2023.4
For the latest SD Elements Release Notes, see our User Guide: https://docs.sdelements.com/release/latest/guide/docs/releasenotes.html
New features and enhancements
Diagrammatic Threat Modeling
- Added the ability for diagrams to generate Threats, Weaknesses, and Countermeasures once saved. This functionality is only available in the UI.
- Added the ability for drawn and imported diagrams to generate content.
- Imported diagrams are only accepted in draw.io/diagrams.net, TM7 (Microsoft Threat Modeling Tool), JSON, and XML format.
Trend Reports
- Added an advanced reporting feature called “Trend Reports” that captures changes across the application, Countermeasures, and project objects. This feature is enabled by default with its corresponding feature flag.
- Users can represent changes in compliance counts and mean times to compliance, among many other metrics.
- Changes are captured nightly, and data is available as far back as July 8, 2023.
- Added the ability to include Trend Reports in Dashboards.
- Added granular permissions for users interacting with Trend Reports.
- Added the ability to export the data in CSV or JSON format.
Verification Tools Update
- Added the ability for integrations to customize the project connection names for verification tools. Any existing and future project connections for verification tools can add or edit a connection name.
Checkmarx Integration
- Added CheckmarxOne into the Integration Ecosystems. Users can connect their CheckmarxOne instance in SD Elements and map SAST scan results to project Countermeasures.
- Requires Tenant ID and API Key for server connection.
- Requires a project_id for project connection.
Other Product Improvements
- Added pre-aggregations to Library and Application contexts for Advanced Reports.
- Fixed a bug where importing how-to files in JSON or YAML format would not work.
Content improvements summary
CWE
- Updated to version 4.13
2023 CWE Top 25 Most Dangerous Software Weaknesses
- Added a new regulation
Compliance Regulations and Mappings
- ANSI/ISA 62443-4-2 & ISASecure CSA 311
- Updated the ISASecure CSA 311 regulation to combine the requirements of ANSI/ISA 62443-4-2 and ISASecure CSA/SSA and deactivated the ANSI/ISA 62443-4-2 regulation.
- ANSI/ISA 62443-3-3 & ISASecure SSA 311
- Updated the ISASecure SSA 311 regulation to combine the requirements of ANSI/ISA 62443-3-3 and ISASecure CSA/SSA and deactivated the ANSI/ISA 62443-3-3 regulation.
Updated the following code scanner mappings:
- Fortify
- Qualys
- SonarQube
- WebInspect
Content additions and updates (as of December 5, 2023):
Compliance Regulations and Mappings
- Added 2023 CWE Top 25 Most Dangerous Software Weaknesses
- Removed ANSI/ISA 62443-3-3
- Removed ANSI/ISA 62443-4-2
- Updated ANSI/ISA 62443-4-2 (ISASecure CSA 311) [INFO: Updated the description].
- Updated ANSI/ISA 62443-3-3 (ISASecure SSA 311) [INFO: Updated the description].
- Updated CIS Azure Kubernetes Service (AKS) 1.2.0 [INFO: Updated the description].
- Updated ISO/SAE 21434 [INFO: Updated the description].
- Updated ISO 27001 [INFO: Updated the description].
- T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA5412: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5414: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T5: Use minimum standards for passwords
- TA5432: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5434: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5436: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T8: Use Consistent Error Handling for All Authentication Failures
- TA5440: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T21: Ensure all data in transit is encrypted using a secure TLS channel
- TA5495: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5497: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
- TA5501: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T61: Disable default accounts or change all default passwords
- TA5422: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T70: Implement account lockout or authentication throttling for system accounts
- TA5442: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T77: Test for single-factor authentication
- TA5411: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5413: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T80: Test password requirements
- TA5431: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5433: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5435: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T82: Test authentication error consistency
- TA5439: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T87: Verify that all data in transit is encrypted using a secure TLS channel
- TA5494: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5496: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T107: Test that application forbids uploading or transferring malware [Updated]
- INFO: Updated the text.
- T114: Test system-to-system authentication lockout or throttling
- TA5441: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T156: Validate certificate and its chain of trust properly
- TA5438: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T175: Test that the client validates digital certificates
- TA5437: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T244: Securely delete any unprotected sensitive data before a resource is released or shared
- TA5539: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5541: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T245: Verify that sensitive unprotected data is securely deleted
- TA5538: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5540: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T248: Protect secret keys and passwords in the application
- TA5424: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5426: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5428: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T249: Verify that keys and passwords are protected in the application
- TA5423: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5425: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5427: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T295: Avoid storing unencrypted confidential data without access control mechanisms
- TA5537: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T296: Test that unencrypted confidential data is not stored without access control mechanisms
- TA5536: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T323: Test that default accounts are disabled or default passwords are changed
- TA5421: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T337: Include a 'break glass' feature that enables emergency functions
- TA5452: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T338: Control access to resources through user authentication and authorization
- TA5406: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5408: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5410: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T340: Use an account and identity management system
- TA5416: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5418: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5420: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T342: Inform and warn users about using critical system services
- TA5444: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T343: Test that proper system use notification is displayed or sent for critical features
- TA5443: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T344: Enforce different rules for access to the system based on the origin, type, and medium of request
- TA5446: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5448: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5450: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T381: Test break-glass procedures
- TA5451: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T445: Verify that only approved cryptographic algorithms and key lengths are used
- TA5500: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T567: Enable network access control for local area network communications
- TA5455: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T591: Verify that network access control is enabled for local area network communications
- TA5454: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5456: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T682: Make S3 bucket CloudTrail logs publicly inaccessible (AWS) [Updated]
- INFO: Updated the text.
- T1380: Enforce secure user registration and access control
- TA5453: ISASecure SSA 311 requirements: Levels (4) [Updated]
- INFO: Updated the text.
- T2254: Use the most robust Security Operation Mode (WiFi)
- TA5430: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T2275: Test to confirm that the most robust Security Operation Mode is applied (WiFi)
- TA5429: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- T2276: Test to confirm that authorization and authentication controls are in place for access to resources
- TA5405: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5407: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5409: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T2277: Test to confirm the use of an account and identity management system
- TA5415: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5417: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- TA5419: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- T2278: Test to confirm that different rules for access to the system are enforced based on the origin, type, and medium of the request
- TA5445: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5447: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
- INFO: Updated the text.
- TA5449: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- T2359: Configure a secure user authentication (Cloud) (2/2) [Updated]
- INFO: Updated the priority from 7 to 10.
- T2360: Configure a secure user authorization (Cloud) (2/2) [Updated]
- INFO: Updated the priority from 5 to 10.
- T2361: Design a secure application architecture for the cloud environment (Cloud) (2/2) [Updated]
- INFO: Updated the priority from 9 to 10.
- T2368: Enable logging and protect log files in your cloud environment (Cloud) (2/4) [Updated]
- INFO: Updated the priority from 7 to 9.
- T2369: Enable logging and protect log files in your cloud environment (Cloud) (3/4) [Updated]
- INFO: Updated the priority from 7 to 9.
- T2370: Enable logging and protect log files in your cloud environment (Cloud) (4/4) [Updated]
- INFO: Updated the priority from 7 to 9.
- T2371: Enable logs and configuration monitoring in your cloud environment (Cloud) (2/4) [Updated]
- INFO: Updated the priority from 7 to 8.
- T2372: Enable logs and configuration monitoring in your cloud environment (Cloud) (3/4) [Updated]
- INFO: Updated the priority from 7 to 8.
- T2373: Enable logs and configuration monitoring in your cloud environment (Cloud) (4/4) [Updated]
- INFO: Updated the priority from 7 to 8.
- T2374: Verify that logging is enabled and log files are protected (Cloud) (2/2) [Updated]
- INFO: Updated the priority from 7 to 9.
- T2375: Verify that log monitoring and configuration monitoring are enabled (Cloud) (2/3) [Updated]
- INFO: Updated the priority from 7 to 8.
- T2376: Verify that log monitoring and configuration monitoring are enabled (Cloud) (3/3) [Updated]
- INFO: Updated the priority from 7 to 8.
Changes to Project Properties and Profiles
- Q193: Components
- Q101: Components In Development
- A1077: Firmware, embedded, or hardware solution [Updated]
- INFO: Updated the children.
- Q199: Authentication
- Q120: Authentication Features
- Q121: Authentication Method
- A19: Uses passwords [Updated]
- INFO: Updated the children.
- Q243: Internal Hidden Properties
- Q189: Internal Properties (Use this, for all hidden answers)
- A768: This is a software project [Updated]
- INFO: Updated the children.
New Just-in-Time Training
- Defending Web APIs (18)
2023.3
New features and enhancements
New content updates functionality
- Any Countermeasures removed or added to a project through the content update button will appear in global, project, and Countermeasure activity logs along with the user who took the action, and the date and time it was taken.
Import / Export Enhancements
- With feature flag: Import/Export Enhanced Capability turned on (off by default):
- Added the ability to include deactivated content in the export job.
- Added the ability to mark specific content as active or deactivated via an import job.
- Added the ability to mark custom content as deleted, removing it completely, via an import job.
- Enabling Import/Export of Regulations and Enabling Async API (Beta) have been migrated to feature flags so users can now toggle features on and off via the UI.
Automation Event/Action
- With Feature Flag: User Login Activity (on by default)
- Added the ability to track user login events.
- Added a new action to deactivate users who have not logged in for a predefined number of days.
Reactivation Function (only for SSO Users)
- With Feature Flag: Auto-Reactivate Users via SSO (off by default)
- Added the ability to auto-reactivate users using single sign-on.
Survey UX
- Added a feature flag to make survey change reviews optional before publishing. The flag is disabled by default. When enabled, users answering the survey will have a choice to publish directly or review and then publish.
Content improvements summary
AI Security
- Added new Weaknesses, Countermeasures, and Additional Requirements based on NIST AI Risk Management Framework (RMF) and OWASP Top 10 for Large Language Model Applications.
Consumer IoT: ETSI EN 303 645
- Added new Regulation and Additional Requirements based on the EN 303 645 Standard.
ISO 27001 (2022)
- Added a new Regulation.
Rust
- Added new Howtos for the Rust programming language.
Updated the following code scanner mappings:
- Appscan, Fortify, Qualys, SonarQube, WebInspect, and Nessus.
Content additions and updates (as of September 26, 2023):
Compliance Regulations and Mappings
- Added NIST AI RMF v1.0
- Added EN 303 645
- Added OWASP Top 10 for Large Language Model Applications v1.0.0
- Added ISO 27001
Content Packs
- Added NIST AI RMF
- Added AI Security
- Added EN 303 645
- Added OWASP LLM Top 10
- Added ISO 27001 (2022)
- Added Rust
- T2: Secure the password reset mechanism
- TA6527: EN 303 645 requirements [Added]
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
- TA6535: EN 303 645 requirements [Added]
- T72: Use safe arithmetic to avoid integer overflow
- I1880: Rust: Check calculations for integer overflows [Added]
- T151: Use cryptographically secure random numbers [Updated]
- INFO: Updated the text.
- T153: Scrub buffers holding sensitive information when releasing/deleting
- I1878: Rust: Clear sensitive memory after use [Added]
- T159: Follow best practices for secure error and exception handling
- I1881: Rust: Return errors using the Result type and don’t panic [Added]
- T176: Apply principles of privacy when handling personal information
- TA6539: EN 303 645 requirements [Added]
- T189: Minimize the use of unmanaged (native) code
- I1883: Rust: Follow best practices when calling external C/C++ functions [Added]
- P730: Direct Use of Unsafe Unmanaged Code [Updated]
- INFO: Updated the match conditions.
- T196: Avoid unsafe functions
- I1882: Rust: Avoid unsafe code [Added]
- T197: Validate the signature of all remote code/updates to verify their origin and integrity (client side)
- TA6532: EN 303 645 requirements [Added]
- T248: Protect secret keys and passwords in the application
- TA6534: EN 303 645 requirements [Added]
- T301: Verify that buffers holding sensitive information are scrubbed
- I1884: Rust: Clear sensitive memory after use. [Added]
- T338: Control access to resources through user authentication and authorization
- TA6536: EN 303 645 requirements [Added]
- T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
- I1879: Use secure libraries and open source components in Rust [Added]
- T375: Release resources when no longer needed
- I1877: Rust: Avoid memory leaks [Added]
- P293: Uncontrolled Resource Consumption (Resource Exhaustion) [Updated]
- INFO: Updated the match conditions.
- T403: Verify that errors and exceptions are securely handled
- I1886: Rust: Securely handle errors and exception. [Added]
- T433: Design a fallback mechanism or a degraded mode for the system
- TA6540: EN 303 645 requirements [Added]
- T456: Change default security settings to the most stringent ones and disable unnecessary services and modules
- TA6537: EN 303 645 requirements [Added]
- T584: Implement update capabilities for your application
- TA6530: EN 303 645 requirements [Added]
- T586: Implement Secure Boot if possible
- TA6538: EN 303 645 requirements [Added]
- T897: Test if the unmanaged code is used securely
- I1887: Rust: Securely use external functions in Rust. [Added]
- P730: Direct Use of Unsafe Unmanaged Code [Updated]
- INFO: Updated the match conditions.
- T991: Configure connectionTimeout (Apache Tomcat) [Updated]
- INFO: Updated the text.
- I834: Apache Tomcat: Configuring connectionTimeout [Updated]
- INFO: Updated the text.
- T1061: Enable SQL auditing (Microsoft Azure)
- P1024: No SQL auditing (Microsoft Azure) [Updated]
- INFO: Updated the text.
- T1234: Only allow trusted users to control the Docker daemon (Docker) [Updated]
- INFO: Updated the text.
- T1250: Configure admission control policy securely (Kubernetes) [Updated]
- INFO: Updated the text.
- T1278: Ensure that the --protect-kernel-defaults argument is set to true (Kubernetes) [Updated]
- INFO: Updated the text.
- T1352: Restrict remote access (Google Cloud) [Updated]
- INFO: Updated the text.
- T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
- TA6542: EN 303 645 requirements [Added]
- T1380: Enforce secure user registration and access control [Updated]
- INFO: Updated the match conditions.
- T1385: Institute secure logging and event monitoring
- TA6541: EN 303 645 requirements [Added]
- T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- TA6528: EN 303 645 requirements [Added]
- T1403: Disable CLR (Microsoft SQL Server)
- P1195: Enabled CLR (Microsoft SQL Server) [Updated]
- INFO: Updated the text.
- T1461: Leave 'SQL Server Browser' service disabled if it is not required (Microsoft SQL Server) [Updated]
- INFO: Updated the text.
- T1915: Perform network vulnerability assessment
- P1438: Lack of network vulnerability assessment [Updated]
- INFO: Updated the match conditions.
- T1920: Conduct security architecture and design reviews before starting code development
- I1874: Evaluate if Rust is suitable for your requirements [Added]
- T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
- TA6529: EN 303 645 requirements [Added]
- T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
- INFO: Updated the text.
- T2115: Enable image vulnerability scanning (Docker) [Updated]
- INFO: Updated the text.
- T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Updated]
- INFO: Updated the text.
- T2211: Include a firmware update mechanism/feature (Hardware/Firmware)
- TA6531: EN 303 645 requirements [Added]
- T2296: Securely install and configure all software components
- P1669: Lack of a process for securely installing and configuring all software components [Updated]
- INFO: Updated the match conditions.
- T2344: Implement and augment supporting toolchains by automating SDLC security activities [Updated]
- INFO: Updated the content pack and match conditions.
- P1681: Lack of automation and implementation of supporting toolchains [Updated]
- INFO: Updated the content pack.
- T2347: Configure the Integrated Development Environment, Compilation, Interpreter, and Build Processes
- I1875: Prepare a secure Rust development environment [Added]
- T2348: Perform code reviews
- P1685: Lack of proper code reviews [Updated]
- INFO: Updated the match conditions.
- T2349: Configure software to have secure settings by default
- P1686: Lack of secure default settings [Updated]
- INFO: Updated the match conditions.
- T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the match conditions.
- T2352: Verify that supporting toolchains are properly implemented [Updated]
- INFO: Updated the content pack and match conditions.
- P1681: Lack of automation and implementation of supporting toolchains [Updated]
- INFO: Updated the content pack.
- T2354: Verify that an organization-wide software and code repository is established and used [Updated]
- INFO: Updated the content pack and match conditions.
- T2355: Verify that the IDE, compiler, interpreter, and build processes are configured securely [Updated]
- INFO: Updated the content pack and match conditions.
- I1876: Verify a secure Rust development environment [Added]
- T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the match conditions.
- T2388: Enforce the principle of separation of duties [Updated]
- INFO: Updated the text.
- T2473: Verify the presence of security constraints in all user stories and features [Updated]
- INFO: Updated the match conditions.
- T2474: Include security constraints in all user stories and features [Updated]
- INFO: Updated the match conditions.
- T2481: Define and apply configuration standards for Network Security Controls [Updated]
- INFO: Updated the match conditions.
- T2482: Verify implementing configuration standards [Updated]
- INFO: Updated the match conditions.
- T2483: Follow a control change management process [Updated]
- INFO: Updated the text.
- T2498: Provide clear definitions for each component [Updated]
- INFO: Updated the match conditions.
- T2499: Verify that clear definitions for each component exist [Updated]
- INFO: Updated the match conditions.
- T2510: Define cybersecurity goals and requirements for a component [Updated]
- INFO: Updated the match conditions.
- T2511: Define procedures for decommissioning and terminating cybersecurity support
- TA6533: EN 303 645 requirements [Added]
- T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component [Updated]
- INFO: Updated the match conditions.
- T2514: Establish coding and testing guidelines [Updated]
- INFO: Updated the match conditions.
- T2515: Verify coding and testing guidelines [Updated]
- INFO: Updated the match conditions.
- T2517: Define cybersecurity specifications and post-development procedures [Updated]
- INFO: Updated the match conditions.
- T2518: Verify cybersecurity specifications and post-development procedures [Updated]
- INFO: Updated the match conditions.
- T2519: Prevent prompt injection in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Added]
- T2520: Test the prevention of prompt injection in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Added]
- T2521: Handle insecure output in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Added]
- T2522: Test insecure output handling in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Added]
- T2523: Prevent training data poisoning in Large Language Models [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Added]
- T2524: Test the prevention of training data poisoning in Large Language Models [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Added]
- T2525: Prevent Large Language Model Denial of Service [Added]
- P1736: Lack of protection against Large Language Model denial of service [Added]
- T2526: Test the prevention of Large Language Model Denial of Service [Added]
- P1736: Lack of protection against Large Language Model denial of service [Added]
- T2527: Protect Large Language Models against supply chain vulnerabilities [Added]
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Added]
- T2528: Test the protection of Large Language Models against supply chain vulnerabilities [Added]
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Added]
- T2529: Prevent sensitive information disclosure in Large Language Models [Added]
- P1738: Sensitive information disclosure in Large Language Models [Added]
- T2530: Test the prevention of sensitive information disclosure in Large Language Models [Added]
- P1738: Sensitive information disclosure in Large Language Models [Added]
- T2531: Design secure plugins for Large Language Models [Added]
- P1739: Insecure plugin design in Large Language Models [Added]
- T2532: Test plugin design security for Large Language Models [Added]
- P1739: Insecure plugin design in Large Language Models [Added]
- T2533: Mitigate excessive agency in Large Language Models [Added]
- P1740: Excessive agency in Large Language Models [Added]
- T2534: Test excessive agency mitigation in Large Language Models [Added]
- P1740: Excessive agency in Large Language Models [Added]
- T2535: Mitigate overreliance in Large Language Models [Added]
- P1741: Overreliance on Large Language Models [Added]
- T2536: Test overreliance in Large Language Models [Added]
- P1741: Overreliance on Large Language Models [Added]
- T2537: Prevent model theft in Large Language Models [Added]
- P1742: Model theft in Large Language Models [Added]
- T2538: Test model theft prevention in Large Language Models [Added]
- P1742: Model theft in Large Language Models [Added]
- T2539: Provide organizational policies, processes, and procedures to ensure trustworthy and risk-aware AI integration [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6455: NIST AI RMF - Govern 1.1: Legal and regulatory requirements [Added]
- TA6456: NIST AI RMF - Govern 1.2: Organizational AI risk management policies [Added]
- TA6457: NIST AI RMF - Govern 1.3: Policies for AI impact measurement and risk assessment [Added]
- TA6458: NIST AI RMF - Govern 1.4: Documentation and policy standardization for AI systems [Added]
- TA6459: NIST AI RMF - Govern 1.7: Decommissioning AI systems policies [Added]
- T2540: Plan mechanisms for monitoring, reviewing, and inventorying AI systems [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6460: NIST AI RMF - Govern 1.5: AI systems monitoring and incident response [Added]
- TA6461: NIST AI RMF - Govern 1.6: Inventory AI systems [Added]
- T2541: Establish clear roles, responsibilities, accountability, and training for AI risk management [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6462: NIST AI RMF - Govern 2.1: AI risk roles and responsibilities [Added]
- TA6463: NIST AI RMF - Govern 2.2: Training on AI risk management [Added]
- TA6464: NIST AI RMF - Govern 2.3: Management roles and responsibilities [Added]
- T2542: Address necessary human-AI configurations and oversight of AI systems [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6465: NIST AI RMF - Govern 3.1: Forming a diverse team [Added]
- TA6466: NIST AI RMF - Govern 3.2: Human-AI policies [Added]
- T2543: Encourage critical thinking and a safety-first mindset in the lifecycle of AI systems [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6467: NIST AI RMF - Govern 4.1: Risk culture [Added]
- TA6468: NIST AI RMF - Govern 4.2: Impact assessments [Added]
- TA6469: NIST AI RMF - Govern 4.3: Information sharing about impacts or incidents [Added]
- T2544: Collect and integrate feedback from external AI system developers [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6470: NIST AI RMF - Govern 5.1: Manage external stakeholder feedback [Added]
- TA6471: NIST AI RMF - Govern 5.2: Integrate feedback into system design and implementation [Added]
- T2545: Address AI risks associated with third-party entities [Added]
- P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
- TA6472: NIST AI RMF - Govern 6.1: Address AI risks arising from third-party entities [Added]
- TA6473: NIST AI RMF - Govern 6.2: Handle failures or incidents in third-party data [Added]
- T2546: Identify business value and business use context of AI systems [Added]
- P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
- TA6474: NIST AI RMF - Map 1.1: Identify AI system's intended and potential beneficial applications [Added]
- TA6475: NIST AI RMF - Map 1.2: AI actor participation in establishing AI system context [Added]
- TA6476: NIST AI RMF - Map 1.3: Organization's mission and relevant goals for AI technology [Added]
- TA6477: NIST AI RMF - Map 1.4: Identify AI system's business value [Added]
- TA6478: NIST AI RMF - Map 1.5: Organizational risk tolerances [Added]
- TA6479: NIST AI RMF - Map 1.6: Socio-technical implications incorporation into design decisions [Added]
- T2547: Define AI system tasks and knowledge limits, and TEVV considerations [Added]
- P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
- TA6480: NIST AI RMF - Map 2.1: AI system's support [Added]
- TA6481: NIST AI RMF - Map 2.2: Identify AI system's knowledge limits [Added]
- TA6482: NIST AI RMF - Map 2.3: Identify TEVV considerations [Added]
- T2548: Examine potential benefits, costs, and necessary human oversight of using AI systems [Added]
- P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
- TA6483: NIST AI RMF - Map 3.1: Identify benefits of the intended AI system [Added]
- TA6484: NIST AI RMF - Map 3.2: Identify AI system's potential costs [Added]
- TA6485: NIST AI RMF - Map 3.3: Identify AI system's application scope [Added]
- TA6486: NIST AI RMF - Map 3.4: Define operator and practitioner proficiency [Added]
- TA6487: NIST AI RMF - Map 3.5: Human oversight on AI system [Added]
- T2549: Establish approaches for mapping AI technology and controlling risks [Added]
- P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
- TA6488: NIST AI RMF - Map 4.1: Identify legal risks associated with AI technology components [Added]
- TA6489: NIST AI RMF - Map 4.2: Identify and control internal risk of AI system's components [Added]
- T2550: Assess the likelihood of each beneficial and harmful identified impact [Added]
- P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
- TA6490: NIST AI RMF - Map 5.1: Calculate likelihood of AI system's identified impact [Added]
- TA6491: NIST AI RMF - Map 5.2: Collect and integrate AI actor feedback [Added]
- T2551: Create trustworthy AI systems [Added]
- P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
- TA6492: NIST AI RMF - Measure 1.1: Metrics framework [Added]
- TA6493: NIST AI RMF - Measure 1.2: Metrics assessment and utilization [Added]
- TA6494: NIST AI RMF - Measure 1.3: TEVV and stakeholder feedback processes [Added]
- T2552: Document and monitor trustworthiness of AI systems [Added]
- P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
- TA6495: NIST AI RMF - Measure 2.1: Documentation [Added]
- TA6496: NIST AI RMF - Measure 2.2: Dataset privacy [Added]
- TA6497: NIST AI RMF - Measure 2.3: Population Context [Added]
- TA6498: NIST AI RMF - Measure 2.4: Regular monitoring [Added]
- TA6499: NIST AI RMF - Measure 2.5: Accuracy and Reliability [Added]
- TA6500: NIST AI RMF - Measure 2.6: Measuring safety [Added]
- T2553: Consider resiliency, transparency, and privacy in designing AI systems [Added]
- P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
- TA6501: NIST AI RMF - Measure 2.7: Resilience [Added]
- TA6502: NIST AI RMF - Measure 2.8: Transparency [Added]
- TA6503: NIST AI RMF - Measure 2.9: Transparency, explainability, and interpretability [Added]
- TA6504: NIST AI RMF - Measure 2.10: Privacy [Added]
- TA6505: NIST AI RMF - Measure 2.11: Mitigate bias [Added]
- TA6506: NIST AI RMF - Measure 2.12: Environmental Impacts [Added]
- TA6507: NIST AI RMF - Measure 2.13: Metrics improvements [Added]
- T2554: Establish effective monitoring and risk management processes for AI systems [Added]
- P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
- TA6508: NIST AI RMF - Measure 3.1: System monitoring [Added]
- TA6509: NIST AI RMF - Measure 3.2: Risk tracking [Added]
- TA6510: NIST AI RMF - Measure 3.3: Impact assessment [Added]
- T2555: Enhance the trustworthiness of AI systems [Added]
- P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
- TA6511: NIST AI RMF - Measure 4.1: Engagement Processes [Added]
- TA6512: NIST AI RMF - Measure 4.2: Analyze feedback [Added]
- TA6513: NIST AI RMF - Measure 4.3: TEVV-Based Decisions [Added]
- T2556: Perform risk assessment and management for AI Systems [Added]
- P1746: Lack of proper risk management for AI systems [Added]
- TA6514: NIST AI RMF - Manage 1.1: Suitability analysis [Added]
- TA6515: NIST AI RMF - Manage 1.2: Risk tolerance analysis [Added]
- TA6516: NIST AI RMF - Manage 1.3: Risk response plans [Added]
- TA6517: NIST AI RMF - Manage 1.4: Monitor and manage residual risks for AI systems [Added]
- T2557: Analyze, monitor, and manage risks associated with AI systems [Added]
- P1746: Lack of proper risk management for AI systems [Added]
- TA6518: NIST AI RMF - Manage 2.1: Risk management and planning [Added]
- TA6519: NIST AI RMF - Manage 2.2: Establish risk control [Added]
- TA6520: NIST AI RMF - Manage 2.3: Treatment procedures [Added]
- TA6521: NIST AI RMF - Manage 2.4: Procedures for AI system bypass and reactivation [Added]
- T2558: Manage risks associated with external dependencies and third-party resources in AI system [Added]
- P1746: Lack of proper risk management for AI systems [Added]
- TA6522: NIST AI RMF - Manage 3.1: Third-Party AI Systems [Added]
- TA6523: NIST AI RMF - Manage 3.2: Pre-trained AI Models and Components [Added]
- T2559: Regularly monitor and document AI system performance and processes [Added]
- P1746: Lack of proper risk management for AI systems [Added]
- TA6524: NIST AI RMF - Manage 4.1: Performance and trustworthiness [Added]
- TA6525: NIST AI RMF - Manage 4.2: Incorporate feedback [Added]
- TA6526: NIST AI RMF - Manage 4.3: Traceability and transparency [Added]
Changes to Project Properties and Profiles
- Q195: Language and Framework
- Q109: Programming Language
- A1365: Rust [Added]
- Q237: Compliance Scope: Other
- Q360: In scope for EN 303 645 [Added]
- A1364: Yes [Added]
- Q325: In-Scope for ISO 27001 Compliance
- A1267: Yes [Updated]
- INFO: Updated the description.
- Q284: Context and Characteristics
- Q252: Application's Context and Characteristics
- Q357: Artificial Intelligence/Machine Learning [Added]
- A1362: Uses Large Language Models (LLMs) [Added]
- A1363: AI governance tasks are in scope (based on NIST AI RMF) [Added]
New Just-in-Time Training
- Defending Databases (22)
- Defending Java (26)
2023.2
New features and enhancements
Authentication
- Added SAML Group and Role Mapping via the SD Elements UI
- Introduced validation on certificate and key uploading
Reporting
- Dashboards
- Links found in a widget on a dashboard now function as expected
Survey UX
- Added a ‘last draft’/‘published’ label with a timestamp on the project Survey page
- Updated the buttons on the project Survey page
- Added an option for users to see the Survey history within the project Survey page
- All Survey answer changes are now highlighted within the Survey (until they are published)
- Users will now see a new confirmation page when they try to publish the Survey
Content improvements summary
ISO/SAE 21434
- Added new Weaknesses, Countermeasures, Additional Requirements, and a Regulation based on the standard.
OWASP IoT Top 10
- Updated the existing compliance report to the latest (2018) version of the OWASP IoT Top 10 list.
OWASP Top 10 Privacy Risks v2.0
- Updated, mapped, and added Countermeasures to reflect the OWASP Top 10 Privacy Risks v2.0 list.
General Content improvement
- Added new Countermeasures and one Amendment to enrich hardware/firmware content.
- Enhanced the language and actionability of some high-priority Countermeasures.
- Fixed and validated the match conditions of some Weaknesses and Countermeasures.
Content additions and updates (as of June 20, 2023):
Compliance Regulations and Mappings
- Added OWASP IoT Top 10 (2018)
- Added OWASP Top 10 Privacy Risks v2.0
- Added ISO/SAE 21434
- Removed OWASP IoT Top 10 (2014)
- Updated DIACAP [Archived, Use 800-53 report] [INFO: Updated the description].
- Updated OWASP IoT Attack Surface Areas [Retired] [INFO: Updated the description].
Content Packs
- Added OWASP Privacy Top 10
- T25: Enforce absolute session timeouts [Updated]
- INFO: Updated the text.
- T26: Expire sessions on logout [Updated]
- INFO: Updated the text.
- T74: Avoid HTTP parameter pollution
- P689: HTTP Parameter Pollution [Updated]
- INFO: Updated the match conditions.
- T86: Test session ID uniqueness and rotation after authentication [Updated]
- INFO: Updated the priority.
- T118: Test for default accounts and credentials [Deactivated]
- T157: Temporary files must be cleaned up after the resource is used
- P348: Incomplete Cleanup [Updated]
- INFO: Updated the text and match conditions.
- T163: Handle health data securely [Updated]
- INFO: Updated the priority.
- T176: Apply principles of privacy when handling personal information [Updated]
- INFO: Updated the text.
- T178: Obtain consent from users prior to collecting personal information [Updated]
- INFO: Updated the text and priority.
- T186: Use recommended settings and the latest patches for third party libraries and software
- P728: Insufficient patching or use of insecure third party software/libraries [Updated]
- INFO: Updated the match conditions.
- T193: Review non-categorized/miscellaneous findings from automated analysis
- P733: Potential security defects reported by automated scanners are missed or overlooked [Updated]
- INFO: Updated the match conditions.
- T235: Verify that application does not store protected health information insecurely [Updated]
- INFO: Updated the priority.
- T236: Test that the application encrypts protected health information on the Internet [Updated]
- INFO: Updated the priority.
- T238: Test that users can review and update their personal information [Updated]
- INFO: Updated the inclusion weakness.
- T239: Test that users provide consent prior to the collection of personal information [Updated]
- INFO: Updated the priority.
- T247: Verify that logical access to encrypted volumes is managed independently of the native operating system [Updated]
- INFO: Updated the inclusion weakness.
- T275: Avoid sending sensitive data using implicit Intents or Broadcasts
- P738: Insufficient Restriction of Intent Receivers in Android [Updated]
- INFO: Updated the match conditions.
- T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
- TA6437: Perform a reuse analysis and assess out-of-context components (ISO 21434) [Added]
- T371: Provide unified and manageable interfaces for security settings and configuration parameters [Updated]
- INFO: Updated the text.
- T545: Verify that personal information is anonymized before being reused for secondary purposes [Updated]
- INFO: Updated the priority.
- T574: Prevent information exposure in HyperCat
- P96: Information Exposure [Updated]
- INFO: Updated the match conditions.
- T586: Implement Secure Boot if possible [Updated]
- INFO: Updated the text.
- T605: Verify if consent is obtained prior to personal information collection (where applicable) [Updated]
- INFO: Updated the priority.
- T666: Rotate access keys every 90 days or less (AWS)
- P161: Password Aging with Long Expiration [Updated]
- INFO: Updated the match conditions.
- T739: Verify if transferring personal information is legitimate and in compliance with applicable privacy regulations [Updated]
- INFO: Updated the priority.
- T743: Verify accuracy of personal information [Updated]
- INFO: Updated the priority.
- T745: Verify if pseudonymized personal information is protected [Updated]
- INFO: Updated the priority.
- T750: Limit personal information collection and processing to the specified purpose [Updated]
- INFO: Updated the text.
- T753: Verify whether personal information is collected only for specified purposes [Updated]
- INFO: Updated the priority.
- T756: Verify if personal data processing activities are recorded and maintained [Updated]
- INFO: Updated the priority.
- T757: Verify if personal information processing stops when user objects to it [Updated]
- INFO: Updated the priority.
- T838: Test if your application adheres to HTTP DNT header [Updated]
- INFO: Updated the priority.
- T1202: Set container CPU priority appropriately (Docker)
- P1090: Container CPU priority is not set appropriately (Docker) [Updated]
- INFO: Updated the text.
- T1364: Verify that third party software libraries/modules and open source/COTS components are used securely
- TA6450: Verify the reuse analysis and the analysis of out-of-context and off-the-shelf components (ISO 21434) [Added]
- T1366: Identify applicable compliance regulations
- P1171: Lack of a process for identifying applicable compliance regulation [Updated]
- INFO: Updated the match conditions.
- T1367: Identify and classify critical assets
- P1172: Lack of a process for identifying critical assets [Updated]
- INFO: Updated the match conditions.
- T1368: Perform security testing using SAST tools [Updated]
- INFO: Updated the text.
- P1186: Lack of a process for static application security testing (SAST) [Updated]
- INFO: Updated the match conditions.
- T1369: Perform security testing using DAST tools [Updated]
- INFO: Updated the text.
- P1173: Lack of a process for dynamic application testing [Updated]
- INFO: Updated the match conditions.
- T1370: Identify and track common software weaknesses and threats
- TA6433: Define continual cybersecurity activities (ISO 21434) [Added]
- P1187: Lack of a process for identifying and assessing threats [Updated]
- INFO: Updated the title and match conditions.
- T1371: Use a software security management solution to select and track security controls
- P1188: Lack of software security management solution to track security controls [Updated]
- INFO: Updated the match conditions.
- T1372: Follow software change management process
- P1174: Lack of software change management process [Updated]
- INFO: Updated the match conditions.
- T1373: Maintain the integrity of all software code [Updated]
- INFO: Updated the priority.
- P1175: Insufficient software code control [Updated]
- INFO: Updated the match conditions.
- T1374: Ensure the integrity of software release and update delivery
- P1178: Lack of a process for ensuring the integrity of software release and update [Updated]
- INFO: Updated the match conditions.
- T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
- P1181: Lack of guidance on secure installation, maintenance and configuration of all software components [Updated]
- INFO: Updated the match conditions.
- T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications [Updated]
- INFO: Updated the priority.
- P1182: Lack of a communication channel for reporting security issues [Updated]
- INFO: Updated the match conditions.
- T1378: Release a change summary for each software update
- P1177: Lack of a process for creating summary of changes upon each software update [Updated]
- INFO: Updated the match conditions.
- T1380: Enforce secure user registration and access control
- P1185: Lack of process for user registration and enforcement of access control [Updated]
- INFO: Updated the match conditions.
- T1381: Establish secure processes for key management
- P1434: Lack of secure key management process [Updated]
- INFO: Updated the match conditions.
- T1382: Manage performance and capacity
- P1190: Lack of process for performance and capacity management [Updated]
- INFO: Updated the match conditions.
- T1383: Separate development, test, and operational environments
- TA6440: Create a production control plan (ISO 21434) [Added]
- P1191: Deploying software in production on the same environment as development and testing [Updated]
- INFO: Updated the match conditions.
- T1384: Back up and restore securely [Updated]
- INFO: Updated the priority.
- P1179: Secure backup and restore processes are missing or lacking [Updated]
- INFO: Updated the match conditions.
- T1385: Institute secure logging and event monitoring
- P1183: No secure processes for logging and monitoring events [Updated]
- INFO: Updated the match conditions.
- T1386: Regulate the use of electronic messaging [Updated]
- INFO: Updated the priority.
- T1387: Ensure the security of products acquired through the supply chain and contractors
- P1170: Lack of a secure process for outsourcing [Updated]
- INFO: Updated the match conditions.
- T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- P1225: Unmanaged test result findings [Updated]
- INFO: Updated the match conditions.
- T1389: Perform penetration testing [Updated]
- INFO: Updated the priority.
- P1184: Lack of a secure process for penetration testing [Updated]
- INFO: Updated the match conditions.
- T1892: Perform a Threat and Risk Assessment (TRA)
- TA6434: Perform risk analysis and treatments for a component (ISO 21434) [Added]
- TA6446: Identify assets and their damage scenarios (ISO 21434) [Added]
- TA6451: Identify threat scenarios and attack paths for assets (ISO 21434) [Added]
- TA6453: Determine an attack feasibility rating and risk value for each attack scenario (ISO 21434) [Added]
- P1187: Lack of a process for identifying and assessing threats [Updated]
- INFO: Updated the title and match conditions.
- T1893: Perform a cloud solution security posture assessment
- P1436: Lack of cloud solution security posture assessment [Updated]
- INFO: Updated the match conditions.
- T1894: Perform a vendor security assessment
- TA6435: Ensure the proper distribution of cybersecurity activities with other organizations (ISO 21434) [Added]
- P1437: Lack of vendor security assessment [Updated]
- INFO: Updated the match conditions.
- T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS) [Updated]
- INFO: Updated the priority.
- P1429: Applications not protected with Intrusion Detection / Protection System (IDS/IPS) [Updated]
- INFO: Updated the match conditions.
- T1915: Perform network vulnerability assessment [Updated]
- INFO: Updated the priority.
- P1438: Lack of network vulnerability assessment [Updated]
- INFO: Updated the match conditions.
- T1917: Perform container security assessment [Updated]
- INFO: Updated the priority.
- T1920: Conduct security architecture and design reviews before starting code development [Updated]
- INFO: Updated the priority.
- P1432: Lack of security architecture and design activities [Updated]
- INFO: Updated the match conditions.
- T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software [Updated]
- INFO: Updated the priority.
- P1433: Lack of third-party software code or dependencies management [Updated]
- INFO: Updated the match conditions.
- T1925: Maintain the default behavior for anonymous access (OpenShift) [Updated]
- INFO: Updated the priority.
- T1926: Verify that the default behavior for anonymous access is maintained (OpenShift) [Updated]
- INFO: Updated the priority.
- T1927: Disable basic-auth-file method (OpenShift) [Updated]
- INFO: Updated the priority.
- T1928: Verify that the basic-auth-file option has not been configured (OpenShift) [Updated]
- INFO: Updated the priority.
- T1929: Secure communication between API server and master nodes (OpenShift) [Updated]
- INFO: Updated the priority.
- T1930: Verify that the connection between API server and master node is secure (OpenShift) [Updated]
- INFO: Updated the priority.
- T1931: Prevent insecure bindings and insecure port access (OpenShift) [Updated]
- INFO: Updated the priority.
- T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1933: Do not disable secure-port for API server traffic (OpenShift) [Updated]
- INFO: Updated the priority.
- T1934: Verify that 'secure-port' is not disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1943: Use Security Context Constraints instead of SecurityContextDeny admission controllers (OpenShift) [Updated]
- INFO: Updated the priority.
- T1944: Verify that the list of admission controllers does not include SecurityContextDeny (OpenShift) [Updated]
- INFO: Updated the priority.
- T1945: Do not disable NamespaceLifecycle admission controller (OpenShift) [Updated]
- INFO: Updated the priority.
- T1946: Verify that the NamespaceLifecycle plugin is not disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1947: Configure auditing properly on the API server (OpenShift) [Updated]
- INFO: Updated the priority.
- T1948: Verify that API server auditing is configured properly (OpenShift) [Updated]
- INFO: Updated the priority.
- T1949: Do not set authorization-mode flag (OpenShift) [Updated]
- INFO: Updated the priority.
- T1950: Verify that the authorization-mode argument is not set to AlwaysAllow and Node authorizer is enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1951: Do not use static token files for authentication (OpenShift) [Updated]
- INFO: Updated the priority.
- T1952: Verify that static token files are not used (OpenShift) [Updated]
- INFO: Updated the priority.
- T1953: Ensure that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1954: Verify that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1955: Do not enable PodSecurityPolicy admission control plugin (OpenShift) [Updated]
- INFO: Updated the priority.
- T1956: Verify that the admission control plugin SecurityContextConstraint is set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1957: Ensure that etcd arguments are properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1958: Verify that etcd arguments are properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1959: Do not disable ServiceAccount admission controller (OpenShift) [Updated]
- INFO: Updated the priority.
- T1960: Verify that the admission control plugin ServiceAccount is set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1962: Verify that the admission control plugin NodeRestriction is set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1963: Encrypt data at rest in etcd datastore with aescbc encryption (OpenShift) [Updated]
- INFO: Updated the priority.
- T1964: Verify data at rest on etcd datastore is encrypted with aescbc encryption provider (OpenShift) [Updated]
- INFO: Updated the priority.
- T1965: Enable the APIPriorityAndFairness feature gate (OpenShift) [Updated]
- INFO: Updated the priority.
- T1966: Verify that the APIPriorityAndFairness feature gate is enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1967: Adjust the request timeout value (OpenShift) [Updated]
- INFO: Updated the priority.
- T1968: Verify that request timeout is set to an appropriate value (OpenShift) [Updated]
- INFO: Updated the priority.
- T1969: Do not expose profiling to the web (OpenShift) [Updated]
- INFO: Updated the priority.
- T1970: Verify that profiling is not exposed to the web (OpenShift) [Updated]
- INFO: Updated the priority.
- T1973: Do not disable use-service-account-credentials argument (OpenShift) [Updated]
- INFO: Updated the priority.
- T1974: Verify that use-service-account-credentials is not disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T1975: Do not change the default setting for service-account-private-key-file (OpenShift) [Updated]
- INFO: Updated the priority.
- T1976: Verify that the service-account-private-key-file argument is properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1977: Ensure that root-ca-file is properly set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1978: Verify that the root-ca-file argument is not set (OpenShift) [Updated]
- INFO: Updated the priority.
- T1979: Never give pods more privileges than required (OpenShift) [Updated]
- INFO: Updated the priority.
- T1980: Verify that Security Context Constraints get applied (OpenShift) [Updated]
- INFO: Updated the priority.
- T1983: Set permissions for sensitive files properly (OpenShift) [Updated]
- INFO: Updated the priority.
- T1984: Verify the permissions for the configuration files (OpenShift) [Updated]
- INFO: Updated the priority.
- T1985: Secure etcd communication (OpenShift) [Updated]
- INFO: Updated the priority.
- T1986: Verify that etcd communication is secure (OpenShift) [Updated]
- INFO: Updated the priority.
- T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift) [Updated]
- INFO: Updated the priority.
- T1990: Verify that Security Context Constraints are in use (OpenShift) [Updated]
- INFO: Updated the priority.
- T1999: Implement strong network policies (OpenShift) [Updated]
- INFO: Updated the priority.
- T2000: Verify network policies (OpenShift) [Updated]
- INFO: Updated the priority.
- T2001: Limit the use of privileged containers (OpenShift) [Updated]
- INFO: Updated the priority.
- T2002: Verify the usage of privileged containers (OpenShift) [Updated]
- INFO: Updated the priority.
- T2003: Do not disable the 'allow-privileged' flag (OpenShift) [Updated]
- INFO: Updated the priority.
- T2004: Verify that the 'allow-privileged' flag is not disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T2005: Disable anonymous requests (OpenShift) [Updated]
- INFO: Updated the title and text.
- T2007: Keep the default value for the authorization mode argument (OpenShift) [Updated]
- INFO: Updated the title, text, and priority.
- T2008: Verify that the authorization-mode argument is not set (OpenShift) [Updated]
- INFO: Updated the priority.
- T2011: Do not set the read-only-port argument (OpenShift) [Updated]
- INFO: Updated the priority.
- T2012: Verify that the read-only port is not enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T2013: Adjust the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
- INFO: Updated the priority.
- T2014: Verify the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
- INFO: Updated the priority.
- T2017: Ensure that the make-iptables-util-chains is set to true (OpenShift) [Updated]
- INFO: Updated the priority.
- T2018: Verify that make-iptables-util-chains is set to true for each machinepool (OpenShift) [Updated]
- INFO: Updated the priority.
- T2019: Do not enable the 'keep-terminated-pod-volumes' flag (OpenShift) [Updated]
- INFO: Updated the priority.
- T2020: Verify that the 'keep-terminated-pod-volumes' is not enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T2021: Ensure that the hostname-override is not set (OpenShift) [Updated]
- INFO: Updated the priority.
- T2022: Verify that hostname-override does not exist (OpenShift) [Updated]
- INFO: Updated the priority.
- T2023: Set the kubeAPIQPS event-qps argument to 0 (OpenShift) [Updated]
- INFO: Updated the priority.
- T2024: Verify that the value of event-qps is set to 0 (OpenShift) [Updated]
- INFO: Updated the priority.
- T2027: Do not enable cAdvisor endpoint (OpenShift) [Updated]
- INFO: Updated the priority.
- P1491: Enabling cAdvisor endpoint (OpenShift) [Updated]
- INFO: Updated the text.
- T2028: Verify that cAdvisor endpoint is not enabled (OpenShift) [Updated]
- INFO: Updated the priority.
- P1491: Enabling cAdvisor endpoint (OpenShift) [Updated]
- INFO: Updated the text.
- T2029: Do not disable rotate-certificates (OpenShift) [Updated]
- INFO: Updated the priority.
- T2030: Verify that rotate-certificates settings are not disabled (OpenShift) [Updated]
- INFO: Updated the priority.
- T2128: Notify users and regulators of breaches of personal information [Updated]
- INFO: Updated the title and text.
- T2137: Ensure that sensitive data is not recorded (iOS)
- P1545: Information Disclosure in iOS via ReplayKit Framework [Updated]
- INFO: Updated the match conditions.
- T2144: Implement CAN bus protocol properly (Connected Cars)
- P1548: Poor implementation of CAN bus protocol (Connected Cars) [Updated]
- INFO: Updated the match conditions.
- T2145: Enable gRPC Server-Client Certificate Authentication (.NET Core 3)
- P1549: Unauthenticated gRPC client-server communication [Updated]
- INFO: Updated the match conditions.
- T2164: N/A - Not Applicable [Updated]
- INFO: Updated the inclusion weakness.
- T2170: Ensure that personal information processed by the application meets data localization requirements [Updated]
- INFO: Updated the priority.
- T2172: Enforce the principle of least privilege (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2174: Avoid unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2176: Avoid mixing agents of varying trust levels (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2177: Generate unique and immutable identifiers in SoC (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2178: Ensure fabric access controls enablement before 3rd party hardware IPs (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2179: Block write operations to reserve bits (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2180: Review Access Control Policy (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2181: Evaluate write-once registers for proper configuration (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2182: Check lock bit protections for design consistency (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2183: Avoid using chicken bits (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2184: Disable access to security-sensitive information stored in fuses (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2187: Enforce proper implementation of wear leveling operations (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2188: Enforce proper protection against voltage and clock glitches (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2189: Prevent Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2190: Prevent mirroring regions with different values (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2191: Ensure using configured CPU hardware to support exclusivity of write and execute operations (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2192: Prevent incorrect selection of fuse values (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2193: Prevent incorrect comparison logic granularity (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2195: Ensure access control applied properly to Mirrored or Aliased Memory Regions (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2197: Prevent Improper Restriction of Security Token Assignment (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2198: Prevent improper handling of overlap between protected memory ranges (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2199: Prevent improper handling of single-event upsets (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2200: Ensure register interface does not allow software access to sensitive data (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2201: Enforce physical access control (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware)
- TA6432: Validate device firmware/software at the time of manufacturing (Hardware/Firmware) [Added]
- T2241: Ensure security version data is protected from tampering (Hardware/Firmware) [Updated]
- INFO: Updated the text and priority.
- T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2243: Protect against fault injection attacks (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2245: Protect against abnormal thermal range (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2256: Authenticate and log all access to registries containing sensitive or proprietary images
- P1650: Insufficient authentication for container registries [Updated]
- INFO: Updated the match conditions.
- T2257: Keep host OS components up-to-date
- P1651: Insufficient updates of host OS components [Updated]
- INFO: Updated the match conditions.
- T2258: Minimize host OS attack surface
- P1652: Large host OS attack surface [Updated]
- INFO: Updated the match conditions.
- T2262: Verify client certificate authentication is not used for users (Kubernetes) [Updated]
- INFO: Updated the priority.
- T2264: Verify network policies and CNI selection are appropriate (Kubernetes) [Updated]
- INFO: Updated the priority.
- T2271: Test to confirm that unauthorized access to sensitive data through debug or test interfaces is properly restricted (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2272: Test immutability of Root of Trust for storage (Hardware/Firmware) [Updated]
- INFO: Updated the priority.
- T2296: Securely install and configure all software components [Updated]
- INFO: Updated the priority.
- T2324: Verify whether privacy principles are applied for handling personal data [Updated]
- INFO: Updated the priority.
- T2327: Verify if a Privacy Impact Assessment is performed [Updated]
- INFO: Updated the priority.
- P1435: Lack of Privacy Impact Assessment (PIA) [Updated]
- INFO: Updated the match conditions.
- T2328: Verify if proper policies exist for processing sensitive personal data [Updated]
- INFO: Updated the priority.
- P1180: Lack of process for collecting and protecting sensitive data [Updated]
- INFO: Updated the match conditions.
- T2329: Verify if health data is handled securely [Updated]
- INFO: Updated the priority.
- T2330: Verify if children's personal information is handled securely [Updated]
- INFO: Updated the priority.
- T2331: Verify whether any plan exists for data privacy incident response [Updated]
- INFO: Updated the priority.
- T2337: Keep your infrastructure state secure (Terraform) [Updated]
- INFO: Updated the text.
- T2343: Define security-related roles and provide role-based training [Updated]
- INFO: Updated the match conditions.
- P1680: Lack of defining proper security roles and responsibilities [Updated]
- INFO: Updated the match conditions.
- T2344: Implement and augment supporting toolchains by automating SDLC security activities [Updated]
- INFO: Updated the match conditions.
- P1681: Lack of automation and implementation of supporting toolchains [Updated]
- INFO: Updated the match conditions.
- T2345: Define and implement criteria for software security checks [Updated]
- INFO: Updated the match conditions.
- TA6438: Enforce product cybersecurity validation (ISO 21434) [Added]
- P1682: Lack of proper criteria for software security checks [Updated]
- INFO: Updated the match conditions.
- T2346: Establish an organization-wide software and code repository
- P1683: Lack of organization-wide software and code repository [Updated]
- INFO: Updated the match conditions.
- T2347: Configure the Integrated Development Environment, Compilation, Interpreter, and Build Processes
- P1684: Lack of proper integration of the development environment and tools [Updated]
- INFO: Updated the cwe set and match conditions.
- T2348: Perform code reviews
- P1685: Lack of proper code reviews [Updated]
- INFO: Updated the match conditions.
- T2349: Configure software to have secure settings by default
- P1686: Lack of secure default settings [Updated]
- INFO: Updated the cwe set and match conditions.
- T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the priority and match conditions.
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2351: Verify that security-related roles and responsibilities are properly defined and assigned [Updated]
- INFO: Updated the match conditions.
- P1680: Lack of defining proper security roles and responsibilities [Updated]
- INFO: Updated the match conditions.
- T2352: Verify that supporting toolchains are properly implemented [Updated]
- INFO: Updated the match conditions.
- P1681: Lack of automation and implementation of supporting toolchains [Updated]
- INFO: Updated the match conditions.
- T2353: Verify that proper criteria for software security checks are defined and implemented [Updated]
- INFO: Updated the match conditions.
- TA6439: Verify product cybersecurity validation (ISO 21434) [Added]
- P1682: Lack of proper criteria for software security checks [Updated]
- INFO: Updated the match conditions.
- T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the priority and match conditions.
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2359: Configure a secure user authentication (Cloud) (2/2) [Updated]
- INFO: Updated the priority.
- T2360: Configure a secure user authorization (Cloud) (2/2) [Updated]
- INFO: Updated the priority.
- T2361: Design a secure application architecture for the cloud environment (Cloud) (2/2) [Updated]
- INFO: Updated the priority.
- T2368: Enable logging and protect log files in your cloud environment (Cloud) (2/4) [Updated]
- INFO: Updated the priority.
- T2369: Enable logging and protect log files in your cloud environment (Cloud) (3/4) [Updated]
- INFO: Updated the priority.
- T2370: Enable logging and protect log files in your cloud environment (Cloud) (4/4) [Updated]
- INFO: Updated the priority.
- T2371: Enable logs and configuration monitoring in your cloud environment (Cloud) (2/4) [Updated]
- INFO: Updated the priority.
- T2372: Enable logs and configuration monitoring in your cloud environment (Cloud) (3/4) [Updated]
- INFO: Updated the priority.
- T2373: Enable logs and configuration monitoring in your cloud environment (Cloud) (4/4) [Updated]
- INFO: Updated the priority.
- T2374: Verify that logging is enabled and log files are protected (Cloud) (2/2) [Updated]
- INFO: Updated the priority.
- T2375: Verify that log monitoring and configuration monitoring are enabled (Cloud) (2/3) [Updated]
- INFO: Updated the priority.
- T2376: Verify that log monitoring and configuration monitoring are enabled (Cloud) (3/3) [Updated]
- INFO: Updated the priority.
- T2379: Ensure compliance with ISO/SAE 21434 [Updated]
- INFO: Updated the match conditions.
- P1688: Lack of processes for the approval of vehicles with regards to cyber security and cyber security management system [Updated]
- INFO: Updated the match conditions.
- T2389: Prevent co-channel and adjacent channel interference
- P1693: Poor WiFi Settings Configuration [Updated]
- INFO: Updated the text and match conditions.
- T2392: Create an Incident Response Plan [Updated]
- INFO: Updated the text.
- TA6444: Create incident response plans (ISO 21434) [Added]
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2396: Verify that the organization has a Product Security Incident Plan
- TA6445: Verify incident response plans (ISO 21434) [Added]
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2419: Verify Cognito uses strong authentication requirements (Amazon Cognito) [Updated]
- INFO: Updated the match conditions.
- T2423: Verify the S3 backup for Kinesis Firehose delivery failures are checked regularly (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2428: Implement least privilege access to Kinesis streams (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2429: Verify least privilege access to Kinesis streams is implemented (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2433: Verify Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the priority.
- T2443: Verify proper permissions for files on worker nodes (Containerization) [Updated]
- INFO: Updated the priority.
- T2445: Verify secure authentication to and from worker nodes (Containerization) [Updated]
- INFO: Updated the priority.
- T2447: Verify the collection and protection of sensitive information on worker nodes (Containerization) [Updated]
- INFO: Updated the priority.
- T2449: Verify the availability of worker nodes (Containerization) [Updated]
- INFO: Updated the priority.
- T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization) [Updated]
- INFO: Updated the priority.
- T2456: Assign roles properly (Containerization) [Updated]
- INFO: Updated the text.
- T2470: Verify CloudWatch is used to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2480: Include Content-Disposition headers in API responses [Updated]
- INFO: Updated the text.
- T2490: Provision device with private/public key pair securely (Hardware/Firmware) [Added]
- P1721: Insecure storage of credentials (Hardware/Firmware) [Added]
- T2491: Verify that the device is securely provisioned with a private/public key pair (Hardware/Firmware) [Added]
- P1721: Insecure storage of credentials (Hardware/Firmware) [Added]
- T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware) [Added]
- P1722: Unsecure key generation (Hardware/Firmware) [Added]
- T2493: Verify that the device can generate opaque keys to encrypt OS files and data on the device (Hardware/Firmware) [Added]
- P1722: Unsecure key generation (Hardware/Firmware) [Added]
- T2494: Encrypt the bootloader (Hardware/Firmware) [Added]
- P1723: Unencrypted bootloader (Hardware/Firmware) [Added]
- T2495: Verify that the bootloader is encrypted (Hardware/Firmware) [Added]
- P1723: Unencrypted bootloader (Hardware/Firmware) [Added]
- T2496: Generate and forward audit logs (Hardware/Firmware) [Added]
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Added]
- T2497: Verify that the device generates and forwards audit logs (Hardware/Firmware) [Added]
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Added]
- T2498: Provide clear definitions for each component [Added]
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the text.
- T2499: Verify that clear definitions for each component exist [Added]
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the text.
- T2500: Verify that a Threat and Risk Assessment (TRA) is performed [Added]
- TA6447: Verify a proper risk analysis and treatments are performed (ISO 21434) [Added]
- TA6448: Verify the procedures for identifying assets and their damage scenarios (ISO 21434) [Added]
- TA6452: Verify that threat scenarios and attack paths are identified for each valuable asset (ISO 21434) [Added]
- TA6454: Verify the procedures for evaluating attack feasibility and risk rating (ISO 21434) [Added]
- P1187: Lack of a process for identifying and assessing threats [Updated]
- INFO: Updated the title and match conditions.
- T2501: Perform cybersecurity planning [Added]
- P1727: Lack of cybersecurity planning [Added]
- T2502: Define a cybersecurity policy for your organization [Added]
- P1726: Lack of an organizational cybersecurity policy [Added]
- T2503: Verify the cybersecurity policy of your organization [Added]
- P1726: Lack of an organizational cybersecurity policy [Added]
- T2504: Verify the cybersecurity plan [Added]
- P1727: Lack of cybersecurity planning [Added]
- T2505: Conduct cybersecurity assessments for components [Added]
- P1729: Lack of a cybersecurity assessment [Added]
- T2506: Verify the cybersecurity assessment report [Added]
- P1729: Lack of a cybersecurity assessment [Added]
- T2507: Verify vendor security assessment [Added]
- TA6436: Verify the proper distribution of cybersecurity activities with other organizations (ISO 21434) [Added]
- P1437: Lack of vendor security assessment [Updated]
- INFO: Updated the match conditions.
- T2509: Verify the separation of development, test, and operational environments [Added]
- TA6441: Verify your production control plan (ISO 21434) [Added]
- P1191: Deploying software in production on the same environment as development and testing [Updated]
- INFO: Updated the match conditions.
- T2510: Define cybersecurity goals and requirements for a component [Added]
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the text.
- T2511: Define procedures for decommissioning and terminating cybersecurity support [Added]
- P1730: Lack of procedures for decommissioning and terminating cybersecurity support [Added]
- T2512: Verify implemented procedures for decommissioning and terminating cybersecurity support [Added]
- P1730: Lack of procedures for decommissioning and terminating cybersecurity support [Added]
- T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component [Added]
- P1716: Lack of Technical Documentation [Updated]
- INFO: Updated the text.
- T2514: Establish coding and testing guidelines [Added]
- P1731: Lack of coding and testing guidelines [Added]
- T2515: Verify coding and testing guidelines [Added]
- P1731: Lack of coding and testing guidelines [Added]
- T2516: Verify that common software weaknesses and threats are identified and tracked [Added]
- TA6449: Verify the continuous monitoring, evaluation and management of security vulnerabilities (ISO 21434) [Added]
- P1187: Lack of a process for identifying and assessing threats [Updated]
- INFO: Updated the title and match conditions.
- T2517: Define cybersecurity specifications and post-development procedures [Added]
- P1732: Lack of cybersecurity specifications and post-development procedures [Added]
- T2518: Verify cybersecurity specifications and post-development procedures [Added]
- P1732: Lack of cybersecurity specifications and post-development procedures [Added]
- P1564: N/A - Not Applicable [Deactivated]
Changes to Project Properties and Profiles
- Q284: Context and Characteristics
- Q252: Application's Context and Characteristics
- A1350: Include general countermeasures in the Activity phase (process engineering tasks) in this project [Updated]
- INFO: Updated the text and description.
- Q352: Automotive [Added]
- Q353: In-scope for Automotive Cybersecurity Regulations [Added]
- A1358: ISO/SAE 21434 [Added]
- A1359: WP.29 R155 [Added]
New Just-in-Time Training
- PCI DSS (16)
- Defending Node (17)
2023.1
New features and enhancements
Advanced Reports
- Granular Permissions
- Added the ability to control and restrict user access to specific data sets or features within a reporting tool. This level of control allows administrators to tailor the user experience, ensuring that each user has access only to the data that is relevant to their role and responsibilities.
Authentication
- SAML V2 UI & Groups & Roles Assertions via API
- Upgraded the SAML user interface. This feature is currently disabled by default.
- Added new API endpoints under SAML V2 that support the ability to extend SAML authentication with Group & Role assertions from an Identity Provider.
Threat Model Diagrams
- Added the ability to import diagrams (in the UI only), specifically when the Diagrams feature flag is turned on. Imported diagrams do not have an impact on Threats, Weaknesses, or Countermeasures, but they do allow SD Elements to be the centralized repository where all threat modeling documentation is stored.
Components
- Built-in components
- Added the ability for users with customize_content permissions to edit built-in components in the SD Elements library. They can change the name, answer mapping and the Countermeasures list.
Other product improvements
Integrations
- Extended the content under Jira Integration to inform how Jira Comment Sync connects and how it is expected to work when enabled.
- Created a new table under LDAP documentation explaining expected behavior when managing the deactivation configurations under the LDAP Synchronization feature.
Survey
- Added a banner to the project survey page showing a survey status of either published (green banner) or draft (yellow banner).
Threat Model Diagrams
- Added a Threats feature flag to hide Threats from the UI.
Library
- Addressed a bug related to new library content not inheriting the parent content pack's active status.
- Updated the Import/Export tool to use Countermeasure instead of Task and Weakness instead of Problem in the files.
Content improvements summary
PCI DSS 4.0
- Added new Countermeasures, Additional Requirements, and a Regulation based on updated standards.
ASVS 4.0
- Added new Countermeasures and Additional Requirements to cover all ASVS v4.0 controls.
CMMC 2.0
- Mapped Countermeasures to CMMC v2, added new reports for Levels 1 and 2 CMMC v2 maturity, and created survey answers for CMMC v2.
CWE 4.10
- Updated SD Elements to account for deprecated Weakness listings and mapped SD Elements Weaknesses to CWE-1395.
TypeScript
- Added new How-to's for TypeScript.
Reusable Components
- Revised the countermeasures assigned to the built-in reusable components and improved the applicability of assignments.
Content additions and updates (as of March 28, 2023):
Compliance Regulations and Mappings
- Added CMMC V2 (Level 1)
- Added CMMC V2 (Level 2)
- Updated PCI-DSS-v4.0 [INFO: Updated the regulation sections].
- T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA6415: MFA requirements (PCI-DSS 4.0) [Added]
- TA6416: Implement a strong MFA system (PCI-DSS 4.0) [Added]
- T5: Use minimum standards for passwords
- TA6414: Password requirements (PCI-DSS 4.0) [Added]
- T6: Implement account lockout or authentication throttling
- TA6413: Account lockout or authentication throttling requirements (PCI-DSS 4.0) [Added]
- T9: Implement authorization and screening for highly sensitive transactions
- TA6403: Restrict user access to query repositories storing CHD (PCI-DSS 4.0) [Added]
- T14: Enforce the principle of least privilege [Updated]
- INFO: Updated the text.
- TA6401: Review user accounts and related access privileges periodically (PCI-DSS 4.0) [Added]
- TA6402: Review application and system and related access privileges periodically (PCI-DSS 4.0) [Added]
- T21: Ensure all data in transit is encrypted using a secure TLS channel
- TA6375: Safeguard PAN with strong cryptography during transmission (PCI-DSS 4.0) [Added]
- T24: Enforce idle session timeout
- TA6412: Timeout requirement (PCI-DSS 4.0) [Added]
- T31: Validate all forms of input
- I1867: Validate user input in TypeScript [Added]
- T45: Log potential critical security events
- TA6408: Identify and address failures in critical security control systems promptly (PCI-DSS 4.0) [Added]
- T53: Prevent the upload of malicious files and implement anti-malware solutions [Updated]
- INFO: Updated the title and text.
- TA6426: Evaluate system components not at risk from malware periodically (PCI-DSS 4.0) [Added]
- TA6427: Implement anti-malware solutions (PCI-DSS 4.0) [Added]
- P325: Unrestricted Upload of Unsafe File Types [Updated]
- INFO: Updated the text.
- T59: Use standard libraries for cryptography
- I1873: Encrypt sensitive data in TypeScript [Added]
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
- TA6430: Securely store and manage cryptographic keys to encrypt account data (PCI-DSS 4.0) [Added]
- T66: Prevent web pages from being loaded inside iFrame
- I1869: Prevent clickjacking in TypeScript [Added]
- T68: Encrypt Primary Account Number (PAN) in storage [Updated]
- INFO: Updated the title and text.
- TA6429: Manage the use of disk-level PAN encryption (PCI-DSS 4.0) [Added]
- P686: Plaintext Primary Account Number (PAN) [Updated]
- INFO: Updated the title.
- T74: Avoid HTTP parameter pollution
- I1872: Prevent HTTP parameter pollution in TypeScript [Added]
- T133: Mask Primary Account Number (PAN) when displayed [Updated]
- INFO: Updated the title and text.
- P686: Plaintext Primary Account Number (PAN) [Updated]
- INFO: Updated the title.
- T151: Use cryptographically secure random numbers [Updated]
- INFO: Updated the text.
- TA6393: ASVS Requirements - GUID v4 algorithm [Added]
- T186: Use recommended settings and the latest patches for third party libraries and software
- I1862: Perform Software Composition Analysis in TypeScript [Added]
- P728: Insufficient patching or use of insecure third party software/libraries [Updated]
- INFO: Updated the cwe set.
- T191: Follow best practices when handling primitive data types
- I1863: Use correct data types in TypeScript [Added]
- I1865: Use primitive types in TypeScript [Added]
- T197: Validate the signature of all remote code/updates to verify their origin and integrity (client side) [Updated]
- INFO: Updated the title, text, priority, and cwe set.
- TA5247: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Software Application) [Updated]
- INFO: Updated the text.
- TA5249: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Software Application) [Updated]
- INFO: Updated the text.
- TA5251: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Embedded Device) [Updated]
- INFO: Updated the text.
- TA5253: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Embedded Device) [Updated]
- INFO: Updated the text.
- TA5255: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Host Device) [Updated]
- INFO: Updated the text.
- TA5257: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Host Device) [Updated]
- INFO: Updated the text.
- TA5259: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Network Device) [Updated]
- INFO: Updated the text.
- TA5261: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Network Device) [Updated]
- INFO: Updated the text.
- TA5463: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
- INFO: Updated the text.
- I546: Signing data and verifying digital signatures [Updated]
- INFO: Updated the text.
- T244: Securely delete any unprotected sensitive data before a resource is released or shared
- TA6391: Securely delete any resource containing cardholder data (PCI-DSS 4.0) [Added]
- T322: Include HTTP Strict-Transport-Security headers in HTTPS responses
- I1871: Set HTTP Strict Transport Security (HSTS) in TypeScript [Added]
- T325: Use JavaScript Strict Mode
- I1864: Use strict mode in TypeScript [Added]
- T331: Enforce policies through content security policy (CSP) or XSS protection headers
- I1868: Set Content Security Policy in TypeScript [Added]
- T340: Use an account and identity management system [Updated]
- INFO: Updated the text.
- TA6410: Authorize each Lifecycle event for user IDs and authentication factors (PCI-DSS 4.0) [Added]
- TA6411: Disable inactive credentials (PCI-DSS 4.0) [Added]
- TA6417: Requirements for system or application accounts that can be used for interactive login (PCI-DSS 4.0) [Added]
- T344: Enforce different rules for access to the system based on the origin, type, and medium of request [Updated]
- INFO: Updated the title and text.
- T345: Check the integrity of critical configuration and data files
- TA6423: File integrity monitoring requirement (PCI-DSS 4.0) [Added]
- T349: Protect audit information and logs against unauthorized access
- TA6404: Keep and protect the integrity of audit logs (PCI-DSS 4.0) [Added]
- T353: Control the inbound and outbound data flow across the boundaries of zones [Updated]
- INFO: Updated the text.
- TA6369: Install NSCs between all wireless networks and the CDE (PCI-DSS 4.0) [Added]
- TA6370: Prevent direct access to cardholder data (PCI-DSS 4.0) [Added]
- T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
- P755: Lack of control over third-party hardware or software components [Updated]
- INFO: Updated the cwe set.
- T379: Provide sufficient documentation for security-related features [Updated]
- INFO: Updated the text.
- TA6373: Provide business justification for unsecured services (PCI-DSS 4.0) [Added]
- TA6379: Manage Cryptographic Cipher Suite (PCI-DSS 4.0) [Added]
- T435: Prevent web browsers from MIME sniffing
- I1870: Prevent MIME type sniffing in TypeScript [Added]
- T439: Verify that the origin and integrity of remote code and updates are checked (client side) [Updated]
- INFO: Updated the title, priority, and cwe set.
- T456: Change default security settings to the most stringent ones and disable unnecessary services and modules
- TA6372: Manage primary functions requiring different security levels (PCI-DSS 4.0) [Added]
- TA6374: Reduce the risk of using unsecured services (PCI-DSS 4.0) [Added]
- T542: Protect hardware modules against tampering and probing
- TA6390: Protect media with cardholder data (PCI-DSS 4.0) [Added]
- TA6392: Protect POI devices from tampering and unauthorized substitution (PCI-DSS 4.0) [Added]
- T849: Yield more often inside all goroutines [Deactivated]
- P938: Non-preemptive Goroutines [Deactivated]
- T850: Verify that all goroutines yield execution [Deactivated]
- P938: Non-preemptive Goroutines [Deactivated]
- T896: Design a secure architecture for AWS deployment (AWS)
- P942: Lack of Security Architecture [Updated]
- INFO: Updated the match conditions.
- T1067: Regenerate storage account access keys periodically (Microsoft Azure) [Updated]
- INFO: Updated the text.
- T1164: Secure swarm mode (Docker) [Updated]
- INFO: Updated the text.
- T1334: Ensure legacy authorization is set to disabled on Kubernetes Engine Clusters (Google Cloud) [Updated]
- INFO: Updated the text.
- T1378: Release a change summary for each software update
- TA6400: Securely manage changes to software (PCI-DSS 4.0) [Added]
- T1380: Enforce secure user registration and access control
- TA6409: Give each user a unique account (PCI-DSS 4.0) [Added]
- T1381: Establish secure processes for key management [Updated]
- INFO: Updated the text.
- TA6431: Define and implement key management processes (PCI-DSS 4.0) [Added]
- T1384: Back up and restore securely
- TA6397: Get approval for media with cardholder data leaving the facility (PCI-DSS 4.0) [Added]
- T1385: Institute secure logging and event monitoring
- TA6405: Review audit logs on a daily basis (PCI-DSS 4.0) [Added]
- TA6406: Retention policy of audit log history (PCI-DSS 4.0) [Added]
- TA6407: Configure systems to the correct and consistent time (PCI-DSS 4.0) [Added]
- T1386: Regulate the use of electronic messaging [Updated]
- INFO: Updated the phase.
- T1387: Ensure the security of products acquired through the supply chain and contractors
- P1170: Lack of a secure process for outsourcing [Updated]
- INFO: Updated the cwe set.
- T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- TA6418: Internal vulnerability scans (PCI-DSS 4.0) [Added]
- T1389: Perform penetration testing
- TA6419: Formal penetration testing methodology requirements (PCI-DSS 4.0) [Added]
- TA6420: Penetration testing requirements (PCI-DSS 4.0) [Added]
- TA6421: Repeat Penetration testing when required (PCI-DSS 4.0) [Added]
- TA6422: Penetration testing on CDE segmentation controls (PCI-DSS 4.0) [Added]
- T1669: Revoke powerful roles where they are not likely needed (Oracle Database) [Updated]
- INFO: Updated the text.
- T1890: Implement OAuth 2.0 securely on the resource server [Updated]
- INFO: Updated the text.
- T1892: Perform a Threat and Risk Assessment (TRA)
- TA6377: Provide and maintain up-to-date knowledge and assessment of risks to the CDE (PCI-DSS 4.0) [Added]
- TA6378: Perform risk analysis for PCI DSS requirements satisfied with a custom approach (PCI-DSS 4.0) [Added]
- T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
- TA6399: Protect all public payment pages (PCI-DSS 4.0) [Added]
- TA6424: Prevent intrusions into the CDE network (PCI-DSS 4.0) [Added]
- T1917: Perform container security assessment [Updated]
- INFO: Updated the phase.
- T1918: Integrate with SSO [Updated]
- INFO: Updated the phase.
- T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
- P1433: Lack of third-party software code or dependencies management [Updated]
- INFO: Updated the cwe set.
- T1971: Adjust the terminated-pod-gc-threshold argument as needed (OpenShift) [Updated]
- INFO: Updated the text.
- T2065: Configure TLS for secure connections to App Service (Microsoft Azure) [Updated]
- INFO: Updated the text.
- T2128: Develop a process to notify users and regulators of breaches of personal information [Updated]
- INFO: Updated the phase.
- T2170: Ensure that personal information processed by the application meets data localization requirements [Updated]
- INFO: Updated the phase.
- T2281: Secure access control (GraphQL) [Updated]
- INFO: Updated the text.
- T2284: Prevent DoS attacks (GraphQL) [Updated]
- INFO: Updated the text.
- T2343: Define security-related roles and provide role-based training
- TA6383: Conduct a formal security awareness program (PCI-DSS 4.0) [Added]
- TA6398: Provide security training for all personnel involved in software development (PCI-DSS 4.0) [Added]
- T2348: Perform code reviews [Updated]
- INFO: Updated the text.
- I1866: Perform code reviews in TypeScript [Added]
- T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the match conditions.
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
- INFO: Updated the match conditions.
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2391: Change the default value of the SSID and other wireless defaults [Updated]
- INFO: Updated the title and text.
- T2392: Create an Incident Response Plan [Updated]
- INFO: Updated the text.
- TA6388: Review and test Incident Response Plans (PCI-DSS 4.0) [Added]
- TA6389: Quickly respond to cleartext PAN detection events (PCI-DSS 4.0) [Added]
- P1687: Lack of a Product Security Incident Response [Updated]
- INFO: Updated the match conditions.
- T2397: Detect rogue stations in a wireless network
- TA6425: Identify and address unauthorized wireless access (WiFi) points (PCI-DSS 4.0) [Added]
- T2404: Enforce a minimum TLS version for API connections (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2405: Verify a minimum TLS version for API connections is used (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2406: Encrypt the API cache (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2407: Verify the API cache is encrypted (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2408: Ensure API Gateway actions are logged (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2409: Verify API Gateway actions are logged (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2410: Restrict outside access to internal APIs (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2411: Verify outside access to internal APIs is restricted (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2412: Protect APIs with a Web Application Firewall (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2413: Verify APIs are protected with a Web Application Firewall (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2414: Don't use API keys for authentication and authorization (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2415: Verify API keys are not the only mechanism for authentication and authorization (Amazon API Gateway) [Updated]
- INFO: Updated the match conditions.
- T2416: Encrypt Kinesis Firehose delivery streams (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2417: Verify Kinesis Firehose delivery streams are encrypted (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2422: Check the S3 backup for Kinesis Firehose delivery failures (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2423: Verify the S3 backup for Kinesis Firehose delivery failures are checked regularly (Amazon Kinesis Data Firehose) [Updated]
- INFO: Updated the match conditions.
- T2425: Encrypt Kinesis streams on the server (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2427: Verify Kinesis streams are encrypted on the server (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2428: Implement least privilege access to Kinesis streams (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2432: Ensure Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2433: Verify Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
- INFO: Updated the match conditions.
- T2434: Enable Web Application Firewall (AWS Web Application Firewall) [Updated]
- INFO: Updated the match conditions.
- T2435: Verify the Web Application Firewall is enabled (AWS Web Application Firewall) [Updated]
- INFO: Updated the match conditions.
- T2438: Ensure Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Updated]
- INFO: Updated the match conditions.
- T2440: Verify Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Updated]
- INFO: Updated the match conditions.
- T2468: Manage PCI-DSS compliance
- TA6371: Ensure devices that connect to untrusted environments cannot introduce threats to the CDE (PCI-DSS 4.0) [Added]
- TA6376: Establish PCI DSS required policies (PCI-DSS 4.0) [Added]
- TA6380: Review hardware and software technologies in use (PCI-DSS 4.0) [Added]
- TA6381: Formal responsibility for the security of cardholder data (PCI-DSS 4.0) [Added]
- TA6382: Review operational effectiveness of critical PCI DSS controls (PCI-DSS 4.0) [Added]
- TA6384: Reduce risks from insider threats by screening personnel (PCI-DSS 4.0) [Added]
- TA6385: Record third-party service providers (PCI-DSS 4.0) [Added]
- TA6386: Manage Third-Party Service Providers (PCI-DSS 4.0) [Added]
- TA6387: Ensure TPSPs support the PCI DSS compliance of their customers (PCI-DSS 4.0) [Added]
- TA6394: Implement physical access controls (PCI-DSS 4.0) [Added]
- TA6395: Manage physical access for personnel (PCI-DSS 4.0) [Added]
- TA6396: Manage physical access for visitors (PCI-DSS 4.0) [Added]
- TA6428: Limit and control account data storage (PCI-DSS 4.0) [Added]
- TA6366: Identify and confirm the scope of the PCI DSS [Updated]
- INFO: Updated the text.
- P1713: Lack of processes for the approval of compliance with PCI-DSS [Updated]
- INFO: Updated the match conditions.
- T2469: Use CloudWatch to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Added]
- P1714: Decryption failure [Added]
- T2470: Verify CloudWatch is used to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Added]
- P1714: Decryption failure [Added]
- T2473: Verify the presence of security constraints in all user stories and features [Added]
- P1716: Lack of Technical Documentation [Added]
- T2474: Include security constraints in all user stories and features [Added]
- P1716: Lack of Technical Documentation [Added]
- T2477: Test the re-deployment routines [Added]
- P1719: Lack of automated re-deployment plan [Added]
- T2478: Manage re-deployment routines [Added]
- P1719: Lack of automated re-deployment plan [Added]
- T2479: Test the Content-Disposition header in API responses [Added]
- T2480: Include Content-Disposition headers in API responses [Added]
- T2481: Define and apply configuration standards for Network Security Controls [Added]
- P1717: Lack of configuration standards for Network Security Controls [Added]
- T2482: Verify that configuration standards are implemented [Added]
- P1717: Lack of configuration standards for Network Security Controls [Added]
- T2483: Follow a control change management process [Added]
- P1718: Lack of change management for network connections and configurations [Added]
- T2484: Verify a change management procedure is in place [Added]
- P1718: Lack of change management for network connections and configurations [Added]
- T2485: Verify that remote code and updates are correctly encrypted and signed (server side) [Added]
- TA938: Test that SRI is used [Updated]
- INFO: Updated the inclusion standard.
- T2486: Encrypt and sign all remote code/updates (server side) [Added]
- TA179: DIACAP Notes [Updated]
- INFO: Updated the inclusion standard.
- TA251: EBA-Security of Internet Payments Notes [Updated]
- INFO: Updated the inclusion standard.
- TA795: Ruby on Rails: Preventing unwanted Remote Code Execution by using long key [Updated]
- INFO: Updated the inclusion standard.
- TA882: ASD-STIG requirements [Updated]
- INFO: Updated the text and inclusion standard.
- TA5461: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
- INFO: Updated the text and inclusion standard.
- TA5587: PCI-SSF (S3) / Signing all terminal software files [Updated]
- INFO: Updated the inclusion standard.
- I914: Signing JAR files in Java [Updated]
- INFO: Updated the inclusion standard.
- T2488: Detect and respond to unauthorized changes on payment pages (PCI-DSS 4.0) [Added]
- P1720: Insufficient control and response to unauthorized changes on payment pages [Added]
- T2489: Test that change-detection and tamper-detection mechanisms are implemented for payment pages (PCI-DSS 4.0) [Added]
- P1720: Insufficient control and response to unauthorized changes on payment pages [Added]
Changes to Project Properties and Profiles
- Q195: Language and Framework
- Q109: Programming Language
- Q110: Technology/Framework
- A1281: Flutter [Updated]
- INFO: Updated the question.
- Q201: Authorization
- Q117: Allows User Controlled Page Selection [Removed]
- Q202: More Features
- Q214: Miscellaneous
- A33: Uses multi-threaded programming [Updated]
- INFO: Updated the text and question.
- A90: Performs diagnostic/debug logging [Updated]
- INFO: Updated the text, description, and question.
- Q204: Financial Systems
- Q161: Payment Components
- A132: In-scope for PCI-DSS 3.2 [Updated]
- INFO: Updated the text and description.
- A1327: In-scope for PCI-SSS [Updated]
- INFO: Updated the children.
- A1357: In-scope for PCI-DSS 4.0 [Added]
- Q243: Internal Hidden Properties
- Q113: Version of Servlet Spec Supported [Removed]
- Q116: Uses Multi-Threaded Programming [Removed]
- Q143: Performs Diagnostic/Debug Logging [Removed]
- Q171: Uses Microsoft Enterprise Libraries [Removed]
- Q331: US Federal and NIST
- Q328: In-Scope for CMMC
- Q351: CMMC V2 Maturity Level [Added]
- A1354: Level 1 [Added]
- A1355: Level 2 [Added]
- Q329: CMMC V1 Maturity Level [Updated]
- INFO: Updated the text.
- A1275: CMMC V1 [Updated]
- INFO: Updated the text.
- A1356: CMMC V2 [Added]