This document applies to IriusRisk versions >= 2.0.0
IriusRisk is primarily a risk management tool that helps you identify, mitigate and track security risks during the software development process. Its templating and risk-pattern-based functionality lets you quickly create a threat model from the answers to a series of questionnaires. This auto-generated model can then be refined through manual review before a risk mitigation objective is defined for each threat. Although the initial onboarding process can be modified, the general flow is as follows:
- Create a new product and define its components in the Architecture tab with the diagramming tool. A threat model consisting of Threats, Weaknesses and Countermeasures is generated automatically.
- Review the Threats on the "Threats" tab and ensure that they are accurate:
  - Mark those that are not applicable as "N/A" from the "Action" menu on each threat.
  - Adjust the impact ratings or descriptions.
  - Add further threats from the "Action" menu on the Threats tab: "Add Threat" defines a completely new threat, and "Add Threat from Existing..." adds a threat from another product or from a library such as CAPEC, PCI DSS or AWS.
- Decide on a risk response by reviewing the recommended Countermeasures:
  - "Apply" a countermeasure to turn it into a security requirement; this changes its state from "Recommended" to "Required". The mitigation % can be adjusted by double-clicking the countermeasure.
  - Add new countermeasures to the Threat from the "Action" menu on the Weakness.
  - Accept the risk and provide a reason, from the "Action" menu on the threat.
- Optionally apply a security standard to the threat model, so that "Recommended" countermeasures that match the standard are automatically turned into "Required" countermeasures. Standards are applied from the "Countermeasures" menu on the "Threats" tab.
- Optionally upload all, or some, of the required countermeasures to an issue tracker. Once uploaded, the issue tracker determines the countermeasure state: a background job syncs state bidirectionally with the tracker and updates the countermeasure state in IriusRisk accordingly.
- If an issue tracker is not used to manage the countermeasure state, update the state by editing the countermeasure manually (double-click the countermeasure in the Threats tab, or open the detail panel on the Countermeasure tab) and set it to one of: Recommended, Required, Implemented or Rejected.
- Update the Weakness or Countermeasure Test results by double-clicking on the Weakness or Countermeasure respectively and changing the Test Result. Test results can also be updated through:
To speed up onboarding of new products by developers and architects, a streamlined workflow is available that automatically prompts the user to Apply a security standard and then upload the requirements to JIRA.
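The flow above is driven from the IriusRisk UI, but the rules it describes (N/A threats are ignored, applying a standard promotes only Recommended countermeasures that match it, accepting a risk needs a reason, and the issue tracker owns the state once a countermeasure is uploaded) are easy to get wrong when automating or reviewing a model. The following is an added example, not IriusRisk code or its API: a small Python model of that lifecycle run over a constructed sample threat model. The `standards` attribute on a countermeasure, the tracker status mapping, the threat/countermeasure refs and the tracker issues are all assumptions made for the illustration.

```python
# Added example: a model of the countermeasure lifecycle described in the
# onboarding flow (Recommended -> Required -> Implemented/Rejected, N/A threats,
# accepted risk, standard application, issue-tracker sync). Not IriusRisk's own
# code; sample data, the `standards` attribute and the status map are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class CmState(Enum):
    RECOMMENDED = "Recommended"
    REQUIRED = "Required"
    IMPLEMENTED = "Implemented"
    REJECTED = "Rejected"


@dataclass
class Countermeasure:
    ref: str
    name: str
    state: CmState = CmState.RECOMMENDED
    mitigation: int = 100                              # percent, adjustable on apply
    standards: Set[str] = field(default_factory=set)   # assumed: standards it satisfies


@dataclass
class Threat:
    ref: str
    name: str
    applicable: bool = True                            # False == marked "N/A"
    accepted_reason: Optional[str] = None              # set once the risk is accepted
    countermeasures: List[Countermeasure] = field(default_factory=list)


def apply_countermeasure(cm: Countermeasure, mitigation: Optional[int] = None) -> None:
    """'Apply' turns a Recommended countermeasure into a Required security requirement."""
    if cm.state is not CmState.RECOMMENDED:
        raise ValueError(f"{cm.ref}: only Recommended countermeasures can be applied")
    if mitigation is not None:
        if not 0 <= mitigation <= 100:
            raise ValueError(f"{cm.ref}: mitigation must be 0-100 percent")
        cm.mitigation = mitigation
    cm.state = CmState.REQUIRED


def apply_standard(threats: List[Threat], standard: str) -> List[str]:
    """Promote every Recommended countermeasure matching the standard to Required.
    Threats marked N/A are skipped; non-Recommended countermeasures are left alone."""
    promoted = []
    for threat in threats:
        if not threat.applicable:
            continue
        for cm in threat.countermeasures:
            if cm.state is CmState.RECOMMENDED and standard in cm.standards:
                cm.state = CmState.REQUIRED
                promoted.append(cm.ref)
    return promoted


def accept_risk(threat: Threat, reason: str) -> None:
    """Accepting a risk is a deliberate decision, so refuse to record it without a reason."""
    if not reason.strip():
        raise ValueError(f"{threat.ref}: a reason is required to accept the risk")
    threat.accepted_reason = reason.strip()


def unanswered_threats(threats: List[Threat]) -> List[str]:
    """Applicable threats with no response: not accepted and no Required/Implemented countermeasure."""
    answered = {CmState.REQUIRED, CmState.IMPLEMENTED}
    return [t.ref for t in threats
            if t.applicable and t.accepted_reason is None
            and not any(cm.state in answered for cm in t.countermeasures)]


# Assumed tracker workflow statuses; a real deployment maps its own workflow here.
TRACKER_STATUS_TO_STATE: Dict[str, CmState] = {
    "To Do": CmState.REQUIRED,
    "In Progress": CmState.REQUIRED,
    "Done": CmState.IMPLEMENTED,
    "Won't Do": CmState.REJECTED,
}


def sync_from_tracker(cms: Dict[str, Countermeasure], issues: List[dict]) -> List[Tuple[str, str]]:
    """Once uploaded, the tracker owns the state. Only uploaded (non-Recommended) countermeasures
    are updated; unknown refs and unmapped statuses are reported instead of silently applied."""
    skipped = []
    for issue in issues:
        cm = cms.get(issue["cm_ref"])
        target = TRACKER_STATUS_TO_STATE.get(issue["status"])
        if cm is None or cm.state is CmState.RECOMMENDED:
            skipped.append((issue["key"], "not an uploaded countermeasure"))
        elif target is None:
            skipped.append((issue["key"], f"unmapped status {issue['status']!r}"))
        else:
            cm.state = target
    return skipped


def build_sample_model() -> List[Threat]:
    """Constructed sample threat model (not generated by IriusRisk)."""
    return [
        Threat("T-1", "SQL injection in login form", countermeasures=[
            Countermeasure("CM-1", "Use parameterised queries", standards={"PCI-DSS", "ASVS"}),
            Countermeasure("CM-2", "Deploy WAF rule for SQLi")]),
        Threat("T-2", "Verbose errors leak stack traces", applicable=False, countermeasures=[
            Countermeasure("CM-3", "Generic error pages", standards={"PCI-DSS"})]),
        Threat("T-3", "Brute force against admin login", countermeasures=[
            Countermeasure("CM-4", "Rate limit authentication")]),
        Threat("T-4", "Weak TLS configuration", countermeasures=[
            Countermeasure("CM-5", "Enforce TLS 1.2+ with strong ciphers", standards={"PCI-DSS"})]),
    ]


def run_onboarding() -> dict:
    """Walk the documented flow over the sample model and return the observable results."""
    threats = build_sample_model()
    cms = {cm.ref: cm for t in threats for cm in t.countermeasures}
    promoted = apply_standard(threats, "PCI-DSS")      # CM-3 skipped: its threat is N/A
    open_before = unanswered_threats(threats)          # T-3 has no response yet
    accept_risk(threats[2], "Admin login is VPN-only; rate limiting planned for next quarter")
    open_after = unanswered_threats(threats)
    # Constructed tracker export: CM-1 done, CM-5 in an unmapped status, CM-2 never uploaded.
    issues = [{"key": "SEC-10", "cm_ref": "CM-1", "status": "Done"},
              {"key": "SEC-11", "cm_ref": "CM-5", "status": "Blocked"},
              {"key": "SEC-12", "cm_ref": "CM-2", "status": "Done"}]
    skipped = sync_from_tracker(cms, issues)
    return {"promoted": promoted, "open_before": open_before, "open_after": open_after,
            "skipped": skipped, "states": {ref: cm.state.value for ref, cm in cms.items()}}


if __name__ == "__main__":
    for key, value in run_onboarding().items():
        print(f"{key}: {value}")
```

`unanswered_threats` is the check worth running before a model is signed off: every applicable threat should either be accepted with a reason or carry at least one Required or Implemented countermeasure. `sync_from_tracker` deliberately refuses to touch a countermeasure that was never uploaded and reports any tracker status it cannot map, so a renamed workflow column surfaces as a sync warning rather than as countermeasures silently flipping state.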