What are Product Components?
IriusRisk equips users with a comprehensive collection of out-of-the-box component libraries. Users can also define their own custom components that reference ready-made or custom risk patterns. Often, a threat model needs components that represent a wider context without exposing the deeper practicalities of that wider context. Product Components are reusable components which reference a separate threat model belonging to another IriusRisk product.
Creating Product Components is seamless and powerful, this
At IriusRisk, we are always introducing new and powerful features, often informed by the feedback and requirements of our customer base. If you are a customer and would like to suggest enhancements to this feature/product, please raise a support ticket, or reach out to your account team.
What Problem do Product Components Solve?
Consider the example below:
Threat Model A models the cloud infrastructure, providing back-end services.
Threat Model B models a legacy front-end application.
Threat Model C models a front-end application.
The developer who created Threat Model B used a Nested Component to model the back-end services. This was then linked to the front-end with a dataflow.
The developer who created Threat Model C approached the diagram similarly. However, since the creation of Threat Model B, the back-end services now contain a new AWS Lambda component.
Threat Model A is maintained separately to model the back-end services. This is representative of the current infrastructure, containing the new AWS Lambda components.
It is easy to see how threat models can quickly disconnect from representing up-to-date software/infrastructure in the above example. However, if Threat Model A is linked to a separate component, called back-end infrastructure, then it can be placed for reference as a Product Component in Threat Model B & Threat Model C. Assuming the developer has the correct permissions, they can then pivot from Threat Model B & Threat Model C to the back-end infrastructure (Threat Model A) when needed. Of course, the back-end infrastructure can then be collaboratively maintained.
Related Product Permissions
There are 3 different product permissions related to product components:
PRODUCT_COMPONENT_CREATE. Allow creation of a new Product Component from a product.
PRODUCT_COMPONENT_UPDATE. Allow editing of a Product Component’s details, including sharing settings.
PRODUCT_COMPONENT_DELETE. Allow the deletion of a Product Component. This will not delete the threat model the Product Component was created from.
How to Create a Product Component?
To create a Product Component, we simply navigate to Products, and select 'Create reference component…' from one of two places:
a. From the action button on the products table itself:
b. From the Reference component tab for the product:
You will now be presented with a window to define the Product Component details. This information is important to users using your Product Component, so it is best to provide as much context as possible here.
Be sure to place your Product Component in a category that makes sense; you can create a new one directly in this window if need be. The category refers to the component categories, shown below in the Diagram view for a product:
Once we click Share, we are prompted to assign sharing permissions. These determine who can use our Product Component in their diagrams. The component can be shared globally with everyone, or with specific BUs and users:
It is important to note that these permissions make the Product Component available to users for placement, but they do not grant visibility of the referenced threat model unless the user has permissions to view it as a standalone product.
Using a Product Component
Now that we have our Product Component created, we can begin to use it in our other threat models, by placing the component from our corresponding component category:
We can then navigate from the component to our referenced product:
If the user has permissions to view the referenced product, they will now be able to interact with it. Otherwise, they will be notified that they lack the appropriate permissions.
Editing/Deleting a Product Component
We can edit a Product Component's details, such as Name, Category or sharing permissions, from the Product details tab for Reference Component, as shown below:
From this tab, we can also delete our Product Component. This will not delete the product’s threat model.
We can also edit/delete our Product Component from the Component Definitions management page: