SimpleRisk Core
The SimpleRisk 20221006-001 release is one of our largest releases to date in terms of sheer development hours. This release includes completely new additions, such as the ability to schedule questionnaires to recur and to automatically send questionnaire results to pre-selected individuals upon completion. We also expanded the number of fields supporting rich text and made other usability enhancements along the way.
This release includes a handful of new Core features:
- Added a rich text editor to the Asset Details field in Asset Management -> Add & Delete Assets.
- Added a rich text editor to the Comments field in Risk Management -> Perform Reviews.
- Added a rich text editor to the Current Solution, Security Requirements and Security Recommendations fields in Risk Management -> Plan Mitigation.
- Added a rich text editor to the Risk Assessment and Additional Notes fields in Risk Management -> Submit Risk.
- Added a rich text editor to the Objective, Test Steps and Expected Results fields in Compliance -> Define Tests.
- Added a rich text editor to the Exception Description and Justification fields in Governance.
- Added a rich text editor to the Control Description and Supplemental Guidance fields in Governance.
The following changes were made to improve the user experience:
- Updated the Risk Average over time to update when a risk closes.
- Added the display for the Control details back to the Audit Test details page when entering results.
- Added a “Last Reviewed By” column option to the Dynamic Risk Report.
A few vulnerability fixes and changes were made this cycle to better secure SimpleRisk:
- Fixed a broken access control issue in the create_asset_api function.
- Fixed a broken access control issue in the delete_asset_api function.
- Added a limit to authentication attempts after multiple MFA failures.
- Added a time limit between Test Email sends.
- Updated 2 fields to prevent Stored XSS in Governance.
- Closed a path allowing an attacker to inject JavaScript into a page.
- SimpleRisk will now invalidate all current sessions when a password reset is completed.
- Fixed a CSRF issue involving the Password Reset page.
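Two of the hardening items above, the MFA attempt limit and the invalidation of all sessions when a password reset completes, are easier to reason about with a concrete model. The following is an added example written for these notes; it is not SimpleRisk's code, and the threshold, lockout window, session layout and `AuthStore` class are all assumptions constructed for illustration. State is kept in memory so it runs offline.

```python
"""Added illustration (not SimpleRisk code) of two behaviours from the
release notes: temporarily locking MFA after repeated failures, and revoking
every active session when a password reset completes."""
import secrets
import time
from dataclasses import dataclass, field

MFA_MAX_FAILURES = 5        # assumed threshold; the real value is not stated on the page
MFA_LOCKOUT_SECONDS = 900   # assumed lockout window


@dataclass
class Account:
    username: str
    password_hash: str              # constructed placeholder; use a real KDF in practice
    mfa_failures: int = 0
    locked_until: float = 0.0       # epoch seconds until which MFA is refused
    sessions: set = field(default_factory=set)


class AuthStore:
    """Hypothetical in-memory account and session store."""

    def __init__(self):
        self.accounts = {}
        self.session_owner = {}     # session token -> username; absence means revoked

    def add_account(self, username, password_hash):
        self.accounts[username] = Account(username, password_hash)

    def create_session(self, username):
        token = secrets.token_hex(16)
        self.accounts[username].sessions.add(token)
        self.session_owner[token] = username
        return token

    def session_valid(self, token):
        return token in self.session_owner

    def verify_mfa(self, username, submitted_code, expected_code, now=None):
        """Return 'ok', 'wrong' or 'locked'. While locked, even a correct
        code is refused, so the lockout cannot be brute-forced through."""
        now = time.time() if now is None else now
        acct = self.accounts[username]
        if now < acct.locked_until:
            return "locked"
        if secrets.compare_digest(submitted_code, expected_code):
            acct.mfa_failures = 0
            return "ok"
        acct.mfa_failures += 1
        if acct.mfa_failures >= MFA_MAX_FAILURES:
            acct.locked_until = now + MFA_LOCKOUT_SECONDS
            acct.mfa_failures = 0
            return "locked"
        return "wrong"

    def complete_password_reset(self, username, new_password_hash):
        """Store the new credential and drop every session the account held,
        so a session established before the reset cannot outlive it.
        Returns the number of sessions revoked."""
        acct = self.accounts[username]
        acct.password_hash = new_password_hash
        for token in acct.sessions:
            self.session_owner.pop(token, None)
        revoked = len(acct.sessions)
        acct.sessions.clear()
        return revoked


def demo():
    """Walk through both behaviours with constructed data."""
    store = AuthStore()
    store.add_account("alice", "hash-before")        # constructed values
    first = store.create_session("alice")
    second = store.create_session("alice")
    t0 = 1_000_000.0
    outcomes = [store.verify_mfa("alice", "000000", "123456", now=t0)
                for _ in range(MFA_MAX_FAILURES)]
    still_locked = store.verify_mfa("alice", "123456", "123456", now=t0 + 1)
    after_wait = store.verify_mfa("alice", "123456", "123456",
                                  now=t0 + MFA_LOCKOUT_SECONDS)
    revoked = store.complete_password_reset("alice", "hash-after")
    return {
        "outcomes": outcomes,
        "still_locked": still_locked,
        "after_wait": after_wait,
        "revoked": revoked,
        "sessions_valid": [store.session_valid(first), store.session_valid(second)],
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the lockout check happens before the code comparison, so a correct code submitted during the lockout window is still refused, and that session revocation is keyed off the account rather than the requesting browser, so sessions on other devices are dropped too.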
This release included fixes for the following bugs:
- Fixed a bug where the Risk Trend report would run machines out of memory when a submission date of 0001-01-01 was entered. Records from pre-1970 will no longer count towards the trend report.
- Fixed a bug where users were unable to edit the Close Reason “Rejected” in Add and Remove Values.
- Fixed a bug where users could not enter data into pop-up fields within rich text fields, such as when inserting a hyperlink. This now works as intended.
- Fixed an alignment issue on the Risk Details display page. Columns and fields should align better now.
- Fixed a bug where closing a risk that had been previously re-opened would not update the close reason when looking at the Risk Dashboard Close Reason chart.
- Updated Dynamic Risk Report to handle multi-value Risk Category entries.
- Fixed an issue where high-volume instances were unable to view the Plan Mitigations page consistently.
- Fixed an issue where high-volume instances were unable to view the Review Regularly page.
- Fixed an issue where high-volume instances were unable to view the Perform Reviews page.
- Fixed an issue where assets connected to teams that were deleted were not properly updated to remove this association.
- Fixed an issue where Risk Mappings that contained a “,” would break.
- Fixed a bug where the default role checkbox did not properly reflect the status of the option but did save the selection.
- Fixed an issue where the Default Role dropdown value did not affect the system as intended.
- Fixed an issue causing timezones to not be reflected properly in the date closed field.
- Fixed a bug causing an asset name lookup function to always return false, so the resource was never located.
- Fixed a bug where clicking the "+" on the Submit Risk page to add another tab duplicated the Risk Mapping and Threat Mapping. All available templates are now listed at the top from the start.
- Fixed an issue where the audit trail could not properly reflect a change in user type.
- Fixed an issue in the Risk and Assets report where the project filter did not work as intended.
- Fixed an issue where filtering on the Review Regularly page would send a request on every keypress.
- Fixed an issue where filters on the Document Program did not function properly between tabs.
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release targets bugs that made it through the major updates to Import-Export, as well as patching a bug in and updating the ComplianceForge SCF extra.
The full list of updates to Extras is as follows:
Custom Authentication Extra
- Updated SimpleSAML libraries to remove compatibility issues.
- Fixed an issue where users could not download MetadataXML from the SimpleRisk SP.
Import/Export Extra
- Fixed an issue where XLS exports were not properly sanitized.
- Updated import asset function to handle controls.
- Fixed an issue where control Test Dates would not be updated when importing.
- Fixed an issue where Risk import update would not update mitigations if there wasn’t a change to a field that was previously empty.
- Fixed an issue where fields with multiple display names could not be updated via import.
- Fixed an issue where importing a new close reason would not be saved unless the status was also in the process of being changed to close from another status.
Notification Extra
- Fixed an issue where saving emotes in notification templates would cause the templates to be lost. Emotes can now be used safely in notification templates.
Vulnerability Management Extra
- Fixed a bug where tables were not created if a VM tool was enabled after the VM Extra was activated.
Risk Assessment Extra
- Fixed an issue where a user who was added to the Assessment Contacts field and then removed would not be added back to the list.
- Fixed an issue where certain users could not generate assessments from SCF frameworks.
- Added new permissions to the Risk Assessment Extra, allowing granular control of users' access to the various functionality in the extra.
- Fixed an issue where sub-questions would not be removed from the page if the answer given was retracted.
- Fixed an issue where multi-choice questions would not trigger multiple sub-templates.
- Updated display logic for multiple selected mapped controls.
- Fixed an issue displaying comparisons between multi-choice questions.
- Added a new option to automatically send the results of questionnaires to predetermined contacts upon completion.
- Fixed an issue where fill in the blank answers would show a multiple choice bubble.
- Added the ability to schedule recurring assessments, with the ability to set how many days after an assessment was sent it should recur.
- Added a new notification for the Risk Assessment extra that sends a reminder every _ days to both the contact and the contact's manager, letting them know the assessment has not been completed. The contact receives a link to complete it; the contact's manager receives a link to the questionnaire on the questionnaire results page.
Incident Management Extra
- The system will now set the time along with the date for start_date and detection_date.
- You may no longer create playbooks with empty names.
- Fixed an issue where the “Start Date” and “Detection Date” columns would not sort properly when clicking their headers.