Security workflows for DevOps teams with IriusRisk
Threat Modeling and defining security requirements is just step one on the journey to building a secure system. The threat model should really inform all downstream security activities, including implementation and testing. But all too often, the model is used only during design and then becomes less and less relevant as the project progresses. This is sometimes simply due to a mismatch in tooling: the Threat Model is documented in a spreadsheet, document or other file based system – and that doesn’t travel well when developers are using issue tracker to manage requirements or automated tests to verify that they’ve been implemented.
IriusRisk is firstly a risk and requirements automation tool but for the generated model to be effective and useful for the project team it offers integration with issue trackers, automated testing and security testing tools. A threat model that’s out of date or doesn’t accurately reflect the current risk quickly loses it’s value. The diagram below illustrates a typical security workflow:
1. The security or development team creates a new product definition on IriusRisk by answering a questionnaire. The questionnaire as well as the fields that can be stored are customizable by administrative users.
2. IriusRisk creates a threat model based on the responses to the questionnaire and it’s own internal library of risk patterns. The generated model contains Risks, Weaknesses (linked to CWE) and Countermeasures. Some of the countermeasures are created as recommendations, and others as Requirements. (The security team can optionally review and edit this model before uploading the requirements to an issue tracker)
3. Developers and Operations teams will see the newly created tickets representing the security requirements on their issue tracker. They treat these as they would any other requirements and can mark them as Implemented, or Rejected. Additionally, they can choose to include the new tickets and estimate the effort required as part of their normal sprint planning.
4. IriusRisk polls the issue trackers every 5 minutes and updates the status of the Countermeasure with the status of the ticket. If the ticket has been marked as resolved or implemented, then IriusRisk will do the same for the Countermeasure in its risk model. And it will then reduce the risk rating of the risk associated with that countermeasure:
5. Run security tests against the application or source code. These could be in the form of unit tests such as are provided by BDD-Security, other Cucumber, JUnit tests or scanning results from OWASP ZAP or HP Fortify. The tests can be executed as part of the continuous build or deploy process and the results uploaded to IriusRisk through the API.
6. IriusRisk will then evaluate the test result may adjust the risk rating again. If the risk rating was reduced due to a countermeasure being marked as Implemented, but the test result indicates that a weakness still exists – then IriusRisk will increase the risk rating back to its original value. In addition it can automatically create a new ticket on the issue tracker that represents this new vulnerability:
Since the model has an established relationship between Countermeasures and Weaknesses, the newly created ticket can reflect this so that the dev/ops team understands that the two tickets are related:
Should the test status change in a subsequent test run, IriusRisk will update the ticket and can also be configured to automatically close the ticket once the test passes.
This workflow was designed to cause minimal impact to the DevOps teams. They can continue to use their existing issue tracker to plan work and resolve incidents, while the security team can use IriusRisk to orchestrate the security process and manage risk as the project progresses. The near real-time integration between IriusRisk and the issue trackers and testing tools allows the security team to stay up to date on the current risk – and to provide feedback to the DevOps teams about newly identified issues or new security requirements.
If you’d like a demo of IriusRisk please contact our sales team.
Did you like this article?
- The OWASP Summit exceeded all expectations19 June 2017I attended my first OWASP Summit last week and it has spoiled most other conferences for me. The summit is not a traditional conference where an “expert” is selected by the CFP panel and has 40 minutes to expound The Truth from a podium, while everyone else takes notes. I’d call this a “top down” […]READ MORE
- OWASP Summit 201713 June 2017It’s the Woodstock of Application Security! Our CEO Stephen de Vries is currently at the OWASP Summit in London, participating in the Threat Modeling and BDD for Cloud Security working sessions. The OWASP Summit 2017 is a 5-day participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on SecDevOps. Join […]READ MORE
- First International Workshop on Gender and Cybersecurity30 May 2017Our Chief Operating Officer Cristina Bentue will participate in a round table at the First International Workshop on Gender and Cybersecurity on the 5th of June at 5pm. The full programme can be found here. The Spanish National Cybersecurity Institute (INCIBE), in collaboration with the Organisation of American States (OAS), organises the “First International Workshop […]READ MORE