Threat modeling in the Secure Software development process

IriusRisk Automates

Secure software development process

1. Inception: Risk Analysis
2. Requirements Analysis: Security Requirements
3. Design: Threat Modeling and technical security requirements
4. Build: Code Review
5. Test: Security Testing

IriusRisk Manages

Why choose IriusRisk?

Create a threat model in minutes

Create a threat model and derive security requirements in minutes using a straightforward questionnaire-based system.

Integrated application risk analysis and architectural security

Integrated application risk analysis and architectural security for developers, using a straightforward questionnaire-based approach.

Reduce the number of security vulnerabilities

Reduce the number of security vulnerabilities in applications caused by weak security design and inadequate controls.

Measure, view and respond to application security risk

Measure, view and respond to application security risk through all of the software development and delivery steps.

Reduce the time and resources

Reduce the time and resources required to perform risk analysis and threat modelling.

Meet enterprise security requirements

Meet enterprise security requirements and constraints from the very beginning.

Manage security risk throughout the SDLC

Manage security risk throughout the SDLC by choosing a risk response and synchronising security requirements with issue trackers.

Manage risks at portfolio scale across the enterprise

Manage risks at portfolio scale across the enterprise or per business unit.

Security Teams

Create Threat models in minutes

Developers

Reduce vulnerabilities from the very beginning

Managers

Don’t let your team be the bottleneck

Auditors

Direct access to the risk portfolio and countermeasures across the company

Ready to automate your threat modeling process?

Start now

Features

Threat modeling in minutes

Choose a Risk Response

Implement Countermeasures

Test Weaknesses & Countermeasures

Manage Application Risk

Choose a basic architecture to start with

An adaptive questionnaire driven by an expert system guides the user through straightforward questions about the technical architecture, the planned features and the security context of the application.

The questionnaire modifies itself in real-time based on the supplied answers. As it learns more about the architecture, it asks more specific questions in order to accurately identify the inherent risks.

This questionnaire is 100% editable through our graphical rules editor, so that you can customise the questions to your environment and common architectures.

IriusRisk generates an initial threat model automatically

The model is categorized by the major components and presents a list of the potential security risks and weaknesses, along with specific recommended countermeasures. Weaknesses are regarded as potentially present until their presence or absence has been verified through security testing. Confirmed weaknesses are highlighted as vulnerabilities.

Choose a risk response

Each threat is linked to potential Weaknesses and recommended Countermeasures from our extensive application risk database. The user can then make an informed decision about the appropriate risk response: Mitigate, Avoid or Accept. For example, a countermeasure can be applied to Mitigate the risk, or a risk can be accepted and the risk decision justified.

The system provides risk management advice and guidance by highlighting the important next steps and the countermeasures that provide the highest return on security investment.


Countermeasures become security requirements

Developers and the implementation team have a clear list of the security countermeasures that need to be implemented. Countermeasures can also be uploaded to a defect tracker like Jira, so that developers can keep using the tools they’re familiar with, while the security team has a real-time risk centric view of the countermeasure progress.

Countermeasure status can be managed in IriusRisk alone, or by synchronising with a defect tracker like Jira.

Test weaknesses and countermeasures

Security testing is supported from both a control and a vulnerability perspective. The results of negative testing, such as vulnerability assessments and penetration tests, can be recorded against the listed Weaknesses. Positive security control testing, such as code reviews and audits that aim to validate the implementation of controls, can be recorded against the listed Countermeasures.

Tests can be automatically imported from external test sources like JUnit, JBehave, Cucumber, OWASP ZAP and of course our BDD-Security framework.

Tests can also be updated through our REST API.
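The workflow described in the threat model, risk response, countermeasure and testing sections above, as an added illustration that is not IriusRisk code: weaknesses start as potential, negative tests confirm or clear them, positive tests mark countermeasures as implemented, and the chosen risk response is checked against that evidence. The threat, weakness and countermeasure names are a constructed sample.

```python
from dataclasses import dataclass
@dataclass
class Weakness:
    name: str
    status: str = "potential"    # potential | confirmed | not-present

@dataclass
class Countermeasure:
    name: str
    implemented: bool = False    # set by positive control testing (review, audit)

@dataclass
class Threat:
    name: str
    weaknesses: list
    countermeasures: list
    response: str = "undecided"  # mitigate | avoid | accept | undecided
    justification: str = ""

def record_negative_test(w, exploitable):
    # pentest or scanner result: a confirmed weakness is a vulnerability, otherwise it is cleared
    w.status = "confirmed" if exploitable else "not-present"

def record_positive_test(cm, passed):
    # code review or audit result validating that the control is in place
    cm.implemented = passed

def open_requirements(threats):
    # countermeasures still to build for mitigated threats: the developers' requirement list
    return [cm.name for t in threats if t.response == "mitigate"
            for cm in t.countermeasures if not cm.implemented]

def review_findings(threats):
    # inconsistencies between the chosen response and the recorded test evidence
    out = []
    for t in threats:
        confirmed = [w.name for w in t.weaknesses if w.status == "confirmed"]
        if t.response == "undecided":
            out.append(f"{t.name}: no risk response chosen")
        elif t.response == "accept" and not t.justification:
            out.append(f"{t.name}: accepted without justification")
        elif t.response == "accept" and confirmed:
            out.append(f"{t.name}: accepted but vulnerability confirmed")
        elif t.response == "mitigate" and confirmed and \
                all(cm.implemented for cm in t.countermeasures):
            out.append(f"{t.name}: controls implemented but weakness still confirmed")
    return out

SQLI = Threat("SQL injection via search form", [Weakness("unparameterised SQL")],  # constructed sample
              [Countermeasure("parameterised queries"), Countermeasure("input validation")])
```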

Manage product risk across the enterprise

Compare risk ratings for products across the enterprise or within business units.

Editions and Pricing

Security teams

Limited to 3 applications

Free

  • Threat modeling based on diagrams and questionnaires
  • Integrate with Jira, Redmine, TFS and CA Rally
  • Create Templates
  • Share Templates with other users

Sign up

SaaS Hosted

Tiered pricing based on number of apps

  • Threat modeling based on diagrams and questionnaires
  • Integrate with Jira, Redmine, TFS and CA Rally
  • Create Templates
  • Integrate with ThreadFix and HP Fortify
  • Define security classifications, Trust Zones and Data Assets
  • Customise questionnaires
  • Permissions based access control
  • Premium risk pattern libraries
  • API

Request a Demo

On premise

Tiered pricing based on number of apps

  • Threat modeling based on diagrams and questionnaires
  • Integrate with Jira, Redmine, TFS and CA Rally
  • Create Templates
  • Integrate with ThreadFix and HP Fortify
  • Define security classifications, Trust Zones and Data Assets
  • Customise questionnaires
  • Permissions based access control
  • Premium risk pattern libraries
  • API
  • Single sign-on with SAML v2 and LDAP/Active Directory
  • Java WAR or Docker install

Request a Demo
