There are a number of ways to create a new library. If you want to take one of the libraries provided by Continuum Security and make it your own, first export the Continuum Security library, change its ref (Unique ID) and name, then disable the original library and upload your modified version. To accomplish this, follow the steps below:
- First, go to the "Templates & Libraries" menu within the sidebar:
- Select the library you wish to change - in our case, we will select the library "CS-Default" - and click on the "Action" button.
- From the drop-down options select the "Export" option.
- A new window appears; click its "Export" button and the file will begin to download.
Use the IriusRiskToolKit UI (https://github.com/continuumsecurity/iriusrisktoolkitui) to generate the new library automatically. Select the "Create a library from a default one" option:
You will see the following menu in which you need to write the following information:
- Base library: the library that you previously downloaded from IriusRisk.
- Library filename: name of the library file, ending in ".xml".
- Library name: official name of the library.
- Library ref: unique identifier of the library.
There is also an option to make the new library contain only pure ASVS3 countermeasures instead of pure ASVS4 ones. By default it takes only the controls related to ASVS4 and those related to both ASVS3 and ASVS4.
You can see an example here:
- Open the exported XML file with a text editor and change the library name and reference to your custom values. For this example we'll use:
  Library Name: Customer custom library
  Library Ref: customer-custom-library
- In the exported XML file, update the library references used by the rules with find and replace. This changes every reference from the previous (soon to be disabled) library to your new modified version:
  Find: CS-Default -> Replace: customer-custom-library
Important: in the manual way, the only things that change are the name and the ref of the library, not the countermeasures. We encourage you to use the IriusRiskToolKitUI to do the clone.
- Within IriusRisk, disable the old library (in our case "CS-Default").
- Then click the "Action" button on the top-left of the panel and select the option "Import Library".
  A new window appears; click the "Select the file" link. The system file browser opens. Select the XML library you modified in the previous steps.
- The fields Name and Unique ID for the library are automatically completed.
- Finally, the new library appears alongside the other libraries. At this point it is a clone of the copied library, with the same risk patterns and rules. Any changes you make in this library will never be overwritten by system or library upgrades.
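The manual rename-and-replace steps above, as an added Python example (not IriusRisk or IriusRiskToolKitUI code). It assumes the export is an XML document whose root `library` element carries `ref` and `name` attributes and whose rule actions reference risk patterns as `LIBRARY-REF::PATTERN-REF` in attribute values; the sample document is constructed to that assumed shape, so check the attribute names against a real export. Unlike a text editor's find and replace, it only rewrites whole-token occurrences of the old ref, so a longer identifier that merely starts with "CS-Default" is left alone.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed export shape; not a real IriusRisk export.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<library ref="CS-Default" name="CS Default" revision="1" enabled="true">
  <riskPatterns>
    <riskPattern ref="RP-WEB" name="Web application"/>
  </riskPatterns>
  <rules>
    <rule name="Web component">
      <actions>
        <action name="INSERT_PATTERN" value="CS-Default::RP-WEB"/>
        <action name="INSERT_PATTERN" value="CS-Default-Extra::RP-WEB"/>
      </actions>
    </rule>
  </rules>
</library>
"""


def clone_library(xml_text, old_ref, new_ref, new_name):
    """Return (new_xml, replacements).

    Sets the root library's ref and name, then rewrites every attribute value
    in which old_ref appears as a whole token (e.g. "CS-Default::RP-WEB") to
    use new_ref. Tokens such as "CS-Default-Extra" are a different library
    and are deliberately not touched.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    root.set("ref", new_ref)
    root.set("name", new_name)
    # A ref token is bounded by characters that cannot be part of a ref
    # (assumed: letters, digits, "_" and "-" make up a ref).
    token = re.compile(r"(?<![\w-])" + re.escape(old_ref) + r"(?![\w-])")
    replacements = 0
    for element in root.iter():
        for attr, value in list(element.attrib.items()):
            new_value, count = token.subn(new_ref, value)
            if count:
                element.set(attr, new_value)
                replacements += count
    return ET.tostring(root, encoding="unicode"), replacements


if __name__ == "__main__":
    xml_out, n = clone_library(SAMPLE_EXPORT, "CS-Default",
                               "customer-custom-library",
                               "Customer custom library")
    print(n, "reference(s) rewritten")
    print(xml_out)
```

Write the returned XML to a new file and import it as described above; the old library still has to be disabled in IriusRisk by hand.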
After this, you can begin to modify the risk pattern and rules to adapt the library to your security model.
When IriusRisk is updated and a new version of the disabled library (CS-Default) is released:
- The CS-Default library stays disabled after the update.
- You can still take advantage of the new risk patterns in CS-Default, even though the CS-Default library is disabled, by downloading the library as XML and inspecting its content.
We recommend using a distributed version control system such as Git to manage your custom libraries. This way:
- Different contributors can work on the same library concurrently.
- Changes can be co-ordinated via a central server, or even on a peer-to-peer basis.
- Updates in IriusRisk default libraries can be selectively merged using diff tools.
As noted above, we encourage you to use the IriusRiskToolKitUI to manipulate the library instead of doing it manually. With IriusRiskToolKitUI you can:
- Convert a library to Excel file format.
- Generate reports and statistics of the libraries.
- Find relations between rules and risk patterns.
- Edit library standards.