This documentation applies only to IriusRisk v1.x.y
Defining the Architecture
The architecture model of the system consists of Components that are located in Trust Zones. Components can be added to the model through the "Add Component" link on the Architecture Tab:
Choose the component that most closely matches the component in use by your architecture.
Ensure that both a client and a server side component are added where necessary. For example, if a server side web application makes requests to a third party web service, then add a "Generic Client" component to represent the client side of that connection, and a "Web Service" component to represent the server side.
Importing Threat Models from Microsoft Threat Modeler
Threat models defined using the Microsoft Threat Modeler tool can be imported as an Artifact from the Architecture tab:
The models can be imported as supplemental files only (without parsing them), or parsed so that the components, threats and controls are imported into the IriusRisk model. If you choose the latter, a screen will be presented to define the mapping between Components already defined in the IriusRisk model and the Assets defined in the Microsoft model:
The corresponding Threats from the MS model will be imported and transformed into the IriusRisk data model using the following transformation:
- A new "General" use-case will be created for all Threats.
- The Threat's name and description are parsed from the model, and the Unique ID is calculated as an MD5 sum of the name.
- The Impact ratings for Confidentiality, Integrity and Availability are all set to the same value, corresponding to the Risk rating from the MS Model.
- A Control is created if the MS Threat is marked as mitigated, using the following schema:
  - The name of the Control is the first sentence or fragment (ending in any punctuation mark) of the "Justification" field of the MS Model.
  - The description of the Control is copied from the full content of the Justification field.
  - The Unique ID is the MD5 sum of the Control's name.
  - The Control state is set to Required.
- Controls are not connected to any Weaknesses, as these are absent from the MS model.
- Threats are initially imported with the source set to "External model".
Re-importing an MS Threat Model
If a Threat imported from an MS model has the source set to "External model", then re-importing the same model will overwrite all of its content with the content from the MS Model. However, if the threat is modified and saved from within IriusRisk, its source is changed to "Manual". Threats with this source will not be overwritten by subsequent imports of the same model.
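The transformation rules above and the re-import rule, as an added illustration in Python (not IriusRisk's own code). The MS-side field names (title, risk, mitigated, justification) and the MD5 hex-digest form of the Unique ID are assumptions; the input threats are constructed sample data.

```python
import hashlib
import re

# Constructed sample of parsed MS Threat Modeler threats (assumed field names).
MS_THREATS = [
    {"title": "Spoofing of the Web Service", "description": "Caller identity is not verified.",
     "risk": "High", "mitigated": True,
     "justification": "Mutual TLS is enforced on the service. Certificates are pinned."},
    {"title": "Tampering with requests", "description": "Requests altered in transit.",
     "risk": "Medium", "mitigated": False, "justification": ""},
]

def unique_id(name):
    # MD5 here is only a stable identifier derived from the name, not a security control.
    return hashlib.md5(name.encode("utf-8")).hexdigest()

def first_fragment(text):
    """First sentence or fragment: text up to and including the first punctuation mark."""
    m = re.match(r"\s*(.*?[.,;:!?])", text, re.DOTALL)
    return m.group(1).strip() if m else text.strip()

def transform_threat(ms):
    """Map one MS threat onto the IriusRisk data model as described in the import rules."""
    threat = {
        "use_case": "General",
        "name": ms["title"],
        "description": ms["description"],
        "unique_id": unique_id(ms["title"]),
        "impact": {"C": ms["risk"], "I": ms["risk"], "A": ms["risk"]},  # all three = MS risk
        "source": "External model",
        "controls": [],
    }
    if ms["mitigated"]:
        name = first_fragment(ms["justification"])
        threat["controls"].append({
            "name": name,
            "description": ms["justification"],
            "unique_id": unique_id(name),
            "state": "Required",
            "weaknesses": [],  # MS model carries no weaknesses to link
        })
    return threat

def reimport(existing, incoming):
    """Re-import: overwrite threats still sourced from the external model, keep 'Manual' ones."""
    merged = dict(existing)
    for t in incoming:
        current = merged.get(t["unique_id"])
        if current is None or current["source"] == "External model":
            merged[t["unique_id"]] = t
    return merged
```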