IriusRisk maintains several security content libraries. The content for these libraries consists of threats, weaknesses and countermeasures which we group under risk patterns and is extracted from industry standards which are regularly reviewed for new or additional relevant content.
The content of the libraries tends to be aligned with security standards that generally represent Countermeasures in the IriusRisk data model. Creating content for IriusRisk libraries therefore typically involves working "backwards" from a list of defined countermeasures to a set of risk patterns that includes the countermeasure, weakness, and threat.
On a monthly basis the IriusRisk security team undertakes the following tasks:
- Run automated tests on the libraries to check for non-conformances related to threat, weakness and countermeasure associations. The following are some examples but are not limited to:
- Check all libraries have the applicable standards associated correctly
- Check mitigation values are distributed accordingly
- Checks for duplicated threats, weaknesses and countermeasures
- Check for the correct status of countermeasures
- Checks for empty, wrong or broken references
- Manual tests to ensure any new content is functioning as expected before release
- Review current library revisions against the latest revision releases from the applicable organisations
Any new content is analysed for validity and applicability to the existing library content. Additional content is subjected to an internal quality review by the IriusRisk internal security content team. The quality of this content is measured by:
- The source of the library
- Customer case studies
- Threat models created by external sources
Once the content quality has been assured it is then released with the next software version release of IriusRisk. Depending on the amount of content added will determine if the content will be released in the next minor release or major release of the software.
Library Status Example with Reference to the Source
A standards reference table is maintained to ensure the most up to date revisions are reviewed. Any new revisions of the standards are reviewed for applicable content and added to the content lifecycle for processing.