The SimpleRisk 20210305-001 release is the first of many releases to come for us that will change how we do things here at SimpleRisk. Rather than aiming for a release once a quarter, our goal is to start building features and releasing them in a more agile way. Several months back, we onboarded a Senior DevSecOps Engineer to help us to re-architect our release process to automate many of the pieces that currently require manual efforts. In doing so, we've also built a platform that provides consistency in delivery along with features like vulnerability scanning, code quality checks and open source license detection. As this new pipeline is built out, you can expect us to use it to deliver smaller pieces of functionality on a more frequent cadence.
Now that we have that out of the way, let's talk about the features we introduced with this release. The biggest addition in this release is the ability to define a "Current Control Maturity" and a "Desired Control Maturity" value for each control. Similar to what you find in CMMI, we use six different maturity levels to represent the existing and desired levels of maturity for each of your controls.
We've also added a brand new "Control Gap Analysis" report which provides higher-level context around these control maturity selections. Once you select one of your enabled control frameworks, the top of the page displays a spider chart showing the differences between your average current and desired maturity levels across each control family:
This helps to identify areas where you are doing well as well as areas where you could use some improvement. For example, in the sample image above, we can tell that our organization has a significant level of maturity in Asset Management that goes well beyond our desired maturity state, while our Secure Engineering & Architecture practices leave a lot to be desired. Underneath that spider chart, you will see a breakdown of all of your controls in this framework categorized into "Below Maturity", "At Maturity" and "Above Maturity". This helps us to home in on exactly which controls we should be looking to improve upon:
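To make the report's arithmetic concrete, here is an added example (not SimpleRisk's own code) of the two computations described above: per-family averages of current and desired maturity, which feed the spider chart, and the per-control sort into "Below", "At" and "Above Maturity". The 0..5 level numbering and names, the control names, families and values are all constructed for this example.

```python
from statistics import mean
from typing import Dict, List

# Six maturity levels, CMMI-style. The 0..5 numbering and names are an
# assumption for this example; SimpleRisk's own labels may differ.
MATURITY_LEVELS = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned and Tracked",
    3: "Well Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}

# Constructed sample controls for one framework: each has a control family,
# a current maturity and a desired maturity (both values 0..5).
SAMPLE_CONTROLS = [
    {"name": "AM-1", "family": "Asset Management", "current": 5, "desired": 3},
    {"name": "AM-2", "family": "Asset Management", "current": 4, "desired": 3},
    {"name": "SEA-1", "family": "Secure Engineering & Architecture", "current": 1, "desired": 4},
    {"name": "SEA-2", "family": "Secure Engineering & Architecture", "current": 2, "desired": 4},
    {"name": "IR-1", "family": "Incident Response", "current": 3, "desired": 3},
]


def validate_level(level: int) -> int:
    """Reject values outside the six defined maturity levels."""
    if level not in MATURITY_LEVELS:
        raise ValueError(f"maturity level must be one of {sorted(MATURITY_LEVELS)}, got {level!r}")
    return level


def classify_control(current: int, desired: int) -> str:
    """Place one control in the Below/At/Above Maturity bucket."""
    current, desired = validate_level(current), validate_level(desired)
    if current < desired:
        return "Below Maturity"
    if current > desired:
        return "Above Maturity"
    return "At Maturity"


def family_averages(controls: List[dict]) -> Dict[str, Dict[str, float]]:
    """Average current and desired maturity per control family (the spider chart data).
    'gap' is current minus desired: negative means the family is below its target."""
    per_family: Dict[str, List[dict]] = {}
    for control in controls:
        per_family.setdefault(control["family"], []).append(control)
    result: Dict[str, Dict[str, float]] = {}
    for family, members in per_family.items():
        avg_current = mean(validate_level(c["current"]) for c in members)
        avg_desired = mean(validate_level(c["desired"]) for c in members)
        result[family] = {"current": avg_current, "desired": avg_desired, "gap": avg_current - avg_desired}
    return result


def gap_analysis(controls: List[dict]) -> Dict[str, List[str]]:
    """Group control names into the three buckets shown under the spider chart."""
    buckets: Dict[str, List[str]] = {"Below Maturity": [], "At Maturity": [], "Above Maturity": []}
    for control in controls:
        buckets[classify_control(control["current"], control["desired"])].append(control["name"])
    return buckets


if __name__ == "__main__":
    for family, stats in family_averages(SAMPLE_CONTROLS).items():
        print(f"{family}: current {stats['current']:.1f}, desired {stats['desired']:.1f}, gap {stats['gap']:+.1f}")
    for bucket, names in gap_analysis(SAMPLE_CONTROLS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

With the constructed data, Asset Management averages 4.5 current against 3.0 desired (above target), Secure Engineering & Architecture averages 1.5 against 4.0 (below), and the two SEA controls are the ones that land in "Below Maturity", which is the list a practitioner would prioritise.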
Other new features in this release which were added to enhance SimpleRisk's usability include:
- Added the ability to filter columns in the Active Audits table so that they may be searched and filtered the same way the Dynamic Risk Report works.
- Added the ability to filter by control name on the Define Tests menu of Compliance.
- Added the ability to filter by control family on the Define Tests menu of Compliance.
- When exporting to XLS via the Dynamic Risk Report, all filters and configurations are now respected.
- When using the printer-friendly version of the Dynamic Risk Report, column filters will now affect the generated document for printing.
- Added the Mitigation Percent field to the mitigation columns available for display in the Dynamic Risk Report.
- Added a last review date field to the Governance Document Program to bring its feature set in line with other repeating tasks in SimpleRisk.
- Added a field for Team to the Document Program.
- Level of Mitigation effort now sorts based on magnitude and no longer alphabetically.
- Updated the Asset Selection widget to show available items on the left and selected items on the right.
- Updated the OWASP Risk Scoring methodology so that the resulting risk score is reflective of their specification for Overall Risk Severity.
- Updated the Risk Catalog to match the latest from ComplianceForge.
- Added the Threat Catalog from ComplianceForge.
This release also included the following bug fixes for the SimpleRisk Core:
- Added Assessment Uploads to the Fix Encoding page. Now any broken attached files to assessments will be identified so they may be replaced. This only applies to files uploaded in version 20201005-001.
- Fixed a bug where the default custom display settings for a user would be empty.
- Fixed an issue where enabling extras in a specific order could generate an error.
- Fixed an issue where users could create a mitigation for a risk that does not exist.
- Fixed an issue where updating a risk could set the submission date to 00:00 of the current day.
- Fixed an issue where using the sorting function on the comment section of the Dynamic Risk Report did not function as intended.
- Fixed a bug where the risk appetite report would be affected by closed risks.
- Fixed a bug where Next Review Date in the Document Program did not respect the configured date format.
Lastly, we enhanced the SimpleRisk Core with the following security changes:
- Fixed an issue where users could add projects to the system without the correct privilege to do so when executing a review or adding a risk after an assessment.
- When admins change a user's Role or Permissions, the changes will now take effect immediately instead of when the next session is set.
- Disabling a user now immediately destroys their session.
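The last two items address the same class of weakness: authorization state cached in a session outlives the decision that should revoke it. Below is an added example (not SimpleRisk's code; the class and method names, the in-memory user store and the token scheme are all assumptions) contrasting the two designs. `CachedRoleSessions` copies the role into the session at login, so a role change or a disable is invisible until the next login; `LiveRoleSessions` stores only the identity, re-reads role and enabled state on every request, and destroys all of a user's sessions the moment the account is disabled.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    role: str
    enabled: bool = True


class UserStore:
    """Stand-in for the users table: the authoritative record of role and enabled state."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        self._users[user.username] = user

    def get(self, username: str) -> Optional[User]:
        return self._users.get(username)

    def set_role(self, username: str, role: str) -> None:
        self._users[username].role = role

    def disable(self, username: str) -> None:
        self._users[username].enabled = False


class CachedRoleSessions:
    """Pre-fix behaviour: the role is copied into the session at login and never re-read,
    so an admin's change (or a disable) is not seen until the user logs in again."""

    def __init__(self, users: UserStore) -> None:
        self.users = users
        self.sessions: Dict[str, dict] = {}  # token -> {"username", "role"}

    def login(self, username: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.enabled:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"username": username, "role": user.role}
        return token

    def role_for(self, token: str) -> Optional[str]:
        session = self.sessions.get(token)
        return session["role"] if session else None


class LiveRoleSessions:
    """Post-fix behaviour: the session holds only the identity; role and enabled state are
    read from the user store on every request, and disabling a user destroys its sessions."""

    def __init__(self, users: UserStore) -> None:
        self.users = users
        self.sessions: Dict[str, str] = {}  # token -> username

    def login(self, username: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.enabled:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def role_for(self, token: str) -> Optional[str]:
        username = self.sessions.get(token)
        if username is None:
            return None
        user = self.users.get(username)
        if user is None or not user.enabled:
            # Defensive second check: even if disable_user() was bypassed, a disabled
            # account never resolves to a role and its session is dropped here.
            self.sessions.pop(token, None)
            return None
        return user.role

    def disable_user(self, username: str) -> int:
        """Disable the account and immediately destroy every session it owns.
        Returns the number of sessions destroyed."""
        self.users.disable(username)
        stale = [tok for tok, owner in self.sessions.items() if owner == username]
        for tok in stale:
            del self.sessions[tok]
        return len(stale)
```

The per-request lookup costs one read of the user record, which is cheap next to the alternative of a removed user keeping their old privileges for the remainder of a session. The check inside `role_for` matters even with `disable_user` in place, since an account may be disabled through another path (a direct database change, an import) that never calls it.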
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release included a ton of new functionality and bug fixes to our SimpleRisk Extras:
- Fixed an XSS vulnerability in the Customization Extra's Asset Field Name.
- Fixed an issue where, after a risk mapping was removed, it could no longer be restored to its original placement.
- Fixed an issue where custom fields would not sort properly in the Dynamic Risk Report.
- Fixed an issue where users could encounter an undefined index error when submitting a new tag with a risk assessment questionnaire question.
- Added the ability to export the list of users currently in SimpleRisk along with their roles, permissions and teams.
- Added the ability to import a list of users along with their roles, permissions and teams.
- Added the NIST 800-171 Controls to the one-click framework installation option.
- When exporting XLS from the Dynamic Risk Report, all filters are now respected in the generated export.
- When creating a printable version of the Dynamic Risk Report, the column filters are now reflected in the printed version.
- Fixed an issue where importing control frameworks from GitHub was not properly capturing the framework_id.
- Added the ability to map mitigating controls when importing risks.
- Fixed an issue where Close Reason could not be null when importing risks.
- Updated the user interface to use twisties to hide the details of notifications.
- Made improvements to the notification of document reviews and fixed an issue where users would not receive them at the configured time.
- Fixed an issue where notify on review and notify on close settings were not functioning.
- Added new configurations for document exception notifications to bring it in line with other scheduled notifications.
- Fixed an issue that would cause an error to be logged when submitting risks with this extra.