Skip to main content

Release 3.14.0 - 22-07-2021

rules
  • Updated

Features

  • [IR-5572] - Hide unused standards
  • [IR-6817] - Add confirmation when deleting weaknesses and countermeasures
  • [IR-6166] - Allow to manually set N/A state for countermeasures
  • [IR-6211] - Improve versions grid display

Bug Fixes

  • [IR-6172] - Project XML should contain only used trust zones
  • [IR-6176] - Do not redirect the user to Architecture view if the user lacks ARCHITECTURE_VIEW
  • [IR-6228] - DuplicateKeyException upon deleting a custom field type with values
  • [IR-6420] - New category is created when it should not
  • [IR-6529] - Invited users are not shown in the user's list
  • [IR-6530] - Threat detail not property updating in flat view
  • [IR-6628] - Wrong permission warning when a user tries to do a bulk delete action on product's versions
  • [IR-6731] - Fix the text length of a component of the diagram component list when is too long
  • [IR-6744] - Fix the root cause of dataflow duplications reported by some customers
  • [IR-6802] - After changing to the Products tab editing countermeasure results in an NPE
  • [IR-6803] - Prevent threat risk to be out of range [0, 100]
  • [IR-6820] - Wrong label under "Insert Question" rule fie
  • [IR-6821] - Rule action "Set custom field value" shows the wrong label
  • [IR-6838] - Error thrown when creating a product from versioning
  • [IR-6843] - When saving an already existing rule, it is removed from the rules container
  • [IR-6857] - Use the default Overpass font for the report generation: Technical countermeasure report
  • [IR-6909] - Unexpected error after fixing a workflow state with a name that already exists
  • [IR-7007] - Search bar in Threats and Countermeasures not working after renaming component
  • [IR-7018] - Created product component can't be seen by product owner by default
  • [IR-7035] - Unexpected error after checking the questionnaire assets
  • [IR-7045] - Selecting some rules on the UI results on Duplicate Bean error
  • [IR-7057] - Error is thrown when retrieving the implementation for a countermeasure
  • [IR-7062] - Unexpected error after selecting a standard in Compliance Report generation
  • [IR-7068] - Fix the "use case already in use in component" error when using the "IoT Application" component
  • [IR-7101] - Error in architecture tab for versions of projects with no diagram
  • [IR-7156] - Fix all duplicated UUID for Dataflows in the project's diagrams
  • [IR-7159] - Exception when sending password reset mail
  • [IR-7160] - The product search only works with the last word typed in
  • [IR-7192] - Lazy Exception when editing data flows connecting nested components
  • [IR-7221] - Unexpected error after saving the dataflow information if the model is not synchronized

Security Bug Fixes

  • [IR-6844] - Remove sensitive metadata from exported files
  • [IR-6853] - Store API token using SHA256
  • [IR-6955] - Stored Cross-Site-Scripting vulnerability for imported product
  • [IR-6863] - Update Vaadin from 8.8.5 to 8.12.4 to solve XSS vulnerability in Atmosphere framework

Hot Fixes included

This is also a cumulative release that also includes all the hotfixes on the 3.13.0: 

API Changes

New Knowledge-base Content

New security content

  • [CON-752] - New countermeasure (Hydras-AWS-IAM-2.4) and new weakness (AWS-IAM-2.8) for the AWS Lambda library.
  • [CON-906] - Added six threats for the ACTIVE-DIRECTORY risk pattern in the CS-Default library.

Updated/new security standards

  • [CON-888] - New security standard: NIST Cybersecurity Framework.

  • [CON-848] - New security standard: CWE Top 25 Most Dangerous Software Weaknesses.

  • [CON-753] - Updated security standard: CIS Microsoft Azure Foundations Benchmark v1.3.0.

  • [CON-889] - Extended coverage for the OWASP API Top 10 security standard.

  • [CON-852] - Updated AWS library with the new AWS CIS Benchmark v1.4.0 security standard.

New components

  • [CON-886] - A new component in the General category: Binary File.

  • [CON-860] - New AWS components:

    • AWS Site-to-Site VPN

    • AWS Client VPN

    • AWS Firewall Manager

    • AWS PrivateLink

    • AWS Fargate

  • [CON-874] - New AWS components:

    • AWS Secrets Manager

    • AWS CloudHSM

    • AWS CloudSearch

    • AWS Shield

    • AWS WAF

    • AWS Managed Streaming for Apache Kafka (MSK)

    • AWS MQ

  • [CON-880] - New AWS components:

    • AWS SDK

    • AWS Command Line Interface

    • AWS Resource Groups / Tag Editor

    • AWS Aurora

    • AWS Managed Blockchain

    • AWS Quantum Ledger Database (QLDB)

    • AWS Glue

    • AWS Glue Schema Registry

  • [CON-904.] - New AWS components:

    • AWS X-Ray

    • AWS WorkSpaces

    • AWS WorkMail

    • AWS WorkLink

    • AWS WorkDocs

    • AWS Systems Manager

    • AWS Support

    • AWS Storage Gateway

    • AWS Snowball

    • AWS Simple Email Service (SES)

    • AWS Service Catalog

    • AWS Serverless Application Repository

    • AWS Server Migration Service (SMS)

    • AWS Security Hub

    • AWS Resource Access Manager (RAM)

    • AWS QuickSight

    • AWS Pinpoint

    • AWS Health

    • AWS OpsWorks

    • AWS Neptune

  • [CON-753] - New Azure component:

    • Microsoft Azure Kubernetes Service

Library refactors

  • [CON-897] - Countermeasure harden-http-headers removed from the untrusted-data-received risk pattern.

  • [CON-886.] - New question: “Is this component using third-party software components?“ for server-side category components to be able to import the CS-Default risk pattern EXT-LIBRARIES.

  • [CON-885.] - Several IoT library refactors:

    • Risk pattern rf-bluetooh-communication was merged into iot-device-wireless-interfaces.

    • Risk pattern iot-device-wireless-interfaces will be imported if the user answers “Yes” to the question “Will this component use wireless interfaces (e.g. WiFi, Bluetooth, Zigbee)?“ and if the risk pattern iot-device-operating-system has already been imported.

    • Risk pattern iot-encryption-and-key-management-for-hardware will be imported if the user answers “Yes” to the question “Will this component handle secrets?“ and if the risk pattern iot-device-operating-system has already been imported.

    • Risk pattern iot-secure-supply-chain-and-production will be part of the IoT Application component definition.

  • [CON-875] - Removed risk pattern MOBILE-CLIENT:SENS-DATA-STORAGE from CS-Default library because is not used by any rule and has an equivalent risk pattern in the OWASP MASVS library (MOBILE-CLIENT:SENS-DATA-STORED).

  • [CON-875] - Removed non-ASCII characters for the threat sensitive-auth-data-stealing in the PCI-DSS library.

  • [CON-875] - Mitigation values fixed for the threat UNAUTHORIZED-CONECTIONS-AWS in the AWS library.

  • [CON-859] - Several OWASP MASVS library fixes.

    • Fixed URL links for some references.

    • Removed control MASVS-6.11 from the MOBILE-CLIENT risk pattern. Now it’s placed in the IOS-CLIENT risk pattern.

    • Removed countermeasures MASVS-2.8 and MASVS-5.4 from the OWASP-MASVS-L1 and OWASP-MASVS-L1+R standards.

  • [CON-857] - Fixed URL links for some references in all the default libraries.

  • [CON-836] - Rules refactor for the HIPAA library.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk