IriusRisk has added infrastructure-as-code (IaC) support to its automated threat-modeling platform for application security. With IaC, development and operations teams provision and manage software-defined infrastructure from machine-readable descriptors rather than by manual configuration.
Stephen De Vries, CEO and cofounder of IriusRisk, told VentureBeat in an email interview that the company provides automated threat modeling and secure design so that organizations can “start left” with cybersecurity in software, progressing the “shift left” movement. He noted that organizations gain visibility into potential threats in their software through the process of threat modeling within the IriusRisk platform, which then provides developers and security teams with detailed countermeasures to fix the threats and embeds security into existing developer workflows.
IriusRisk said this latest version of its threat-modeling platform is designed to make it easier for teams to generate threat models for cloud architectures. It added that customers can generate a threat model from an IaC descriptor from cloud orchestration tools, such as AWS CloudFormation and HashiCorp Terraform, as well as from diagramming tools such as Microsoft Visio, while also containing the applicable threats and prescriptive security controls.
Automated threat modeling
With cybersecurity risks rising rapidly, businesses that develop applications are paying closer attention to security practices built on conservative design principles. According to Synopsys, those practices include threat modeling, which has become essential for hardening applications against future attacks.
According to a Security Compass report, only 25% of firms polled perform threat modeling during the requirements-gathering and design stages that precede application development. Another study suggests that one way to encourage sound security engineering is to reduce the need to create system and threat models by hand, using automation instead to lessen the workload and meet the demands of both the business and the security team.
Less than 10% of those polled in the Synopsys study reported that their companies undertake threat modeling on 90% or more of the applications they create, while more than 50% of companies report difficulty automating and integrating their threat-modeling operations.
De Vries said IriusRisk’s automated approach takes threat modeling from a static, slow and manual process, conducted on whiteboards, to an easily implemented security practice that is baked into the development cycle from the very beginning. He noted that IriusRisk delivers time and cost savings by identifying potential security risks earlier during design, which speeds up time to deployment. Most importantly, he added, it ensures software isn’t launched with high-risk insecure design flaws that would need to be tested for and fixed in post-production, or that potentially couldn’t be identified at all through application security scanning, leaving software vulnerable.
According to IriusRisk, its most recent updates let customers build fully automated end-to-end processes around cloud-native designs. The company says this straightforward procedure makes it simpler and more scalable to construct a threat model with built-in, usable countermeasures. An enterprise that uses AWS CloudFormation or HashiCorp Terraform can have IriusRisk generate threat models automatically from its infrastructure-as-code.
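The article describes generating a threat model from an IaC descriptor but not how such a generator works. The following is an added illustration, written for this page and not IriusRisk's code: it parses a constructed AWS CloudFormation template (JSON), maps each resource type to an architectural component, and applies a small pattern library whose rules pair a threat with a prescriptive countermeasure whenever the declared properties are weak. The sample template, the component labels, the rule set and the wording of the threats and countermeasures are all assumptions made for the example; the resource types and property names are real CloudFormation ones.

```python
"""Toy IaC-to-threat-model generator (constructed example, not IriusRisk's implementation)."""
import json

# Constructed sample template: each resource deliberately carries a weak setting.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-data"}
    },
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AppDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "PubliclyAccessible": true, "StorageEncrypted": false}
    }
  }
}
"""

ADMIN_PORTS = (22, 3389, 5985, 5986)          # SSH, RDP, WinRM
ANY_CIDR = ("0.0.0.0/0", "::/0")
PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")


def s3_unencrypted(props):
    return "BucketEncryption" not in props


def s3_public_access_not_blocked(props):
    cfg = props.get("PublicAccessBlockConfiguration", {})
    return not all(cfg.get(k) is True for k in PUBLIC_BLOCK_KEYS)


def sg_admin_port_world_open(props):
    """True if an ingress rule exposes an admin port (or every port) to the whole internet."""
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") not in ANY_CIDR and rule.get("CidrIpv6") not in ANY_CIDR:
            continue
        if str(rule.get("IpProtocol")) == "-1":   # "-1" means all protocols and ports
            return True
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if any(lo <= port <= hi for port in ADMIN_PORTS):
            return True
    return False


def rds_publicly_accessible(props):
    return props.get("PubliclyAccessible") is True


def rds_storage_unencrypted(props):
    return props.get("StorageEncrypted") is not True


# Pattern library (assumed): resource type -> (component label, [(predicate, threat, countermeasure)]).
PATTERNS = {
    "AWS::S3::Bucket": ("Object storage", [
        (s3_unencrypted, "Data at rest readable if storage media or backups leak",
         "Set BucketEncryption (SSE-KMS with a customer-managed key)"),
        (s3_public_access_not_blocked, "Bucket or objects can become world-readable via a policy/ACL change",
         "Set all four PublicAccessBlockConfiguration flags to true"),
    ]),
    "AWS::EC2::SecurityGroup": ("Network boundary", [
        (sg_admin_port_world_open, "Remote administration interface reachable from the internet",
         "Restrict admin ports to a bastion/VPN CIDR or use a session-broker service instead"),
    ]),
    "AWS::RDS::DBInstance": ("Relational database", [
        (rds_publicly_accessible, "Database endpoint exposed outside the VPC",
         "Set PubliclyAccessible to false and deploy into private subnets"),
        (rds_storage_unencrypted, "Database storage and snapshots unencrypted at rest",
         "Set StorageEncrypted to true (KmsKeyId for a customer-managed key)"),
    ]),
}


def build_threat_model(template_text):
    """Return one finding per (resource, matched rule); unknown resource types yield none."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        component, rules = PATTERNS.get(rtype, ("Unmodelled component", []))
        props = resource.get("Properties", {})
        for predicate, threat, countermeasure in rules:
            if predicate(props):
                findings.append({"resource": name, "type": rtype, "component": component,
                                 "threat": threat, "countermeasure": countermeasure})
    return findings


if __name__ == "__main__":
    for f in build_threat_model(SAMPLE_TEMPLATE):
        print(f"[{f['component']}] {f['resource']}: {f['threat']}\n    -> {f['countermeasure']}")
```

Run against the sample template it reports five findings (two for the bucket, one for the security group, two for the database); a template that sets the listed properties correctly reports none. Keeping the rules as (predicate, threat, countermeasure) triples is what lets the same descriptor drive both the threat list and the prescriptive controls the article mentions, and adding a rule for a new resource type is a one-line change to the library.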
Addressing the global shortage of talent
U.S. labor statistics estimate that as of December 2020, 40 million skilled workers globally were in high demand. If this pattern continues, businesses worldwide risk losing $8.4 trillion in revenue to the skills shortage by 2030. This has several effects, including strong demand for developer talent and the pressure that demand places on security teams.
De Vries said that IriusRisk lessens the load on nonsecurity specialists, such as developers, through automation (like IaC) and its score system, which provides prioritized countermeasures and instruction as needed. De Vries noted that as security continues to move up the executive board’s list of priorities, this helps to foster a culture of secure development inside an organization and lessens the load on security specialists and bottlenecks caused by the rework needed during testing.
De Vries said, “IaC is a vital next step in our drive to continue pushing the boundaries of threat modeling and our mission to make it easier than ever to implement in more environments, and at scale. IaC makes further automation possible and will help to put threat modeling into the hands of more nonsecurity people.”
De Vries said that other threat modelers are major competitors in this space. However, he said the IriusRisk threat-modeling platform is differentiated by its open architecture and pattern-based approach, rather than sticking to a few methodologies such as STRIDE, PASTA or VAST. He added that it is this open approach that allows such methodologies to be incorporated but also allows organizations to define their own particular organizational threat-modeling requirements or industry-specific requirements and standards (such as OWASP or NIST recommendations).