This documentation applies only to IriusRisk v1.x.y
What is a "Component"?
A component is the top-level item in a product's threat model and can conceptually refer to anything that can contain use-cases, threats and countermeasures. In the default data-set provided with IriusRisk, components typically refer to application components such as data stores, web applications, services and clients, as well as to environments such as a PCI Cardholder Data Environment. There are no built-in restrictions on the definition or content of a Component; it could even refer to a process instead of an architectural component.
Creating a new Component
Creating a new component requires adding a question with a specific ID to the main and component questionnaires. This is the same as adding any other question to the questionnaire; the only difference is that the ID of the question must start with the string "type.". This question should also be added to the main questionnaire so that it appears in both the main and component questionnaires.
For example, in order to create a new component that represents an IoT client, one would add a new question to the Question Group: "Select all of the components that will comprise this architecture" that appears in the component questionnaire:
Step 1: Create a new rule to insert a new question
The rule can be added to any library.
Test the rule by selecting an existing product and clicking the "Add Component" button on the architecture tab. The new question should appear in the question group:
When this is selected, a new component with no threats or countermeasures should be added to the threat model:
Step 2: Add the same rule to the Main questionnaire
The question for "IoT Client" will now be displayed in both the main and the component questionnaires. When the user selects the question, a component is created with the same name as the question. No threats or countermeasures are imported for the component, because no rule has been created to do this. In order to import a risk pattern, see the Risk Patterns section.