IriusRisk Team | The Threat Modeling Experts
November 9, 2023

Product Update: Release 4.22

We are excited to announce the release of IriusRisk 4.22, which includes these new enhancements and features:

  • Maximum canvas for maximum productivity - our updated Project navigation gives you more screen for an even better threat modeling experience.
  • Don’t miss critical project info with our improved Project Alerts (formerly Notifications).
  • Manage Custom Views for your organization and give your users quicker access to the countermeasures that matter to them.
  • And much more!!

Maximum canvas for maximum productivity - our updated project navigation gives you more screen for an even better threat modeling experience.

The latest update to our project navigation further increases the canvas size, significantly enhancing the threat modeling experience with a larger, more centralized workspace. Users previously contended with a sidebar that limited their view; now the interface places the four key tabs - Home, Diagram, Threats, and Countermeasures - in the top bar for immediate access. The repositioned actions menu and the settings dropdown have been refined to reduce clutter, allowing users to focus on what matters most without unnecessary navigation.


You can easily switch between the Home, Diagram, Threats, and Countermeasures views.


The settings menu gives you access to project details, ownership, and settings.


The general menu gives you access to everything else you need for your project, from project components, artifacts, and reports to template creation.


Don’t miss critical project info with our improved Project Alerts (formerly Notifications).

Our Project Alerts feature, formerly known as Notifications, has been revamped to keep you informed about crucial project or template updates with greater clarity. Previously, alerts lacked context and visibility, causing user frustration when trying to track team actions. The enhanced system now prominently flags alerts in a global context, making it simple to view and act upon alerts specific to a project or template. Organized by type and filterable, these alerts allow users to quickly address issues within their relevant scope, streamlining collaboration and project oversight.

You can see that Alerts are available to review by looking for the “red dot” on the Alerts icon.


Clicking on the icon will open up the Alerts window, giving you immediate access to the Alerts without taking you away from whatever you were doing.


You can click on the Alert type icons to filter the view to just those relevant to you.


Manage Custom Views for your organization and give your users quicker access to the countermeasures that matter to them.

Building upon our previous "Custom Views" release, we've introduced the ability to create, edit, and save up to 10 personalized views for countermeasures. With this feature, you can now effortlessly edit names, descriptions, and default settings of Custom Views, or remove them when they're no longer needed, all within a few clicks. Quick access and customization have never been easier, providing a more efficient workflow for identifying and applying relevant countermeasures.


To edit a Custom View, simply change the filters as a user with the CUSTOM_VIEW_UPDATE permission.


You’re able to give it a name and description, and set it as the default.


Import multiple trust zones of the same type for Visio, Lucid, and MTMT

This release tackles the challenge of importing diagrams with multiple trust zones of the same type from MTMT, Visio, and Lucid into IriusRisk. Previously, similar trust zones were merged, causing a loss of the original layout and details of related components. The enhancement includes an update to the Open Threat Modeling (OTM) specification, now incorporating a type field within the OTM trust zone element. This update has been integrated into StartLeft and the IriusRisk core, ensuring that projects imported retain their distinct trust zones, preserving the visual integrity and specifics of each zone.

This example diagram shows multiple occurrences of the same trust zones:


Now when it’s imported into IriusRisk you’ll see the layout preserved and the separation of different trust zones of the same type maintained:


For more information, see our StartLeft GitHub page and our API documentation on SwaggerHub.

Simplify your mapping with a catchall and skip function for Lucidchart import

We're excited to announce a new feature for Lucidchart imports into IriusRisk: a 'catchall and skip' function, designed to streamline your mapping process. Previously, when importing Lucidchart files, any unmapped shapes were excluded, potentially omitting vital components. Our new 'catch_all' functionality allows users to automatically import all shapes from specific stencils as a default component type, ensuring no critical element is missed. Conversely, the 'skip' function lets users intentionally omit certain types during import. These features can be used separately or together for maximum flexibility and control over your project visualization.

Here we’re mapping the catch_all to the empty-component.


If we want to exclude AmazonEC2 from being mapped through the catch_all, we can easily do that too:


For more information, see the StartLeft documentation on GitHub.


Distinguish between threats from different risk patterns when adding existing threats to a project

This release improves the user experience when adding existing threats to a project by addressing the issue of indistinguishable risk patterns. Users can now clearly differentiate threats sourced from various risk patterns thanks to the addition of a 'Use Case' column and the correction of the 'Component/Risk Pattern' column to display accurate information. Moreover, to align with different project contexts, we've introduced dynamic column naming that adjusts based on whether a project, template, or library is selected. This intuitive update, applied to all 'Add from existing...' dialogs, simplifies the process of identifying and incorporating relevant threats across your threat modeling projects.

Previously it wasn’t possible to tell which threats came from which risk patterns, so the list showed what looked like duplicate threats.


Now you can see the Risk Pattern as a separate column.


Get a better risk context with a new Trust Zone entity for our Analytics module

We have introduced a new Trust Zone entity to our Analytics module. This gives you easier access to risk context for components, by allowing you to associate components with their parent Trust Zone and pull in the risk rating for that Trust Zone. This is especially useful if you are implementing an alternative risk rating method on top of IriusRisk’s native one using the Analytics module.

For more information on how Trust Zone risk ratings are used, see How is inherent risk calculated?

Get easier management of your IriusRisk license with our new License page

Our new License page provides a seamless experience for managing your IriusRisk license. This revamped page offers a clear view of your available projects, how many are in use, and the percentage of your quota reached, with color-coded indicators for approaching or reaching limits. Additionally, a new progress bar tracks the days remaining until license expiration, with alerts for upcoming expiry dates. Should you need more projects, there's a direct call-to-action button that opens your default email app, ready to request an upgrade.


Security content

The following new components have been added in this release.

New Azure components:

  • Azure Active Directory External Identities
  • Azure Communication Services
  • Azure Developer CLI
  • Azure OpenAI Service
  • Azure Spring Apps

New generic components:

  • Apache NiFi
  • Object Storage

New functional components:

  • Data Chart
  • Code Snippet
  • Build Configuration File
  • Spring Security Configuration
  • Send Email

New SAP component:

  • SAP DMS (Document Management Service)

We have also refactored the Generic SaaS component to include more threats and countermeasures.

Other content changes

  • We have added MITRE ATT&CK Techniques references to the most common threats, giving users even more security context.
  • This release also includes a new standard, the SWIFT Customer Security Controls Framework. This is important for financial services organizations that are SWIFT users.

In case you missed it - our brand new ML/AI Library

In the previous Release 4.21 we announced our first-of-its-kind Security Library to threat model machine learning and artificial intelligence applications. Read more about how the Library can be used in this blog. It has already been covered in Dark Reading, after an exclusive interview with Dr Gary McGraw, co-founder of the Berryville Institute of Machine Learning, and Chair of our Technical Advisory Board.

Have a look at the article here: IriusRisk Brings Threat Modeling to Machine Learning Systems.

Deprecations

ThreadFix Test Import Notice

UPDATE: ThreadFix functionality for importing test results will be deprecated in the next release v4.23.

My Portfolio

NEW: The My Portfolio section will be deprecated and removed in Q1 2024.

Release notes

For more information, see the Version 4.22 Release Notes.
