Type: Service, Product - Service
Category: Security
Sub-categories: Application Security

IriusRisk: Assess & Respond to Application Security Risks during Design; Monitor Countermeasure Progress & Test Results Continuously

With the proliferation of software and new technologies in all facets of business, it is very challenging for software developers and architects to stay up to date with the latest attacks and defensive techniques. Traditional application security tools focus on scanning source code and testing applications after they've been built. We've spent 15 years working as experts in ethical hacking and security testing and found a number of problems with this approach, which have been echoed by others in the application security industry:

- Many applications are built with flawed security designs even before the code is written.
- By the time the application is production ready to be security tested, it is already too late and too costly to revisit the security design.
- A significant number of security flaws are introduced purely because of a lack of communication and understanding between the developers and the security teams.

Enterprises face further challenges in being able to scale their software security initiatives to cope with the number of applications in their core business. Even if they choose to address these issues by investing in manual threat modelling and security architecture reviews, the time and investment required is often not practical given the limited security resources available.

Solution (Value Proposition)
IriusRisk's solution to these challenges is to provide a tool to manage application security risk right from product inception and design through to implementation, and to track that risk into the testing phases through integration with vulnerability scanning tools. By using a simple questionnaire to derive the threat model, the tool is accessible to architects and developers without previous security knowledge and allows them to understand the security risks and regulatory requirements during product design, before they start writing code.

IriusRisk is an expert system that performs an architectural risk analysis and creates a threat model of a software application at design time. The threat model is generated based on rules defined in a rules engine, together with an internal threat and countermeasure library. The generated threat model also includes recommendations on how to address the security risk, along with specific source code examples on how to implement features securely. IriusRisk then enables the user to manage security risks throughout the rest of the software development lifecycle (SDLC) by integrating with bug tracking tools and testing frameworks. In this sense, IriusRisk is a “Product Innovation” that automates a time-consuming and subjective process, while providing real-time insight into the security risks at any time during the SDLC.

Key Differentiators:
IriusRisk is the first product on the market to provide an end-to-end security risk management solution for application security over the entire software development lifecycle. It provides intelligent automation for a time-consuming and costly manual process: security risk analysis and threat modelling of applications at design time. IriusRisk:

- allows companies to easily define a secure software architecture (using our expert system backed by a rules engine, we automate a large part of it);
- allows companies who develop software to make informed risk decisions about their architecture;
- reduces architectural risk analysis time from days to minutes; and
- measures risk continuously throughout the development process by integrating with bug tracking tools, to determine the completion state of the controls, as well as with security testing tools, to understand the degree of vulnerability.

Supporting Technology (the 'magic')
The product, IriusRisk, aims to address two areas of software security management:

1. Self-service threat modelling and risk analysis for developers and architects: We chose to pursue a self-service model for threat modelling, with the primary requirement that no specialist security knowledge be needed to create a threat model. This approach differs from other threat modelling tools such as Microsoft Threat Modeller, MyAppSecurity and Mozilla Project SeaSponge products, which all require some understanding of security concepts. IriusRisk instead takes the approach of using a questionnaire to analyse the security of the architecture and present the user with a list of threats, weaknesses and countermeasures, as well as mapping the technical weaknesses back to business risk.
2. Security risk management throughout the product lifecycle, from design through to implementation and testing: Allows the user to make informed risk decisions about each listed threat:
   - Accept the risk and provide a rationale (which is stored and maintained with the risk model).
   - Mark the risk as Not Applicable, with a rationale.
   - Apply a recommended countermeasure.
   - Calculate the Business Risk associated with each technical threat by using available formulas and variables.

Team Experience

Stephen de Vries, Founder & CTO Continuum Security
Stephen is the founder and CTO of Continuum Security. He has been active in the application security area for more than 10 years, contributing to various OWASP projects and leading the OWASP Java project for a few years. With Continuum Security, Stephen has also contributed to the open source community by releasing the BDD-Security security testing framework under a GNU Affero license.

Contacts for clients, press and partners:
Continuum Security
C/ Unica S/N
Montesa, 22315
Phone: +34 974 316 951
Web: http://www.continuumsecurity.net/
