What's new with the SimpleRisk 20200328-001 and 20200401-001 releases?
by Josh Sokol (Creator & CEO of SimpleRisk)

For nearly four months, we have been hard at work preparing for our next major feature release.  Those features officially went live with our 20200328-001 release.  As we began to roll it out to customers, however, we ran into a handful of bugs that we didn't feel comfortable moving forward with.  The next three days were all hands on deck while we focused on bug fix and testing to make sure that the release was something that we could be proud of.  Finally, we released an updated 20200401-001 release that included all of the features of the prior release, but with fewer bugs.  What follows is a description of all of the new features, bug fixes, and security fixes that were included in these two releases.

SimpleRisk Core

The single biggest enhancement in the 20200328-001 release is with the Dynamic Risk Report.  In our previous releases, your filtering was limited to sites/locations, assets, or tags.  Now, you'll see that each column you add will have an associated way to filter the data in that column.  In the example below, the ID and Subject fields allow you to enter text to filter results, the Status is a multi-select dropdown, enabling you filter for specific values, and the Inherent and Residual Risk columns allow you to enter numeric qualifiers to filter the data.  Each of these filters work in tandem with each other, meaning you can now create a truly dynamic risk report.

Dynamic Risk Report Header Filtering

We also realized that the selections at the top of the report were beginning to drown out the report itself.  To fix this, we simplified the display of the selections into three expandable sections.  One for Grouping and Filtering, one for Columns, and one for the saved reports.

Dynamic Risk Report Selections

Other new functionality added into the SimpleRisk Core with this release includes:

  • Added a new audit log type for user events
  • The Risks and Assets report now includes the risk's locations/teams in the row instead of the asset's locations/teams.
  • Group names are now included on the Assets by Risk report in brackets.
  • The Audit Trail now includes an entry when a framework is deleted.
  • After adding a test to a control, you are now brought back to the same place you were when you clicked "Add Test".
  • Changing user permissions while a session is open will now immediately take effect without the need to logout.
  • Added the ability to control whether the "High Risk Report" is based on the Inherent or Residual risk score.
  • Added a new health check to see if an Extra is compatible with the SimpleRisk instance version.
  • Added a new health check to see if an instance is running the most recent version of an Extra.
  • Added a new health check to check for proper MySQL database user permissions.
  • Sorted the "Mitigation Controls" dropdown when planning a mitigation in alphabetical order.

There were a number of bugs that were also addressed in this release:

  • Fixed an issue in the Risks and Assets report where assets that were part of an asset group were not displayed when the asset was assigned to a risk and the asset group was not.
  • Fixed a bug where using the "Group By" feature on the Dynamic Risk Report would show both a column header and footer when that was not necessary.
  • Updated a function that caused an error when the SimpleRisk Base URL was not set.
  • Fixed a bug when updating your user profile language while selecting "--".
  • Fixed a bug where users would not receive password reset emails without setting the simplerisk_base_url value.
  • Fixed an issue where MySQL instances with STRICT_TRANS_TABLES enabled would throw an error if too many characters were entered into the Compliance related fields.
  • Fixed a bug where the risk levels for "Custom" Classic Risk scoring were not being set properly.
  • Removed Control Regulation from Add and Remove Values as this is now managed through the Governance section of SimpleRisk.
  • Fixed a UI bug that would occur when a Framework's name was too long.
  • Fixed an issue where reporting with Risks and Assets would cause an incorrect maximum quantitative loss when an asset group was attached to a risk.
  • Fixed a bug that was causing the Site/Location and Asset Valuation for assets to not accept new changes.
  • Fixed various issues that occur when SimpleRisk is run from a sub-directory of the virtualhost's web root.
  • Fixed a bug where all pages were making unnecessary calls to the SimpleRisk update server.
  • Fixed a bug where circular references could be made for Frameworks using parent/child associations.
  • Fixed undefined index errors on the Risk and Controls report.
  • Fixed a bug where the Contributing Risk popup window was named "SimpleRisk OWASP Calculator" instead of "SimpleRisk Contributing Risk Calculator".

Security fixes included with this release include:

  • Added the ability to set SimpleRisk to make requests via a proxy through the SimpleRisk UI under the "Security" tab in Configure -> Settings.
  • Fixed multiple XSS vulnerabilities.
  • Fixed multiple SQL injection vulnerabilities.
  • Open sessions are now immediately invalidated when a password is reset.
  • When account lockouts occur, any active sessions from that account are also invalidated.

SimpleRisk Extras

The SimpleRisk Extras are the paid for functionality that extend the features of the SimpleRisk Core.  This release included one major new addition to our SimpleRisk Extra arsenal as well as some new functionality and bug fixes:

ComplianceForge SCF Extra:

  • Changed the user interface for enabling and disabling frameworks.
  • Added functionality to dynamically download the current ComplianceForge SCF release and update SimpleRisk with the new controls and mappings.

Jira Extra:

  • Moved the Jira Extra to a production release state.

Risk Assessment Extra:

  • Added a new "Fill in the Blank" question type.
  • Added the ability to send questionnaires to existing SimpleRisk users in addition to Assessment Contacts.

Email Notification Extra:

  • Fixed an issue where email notifications were not sent with risk closures.

Custom Authentication Extra:

  • Added the ability to add a manager attribute through LDAP to the account created in SimpleRisk.
  • Added the ability to specify display name, email address, and manager username value attributes for SAML authentication.
  • Updated SAML authentication to handle when strict_user_validation is turned off.

Upgrade Extra:

  • Continuing to move closer to a true "one-click" upgrade process.

Customization Extra:

  • Added an option to have results in a single-select or multi-select dropdown displayed in alphabetical order.
  • Added a new "Hyperlink" custom field that allows users to create clickable hyperlinks in their templates.

Import-Export Extra:

  • Fixed a bug with importing existing assets with updated custom fields.
  • Fixed a bug where the "Export to XLS" button did not work in the Dynamic Risk Report unless a subject column was selected.
  • Added the "Date Closed" column for risk exports.
  • Added the ability to import a Mitigation Submission Date value.
  • Updated import mappings to store custom fields.
  • Added "Additional Stakeholders" to imports.