan-test"
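Before running the upload above it is worth seeing what the plan actually contains. The script below is an added example, not IriusRisk or HashiCorp code: it parses the JSON that terraform show -json produces, lists the resources a threat model would be built from, derives the component relationships from the configuration references, and flags every attribute Terraform marks sensitive (those values sit in cleartext in the same file). The embedded plan is a constructed, trimmed sample; walking module-internal references under module_calls, and the resource_changes and variables sections that repeat the same values, are left out of scope.

```python
"""Inspect a `terraform show -json` plan before it is uploaded (added example, not IriusRisk or HashiCorp code)."""
import json
import sys

# Constructed sample plan, trimmed to the keys used below (not real Terraform output).
SAMPLE_PLAN = r'''{
  "format_version": "1.1", "terraform_version": "1.4.0",
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_vpc.main", "type": "aws_vpc", "values": {"cidr_block": "10.0.0.0/16"}, "sensitive_values": {}},
    {"address": "aws_subnet.public", "type": "aws_subnet", "values": {"cidr_block": "10.0.1.0/24"}, "sensitive_values": {}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}, "sensitive_values": {"ingress": [{"cidr_blocks": [false]}]}},
    {"address": "aws_instance.web", "type": "aws_instance", "values": {"instance_type": "t3.micro"}, "sensitive_values": {}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance",
     "values": {"engine": "postgres", "password": "hunter2"}, "sensitive_values": {"password": true}}
  ]}},
  "configuration": {"root_module": {"resources": [
    {"address": "aws_vpc.main", "expressions": {"cidr_block": {"constant_value": "10.0.0.0/16"}}},
    {"address": "aws_subnet.public", "expressions": {"vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]}}},
    {"address": "aws_security_group.web", "expressions": {"vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]}}},
    {"address": "aws_instance.web", "expressions": {"subnet_id": {"references": ["aws_subnet.public.id", "aws_subnet.public"]},
      "vpc_security_group_ids": {"references": ["aws_security_group.web.id", "aws_security_group.web"]}}},
    {"address": "aws_db_instance.app", "expressions": {"password": {"references": ["var.db_password"]}}}
  ]}}
}'''


def load_sample():
    return json.loads(SAMPLE_PLAN)


def _modules(module):
    """Yield a planned_values module and, recursively, its child modules."""
    yield module
    for child in module.get("child_modules", []):
        yield from _modules(child)


def list_resources(plan):
    """Return {address: type} for every planned resource, with modules flattened."""
    return {res["address"]: res["type"]
            for mod in _modules(plan["planned_values"]["root_module"])
            for res in mod.get("resources", [])}


def reference_to_address(ref):
    """'aws_vpc.main.id' -> 'aws_vpc.main'; 'data.aws_ami.x.id' -> 'data.aws_ami.x'.
    Variables, locals and module outputs are not resources and yield None."""
    parts = ref.split(".")
    if parts[0] in ("var", "local", "each", "count", "path", "terraform", "module"):
        return None
    width = 3 if parts[0] == "data" else 2
    return ".".join(parts[:width]) if len(parts) >= width else None


def _references(node):
    """Collect every 'references' list in an expressions subtree (nested blocks included)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "references" and isinstance(value, list):
                yield from value
            else:
                yield from _references(value)
    elif isinstance(node, list):
        for item in node:
            yield from _references(item)


def dependency_edges(plan):
    """Return {(dependent, dependency)} pairs from configuration references. Assumption: root-module
    resources only; module-internal wiring sits under configuration.root_module.module_calls."""
    known = list_resources(plan)
    edges = set()
    for res in plan["configuration"]["root_module"].get("resources", []):
        for ref in _references(res.get("expressions", {})):
            target = reference_to_address(ref)
            if target in known and target != res["address"]:
                edges.add((res["address"], target))
    return edges


def _walk_sensitive(node, path, out):
    if node is True:  # Terraform marks a sensitive leaf with a literal true
        out.append(path)
    elif isinstance(node, dict):
        for key, value in node.items():
            _walk_sensitive(value, f"{path}.{key}", out)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            _walk_sensitive(value, f"{path}[{idx}]", out)


def sensitive_paths(plan):
    """Paths Terraform marks sensitive, e.g. 'aws_db_instance.app.password'. The plan JSON still
    carries these values in cleartext under `values`, so review or redact them before upload."""
    found = []
    for mod in _modules(plan["planned_values"]["root_module"]):
        for res in mod.get("resources", []):
            _walk_sensitive(res.get("sensitive_values", {}), res["address"], found)
    return found


if __name__ == "__main__":
    # Usage: python plan_inspect.py aws-example-plan.json   (no argument: embedded sample)
    plan = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else load_sample()
    for address, rtype in sorted(list_resources(plan).items()):
        print(f"component  {address} ({rtype})")
    for src, dst in sorted(dependency_edges(plan)):
        print(f"relation   {src} -> {dst}")
    flagged = sensitive_paths(plan)
    for path in flagged:
        print(f"SENSITIVE  {path} (cleartext in plan, review before upload)")
    sys.exit(2 if flagged else 0)  # non-zero so a pipeline stops before the curl upload
```

Run it against the aws-example-plan.json produced above; the non-zero exit when sensitive attributes are present is there so a CI job can gate the curl step on it.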

And this is the resulting threat model in IriusRisk:

[Figure: resulting IriusRisk threat model for the HashiCorp example]

Action threat models faster with four new threats and countermeasures filters

For a development team, the third step in Adam Shostack's Four Question Framework is arguably the most important: what are you going to do about the threats? Threat modeling without action is just an interesting exercise; it is the action that improves security and drives down risk.

This release of IriusRisk includes four new filters available on the Threats and Countermeasures screens, enabling you to refine and action your threat models quickly and easily.

The new Threats filter is “Countermeasure progress” and lets you filter by different ranges of countermeasure implementation progress.

[Figure: new Threats filters]

The new countermeasure filters are: Priority, Owner, and Issue ID.

[Figure: new Countermeasures filters]

  • Priority - use this to focus on the highest impacting countermeasures
  • Owner - for when you want to see your own countermeasures or those assigned to a colleague
  • Issue ID - really useful to see which countermeasures to send to the backlog next

Make sure rules are consistently applied over time and across different environments with the new rules validation endpoint

At the heart of IriusRisk is an intelligent Rules Engine and a large knowledge base of risk pattern libraries and other content. With the latest release of IriusRisk you can now ensure that rules execute consistently over time and across environments with our new Rules Verification API endpoint.

$ curl -L -X POST 'https://yourinstance.iriusrisk.com/api/v1/rules/verify' \
 -H 'Accept: application/json' \
 -H "api-token: $API_TOKEN" \
 -H 'Content-Type: text/plain' \
 --data-raw '{"projectRef": "p1", "includeAllActiveRules": true }'

Some example output:

[Figure: example output of the rules verification endpoint]

For a given project, you can either run all of the active rules, the rules specified in the API request, or a combination of both. The output of the API is the set of all the actions the rules engine would have taken. This lets you do some clever things, such as:

  • Run all active rules for a temporary test project on a production instance and compare the output with the previous output to proactively spot unexpected changes over time. These could be caused by unexpected changes to global objects such as trust zones, tags, or custom fields that alter which rule conditions are met.
  • Run all active rules for a temporary test project on a production instance and on a development instance, and compare the two outputs. This helps you spot differences and inconsistencies between those environments.
  • When developing new rules, run those rules against a test project to ensure they behave as expected. You can do this while those rules are still inactive so they don’t impact other projects.

New rules action to mark threats as Not Applicable

Threat modeling is highly contextual, and with a new rules action to mark threats as “Not Applicable” you can create powerful architectural or design rules that tailor your threat models to your business’s individual context.

[Figure: new rules action to mark threats Not Applicable]

Example use cases include:

  • Marking threats not applicable for a component in a Trusted Partner trust zone because they are mitigated by the third party.
  • A component is nested inside another component where the parent component renders certain threats in the child component out of scope. For example, network-related threats to a web service running inside an EC2 instance.

Security Content

This release includes a large set of new Oracle Cloud Infrastructure components:

  • OCI Analytics Cloud
  • OCI Autonomous Shared Databases
  • OCI Block Volumes
  • OCI Cloud Guard
  • OCI Compute
  • OCI Container Engine for Kubernetes
  • OCI Events Service
  • OCI File Storage
  • OCI Flexible Load Balancing
  • OCI Functions
  • OCI IAM
  • OCI Identity Cloud Service
  • OCI Integration Cloud
  • OCI Logging
  • OCI Notification Service
  • OCI Object Storage
  • OCI Streaming
  • OCI Vault
  • OCI VCN

As well as some new server side components:

  • Kerberos Authentication Server
  • DNS Server
  • IBM WebSphere Liberty
  • Apache HTTP Server
  • Apache Tomcat
  • Microsoft IIS
  • NGINX

Release notes

For more information, see the Version 4.14 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.