Threat modelling joins DevSecOps processes through automation

Created by Continuum Security, IriusRisk 2.0 is a tool that enables threat modelling at scale and provides follow-up throughout the development process via integration with developer workflows and security testing tools.

As the security industry moves towards DevSecOps, where secure development processes are largely automated, there is a growing desire to shift security left into the design phase and to automate as much of it as possible. Threat modelling has traditionally been performed using costly and time-consuming manual techniques, but with the pattern-based automation offered by IriusRisk it is now possible to reduce both the time and the complexity of this activity.

This gives development and operations teams a self-service approach to threat modelling, so that they can continue to build and release software and features at speed while maintaining the level of security their organisation requires.

IriusRisk 2.0 offers a number of advantages:

  • It is able to model almost any system that a company might choose to build, using a graphical data flow diagram and a component library.
  • It covers the end-to-end process of identifying threats, recommending countermeasures and tracking the status of those countermeasures by syncing with an issue tracker.
  • Strong graphical threat modelling capability, including graphical cloud (AWS, Azure and Google) services and components.
  • An extensive API, so that projects can be on-boarded and populated with information from third-party systems, and threat models generated from the provided data.

Stephen De Vries, CEO of Continuum Security said: “This represents the biggest release of IriusRisk and is focussed around an intuitive diagram centric view, greater ease of use, speed and complete automation of the threat modelling process through enhanced API capabilities. We believe this is a game-changer for the industry.”

Some of the new features include:

  • Component definitions and diagramming: there is now a diagram-based user interface for describing the architecture of projects within IriusRisk. Users can select architectural components from a predefined list and view the threats and countermeasures associated with them.
  • Administrative users can now create custom components with their associated threats and countermeasures, so that users work from a standard baseline set of components.
  • ISO 27002, NIST 800-53 and CIS Docker standards added.
  • OWASP ASVS standard updated and extended.
  • The API backend has been extended, offering new integration and automation capabilities.

“There was clear demand from our customers to fully automate the threat modelling process from inception through development and testing. IriusRisk already had a powerful API in place and was therefore poised for the final step. By expanding the API functionality our customers are now able to truly embrace the DevSecOps philosophy with complete threat modelling automation”, added De Vries.