IriusRisk Team | The Threat Modeling Experts
March 25, 2023

Product Update: Release 4.16

We are excited to announce the release of IriusRisk 4.16, which includes these new enhancements and features:

  • Apply your organization’s security policies to threat modeling by attaching your Standards to IriusRisk’s countermeasures through a new API endpoint.
  • Get an aggregate view of risk across Business Units and Project Components with our new dashboard available in the Analytics Module.
  • Create actionable context for developer-centric threat models with new questionnaires on functional components.
  • Plus more!

New API endpoint for Terraform Plan files

Terraform Plan files contain the mixture of current state and configuration changes that allows Terraform to execute the change actions needed to create or update a cloud environment. Because all of the configuration has already been parsed by Terraform, the plan file contains everything you need to build a threat model, regardless of how the configuration files are managed. This also makes it even easier to create a threat model, because all of the relationships between components are self-contained within the plan file, and we don’t have to worry about modules and other features of the configuration files.

In a previous release we updated the Terraform API endpoint to support plan files. This release moves that functionality to a new endpoint that allows users to create or update a project from a Terraform Plan by passing tf-plan and tf-graph files:

  • POST /products/tfplan - used to create a new project
  • PUT /products/tfplan/{product-id} - used to update an existing project, given a project id

For more information see the API documentation on SwaggerHub.
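As an added example (not IriusRisk's code; the samples are constructed and trimmed), the following Python shows the two inputs the endpoint consumes and why they are enough on their own: the plan JSON already carries fully resolved resource addresses, and the graph carries the relationships between them.

```python
import json
import re

# Constructed, trimmed sample of `terraform show -json plan.out` output:
# every address is already fully resolved (module prefix included).
PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {"address": "module.storage.aws_s3_bucket.logs",
         "module_address": "module.storage", "type": "aws_s3_bucket",
         "name": "logs", "change": {"actions": ["create"],
                                    "after": {"bucket": "app-logs"}}},
        {"address": "aws_lambda_function.ingest", "type": "aws_lambda_function",
         "name": "ingest", "change": {"actions": ["update"],
                                      "after": {"runtime": "python3.11"}}},
        {"address": "aws_iam_role.old", "type": "aws_iam_role", "name": "old",
         "change": {"actions": ["delete"], "before": {"name": "old-role"}}},
    ],
})

# Constructed, simplified sample of `terraform graph -plan=plan.out` (DOT).
GRAPH_DOT = """digraph {
  "aws_lambda_function.ingest" -> "module.storage.aws_s3_bucket.logs"
  "aws_lambda_function.ingest" -> "aws_iam_role.old"
}"""

EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')

def plan_components(plan_json):
    """Map each resource address to its type, module and planned actions."""
    comps = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        comps[rc["address"]] = {"type": rc["type"],
                                "module": rc.get("module_address", "root"),
                                "actions": rc["change"]["actions"]}
    return comps

def graph_edges(dot):
    """Dependency edges (source -> target) from the DOT graph."""
    return EDGE_RE.findall(dot)

def build_model(plan_json, dot):
    """Components and dataflows that will exist after the plan is applied.
    A pure delete removes a resource; a replace (["delete", "create"]) keeps it."""
    comps = plan_components(plan_json)
    removed = sorted(a for a, c in comps.items() if c["actions"] == ["delete"])
    live = {a: c for a, c in comps.items() if a not in removed}
    flows = [(s, d) for s, d in graph_edges(dot) if s in live and d in live]
    return {"components": live, "dataflows": flows, "removed": removed}
```

Resources leaving the environment are dropped from the model so that no dataflow points at a component that will not exist after apply.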

Quickly find Components Definitions with table filters

Two new inputs at the header of the Components Definitions table (Objects > Components) filter the components shown by their name and/or their category, so users can quickly find the component they are looking for.

Table filters

Project limits modal

If the account has reached the license limit, a modal window will be displayed whenever the user attempts to create a new project. Whilst in previous versions a similar message was displayed after the user had entered all the details of the project, now this warning is shown as soon as the user clicks on the “New Project” button. This will help save users time and avoid frustration when entering details for a project that cannot be saved.

The warning message displayed in the modal depends on whether the user has admin privileges. For Administrators the “License details” button is displayed; clicking it redirects them to the License management page, where they can enter a new License key.

License limit

Apply your organization’s security policies to threat modeling by attaching your Standards to IriusRisk’s countermeasures through a new API endpoint

IriusRisk provides an extensive knowledge base of threats and countermeasures that continues to grow as the technology and cybersecurity landscape evolves. It also provides Standards, which are mapped to those countermeasures and allow you to quickly determine which countermeasures are required in order to meet the standards you select, bringing focus to the security outcomes that matter most.

Many organizations have internal security policies that dictate which countermeasures must be implemented for different systems or application types. These can also be represented as Standards in IriusRisk. However, previously you had to either take a copy of the IriusRisk content libraries and map the countermeasures to your bespoke Standard, or limit the use of the Standard to custom countermeasures.

In IriusRisk v4.16 we have released two new API endpoints. The first allows a specific countermeasure to be associated with one or more standards; the second removes the association between countermeasures and standards. This means users can associate the default IriusRisk countermeasures with their own standards, adapting the content to the individual organization's needs.

POST /security-content/countermeasures/{countermeasure-id}/standards

For more information see the API documentation on SwaggerHub.

Get an aggregate view of risk across Business Units and Project Components with our new dashboard available in the Analytics Module

Organizations, and therefore threat models, are complex and interwoven threads of technologies and systems. In IriusRisk, Business Units can be used to group threat model projects, for example by organizational division, and Project Components allow entire threat models to be made available as components in other threat models.

It is incredibly useful to be able to see the risk profile of a Business Unit, as risk-based decisions often need to be made at the divisional level. It is also important to see and understand how risk moves between threat models when Project Components are used.

In this release we have provided two new default dashboards for customers of the Analytics Module. The first is the Business Unit Risk Summary which allows users to see, in a single view, the current, inherent and projected risk across all projects within a Business Unit.

Analytics default dashboard

The second dashboard, the Project Risk Summary, is accessible by clicking on one of the projects and gives an overall view of risk in an individual project, broken down by project components and regular components.

Project risk summary dashboard

Create actionable context for developer-centric threat models with new questionnaires on functional components

Software developers are key participants in threat modeling because they understand better than anyone the systems they are designing and building. Much of what software developers create sits above the traditional architectural view of systems, at the functional level. That’s why IriusRisk provides Functional Components that can be used to describe the capabilities and behaviors of applications.

In IriusRisk 4.16 we have updated 5 Functional Components with a new questionnaire that will automatically transition countermeasures to different states, reducing the amount of refinement work developers need to do and saving them time.

As an example, we’ll look at a simple but typical application design, shown in the diagram below, containing Functional Components released with the new questionnaire scheme.

Diagram

The application is made up of a number of functional components, such as Access Token and Login. By completing the questionnaire for the Login component, for example, and providing additional context on how passwords and sensitive data are handled, the threat model is automatically updated to reflect that context.

Component: login

Because of the additional context provided in the questionnaire, certain countermeasures are automatically transitioned to Required, Implemented or N/A, or remain Recommended.

Countermeasures

By dynamically transitioning countermeasures to the appropriate status, IriusRisk automatically performs the actions that the user would otherwise have to do by hand. This saves users, and in particular developers, a lot of time and helps them to focus on the countermeasures that matter most.

Further releases of IriusRisk will continue to extend these new questionnaires to the remaining Functional Components.

Security Content

The following new components have been added to IriusRisk:

  • SAP HANA
  • SAP S/4 HANA
  • SAP Hana Cloud
  • SAP ABAP
  • SAP GUI
  • SAP DATA
  • SAP FIORI
  • SAP NetWeaver
  • Azure Application Insights

We have also added new descriptions, or improved existing ones, for every default Component Definition in IriusRisk.

Release notes

For more information, see the Version 4.16 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.