IriusRisk Team
|
The Threat Modeling Experts
September 1, 2022

Product Update: Release 4.7

Product Update: Release 4.7

New features and improvements include:

  • Template import performance improvements
  • Configuring issue trackers at the countermeasure level
  • Support for mapping Terraform modules to OTM components
  • A new Home Dashboard widget showing the top 10 countermeasures with the highest impact
  • Plus more!

Home Dashboard

Top 10 countermeasures with highest impact

One of the key values of threat modeling is helping you understand where you are over or under investing in cyber security controls. It’s important to understand which countermeasures are having the biggest impact on reducing cyber risk within your organization. In this release we have provided you with a cool new widget on the Home Dashboard that shows exactly this:

image-20220826-132530

The widget shows the top 10 countermeasure having the most impact on reducing risk, including important information such as whether they’re in an Issue Tracker. Clicking on the countermeasure shows you a breakdown by Project and Component, as well as Issue Tracker and Status details:

image-20220826-132430

Templates

Template import performance improvements

This release includes major performance improvements to the template import process. Importing a template is a complex process, and the time it takes grows with the number of components being imported. Previously this meant an exponential growth in time for very large templates (e.g. 50 or more components), resulting in an import time of anywhere up to an hour. With these improvements however, even a large template is imported in under a minute.

Better support for low resolutions

Last release (4.6) we delivered layout improvements for Projects, providing better support for low resolutions. This release we have also applied those improvements to Templates.

image-20220826-125900-1

Projects

Revert diagram changes

People make mistakes, that’s human nature. In a digital world, a lot of those mistakes can easily be undone. The Diagram in IriusRisk provides an Undo button in the context of your diagramming session. This is useful if you need to quickly undo a change while you’re diagramming. However, if you navigate to a different page and the changes are saved as draft, you can no longer use that undo button.

As of IriusRisk 4.7 you can use the new “Reset diagram changes” button available in the Project drop-down menu to revert the diagram to the draft. Once you click “Update threat model” your changes are saved permanently.

image-20220826-131111

Configure issue trackers at the countermeasure level

Using Issue Trackers are a key part of the threat model workflow as they are what turn a threat model into something actionable by development and engineering teams. IriusRisk previously supported configuring Issue Trackers at a global, project, and component level, with an inheritance model to propagate configuration between levels. However, a common use case is that some countermeasures need to be implemented by one team, and other countermeasures by another team. Another use case is creating countermeasures with different issue types such as Bug and Task.

IriusRisk 4.7 now supports configuring issue trackers at the countermeasure level, following the inheritance, which gives you full control over where to send each countermeasure and how.

image-20220826-131923

Configuring Issue Trackers at the Threat level will be coming soon!

Terraform API

Mapping Terraform modules to OTM components

Terraform Modules are a powerful way of encapsulating configuration into something simple and reusable. However, they provide an additional level of complexity when it comes to creating a threat model automatically from Terraform. This is because they can hide a lot of context and detail, plus they can be arbitrarily named.

To better support Modules we have updated Startleft and the Terraform API to be able to map their definitions directly into OTM components.

image-20220826-133320


In the example mapping file above, the new get_module_terraform help function is used to find any AWS RDS modules and map them to components of type “rds”.

Reporting

Reject and NA reasons in Compliance Report

Understanding and communicating risk decisions is a fundamental part of Governance Risk and Compliance (GRC). Our Compliance Report gives users a powerful tool to do exactly that, and the reality is that not all countermeasures are relevant in any given threat model context. Within IriusRisk, countermeasures can be rejected or marked as NA (Not Applicable), and a reason must be provided. This allows engineers and security teams to focus on what really matters, while also communicating why other countermeasures were deemed not relevant.

The Compliance Report has been updated to include the reason for the rejection or NA.

image-20220826-134501

Security Content

NIST 800-190 standard update

The NIST 800-190 standard has been updated to include 6 new countermeasures, 1 new threat, 1 new weakness, and 2 new components: Docker Registry and Docker Client.


CSVS standard update

37 new countermeasures from the OWASP Container Security Verification Standard.

Release notes

For more information, see the Version 4.7 Release Notes.

Shape the future of Threat Modeling with us!

Join IriusRisk Horizon

IriusRisk Horizon - Customer Research, Product Discovery, and Early Access