Features
- Library update and propagation to products: The library update algorithm has been improved in this release. Weaknesses are now updated too, and for every element of a Threat Model (Use Cases, Threats, Weaknesses and Countermeasures) only the information that does not affect progress or countermeasure status is overwritten (see the Library update behaviour appendix below).
- Issue tracker configuration per component: The per-component Issue Tracker settings are now exported as part of the Product's XML.
- Diagramming: This tab has become the main Architecture definition point in IriusRisk. It now offers all the options needed to define an architecture:
  - Open the Architecture Questionnaire.
  - Add a new Component.
  - Add a Dataflow.
  - Edit/delete a component with right click.
  - Edit/delete a dataflow with right click.
  - Move elements across the screen.
- Database and performance improvements: We have started a series of refactors of the Model in the database which, together with a stress-testing and profiling roadmap, will improve the overall performance of the application.
Content
- OWASP Mobile ASVS: New Library with risk patterns for Mobile Applications based on the OWASP Mobile Application Security Verification Standard (MASVS).
- Docker CIS: New Library with risk patterns for Docker based on the CIS standards.
- Google Cloud: New Library with risk patterns for Google Cloud covering the whole Environment, GC Virtual Machines, GC Kubernetes, GC SQL and GC Storage.
Bugs Fixed
- [IR-2148] - "Save" description in the Countermeasures window saves all the data and closes the edit form.
- [IR-2250] - Error importing a Project when countermeasures are tracked.
- [IR-2272] - Error when adding a trailing / to the Issue Tracker configuration URL.
- [IR-2285] - Changing the workflow state of a product was not reflected correctly in the audit log.
- [IR-2360] - Fixed a NoClassDefFound exception caused by TFS library dependencies.
Appendix - Library update behaviour:
Changing content in a Risk Pattern within a library and then applying it to Products updates only certain fields of the existing threat models. The fields that are updated, and those kept with their current values, are listed below. For example, changing the Name of a weakness in a Risk Pattern and applying it to all products results in the new name being used in the affected products; changing the Test Result of a weakness and applying it to products does not change the threat models at all, because Test Result is one of the fields the update keeps.
Threats
Update:
- Name
- Impacts
- Description
- References (only add new ones)
Keep:
- Expiry date and any UDT the user has.
- Comments
- Audit Log
Weaknesses
Update:
- Name
- Description
- Impact
- Testing steps (only if the library field has content; an empty library value leaves the product's testing steps unchanged)
- Test References (only add new ones)
Keep:
- Test Result
- Result Source
- Expiry period
- Expiry date
- Notes
- Issue ID
- All the related Vulnerability Instances if any
Countermeasures
Update:
- Name
- Description
- Cost
- Standards (total update, standards are replaced with the new ones)
- References (only add new ones)
- Testing steps (only if the library field has content; an empty library value leaves the product's testing steps unchanged)
- Testing References (only add new ones)
Keep:
- State
- Issue ID
- Comments
- Audit Log
- Test Result
- Result Source
- Expiry period
- Expiry date
- Notes
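To make the Update/Keep rules above concrete, here is an added illustrative Python model of the merge. This is example code written for this page, not IriusRisk's implementation: element records are plain dicts, the snake_case field names, the `ref` used to match a library element to its product copy, and the sample weakness and countermeasure data are all assumptions constructed for the example.

```python
# Illustrative model of the library-update rules in the appendix above.
# Added example, not IriusRisk code: elements are plain dicts and the
# snake_case field names are assumptions mirroring the appendix labels.
from copy import deepcopy

# "Update" fields: always taken from the library element (standards: full replace).
OVERWRITE = {
    "threat": ["name", "impacts", "description"],
    "weakness": ["name", "description", "impact"],
    "countermeasure": ["name", "description", "cost", "standards"],
}
# List fields where new library entries are added and existing ones are kept.
APPEND_ONLY = {
    "threat": ["references"],
    "weakness": ["test_references"],
    "countermeasure": ["references", "testing_references"],
}
# Fields overwritten only when the library value is non-empty.
OVERWRITE_IF_SET = {"threat": [], "weakness": ["testing_steps"],
                    "countermeasure": ["testing_steps"]}
PLURAL = {"threat": "threats", "weakness": "weaknesses", "countermeasure": "countermeasures"}


def apply_library_update(kind, product_elem, library_elem):
    """Fold a library element into its product copy; returns a new dict.

    Any field not named in the rule tables (test result, state, issue ID,
    comments, audit log, expiry, notes, vulnerability instances) is kept,
    even when the library element carries a value for it.
    """
    if kind not in OVERWRITE:
        raise ValueError(f"unknown element type: {kind}")
    merged = deepcopy(product_elem)
    for field in OVERWRITE[kind]:
        if field in library_elem:
            merged[field] = deepcopy(library_elem[field])
    for field in OVERWRITE_IF_SET[kind]:
        if library_elem.get(field):  # empty or missing: keep the product's value
            merged[field] = library_elem[field]
    for field in APPEND_ONLY[kind]:
        existing = list(merged.get(field, []))
        for ref in library_elem.get(field, []):
            if ref not in existing:
                existing.append(ref)
        merged[field] = existing
    return merged


def apply_to_products(kind, products, library_elem):
    """Apply one library element to every product that contains it (matched by 'ref')."""
    key = PLURAL[kind]
    result = []
    for product in products:
        updated = deepcopy(product)
        updated[key] = [apply_library_update(kind, elem, library_elem)
                        if elem.get("ref") == library_elem.get("ref") else elem
                        for elem in updated.get(key, [])]
        result.append(updated)
    return result


def changed_fields(before, after):
    """Names of the fields whose value differs after the update (handy for an audit diff)."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


# Constructed sample data, not taken from a real IriusRisk export.
PRODUCT_WEAKNESS = {
    "ref": "W-SQLI", "name": "SQL Injection", "impact": 80,
    "description": "Untrusted input reaches a query.",
    "testing_steps": "Reviewed manually by the team.",
    "test_references": ["https://example.com/sqli-test"],
    "test_result": "FAILED", "result_source": "manual",
    "issue_id": "SEC-42", "notes": "Retest after release 2.1",
}
LIBRARY_WEAKNESS = {
    "ref": "W-SQLI", "name": "SQL Injection (CWE-89)", "impact": 90,
    "description": "Untrusted input is concatenated into a SQL statement.",
    "testing_steps": "",  # empty in the library: the product's own steps survive
    "test_references": ["https://example.com/sqli-test", "https://example.com/cwe-89"],
    "test_result": "PASSED",  # never propagated
}
PRODUCT_COUNTERMEASURE = {
    "ref": "CM-PARAM", "name": "Use parameterised queries", "cost": 2,
    "description": "TBD", "standards": [{"ref": "STD-1"}],
    "references": ["https://example.com/prepared-statements"],
    "testing_steps": "", "testing_references": [],
    "state": "implemented", "issue_id": "SEC-43", "test_result": "PASSED",
}
LIBRARY_COUNTERMEASURE = {
    "ref": "CM-PARAM", "name": "Use parameterised queries", "cost": 1,
    "description": "Bind parameters instead of building SQL strings.",
    "standards": [{"ref": "STD-1"}, {"ref": "STD-2"}],  # replaces the whole list
    "references": ["https://example.com/prepared-statements"],
    "testing_steps": "Inspect every query construction site.",
    "testing_references": ["https://example.com/sqli-testing"],
    "state": "required",  # never propagated
}

if __name__ == "__main__":
    for kind, prod, lib in [("weakness", PRODUCT_WEAKNESS, LIBRARY_WEAKNESS),
                            ("countermeasure", PRODUCT_COUNTERMEASURE, LIBRARY_COUNTERMEASURE)]:
        print(kind, "changed:", changed_fields(prod, apply_library_update(kind, prod, lib)))
```

Keeping the rules in explicit tables means anything not listed is untouched by construction, which is the property the appendix describes: progress-bearing fields such as Test Result, State and Issue ID cannot be reset by a library update even if the library element carries a value for them, while Standards on a countermeasure are swapped wholesale and References only ever grow.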