The SimpleRisk 20211230-001 release includes the ability for admin users to now manage private reports of users in the Dynamic Risk Report. They will now see all private saved selections and the users they belong to when viewing saved selections in the Dynamic Risk Report.
We have also revamped the way the Dynamic Risk Report functions on the back end to drastically reduce load times for SimpleRisk instances with a large volume of risks in the database.
We also introduced several security fixes in SimpleRisk which include:
- Fixed a SQL injection vulnerability in the Risk Assessments Extra. This was only exploitable by a user with direct access to SimpleRisk and did not affect any of the pages sent to third parties via the Risk Assessment Extra.
- Fixed a SQL injection vulnerability in the Reporting section.
- Fixed a SQL injection vulnerability in the Risk Management section.
- Fixed a broken access control on a mitigation function.
- Fixed an issue where a user could delete another user’s saved selection in the Dynamic Risk Report.
- Fixed a broken access control in the Vulnerability Management Extra.
This release also includes a host of bug fixes, as follows:
- Fixed an issue where users could receive a 500 error when deleting a framework.
- Fixed an issue where users could not immediately use a new Saved Selection on the Dynamic Risk Report without refreshing the page.
- Fixed an issue where users could see duplicates of risks on the High Risk Report.
- Fixed an issue where the correct framework controls would not always be displayed after filtering frameworks on and off in the Governance Controls tab.
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release includes a large amount of new functionality and bug fixes for the SimpleRisk Extras, including major improvements such as the ability to create templates for questionnaires and to create tabs to better organize your larger questionnaires.
We also included other fixes and updates listed below:
- Updated the Risk Assessment Extra to allow for tabular assessments with multiple pages.
- Updated the Risk Assessment Extra to support templates.
- Updated the design of the answers displayed on completed questionnaires, results, shared results and the compare results pages.
- Fixed an issue where users could no longer create “Fill in the Blank” questions.
- Fixed an issue where Assessments were no longer closing based on the time set for “Assessments Valid for”.
- Fixed an issue with the Risk Details section in Questionnaires showing the expanded icon when closed and the closed icon when expanded.
- Fixed an issue where completion emails were not sent to contacts who were SimpleRisk users.
- Updated the Questionnaire page so that it no longer appears that question answers can be edited after completing a questionnaire.
- Fixed an issue where users could double submit a questionnaire.
- Fixed an issue where exporting the Dynamic Risk Report would not include all columns, most notably Residual Risk Score.
- Fixed an issue where buttons would remain disabled after an import unless the user left or refreshed the page.
- Added the ability to create custom fields for Frameworks and Controls.
- Fixed an issue where activating the Customization extra would create a second copy of the Risk Mapping field.
- Fixed an issue where Risk and Threat Mapping would not function properly with the Customization Extra active.
ComplianceForge Secure Controls Framework (SCF)
- Added a check for SCF tables that already exist when updating the ComplianceForge SCF Extra.
- Fixed an issue where the create button would be disabled after creating a business unit.
- Fixed an issue where user dropdowns would show users from every BU the current user is a member of, instead of only the users in the selected BU.