According to Stephen de Vries, CEO and co-founder of IriusRisk, 50% of software vulnerabilities are due to flaws in the product’s design, and such flaws are over 100 times more expensive to fix once the product has been released than when they are caught during development.
Founded in 2008 as Continuum Security, the company later shifted its focus to the IriusRisk product and rebranded under that name, as part of its mission to become the leading automated threat modeling platform and to make threat modeling a common, integral part of every organisation's software development lifecycle.
The IriusRisk CEO and co-founder says: “It is imperative that all software development teams, regardless of the size of their organisation, should be undertaking threat modeling to build security into their software. By shifting security left, companies are making sure their products are as secure as possible when they are released to the public. While IriusRisk is pioneering the automation of threat modeling for mature enterprises, our mission and priority is to make threat modeling a mainstream practice that is accessible and easy to use for everyone.”
He joins us to explain what they do and why every business should be taking threat modeling seriously.
What is the unique competitive advantage of IriusRisk?
Threat modeling is the practice that shifts security left in the software development lifecycle: security and engineering teams analyse a product’s design to identify the threats it faces and the risks they pose before development is complete, so that the design can be fixed ahead of deployment rather than patched afterwards.
IriusRisk uses automation to take threat modeling from a static, slow and manual security process, often conducted on whiteboards, to an easily implemented practice that can be consistently applied across an organisation’s product portfolio, creating security-by-design, at scale.
The IriusRisk Threat Modeling Platform helps businesses “start left”, building security and privacy into applications by design. Organisations gain visibility into threats and risks in their product from the design stage of the software development life cycle (SDLC). It then provides security and engineering teams with a list of threats and detailed countermeasures to fix the vulnerabilities that they may encounter before and throughout development.
This saves time and cost: it relieves part of the security workload for both security architects and engineers, removes the bottleneck of late-stage security testing so that deployment is faster, and avoids costly development rework.
Any client case studies?
Axway, a global IT company that provides enterprise software tools and has six R&D locations across North America and Europe, has integrated IriusRisk’s Automated Threat Modeling Platform into its Secure Software Development Lifecycle (SSDLC), Continuous Security Review and CI/CD processes. Teams at Axway can now run threat models for their products as needed and immediately see the list of issues and potential vulnerabilities that need attention.
Brian Levine, Senior Director Product & Cloud Security at Axway Product Security Group, described how IriusRisk has helped the global information technology company empower its engineers to run threat models and transform its DevSecOps:
“Axway has over 100 enterprise products and cloud services in our catalog and each engineering group and product may have a different release cadence. Scheduling time with a product security expert to perform a threat model would cause delays and reduce engineering velocity due to an overwhelming number of requests and difficulty in coordinating calendars. We leverage IriusRisk to democratise and standardise the framework for threat modeling to ensure that each engineering team has proper training and tools to conduct their own threat model, on their schedule, and consult with product security groups as needed to address risks,” said Levine.
What makes the innovation so important?
IriusRisk’s innovation matters because it makes threat modeling straightforward for every team, not only security specialists. Over 50% of the flaws and vulnerabilities identified in products are in the design. IriusRisk’s automation ensures that products are not deployed with high-risk design flaws that would have to be fixed after release. Critically, it surfaces design-level flaws, such as a missing control at a trust boundary, that application-scanning tools working on source code or running systems simply cannot find. IriusRisk’s clients are therefore able to build more secure, resilient products that protect their assets, reputation and customers, helping organisations truly and effectively start left on security.
In addition, IriusRisk’s automated platform allows organisations to scale threat modeling across all their critical applications and software portfolio to deliver a consistent standard of more secure and resilient software at scale.
What lies ahead for 2022?
A big focus for IriusRisk over the next few quarters is to open up the platform to the many different architectural formats and sources. To do this we have developed an Open Threat Model (OTM) standard that allows organisations to represent systems and threat models in a tool-agnostic way. Converters will take AWS CloudFormation, Terraform, or even Visio diagrams and automatically generate OTM files, which IriusRisk then parses to create a full threat model using its rules engine and risk pattern libraries.
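To make the converter-plus-rules-engine pipeline concrete, here is an added example in Python that is not IriusRisk's code and not part of the original article. It walks a constructed CloudFormation template, emits a document shaped like an Open Threat Model file (the field names otmVersion, project, trustZones, components, dataflows and risk.trustRating follow the public OTM spec as I read it, and are assumptions here), and then runs one toy rule over the result: flag any dataflow that enters a more-trusted zone from a less-trusted one. The trust-zone assignment, the resource-type-to-component-type table and the sample template are all invented for the illustration.

```python
"""Added example: CloudFormation -> OTM-shaped document -> one trust-boundary rule.

Not IriusRisk code. Field names follow the public Open Threat Model spec as
understood by the author of this example (assumption); the template, the
trust zones and the type mapping are constructed for illustration only.
"""
import json
from typing import Any

# Constructed sample template (not from any real deployment): an HTTP API that
# fronts a Lambda function, which in turn reads from an S3 bucket.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PublicApi": {
            "Type": "AWS::ApiGatewayV2::Api",
            "Properties": {
                "ProtocolType": "HTTP",
                "Target": {"Fn::GetAtt": ["ApiFunction", "Arn"]},
            },
        },
        "ApiFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.12",
                "Environment": {"Variables": {"BUCKET": {"Ref": "DataBucket"}}},
            },
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}

# Assumed trust zones. OTM trust zones carry risk.trustRating (0-100, higher = more trusted).
TRUST_ZONES = {
    "public": {"name": "Internet-facing edge", "trustRating": 10},
    "internal": {"name": "Private cloud account", "trustRating": 80},
}

# Assumed mapping from CloudFormation resource types to OTM component types.
COMPONENT_TYPES = {
    "AWS::ApiGatewayV2::Api": "api-gateway",
    "AWS::Lambda::Function": "serverless-function",
    "AWS::S3::Bucket": "object-storage",
}


def find_references(node: Any) -> set[str]:
    """Collect logical IDs referenced via Ref / Fn::GetAtt anywhere under a property tree."""
    refs: set[str] = set()
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            refs.add(node["Ref"])
        if isinstance(node.get("Fn::GetAtt"), list) and node["Fn::GetAtt"]:
            refs.add(node["Fn::GetAtt"][0])
        for value in node.values():
            refs |= find_references(value)
    elif isinstance(node, list):
        for value in node:
            refs |= find_references(value)
    return refs


def zone_for(resource_type: str) -> str:
    """Heuristic (assumption): API Gateway resources sit at the public edge, everything else is internal."""
    return "public" if resource_type.startswith("AWS::ApiGateway") else "internal"


def cfn_to_otm(template: dict, project_name: str = "sample-project") -> dict:
    """Convert a CloudFormation template into an OTM-shaped dict.

    Every resource becomes a component placed in a trust zone; every Ref/GetAtt
    from one resource to another becomes a dataflow from the referrer to the referee.
    """
    resources = template["Resources"]
    otm: dict = {
        "otmVersion": "0.1.0",
        "project": {"name": project_name, "id": project_name},
        "trustZones": [
            {"id": zid, "name": z["name"], "risk": {"trustRating": z["trustRating"]}}
            for zid, z in TRUST_ZONES.items()
        ],
        "components": [],
        "dataflows": [],
    }
    for logical_id, res in resources.items():
        otm["components"].append({
            "id": logical_id,
            "name": logical_id,
            "type": COMPONENT_TYPES.get(res["Type"], "generic-component"),
            "parent": {"trustZone": zone_for(res["Type"])},
        })
        for target in sorted(find_references(res.get("Properties", {}))):
            if target in resources:  # ignore Refs to parameters / pseudo-parameters
                otm["dataflows"].append({
                    "id": f"{logical_id}-to-{target}",
                    "name": f"{logical_id} -> {target}",
                    "source": logical_id,
                    "destination": target,
                })
    return otm


def boundary_crossings(otm: dict) -> list[dict]:
    """Toy rule: a dataflow entering a more-trusted zone from a less-trusted one needs a control."""
    zone_of = {c["id"]: c["parent"]["trustZone"] for c in otm["components"]}
    rating = {z["id"]: z["risk"]["trustRating"] for z in otm["trustZones"]}
    findings = []
    for df in otm["dataflows"]:
        src_zone, dst_zone = zone_of[df["source"]], zone_of[df["destination"]]
        if rating[src_zone] < rating[dst_zone]:
            findings.append({
                "dataflow": df["id"],
                "threat": "Untrusted input crosses a trust boundary",
                "countermeasure": "Authenticate the caller and validate input at the boundary",
            })
    return findings


if __name__ == "__main__":
    model = cfn_to_otm(SAMPLE_TEMPLATE)
    print(json.dumps(model, indent=2))
    for finding in boundary_crossings(model):
        print(f"{finding['dataflow']}: {finding['threat']} -> {finding['countermeasure']}")
```

On the sample template the converter produces two dataflows, PublicApi to ApiFunction and ApiFunction to DataBucket, and the rule flags only the first, because it is the one that leaves the low-trust edge zone. A real converter would also have to resolve parameters, nested stacks and non-Ref wiring (security groups, IAM policies), and a real rules engine would match on component types and properties, not just zone ratings.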