Release 4.0.0 - 22-11-2021

Note: Please before upgrading to version 4, read the Upgrade Guide and What has changed in the rules engine in version 4 - Migration Guide. 

Features

• [IR-6852, IR-7764, IR-7353, IR-7261] - New User Interface improvements with clearer navigation, sections and options.

• [IR-7538, IR-7412, IR-7379, IR-7163, IR-7162] -  New diagram styles that help users to identify IriusRisk mapped components. This comes with a migration assistant that allows to convert any diagram to the new styles. 

• [IR-7103, IR-7304, IR-7305] -  New notification banner about a new release features.

• [IR-6973] - New endpoints to update countermeasure states.

• [IR-6851] - Improve security for API tokens.

• [IR-7213] - Improved SSO integration by disabling some features that rely on the SSO (password reset, user profile edit...). 

• [IR-7067] - Implemented the possibility of mapping a user to a group (BU) using SAML Response attributes for SSO integration. 

• [IR-7378] - All security standards are now enabled for Community users.

Bug Fixes

• [IR-7198] - SAML default roles are now applied only when the user has no other roles on the IdP side.
• [IR-7789, IR-7786, IR-7783, IR-7777]   - Migration problems. 
• [IR-7622] - Threat UDT search not working when flatten view enabled.

• [IR-7587] - Error when importing the XML of a project without the embedded  base64 drawio diagram.

• [IR-7480, IR-7479, IR-7477, IR-7472, IR-7467, IR-7466, IR-7438, IR-7437, IR-7426, IR-7080, IR-7079] - API fixes and improvements. 

• [IR-7053] - Problem with locking a threat model before syncing it.

• [IR-7030] - Fixed Issue Tracker sync for unconfigured Components. 

• [IR-6925] - Component or product component can be created in blank categories

• [IR-6869] - Improve log messages when importing a template by a rule.

• [IR-6181] - Export Project not including default value for UDT created before the project.

• [IR-6162] - UDT deletion message shows wrong count of products & versions

Security Bug Fixes

• [IR-7100, IR-7065] Architectural framework changes to avoid XSS problems by default. 

Hot Fixes included

This is also a cumulative release that also includes all the hotfixes on the 3.14.0 branch: 

• Hotfix 3.14.7
• Hotfix 3.14.6
• Hotfix 3.14.5
• Hotfix 3.14.4
• Hotfix 3.14.3
• Hotfix 3.14.2
• Hotfix 3.14.1

API Changes

• API Release Notes 1.10.0
• API Release Notes 1.9.0

New Knowledge-base Content

New security content:

• CON-948. New countermeasure: “Detect and protect against data mining techniques” (protection-against-data-mining) in the CS-Default library for the Generic Service risk pattern.

• CON-931. New countermeasure: "Use AWS Shield for DDoS protection" (AWS-API-GW9) in the AWS library for the AWS API Gateway and AWS EC2 risk patterns.

• CON-940. New countermeasure: “Review the use of stars in Lambda Authorizer's policyDocument objects” (AWS-API-GW17) in the AWS library for the AWS API Gateway risk pattern.

• CON-978. New countermeasure: "Use IMDSv2 instead of IMDSv1" (C-AWS-EC2-IMDS) in the AWS library for the AWS EC2 risk pattern.

• CON-969. Added three countermeasures (RESTRICT-ACCESS-DATABASE, CWE-89-PREPARED, and DATA-VAL) to the NoSQL Database risk pattern in the CS-Default library.

• CON-993. Added twelve new countermeasures (C-AWS-SRA-1 to C-AWS-SRA-12) for AWS components based on the Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) set of guidelines in the AWS library.

• CON-975. Added OWASP Juice Shop challenges references for OWASP Top 10 countermeasures.

Updated/deprecated/new security standards:

• [CON-738, CON-805, CON-948]. Removing the ASVSv3 Standard Support. As the majority of our users are now using only the current version (v4) of the ASVS standard, we intend to deprecate the v3 standard on the v4.0.0 release. The impact of this change is explained in the following support article: https://support.iriusrisk.com/hc/en-us/articles/4404457348241.

• CON-890. New security standard: CSA API Security Guidelines.

• CON-910. New security standard: ISO/SAE 21434 (Road vehicles — Cybersecurity engineering).

• CON-919. New security standard: Azure Security Benchmark (ASB).

• CON-892. CIS Google Cloud Platform Foundation Benchmark standard updated to version 1.2.0.

• CON-893. CIS Kubernetes Benchmark standard updated to version 1.6.0.

• CON-976. Extended OWASP Top 10 2017 standard to the GCP library.

New components:

• CON-892. New GCP components:

  • Google Cloud PostgreSQL

  • Google Cloud SQLServer

• CON-921. New Azure components:

  • Microsoft Azure Blob Storage

  • Microsoft Azure Files

  • Microsoft Azure Queue Storage

  • Microsoft Azure Active Directory B2C

  • Microsoft Azure Active Directory Domain Services

  • Microsoft Azure VPN Gateway

• CON-930. New Azure components:

  • Microsoft Azure Data Box

  • Microsoft Azure Visual Studio

  • Microsoft Azure Powershell

  • Microsoft Azure SDK for .NET

  • Microsoft Azure SDK for Java

  • Microsoft Azure SDK for Javascript

  • Microsoft Azure SDK for Python

  • Microsoft Azure Time Series Insights

  • Microsoft Azure Import/Export

  • Microsoft Azure Synapse Analytics

  • Microsoft Azure App Service Environment

  • Microsoft Azure Event Grid

  • Microsoft Azure DDoS Protection

  • Microsoft Azure Container Registry

  • Microsoft Azure Container Instances

• CON-958. New AWS components:

  • AWS Macie

  • AWS Detective

  • AWS GuardDuty

  • AWS CloudFormation

  • AWS Certificate Manager (ACM)

  • AWS Inspector

  • AWS Config

  • AWS Cloud Map

  • AWS Cloud9

  • AWS EC2 Image Builder

  • AWS IoT Device Defender

  • AWS IoT Device Management

  • AWS IoT Events

  • AWS IoT Greengrass

  • AWS IoT SiteWise

  • AWS IoT Things Graph

  • AWS IoT 1-Click

  • AWS IoT Analytics

  • AWS IoT Core

•  

• CON-993. New AWS components:

  • AWS Network Firewall

  • AWS Organizations

Library refactors:

• [CON-804, CON-914, CON-928] Removing the “Deployment Tab” question group. The Deployment tab question group was used to import risk patterns related to cloud components (AWS, Azure, GCP). The idea was to create a single component definition that could be used to import different cloud services through a questionnaire. We determined that this would be confusing in the long run and a component-oriented approach would be a better fit for the threat model, so we decided to remove this set of questions and add the components directly, each one with their own identity so that customers can just pick the elements for their threat models from the palette. You can find more details about this change in the following support article: https://support.iriusrisk.com/hc/en-us/articles/4403779598097.

• CON-829. Adapted the rule syntax in all of our default libraries to the new format after the rule refactor that is delivered with IriusRisk v4.

• CON-923. Updated all of our default libraries to the new format of conditions and actions for rules.

• CON-917. Removed soft references (in names, descriptions, and test steps) to Hydras LTD for some AWS components.

• CON-918. Two structural changes were applied to all default libraries. First, a new XML Schema was applied. Secondly, new UUID attributes were introduced for all risk patterns.

• CON-920. Renamed the “Resource Groups / Tag Editor” AWS component to “Management Console for AWS”.

• CON-925. The countermeasure "Use Cloudfront CDN" (aws-tier-6.3) was associated with the S3, EC2, and ELB components, and was disassociated from the CloudFront component.

• CON-929. Removed trailing spaces and full stops in threat, weakness, and countermeasure names for all the default libraries.

• CON-1006. Removed one countermeasure (C-AWS-MANAGED-BLOCKCHAIN1) and added three new countermeasures (C-AWS-MANAGED-BLOCKCHAIN, C-AWS-CONTROL-ETHEREUM and C-AWS-CONTROL-HYPERLEDGERFABRIC) for the AWS Managed Blockchain component in the AWS library.

• CON-1020. Deleted the risk pattern aws-common-security-considerations and fixed one duplicated threat (AWS-LOSS-CONTROL-ENV) from the AWS component "VPC-Virtual Private Cloud" in the AWS library.