Default Libraries

This page has been moved to Zendesk. Please refer to this link for the latest version.

IriusRisk ships several additional libraries that extend the questionnaire and provide more risk patterns, threats, weaknesses, countermeasures, rules and standards, adding security information to each component. The additional libraries are the following:

  • Amazon Web Services (AWS): the Hydras-AWS-Foundation library provides the risk patterns and rules for the AWS environment, plus the additional risk patterns used to configure the AWS deployment of each component.
  • Microsoft Azure (MS Azure): the Microsoft-Azure library provides the risk patterns and rules for the Microsoft Azure environment, plus the additional risk patterns used to configure the MS Azure deployment of each component.
  • Docker library: the Docker library provides the risk patterns and rules for Docker containers, whether in the internal infrastructure or in a cloud environment, together with additional information about the security risks and controls involved in configuring container deployments.
  • OWASP Mobile Application Security Verification Standard (OWASP MASVS): the OWASP MASVS library provides the risk patterns and rules for the Mobile Device Client component, together with the countermeasures needed to apply the OWASP MASVS standard.
  • EU General Data Protection Regulation (GDPR): the EU GDPR library provides the risk patterns and rules to apply the EU GDPR standard to components and as a new regulatory component. With this library the risk patterns can be imported, the standard can be selected, and the state of the controls from the standard changes to Required.

Amazon Web Services (AWS):

Amazon Web Services is a cloud services platform that offers compute power, database storage and content delivery to help businesses scale and grow. This library contains the steps to configure the AWS environment and components in the cloud platform so as to mitigate threats and avoid possible attacks against the cloud systems.

For Amazon Web Services, we can get the risk pattern for the complete environment or only the risk pattern for each component, when the component is deployed in a public cloud. There are several scenarios:

  • Amazon Web Services environment: when we select this component in the main questionnaire or in the component questionnaire, the following risk patterns are imported: AWS Governance, AWS Identity and Access Management, AWS Logging, AWS Monitoring and AWS Networking.
  • Client components and service components: when a client component or service component is selected and the Public Cloud trust zone is answered, new questions appear in the Deployment tab with the option Amazon Elastic Compute Cloud (Amazon EC2); if we select this answer, the AWS EC2 risk pattern is imported.
  • Data stores: when a data store is selected and the Public Cloud trust zone is answered, the Drools rules engine shows the following possible questions in the Deployment tab: Amazon Elastic Compute Cloud (Amazon EC2), Simple Storage Service (S3) and/or Relational Database Service (RDS). Each of these questions, when answered, imports the corresponding risk pattern: AWS EC2, AWS S3 or AWS RDS.

Microsoft Azure (MS Azure): 

Microsoft Azure is a set of cloud services for developers and IT professionals to create, deploy and manage applications anywhere. This library contains the steps to configure the MS Azure environment and components in the cloud platform so as to mitigate threats and avoid possible attacks against the cloud systems.

For Microsoft Azure, we can get the risk pattern for the complete environment or only the risk pattern for each component, when the component is deployed in a public cloud. There are several scenarios:

  • Microsoft Azure environment: when we select this component in the questionnaire, the following risk patterns are imported: Azure Governance, Azure Identity and Access Management, Azure Logging, Azure Monitoring, Networking VNets and Azure Networking.
  • For all components (except environment or regulatory components): when a component is selected and the Public Cloud trust zone is answered, new questions appear in the Deployment tab with the option Azure Virtual Machines; if we select this answer, the Azure Virtual Machines risk pattern is imported.
  • Data stores: when a SQL data store is selected and the Public Cloud trust zone is answered, the Drools rules engine shows an additional question in the Deployment tab: Azure SQL; when any other data store is selected, the Azure Storage question is shown instead. Each of these questions imports the corresponding risk pattern: Azure SQL or Azure Storage.

Docker library: 

Docker is the company that drives the use of containers to develop and deploy applications in a hybrid cloud. Docker provides true independence between applications and infrastructure, and between developers and IT professionals, creating a model for better collaboration and innovation. The library provides a guide for developers to configure Docker containers so as to avoid weaknesses in their cloud infrastructures.

We created the Docker library to provide the risk patterns for containers. When the container option is selected in the Deployment tab, the following risk patterns are imported: Docker - Container Images and Docker Runtime.

OWASP Mobile Application Security Verification Standard (OWASP MASVS):

The MASVS gives baseline security requirements for developing mobile apps. The risk patterns were created on the basis of the OWASP MASVS, which defines three standard levels:

  • MASVS-L1 (Standard Security): this level includes best practices for mobile application development. The basic requirements concern code quality, handling of sensitive data and interaction with the mobile environment.
  • MASVS-L2 (Defense-in-Depth): introduces advanced security controls; this level is appropriate for mobile applications that handle sensitive data, such as mobile banking.
  • MASVS-R (Resiliency Against Reverse Engineering and Tampering): the app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.

The risk pattern to import depends on the type of operating system (OS): Android, iOS or Windows Mobile, and also on the sensitive data level.

EU General Data Protection Regulation (EU GDPR)

The EU General Data Protection Regulation (GDPR) replaces the old Data Protection Directive 95/46/EC; it was designed to unify data privacy laws across Europe and to protect the data privacy of all EU citizens from organizations. This library only contains the risk patterns and countermeasures to mitigate the IT risks in application development.

The EU GDPR library and standard contain the risk patterns and the rules to import them when one of the following cases occurs:

  • EU GDPR Regulatory Environment: when you select this option as a new component, the EU GDPR - Governance risk pattern is imported with the threats, weaknesses and controls for this case.
  • Select Personal Data Stored or Processed (not Data Store): when personal data is stored or processed and the component is not a data store, the EU GDPR - Component risk pattern is imported with the corresponding threats, weaknesses and countermeasures for these components.
  • Select Personal Data Stored or Processed (Data Store): when personal data is stored or processed and the component is a data store, the EU GDPR - Component and EU GDPR - Data store risk patterns are imported with the corresponding threats, weaknesses and countermeasures for this kind of component.
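The AWS, Azure, Docker and EU GDPR scenarios above all follow the same mechanism: the component type and its trust zone decide which Deployment questions the rules engine shows, and each answer (or the personal-data flag) decides which risk patterns are imported. The following is an added illustration of that mechanism in plain Python, not IriusRisk code and not its Drools rules. The component category names, the `personal_data` flag and the "Docker container" option name are assumptions of this example; the risk pattern and question names are the ones listed on this page.

```python
"""Toy model of the questionnaire-driven risk-pattern import described on this page.

Added illustration, not IriusRisk code: the conditions from the AWS, Azure,
Docker and EU GDPR sections are encoded as plain Python instead of Drools.
Component categories, the `personal_data` flag and the "Docker container"
deployment option name are assumptions of this example.
"""
from dataclasses import dataclass, field

# Bundles imported when an environment or regulatory component is added.
ENVIRONMENT_PATTERNS = {
    "Amazon Web Services environment": [
        "AWS Governance", "AWS Identity and Access Management",
        "AWS Logging", "AWS Monitoring", "AWS Networking",
    ],
    "Microsoft Azure environment": [
        "Azure Governance", "Azure Identity and Access Management",
        "Azure Logging", "Azure Monitoring", "Networking VNets", "Azure Networking",
    ],
    "EU GDPR Regulatory Environment": ["EU GDPR - Governance"],
}

# Deployment-tab answer -> risk pattern(s) it imports; fixed order keeps results deterministic.
DEPLOYMENT_PATTERNS = {
    "Amazon Elastic Compute Cloud (Amazon EC2)": ["AWS EC2"],
    "Simple Storage Service (S3)": ["AWS S3"],
    "Relational Database Service (RDS)": ["AWS RDS"],
    "Azure Virtual Machines": ["Azure Virtual Machines"],
    "Azure SQL": ["Azure SQL"],
    "Azure Storage": ["Azure Storage"],
    "Docker container": ["Docker - Container Images", "Docker Runtime"],  # option name assumed
}

DATA_STORES = {"data_store", "sql_data_store"}   # assumed category names
NON_DEPLOYABLE = {"environment", "regulatory"}    # components without a Deployment tab


@dataclass
class Component:
    name: str
    category: str                     # client | service | data_store | sql_data_store | environment | regulatory
    trust_zone: str = ""              # e.g. "Public Cloud"
    deployment: set = field(default_factory=set)   # Deployment-tab answers chosen by the user
    personal_data: bool = False       # "Personal Data Stored or Processed" answered yes


def deployment_questions(c: Component) -> set:
    """Deployment-tab options the rules offer for this component."""
    if c.category in NON_DEPLOYABLE:
        return set()
    offered = {"Docker container"}    # container option is not tied to a trust zone on the page
    if c.trust_zone != "Public Cloud":
        return offered
    # EC2 for clients, services and data stores; Azure VMs for every non-environment component.
    offered |= {"Amazon Elastic Compute Cloud (Amazon EC2)", "Azure Virtual Machines"}
    if c.category in DATA_STORES:
        offered |= {"Simple Storage Service (S3)", "Relational Database Service (RDS)"}
    if c.category == "sql_data_store":
        offered.add("Azure SQL")
    elif c.category == "data_store":
        offered.add("Azure Storage")
    return offered


def import_risk_patterns(c: Component) -> list:
    """Risk patterns the rules import for a component, in a fixed order."""
    if c.category in NON_DEPLOYABLE:
        return list(ENVIRONMENT_PATTERNS.get(c.name, []))
    # An answer can only exist because its question was shown; reject anything else
    # (e.g. S3 on a client component) instead of silently importing a pattern.
    not_offered = c.deployment - deployment_questions(c)
    if not_offered:
        raise ValueError(f"{c.name}: answers never offered: {sorted(not_offered)}")
    patterns = []
    for answer, imported in DEPLOYMENT_PATTERNS.items():
        if answer in c.deployment:
            patterns.extend(imported)
    if c.personal_data:                       # EU GDPR rules
        patterns.append("EU GDPR - Component")
        if c.category in DATA_STORES:
            patterns.append("EU GDPR - Data store")
    return patterns


if __name__ == "__main__":
    # Constructed sample components for a quick demonstration.
    samples = [
        Component("Microsoft Azure environment", "environment"),
        Component("Web client", "client", "Public Cloud",
                  {"Amazon Elastic Compute Cloud (Amazon EC2)"}),
        Component("Orders DB", "sql_data_store", "Public Cloud",
                  {"Relational Database Service (RDS)", "Azure SQL"}, personal_data=True),
    ]
    for comp in samples:
        print(f"{comp.name}: {import_risk_patterns(comp)}")
```

The check in `import_risk_patterns` is the part worth keeping in mind when writing custom rules: a deployment answer should only be honoured if the question that produced it was actually shown for that component type and trust zone, otherwise a stray answer imports a pattern that does not match the architecture.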