IriusRisk creates a threat model based on the product architecture diagram, the responses to the questionnaires, and its own internal library of risk patterns.
Risk patterns are essentially building blocks that rules assemble to generate threat models. They allow us to group threats together based on where we usually find them. A risk pattern is a hierarchical structure of use cases, threats, weaknesses, and countermeasures, each level hanging from the one above it. More details about risk patterns and rules can be found in this article.
Risk Patterns and the rules related to those patterns are grouped together in a "Library".
IriusRisk libraries are collections of reusable risk patterns and rules that are logically grouped based on different criteria, for example technology stack or compliance applicability. Libraries are like knowledge-base containers for security content. The interfaces used to navigate and edit risk patterns are virtually identical to the interfaces used to edit the threat model of a product.
IriusRisk provides by default several libraries. Some representative IriusRisk default libraries can be seen in the following figure:
Besides the default libraries included in IriusRisk out of the box, you can create your own libraries to include custom security content in your products.
An IriusRisk standard is a set of countermeasures that belong to the same source (e.g. a standard such as ASVS or MASVS). Standards within IriusRisk are defined in the general configuration and added to each countermeasure as if they were tags. This allows IriusRisk to provide the Compliance view and the Compliance Report, as well as to apply countermeasures to the model by using the standard as a reference.
Each library can have one or multiple standards defined for its security controls (you can also create a library without any standard defined in it). So, for example, the "Encrypt data in transit" countermeasure can be tagged with the PCI-DSS standard, the EU GDPR, and your own custom standard.
Some representative IriusRisk default standards are shown in the following figure:
IriusRisk standards are a fantastic way to mark countermeasures as required as long as they share a common standard. This is explained in the following video.
What's the difference between libraries and standards?
Libraries are used to group security content (threats, weaknesses, and countermeasures) and rules in the same logical unit. Standards are used to tag the countermeasures inside the libraries so that it's easier to group them based on different compliance views.
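To make the relationship between libraries and standards concrete, here is an added illustration in Python (not IriusRisk's own code, data format or API): a library is modelled as the use case, threat, weakness, countermeasure hierarchy described above, standards are plain tags on each countermeasure, and two operations are built on top of that: a compliance view that groups countermeasures by the standard they carry, and marking every countermeasure that shares a standard as required. The nesting, the names and the sample library are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Countermeasure:
    name: str
    standards: set = field(default_factory=set)  # standards are tags on the countermeasure
    required: bool = False

def walk(library):
    """Yield each countermeasure with the (use case, threat, weakness) path it hangs from.
    A library here is {use case: {threat: {weakness: [Countermeasure, ...]}}}; this nesting
    is a constructed illustration of the risk-pattern hierarchy, not IriusRisk's format."""
    for use_case, threats in library.items():
        for threat, weaknesses in threats.items():
            for weakness, cms in weaknesses.items():
                for cm in cms:
                    yield (use_case, threat, weakness), cm

def compliance_view(library, standard):
    """Compliance view: names of countermeasures tagged with `standard`, grouped by path."""
    view = {}
    for path, cm in walk(library):
        if standard in cm.standards:
            view.setdefault(path, []).append(cm.name)
    return view

def mark_required(library, standard):
    """Mark every countermeasure sharing `standard` as required; return how many changed."""
    marked = 0
    for _, cm in walk(library):
        if standard in cm.standards and not cm.required:
            cm.required = True
            marked += 1
    return marked

# Constructed sample library with two risk patterns; names are illustrative only.
LIBRARY = {
    "Transmit data over network": {"Eavesdropping on traffic": {"Cleartext transport": [
        Countermeasure("Encrypt data in transit", {"PCI-DSS", "EU GDPR", "Custom"})]}},
    "Store user records": {"Unauthorized data access": {"Missing access control": [
        Countermeasure("Enforce authorization on records", {"EU GDPR"}),
        Countermeasure("Log access to records", {"PCI-DSS"})]}},
}
```

Running `compliance_view(LIBRARY, "PCI-DSS")` returns only the two PCI-tagged countermeasures with their paths, while `mark_required(LIBRARY, "EU GDPR")` flags both GDPR-tagged ones and leaves the access-logging countermeasure untouched.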