IriusRisk maintains a total of 20 libraries, current as of version 3.14.2. The content for these libraries consists of Threats, Weaknesses and Countermeasures and is extracted from industry standards which are regularly reviewed for new or additional relevant content.
The content of the libraries tends to be aligned with security standards, which generally map to Countermeasures in the IriusRisk data model. Creating content for IriusRisk libraries therefore typically involves working "backwards" from a list of defined countermeasures to a set of risk patterns that include the Threat, Weakness and Countermeasure.
On a monthly basis the IriusRisk security team undertakes the following tasks:
- Run automated tests on the libraries to check for non-conformances in Threat, Weakness and Countermeasure associations. Examples include, but are not limited to:
  - Check all libraries have the applicable standards associated correctly
  - Check mitigation values are distributed accordingly
  - Check for duplicated threats, weaknesses and countermeasures
  - Check for the correct status of countermeasures
  - Check for empty references
- Manual tests to ensure any new content is functioning as expected before release
- Review current library revisions against the latest revision releases from the applicable organisations
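The automated checks listed above, written out as a small library linter. This is an added example, not IriusRisk's own tooling, and it does not use IriusRisk's library file format: the plain-dict layout, the allowed status set and the rule that a threat's countermeasure mitigations should not total more than 100 are assumptions made for illustration. The sample library is constructed with one defect per check so each finding can be seen.

```python
"""Hypothetical library linter (added example, not IriusRisk code).

Assumed layout: a library declares the standards it maps to and holds
risk patterns; each risk pattern defines weaknesses and countermeasures
once and its threats refer to them by ref. Status names and the
mitigation-sum rule are assumptions, not the product's schema.
"""

ALLOWED_STATUSES = {"required", "recommended", "implemented"}  # assumed set

# Constructed sample with one deliberate defect per check.
SAMPLE_LIBRARY = {
    "ref": "sample-lib",
    "standards": ["STD-A"],
    "risk_patterns": [{
        "ref": "rp-1",
        "weaknesses": [
            {"ref": "w-1", "name": "Weak input handling"},
            {"ref": "w-1", "name": "Weak input handling (copy)"},   # duplicate ref
        ],
        "countermeasures": [
            {"ref": "c-1", "status": "required", "mitigation": 70,
             "standards": ["STD-A"],
             "references": [{"name": "Guide", "url": "https://example.invalid/guide"}]},
            {"ref": "c-2", "status": "optional", "mitigation": 50,   # status not allowed
             "standards": ["STD-B"],                                  # standard not declared
             "references": [{"name": "", "url": ""}]},                # empty reference
        ],
        "threats": [
            {"ref": "t-1", "weaknesses": ["w-1"], "countermeasures": ["c-1", "c-2"]},  # 70+50 > 100
            {"ref": "t-2", "weaknesses": ["w-9"], "countermeasures": ["c-1"]},         # unknown weakness
        ],
    }],
}


def _index(items, kind, findings):
    """Index items by ref, recording a finding for every duplicated ref."""
    by_ref = {}
    for item in items:
        if item["ref"] in by_ref:
            findings.append(f"duplicate {kind} {item['ref']!r}")
        by_ref[item["ref"]] = item
    return by_ref


def lint_library(lib):
    """Return human-readable findings; an empty list means the library passed."""
    findings = []
    declared = set(lib.get("standards", []))
    if not declared:
        findings.append(f"{lib['ref']}: library declares no standards")

    for rp in lib.get("risk_patterns", []):
        weaknesses = _index(rp.get("weaknesses", []), "weakness", findings)
        cms = _index(rp.get("countermeasures", []), "countermeasure", findings)

        for cm in cms.values():
            if cm.get("status") not in ALLOWED_STATUSES:
                findings.append(f"{cm['ref']}: unexpected status {cm.get('status')!r}")
            mitigation = cm.get("mitigation", 0)
            if not 1 <= mitigation <= 100:
                findings.append(f"{cm['ref']}: mitigation {mitigation} outside 1-100")
            for std in cm.get("standards", []):
                if std not in declared:
                    findings.append(f"{cm['ref']}: maps to undeclared standard {std!r}")
            for ref in cm.get("references", []):
                if not ref.get("name") or not ref.get("url"):
                    findings.append(f"{cm['ref']}: empty reference entry")

        for threat in _index(rp.get("threats", []), "threat", findings).values():
            for w in threat.get("weaknesses", []):
                if w not in weaknesses:
                    findings.append(f"{threat['ref']}: references unknown weakness {w!r}")
            total = 0
            for c in threat.get("countermeasures", []):
                if c not in cms:
                    findings.append(f"{threat['ref']}: references unknown countermeasure {c!r}")
                    continue
                total += cms[c].get("mitigation", 0)
            if total > 100:
                findings.append(f"{threat['ref']}: mitigation totals {total} > 100")
    return findings


if __name__ == "__main__":
    for line in lint_library(SAMPLE_LIBRARY):
        print(line)
```

Run as a script it prints six findings for the sample library. A real implementation would parse the exported library file rather than a hand-built dict, and the mitigation threshold and status vocabulary would come from the product's actual data model rather than the assumed constants above.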
Any new content is analysed for validity and applicability to the existing library content. Additional content is subjected to a quality review by the IriusRisk internal security team. The quality of this content is measured by:
- The source of the library
- Customer case studies
- Threat Models created by external sources
Once the content quality has been assured, it is released with the next software version release of IriusRisk. The amount of content added determines whether it is released in the next minor release or the next major release of the software.
E.g. minor releases contain new content related to several new threats, controls or . For major releases the new content may be related to entirely new libraries, library restructuring, or a new security standard mapped to an existing library.
Library Status Example with Reference to the Source
A standards reference table is maintained to ensure the most up-to-date revisions are reviewed. Any new revisions of the standards are reviewed for applicable content and added to the content lifecycle for processing.