“We want to build a mobile payment application and store personal details on the device”
An adaptive questionnaire driven by an expert system guides the user through straightforward questions about the technical architecture, the planned features and the security context of the application.
The questionnaire modifies itself in real time based on the supplied answers. As it learns more about the architecture, it asks more specific questions in order to accurately identify the inherent risks.
This questionnaire is 100% editable through our graphical rules editor, so that you can customise the questions to your environment and common architectures.
The model is categorized by the major components and presents a list of the potential security risks and weaknesses, along with specific recommended countermeasures. Weaknesses are regarded as potentially present until their presence or absence has been verified through security testing. Confirmed weaknesses are highlighted as vulnerabilities.
Each threat is linked to potential Weaknesses and recommended Countermeasures from our extensive application risk database. The user can then make an informed decision about the appropriate risk response: Mitigate, Avoid or Accept. For example, a countermeasure can be applied to Mitigate the risk, or a risk can be accepted and the risk decision justified.
The system provides risk management advice and guidance by highlighting the important next steps and the countermeasures that provide the highest return on security investment.
Developers and the implementation team have a clear list of the security countermeasures that need to be implemented. Countermeasures can also be uploaded to a defect tracker like Jira, so that developers can keep using the tools they're familiar with, while the security team has a real-time, risk-centric view of the countermeasure progress.
Countermeasure status can be managed in IriusRisk alone, or by synchronising with a defect tracker like Jira.
Security testing is supported from both a control and a vulnerability perspective. The test results from negative testing, such as vulnerability assessments and penetration tests, can be recorded against the listed Weaknesses. Positive security control testing, such as code reviews and audits that aim to validate the implementation of controls, can be recorded against the listed Countermeasures.
Compare risk ratings for products across the enterprise or within business units
IriusRisk is offered as either a hosted SaaS or an on-premise solution. Pricing is tiered based on the number of applications managed by the solution. The number of users is unlimited in all the editions.