Fraser Scott | VP of Product
October 16, 2023

Product Update: Release 4.21

We are excited to announce the release of IriusRisk 4.21 which includes these new enhancements and features:

  • Secure your ML and AI applications with our new ML/AI library containing 12 cutting-edge components
  • Automate with a new API endpoint that exports a project’s trust zones, components, and dataflows in the Open Threat Model (OTM) format
  • Quicker filtering of countermeasures with 6 predefined Custom Views
  • Automatically create and manage Component Definitions with a new API endpoint
  • Plus more!

Secure your ML and AI applications with our new ML/AI library containing 12 cutting-edge components

Machine Learning and Artificial Intelligence (ML/AI) now sit at the center of a digital world that is increasingly data- and analytics-driven. New technology does not only bring opportunities, though: ML/AI systems also introduce new risks and challenges to the security posture of the applications and systems they are built into.

How do you build resilient models and data pipelines?

With IriusRisk.

In v4.21 we have released the first version of our new ML/AI library. It contains 12 components needed to threat model the data pipeline, model building, and the deployment and operational use of Artificial Intelligence and Machine Learning systems. These include:

  • Data Pre-processing
  • Learning Algorithm
  • Trained Model
  • and more!

Here is an example threat model for an algorithmic trading system created using some of these components:

[Image: example threat model of an algorithmic trading system built from ML/AI library components]

For more information, check out the blog post: Securing ML/AI Systems and Applications.

Automate with a new API endpoint that exports a project’s trust zones, components, and dataflows in the Open Threat Model (OTM) format

No threat model is an island. IriusRisk lets you take any design or architecture artifact, convert it into the Open Threat Model (OTM) YAML or JSON format, and automatically build an entire threat model from it in IriusRisk. Magic.

But what if you want to take an existing IriusRisk threat model and generate OTM to be used elsewhere? As of v4.21 you can, with the new OTM export API. It covers the same trust zones, components, and dataflows sections of the OTM spec as the import, so you can both import and export OTM as part of your automated threat modeling processes. Example use cases include storing OTM threat model files in a git repository and keeping them in sync with the project, or exporting projects as OTM for custom integrations with other SDLC or cybersecurity systems.

[Image: the OTM export API]
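The git use case above implies a few checks a sync job has to run on each exported file. As an added example (not IriusRisk code and not the export endpoint itself), the Python below loads an OTM JSON document, checks that every component parent and every dataflow endpoint refers to a declared id, lists the dataflows that cross a trust zone boundary, and diffs two revisions of the model by id. Both documents are constructed samples, not real exports; the field names (otmVersion, project, trustZones, components with parent.trustZone or parent.component, dataflows with source and destination) follow the public OTM specification as read by the author of this example, and no call is made to the IriusRisk API.

```python
"""Validate and diff Open Threat Model (OTM) documents. Constructed example, not
IriusRisk code; field names follow the public OTM spec as read by this author."""
import copy
import json

SECTIONS = ("trustZones", "components", "dataflows")

# Hand-written sample standing in for an exported project (not a real export).
_BEFORE = {
    "otmVersion": "0.1.0",
    "project": {"name": "Trading Platform", "id": "trading"},
    "trustZones": [
        {"id": "internet", "name": "Internet", "risk": {"trustRating": 1}},
        {"id": "private", "name": "Private Network", "risk": {"trustRating": 100}},
    ],
    "components": [
        {"id": "web", "name": "Web App", "type": "web-application", "parent": {"trustZone": "internet"}},
        {"id": "api", "name": "Order API", "type": "web-service", "parent": {"trustZone": "private"}},
        {"id": "db", "name": "Orders DB", "type": "postgresql", "parent": {"trustZone": "private"}},
    ],
    "dataflows": [
        {"id": "df1", "name": "Place order", "source": "web", "destination": "api"},
        {"id": "df2", "name": "Persist order", "source": "api", "destination": "db"},
    ],
}

# A later revision: the DB was renamed, a cache was nested inside the API, and
# one new dataflow points at a component nobody declared (a typical hand-edit).
_AFTER = copy.deepcopy(_BEFORE)
_AFTER["components"][2]["name"] = "Orders DB (RDS)"
_AFTER["components"].append({"id": "cache", "name": "Session Cache", "type": "redis", "parent": {"component": "api"}})
_AFTER["dataflows"].append({"id": "df3", "name": "Settle trade", "source": "api", "destination": "ledger"})
_AFTER["dataflows"].append({"id": "df4", "name": "Read session", "source": "web", "destination": "cache"})
OTM_BEFORE, OTM_AFTER = json.dumps(_BEFORE), json.dumps(_AFTER)


def load_otm(text):
    """Parse OTM JSON; a missing section is treated as empty rather than fatal."""
    otm = json.loads(text)
    for section in SECTIONS:
        otm.setdefault(section, [])
    return otm

def _by_id(items):
    return {item["id"]: item for item in items}

def validate_otm(otm):
    """Referential-integrity problems; an empty list means the model is consistent."""
    problems = []
    for section in SECTIONS:
        ids = [item["id"] for item in otm[section]]
        problems += [f"duplicate {section} id {i!r}" for i in sorted(set(ids)) if ids.count(i) > 1]
    zones, comps = _by_id(otm["trustZones"]), _by_id(otm["components"])
    for comp in otm["components"]:
        parent = comp.get("parent", {})
        if "trustZone" in parent and parent["trustZone"] not in zones:
            problems.append(f"component {comp['id']!r} parent trust zone {parent['trustZone']!r} not declared")
        if "component" in parent and parent["component"] not in comps:
            problems.append(f"component {comp['id']!r} parent component {parent['component']!r} not declared")
    for flow in otm["dataflows"]:
        for end in ("source", "destination"):
            if flow.get(end) not in comps:
                problems.append(f"dataflow {flow['id']!r} {end} {flow.get(end)!r} not declared")
    return problems

def zone_of(comp_id, comps):
    """Resolve a component's trust zone, walking up nested component parents."""
    visited = set()
    while comp_id in comps and comp_id not in visited:
        visited.add(comp_id)
        parent = comps[comp_id].get("parent", {})
        if "trustZone" in parent:
            return parent["trustZone"]
        comp_id = parent.get("component")
    return None  # orphaned or cyclic nesting: validate_otm reports the cause

def boundary_crossings(otm):
    """Dataflows whose ends sit in different trust zones: the ones to threat model first."""
    comps, zones = _by_id(otm["components"]), _by_id(otm["trustZones"])
    crossings = []
    for flow in otm["dataflows"]:
        src, dst = zone_of(flow.get("source"), comps), zone_of(flow.get("destination"), comps)
        if src != dst and src in zones and dst in zones:
            crossings.append((flow["id"], src, dst))
    return crossings

def diff_otm(before, after):
    """Per-section diff keyed by id: the report a keep-OTM-in-git job would emit."""
    report = {}
    for section in SECTIONS:
        old, new = _by_id(before[section]), _by_id(after[section])
        report[section] = {
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(i for i in old.keys() & new.keys() if old[i] != new[i]),
        }
    return report
```

Run validate_otm(load_otm(OTM_AFTER)) and the only finding is the dataflow df3 whose destination "ledger" is never declared; boundary_crossings on the same document flags df1 and df4 as Internet-to-private crossings (df4 because the nested cache resolves to its parent's zone), and diff_otm reports the renamed db, the added cache, and the two added dataflows. Diffing by id rather than by raw text matters because an export may reorder arrays without changing the model.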

See more with condensed labels

Assets and tags on components and dataflows give you a powerful way of adding metadata to your threat models. They can be used for anything from deployment status or versioning to unique identifiers, from protocols to the types of data transferred.

If you’re a heavy user of tags, having a lot of them can make the diagram visually noisy. There are options to turn off the display of tags or assets, but you can now condense them instead. They remain in view but take up less space, all at the click of a button.

In the diagramming context menu on the right, you can check the “Use condensed labels” box.

[Image: diagramming context menu with the “Use condensed labels” option]

If this was your diagram before enabling that option:

[Image: diagram before enabling condensed labels]

This is what it will look like afterwards:

[Image: the same diagram with condensed labels]

A global setting has also been added to enable condensed labels in the artifacts IriusRisk generates.

[Image: global setting for condensed labels]

Quicker filtering of countermeasures with 6 predefined Custom Views

Navigating a large threat model can be challenging, so we have added Custom Views to simplify the process. A Custom View applies a saved filter to the countermeasure list so that you see only the countermeasures that matter to you, which makes the most relevant ones quick to reach and cuts down the noise in your threat model output.

[Image: predefined Custom Views in the countermeasures list]

Views that are provided out-of-the-box include:

  • High priority countermeasures - Lists all existing countermeasures with Critical or High priority
  • High priority required countermeasures - Lists required countermeasures with High or Very high priority
  • Test results about to expire - Lists countermeasures whose test results expire this week

The ability for administrators to edit the filters and create new ones will be coming in a release in the very near future.

Improved traceability of user comments in issue trackers

For many organizations, especially those with compliance requirements, traceability and audit of threat modeling outcomes is critical. For other organizations, it’s useful to just know who said what.

When a comment is added in IriusRisk to a countermeasure that has a linked issue tracker ID, the IriusRisk user who added it is now included in the comment in the issue tracker itself. This makes it clear who is doing what in IriusRisk without having to leave the issue tracker.

[Image: issue tracker comment showing the IriusRisk user who added it]

Automatically create and manage Component Definitions with a new API endpoint

Creating and managing Component Definitions is easily done using the IriusRisk user interface. But sometimes you need to automate. You may have an asset system containing the components you want available in IriusRisk, or perhaps you want to create the Component Definitions on the fly as part of some clever Open Threat Model integration.

We have released an API endpoint that lets you create, edit, and delete Component Definitions through code.

[Image: the Component Definitions API endpoint in the API docs]

For more information, take a look at the API docs on SwaggerHub.

Exciting things are coming, but first we need to change the notification alert type

We’re working hard on user experience improvements throughout the product, including how notifications are presented to users in their Project. As part of that, Notifications will be rebranded as Alerts, so we need to make a number of minor changes to the language used for Notifications.

When editing rules, “Notifications” will now be referred to as “Alerts”, and the “Alert” event type will now be called “Error”. Warning and Info remain as they are.

[Image: rule editor showing Alerts with the Error, Warning, and Info event types]

Security Content

In addition to the new ML/AI library, this release includes a load of new functional and cloud components.

We have 7 new functional components:

  • Captcha/Spam Protection
  • Financial Transaction
  • Generic Functional Component
  • Pipeline Deployment
  • Survey
  • Data Chart
  • Code Snippet Sharing

The 5 new AWS components are:

  • AWS Application Load Balancer
  • AWS NAT Gateway
  • AWS Private Certificate Authority
  • AWS ROSA (Red Hat OpenShift Service on AWS)
  • AWS VMWare Cloud

We also have 4 new Oracle Cloud components:

  • OCI Agent
  • OCI ATP (Autonomous Transaction Processing)
  • OCI Bastion
  • OCI Data Integrator

And finally, there are 2 new generic components:

  • ClamAV
  • Elasticsearch

Deprecations

ThreadFix Test Import Notice

The deprecation and removal of the ThreadFix test result import functionality has been POSTPONED until further notice.

Release notes

For more information, see the Version 4.21 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access. Join today.