Features
- [IR-5572] - Hide unused standards
- [IR-6817] - Add confirmation when deleting weaknesses and countermeasures
- [IR-6166] - Allow to manually set N/A state for countermeasures
- [IR-6211] - Improve versions grid display
Bug Fixes
- [IR-6172] - Project XML should contain only used trust zones
- [IR-6176] - Do not redirect the user to Architecture view if the user lacks ARCHITECTURE_VIEW
- [IR-6228] - DuplicateKeyException upon deleting a custom field type with values
- [IR-6420] - New category is created when it should not
- [IR-6529] - Invited users are not shown in the user's list
- [IR-6530] - Threat detail not properly updating in flat view
- [IR-6628] - Wrong permission warning when a user tries to do a bulk delete action on product's versions
- [IR-6731] - Fix the text length of a component in the diagram component list when it is too long
- [IR-6744] - Fix the root cause of dataflow duplications reported by some customers
- [IR-6802] - After changing to the Products tab editing countermeasure results in an NPE
- [IR-6803] - Prevent threat risk from being out of the range [0, 100]
- [IR-6820] - Wrong label under "Insert Question" rule field
- [IR-6821] - Rule action "Set custom field value" shows the wrong label
- [IR-6838] - Error thrown when creating a product from versioning
- [IR-6843] - When saving an already existing rule, it is removed from the rules container
- [IR-6857] - Use the default Overpass font for the report generation: Technical countermeasure report
- [IR-6909] - Unexpected error after fixing a workflow state with a name that already exists
- [IR-7007] - Search bar in Threats and Countermeasures not working after renaming component
- [IR-7018] - Created product component can't be seen by product owner by default
- [IR-7035] - Unexpected error after checking the questionnaire assets
- [IR-7045] - Selecting some rules in the UI results in a Duplicate Bean error
- [IR-7057] - Error is thrown when retrieving the implementation for a countermeasure
- [IR-7062] - Unexpected error after selecting a standard in Compliance Report generation
- [IR-7068] - Fix the "use case already in use in component" error when using the "IoT Application" component
- [IR-7101] - Error in architecture tab for versions of projects with no diagram
- [IR-7156] - Fix all duplicated UUID for Dataflows in the project's diagrams
- [IR-7159] - Exception when sending password reset mail
- [IR-7160] - The product search only works with the last word typed in
- [IR-7192] - Lazy Exception when editing data flows connecting nested components
- [IR-7221] - Unexpected error after saving the dataflow information if the model is not synchronized
Security Bug Fixes
- [IR-6844] - Remove sensitive metadata from exported files
- [IR-6853] - Store API token using SHA256
- [IR-6955] - Stored Cross-Site-Scripting vulnerability for imported product
- [IR-6863] - Update Vaadin from 8.8.5 to 8.12.4 to solve XSS vulnerability in Atmosphere framework
Hot Fixes included
This is a cumulative release that also includes all the hotfixes released for 3.13.0:
API Changes
New Knowledge-base Content
New security content
- [CON-752] - New countermeasure (Hydras-AWS-IAM-2.4) and new weakness (AWS-IAM-2.8) for the AWS Lambda library.
- [CON-906] - Added six threats for the ACTIVE-DIRECTORY risk pattern in the CS-Default library.
Updated/new security standards
- [CON-888] - New security standard: NIST Cybersecurity Framework.
- [CON-848] - New security standard: CWE Top 25 Most Dangerous Software Weaknesses.
- [CON-753] - Updated security standard: CIS Microsoft Azure Foundations Benchmark v1.3.0.
- [CON-889] - Extended coverage for the OWASP API Top 10 security standard.
- [CON-852] - Updated AWS library with the new AWS CIS Benchmark v1.4.0 security standard.
New components
- [CON-886] - A new component in the General category: Binary File.
- [CON-860] - New AWS components:
  - AWS Site-to-Site VPN
  - AWS Client VPN
  - AWS Firewall Manager
  - AWS PrivateLink
  - AWS Fargate
- [CON-874] - New AWS components:
  - AWS Secrets Manager
  - AWS CloudHSM
  - AWS CloudSearch
  - AWS Shield
  - AWS WAF
  - AWS Managed Streaming for Apache Kafka (MSK)
  - AWS MQ
- [CON-880] - New AWS components:
  - AWS SDK
  - AWS Command Line Interface
  - AWS Resource Groups / Tag Editor
  - AWS Aurora
  - AWS Managed Blockchain
  - AWS Quantum Ledger Database (QLDB)
  - AWS Glue
  - AWS Glue Schema Registry
- [CON-904] - New AWS components:
  - AWS X-Ray
  - AWS WorkSpaces
  - AWS WorkMail
  - AWS WorkLink
  - AWS WorkDocs
  - AWS Systems Manager
  - AWS Support
  - AWS Storage Gateway
  - AWS Snowball
  - AWS Simple Email Service (SES)
  - AWS Service Catalog
  - AWS Serverless Application Repository
  - AWS Server Migration Service (SMS)
  - AWS Security Hub
  - AWS Resource Access Manager (RAM)
  - AWS QuickSight
  - AWS Pinpoint
  - AWS Health
  - AWS OpsWorks
  - AWS Neptune
- [CON-753] - New Azure component:
  - Microsoft Azure Kubernetes Service
-
Library refactors
- [CON-897] - Countermeasure harden-http-headers removed from the untrusted-data-received risk pattern.
- [CON-886] - New question: “Is this component using third-party software components?” for server-side category components, so that the CS-Default risk pattern EXT-LIBRARIES can be imported.
- [CON-885] - Several IoT library refactors:
  - Risk pattern rf-bluetooh-communication was merged into iot-device-wireless-interfaces.
  - Risk pattern iot-device-wireless-interfaces will be imported if the user answers “Yes” to the question “Will this component use wireless interfaces (e.g. WiFi, Bluetooth, Zigbee)?” and if the risk pattern iot-device-operating-system has already been imported.
  - Risk pattern iot-encryption-and-key-management-for-hardware will be imported if the user answers “Yes” to the question “Will this component handle secrets?” and if the risk pattern iot-device-operating-system has already been imported.
  - Risk pattern iot-secure-supply-chain-and-production will be part of the IoT Application component definition.
- [CON-875] - Removed risk pattern MOBILE-CLIENT:SENS-DATA-STORAGE from the CS-Default library because it is not used by any rule and has an equivalent risk pattern in the OWASP MASVS library (MOBILE-CLIENT:SENS-DATA-STORED).
- [CON-875] - Removed non-ASCII characters from the threat sensitive-auth-data-stealing in the PCI-DSS library.
- [CON-875] - Mitigation values fixed for the threat UNAUTHORIZED-CONECTIONS-AWS in the AWS library.
- [CON-859] - Several OWASP MASVS library fixes:
  - Fixed URL links for some references.
  - Removed control MASVS-6.11 from the MOBILE-CLIENT risk pattern. It is now placed in the IOS-CLIENT risk pattern.
  - Removed countermeasures MASVS-2.8 and MASVS-5.4 from the OWASP-MASVS-L1 and OWASP-MASVS-L1+R standards.
- [CON-857] - Fixed URL links for some references in all the default libraries.
- [CON-836] - Rules refactor for the HIPAA library.