At SimpleRisk, we typically focus on four major releases a year that roughly align with the end of the calendar quarter. The SimpleRisk 20191130-001 release was not intended to be a full feature release, like those others, and instead primarily focused on fixing various bugs and newly discovered security issues from the 20190930-001 release, but also included a handful of new features and integrations for our brand new Jira Extra currently in Beta.
New functionality added into the SimpleRisk Core with the 20191130-001 release include:
- Added a selection to view the Date Closed value on the Dynamic Risk Report.
- Updated existing multi-select dropdowns to be searchable and scrollable.
- Added the ability to search tags when filtering by tags in the Dynamic Risk Report.
- Added a new filter on the Compliance Active Audits page that allows you to filter based on the "Test Name" column.
- Added a new filter on the Compliance Past Audits page that allows you to filter based on the "Test Name" column.
- Added a new "Actions" column in the Audit Timeline report enabling the user to initiate a new audit of the test, view active audits of the test, or view past audits of the test directly from the page.
- Updated the Team field for assets to be a multi-select dropdown.
- Updated the "Associated Frameworks" under the Audit Timeline report so that only active frameworks are displayed.
- Added the ability for a user to select any document type as a parent in the Document Hierarchy on the Governance page.
- Removed the ability to create a risk subject with only whitespace characters.
- Removed the "report requires PHP >= 5.5" message if you are running PHP >= 5.5.
- Added a health check to detect an outdated version of PHP.
There were a number of bugs discovered in the 20190930-001 SimpleRisk release that were addressed in the 20191130-001 release:
- The missing "Initiate Test" functionality was added back to the Initiate Audits page.
- Fixed an issue where the pop up menus were no longer able to be scrolled through.
- Fixed an issue where filtering by an asset or asset group in the Dynamic Risk Report did not work.
- Fixed an issue where you could not make a tag that contained spaces in it.
- Fixed an issue where you could not sort by Residual Risk Score in the Dynamic Risk Report after grouping by risk level.
- Fixed an issue where the Dynamic Risk Report did not properly group by risk level when using custom risk level names.
- Fixed an issue where changing tabs in the Configure -> Settings menu caused the Risk Appetite slider to disappear until the page is refreshed.
- Fixed an issue where the "All" button on the Risk Appetite Report did not expand to show all risks under the selected tab.
- Fixed a spelling issue for "Mitigation Supporting Documenttation" under the Mitigation tab in the Configure, Extras, and Customization menus.
Security fixes included with the 20191130-001 release include:
- Added additional code to prevent a time-based account enumeration attack on login.
- Fixed a CSRF vulnerability with the new one-click-upgrade functionality.
- Fixed a SQL Injection vulnerability with audit trail logs.
- Fixed a Stored XSS vulnerability with the new risk appetite functionality.
- Fixed a Stored XSS vulnerability with the Frameworks and Controls tabs.
- Fixed an issue where any user could access the list of Framework Controls.
- Fixed an issue where an unprivileged user could change the risk levels.
The SimpleRisk Extras are the paid for functionality that extend the features of the SimpleRisk Core. This release included one major new addition to our SimpleRisk Extra arsenal as well as some new functionality and bug fixes:
- Added a Beta release of our brand new Jira Extra that will enable two-way synchronization of risk, mitigation, and review data between a Jira instance and SimpleRisk.
Risk Assessment Extra:
- Created a new "Control Audit" button when viewing a questionnaire result that will show all controls mapped to the question asked, their associated frameworks, and whether the answer was a "Pass" or "Fail".
- Made it so that each time a pending risk is accepted it did not reload the entire page.
- Fixed an issue where you would receive a datatables error if you added a text filter for questionnaire questions and select a filter template.
Email Notification Extra:
- Fixed an issue where the scheduled reporting section of the Notification Extra would send e-mails to users it should not send emails to.
- Fixed an issue where the Upgrade Extra would throw an error regarding undefined available_extras when attempting to upgrade even if no upgrade was needed.
- Added an API query to update the values of a risk.
- Fixed an issue in the API Extra when attempting to create a new API key for a user.
- Fixed an issue where required asset fields would inhibit database upgrades.
- Added support for asset groups to Tenable and Rapid7 integrations.
- Fixed an issue where you could not import fields set to be encrypted using the Customization Extra.