IriusRisk 3.x uses an embedded draw.io diagram editor with additional custom shapes that are mapped to IriusRisk component definitions, we refer to these as mapped shapes. Diagrams can be drawn with any draw.io shapes, including shapes that have no inherent mapping to the IriusRisk threat model, we refer to these as unmapped shapes.
Building the diagram is free-form, but with the following requirements:
- All IriusRisk mapped components must be placed inside a Trust Zone
- All IriusRisk mapped components must have a name
- There is a limit of one dataflow between components
- Mapped components can only be contained by a Trust Zone, they cannot be included in a group nor belong to another component.
TrustZones, components and other shapes can be found on the drawer on the left hand side. Those in the "IriusRisk - ........" categories are mapped components.
You can click on the elements or drag and drop them to be included in the architecture diagram.
A search function is also available to search shapes by name (i.e. EC2, Lambda,...). The search function will return all the available shapes in the draw.io shape set, both mapped and unmapped.
You can use the left-side stencil to add TrustZones to the diagram. The diagram can contain multiple instances of the same TrustZone.
Another way to indirectly create TrustZones within the diagram is to edit a component’s questionnaire and to answer the TrustZone question on the questionnaire.
Adding Components and Answering Questionnaires
Components are added from the drawer on the left hand side, all IriusRisk mapped components are under sections with the “IriusRisk - ” prefix.
Un-mapped components and shapes can be added to the diagram without restriction, but they will have no effect on the generated threat model.
If you right-click on an IriusRisk mapped component in the diagram, in addition to the standard draw.io options, there are two additional IriusRisk specific options:
The “Edit Component” action will display a Component Questionnaire.
The "Edit Components Settings" will display the component settings, such as issue tracker integration and external testing tool configuration.
Adding Data flows
|Hover over the component, this will cause the data flow arrows to appear.|
|Select one of the arrows and drag and drop it onto another component to create the data flow.|
|Dataflow names, tags and asset types can be added by Editing the dataflow. Right click on the dataflow and choose "Edit dataflow" to edit these properties.|
The IriusRisk Menu
The IriusRisk menu on the main menu bar can be used to open the architecture questionnaire, show or hide tags and assets or to Import templates into the current diagram.
Mapping Un-mapped Components
Any shape on the diagram can be mapped to an IriusRisk Component. To do so, select the shape on the diagram and use the right hand side property editor to set the “IriusRisk Component” property.
Bear in mind that, because of the requirements for mapped components, you'll have to give the component a name and ensure that it is inside a TrustZone. Once this is done, you will be able to generate the threat model and will be able to answer the associated questionnaire.
Dataflows are mapped automatically, any arrows between components are treated as dataflows as long as both the source and the destination components are mapped components.
Currently, TrustZones cannot be mapped. They have to be chosen from the "IriusRisk - TrustZones" section from the left hand side drawer.
Generating the Threat Model
To generate the threat model from the diagram, click on the following button at the top of the diagram:
This will cause the rules to be executed for all mapped components and all dataflows. The message and the button will be enabled only when there are changes in the diagram that could affect the model.
The model generation is an event that will happen offline on a server-side asynchronous job. To manage the feedback about this job, IriusRisk will provide a set of messages on the upper section of the application, this section provides the states a threat model can be in (regarding the generation process):
1. The model is not synchronized, that means there are differences between the diagram and the generated threat model, we can click on the message to synchronize (see the picture above).
2. The model is being updated. This means the rules engine is being executed on the server and the results are not visible on the threat model yet.
The orange message will be shown through all the product related sections and it will dissapear as soon as the model is synchronized:
3. Whereas the model is being updated, a new modification has been created on the diagram.
In this case, when the synchronization finishes, the product will need a resynchronization. That's because the last modification was not considered on the last synchronization and a new synchronization cycle is needed.
Concurrency (several users editing the same diagram)
When two or more users are working on the same diagram and they do a modification without synchronizing the model, IriusRisk informs the user who performed the last change about this fact. At this moment, he can choose to Keep his changes and overwrite the other user’s changes, Keep other user’s changes and overwrite his changes or postpone this decision to another moment (Do nothing).