The ISRA (Security Risk Assessment) tool project is an Electron-based application used internally in the Thales Digital Identity and Security business unit (Thales DIS) to evaluate the security risks of engineering projects.
It lets you define the primary assets, called business assets, the supporting assets associated with them, the threat agents and the vulnerabilities, and then calculate the associated risks and the potential risk treatment options. This process is fully compliant with the ISO 27005 risk management standard.
Creating a security risk assessment of an engineering project involves several steps, which are briefly summarized below (refer to ISO 27005 for more information):
In some cases vulnerabilities are found before the risks are actually defined, for example through security testing; the steps above are then adapted accordingly.
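As an added illustration, not code from the ISRA tool or its `json-schema.js`, the following shows a minimal ISO 27005 style calculation over the entities named above: business assets valued per security property, supporting assets that carry them, and risks that pair a threat agent with a vulnerability on a supporting asset. The 1..5 scales, the likelihood × impact score, the treatment bands, the field names and the sample assessment are all assumptions made for this example.

```javascript
// Added illustrative example (not the ISRA tool's code or schema): a minimal
// ISO 27005 style risk computation. Scales, field names, thresholds and the
// sample data below are assumptions chosen for the example.

const SCALE_MIN = 1;
const SCALE_MAX = 5;

// Constructed sample assessment (invented for this example).
const sampleAssessment = {
  businessAssets: [
    { id: 'BA1', name: 'Customer PII', confidentiality: 5, integrity: 3, availability: 2 },
  ],
  supportingAssets: [
    { id: 'SA1', name: 'Customer database', supports: ['BA1'] },
  ],
  risks: [
    { id: 'R1', supportingAsset: 'SA1', threatAgent: 'external attacker',
      vulnerability: 'SQL injection in search endpoint', property: 'confidentiality', likelihood: 4 },
    { id: 'R2', supportingAsset: 'SA1', threatAgent: 'hardware failure',
      vulnerability: 'no tested backups', property: 'availability', likelihood: 2 },
  ],
};

// Reject out-of-range or non-integer ratings instead of silently scoring them.
function checkScale(value, label) {
  if (!Number.isInteger(value) || value < SCALE_MIN || value > SCALE_MAX) {
    throw new RangeError(`${label} must be an integer in ${SCALE_MIN}..${SCALE_MAX}, got ${value}`);
  }
}

// Impact of compromising a supporting asset is the highest value, for the
// affected security property, among the business assets it supports.
function impactOf(assessment, supportingAssetId, property) {
  const sa = assessment.supportingAssets.find((a) => a.id === supportingAssetId);
  if (!sa) throw new Error(`unknown supporting asset ${supportingAssetId}`);
  const values = sa.supports.map((baId) => {
    const ba = assessment.businessAssets.find((b) => b.id === baId);
    if (!ba) throw new Error(`unknown business asset ${baId}`);
    checkScale(ba[property], `${baId}.${property}`);
    return ba[property];
  });
  return Math.max(...values);
}

// Assumed treatment bands over the likelihood x impact product (1..25),
// mapped onto the ISO 27005 treatment options.
function suggestTreatment(score) {
  if (score >= 15) return 'modification';          // reduce it; avoid the activity if no control is feasible
  if (score >= 6) return 'modification or sharing'; // reduce it or share it (contract, insurance)
  return 'retention';                               // accept it and record it in the risk register
}

function scoreRisk(assessment, risk) {
  checkScale(risk.likelihood, `${risk.id}.likelihood`);
  const impact = impactOf(assessment, risk.supportingAsset, risk.property);
  const score = risk.likelihood * impact;
  return { id: risk.id, likelihood: risk.likelihood, impact, score, treatment: suggestTreatment(score) };
}

// Rank all risks, highest first, so treatment effort goes where it matters.
function rankRisks(assessment) {
  return assessment.risks.map((r) => scoreRisk(assessment, r)).sort((a, b) => b.score - a.score);
}

// Residual risk after a control that lowers likelihood (treatment option: modification).
function residualRisk(assessment, risk, likelihoodAfterControl) {
  return scoreRisk(assessment, { ...risk, likelihood: likelihoodAfterControl });
}

console.log(JSON.stringify(rankRisks(sampleAssessment), null, 2));
console.log(JSON.stringify(residualRisk(sampleAssessment, sampleAssessment.risks[0], 1)));
```

The residual-risk call is the step a reviewer checks when a "modification" treatment is proposed: the control must bring the score into a band the project is willing to retain, and the re-scored risk, not the original, is what goes into the risk register.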
Just download the zip file for your platform, unzip it and execute `sratool` or `SRATool`, depending on your platform. The tool is generic enough to be used by any organization, but some of the items may be specific to Thales DIS; in that case `json-schema.js` should be adapted to your organization's needs.
To install and use the tool, the following prerequisites are required:
For developers that wish to configure the tool for their specific needs, the application defaults can be configured as shown below:

```js
const config = {
  appVersion: '1.2.0',
  classification: '',
  organizations: ''
};
```
```bash
git clone git@github.com:ThalesGroup/software-risk-assessment-tool.git
cd software-risk-assessment-tool
```

In both the `app` and `lib` directories:

```bash
npm install
npm update
```

Then, in the `app` directory:

```bash
npm start
```
## Test ##
Executes all test files within the `test` folder of `lib`:

```bash
npm run test
```
## API documentation ##
Generates the API documentation for `lib`:

```bash
npm run jsdoc
```
## Packaging and distribution ##
The packaging for distribution uses `electron-builder`.
### Prerequisites
You need to have prepared your development environment beforehand by following the developer installation steps. You also need to ensure that the directory `dist` under `app` does not exist.
Then run the following command in the `app` directory:

```bash
npm install electron-builder
```

To create packages for Linux, macOS and Windows, you must build them on an Apple Mac machine; otherwise only the host platform target is created.
### Packaging
To create the packages for the host platform, run from the `app` directory:

```bash
npm run dist
```

For all-platform packaging, run from the `app` directory:

```bash
npm run dist-all
```

The output files are written to the `dist` directory.
## Documentation
Documentation for lib is available at [lib/doc/index.html](lib/doc/index.html).
## Contact
* Carl Eric Codere and Sebastien Petit are currently overseeing the project in Thales DIS
## Credits
* Frederic Paillart, who managed the initial version of the tool using InfoPath.
* Megan Liow for the initial port to Electron.
* Alvin Siah for the major improvements to the Electron version.
* Sun Fang, who reviewed and helped us improve the JSON Schema.
* Thomas Delplanque, who improved error management and corrected several issues.
* Everyone else, including Philippe Biton, Frank Converset, Antoine Galland, Patrick George, Karen Lu, Sebastien Petit and Petr Skripal, who improved, commented on and/or worked on the ISRA methodology over the years.
Since this methodology has been used internally for several years, we may have missed some contributors; our apologies if that is the case.
## Contributing
If you are interested in contributing to the ISRA software-risk-assessment-tool project, start by reading the [Contributing guide](/CONTRIBUTING.md).
## License
The license chosen in accordance with the legal department must be defined in an explicit [LICENSE](https://github.com/ThalesGroup/template-project/blob/master/LICENSE) file at the root of the repository.
You can also link that file from this README section.