IriusRisk community edition sneak peek


Stephen de Vries

May 3, 2016, 10:15:17 AM
to threatspec

Hi all,

We will soon be releasing a free-to-use community version of our IriusRisk Threat Modeling and risk management tool for software (overview here: www.iriusrisk.com) and I would really value your feedback on the tool before we open to world + dog.  The threat models generated by the tool are released under a CC share alike license and are exportable to XML, so can be re-used by ThreatSpec.  The site is up at: community.iriusrisk.com
Note that it has not been security tested yet, so build that into your threat model :)

Look forward to your feedback,
Stephen


Fraser Scott

May 8, 2016, 6:39:12 AM
to threatspec
I've just registered, so I'll have a poke around over the next few days or so. Looks great so far - is the plan to release it as something open source that people can run themselves, or would it be a SaaS model?

Fraser Scott

May 8, 2016, 7:14:19 AM
to threatspec
I've just had a quick play - very, very cool :)

I've exported the XML for my test app, so I'll have a good read through that. A quick glance does suggest it would be pretty straightforward to write a parser that could allow stuff like:

1) Referencing threats, components etc. defined in the XML (e.g. in threatspec you could do something like "@mitigates @DATABASE-SQL against ...")
2) Use threatspec tools to report on data from threatspec and the XML, by reading components, threats, mitigations etc. from both sources
3) Possibly feed back threats/mitigations etc defined in ThreatSpec into IriusRisk if the "Import automated test results" button does what I hope it will do.

My main question at the moment is how would this be used in an organisation? Do the devs/qa/architects/ops and security all get together in a room with this open and define the app together? Would devs be expected to have their own logins to make adjustments etc?

Stephen de Vries

May 8, 2016, 10:14:11 AM
to threatspec
> I've just had a quick play - very, very cool :)

:)

> 1) Referencing threats, components etc. defined in the XML (e.g. in threatspec you could do something like "@mitigates @DATABASE-SQL against ...")
> 2) Use threatspec tools to report on data from threatspec and the XML, by reading components, threats, mitigations etc. from both sources
> 3) Possibly feed back threats/mitigations etc defined in ThreatSpec into IriusRisk if the "Import automated test results" button does what I hope it will do.

All possible.  3) is interesting.  Currently the "import automated tests" can import from BDD-Security, JUnit and ThreadFix, but these are all testing tools with an output of one of: Passed, Failed, Not-Tested, Error
I think importing the Threat and Control state themselves directly from ThreatSpec would be a neater fit.  For example importing "@mitigates" from ThreatSpec would turn an Irius Countermeasure's state to "Implemented" or add the countermeasure if it doesn't already exist.  What will be challenging is mapping ThreatSpec countermeasures back to IriusRisk.

And importing "@exposes" should cause Irius to extract the risk data text from ThreatSpec and insert it into the model as a new Threat.
If IriusRisk could pull the code base from github and was set on an auto-import interval of a few minutes, then it could effectively provide a dashboard-style UI of ThreatSpec data.

> My main question at the moment is how would this be used in an organisation? Do the devs/qa/architects/ops and security all get together in a room with this open and define the app together? Would devs be expected to have their own logins to make adjustments etc?

Depends on the org and their constraints.  Orgs will typically be trading off time/cost required for security vs accuracy of the threat model.  So at one end I can see some orgs using the fully automated workflow in the tool directly by devs, relying on the tool defaults and not doing any manual threat modeling.  At the other end, the org could use this tool just to augment their existing manual threat modeling activities, so it could support a hybrid model: devs complete the architecture, then sec + dev get together to review the auto-generated model and add new threats.
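The "@mitigates" / "@exposes" import rules Stephen sketches above, as an added example (not code from IriusRisk or ThreatSpec): the annotation grammar beyond the "@mitigates @DATABASE-SQL against ..." fragment, the dict-shaped stand-in for the XML export, the countermeasure states other than "Implemented", and the sample source lines are all assumptions constructed for this illustration.

```python
import copy
import re

# Assumed ThreatSpec-style comment grammar (only "@mitigates @DATABASE-SQL
# against ..." is shown in the thread; the rest is an assumption):
#   @mitigates <component> against <threat> with <countermeasure>
#   @exposes   <component> to <threat> with <risk description>
MITIGATES = re.compile(r"@mitigates\s+(\S+)\s+against\s+(.+?)\s+with\s+(.+)")
EXPOSES = re.compile(r"@exposes\s+(\S+)\s+to\s+(.+?)\s+with\s+(.+)")

# Constructed stand-in for an IriusRisk model (the real XML schema is not on the page):
# {"components": {name: {"threats": {threat: {"countermeasures": {cm: state}}}}}}
SAMPLE_MODEL = {"components": {"@DATABASE-SQL": {"threats": {
    "SQL injection": {"countermeasures": {"Parameterised queries": "Required",
                                          "Input validation": "Recommended"}}}}}}

# Constructed source comments, as a ThreatSpec-annotated code base might carry them.
SAMPLE_SOURCE = """
# @mitigates @DATABASE-SQL against SQL injection with Parameterised queries
# @mitigates @DATABASE-SQL against Unauthorised access with Least-privilege DB account
# @exposes @DATABASE-SQL to Backup data disclosure with Nightly dumps land on a shared NFS volume
# @exposes @DATABASE-SQL to SQL injection with Duplicate annotation must not add a second threat
"""

def apply_threatspec(model, source):
    """Apply ThreatSpec annotations to the model in place and return it."""
    for line in source.splitlines():
        m = MITIGATES.search(line)
        if m:
            comp, threat, cm = (s.strip() for s in m.groups())
            threats = model["components"].setdefault(comp, {"threats": {}})["threats"]
            cms = threats.setdefault(threat, {"countermeasures": {}})["countermeasures"]
            # "@mitigates": flip the countermeasure to Implemented, adding it if absent.
            cms[cm] = "Implemented"
            continue
        e = EXPOSES.search(line)
        if e:
            comp, threat, desc = (s.strip() for s in e.groups())
            threats = model["components"].setdefault(comp, {"threats": {}})["threats"]
            # "@exposes": insert the risk text as a new Threat; leave an existing one alone.
            threats.setdefault(threat, {"countermeasures": {}, "description": desc})
    return model

def demo():
    """Run the sample import on a copy so the original model stays untouched."""
    return apply_threatspec(copy.deepcopy(SAMPLE_MODEL), SAMPLE_SOURCE)
```

Mapping ThreatSpec countermeasure names onto existing IriusRisk countermeasures is the hard part Stephen mentions; this example sidesteps it by matching on the literal name.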
Stephen de Vries

May 8, 2016, 10:15:47 AM
to threatspec

> I've just registered, so I'll have a poke around over the next few days or so. Looks great so far - is the plan to release it as something open source that people can run themselves, or would it be a SaaS model?

The community version will be a free-to-use SaaS model for the time being.