The SimpleRisk 20220106-001 release is a major revision of SimpleRisk to be compatible with PHP 8. This release also means that we no longer support PHP 7 and users will need to upgrade before they can proceed with the update. This release also introduces MFA to SimpleRisk Core and Google Authenticator support.
This release includes new authentication features:
- Added TOTP MFA to SimpleRisk Core available for all users.
- Introduced Google Authenticator support.
There were additional usability changes as well:
- Updated utf8 conversion to use utf8mb4 instead of utf8mb3.
- Introduced a new asset management page replacing the old add/manage pages. This should allow the system to handle a much larger volume of assets as well as make the editing process easier.
- Alphabetized the list of control frameworks in Governance on the Controls tab.
- Improved connection handling by centralizing calls to run through the same processor.
- Added the ability to turn off SSL cert checks on the host machine as well as client machines.
We made security updates including:
- PHP 8 Support has been fully rolled out. Users will need to update to PHP 8 to run this version of SimpleRisk.
- Fixed an issue where some assessment endpoints could be accessed by a user who lacks the permission to do so. This still required the person to have an active, valid login to SimpleRisk.
This release included fixes for the following bugs:
- Fixed a bug where systems with a PHP memory limit of 1GB or above would be misrepresented as having insufficient memory allotted.
- Fixed an issue where deleting a test did not delete the mapped tag entries.
- Fixed an issue where the likelihood and impact report was not working.
- Fixed an issue where the labels on the Risk Advice pyramid chart did not display correctly.
- Fixed an issue where custom maturity level names would break the control gap analysis report.
- Fixed an issue that could result in controls being stored as non-utf8 characters.
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release targets bugs that made it through the major updates to Import-Export as well as patching a bug and updating the Compliance Forge SCF extra.
The full list of updates to Extras is as follows:
Compliance Forge SCF
- Import-Content repo now has a link to the SCF files
- SCF file is loaded via PHPSpreadsheet directly from the original SCF xlsx
- SCF now tracks the version installed
- Improved performance by adding asynchronous calls where possible
- Fixed the messaging while enabling/disabling/selecting frameworks
- Made all calls to web services so the page doesn't time out
- Added debug logging
- Fixed issues where running the SCF update didn't update existing controls or their mappings
- Added all calls through the new connectivity processor
Risk Assessment Extra
- Fixed an issue where a function to delete assessment keys was called but not defined.
- Fixed an issue where projects assigned while creating a questionnaire would not append to the generated pending risks from that assessment.
- Fixed an issue where sub-questions would appear even with question logic disabled as long as there has been a sub-question previously.
- Added audit trail messages for when a template is edited.
- Updated asset import logic to only update the asset name order once the import completed (if encryption is activated).
- Fixed an issue where if the user permission column was not mapped it would halt the import. System will not assign the default role and default permissions accordingly when this field is not mapped.
- Fixed an issue where users could not install frameworks and assessments from the Content menu.
Vulnerability Management Extra
- Added support for Qualys VM tool.
- Fixed an issue where Nexpose could halt due to an array offset with tags.