With the new release of IriusRisk – detailed here – we’re proud to announce architectural and data-flow diagramming.

Security teams can now view automatically generated threat model architecture and add new components and data-flows from within the Diagramming view.

Architectural diagramming is under continued development; features planned for future releases include the ability to export the diagram as an image and add it to reports.

For a short demonstration of the diagramming capabilities and processes, please watch the video below:

We’re delighted to announce the release of IriusRisk 1.12.0

As part of this release we have added a risk pattern library for Docker. Risk patterns are re-usable collections of use-cases, threats, weaknesses and countermeasures that can be imported into a threat model as a unit. They are the basic building blocks of threat models within IriusRisk.

This library provides a baseline set of risks, weaknesses and countermeasures for anyone implementing a Docker environment. The risk pattern contents were obtained from the CIS Benchmark “CIS Docker Community Edition Benchmark v1.1.0”. This Benchmark provides prescriptive guidance for establishing a secure configuration posture for Docker CE 17.06 or later technology.

Here’s a little of what CIS say about the Docker benchmark:

The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark is a reference document designed to assist system administrators, security and audit professionals, and other technologists in establishing a secure configuration baseline for the Docker CE Engine.

Continuum Security are certified CIS SecureSuite Product Vendor members.

Other new libraries released include:

  • OWASP Mobile ASVS: For Mobile Applications based on The OWASP Mobile Application Security Verification Standard (MASVS). This library sets forth risks and controls for anyone implementing a mobile application. This covers both Android and iOS platforms.
  • Google Cloud: For Google Cloud encompassing the entire environment including: GC Virtual Machines, GC Kubernetes, GC SQL and GC Storage. This library covers foundation services such as Governance, Identity and Access Management (IAM), Logging, Monitoring, Network, Kubernetes, Storage, Databases SQL and Virtual Machines.

It is always heartening for us when Continuum Security’s hard work, innovation and dedication to developing automated security solutions that answer industry’s hard problems are recognised.

And today is one of those days.

WhiteSource have run an article entitled: “9 Great DevSecOps Tools for Dev Teams to Integrate Throughout the DevOps Pipeline” and in number one spot is our IriusRisk Automated Threat Modeling Platform.

Here’s a little of what they say about us:

This cybersecurity company offers enterprise organizations an Application Security Requirements and Threat Management Solution with their threat modeling platform IriusRisk. This platform allows them to automate and scale their secure design activity by helping developers and security analysts deal with software vulnerabilities as early as the application design stage.

Adding this type of automated DevSecOps solution at the start of the development life cycle enables teams to address security risks early in the development process when they’re easiest and cheapest to fix.

As a company one of our underpinning drives springs from the “DevSecOps” movement with its focus on innovation, automation, scalability and seamless continuous integration. This coupled with the “Shifting Left” security approach (baking in security early in the production cycle at the design phase and continuing throughout the development life cycle) is encapsulated within our IriusRisk Platform.

Our Open Source BDD-Security Testing Framework is also highlighted in the article:

…an open source dynamic testing tool for businesses to integrate security testing into their development pipelines. The framework is compatible with most of the popular issue trackers, SAST, DAST, unit testing frameworks, and offers an open API for anything it doesn’t support natively. This allows teams to automatically synchronise their tests with issue trackers in the context of the threat model.

BDD-Security can integrate with our IriusRisk platform.

If you are interested in finding out more about what our products can bring to your organisation, please don’t hesitate to contact us.

GDPR: THE SOFTWARE DEVELOPERS PERSPECTIVE

Europe’s new General Data Protection Regulation (GDPR) became legally enforceable on the 25th May. The underlying driving force behind the regulation is the empowerment of data subjects within the EU in regard to their personal data. Underpinning this is the concept of “Privacy by Design”.

PRIVACY BY DESIGN

The principle behind privacy by design is to bake in data protection and security from the inception of the application project and throughout its lifecycle. This is primarily achieved through Privacy Impact Assessments (PIAs). This approach identifies potential problems early on in the design and development process when they are simpler and cheaper to rectify.

PRIVACY IMPACT ASSESSMENTS

There are 8 key GDPR principles to consider when undertaking an application PIA:

  1. Processing personal data fairly and lawfully
    • Do we have legitimate grounds for collection of user personal data that will not have an unjustified negative impact?
    • Have we given appropriate privacy notices?
  2. Processing personal data for specified purposes
    • Do we have a justifiable rationale for personal user data collection?
    • Have we provided appropriate privacy notices, including details of any uses that differ from the original purpose?
  3. The amount of personal data we may hold
    • Have we minimized our data collection to only that which we need for the purpose required?
  4. Keeping personal data accurate and up to date
    • Have we taken reasonable steps to ensure data accuracy?
    • Have we provided a mechanism by which the user may edit and update incorrect information?
  5. Retaining personal data
    • Do we have data retention and deletion policies and procedures in place that are in accordance with the purpose of collection?
  6. The rights of individuals – Have we put mechanisms in place enabling individuals to:
    • Be given a copy of the information comprising the data.
    • Object to data processing.
    • Prevent processing for direct marketing.
    • Object to automated decisions (eg profiling).
    • Have inaccurate personal data rectified, blocked, erased or destroyed.
    • Claim compensation for damages caused by a breach of the Act
  7. Information security
    • Have we designed and organised our security to fit the nature of the personal data with consideration as to the harm it would cause if breached?
    • Clearly identified personnel responsible for data security?
    • Ensured physical, technical security and robust policies and procedures are in place with adequately trained personnel?
    • Prepared for swift and effective data breach response?
  8. Sending personal data outside the European Economic Area
    • Have we ensured an adequate level of protection for user data transferred outside of the EEA?

Although the above may – at first blush – appear daunting, there is an overarching narrative that can be encapsulated within the following questions:

  • What is the data we are collecting?
  • How are we collecting it?
  • Why are we collecting it?
  • What are we doing with it?
  • Are the data subjects expecting this?

With these questions in the back of our minds during the application PIA, mapped against the 8 key GDPR principles, it becomes possible to template a framework.

Further, as many of the applications we develop have commonalities, we are able to create architectural risk patterns in a question-and-answer checklist format that can be applied over and again to other applications we develop.

The key to simplification is to break down the application into individual components – for example the registration form – and then ask ourselves the above pertinent questions in relation to GDPR requirements.

This approach allows us to be proactive in ensuring GDPR application security and data protection requirements are in place and embedded from the beginning of the development process. This avoids the “bolt-on” mentality which often leads to complex and expensive changes at the end of the development cycle.

Also, breaking down our applications into manageable individual components and approaching GDPR requirements in a standardized and systemized question and answer format that is repeatable, documented and thoroughly tested, gives us a simplified, manageable, scalable framework – assuring ourselves, our users and regulatory authorities, that our applications are in compliance with GDPR.
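The component-by-component checklist described above, as an added example that is not IriusRisk’s or Continuum Security’s own code: the questions for principles 1, 3, 4, 5 and 8 are expressed as reusable checks (a risk pattern in miniature) and applied to a constructed registration-form component. The EEA country list is a partial assumption used only to decide whether a transfer leaves the EEA.

```python
"""Component-level GDPR PIA checklist applied as a reusable pattern (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: partial EEA list, only used to flag transfers that leave the EEA.
EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE", "NO", "IS", "LI"}


@dataclass
class Component:
    name: str
    purpose: str
    fields_collected: Set[str]
    fields_required: Set[str]            # minimum needed for the stated purpose
    privacy_notice: bool = False
    rectification_ui: bool = False       # can the user correct their data?
    retention_days: Optional[int] = None
    transfer_countries: Set[str] = field(default_factory=set)


def assess_component(c: Component) -> List[Tuple[int, str]]:
    """Return (GDPR principle number, finding) pairs; an empty list means no gaps."""
    findings = []
    if not c.privacy_notice:                                   # principle 1
        findings.append((1, f"{c.name}: no privacy notice shown at collection"))
    excess = sorted(c.fields_collected - c.fields_required)    # principle 3
    if excess:
        findings.append((3, f"{c.name}: collects more than '{c.purpose}' needs: {excess}"))
    if not c.rectification_ui:                                 # principle 4
        findings.append((4, f"{c.name}: no way for the user to correct their data"))
    if c.retention_days is None:                               # principle 5
        findings.append((5, f"{c.name}: no retention/deletion period defined"))
    outside = sorted(c.transfer_countries - EEA)               # principle 8
    if outside:
        findings.append((8, f"{c.name}: data transferred outside the EEA to {outside}"))
    return findings


def assess_application(components: List[Component]) -> dict:
    """Apply the same checklist to every component, as a risk pattern would."""
    return {c.name: assess_component(c) for c in components}


# Constructed sample: a registration form that over-collects and transfers data to the US.
REGISTRATION = Component(
    name="registration form", purpose="create account",
    fields_collected={"email", "password", "date_of_birth", "phone"},
    fields_required={"email", "password"},
    privacy_notice=True, rectification_ui=False,
    retention_days=None, transfer_countries={"IE", "US"})

if __name__ == "__main__":
    for principle, text in assess_component(REGISTRATION):
        print(f"principle {principle}: {text}")
```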
