The dilemma: You know that threat modeling can reduce your application risk BUT you don’t have the time or skills on your team to make it a regular part of your development process for every application; or you’re performing manual threat modeling activities but can’t scale them across a large number of applications.
The solution: IriusRisk is a tool that generates threat models and their list of security requirements without having to engage with the security team. IriusRisk gives you a self-service approach to managing software security requirements without slowing your development team down, while at the same time enforcing the standardised countermeasures and security policies agreed by the security team.
IriusRisk generates a complete threat model, including Threats, Weaknesses and Recommended and Required Countermeasures, along with prioritised risk ratings.
Many of the software security techniques that have risen to prominence over the last few years, such as static analysis and bug bounties, are helpful. They certainly help you find problems. But it is hard to argue that they are comprehensive if you do not have a process for thinking about where security problems will arise.
That’s where threat modeling comes in. Threat modeling approaches such as those developed by Microsoft (STRIDE) and OWASP, and the scalable automated approaches that IriusRisk brings to your engineers, can provide the essential overview of what you’re building and what can go wrong so that you can focus on building it correctly from the start.
Using our platform provides a number of important benefits:
GDPR also has implications for building software applications. All software that handles personal data of EU citizens will have additional functional and non-functional requirements that were previously not necessary. Since IriusRisk is based on components, questionnaires and risk patterns – we’ve done this leg work for you. By providing accurate answers to the questions when designing a new application (or reviewing an existing one), IriusRisk will automatically apply the appropriate set of security requirements to help comply with the GDPR and automatically push those requirements to your development teams’ issue trackers, so that they have actionable tasks right in their main task dashboard.
The security and compliance teams can view the status of these requirements as well as the impact of the risks in the IriusRisk console. No more shuffling documents, spreadsheets and emails to find out what the compliance state of a piece of software is.
See a video here: https://www.youtube.com/watch?v=5hOHFCUYlNI
IriusRisk has several Security Standards embedded in the default dataset supplied with the platform: you are just 1 click away from complying with PCI standards, OWASP ASVS and EU GDPR. Also integrated in IriusRisk are security standards for deploying systems in several clouds including AWS and Azure. Continuum Security continually adds new standards to the default data set based on customer requests and market demands. The IriusRisk platform is independent of the data set, and if you need to add your own security standards and conditions for when those standards should apply, this is easily done! See this video for an example.
Traditionally, development teams create threat models and their list of security requirements through an exhausting, costly, and time-consuming process led by scarce, highly-trained security team members. If you don’t have access to those resources, you miss out on this important opportunity to address security risks early in the development process, when they’re easiest and cheapest to fix.
IriusRisk uses a simple, questionnaire-driven approach that can be used by any development and operations team – even those without prior security training. You can generate threat models and their list of security requirements without needing to engage with the security team. It is even possible to hide the threat model from the development team and show them only the automatically generated security requirements.
Requirements are pushed and synced directly with issue trackers so there’s no need to use yet another system to manage requirements.
IriusRisk gives your dev teams all the software security benefits of traditional full-blown threat modeling, on their own time, within their own development process, and without slowing them down.
For security teams that require more detailed threat models, they can define graphical Data Flow Diagrams within the system and base their threat modeling rules on the data flows.
As a development manager, you need to be sure that security doesn’t become a bottleneck for your projects. The business isn’t willing to wait for delivery. You need to build secure apps – but build them faster.
For development, IriusRisk automatically generates a threat model with recommended and required countermeasures and adds them to your issue tracker, like Atlassian JIRA, ServiceNow, Redmine, Rally and Microsoft TFS, so you can address security just like any other feature. We regularly expand our list of supported integrations, too. If the system you use is not currently supported, let us know and we will work with you to add support for it.
Developers complete a questionnaire, and IriusRisk automatically generates the security requirements and adds them to an issue tracker. This lets developers identify and implement important security work without involving the security team.
As a security manager, you need your team to scale. Demands placed on you are more intense than ever before, and you need to help every development team understand how to build security into their applications from the start.
For the security team, IriusRisk provides a single point to manage security throughout the entire development process. You define the risk patterns, the security standards and the rules that govern how a threat model should be generated, and the development team accesses that data through a questionnaire.
The security team can then review the auto-generated model, adjust it and use IriusRisk to communicate to the development team through their existing issue tracking system with a two-way sync.
IriusRisk can also import security vulnerability information from SAST and DAST tools and correlate it with the threat model, thereby providing valuable business context to those technical findings.
Automating the boring part of threat modeling also helps keep your high value security team motivated and removes the frustration of identifying and recording repetitive threats and countermeasures.
IriusRisk provides two types of tests:
Penetration Testers can use the list of weakness tests to test for the presence of vulnerabilities, in addition to their usual testing methodologies. This provides them with a checklist of tests to run.
Auditors and functional testers can use the list of tests for countermeasures to verify that specified countermeasures are in place and can easily overlay a security standard to quickly view the actual state of countermeasures.
IriusRisk is an ideal complement to automated testing tools including SAST, DAST and IAST, which are great at finding security bugs. Security bugs are typically introduced at implementation time, when developers are writing code or the operations teams are configuring the servers and infrastructure. But these tools have three blind spots that IriusRisk will help eliminate:
IriusRisk uses questionnaires to capture this information and automatically identifies threats and countermeasures based on what you’re building and how you plan to build it.
In addition to highlighting these blind spots, the most important value that IriusRisk provides to development teams is describing how to build secure systems from the start, rather than finding bugs after the fact!
Threat Modeling as an activity and IriusRisk as a platform are designed to identify architectural security risks. This applies equally to an architecture that is to be built as to one that already exists. The primary difference is that for an application that already exists, we have more accurate information about the chosen design and the security controls that have already been implemented. The process of using IriusRisk would be similar for both types of apps except that for apps that have already been implemented there would be an additional step to review all of the required countermeasures and mark them as implemented where applicable.
In both cases you can make use of IriusRisk’s compliance view to visualise compliance with our built-in standards or standards that you add to the platform.
In addition, the generated threat model can be used to inform security testing activities such as QA and penetration testing.
IriusRisk was designed to integrate with developers’ workflows and tools, and since developers use issue trackers extensively to manage requirements and issues, IriusRisk includes first class integration with these tools. This means that developers spend less time in our platform and can instead continue to use their issue tracker as their primary planning tool.
IriusRisk can create new tickets on these systems, synchronise the status of the tickets and upload and synchronize comments.
IriusRisk can import vulnerabilities from popular testing tools and frameworks, match them to the threat model and automatically synchronise the issues with the issue tracker system.
Since Threat Modeling defines the security context at the start of the SDLC, it can also define downstream security activities including Testing. The threat model generated by IriusRisk already contains potential vulnerabilities, but until these are tested, their presence would be unconfirmed, so the platform can import results from the following testing tools in order to determine the real statuses of those potential weaknesses:
Once imported, the platform correlates the vulnerabilities with the Contextual Business Risk. In other words, the level of risk posed by a vulnerability does not depend only on the technical impact (as provided by the testing tools) but also on the value of the data at risk, the exposure of the component and the difficulty of performing the attack. These contextual variables are provided by IriusRisk. This helps to prioritise remediation actions according to what matters most.
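To make the correlation described above concrete, here is a small added example (not IriusRisk’s code, data model or scoring formula): it confirms threat-model weaknesses from imported scanner findings and ranks the findings by contextual risk. The 1..5 scales, the weighting and the sample components, weaknesses and findings are constructed assumptions.

```python
from dataclasses import dataclass
# Scales below (1..5) and the weighting are assumptions made for this example.
@dataclass
class Component:           # context the threat model holds and scanners lack
    name: str
    data_value: int        # 1 (public) .. 5 (regulated personal data)
    exposure: int          # 1 (internal only) .. 5 (internet facing)
    attack_difficulty: int # 1 (trivial) .. 5 (hard)

@dataclass
class Weakness:            # potential vulnerability from the generated threat model
    component: str
    cwe: str
    status: str = "unconfirmed"

@dataclass
class Finding:             # result imported from a SAST/DAST tool
    tool: str
    component: str
    cwe: str
    technical_impact: int  # 1..5 as reported by the tool

def contextual_risk(f: Finding, c: Component) -> float:
    """Scale technical impact by business context: data value and exposure
    raise the risk, attack difficulty lowers it. Returns 0..100."""
    likelihood = c.exposure * (6 - c.attack_difficulty)   # 1..25
    impact = f.technical_impact * c.data_value            # 1..25
    return round(likelihood * impact / 625 * 100, 1)

def correlate(findings, weaknesses, components):
    """Confirm weaknesses matched by a finding (same component and CWE) and
    return findings ranked by contextual risk, highest first."""
    by_name = {c.name: c for c in components}
    by_key = {(w.component, w.cwe): w for w in weaknesses}
    ranked = []
    for f in findings:
        if (f.component, f.cwe) in by_key:
            by_key[(f.component, f.cwe)].status = "confirmed"
        if f.component in by_name:
            ranked.append((contextual_risk(f, by_name[f.component]), f))
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)

# Constructed sample: exposed low-value front end, internal high-value database.
COMPONENTS = [Component("web-frontend", 2, 5, 2), Component("billing-db", 5, 1, 4)]
WEAKNESSES = [Weakness("web-frontend", "CWE-79"), Weakness("billing-db", "CWE-89"),
              Weakness("billing-db", "CWE-287")]
FINDINGS = [Finding("sast", "web-frontend", "CWE-79", 3),
            Finding("dast", "billing-db", "CWE-89", 5)]
def run_sample():
    return correlate(FINDINGS, WEAKNESSES, COMPONENTS), WEAKNESSES
```

In the sample, a medium-severity XSS finding on the internet-facing front end outranks a high-severity SQL injection finding on the internal database, and the untested CWE-287 weakness stays unconfirmed.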
Yes, IriusRisk is a web application and supports a fine grained permissions model. This allows you to configure user roles that suit your needs. For example, you could create a role only for external software suppliers that will allow them to only complete the questionnaire, but not view or edit the resulting threat model, while the security team has full visibility of all the functions.
Products can also be assigned to specific users, or to groups of users and access control can be enforced between the groups.
It’s recommended to use the same issue tracker project that the team is already using to manage their other functional requirements and bugs. The tickets created by IriusRisk can be identified by using a label and/or by creating a custom type, e.g.: “Security Requirement”.
Yes; nevertheless, customers have the option of installing IriusRisk in the cloud of their choice by choosing the On Prem version and managing the instance themselves.
We recommend deploying the application using Docker, while the database should be deployed natively. Supported databases are MS SQL Server and PostgreSQL. More details on the hardware requirements and installation options can be found at: https://continuumsecurity.atlassian.net/wiki/spaces/ITD/pages/26771463/Installation
Support is provided through a ticketing system and email. Continuum Security will respond to any issue raised within 24 hours and provide an analysis of the problem and the estimated time to fix. Critical risk issues which directly prevent the use of the software, or which pose a serious security risk will be addressed within 48 hours. The customer will be provided with access to our Service Desk to report and track incidents.
The Community Edition was created in order to provide a free-of-charge service for developers and security architects to share security requirements about specific types of architectures. Continuum Security cannot threat model the world, but the world can threat model itself, if we all participate!
A Community Edition user can:
A license for a commercial instance of IriusRisk is needed in order to:
The license applies to a single production instance of the core IriusRisk platform. It includes the default questionnaires, rules and risk patterns as well as maintenance and feature updates to these and the platform itself during the license period.
Multiple instances of the IriusRisk application deployed in a high availability configuration, where all users and applications exist within the same logical database, are considered to be a single instance for licensing purposes.
Instances used for non-production use do not require a separate license. There is no limitation on the number of users of the system. It includes full access to the API. The user interface, as well as the default questionnaire and risk templates are provided in English.
The price is based on the number of applications that are managed in the platform and is an annual subscription for both the SaaS and OnPrem instances.