User Guide

User Guide API Sysadmin

Refer to this page for information about version-specific improvements to SD Elements and associated content.

5.15 | 5.14 | 5.13 | 5.12 | 5.11 | 5.10 | 5.9 | 5.8 | 5.7 | 5.6 | 5.5 | 5.4 | 5.3 | 5.2 | 5.1 | 5.0 | 4.23 | 4.22 | 4.21 | 4.20 | 4.19 | 4.18 | 4.17 | 4.16 | 4.15 | 4.14 | 4.13 | 4.12 | 4.11 | 4.10 | 4.9 | 4.8 | 4.7 | 4.6 | 4.5 | 4.4 | 4.3 | 4.2 | 4.1 | 4.0 | 3.9 | 3.8 | 3.7 | 3.6 | 3.5 | 3.4 | 3.3 | 3.2 | 3.1 | 3.0 | 2.39 | 2.38 | 2.37 | 2.36 | 2.35 | 2.34 | 2.33 | 2.32 | 2.31 | 2.30 | 2.29 | 2.28 | 2.27 | 2.26 | 2.25 | 2.24 | 2.23 | 2.22 | 2.21 | 2.20 | 2.19 | 2.18 | 2.17 | 2.16 | 2.15 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10 | 2.9.X | 2.8 | 2.7 | 2.6 | 2.4 | 2.3 | 2.2 | 2.1 | 2.0

5.15

July 31, 2021

New features and enhancements

Library
- Problems
  - Added the ability to customize rules for built-in library Problems.
  - Added the ability to revert all customizations on a built-in library Problem.
- Content Pack Selector
  - Updated the Content Pack Selector page to be hidden by default.
    - All content pack selection functionality remains available through the API.
    - Contact support@sdelements.com to activate the Content Pack Selector page UI.
Risk Policy Widget redesign
- Updated to show the percentage of Tasks in a project that are risk-compliant.

Other product improvements

Risk Policy
- Fixed a bug where clicking the "Continue To Tasks" button on the Project Risk Policy page would navigate slowly to the Project Tasks page.

Content additions and updates (as of July 5, 2021):

Compliance Regulations and Mappings
- CSA Cloud Controls Matrix (CCM) v4.0.1
T1880: Encrypt data at rest for Lambda functions (AWS)
- I1287: How to encrypt data at rest for Lambda functions (AWS) [Updated]
  - INFO: Updated the text and language without changing the security content.
Changes to Project Properties and Profiles
- Q204: Financial Systems
  - Q161: Payment Components
    - A132: In-scope for PCI-DSS [Updated]
      - INFO: Updated tooltip.
    - A784: In-scope for PA-DSS [Updated]
      - INFO: Updated tooltip.
  - Q229: Financial Regulations
    - A1246: In-scope for NYDFS Cybersecurity Regulation [Updated]
      - INFO: Updated tooltip.
    - A1254: In-scope for MAS-TRMG Guidelines [Updated]
      - INFO: Updated tooltip.
- Q206: Privacy
  - Q160: Handles Personal Data
    - A130: Yes [Updated]
      - INFO: Updated tooltip.
    - Q224: Privacy Regulations
      - A746: PIPEDA [Updated]
        
        INFO: Updated tooltip.
      - A747: GAPP [Updated]
        
        INFO: Updated tooltip.
      - A750: ECPA [Updated]
        
        INFO: Updated tooltip.
      - A1148: GDPR [Updated]
        
        INFO: Updated tooltip.
      - A1255: CCPA [Updated]
        
        INFO: Updated tooltip.
  - Q236: In-Scope with Children's Privacy Compliance
    - Q238: In-Scope for COPPA Compliance
      - A780: Yes [Updated]
        
        INFO: Updated tooltip.
    - A779: Yes [Updated]
      - INFO: Updated tooltip.
- Q237: Compliance Scope: Other
  - Q225: Types of Emails Sent by the Application
    - A752: Advertisement or other solicitation emails [Updated]
      - INFO: Updated tooltip.
  - Q325: In-Scope for ISO 27001 Compliance
    - A1267: Yes [Updated]
      - INFO: Updated tooltip.
  - Q334: MASVS Level
    - A1296: Level 2 [Updated]
      - INFO: Updated tooltip.
    - A1297: R [Updated]
      - INFO: Updated tooltip.
  - Q336: In-Scope for China Cybersecurity Law
    - A1308: Yes [Updated]
      - INFO: Updated tooltip.
- Q254: Health Care Systems
  - Q223: Health Regulations
    - A145: In-scope for HIPAA compliance [Updated]
      - INFO: Updated tooltip.
- Q330: Cloud
  - Q319: In-Scope for FedRAMP Compliance
    - A1247: Yes [Updated]
      - INFO: Updated tooltip.
  - Q326: In-Scope for Cloud Security Matrix (CCM)
    - A1268: Yes [Updated]
      - INFO: Updated tooltip.
- Q331: US Federal and NIST
  - Q265: In-Scope for NIST 800-53 Compliance
    - A1107: Yes [Updated]
      - INFO: Updated tooltip.
  - Q328: In-Scope for CMMC
    - A1275: Yes [Updated]
      - INFO: Updated tooltip.
  - Q333: In-Scope for NIST Cybersecurity Framework
    - A1290: Yes [Updated]
      - INFO: Updated tooltip.
  - Q337: In-Scope for CNSSI Controls [Updated]
    - INFO: Updated tooltip.
    - A1309: Baseline [Updated]
      - INFO: Updated tooltip.
    - A1310: Overlays [Updated]
      - INFO: Updated tooltip.
New Just-in-Time Training
- Defending iOS (32 JITTs)
- Mobile Security Fundamentals (12 JITTs)

5.14

June 19, 2021

New features and improvements

Library
- Added the ability for Problems to be customized in the UI.
- Import / Export
  - Added the ability to import and export Compliance Regulations and their Sections.
    - Only available to a few SaaS customers as a beta release.
  - Updated JSON and YAML exported field orders to match CSV and XLSX.
- Project Overview
  - Added the ability for the Task completion widget to be filtered by Risk Policy.
Project Tasks
- Added labels for Task status in the list view, accordion expansion view, and Task detailed view.
- Added the ability to select individual Tasks via the API when accepting new content updates. This was formerly restricted to accepting all changes or none in the UI.
Dashboard
- Added the ability for the Activities Widget to track creating and modifying Business Units and applications, and archiving and unarchiving applications.
- Added a new search filter for project and application tags.

Other product improvements

Account settings
- Fixed a bug related to password recovery questions.
Project Problems
- Fixed a bug where a related manually added library Problem was not added to a project when a manually added library Task was added.
Reporting
- Fixed an issue with Risk Policy Reports not showing the correct percentage of completed Tasks when filtering by regulation.
- Updated Risk Policy Reports to show zero tasks for incomplete surveys.

Content additions and updates (as of May 25, 2021):

Compliance Regulations and Mappings
- Secure Controls Framework (SCF)
New Content Packs
- SCF
T29: Use anti-Cross-Site Request Forgery (CSRF) tokens [Updated]
- INFO: Updated links to the OWASP cheat sheet and community web site.
T186: Use recommended settings and the latest patches for third party libraries and software
- I296: Rails [Deactivated]
  - INFO: Removed T186 HowTo's.
- I297: Django [Deactivated]
  - INFO: Removed T186 HowTo's.
- I298: Spring Framework [Deactivated]
  - INFO: Removed T186 HowTo's.
- I299: Struts [Deactivated]
  - INFO: Removed T186 HowTo's.
- I300: Apache Tomcat [Deactivated]
  - INFO: Removed T186 HowTo's.
- I361: GnuTLS [Deactivated]
  - INFO: Removed T186 HowTo's.
- I362: OpenSSL [Deactivated]
  - INFO: Removed T186 HowTo's.
- I363: Apache HTTP Server [Deactivated]
  - INFO: Removed T186 HowTo's.
- I364: Apache Wicket [Deactivated]
  - INFO: Removed T186 HowTo's.
- I365: Apache MyFaces [Deactivated]
  - INFO: Removed T186 HowTo's.
- I366: Java [Deactivated]
  - INFO: Removed T186 HowTo's.
- I381: Bouncy Castle [Deactivated]
  - INFO: Removed T186 HowTo's.
- I432: Unix/Linux Bash [Deactivated]
  - INFO: Removed T186 HowTo's.
- I481: AFNetworking Library [Deactivated]
  - INFO: Removed T186 HowTo's.
- I503: Node.js [Deactivated]
  - INFO: Removed T186 HowTo's.
- I504: AngularJS/Angular [Deactivated]
  - INFO: Removed T186 HowTo's.
- I972: Docker [Deactivated]
  - INFO: Removed T186 HowTo's.
- I1040: jQuery [Deactivated]
  - INFO: Removed T186 HowTo's.
- I1495: Using SCA tools to keep third-party libraries up-to-date [Added]
T270: Follow best practices for storing application data on Android devices
- I402: Android storage options and considerations [Updated]
  - INFO: Updated the text to include the latest guidance.
T271: Prevent access to Android components if they do not need external communication [Updated]
- INFO: Updated text to include the latest guidance.
- I404: Disabling external access to Android components [Updated]
  - INFO: Updated the text.
T289: Verify that access to Android components is properly restricted [Updated]
- INFO: Updated text to include the latest guidance.
T440: Follow best practices when managing Android permissions [Updated]
- INFO: Updated text to include the latest guidance.
T2250: Implement secure authentication for connections (Bluetooth)
- P1646: Poor authentication in wireless technologies [Updated]
  - INFO: Updated the text to include the latest guidance on wireless technologies.
T2251: Implement secure authentication for connections (WiFi) [Added]
- P1646: Poor authentication in wireless technologies [Updated]
  - INFO: Updated the text to include the latest guidance on wireless technologies.
T2253: Use AES encryption in CCMP mode when WPA is applied (WiFi) [Added]
T2254: Use the most robust Security Operation Mode (WiFi) [Added]
- P1648: Weak authentication in PSK Mode [Added]
T2255: Protect personally identifiable information in wireless devices [Added]
- P1649: Lack of privacy protection in wireless technologies [Added]
Changes to Project Properties and Profiles
- Q197: Java Technologies
  - Q147: Third-Party Libraries Used
    - A165: Spring [Updated]
      - INFO: Removed Java EE / A97 from Match Conditions.
- Q276: Network Layer
  - Q339: Wireless Protocols Used
    - Q340: WiFi Persona [Added]
      - A1317: Client [Added]
      - A1318: Provider [Added]
    - A1316: WiFi [Added]
New Just-in-Time Training
- Defending Android
- Cloud Security Fundamentals

5.13

May 8, 2021

New features and improvement

Reporting
- Project Compliance Report
  - Added a checkbox for “Include Out of Scope Tasks” to filter or include out of scope tasks from the report.
Dashboard (new)
- Added the ability for Widgets to be filtered by application with a dropdown under the date range filter.

Library Import/Export
- Added a Rules field to the import and export of Answers.

Other product improvements

Library Answers
- Fixed an issue where editing Answers from the Library Question page caused the Answer field to change size.

Content additions and updates (as of April 12, 2021):

T194: Obtain user consent for tracking cookies
- TA3498: CNIL Cookie Guidelines (French Data Protection Authority) [Added]
T217: Use compiler settings to mitigate buffer overflows [Updated]
- Updated the text.
T2211: Include firmware update mechanism/feature (Hardware/Firmware)
- TA3497: Patch and upgrade software and firmware regularly (Bluetooth) [Added]
T2246: Use correct and approved cryptographic parameters and key lengths (Bluetooth) [Added]
T2247: Use the strongest Security Mode and Level in devices (Bluetooth) [Added]
- P1644: Improper implementation of Bluetooth security features [Added]
T2248: Provide appropriate range and power controls for secure communication (Bluetooth) [Added]
- P1645: Using a fixed frequency or high power levels for Bluetooth communication [Added]
T2249: Enforce strongest association model in Secure Simple Pairing (SSP) (Bluetooth) [Added]
- P1644: Improper implementation of Bluetooth security features [Added]
T2250: Implement secure authentication for connections (Bluetooth) [Added]
- P1646: Poor authentication in wireless technologies [Added]
Updated T186 with the latest security patch levels for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Apache Wicket
- Apache MyFaces
- Java
- Unix/Linux Bash
- Node.js
- AngularJS/Angular
- Docker
Updated the following code scanner mappings
- Checkmarx
- WhiteHat
Changes to Project Properties and Profiles
- Q276: Network Layer
  - Q339: Wireless Protocols Used [Added]
    - Q338: Bluetooth Persona [Added]
      - A1312: Developer [Added]
      - A1313: Manufacturer [Added]
    - A1314: Bluetooth [Added]
New Just-in-Time Training
- Privacy Fundamentals
- Defending Docker

5.12

New features and improvements

Project Survey Comments
- Added a new icon to each individual question on the project survey. Clicking on the icon opens up a new survey comments popover that displays all comments added to that question.
- The popover also contains an input field that users can use to create new comments. Each comment can be edited until the survey is saved or locked.
- A comment can be pinned to a question by clicking on the pin icon located on each comment. Pinning a comment displays that particular comment directly on the survey below the question.
- Known issues:
  - When editing or creating a comment, clicking on the edit icon again will cause all changes to be lost without warning.
  - Excessively long comments with no whitespace are pushed out and not displayed properly.
  - A double scroll bar is shown when a comment being created or edited is longer than 8 lines of text.
  - Clicking ‘Cancel’ while creating or editing a comment cancels without a warning.
Dashboard
- The CSV exports of Dashboard widgets now display a drilldown report of the data in the widget instead of aggregate counts.
- The ‘Active Entities’ widget has been renamed to ‘Activities’.
- The Activities and Active Projects widgets now show data from the last 12 months by default (changed from last 3 months).
- Widgets with no data show an empty state:
- The CSV export button is disabled.
- Widgets show a message indicating there is no data.
- Date Filtering
Added a date filter to the Dashboard.
Click on the Filter button on the Dashboard to open a panel with date range options for the filter. The filter is applied to all widgets on the dashboard.
Note: Dashboard is available only to SaaS and OSD customers on a container deployment.
Problems View
- Added a filter for filtering out problems with no related Tasks.
- Added a release carry over option for Project Specific Problems on the release carry over dialog.
- Added an option to carry over the Task status of related Tasks for Project Specific Problems.
- Added implicit release carry over behavior for Problems:
  - When a user selects retaining phases, all the status and notes of Tasks in that phase and their related Problems are carried over in the release project.
  - When a user selects Project specific Tasks retention, then the Project Specific Problems related to those Tasks are carried over in the release project.
- Added BU level behavior changes for Problems carry over.
- Added front-end messaging changes to indicate the release carry over for Problems.
Library Improvements
- Changed the default export file type to .csv format.
- Added copy improvements on import and export pages.
- Content item uuid uniqueness is now enforced.
- Rules field added to the import and export of the following content items:
  - Section
  - Subsection
  - Question
- Django multi import now supports multiple passes of saving. This allows for importing content items with bi-directional relationships.
Permissions and Roles
- Added the following global permissions:
  - View_all_business_unit: allows the user to view all business units.
  - sync_with_all_issue_tracker: allows the user to sync with an issue tracker to any project they have access to.
  - write_all_task_note: allows the user to write Task notes to any project they have access to.
  - verify_all_task: allows the user to verify Tasks to any project they have access to.
  - mark_all_task: allows the user to mark a Task status to any project they have access to.
A new global role was added:
- Sync Service: a user with this role can perform an issue tracker or verification tool sync with any project in the organization. This does not include LDAP sync.
Problem Summary Report (Project Reports)
- Added a risk policy filter checkbox to filter the report by risk relevant Tasks only.
Integrations
- JIRA Issue Tracker Plugin
  - Added support for using account IDs for JIRA user fields. JIRA has deprecated the usage of email addresses in user fields like ‘Assignee’. Integrations using email addresses need to switch to using the user’s account ID.
- Fortify Verification Tool Plugin
  - Added support for API Tokens to support Fortify v20 and later.
- Added support for Twistlock Infrastructure Scanner.

Content additions and updates (as of February 23, 2021):

T181: Validate models explicitly for fields the user is allowed to update
- I323: Rails (v3.0 and later) [Updated]
  - INFO: Updated title and text to reflect the changes in the new version.
- I1487: Rails (v3.0 and later) [Deactivated]
  - INFO: Removed as the content is covered and updated in I323.
T371: Provide unified and manageable interfaces for security settings and configuration parameters
- INFO: Updated text to fix a typo.
T2170: Ensure personal data processed by the application meets data localization requirements
- TA3485: China Cybersecurity Law (Article 37) – Data Localization [Updated]
  - INFO: Added new Match Condition "Yes - cce:/Operational Context:Compliance:China Cyber Law required, none excluded."
Updated T186 with the latest security patch levels for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Java
- Bouncy Castle
- Node.js
- AngularJS/Angular
- Docker
- jQuery
Changes to Project Properties and Profiles
- Q331: US Federal and NIST
  - Q337: In-Scope for CNSSI Controls [Added]
    - A1309: Baseline [Added]
    - A1310: Overlays [Added]

5.11

New features and improvements

New Dashboard
- For administrators and users with the new View Analytics permission, a new Dashboard experience is accessible in the Reporting menu.
Project Relationship page
- Added a new table that can be toggled via the new Relationships Icon on the Applications page.
- The new table indicates a project's parent project, base project in the Application, and whether it is a release project.
Project Overview page
- The page now shows two new fields:
  - Base Project: The base project of a release project
  - release: A flag indicating if the current project is a release project
Library Import and Export
- Added support for importing and exporting survey sections, questions, and answers.
  - This does not include the import and export of rules.
- Task import is no longer possible with a Project Specific Problem's ID.
Third party attributions page
- Added a page that lists third-party sources for the SD Elements Content Library.

Other product improvements

Accessibility
- Improved the contrast of user avatars.
  - Fixed a scrolling issue on tooltips where the survey page would scroll instead of the tooltip text.
  - Fixed an issue where the notes for a Task in a project did not display until another tab was selected.
API Changes
- Added support for upcoming improvements to reporting on Business Unit, Application, Project, Task, and Problem metrics.
- Projects model and 'api/v2/projects/' have new boolean flag field 'release_project'.
Domain Length
- Increased Domain Length from 50 characters to 100.
How-Tos Import/Export
- Fixed a slug error preventing users from importing custom How-Tos.
- Fixed a slug error where the field displayed longer exported/imported values for How-Tos.
Integrations
- Fixed an issue with syncing SAST findings in Whitehat.
- Fixed an issue where the global integration connection form became uneditable.
- Fixed an issue where certain AppScan findings were not being synced.
- Fixed an issue where some JIRA instances with next-gen projects encountered 400 errors when syncing.
- Fixed an issue where Checkmarx syncs would error if the scan's timestamp was in an unexpected format.
- Note: Remote Integration Agent users must redeploy with the latest version to apply all fixes.
Project Specific Problems (PSPs) in different projects
- Fixed an issue where PSPs in different projects could not have the same title.
- Fixed an issue where if a Task were imported with a Problem Specific Problem as its Problem, the application would not correctly provide a warning.
Library Tasks detail page
- Fixed an issue where the full text of a Problem's description was not visible within the view of an associated Task.
Training Modules
- Fixed a 404 issue found on newer training modules.
Training Report
- Fixed a 504 timeout issue when generating the report on an instance with large amounts of training data.

Content additions and updates (as of January 18, 2021):

Compliance Regulations and Mappings
- China Cybersecurity Law
- NIST 800-53 Rev. 5
- NIST 800-53B [New "High", "Moderate", "Low" and "Privacy" baselines.]
- ISO 27001:2013 [Updated the mapping.]
New Content Packs
- China Cyber Law
T7: Salt and hash stored passwords [Updated]
- Updated the recommendations about the salt storage.
T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
- Deleted Match Conditions "Changes Since Last Release - Changes to inbound/outbound interfaces (OR) Changes Since Last Release - Changes to servers/frameworks and/or configuration".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T59: Use standard libraries for cryptography
- TA3490: Follow cryptography best practices (Hardware/Firmware) [Added]
T87: Verify that all data in transit is encrypted using a secure TLS channel [Updated]
- Deleted Match Conditions "Changes Since Last Release - Changes to inbound/outbound interfaces (OR) Changes Since Last Release - Changes to servers/frameworks and/or configuration".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T146: Use encryption for network communications in mobile environments [Updated]
- Updated Match Conditions from "Type of Application - Mobile client AND Changes Since Last Release - Changes to inbound/outbound interfaces" to "Type of Application - Mobile client".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T151: Use cryptographically secure random numbers
- TA3491: Ensure a true random number generator is specified and implemented (Hardware/Firmware) [Added]
T173: Test that user data is transmitted over secure channel in mobile environment [Updated]
- Updated Match Conditions from "Type of Application - Mobile client AND Changes Since Last Release - Changes to inbound/outbound interfaces" to "Type of Application - Mobile client".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T205: Avoid inter-process race conditions
- TA3494: Follow best practices to avoid Race Conditions (Hardware/Firmware) [Added]
T210: Encrypt sensitive data during transmission for rich clients [Updated]
- Updated Match Conditions from "Changes Since Last Release - Changes to inbound/outbound interfaces AND Type of Application - Rich client" to "Type of Application - Rich client".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T244: Securely delete any unprotected sensitive data before a resource is released or shared
- TA3487: Remove sensitive information before releasing resources (Hardware/Firmware) [Added]
- TA3492: Prevent improper scrubbing of sensitive data from decommissioned devices (Hardware/Firmware) [Added]
- TA3493: Prevent sensitive data exposure due to Debug/Power State Transition (Hardware/Firmware) [Added]
- TA3496: Safeguard against confidentiality breach of sensitive remanent data [Added]
T302: Test that sensitive data is transmitted over secure channel for rich clients [Updated]
- Updated Match Conditions from "Changes Since Last Release - Changes to inbound/outbound interfaces AND Type of Application - Rich client" to "Type of Application - Rich client".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T327: Review security of Node.js modules before installation [Updated]
- Updated the hyperlinks and added a note about the usage of the npm-audit tool instead of Node Security Platform.
T379: Provide sufficient documentation for security-related features
- TA3495: Restrict undocumented and non-transparent resource sharing of microarchitectural resources (Hardware/Firmware) [Added]
T394: Secure one-time passwords (OTP) [Updated]
- Updated the recommendations about the salt storage.
T521: Protect the ZigBee network infrastructure with a Network Key [Updated]
- Updated Match Conditions from "Low-Power Protocols Used - ZigBee AND Changes Since Last Release - Changes to servers/frameworks and/or configuration" to "Low-Power Protocols Used - ZigBee".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T529: Verify that a Network Key is utilized in the ZigBee network [Updated]
- Updated Match Conditions from "Low-Power Protocols Used - ZigBee AND Changes Since Last Release - Changes to servers/frameworks and/or configuration" to "Low-Power Protocols Used - ZigBee".
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T538: Disable or protect JTAG interfaces in production
- TA3489: Ensure that password checking logic is resistant to timing attacks (Hardware/Firmware) [Added]
T540: Restrict direct memory access
- TA3488: Use IOMMU to orchestrate IO access (Hardware/Firmware) [Added]
T566: Enable network layer encryption for local area network communications [Updated]
- Updated Match Conditions. See Match Conditions footnotes for more details.
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T590: Verify that network layer encryption is enabled for local area network communications [Updated]
- Updated Match Conditions. See Match Conditions footnotes for more details.
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T620: Use SSL/TLS offloading, encryption and certificates with NGINX
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T875: Secure Apache SSL/TLS (Apache HTTP Server)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T876: Verify Apache SSL/TLS configuration (Apache HTTP Server)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T908: Require SSL/TLS for 'forms authentication' (Microsoft IIS)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T910: Configure transport layer security for 'basic authentication' (Microsoft IIS)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T942: Test that 'forms authentication' require SSL/TLS (Microsoft IIS)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T944: Test that transport layer security for 'basic authentication' is configured (Microsoft IIS)
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - Updated Match Conditions. See Match Conditions footnotes for more details.
T1915: Perform network vulnerability assessment
- TA3486: China Cybersecurity Law (Article 21) – Multi-Level Protection Scheme (MLPS) [Added]
T1925: Maintain the default behavior for anonymous access (OpenShift) [Updated]
- Updated text and title.
- P1440: Changing default behavior for anonymous access (OpenShift) [Updated]
  - Updated text and title.
T1926: Verify that the default behavior for anonymous access is maintained (OpenShift) [Updated]
- Updated text and title.
- P1440: Changing default behavior for anonymous access (OpenShift) [Updated]
  - Updated text and title.
T1927: Disable basic-auth-file method (OpenShift) [Updated]
- Updated text and title.
- P1441: Using static passwords (OpenShift) [Updated]
  - Updated text and title.
T1928: Verify that the basic-auth-file option has not been configured (OpenShift) [Updated]
- Updated text and title.
- P1441: Using static passwords (OpenShift) [Updated]
  - Updated text and title.
T1929: Secure communication between API server and master nodes (OpenShift) [Updated]
- Updated text and title.
- P1442: Unsecure connection between API server and node/kubelet (OpenShift) [Updated]
  - Updated text and title.
- I1308: OpenShift: How to see the cert and key used by the API server to sign service account tokens: [Updated]
T1930: Verify that the connection between API server and master node is secure (OpenShift) [Updated]
- Updated text and title.
- P1442: Unsecure connection between API server and node/kubelet (OpenShift) [Updated]
  - Updated text and title.
T1931: Prevent insecure bindings and insecure port access (OpenShift) [Updated]
- Updated text and title.
- P1443: Insecure binding or port access for API server (OpenShift) [Updated]
  - Updated text and title.
T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift) [Updated]
- Updated text and title.
- P1443: Insecure binding or port access for API server (OpenShift) [Updated]
  - Updated text and title.
T1933: Do not disable secure-port for API server traffic (OpenShift) [Updated]
- Updated text and title.
- P1444: Disabled secure-port flag (OpenShift) [Updated]
  - Updated text and title.
- I1310: OpenShift: How to make sure 'secure-port' is not disabled [Updated]
T1934: Verify that 'secure-port' is not disabled (OpenShift)
- P1444: Disabled secure-port flag (OpenShift) [Updated]
  - Updated text and title.
T1939: Disable AlwaysAdmit admission controller (OpenShift) [Updated]
- Updated text and title.
- P1447: Active AlwaysAdmit admission controller (OpenShift) [Updated]
  - Updated text and title.
- I1313: OpenShift: How to disable 'AlwaysAdmit' admission controller [Updated]
T1940: Verify that AlwaysAdmit admission controller is disabled (OpenShift) [Updated]
- Updated text and title.
- P1447: Active AlwaysAdmit admission controller (OpenShift) [Updated]
  - Updated text and title.
T1941: Disable the AlwaysPullImages admission control plugin (OpenShift) [Updated]
- Updated text and title.
- P1448: Active AlwaysPullImages admission controller (OpenShift) [Updated]
  - Updated text and title.
T1942: Verify that the admission control plugin AlwaysPullImages is not set (OpenShift) [Updated]
- Updated text and title.
- P1448: Active AlwaysPullImages admission controller (OpenShift) [Updated]
  - Updated text and title.
T1943: Use Security Context Constraints instead of SecurityContextDeny admission controllers (OpenShift) [Updated]
- Updated text and title.
- P1449: Using DenyEscalatingExec or SecurityContextDeny admission controllers (OpenShift) [Updated]
  - Updated text and title.
T1944: Verify that the list of admission controllers does not include SecurityContextDeny (OpenShift) [Updated]
- Updated text and title.
- P1449: Using DenyEscalatingExec or SecurityContextDeny admission controllers (OpenShift) [Updated]
  - Updated text and title.
T1945: Do not disable NamespaceLifecycle admission controller (OpenShift) [Updated]
- Updated text and title.
- P1450: Disabled NamespaceLifecycle admission controller (OpenShift) [Updated]
  - Updated text and title.
- I1316: OpenShift: How to make sure 'NamespaceLifecycle' plugin is not disabled [Updated]
T1946: Verify that the NamespaceLifecycle plugin is not disabled (OpenShift) [Updated]
- Updated text and title.
- P1450: Disabled NamespaceLifecycle admission controller (OpenShift) [Updated]
  - Updated text and title.
T1947: Configure auditing properly on the API server (OpenShift) [Updated]
- Updated text and title.
- P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift) [Updated]
  - Updated text and title.
T1948: Verify that API server auditing is configured properly (OpenShift) [Updated]
- Updated text and title.
- P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift) [Updated]
  - Updated text and title.
T1949: Do not set authorization-mode flag (OpenShift) [Updated]
- Updated text and title.
- P1452: Using authorization-mode flag (OpenShift) [Updated]
  - Updated text and title.
- I1317: OpenShift: How to make sure 'authorization-mode' is not set [Updated]
T1950: Verify that the authorization-mode argument is not set to AlwaysAllow and Node authorizer is enabled (OpenShift) [Updated]
- Updated text and title.
- P1452: Using authorization-mode flag (OpenShift) [Updated]
  - Updated text and title.
T1951: Do not use static token files for authentication (OpenShift) [Updated]
- Updated text and title.
- P1453: Using static token files (OpenShift) [Updated]
  - Updated text and title.
- I1318: OpenShift: How to make sure static token files are not used [Updated]
T1952: Verify that static token files are not used (OpenShift) [Updated]
- Updated text and title.
- P1453: Using static token files (OpenShift) [Updated]
  - Updated text and title.
T1953: Ensure that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
- Updated text and title.
- P1454: Using service-account-lookup or service-account-key-file arguments (OpenShift) [Updated]
  - Updated text and title.
- I1319: OpenShift: How to see public/private keys used by the API server to sign service account tokens [Updated]
T1954: Verify that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
- Updated text and title.
- P1454: Using service-account-lookup or service-account-key-file arguments (OpenShift) [Updated]
  - Updated text and title.
T1955: Do not enable PodSecurityPolicy admission control plugin (OpenShift) [Updated]
- Updated text and title.
- P1455: Enabling PodSecurityPolicy and SecurityContextConstraints at the same time (OpenShift) [Updated]
  - Updated text and title.
T1956: Verify that the admission control plugin SecurityContextConstraint is set (OpenShift)
- P1455: Enabling PodSecurityPolicy and SecurityContextConstraints at the same time (OpenShift) [Updated]
  - Updated text and title.
T1957: Ensure that etcd arguments are properly set (OpenShift) [Updated]
- Updated text and title.
- P1456: Unsecure communication to etcd (OpenShift) [Updated]
  - Updated text and title.
- I1321: OpenShift: How to see the cert and key used by the API server for etcd communication [Updated]
T1958: Verify that etcd arguments are properly set (OpenShift) [Updated]
- Updated text and title.
- P1456: Unsecure communication to etcd (OpenShift) [Updated]
  - Updated text and title.
T1959: Do not disable ServiceAccount admission controller (OpenShift) [Updated]
- Updated text and title.
- P1457: Inactive ServiceAccount admission controller (OpenShift) [Updated]
  - Updated text and title.
T1960: Verify that the admission control plugin ServiceAccount is set (OpenShift) [Updated]
- Updated text and title.
- P1457: Inactive ServiceAccount admission controller (OpenShift) [Updated]
  - Updated text and title.
T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
- Updated text and title.
- P1458: Disabled NodeRestriction admission plugin (OpenShift) [Updated]
  - Updated text and title.
T1962: Verify that the admission control plugin NodeRestriction is set (OpenShift) [Updated]
- Updated text and title.
- P1458: Disabled NodeRestriction admission plugin (OpenShift) [Updated]
  - Updated text and title.
T1963: Encrypt data at rest in etcd datastore with aescbc encryption (OpenShift) [Updated]
- Updated text and title.
- P1459: Unencrypted data on etcd (OpenShift) [Updated]
  - Updated text and title.
T1964: Verify data at rest on etcd datastore is encrypted with aescbc encryption provider (OpenShift) [Updated]
- Updated text and title.
- P1459: Unencrypted data on etcd (OpenShift) [Updated]
  - Updated text and title.
T1965: Enable the APIPriorityAndFairness feature gate (OpenShift) [Updated]
- Updated text and title.
- P1460: No rate limit for requests to API server (OpenShift) [Updated]
  - Updated text and title.
T1966: Verify that the APIPriorityAndFairness feature gate is enabled (OpenShift) [Updated]
- Updated text and title.
- P1460: No rate limit for requests to API server (OpenShift) [Updated]
  - Updated text and title.
T1967: Adjust the request timeout value (OpenShift) [Updated]
- Updated text and title.
- P1461: Inappropriate request timeout value (OpenShift) [Updated]
  - Updated text and title.
- I1323: OpenShift: How to change the 'request-timeout' value [Updated]
T1968: Verify that request timeout is set to an appropriate value (OpenShift) [Updated]
- Updated text and title.
- P1461: Inappropriate request timeout value (OpenShift) [Updated]
  - Updated text and title.
T1971: Adjust the terminated-pod-gc-threshold argument as needed (OpenShift) [Updated]
- Updated text and title.
- P1463: Inappropriate terminated-pod-gc-threshold value (OpenShift) [Updated]
  - Updated text and title.
T1972: Verify that the terminated-pod-gc-threshold and eviction arguments are set as appropriate (OpenShift) [Updated]
- Updated text and title.
- P1463: Inappropriate terminated-pod-gc-threshold value (OpenShift) [Updated]
  - Updated text and title.
T1973: Do not disable use-service-account-credentials argument (OpenShift) [Updated]
- Updated text and title.
- P1464: Disabling use-service-account-credentials argument (OpenShift) [Updated]
  - Updated text and title.
- I1325: OpenShift: How to make sure 'use-service-account-credentials' is not disabled [Updated]
T1974: Verify that use-service-account-credentials is not disabled (OpenShift) [Updated]
- Updated text and title.
- P1464: Disabling use-service-account-credentials argument (OpenShift) [Updated]
  - Updated text and title.
T1975: Do not change the default setting for service-account-private-key-file (OpenShift) [Updated]
- Updated text and title.
- P1465: Changing the default service-account-private-key-file (OpenShift) [Updated]
  - Updated text and title.
- I1326: OpenShift: How to make sure the 'service-account-private-key-file' argument is not set [Updated]
T1976: Verify that the service-account-private-key-file argument is properly set (OpenShift) [Updated]
- Updated text and title.
- P1465: Changing the default service-account-private-key-file (OpenShift) [Updated]
  - Updated text and title.
T1977: Ensure that root-ca-file is properly set (OpenShift) [Updated]
- Updated text and title.
- P1466: Changing the default root-ca-file (OpenShift) [Updated]
  - Updated text and title.
- I1327: OpenShift: How to make sure 'root-ca-file' argument is not set [Updated]
T1978: Verify that the root-ca-file argument is not set (OpenShift) [Updated]
- Updated text and title.
- P1466: Changing the default root-ca-file (OpenShift) [Updated]
  - Updated text and title.
T1979: Never give pods more privileges than required (OpenShift) [Updated]
- Updated text and title.
- P1467: Giving unnecessary privileges to the pods (OpenShift) [Updated]
  - Updated text and title.
T1980: Verify that Security Context Constraints get applied (OpenShift) [Updated]
- Updated text and title.
- P1467: Giving unnecessary privileges to the pods (OpenShift) [Updated]
  - Updated text and title.
T1981: Enable the RotateKubeletServerCertificate feature gate (OpenShift) [Updated]
- Updated text and title.
- P1468: Lack of certificate rotation (OpenShift) [Updated]
  - Updated text and title.
- I1328: OpenShift: How to rotate certificates [Updated]
T1982: Verify that RotateKubeletServerCertificate is set to true (OpenShift) [Updated]
- Updated text and title.
- P1468: Lack of certificate rotation (OpenShift) [Updated]
  - Updated text and title.
T1983: Set permissions for sensitive files properly (OpenShift) [Updated]
- Updated text and title.
- P1469: Improper permissions for sensitive files (OpenShift) [Updated]
  - Updated text and title.
- I1329: OpenShift: How to set the permissions for the configuration files [Updated]
T1984: Verify the permissions for the configuration files (OpenShift) [Updated]
- Updated text and title.
- P1469: Improper permissions for sensitive files (OpenShift) [Updated]
  - Updated text and title.
T1985: Secure etcd communication (OpenShift) [Updated]
- Updated text and title.
- P1470: Unsecure etcd communication (OpenShift) [Updated]
  - Updated text and title.
T1986: Verify that etcd communication is secure (OpenShift) [Updated]
- Updated text and title.
- P1470: Unsecure etcd communication (OpenShift) [Updated]
  - Updated text and title.
T1987: Follow the principle of least privilege (OpenShift) [Updated]
- Updated text and title.
- P1471: Granting excessive permissions (OpenShift) [Updated]
  - Updated text and title.
- I1493: OpenShift: How to remove 'cluster-admin' role from 'clusterrolebindings' [Added]
T1988: Verify that the cluster-admin role is only used where required (OpenShift) [Updated]
- Updated text and title.
- P1471: Granting excessive permissions (OpenShift) [Updated]
  - Updated text and title.
T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift) [Updated]
- Updated text and title.
- P1472: Loose access constraints for pods (OpenShift) [Updated]
  - Updated text and title.
T1990: Verify Security Context Constraints as in use (OpenShift) [Updated]
- Updated text and title.
- P1472: Loose access constraints for pods (OpenShift) [Updated]
  - Updated text and title.
T1991: Restrict access to projects only to the required users (OpenShift) [Updated]
- Updated text and title.
- P1473: Excessive access to projects (OpenShift) [Updated]
  - Updated text and title.
T1992: Verify that only required users are assigned to projects (OpenShift) [Updated]
- Updated text and title.
- P1473: Excessive access to projects (OpenShift) [Updated]
  - Updated text and title.
T1995: Enable and configure seccomp (OpenShift) [Updated]
- Updated text and title.
- P1475: Running containers with unconfined seccomp settings (OpenShift) [Updated]
  - Updated text and title.
T1996: Verify that Security Context Constraints have been configured with seccomp (OpenShift)
- P1475: Running containers with unconfined seccomp settings (OpenShift) [Updated]
  - Updated text and title.
T1997: Manage image provenance using ImagePolicy plugin (OpenShift) [Updated]
- Updated text and title.
- P1476: Lack of control on images run in a cluster (OpenShift) [Updated]
  - Updated text and title.
- I1330: OpenShift: How to edit the 'image.config.openshift.io/cluster' to configure Image Provenance [Updated]
T1998: Verify image policy configuration (OpenShift) [Updated]
- Updated text and title.
- P1476: Lack of control on images run in a cluster (OpenShift) [Updated]
  - Updated text and title.
T1999: Implement strong network policies (OpenShift) [Updated]
- Updated text and title.
- P1477: Lack of network access control (OpenShift) [Updated]
  - Updated text and title.
- I1492: OpenShift: How to create a network policy and and add proper NetworkPolicy objects [Added]
T2000: Verify network policies (OpenShift) [Updated]
- Updated text and title.
- P1477: Lack of network access control (OpenShift) [Updated]
  - Updated text and title.
T2001: Limit the use of privileged containers (OpenShift) [Updated]
- Updated text and title.
- P1478: Using privileged containers (OpenShift) [Updated]
  - Updated text and title.
T2002: Verify the usage of privileged containers (OpenShift) [Updated]
- Updated text and title.
- P1478: Using privileged containers (OpenShift) [Updated]
  - Updated text and title.
T2005: Do not enable the anonymous-auth flag (OpenShift) [Updated]
- Updated text and title.
- P1480: Setting the anonymous-auth flag to true (OpenShift) [Updated]
  - Updated text and title.
T2006: Verify that the anonymous-auth argument is set to false (OpenShift) [Updated]
- Updated text and title.
- P1480: Setting the anonymous-auth flag to true (OpenShift) [Updated]
  - Updated text and title.
T2007: Do not set the authorization-mode argument (OpenShift) [Updated]
- Updated text and title.
- P1481: Setting the authorization-mode argument (OpenShift) [Updated]
  - Updated text and title.
T2008: Verify that the authorization-mode argument is not set (OpenShift) [Updated]
- Updated text and title.
- P1481: Setting the authorization-mode argument (OpenShift) [Updated]
  - Updated text and title.
T2009: Do not change the default value of the client-ca-file argument (OpenShift) [Updated]
- Updated text and title.
- P1482: Improper configuration of the client-ca-file argument (OpenShift) [Updated]
  - Updated text and title.
T2010: Verify that the clientCAFile exists and is not changed (OpenShift) [Updated]
- Updated text and title.
- P1482: Improper configuration of the client-ca-file argument (OpenShift) [Updated]
  - Updated text and title.
T2011: Do not set the read-only-port argument (OpenShift) [Updated]
- Updated text and title.
- P1483: Enabling read-only port (OpenShift) [Updated]
  - Updated text and title.
T2012: Verify that the read-only port is not enabled (OpenShift) [Updated]
- Updated text and title.
- P1483: Enabling read-only port (OpenShift) [Updated]
  - Updated text and title.
T2013: Adjust the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
- Updated text and title.
- P1484: Improper value for the streaming-connection-idle-timeout argument (OpenShift) [Updated]
  - Updated text and title.
- I1332: OpenShift: How to set the 'streaming-connection-timeout' value [Updated]
T2014: Verify the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
- Updated text and title.
- P1484: Improper value for the streaming-connection-idle-timeout argument (OpenShift) [Updated]
  - Updated text and title.
T2015: Make sure that protect-kernel-defaults is not set (OpenShift) [Updated]
- Updated text and title.
- P1485: Setting the protect-kernel-defaults argument (OpenShift) [Updated]
  - Updated text and title.
T2016: Verify that protectKernelDefaults is not set (OpenShift) [Updated]
- Updated text and title.
- P1485: Setting the protect-kernel-defaults argument (OpenShift) [Updated]
  - Updated text and title.
T2017: Ensure that the make-iptables-util-chains is set to true (OpenShift) [Updated]
- Updated text and title.
- P1486: Disabling the make-iptables-util-chains flag (OpenShift) [Updated]
  - Updated text and title.
T2018: Verify that make-iptables-util-chains is set to true for each machinepool (OpenShift) [Updated]
- Updated text and title.
- P1486: Disabling the make-iptables-util-chains flag (OpenShift) [Updated]
  - Updated text and title.
T2021: Ensure that the hostname-override is not set (OpenShift) [Updated]
- Updated text and title.
- P1488: Disabling the hostname-override flag (OpenShift) [Updated]
  - Updated text and title.
T2022: Verify that hostname-override does not exist (OpenShift) [Updated]
- Updated text and title.
- P1488: Disabling the hostname-override flag (OpenShift) [Updated]
  - Updated text and title.
T2023: Set the kubeAPIQPS event-qps argument to 0 (OpenShift) [Updated]
- Updated text and title.
- P1489: Non-zero value for the event-qps argument (OpenShift) [Updated]
  - Updated text and title.
- I1491: OpenShift: How to edit 'kubeAPIQPS' parameters [Added]
T2024: Verify that the value of event-qps is set to 0 (OpenShift) [Updated]
- Updated text and title.
- P1489: Non-zero value for the event-qps argument (OpenShift) [Updated]
  - Updated text and title.
T2025: Ensure that tls-cert-file and tls-private-key-file are properly set (OpenShift) [Updated]
- Updated text and title.
- P1490: Improper value for the cert-dir argument (OpenShift) [Updated]
  - Updated text and title.
T2026: Verify that the kubelet-client-certificate and kubelet-client-key are properly set (OpenShift) [Updated]
- Updated text and title.
- P1490: Improper value for the cert-dir argument (OpenShift) [Updated]
  - Updated text and title.
T2029: Do not disable rotate-certificates (OpenShift) [Updated]
- Updated text and title.
- P1492: Disabling the RotateKubeletClientCertificate and RotateKubeletServerCertificate flags (OpenShift) [Updated]
  - Updated text and title.
T2030: Verify that rotate-certificates settings are not disabled (OpenShift) [Updated]
- Updated text and title.
- P1492: Disabling the RotateKubeletClientCertificate and RotateKubeletServerCertificate flags (OpenShift) [Updated]
  - Updated text and title.
T2170: Ensure personal data processed by the application meets data localization requirements [Added]
- TA3485: China Cybersecurity Law (Article 37) – Data Localization [Added]
T2171: Avoid observable discrepancy and side channel attacks (Hardware/Firmware) [Added]
- P1569: Observable discrepancy (Hardware/Firmware) [Added]
T2172: Enforce the principle of least privilege (Hardware/Firmware) [Added]
- P1570: Incorrect default permissions (Hardware/Firmware) [Added]
T2173: Ensure the expected behavior is implemented (Hardware/Firmware) [Added]
- P1571: Expected behavior violation (Hardware/Firmware) [Added]
T2174: Avoid unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Added]
- P1572: Unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Added]
T2175: Provide documentation for design (Hardware/Firmware) [Added]
- P1573: Missing documentation for design (Hardware/Firmware) [Added]
T2176: Avoid mixing agents of varying trust levels (Hardware/Firmware) [Added]
- P1574: Improper isolation of shared resources on SoC (Hardware/Firmware) [Added]
T2177: Generate unique and immutable identifiers in SoC (Hardware/Firmware) [Added]
- P1575: SoC using components without unique and immutable identifiers (Hardware/Firmware) [Added]
T2178: Ensure fabric access controls enablement before 3rd party hardware IPs (Hardware/Firmware) [Added]
- P1576: Power-on of untrusted execution core before enabling fabric access control (Hardware/Firmware) [Added]
T2179: Block write operations to reserve bits (Hardware/Firmware) [Added]
- P1577: Failure to disable reserved bits (Hardware/Firmware) [Added]
T2180: Review Access Control Policy (Hardware/Firmware) [Added]
- P1578: Insufficient granularity of access control (Hardware/Firmware) [Added]
T2181: Evaluate write-once registers for proper configuration (Hardware/Firmware) [Added]
- P1579: Race condition for write-once attributes (Hardware/Firmware) [Added]
T2182: Check lock bit protections for design consistency (Hardware/Firmware) [Added]
- P1580: Improper implementation of lock protection registers (Hardware/Firmware) [Added]
T2183: Avoid using chicken bits (Hardware/Firmware) [Added]
- P1581: Inclusion of undocumented features or chicken bits (Hardware/Firmware) [Added]
T2184: Disable access to security-sensitive information stored in fuses (Hardware/Firmware) [Added]
- P1582: Sensitive non-volatile information not protected during debug (Hardware/Firmware) [Added]
T2185: Prevent unauthorized access to sensitive data through debug or test interfaces (Hardware/Firmware) [Added]
- P1583: Improper access to sensitive information using debug and test interfaces (Hardware/Firmware) [Added]
T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Added]
- P1584: Improper finite state machines (FSMs) in hardware logic (Hardware/Firmware) [Added]
T2187: Enforce proper implementation of wear leveling operations (Hardware/Firmware) [Added]
- P1585: Improper write handling in limited-write non-volatile memories (Hardware/Firmware) [Added]
T2188: Enforce proper protection against voltage and clock glitches (Hardware/Firmware) [Added]
- P1586: Missing or improperly implemented protection against voltage and clock glitches (Hardware/Firmware) [Added]
T2189: Prevent Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Hardware/Firmware) [Added]
- P1587: Semiconductor defects in hardware logic with security-sensitive implications (Hardware/Firmware) [Added]
T2190: Prevent mirroring regions with different values (Hardware/Firmware) [Added]
- P1588: Mirrored regions with different values (Hardware/Firmware) [Added]
T2191: Ensure using configured CPU hardware to support exclusivity of write and execute operations (Hardware/Firmware) [Added]
- P1589: CPU hardware not configured to support exclusivity of write and execute operations (Hardware/Firmware) [Added]
T2192: Prevent incorrect selection of fuse values (Hardware/Firmware) [Added]
- P1590: Incorrect selection of fuse values (Hardware/Firmware) [Added]
T2193: Prevent incorrect comparison logic granularity (Hardware/Firmware) [Added]
- P1591: Incorrect comparison logic granularity (Hardware/Firmware) [Added]
T2194: Prevent hardware features to enable physical attacks from Software (Hardware/Firmware) [Added]
- P1592: Hardware features enable physical attacks from software (Hardware/Firmware) [Added]
T2195: Ensure access control applied properly to Mirrored or Aliased Memory Regions (Hardware/Firmware) [Added]
- P1593: Improper access control applied to mirrored or aliased memory regions (Hardware/Firmware) [Added]
T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Added]
- P1594: Exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Added]
T2197: Prevent Improper Restriction of Security Token Assignment (Hardware/Firmware) [Added]
- P1595: Improper restriction of security token assignment (Hardware/Firmware) [Added]
T2198: Prevent improper handling of overlap between protected memory ranges (Hardware/Firmware) [Added]
- P1596: Improper handling of overlap between protected memory ranges (Hardware/Firmware) [Added]
T2199: Prevent improper handling of single-event upsets (Hardware/Firmware) [Added]
- P1597: Improper handling of single event upsets (Hardware/Firmware) [Added]
T2200: Ensure register interface does not allow software access to sensitive data (Hardware/Firmware) [Added]
- P1598: Register interface allows software access to sensitive data or security settings (Hardware/Firmware) [Added]
T2201: Enforce Physical access control (Hardware/Firmware) [Added]
- P1599: Improper physical access control (Hardware/Firmware) [Added]
T2202: Prevent hardware logic with insecure De-Synchronization between control and data channels (Hardware/Firmware) [Added]
- P1600: Hardware logic with insecure desynchronization between control and data channels (Hardware/Firmware) [Added]
T2203: Prevent policy to use obsolete encoding (Hardware/Firmware) [Added]
- P1601: Policy uses obsolete encoding (Hardware/Firmware) [Added]
T2204: Enforce policy privilege assignments consistently between control and data agents (Hardware/Firmware) [Added]
- P1602: Policy privileges are not assigned consistently between control and data agents (Hardware/Firmware) [Added]
T2205: Prevent product released in none-release configuration (Hardware/Firmware) [Added]
- P1603: Product released in non-release configuration (Hardware/Firmware) [Added]
T2206: Prevent generation of incorrect security tokens (Hardware/Firmware) [Added]
- P1604: Generation of incorrect security tokens (Hardware/Firmware) [Added]
T2207: Prevent uninitialized value on reset for registers holding security settings (Hardware/Firmware) [Added]
- P1605: Uninitialized value on reset for registers holding security settings (Hardware/Firmware) [Added]
T2208: Restrict sharing device unlocking credentials across multiple parties (Hardware/Firmware) [Added]
- P1606: Device unlock credential sharing (Hardware/Firmware) [Added]
T2209: Prevent boot code tampering in the non-volatile memory (Hardware/Firmware) [Added]
- P1607: Insufficient protections on the volatile memory containing boot code (Hardware/Firmware) [Added]
T2210: Prevent signals conflict between a hardware IP and the parent system (Hardware/Firmware) [Added]
- P1608: Hardware child block incorrectly connected to parent system (Hardware/Firmware) [Added]
T2211: Include firmware update mechanism/feature (Hardware/Firmware) [Added]
- P1609: Firmware not capable of being updated (Hardware/Firmware) [Added]
T2212: Use Integrated Circuit (IC) Imaging Techniques to protect against hardware reverse engineering (Hardware/Firmware) [Added]
- P1610: Missing protection against reverse engineering using IC imaging techniques (Hardware/Firmware) [Added]
T2213: Implement access control checks before accessing the assets (Hardware/Firmware) [Added]
- P1611: Access control check implemented after asset is accessed (Hardware/Firmware) [Added]
T2214: Protect unexpected behavior of system due to sequence of processor instructions (Halt and Catch Fire) (Hardware/Firmware) [Added]
- P1612: Sequence of processor instructions leads to unexpected behavior (halt and catch fire) (Hardware/Firmware) [Added]
T2215: Prevent modification of immutable data (Hardware/Firmware) [Added]
- P1613: Assumed-immutable data is stored in writable memory (Hardware/Firmware) [Added]
T2216: Prevent modification of measurement reporting data by an untrusted agent (Hardware/Firmware) [Added]
- P1614: Mutable attestation or measurement reporting data (Hardware/Firmware) [Added]
T2217: Prevent security identifiers from unauthorized access while decoding (Hardware/Firmware) [Added]
- P1615: Incorrect decoding of security identifiers (Hardware/Firmware) [Added]
T2218: Prevent same Public Key usage for different environments (Debug and Production) (Hardware/Firmware) [Added]
- P1616: Public key re-use for signing both debug and production code (Hardware/Firmware) [Added]
T2219: Implement secure conversion of Security Identifiers (Hardware/Firmware) [Added]
- P1617: Incorrect conversion of security identifiers (Hardware/Firmware) [Added]
T2220: Implement secure mechanism to generate Security Identifiers (Hardware/Firmware) [Added]
- P1618: Insecure security identifier mechanism (Hardware/Firmware) [Added]
T2221: Prevent debugging messages revealing sensitive Information (Hardware/Firmware) [Added]
- P1619: Debug messages revealing unnecessary information (Hardware/Firmware) [Added]
T2222: Prevent incorrect Chaining or Granularity of Debug Components (Hardware/Firmware) [Added]
- P1620: Incorrect chaining or granularity of debug components (Hardware/Firmware) [Added]
T2223: Restrict access to confidential information on device by OSAT vendors (Hardware/Firmware) [Added]
- P1621: Unprotected confidential information on device is accessible by OSAT vendors (Hardware/Firmware) [Added]
T2224: Implement protections to alternate access paths and interfaces inside the SoC (Hardware/Firmware) [Added]
- P1622: Missing protection mechanism for alternate hardware interface (Hardware/Firmware) [Added]
T2225: Data remanence within the hardware component (Hardware/Firmware) [Added]
- P1623: Insufficient or incomplete data removal within hardware component (Hardware/Firmware) [Added]
T2226: Transaction without a security identifier (Hardware/Firmware) [Added]
- P1624: Missing security identifier (Hardware/Firmware) [Added]
T2227: Preserve the integrity of hardware configuration state (Hardware/Firmware) [Added]
- P1625: Improperly preserved integrity of hardware configuration state during a power save/restore operation (Hardware/Firmware) [Added]
T2228: Include functionality to patch Read-only-Memory (ROM) Code (Hardware/Firmware) [Added]
- P1626: Missing ability to patch ROM code (Hardware/Firmware) [Added]
T2229: Prevent improper translation of security attributes by Fabric Bridge (Hardware/Firmware) [Added]
- P1627: Improper translation of security attributes by fabric bridge (Hardware/Firmware) [Added]
T2230: Protect mirrored regions in On-Chip Fabric Firewall (Hardware/Firmware) [Added]
- P1628: Missing protection for mirrored regions in on-chip fabric firewall (Hardware/Firmware) [Added]
T2231: Protect debug logic (feature) runtime alterations and sensitive data exposure (Hardware/Firmware) [Added]
- P1629: Hardware allows activation of test or debug logic at runtime (Hardware/Firmware) [Added]
T2232: Use write protection for Parametric Data values (Hardware/Firmware) [Added]
- P1630: Missing write protection for parametric data values (Hardware/Firmware) [Added]
T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware) [Added]
- P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Added]
T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware) [Added]
- P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Added]
T2235: Put security checks in Fabric Bridge (Hardware/Firmware) [Added]
- P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Added]
T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware) [Added]
- P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Added]
T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Added]
- P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Added]
T2238: Protect alert signals against untrusted agents (Hardware/Firmware) [Added]
- P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Added]
T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware) [Added]
- P1637: Improper management of sensitive trace data (Hardware/Firmware) [Added]
T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware) [Added]
- P1638: Missing immutable root of trust in hardware (Hardware/Firmware) [Added]
T2241: Ensure security version data is protected from tampering (Hardware/Firmware) [Added]
- P1639: Security version number mutable to older versions (Hardware/Firmware) [Added]
T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware) [Added]
- P1640: Improper isolation of shared resources in network on chip (Hardware/Firmware) [Added]
T2243: Protect against fault injection attacks (Hardware/Firmware) [Added]
- P1641: Insufficient protection against instruction skipping via fault injection (Hardware/Firmware) [Added]
T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware) [Added]
- P1642: Unauthorized error injection can degrade hardware redundancy (Hardware/Firmware) [Added]
T2245: Protect against abnormal thermal range (Hardware/Firmware) [Added]
- P1643: Improper protections against hardware overheating (Hardware/Firmware) [Added]
Updated T186 with the latest security patch levels for third-party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- Java
- Bouncy Castle
- Unix/Linux Bash
- Node.js
Changes to Project Properties and Profiles
- Q205: Geography [Updated]
  - Updated title from "Organization" to "Geography".
- Q237: Compliance Scope: Other
  - Q336: In-Scope for China Cybersecurity Law [Added]
    - A1308: Yes [Added]
- Q278: Hardware Features
  - A1300: Hardware design and manufacturing is in scope [Added]
  - A1301: Firmware and software development for hardware is in scope [Added]
  - A1302: Implements cryptographic algorithms [Added]
  - A1304: Has Access Control settings [Added]
  - A1305: Hardware/firmware update is in scope [Added]
  - A1306: Hardware configuration is in scope [Added]
- Q220: Changes Since Last Release
  - A1307: Changes to hardware design [Added]
New Just-in-Time Training
- Cloud Security (3 JITTs)

Footnotes for Match Conditions

T566: Enable network layer encryption for local area network communications [Updated]
- Updated Match Conditions from:
  - IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to inbound/outbound interfaces
- To:
  - IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system
T590: Verify that network layer encryption is enabled for local area network communications [Updated]
- Updated Match Conditions from:
  - IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to inbound/outbound interfaces
- To:
  - IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system
P216: Clear Text and Unencrypted Transmission of Information [Updated]
- Updated Match Conditions from:
  - Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - New transactions / use cases
  - (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - New transactions / use cases
- To:
  - Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - New transactions / use cases
  - (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - New transactions / use cases
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to inbound/outbound interfaces
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to inbound/outbound interfaces
  - (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - New transactions / use cases
  - (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - Changes to inbound/outbound interfaces
  - (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - Changes to servers/frameworks and/or configuration

5.10

New features and improvements

Completion Status Report (Project Reports)
- Added a priority checkbox filter to filter reports by High, Medium, and Low priority Tasks.
- Added a Regulation Dropdown to filter report by Tasks that are relevant to a given regulation.
Project Risk Policy Report
- Added a Regulation Dropdown to filter reports by Tasks that are associated with a given regulation.
All Tasks Report CSV changes
- Added new columns to the All Tasks CSV Report.
- Problem ID, Problem Title, Risk Rating, Business Unit, Application, Project, Issue Tracker Tickets (JIRA, Rally, and so on), Custom Project Attributes.
License Usage Report
- Restructured data presentation and updated nomenclature to improve usability and ease of understanding.
- Note: These changes are to the report only and not to the software license itself.
Library Import and Export
- Added support for JSON and YAML formats.
- Added human readable foreign keys to supplement UUIDs in the exported files.
- Replaced the ‘copied_from’ column with a ‘Custom’ column that can be used to differentiate built-in and custom objects.
- Added support for importing and exporting match conditions for library content.
Project Survey
- Fixed an issue where empty survey sections still appeared even after disabling all answers in those sections via content packs.
- Fixed a frontend issue where custom implied answers were not being deselected automatically when deselecting their parent answers.
Activity Logs
- Added logging for Project Problem-related operations, such as Adding and Removing Manually Added Library Problems or Creating, Updating, and Deleting Project Specific Problems from a project under the Project and Global Activity logs.

Other product improvements

Minor UI improvements:
- Implemented new toasts/notifications that utilize an icon to better convey the type of notification.
- Changed "View Latest History" link on survey questions to an icon button.
- Added UI functionality for "No Role" users to view their account information (email, first name, last name), view their password reset questions, and view and edit their password.
- Fixed an issue with Azure DevOps integration using Closed Issue Status incorrectly.
- Fixed an issue with Checkmarx scan imports.
- Restricted access to internal network resources for issue tracker and verification tool connections.
  - OSD customers that are currently syncing with internal integration services can disable this functionality via the settings file. See the user guide for more details.

Content additions and updates (as of November 24, 2020):

Compliance Regulations and Mappings
- Updated PCI-DSS v3.2.1 compliance report
- Updated PA-DSS v3.2 compliance report
- Disabled PCI-DSS v2.0 compliance report [INFO: Outdated]
- Disabled PA-DSS v2.0 compliance report [INFO: Outdated]
- Added MASVS compliance reports and mappings
- Updated ASD-STIG compliance to Version 5
- Added CNSSI 1253 - Baseline compliance report
- Added CNSSI 1253 - Classified Information Overlay compliance report
- Added CNSSI 1253 - Privacy Overlay compliance report
- Added CNSSI 1253 - Space Platform Overlay compliance report
New Content Packs
- Compliance:CNSSI
- Compliance:MASVS
T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA2892: Mobile ASVS (section:4.8) Requirements [Added]
T6: Implement account lockout or authentication throttling
- TA2891: Mobile ASVS (section:2.15) Requirements [Added]
T46: Do not log confidential data
- I1489: Disable Logging Sensitive Information in Rails [Added]
T53: Prevent the upload of malicious files and malware
- P325: Unrestricted Upload of Unsafe File Types [Updated]
  - INFO: Updated text to include malicious file names.
T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
- INFO: Updated text to include avoid reusing same key for multiple purposes, and updated recommendation for using FIPS 140-2 to FIPS 140-3.
T61: Disable default accounts or change all default passwords
- TA840: ASD-STIG requirements for T61 [Updated]
  - INFO: Not an inclusive range. 68 Additional Requirements updated.
T107: Test that application forbids uploading or transferring malware
- P325: Unrestricted Upload of Unsafe File Types [Updated]
  - INFO: Updated text to include malicious file names.
T181: Validate models explicitly for fields the user is allowed to update
- I323: Rails (v3.0 and earlier) [Updated]
  - INFO: Changed title to specify the version.
- I1487: Rails (v3.0 and later) [Added]
T189: Minimize the use of unmanaged (native) code [Updated]
- INFO: Updated text to include securely allocate/free/use memory for unmanaged code.
T278: Follow best security practices when using WebView (Android) [Updated]
- INFO: Updated text to include MASVS requirements.
T324: Follow best security practices when using WKWebView (iOS) [Updated]
- INFO: Updated text to include MASVS requirements.
T331: Enforce policies through content security policy (CSP) or XSS protection headers [Updated]
- INFO: Updated title, added XSS protection as the task text explained it as a replacement.
T335: Sanitize user input before passing to NoSQL operators
- I1490: Secure Query Generation in Rails [Added]
T340: Use an account and identity management system [Updated]
- INFO: Updated text to include deny all access by default.
T445: Verify that only approved cryptographic algorithms and key lengths are used [Updated]
- INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
T542: Protect hardware modules against tampering and probing [Updated]
- INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
T543: Verify that hardware modules are protected against tampering and probing [Updated]
- INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
T1541: Decide on the best CSRF defense for your application [Updated]
- INFO: Updated text to add a CSRF defense flowchart.
T2167: Secure file storage [Added]
- P325: Unrestricted Upload of Unsafe File Types [Updated]
  - INFO: Updated text to include malicious file names.
- I1488: Deep File Name Sanitization in Ruby [Added]
TA2893 to TA3484: ASD-STIG requirements [INFO: Not an inclusive range. 302 Additional Requirements added.]
TA840 to TA909: ASD-STIG requirements [INFO: Not an inclusive range. 68 Additional Requirements updated.]
Updated T186 with the latest security patch levels for third-party libraries
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Apache Wicket
- Bouncy Castle
- Node.js
Updated the following code scanner mappings
- Checkmarx Static Code Analysis (CxSAST)
- WhiteHat Sentinel
Changes to Project Properties and Profiles
- Q202: More Features
  - Q214: Miscellaneous
    - A1288: Sends electronic messages and/or emails [Updated]
      - INFO: Changed the title from "Sends solicitation emails" to "Sends electronic messages and/or emails".
- Q237: Compliance Scope: Other
  - Q334: MASVS Level
    - A1295: Level 1 [Added]
    - A1296: Level 2 [Added]
    - A1297: R [Added]
New Just-in-Time Training
- BC/DR plan for cloud services

5.9

New features and improvements

Problems view
- Added a feature to create project-specific Problems through the New Problem form. Tasks can be added to the Problem by creating or editing project-specific Tasks.
- Added a Problem Source filter to narrow down Problems shown in the table (default content, custom content, manually added, project specific).
Tasks view
- Added a field to the New Task form for selecting the Problem the Task will belong to. Only available to project-specific tasks. Any Problem accepted into the project can be selected.
Project Survey
- Fixed an issue where disabling all content packs and deselecting an answer in the survey caused the survey to become unresponsive.
- Fixed an issue where disabling/enabling content packs failed to change the survey state accordingly (cache invalidation failed).
- Fixed an issue where disabling an answer that implied another answer that is selected in a project’s survey caused the survey to return a 500 error.
Integrations
- JIRA
  - Custom field mappings can now map to date type fields.
- Implemented SmartSync for Pivotal Tracker, reducing the number of API requests sent to Pivotal Tracker during a sync.
- Added the ability to replace strings of text in a Task description with custom values when the Task is synced to an issue tracker.
- Updated the user interface for custom field mapping to support multiline field values.
- Fixed SmartSync issue where statuses in the non-authoritative source are not synchronized if the authoritative source has not been updated.
- Deprecated APIs are no longer used when connecting to Archer.
- Fixed an issue with LDAP sync where character encoding was raising an exception when syncing users and groups.
System Settings
- Fixed a bug in the "Build Pipeline" page under the System Settings where the documentation links were not displaying.
- Fixed a security issue where LDAP credentials for superusers were exposed in the "Authentication" page under the System Settings.
Reports
- The OWASP Top 10 (2017) report title has been renamed to OWASP Top 10 (Latest).
- CSV export
  - Updated training list export so that only users with permission to Manage Users may download the CSV export.
  - Updated user list export so that only users with permission to Manage Users may download the CSV export.
- All Tasks Report
  - The CSV export now includes the following additional fields associated with the Task and Custom Project attributes: Problem ID, Problem Title, Risk rating, Application, Business Unit, Project, Issue Tracker Ticket.
- Problem Summary Report
  - Fixed a bug where duplicate rows showed for the same problem.
Manage Groups
- Fixed a bug where the page was not loading if there were a large number of LDAP groups.

Content additions and updates (as of September 18, 2020):

Compliance Regulations and Mappings
- OWASP Top 10 (2017) renamed to OWASP Top 10 (Latest)
- 2020 CWE Top 25 Most Dangerous Software Weaknesses
- NIST 800-53 Mandates compliance reports
  - Added to specify more granular sub-control mappings (Mandates) to our NIST 800-53 SDE content. The compliance reports are mapped to the NIST 800-53 impact levels:
    - NIST 800-53 Mandates (High) compliance report
    - NIST 800-53 Mandates (Moderate) compliance report
    - NIST 800-53 Mandates (Low) compliance report
T202: Prevent buffer overflow/underflow
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T217: Use compiler settings to mitigate buffer overflows
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T256: Test that compiler settings are set to mitigate buffer overflows
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T1146: Enable DEP and ASLR on your server
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T1147: Verify that DEP and ASLR are enabled on your server
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T1366: Identify applicable compliance regulations
- TA2889: Identify compliance regulations of the cloud infrastructure (Cloud) [Added]
T2134: Compile iOS applications with PIE and ARC flags
- P21: Buffer Copy without Checking the Bounds [Updated]
  - Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
T2158: Ensure that data is deleted securely and efficiently from storage (Cloud) [Added]
- P1558: Insecure or ineffective erasure of data [Added]
T2159: Ensure security of virtualized environments (Cloud) [Added]
- P1559: Insecure virtualization [Added]
T2160: Avoid vendor lock-in as a customer when migrating into or out of solutions (Cloud) [Added]
- P1560: Insufficient data portability in the cloud and insecure migration to the cloud (in and out) [Added]
T2161: Ensure the cloud management interface is secured properly (Cloud) [Added]
- P1561: Insecure cloud management interface [Added]
T2162: Prevent malicious insider risks and privileged user abuse in cloud providers (Cloud) [Added]
- P1562: Malicious insiders and abuse of high privilege roles [Added]
T2163: Ensure the security of hypervisors (Cloud) [Added]
- P1563: Lack of hypervisor security [Added]
T2164: N/A - Not Applicable [Added]
- Used to identify not applicable sections in the NIST Mandates compliance reports
- P1564: N/A - Not Applicable [Added]
  - Used to identify not applicable sections in the NIST Mandates compliance reports
T2165: Ensure security governance when outsourcing to cloud providers (Cloud) [Added]
- P1565: Loss of control over security of supply chain [Added]
- TA2890: Supplier security assessment (Cloud) [Added]
T2166: Ensure business continuity over cloud services (Cloud) [Added]
- P1566: Lack of business continuity and disaster recovery processes [Added]
Updated T186 with the latest security patch levels for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Apache HTTP Server
- Java
- Bouncy Castle
- Node.js
Updated the following code scanner mappings
- Checkmarx
- AppScan
- WebInspect
- WhiteHat
Changes to Project Properties and Profiles
- Q196: Web Technologies
  - Q191: Web Client Technologies Used
    - A94: Uses iFrames [Updated]
      - Updated Match Conditions from "The application is a generic web application." to "The application is a generic web application. OR Frontend"
    - A792: HTML5 [Updated]
      - Updated Match Conditions from "The application is a generic web application. OR Rich client" to "The application is a generic web application. OR Rich client OR Frontend"
    - A1192: CORS [Updated]
      - Updated Match Conditions from "The application is a generic web application." to "The application is a generic web application. OR Frontend"
- Q219: General Changes
  - Q220: Changes Since Last Release
    - A1294: Changes to processes/activities [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A1293: Cloud [Added]
- Q258: Architecture/Environment
  - Q322: Architecture
    - A1142: Contains multiple components that communicate through a network [Updated]
      - Added tooltip clarifying use case
- Q262: External Dependencies
  - Q259: External Code/Data
    - A1157: Uses remote procedure calls (RPC) or object serialization/deserialization [Updated]
      - Added tooltip clarifying use case
- Q284: Context and Characteristics
  - Q252: Application's Context and Characteristics
    - A744: The application handles health data [Updated]
      - Added tooltip describing Personal Health Information
    - A1291: Consumes cloud services [Added]
    - A1292: Provides cloud services [Added]
New Just-in-Time Training
- Defending Databases (7 JITTs)
- OWASP Top 10 (40 JITTs)

5.8

New features and improvements

Manually added Library Problems
- Added the ability to manually add Library Problems directly to a Project from the Problems View using the New Problem (+) button.
- Added the ability to delete a manually added Library Problem from the Problems View.
- Problems View
  - Added the ability to filter Tasks and Problems by Task Status, Assigned Users, and Task Priority.
User Interface
- Increased maximum character lengths for Compliance Regulation fields:
  - Compliance Regulation and Compliance Regulation Section name field increased to 500 characters.
  - Compliance Regulation Section description field increased to 5000 characters.
Activity Logs
- Added the ability to export a project’s survey history from Activity Logs:
  - Added an export button on the project survey and project activity log to download the project survey history as a CSV file.
  - Added an export button on global activity log to download the survey history of all projects as a CSV file.
- Updated Activity Log entries for project survey changes to display the number of changes instead of all individual changes.
Status mapping
- Custom status mapping fields in their supported issue tracker connections are now pre-populated with the required SD Elements status mappings on the creation form:
  - Made minor UI additions and description updates to improve user experience.
  - Changed ordering of the custom status mappings to align with updated descriptions.

Other product improvements

Fixed an issue synchronizing with Checkmarx version 8.6 and later.
Updated confirmation messages for deleting risk policy configurations.
Survey history now displays actions taken, actor, and time for each answer.
Modifying the email address or accessing the password reset link of a Super User now requires Super User permissions.
Significantly improved the load time of the Project Survey by 30-50%.

Content additions and updates (as of July 24, 2020):

Compliance Regulations and Mappings
- Added NIST Cybersecurity Framework (CSF) compliance report
- Removed the regulation for OWASP Top 10 (2013)
New Content Packs
- NIST CSF
T4: Use configurable password policies [Updated]
- Updated text
T5: Use minimum standards for passwords [Updated]
- Updated text
T20: Generate unique session IDs and reset old IDs after authentication [Updated]
- Updated text
T1144: Prevent Server-Side Template Injection (SSTI) [Updated]
- Updated text
T1145: Verify if web page template is vulnerable to SSTI [Updated]
- Updated text
T2157: Secure email and messaging in web applications [Added]
Updated T186 with the latest security patch levels for third-party libraries
- Django
- Spring Framework
- Struts
- Apache Tomcat
- Apache Wicket
- Apache MyFaces
- Java
- Bouncy Castle
- Node.js
Changes to Project Properties and Profiles
- Q193: Application Type
  - Q101: Type of Application
    - A1289: Frontend [Added]
- Q202: More Features
  - Q214: Miscellaneous
    - A1288: Sends solicitation emails [Added]
- Q237: Compliance Scope: Other
  - Q225: Type of Emails Sent by the Application
    - A752: Advertisement or other solicitation emails [Updated]
      - Updated tooltip description
- Q331: US Federal and NIST
  - Q333: In-Scope for NIST Cybersecurity Framework [Added]
    - A1290: Yes [Added]
New Just-in-Time Training
- Microservices (5 modules)
- OpSec Fundamentals (10 modules)
- Defending Android (26 modules)

5.7

New features and improvements

Advanced Project Classification mode
- Replaced the checkbox for toggling Project Classification on and off.
- Added a toggle to switch to Advanced mode in the UI.
- Added a “Factors” tab on the Project Classifications page where you can add, edit, and delete Factors.
- Added a form to create Factors in the UI.
- Updated the Project Classification documentation: https://docs.sdelements.com/release/latest/guide/docs/projects/project_classification.html
User Interface
- Project Survey
  - Changed “No Profile” to “Blank” in Profile selection and updated the description to be more informative.
  - Added a tab for the Project Survey to make it easier to locate.
- Problems View
  - Added a checkbox to filter Problem Tasks by Risk Policy relevance.
- Verification
  - The Whitesource reference field in verification notes are now clickable links.
- “Problems” string customization
  - Admins can now customize the “Problems” string from System > UI Customization.
- Forms
  - Introduced secondary buttons to forms with more than primary and Cancel actions.
API
- The Project Problems API GET endpoint calls now require {project_id}-{problem_id} instead of {problem_id}.
- Removed ‘related_tasks’. Users should now use Problem Tasks API endpoints to return related tasks for a Problem.

Other product improvements

Fixed an issue in Library Import/Export where re-importing certain content items with non-standard encodings caused a crash.
Improved error messages in Library Import/Export.
Fixed an issue where a user removed from an LDAP group was not removed from its corresponding SD Elements group following a sync.
Removed the reordering disclaimer in Project Survey subsections as the action was not possible.
Fixed a tooltip bug on the Phases page.
Fixed a bug where Project Problems were not accepting related task changes made in the library.
Fixed a bug on the Problem view caused by rapidly expanding Problems in quick succession.
Fixed long business unit name column overflow in PDF License Usage reports.
Fixed an error that caused a crash if content had empty backticks (``).
Fixed a bug that prevented Reports windows to close when transitioning between Profile and Survey Questions pages in the Project Survey.
Improved the sorting performance on Global Reports page when sorting by Task Completion %.

Content additions and updates (as of June 12, 2020):

New Content Packs
- Connected Cars
- YAML
T2: Secure the password reset mechanism
- I1455: ASP.NET Core / VB: Generic forget password request messages [Added]
T4: Use configurable password policies
- I1477: ASP.NET Core / VB: Password Requirements Configuration [Added]
T6: Implement account lockout or authentication throttling
- I1481: ASP.NET / VB account lockout [Added]
- I1483: ASP.NET Core / VB: Account lockout [Added]
T7: Salt and hash stored passwords
- I1475: ASP.NET Core / VB: String Hashing [Added]
T8: Use Consistent Error Handling for All Authentication Failures
- I1468: ASP.NET Core / VB: Generic login failure messages [Added]
- I1471: ASP.NET / VB consistent error handling [Added]
T15: Centralize authorization
- I1435: ASP.NET / VB centralized authorization [Added]
T16: Authorize every non-public page
- I1428: ASP.NET / VB non-public page authorization [Added]
- I1429: ASP.NET Core / VB: Authorize non-public pages [Added]
T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
- Updated text
- TA241: WCF - Use X509 Certificates Instead of NTLM [Updated]
  - Updated text
- TA751: Use strong encryption algorithms if credit card information is transmitted [Updated]
  - Updated text
- TA965: Choice of cipher [Updated]
  - Updated text
- I479: Apache HTTP Server [Updated]
  - Updated text
T22: Set secure flags on session cookies
- I1433: ASP.NET Core / VB: Sending cookies over HTTPS [Added]
T23: Set HttpOnly flag on session cookies
- I1459: ASP.NET Core / VB: Setting HttpOnly Flag [Added]
T25: Enforce absolute session timeouts
- I1474: ASP.NET Core / VB: Absolute session timeout [Added]
T26: Expire sessions on logout
- I1458: ASP.NET / VB clear sessions on logout [Added]
T28: Avoid 'Remember Me' features
- I1470: ASP.NET / VB: Disable 'Remember Me' functionality [Added]
- I1472: ASP.NET Core / VB: Disable 'Remember Me' functionality [Added]
T29: Use anti-Cross-Site Request Forgery (CSRF) tokens
- I1427: ASP.NET / VB Anti-CSRF tokens [Added]
T31: Validate all forms of input
- I1437: ASP.NET / VB: Request Form Validation [Added]
- I1438: ASP.NET Core / VB: Validation Attributes [Added]
T33: Verify integrity of client-supplied read-only data
- I1431: ASP.NET / VB - Using Session State [Added]
T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
- I1440: ASP.NET / VB untrusted data escape [Added]
- I1441: ASP.NET / VB: Error message encoding with Microsoft Anti-XSS [Added]
- I1442: ASP.NET Core / VB: Character encoding [Added]
T38: Bind variables in SQL statements
- I1443: VB with Linq [Added]
- I1444: VB with SqlClient [Added]
- I1445: VB with Enterprise Library [Added]
- I1446: VB SQL variable binding with OleDB [Added]
- I1447: VB variable binding with ODBC [Added]
- I1448: ASP.NET Core / VB: Parameterize SQL Queries [Added]
- I1449: VB with Entity [Added]
T43: Avoid unsafe operating system interaction
- I1450: VB.NET safe operating system interaction [Added]
T50: Use indirect object reference maps if accessing files
- I1426: ASP.NET / VB indirect object reference map [Added]
T54: Validate file contents
- I1480: ASP.NET / VB file content validation [Added]
T55: Validate all XML input
- P12: Missing or Incorrect XML Validation [Updated]
  - Updated text
T59: Use standard libraries for cryptography
- I1456: ASP.NET Core / VB: Revoking Keys and Refreshing the Keyring [Added]
- I1462: ASP.NET Core / VB: Protecting Ephemeral Data [Added]
- I1463: ASP.NET Core / VB: Data Encryption [Added]
- I1464: ASP.NET / VB encryption libraries [Added]
T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
- I1460: ASP.NET Core / VB: Setting Key Lifetime [Added]
- I1461: ASP.NET Core / VB: Choosing cryptographic algorithms [Added]
T62: Protect passwords in property and configuration files
- I1476: ASP.NET Core / VB: Accessing Application Secrets from Secret Manager [Added]
T64: Set no-cache for confidential web pages
- I1453: ASP.NET / VB Cache-Control [Added]
- I1454: ASP.NET Core / VB: Limiting Response Caching [Added]
T65: Restrict accepted HTTP verbs
- I1434: ASP.NET / VB HTTP verbs restriction [Added]
T66: Prevent web pages from being loaded inside iFrame
- I1482: ASP.NET / VB: Frame busting through JavaScript and use of headers [Added]
T67: Protect page navigation flow
- I1469: ASP.NET / VB page navigation enforcement [Added]
T68: Encrypt credit card PANs in storage
- I1478: VB.NET credit card PAN encryption [Added]
T72: Use safe arithmetic to avoid integer overflow
- I1473: VB.NET [Added]
T74: Avoid HTTP parameter pollution
- I1432: ASP.NET / VB HTTP parameters protection [Added]
T87: Verify that all data in transit is encrypted using a secure TLS channel [Updated]
- Updated text
- TA809: Verify use of security protocols wherever credit card information is transmitted or received [Updated]
  - Updated text
T137: Encrypt protected health information in storage
- I1479: ASP.Net / VB [Added]
T151: Use cryptographically secure random numbers
- I321: C# .NET cryptographically secure random number generation [Updated]
  - Updated title and text
- I1465: VB.NET cryptographically secure random number generation [Added]
T159: Follow best practices for secure error and exception handling
- I1452: ASP.NET / VB - Global error handling using HTTPModule [Added]
T162: Validate pathname before retrieving local resources
- I1439: ASP.NET Core / VB: Directory Traversal [Added]
T164: Clear session information from client upon logout
- I1457: ASP.NET Core / VB: Session expiration on logout [Added]
T178: Obtain consent from users prior to collecting Personal Data (where applicable)
- TA2883: Protect location information (Connected Cars) [Added]
T189: Minimize the use of unmanaged (native) code
- I1430: VB.NET unmanaged code avoidance [Added]
T191: Follow best practices when handling primitive data types
- I1451: VB.NET [Added]
T200: Test for validation on all untrusted XML input
- P12: Missing or Incorrect XML Validation [Updated]
  - Updated text
T256: Test that compiler settings are set to mitigate buffer overflows
- I1466: ASP.NET Core / VB: Storing session information on the server [Added]
T322: Include HTTP Strict-Transport-Security headers in HTTPS responses
- I1467: ASP.NET Core / VB: Enabling HSTS [Added]
T338: Control access to resources through user authentication and authorization
- TA2884: Enforce access control if you output sensitive data to a port (Connected Cars) [Added]
T456: Select stringent security settings and disable unnecessary services and modules
- TA2885: Properly harden the infotainment operating system (Connected Cars) [Added]
T795: Configure CloudFront correctly (AWS) [Updated]
- Updated text
- I658: How to configure CloudFront correctly (AWS) [Updated]
  - Updated text
T828: Test that CloudFront is configured correctly (AWS) [Updated]
- Updated text
T875: Secure Apache SSL/TLS (Apache HTTP Server)
- TA920: More in-depth controls [Updated]
  - Updated text
- I729: Apache HTTP Server: How to secure Apache SSL/TLS [Updated]
  - Updated text
- I734: Apache HTTP Server: How to for in-depth controls [Updated]
  - Updated text
T876: Verify Apache SSL/TLS configuration (Apache HTTP Server)
- TA921: Test in-depth controls [Updated]
  - Updated text
T925: Configure TLS/SSL securely for Microsoft IIS (Microsoft IIS) [Updated]
- Updated text
T959: Verify if TLS/SSL is securely configured for Microsoft IIS (Microsoft IIS) [Updated]
- Updated text
T1118: Restrict access to local files (MySQL) [Updated]
- Updated text
- P1051: Unrestricted access to local files (MySQL) [Updated]
  - Updated text
- I893: MySQL: How to restrict access to local files [Updated]
  - Updated text
T1119: Verify that access to local files is restricted (MySQL)
- P1051: Unrestricted access to local files (MySQL) [Updated]
  - Updated text
T2143: Enhance the security of OBD ports (Connected Cars) [Added]
- P1547: Lack of security measures in OBD port (Connected Cars) [Added]
T2144: Implement CAN bus protocol properly (Connected Cars) [Added]
- P1548: Poor implementation of CAN bus protocol (Connected Cars) [Added]
T2145: gRPC Server-Client Certificate Authentication (.NET Core 3) [Added]
- P1549: Unauthenticated gRPC client-server communication [Added]
- I1484: gRPC server-client certificate authentication (.NET Core 3-C#) [Added]
- I1485: gRPC server-client certificate authentication (.NET Core 3-VB) [Added]
T2148: Perform security checks before infotainment OS update (Connected Cars) [Added]
- P1550: Insecure software updates (Connected Cars) [Added]
T2149: Perform security checks before external infotainment communication (Connected Cars) [Added]
- P1551: Insufficient security checks between infotainment system and external devices (Connected Cars) [Added]
T2150: Verify that external infotainment communication is secure (Connected Cars) [Added]
- P1551: Insufficient security checks between infotainment system and external devices (Connected Cars) [Added]
T2151: Verify that security checks are performed before updating infotainment OS (Connected Cars) [Added]
- P1550: Insecure software updates (Connected Cars) [Added]
T2152: Protect against Denial of Service attacks (Connected Cars) [Added]
- P1553: Denial of Service in networks (Connected Cars) [Added]
T2153: Verify the security against Denial of Service attacks (Connected Cars) [Added]
- P1553: Denial of Service in networks (Connected Cars) [Added]
T2154: Validate all YAML input [Added]
- I1486: Write a schema using RX to validate YAML data [Added]
T2155: Follow security best practices for YAML parsers [Added]
- P1556: Improper serializing/deserializing of YAML data [Added]
T2156: Validate Scalable Vector Graphics (SVG) [Added]
- P12: Missing or Incorrect XML Validation [Updated]
  - Updated text
Deactivated Problems
- P30: Improper Validation of Array Index
- P38: Compiler Removal of Code to Clear Buffers
- P69: Improper Null Termination
- P154: Storing Passwords in a Recoverable Format
- P309: Use After Free
- P402: Spyware
- P518: Null Byte Interaction Error (Poison Null Byte)
- P573: Use of multiple resources with duplicate identifier
- P670: Failure to Control Generation of Code ('Code Injection')
- P691: Padding Oracle Decryption
Updated T186 w/ latest security patch level for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Java
- Node.js
- AngularJS/Angular
- Docker
- jQuery
Changes to Project Properties and Profiles
- Q195: Language and Framework
  - Q109: Programming Language
    - A1284: VB [Added]
- Q208: Data Formats
  - Q115: Generates or reads data/files in the following formats:
    - A1285: YAML [Added]
    - A1286: SVG [Added]
- Q276: Network Layer
  - Q332: Automotive Protocols Used [Added]
    - A1282: CAN [Added]
- Q307: Containerization
  - Q308: Containerization Technologies
    - A1209: Kubernetes (unmanaged) [Updated]
      - Updated title and description
New Just-in-Time Training
- CCPA
- Microservices JITT: API Gateway Implementation

5.6

New features and improvements

Problem View
- Gain visibility into the risks your projects face by viewing all of their Problems in one page.
- Added a Problems tab to the Project page with a table listing all Project Problems in rows.
- Each Problem row can be expanded to display the Problem description or its related Tasks. The Related Tasks view allows you to update a Problem’s task statuses and assign users.
- Search by Problem title, Problem description, related Task description, and filter by Risk Rating.
Project Survey
- View Latest History
  - Select or change an answer in the survey to see a “View Latest History” link that displays information about the last change, when it was made, and by whom.
- Help text on Questions and Answers now support multi-line markdown and URLs.
Verification
- Added support for WhiteSource integration. Update the verification status of task T186 using dependency information tracked in a WhiteSource product.
Compliance Reports
- Added support for exporting to CSV.
- HTML, PDF, and CSV reports now have an “[edited on ]” field for updated task notes. The most recently created note appears first in descending order. Each task note ends with a semi-colon for easy parsing.
API changes
- Added endpoints for project problems and related tasks.
- Added an endpoint for retrieving a Project's survey history. The history shows changes to answers in a project survey, along with the time and date, and the user who changed it.

Other product improvements

Glossary Task tooltips now support URLs.
Updated the term “ALM” to “Issue Tracker” on the SD Elements UI and in the API. There will be backwards compatibility for the API until a future release.
Resized the solution column on the import evaluation screen to correctly view all of its contents.
Fixed export for Questions in the Content exporter.
Updated warning button styling to make them more user-friendly.
Updated Jira integration to support deprecated createmeta API calls for Jira Server 8.4 and later.

Content additions and updates (as of May 7, 2020):

Compliance Regulations and Mappings
- Added CMMC (Level 1) compliance report
- Added CMMC (Level 2) compliance report
- Added CMMC (Level 3) compliance report
- Added CMMC (Level 4) compliance report
- Added CMMC (Level 5) compliance report
- Added OWASP API compliance report
New Content Packs
- CMMC
- Flutter
- OWASP API Top 10
T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- I1413: Biometric authentication (Flutter) [Added]
T21: Ensure all data in transit is encrypted using a secure TLS channel
- I1423: Data-in-transit encryption (Flutter) [Added]
T25: Enforce absolute session timeouts
- I1420: Session Invalidation (Flutter) [Added]
T45: Log potential critical security events
- TA2881: OWASP API Guidelines for Log Monitoring [Added]
T49: Disable and remove debug capabilities and code/data, and prepare application for release
- I1417: Prepare the application for release (Flutter) [Added]
T59: Use standard libraries for cryptography
- I1421: Cryptography (Flutter) [Added]
T148: Avoid caching confidential data on client
- I1408: Protect against client side caching (iOS) [Added]
- I1416: Securely store temporary camera files (Flutter) [Added]
T152: Avoid asking for and using excessive permissions
- I1412: Excessive permissions (Flutter) [Added]
T156: Validate certificate and its chain of trust properly
- I1414: Certificate pinning (Flutter) [Added]
T157: Temporary files must be cleaned up after the resource is used
- I1425: Clear cached files (Flutter) [Added]
T160: Avoid relying on jailbreak or root detection as a strong security measure
- I1422: Jailbroken and rooted device detection (Flutter) [Added]
T168: Prevent auto-snapshot from saving sensitive data (iOS) [Updated]
- Updated text
- I1405: Disable iOS application backgrounding [Added]
- I1406: Mask sensitive data in the iOS app UI (Objective-C) [Added]
- I1409: How to mask sensitive data in iOS app UI (iOS-Swift) [Added]
T248: Protect secret keys and passwords in the application
- I1418: Secure data storage (Flutter) [Added]
T261: Manage iOS Pasteboards that are used with sensitive data [Updated]
- Updated text
T282: Bind variables in SQL statements for client applications
- I1419: SQL injection prevention (Flutter) [Added]
T295: Avoid storing unencrypted confidential data without access control mechanisms
- I482: iOS data encryption with PBKDF2 (Objective-C) [Updated]
  - Updated text.
- I528: iOS data encryption with PBKDF2 (Swift) [Updated]
  - Updated text.
T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I1415: Disable autocorrection/keyboard extension (Flutter) [Added]
T324: Follow best security practices when using WKWebView (iOS)
- I1407: Handle universal links in the application [Added]
T608: Obfuscate your executables
- I1424: Code obfuscation (Flutter) [Added]
T1362: Perform message throttling in Web APIs [Updated]
- Updated title and text to better reflect completion conditions.
- TA2882: Web API - throttling types [Added]
T1363: Verify if message throttling is properly performed in Web APIs [Updated]
- Updated title to better reflect completion conditions.
T1539: Clear browser data on user logout [Updated]
- Updated text
T1917: Perform container security assessment [Updated]
- Updated text
T2133: Protect the security of data in iOS [Added]
- P1544: Unprotected and Unsecure Data in Mobile Applications [Added]
- I1400: Data encryption using CryptoKit framework (iOS-Swift) [Added]
- I1401: Create and validate signatures in CryptoKit framework (iOS-Swift) [Added]
- I1403: Encryption with Apple Secure Enclave (iOS-Objective C) [Added]
T2134: Compile iOS applications with PIE and ARC flags [Added]
- I1404: Enable PIE and ARC flags in Xcode [Added]
T2137: Ensure that sensitive data is not recorded (iOS) [Added]
- P1545: Information Disclosure in iOS via ReplayKit Framework [Added]
- I1410 Prevent information disclosure in iOS when mirroring/recording (Objective-C) [Added]
- I1411 Prevent information disclosure in iOS when mirroring/recording (Swift) [Added]
T2139: Prevent information exposure through APIs [Added]
T2140: Test that APIs do not expose sensitive information [Added]
T2141: Perform function level authorization in API [Added]
T2142: Verify that function level authorization is implemented in API [Added]
Updated T186 w/ latest security patch level for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Bouncy Castle
- jQuery
- AFNetworking Library
- Node.js
Changes to Project Properties and Profiles
- Q195: Language and Framework
  - Q109: Programming Language
    - A1281: Flutter [Added]
- Q331: US Federal and NIST
  - Q328: In-Scope for CMMC [Added]
    - Q329: CMMC Maturity Level [Added]
      - A1276: Level 1 [Added]
      - A1277: Level 2 [Added]
      - A1278: Level 3 [Added]
      - A1279: Level 4 [Added]
      - A1280: Level 5 [Added]
    - A1275: Yes [Added]

5.5

New features and improvements

Issue tracker integrations
- Added RSA Archer issue tracker integration: synchronize SD Elements tasks as Archer findings in order to track outstanding controls.
  - Requires one Archer user account per connection.
  - Supports one-way sync with Archer as the authoritative source, with two-way sync in consideration for a future update.
  - See our documentation for more information: https://docs.sdelements.com/release/latest/guide/docs/integrations/alm_integration/supported_tools/
- Added GitLab issue tracker integration: synchronize SD Elements tasks as issues in a GitLab project.
- Added custom priority mapping to Micro Focus ALM integration
- Rally: Added support to allow the issue type “Feature” to serve as the parents of “User Stories”
API changes
- Added support for upcoming improvements to project classification.
- Updated the project classification endpoint to save and fetch a classification formula.
- New risk factor endpoint to save and fetch risk factors used by classification formulas.

Other product improvements

Restyled primary UX buttons to be more user friendly
Improved performance of the project ALM connection endpoint
Renamed HP ALM to Micro Focus ALM
Migrated Remote Integration Agent to Python 3
- If you are using the Linux RIA, you must install the new RIA package in a python 3 environment
Fixed unclear JIRA error message for invalid username or token
Fixed JIRA integration issues with On-Prem JIRA instances
- This will be backported to 5.4
Updated the error message for when implied answers create a conflict

Content additions and updates (as of March 20, 2020):

Compliance Regulations and Mappings
- Added NY SHIELD compliance report
- Added ASVS 4 compliance report
- Updated GDPR compliance report
- Updated NYDFS compliance report
- Updated PIPEDA compliance report
T7: Salt and hash stored passwords [Updated]
- Updated text and recommended hash function.
T15: Centralize authorization
- I5: Centralize authorization using AccessController interface of ESAPI [Updated]
  - Fixed the text’s formatting.
T146: Use encryption for network communications in mobile environments
- I1392: Using encrypted channels in Android (Kotlin) [Added]
- I1397: Android (Kotlin) - StrictMode for cleartext network traffic detection [Added]
T157: Temporary files must be cleaned up after the resource is used
- I1391: Android (Kotlin) [Added]
T162: Validate pathname before retrieving local resources
- I1395: Android (Kotlin) [Added]
T248: Protect secret keys and passwords in the application
- I1393: Using server-side module to store secret keys and passwords for Android applications (Kotlin) [Added]
T270: Follow best practices for storing application data on Android devices
- I1394: Android storage options and considerations (Kotlin) [Added]
T282: Bind variables in SQL statements for client applications
- I1398: Android (Kotlin): Bind parameters to content provider query [Added]
T394: Secure one-time passwords (OTP) [Updated]
- Updated text.
T408: Set secure flag on Android Activities with sensitive content [Updated]
- Updated text.
- I1396: Setting FLAG_SECURE for Android Activity (Kotlin) [Added]
T2122: Update Android Security Provider [Added]
- P1535: Lack of Verification of Up-to-date Android Security Provider [Added]
- I1399: How to update Android Security Provider in the application [Added]
T2123: Verify that Android Security Provider gets checked to be up-to-date [Added]
- P1535: Lack of Verification of Up-to-date Android Security Provider [Added]
T2124: Exercise security best practices for inducing new versions of microservices [Added]
- P1536: Insecure induction of new versions for microservices [Added]
T2125: Exercise security strategies for handling session persistence [Added]
- P1537: Lack of security strategies for handling session persistence [Added]
T2126: Exercise security strategies for preventing credential abuse and stuffing attacks [Added]
- P1538: Lack of security strategies for preventing credential abuse and stuffing attacks [Added]
T2127: Exercise security best practices for API gateway implementation [Added]
- P1539: Lack of security best practices for API gateway implementation [Added]
T2128: Notify users and regulators of breaches of personal information [Added]
- TA2879: NY SHIELD Act / Breach Notification [Updated]
T2129: Exercise security best practices for access management in microservices
- P1540: Inadequate access management in microservices [Added]
T2130: Exercise best practices for securing microservices communication
- P1541: Unsecure microservices communication [Added]
T2131: Exercise security strategies for service mesh implementation
- P1542: Lack of security strategies for service mesh implementation [Added]
T2132: Exercise security best practices for service registry
- P1543: Lack of security best practices for service registry [Added]
Updated T186 w/ latest security patch level for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- OpenSSL
- Java
- Docker
- AngularJS/Angular
- Node.js
- Bouncy Castle
Changes to Project Properties and Profiles
- Q206: Privacy
  - Q160: Handles Personal Data
    - Q224: Privacy Regulations
      - A1273: NY SHIELD [Added]

5.4

New features and improvements

Survey section and subsection reorder
- Sections and subsections can now be reordered to better fit your organization’s needs.
- Reorder these sections from Library > Project Survey.
- Note: Reordering the survey in the library affects existing and future projects. This action may also affect subsequent completions of a project's survey because the default order of the survey is designed to automatically answer some questions or make new questions available in subsequent sections. By reordering the survey and completing it again, answers and sections may become available out of an expected order and affect your project's settings.
- It is recommended that you reorder the survey with your Customer Success representative.
Performance Improvements
- Significantly improved the load time by up to 70% for the Library Tasks page.
- Improved the generation time by 15% of the All Tasks report for projects with ~800-1000 tasks.
- The Project Survey may show improved performance during answer selection.
Integrations
- Azure DevOps (TFS)
  - Added custom status mapping.
Automations:
- Automations has moved to System Settings.
- The Automations form now allows users to specify Business Unit, Application, Task, and Task Status from a dropdown list of available options or by performing a keyword search.
- Threshold values can be set for Task Status Change and Verification Tool Ran events.

Other product improvements:

JIRA Issue Tracker sync
- Resolved an issue with ALM tasks not being recreated when they were removed when the authoritative source was set to SDE or “Last Status Update”.
Process content used for Automations is no longer disabled by default during SD Elements upgrades. You can enable or disable process content in the Content Pack Selector.
Clicking on links in the Tasks Overview of a project now takes you to the correct phase.
Added a Name ID format field when configuring SAML for single sign-on.
New Just-in-Time Training
- JSP
- Continuous Compliance

Content additions and updates (as of February 13, 2020):

T1922: Use secure OAuth 2.0 and OpenID Connect integration (where applicable) [Updated]
- Changed title.
T2117: Secure microservices APIs that access sensitive data [Added]
T2118: Exercise security monitoring best practices in Microservices environments [Added]
T2119: Deploy circuit breakers in Microservices environments [Added]
T2120: Exercise security best practices for load balancing in Microservices environments [Added]
T2121: Exercise security best practices for service rate limiting in Microservices environments [Added]
Compliance Regulations and Mappings
- Added AICPA Trust Services Criteria 2017 (SOC2) compliance report
- Updated ISO 27001:2013 compliance report
- Removed outdated ISO 27001:2005 mapping and compliance report
- Added CSA Cloud Controls Matrix (CCM) v3.0.1 compliance report
Updated T186, w/ latest security patch level for third-party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Apache MyFaces
- jQuery
- Docker
- AngularJS/Angular
- AFNetworking Library
- Node.js
- Bouncy Castle
Changes to Project Properties and Profiles
- Q193: Application Type
  - Q101: Type of Application
    - A1264: Microservice [Added]
- Q237: Compliance Scope: Other
  - Q324: In-Scope for AICPA Trust Services Criteria (SOC2) [Added]
    - A1266: Yes [Added]
  - Q325: In-Scope for ISO 27001 Compliance [Added]
    - A1267: Yes [Added]
  - Q326: In-Scope for Cloud Security Matrix (CCM)
    - A1268: Yes [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A1265: Microservices - Code [Added]
    - A1269: Microservices - Non-code [Added]
- Q258: Architecture/Environment
  - Q322: Architecture [Added]
    - Q261: IoT Architecture [Updated]
      - Changed “Architecture” to new “IoT Architecture” and moved it under "Q322: Architecture".
    - Q327: Microservices Architecture [Added]
      - A1263: This is an overarching project for designing and implementing security measures in Microservices Ecosystem (select this if you are modelling the deployment of, or setting up the infrastructure for the microservices). [Added]
    - A1137: IoT ecosystem [Updated]
      - Moved it under "Q322: Architecture".
    - A1142: Contains multiple components that communicate through a network [Updated]
      - Moved it under "Q322: Architecture".
    - A1262: Microservices ecosystem [Added]
- Q289: Cloud Computing
  - Q290: Cloud Providers
    - Q298: AWS Services
      - A1270: ECS [Added]
      - A1271: DynamoDB [Added]

5.3

New features and improvements:

Performance Improvements
- SD Elements now runs in Python 3, the modern and slightly faster version of Python.
  - Older Library pages should experience improved loading times in Python 3.
- The Dashboard page should experience improved loading times.
Automations (Beta)
- The Automations feature is currently in Beta and accessible via the API and the UI.
  - See our API documentation for more details: https://docs.sdelements.com/release/latest/api/
  - See our User Guide for details about the UI: https://docs.sdelements.com/release/latest/guide/
- Added ProjectCreated and SurveyLocked automation events.
  - These events allow users to include placeholders in email notification actions that provide project- and survey-related information.
Content Pack Selector (Beta)
- The Content Pack Selector is now available from the Library.
- Privileged users can now enable and disable certain subject areas of the base SD Elements content using the application user interface.
  - The base SD Elements content is now organized into a set Content Packs. A Content Pack is a collection of related Tasks, How-Tos, Additional Requirements, Profiles, and Survey Answers covering distinct subject areas: Application Security, Compliance, Operational Security, Privacy, and Process.
  - Process content used for Automations is disabled by default but may be enabled by content administrators.
- See our documentation for more details: https://docs.sdelements.com/release/latest/guide/
Profiles
- Built-in profiles are now visible from the Profiles page within the Library.
- Deactivated Profiles will not appear in the Profile selection list.
- All Projects must have an active Profile selected.
  - The state of a Profile is now indicated on the Project Survey.
  - For existing Projects with a deactivated Profile, you can cancel out of the Project Survey to preserve your Project Survey’s Answers.
Issue Trackers
- JIRA SmartSync
  - Optimized JIRA ALM sync. Previously, the ALM sync reached out to every JIRA task to check for changes. This change detection is now done in bulk, which results in SD Elements only reaching out to JIRA tasks that have changed since the last successful sync.
Project Survey Enhancements
- Buttons now have improved clarity.
  - For example, the “Continue” button now says, “Continue To Summary”, and “Close” now says, “Continue To Tasks”.
- Cancel buttons were added to the Survey and Summary pages, which allow you to return to the Tasks page.
Remote Integration Agent (RIA)
- The Linux RIA is now available for download in SD Elements from Integrations > Remote Agent.
- A link to RIA installation guidance is now available on the RIA list and the download dialog for both Windows and Linux agents.
Project Specific Tasks
- Individual tasks identified within the blue button “New Content Updates Available” notification can now be manually added to a project using the “Add task” feature.
Risk Policy
- A Risk Policy description has been added to the Summary steps during project creation and the Project Survey page.
System Updates
- Updated the data encryption library in SD Elements.
  - SD Elements has upgraded to django cryptography, which uses the Python cryptography library for encryption.
  - Previously, SD Elements used the django-extensions library to store encrypted values in the database, which used the keyczar library. This library is now deprecated and does not support Python 3.
  - Note: Due to the cryptography library changes in this version, do not remove the system’s keyczar keys from the system until all releases of SD Elements prior to version 5.3 are no longer present on the system. For more information, contact support@sdelements.com
Tooltip Improvements
- Accessibility enhancements have been made for tooltips throughout SD Elements. The contrast between font and background colors, and the font and margin sizes have now been increased.
- Library Question and Answer Help Text now support markdown styling for bold and italicized text, ordered and unordered lists, code blocks, and indentations.
Other Product Improvements:
- Group caches now refresh on a regular interval, fixing some cache issues that required a manual cache restart.
- The Remote Integration Agent installer now only allows administrators to install apps.
- Relevant tasks can now be manually added to a project without error messages.
- Fixed an issue with incorrect browser tabs under Accounts.
- Fixed an issue with columns in compliance reports.
- Problems without a relevant CWE no longer show CWE headers.
New Just-in-Time Training
- Defending ASP.NET Core in C#
- Defending HTML5
- Defending Swift for iOS
- Defending Web API
- Defending Web Apps

Content additions and updates (December 11, 2019):

Compliance Regulations and Mappings
- Added California Consumer Privacy Act (CCPA) compliance report
- Updated California Online Privacy Protection Act compliance report
- Added Brazil Data Protection Law (LGPD) compliance report
- Added NIST 800-53 Privacy Controls (Appendix J) compliance report
Updated Tasks
- T17: Do not only rely on client-side authorization [Changed title and updated text to be more distinct from similar tasks.]
- T738: Determine the legal basis for transferring personal data [Changed title and updated text.]
- T739: Verify if transferring personal data is legitimate and in compliance with applicable privacy regulations [Changed title and updated text.]
- T1154: Secure Docker registries (Docker) [Updated the text.]
- T1155: Verify that Docker registries are secure (Docker) [Updated the text.]
- T1172: Secure daemon configuration files (Docker) [Updated the text.]
- T1173: Verify that daemon configuration files are secured (Docker) [Updated the text.]
Added Tasks
- T2105: Enforce the use of client certificate bundles for unprivileged users to access UCP (Docker)
- T2106: Verify that the use of client certificate bundles for unprivileged users is enforced (Docker)
- T2107: Configure applicable cluster role-based access control policies for UCP access (Docker)
- T2108: Verify that a valid RBAC model is configured for UCP access (Docker)
- T2109: Enable signed image enforcement (Docker)
- T2110: Verify that signed image enforcement is enabled (Docker)
- T2111: Set the 'Per-User Session Limit' to a value of '3' or lower (Docker)
- T2112: Verify that the 'Per-User Session Limit' is set to a value of '3' or lower (Docker)
- T2113: Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Docker)
- T2114: Verify that the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values are set to '15' or lower and '0' respectively (Docker)
- T2115: Enable image vulnerability scanning (Docker)
- T2116: Verify that image vulnerability scanning is enabled (Docker)
Deactivated Tasks
- T1216: Perform regular security audits of your host system and containers (Docker)
- T1217: Verify that security audits of your host system and containers are performed regularly (Docker)
- T1218: Monitor the usage, performance, and metering of Docker containers (Docker)
- T1219: Verify that the usage, performance, and metering of Docker containers are monitored (Docker)
- T1220: Back up container data (Docker)
- T1221: Verify that container data is backed up (Docker)
Added Additional Requirements
- TA2859: California Online Privacy Protection Act (CalOPPA): Privacy Policy
- TA2860: CCPA: Privacy Notice
- TA2861: CCPA: Indirect Collection of Personal Information
- TA2862: CCPA: Access Requests and Verification
- TA2863: CCPA: Requests to Delete
- TA2864: CCPA: Service Provider Obligations
- TA2865: CCPA: Requests to Opt-Out of Sale of Personal Information
- TA2866: CCPA: Record Keeping
- TA2867: CCPA: Opt-In Consent for Sale of Children's Personal Information
- TA2868: NIST 800-53 Privacy Controls: Purpose Specification and Use Limitation
- TA2869: NIST 800-53 Privacy Controls: Privacy Notice
- TA2870: NIST 800-53 Privacy Controls: Privacy Impact Assessment
- TA2872: NIST 800-53 Privacy Controls: Personal Data Inventory
- TA2873: NIST 800-53 Privacy Controls: Data Quality
- TA2874: NIST 800-53 Privacy Controls: Data Anonymization
- TA2875: NIST 800-53 Privacy Controls: Data Retention and Disposal
- TA2876: NIST 800-53 Privacy Controls: Consent
- TA2877: NIST 800-53 Privacy Controls: Individual Access
Deactivated Additional Requirements
- TA935: HTTP Public Key Pinning (HPKP) [Removed since HPKP is not supported by many browsers any more.]
Updated Problems
- P834: Lack of Certificate/Public Key Pinning [Included “A1260: Requires certificate or public key pinning” in the applicability rules.]
- P1066: Insecure Docker registries (Docker) [Updated the text.]
- P1075: Unprotected daemon configuration files (Docker) [Updated the text.]
Added Problems
- P1529: Providing direct access to UCP manager nodes by giving administrative permissions to users (Docker)
- P1530: Using the default RBAC roles provided by UCP (Docker)
- P1531: Running untrusted containers (Docker)
- P1532: Using an improper value for limiting the number of per user concurrent sessions (Docker)
- P1533: Using an improper value for limiting the duration of active sessions (Docker)
- P1534: Running Docker containers based on images with known vulnerabilities (Docker)
Deactivated Problems
- P1097: Failing to perform security audits of your host system and containers (Docker)
- P1098: Unmonitored Docker containers usage, performance, and metering (Docker)
- P1099: Failing to back up container data (Docker)
Updated HowTo's
- I922: Docker: How to secure Docker registries [Updated the text.]
- I931: Docker: How to secure daemon configuration files [Updated the text.]
Added HowTo's
- I1385: Docker: How to create client certificate bundles
- I1386: Docker: How to configure UCP RBAC components
- I1387: Docker: How to enable signed image enforcement
- I1388: Docker: How to set the 'Per-User Session Limit'
- I1389: Docker: How to set the 'Lifetime Minutes' and 'Renewal Threshold Minutes'
- I1390: Docker: How to enable image vulnerability scanning
Deactivated HowTo’s
- I908: Apache: Enabling HPKP [HPKP is not supported by many browsers.]
- I909: NGINX: Enabling HPKP [HPKP is not supported by many browsers.]
- I910: IIS: Enabling HPKP [HPKP is not supported by many browsers.]
- I954: Docker: How to monitor Docker container usage, performance, and metering
- I955: Docker: How to back up container data
Updates to T186 with the latest security patch level for third-party libraries:
- Rails
- Django
- Spring
- Struts
- Apache Tomcat
- GnuTLS
- Apache MyFaces
- Java
- Node.js
- AngularJS/Angular
- Docker
Changes to Project Properties and Profiles
- Added “Q160: Handles Personal Data” under "Q206: Privacy"
- Added “Q265: In-Scope for NIST 800-53 Compliance” under "Q237: Compliance Scope: Other"
- Added "Q321: NIST 800-53 Privacy Controls” under “Q265: In-Scope for NIST 800-53 Compliance”
- Added "A1255: CCPA” under “Q224: Handles Personal Data”
- Added "A1256: CalOPPA” under “Q224: Handles Personal Data”
- Added "A1257: Latin America” under “Q159: Organization is Subject to the Laws of:”
- Added "A1258: Brazil LGPD” under “Q224: Handles Personal Data”
- Added “A1260: Requires certificate or public key pinning” under “Q214: Miscellaneous”
- Deactivated “A1177: VPC” from the ‘Applicable When’ criteria of “P866: Relational Database Service Misconfigured (AWS)”
- Deactivated “A1171: EC2” from the ‘Applicable When’ criteria of “P866: Relational Database Service Misconfigured (AWS)”

5.2

New features and improvements

Automations (formerly Process Task Automation)
- Automations is currently in Beta and does not have any features that are visible to users. It does, however, run in the background and may affect some of your tasks. As more features become available in SD Elements, more information will follow.
Project Classification
- The classification list page has been improved. Classifications that have no policies or active answers are now greyed out, and classifications that have inactive answers now show a warning.
Existing integrations:
- HCL AppScan:
  - IBM AppScan has changed to HCL AppScan.
- HP ALM:
  - Added support for the “Not Covered” status.
New Integrations:
- Added support for ServiceNow integration.
- Added support for Coverity verification integration:
  - We are aware of the following behavior with Coverity integration with SD Elements:
    - Only flaws with the action “Ignore” are marked as pass/partial pass and removed from flaws total counts.
    - Custom Severities in Coverity are mapped to “unknown” severity in SD Elements and are counted as fails.
    - At this time, there is no method to add custom severity mappings.
Project Reports
- The All Task Report PDF export now has a limit of 1000 tasks.
Project Survey Answers
- Deactivating Answers in the Project Survey will now also set them to be hidden in the Project Survey (similarly reactivating answers result in them reappearing in the survey).
Deprecations
- Thoughtworks Mingle has been deprecated and is no longer supported in SD Elements.
- Trac has been deprecated and is no longer supported in SD Elements.
Bug fixes:
- Fortify reports with a count of 0 now correctly trigger Process Task Automation events.
- Fixed dropdown fields in the frontend from becoming deselected when escaped or clicked away from.
- Reports no longer display a unicode error when non-ASCII characters are present.
- SAML SP initiated POST requests now correctly navigate to the IdP page.
- Fixed Azure DevOps (TFS) sync error for “missing ‘fields’”.
- SD Elements no longer crashes if a large number of projects sharing the same risk policy refresh their risk policies at the same time.

Content additions and updates (as of October 25, 2019):

Compliance Regulations and Mappings
- Added FedRAMP compliance report for Low/Moderate/High baselines.
- Added FedRAMP additional requirements for Low/Moderate/High baselines.
- Added NIST 800-53 compliance report for Low/Moderate/High baselines.
- Added NYDFS compliance report.
- Updated CalOPPA compliance report and added new subsections.
Updated Tasks
- T5: Use minimum standards for passwords [Updated the text.]
- T680: Do not create IAM policies that allow full administrative privileges (AWS) [Updated the title.]
- T681: Enable CloudTrail in all regions (AWS) [Updated the text.]
- T699: Test that credentials unused for 90 days or greater are disabled (AWS) [Updated the text.]
- T700: Test that access keys are rotated every 90 days or less (AWS) [Updated the text.]
- T714: Test if any IAM policy exists that allows full administrative privileges (AWS) [Updated the title and the text.]
- T718: Test if AWS Config is enabled in all regions (AWS) [Updated the text.]
- T719: Test if S3 bucket access logging is enabled on the CloudTrail S3 bucket (AWS) [Updated the text.]
- T720: Test that log metrics and alarms are created (AWS) [Updated the text.]
- T725: Test that log file validation is enabled (AWS) [Updated the text.]
- T1053: Enable VM protection features (Microsoft Azure) [Updated the text.]
- T1054: Test that VM protection features are enabled (Microsoft Azure) [Updated the text.]
- T1056: Test that all VMs are updated (Microsoft Azure) [Updated the text.]
- T1057: Enable disk and storage encryption (Microsoft Azure) [Updated the text.]
- T1058: Test that disk and storage encryption is enabled (Microsoft Azure) [Updated the text.]
- T1059: Configure network security groups and firewalls securely (Microsoft Azure) [Updated the text.]
- T1060: Test that network security groups and firewalls are configured securely (Microsoft Azure) [Updated the text.]
- T1061: Enable SQL auditing (Microsoft Azure) [Changed the old title "Enable SQL auditing and threat detection" and updated the text.]
- T1062: Verify that SQL auditing is enabled (Microsoft Azure) [Changed the old title "Test that SQL auditing and threat detection are enabled" and updated the text.]
- T1063: Set up security contacts (Microsoft Azure) [Updated the text.]
- T1064: Verify that security contacts are set up (Microsoft Azure) [Changed the old title and updated the text.]
- T1073: Keep logs long enough (Microsoft Azure) [Updated the text.]
- T1074: Verify that logs are kept long enough (Microsoft Azure) [Updated the text.]
- T1077: Log critical events (Microsoft Azure) [Updated the text.]
- T1078: Verify that critical events are logged (Microsoft Azure) [Updated the text.]
- T1082: Verify that Key Vault is configured securely (Microsoft Azure) [Updated the text.]
- T1087: Select standard pricing tier (Microsoft Azure) [Updated the text.]
- T1088: Verify that standard pricing tier is selected (Microsoft Azure) [Updated the text.]
Deactivated Tasks
- T674: Enable Detailed Billing (AWS)
- T675: Activate IAM Master and IAM Manager roles (AWS)
- T708: Verify that detailed billing is enabled (AWS)
- T709: Verify that IAM Master and IAM Manager roles are active (AWS)
Added Tasks
- T2033: Ensure SELinux is enabled on all container instances (Amazon ECS)
- T2034: Ensure AppArmor is enabled on all container instances (Amazon ECS)
- T2035: Ensure privileged containers are not permitted on the container instance (Amazon ECS)
- T2036: Ensure containers do not run as root (Amazon ECS)
- T2037: Set root filesystems to be read-only (Amazon ECS)
- T2038: Apply resource limits on containers (Amazon ECS)
- T2039: Enable container insights on ECS clusters (Amazon ECS)
- T2040: Ensure host operating systems are up to date (Amazon ECS)
- T2041: Attach IAM roles for ECS container instances (Amazon ECS)
- T2042: Ensure virtual machines running ECS instances are inside a VPC (Amazon ECS)
- T2043: Identify and remediate vulnerabilities in container images (Amazon ECS)
- T2044: Utilize AWS parameter store for sensitive data storage (Amazon ECS)
- T2045: Ensure a VPC endpoint is used to access DynamoDB tables (Amazon DynamoDB)
- T2046: Encrypt data stored in DynamoDB at rest (Amazon DynamoDB)
- T2047: Attach IAM policies to DynamoDB resources (Amazon DynamoDB)
- T2048: Utilize client-side encryption for DynamoDB (Amazon DynamoDB)
- T2051: Configure network access rules for storage accounts (Microsoft Azure)
- T2052: Verify that network access rules are configured properly for storage accounts (Microsoft Azure)
- T2053: Ensure virtual machines running instances are inside a VPC (Amazon Aurora)
- T2054: Utilize Security Groups to restrict access to instances (Amazon Aurora)
- T2055: Enforce network ACLs for instances (Amazon Aurora)
- T2056: Encrypt data stored at rest (Amazon Aurora)
- T2057: Enforce authentication on your database engine (Amazon Aurora)
- T2058: Attach IAM policies to resources (Amazon Aurora)
- T2059: Enable App Service authentication and identity management (Microsoft Azure)
- T2060: Ensure snapshots are not public (Amazon Aurora)
- T2061: Change the default master username (Amazon Aurora)
- T2062: Use AWS Secrets Manager for connection credentials (Amazon Aurora)
- T2063: Utilize Database Activity Streams for PostgreSQL databases (Amazon Aurora)
- T2064: Verify that App Service authentication and identity management is enabled (Microsoft Azure)
- T2065: Configure TLS for secure connections to App Service (Microsoft Azure)
- T2066: Verify that TLS is configured properly for App Service (Microsoft Azure)
- T2067: Use the latest version of software on App Service (Microsoft Azure)
- T2068: Verify that the latest version of software is used on App Service (Microsoft Azure)
- T2069: Set 'Enforce SSL connection' to 'ENABLED' for database servers (Microsoft Azure)
- T2070: Verify that 'Enforce SSL connection' is set to 'ENABLED' for database servers (Microsoft Azure)
- T2071: Enable logging of important PostgreSQL security events (Microsoft Azure)
- T2072: Verify that logging of important PostgreSQL security events is enabled (Microsoft Azure)
- T2073: Enable 'log_retention_days' on PostgreSQL servers (Microsoft Azure)
- T2074: Verify that server parameter 'log_retention_days' is set to more than 3 days for PostgreSQL database server (Microsoft Azure)
- T2075: Enable 'connection_throttling' on PostgreSQL servers (Microsoft Azure)
- T2076: Verify that 'connection_throttling' on PostgreSQL servers is enabled (Microsoft Azure)
- T2077: Use strong cryptographic ciphers (Kubernetes)
- T2078: Verify that strong cryptographic ciphers are used (Kubernetes)
- T2079: Restrict Kublet nodes to access only objects associated with them. (Kubernetes)
- T2080: Verify that Kublet nodes are restricted to access only objects associated with them. (Kubernetes)
- T2081: Encrypt data at rest properly (Kubernetes)
- T2082: Verify that data at rest is encrypted properly (Kubernetes)
- T2083: Limit the rate at which the API server accepts requests (Kubernetes)
- T2084: Verify that the admission control plugin 'EventRateLimit' is set (Kubernetes)
- T2089: Turn on Role Based Access Control (Kubernetes)
- T2090: Verify that Role Based Access Control is turned on (Kubernetes)
- T2091: Do not bind the scheduler and the controller manager services to non-loopback insecure addresses (Kubernetes)
- T2092: Verify that the scheduler and controller manager services are not bound to non-loopback insecure addresses (Kubernetes)
- T2093: Enable Kubelet server certificate rotation (Kubernetes)
- T2094: Verify that Kubelet server certificate rotation is enabled (Kubernetes)
- T2095: Set the permissions properly on the sensitive configuration files (Kubernetes)
- T2096: Verify that the permissions on the sensitive configuration files are set properly (Kubernetes)
- T2097: Do not let containers to be run with excessive privileges (Kubernetes)
- T2098: Verify that containers with excessive privileges are not permitted (Kubernetes)
Updated Additional Requirements
- TA927: Test in-depth controls [Updated the text.]
Added Additional Requirements
- TA1980: Blind Server Side Request Forgery (SSRF)
- TA1981: AWS Metadata Endpoint Data Exfiltration (SSRF)
- TA2847: NYDFS Cybersecurity Regulation / Penetration Testing and Vulnerability Assessments
- TA2848: NYDFS Cybersecurity Regulation / Audit Trail
- TA2849: NYDFS Cybersecurity Regulation / Access Privileges
- TA2850: NYDFS Cybersecurity Regulation / Multi-Factor Authentication
- TA2851: Enable JIT Network Access for virtual machines - More in-depth controls
- TA2852: Verify that JIT Network Access for virtual machines is enabled - More in-depth controls
- TA2853: Enable 'Advanced Data Security' on critical SQL Servers - More in-depth controls
- TA2854: Verify that 'Advanced Data Security' is enabled on critical SQL Servers - More in-depth controls
- TA2855: Enable security alerts for SQL servers - More in-depth controls
- TA2856: Verify that security alerts for SQL servers are enabled - More in-depth controls
- TA2857: Kubernetes: Do not let containers to be run with excessive privileges - More in-depth controls
- TA2858: Kubernetes: Verify that containers with excessive privileges are not permitted - More in-depth controls
Updated Problems
- P846: Lack of CloudTrail logs for all regions (AWS) [Updated the text.]
- P1020: Inactive VM protection features (Microsoft Azure) [Updated the text.]
- P1024: No SQL auditing (Microsoft Azure) [Changed the old title "No SQL auditing or threat detection".]
- P1025: No security contacts (Microsoft Azure) [Updated the text.]
- P1030: Inadequate Log Retention (Microsoft Azure) [Updated the text.]
- P1032: Insufficient Logging (Microsoft Azure) [Updated the text.]
Deactivated Problems
- P854: Lack of Detailed Billing records (AWS)
- P855: One-person control over IAM (AWS)
Added Problems
- P1494: Unrestricted connectivity to sensitive data (Amazon ECS)
- P1495: Using unsafe container images (Amazon ECS)
- P1496: Unprotected sensitive data in containers (Amazon ECS)
- P1497: Publicly accessible database (Amazon DynamoDB)
- P1498: Missing database encryption (Amazon DynamoDB)
- P1499: Improper network access rules for storage accounts (Microsoft Azure)
- P1500: Unrestricted connectivity to sensitive data (Amazon Aurora)
- P1501: Unrestricted connectivity to sensitive data (Amazon RDS)
- P1502: Misconfigured or missing network ACLs (Amazon Aurora)
- P1503: Missing encryption mechanism (Amazon Aurora)
- P1504: Improper authentication and access control (Amazon Aurora)
- P1505: Improper App Service authentication and identity management (Microsoft Azure)
- P1506: Misconfigured IAM policies attached to instances (Amazon Aurora)
- P1507: Ensure snapshots are not public (Amazon Aurora)
- P1508: Default master usernames (Amazon Aurora)
- P1509: Improper secret or connection string management (Amazon Aurora)
- P1510: Insufficient logging or protection of logs (Amazon Aurora)
- P1511: Insecure network communication (Microsoft Azure)
- P1512: Using outdated software in App Service (Microsoft Azure)
- P1513: Insecure connection to database servers (Microsoft Azure)
- P1514: No connection throttling for PostgreSQL database server (Microsoft Azure)
- P1515: Using weak cryptographic ciphers (Kubernetes)
- P1516: Inadequate access control for Kubelet nodes (Kubernetes)
- P1517: Cleartext or weakly encrypted data at rest (Kubernetes)
- P1518: Resource Exhaustion (Kubernetes)
- P1521: Lack of Role Based Access Control (RBAC) (Kubernetes)
- P1522: Unauthorized access to the scheduler and controller manager API services (Kubernetes)
- P1523: Downtimes due to expired certificates (Kubernetes)
- P1524: Unauthorized access to the sensitive configuration files (Kubernetes)
- P1525: Allowing containers with excessive privileges (Kubernetes)
Updated HowTo's
- I609: How to delete IAM policies that allow full administrative privileges (AWS) [Updated the text.]
- I610: How to enable CloudTrail in all regions (AWS) [Updated the text.]
- I613: How to enable AWS Config in all regions (AWS) [Updated the text.]
- I615: How to create log metrics and alarms (AWS) [Updated the text.]
- I626: How to create log metrics and alarms (AWS) - In-depth controls [Updated the text.]
- I724: Apache HTTP Server: How to secure Apache access control [Updated the text.]
- I858: Microsoft Azure: How to enable VM protection features [Updated the text.]
- I859: Microsoft Azure: How to update VMs [Updated the text.]
- I860: Microsoft Azure: How to enable disk and storage encryption [Updated the text.]
- I861: Microsoft Azure: How to configure network security groups and firewalls securely [Updated the text.]
- I862: Microsoft Azure: How to enable SQL auditing [Changed the old title "Microsoft Azure: How to enable SQL auditing and threat detection" and updated the text.]
- I863: Microsoft Azure: How to set up security contacts [Updated the text.]
- I868: Microsoft Azure: Keep logs long enough [Updated the text.]
- I870: Microsoft Azure: Log critical events [Updated the text.]
- I872: Microsoft Azure: Configure Key Vault securely [Updated the text.]
- I878: Microsoft Azure: Select standard pricing tier [Updated the text.]
Deactivated HowTo's
- I603: How to enable Detailed Billing (AWS)
- I604: How to activate IAM Master and IAM Manager roles (AWS)
Added HowTo's
- I1333: Amazon ECS-optimized AMI: Configure SELinux on each container instance
- I1334: Amazon ECS: Configure AppArmor on each container instance
- I1335: Amazon ECS: Disable privileged containers on each container instance
- I1336: Amazon ECS: Configure containers to run as non-root
- I1337: Amazon ECS: Provide containers in ECS Task Definitions with read-only access to the root file system
- I1338: Amazon ECS: Configure resource limits for containers
- I1339: Amazon ECS: Enable Container Insights in a new ECS cluster
- I1340: Amazon ECS: Enable update on ECS container instances
- I1341: Amazon ECS: Configure proper IAM policies on ECS clusters
- I1343: Amazon ECS: Configure ECS instances to run in a VPC
- I1344: Amazon ECS: Configure containers to inject sensitive data at runtime
- I1345: Amazon DynamoDB: Configure DynamoDB tables to use a VPC endpoint
- I1346: Amazon DynamoDB: Use a customer-managed key (CMK) in DynamoDB
- I1347: Amazon DynamoDB: Configure IAM policies as required
- I1348: Amazon DynamoDB: Utilizing the DynamoDB Encryption Client
- I1349: Microsoft Azure: How to set network access rules for storage accounts
- I1350: Amazon Aurora: How to determine if the RDS instance is configured to run in a VPC
- I1351: Amazon Aurora: How to determine if Security Groups are configured to protect RDS resources
- I1352: Amazon Aurora: How to determine if Network ACLs are configured securely
- I1353: Amazon Aurora: How to determine if data at rest is encrypted in RDS
- I1354: Amazon Aurora: How to ensure IAM Authentication is enabled for databases
- I1355: Amazon Aurora: How to determine if an IAM account is configured securely for RDS
- I1356: Amazon Aurora: How to determine if RDS database snapshots are publicly accessible
- I1357: Amazon Aurora: How to determine if the default master username is changed
- I1358: Amazon Aurora: How to create a secret or connection string in AWS Secrets Manager
- I1359: Amazon Aurora: How to determine if Database Activity Streams are enabled
- I1360: Microsoft Azure: How to enable App Service authentication and identity management
- I1361: Microsoft Azure: How to configure TLS for secure connections to App Service
- I1362: Microsoft Azure: How to use the latest version of software on App Service
- I1363: Microsoft Azure: How to enforce SSL connection for database servers
- I1364: Microsoft Azure: How to enable logging of security events for PostgreSQL database
- I1365: Microsoft Azure: How to set log retention duration for PostgreSQL database server
- I1366: Microsoft Azure: How to enable connection throttling on PostgreSQL database servers
- I1367: Microsoft Azure: How to enable JIT Network Access for virtual machines - More in-depth controls
- I1368: Microsoft Azure: How to enable 'Advanced Data Security' on critical SQL Servers - More in-depth controls
- I1369: Microsoft Azure: How to enable security alerts for SQL servers - More in-depth controls
- I1370: Kubernetes: How to only use strong cryptographic ciphers
- I1371: Kubernetes: How to restrict Kublet nodes to access only objects associated with them.
- I1372: Kubernetes: How to encrypt data at rest properly
- I1373: Kubernetes: How to limit the rate at which the API server accepts requests
- I1376: Kubernetes: How to turn on Role Based Access Control
- I1377: Kubernetes: How to find the address of the scheduler and controller manager services
- I1378: Kubernetes: How to enable Kubelet server certificate rotation
- I1379: Kubernetes: How to set the permissions properly on the sensitive configuration files
- I1380: Kubernetes: How to not permit containers to be run with excessive privileges
- I1384: Kubernetes: How to for in-depth controls
Changes to Project Properties and Profiles
- Added "Q319: In-Scope for FedRAMP Compliance" under "Q237: Compliance Scope: Other"
- Added "Q320: FedRAMP Control Baseline" under "Q319: In-Scope for FedRAMP Compliance"
- Added "A1247: Yes" under "Q319: In-Scope for FedRAMP Compliance"
- Added "A1248: Low" under "Q320: FedRAMP Control Baseline"
- Added "A1249: Moderate" under "Q320: FedRAMP Control Baseline"
- Added "A1250: High" under "Q320: FedRAMP Control Baseline"
- Added "A1251: Aurora" under "Q298: AWS Services"
- Added "A1252: PostgreSQL" under "Q305: Database Management System (DBMS)"
- Added "A1253: Asia Pacific" under "Q159: Organization is Subject to Laws of:"
- Added "A1254: In-scope for MAS-TRMG Guidelines" under "Q229: Financial Regulations"

5.1

New features and improvements

Risk Policy and Project Classification
- Project Classification no longer shows a Project as being reclassified from Unclassified the first time a project is classified. It now only displays the initial Project Classification.
- The Project Classification filter in Global Reports now allows filtering on Projects that are Unclassified.
LDAP Sync
- LDAP Sync now supports LDAPS protocol.
Existing Integrations
- Veracode
  - Updated Veracode authentication for XML to HMAC authentication. Authentication now requires a Veracode Access Key (API ID) and Veracode Secret Key (Key).
  - Existing Veracode connections will not work until credentials are updated.
New Integrations for Verification
- OWASP Dependency Track
The beta version of PTA now supports the following verification tools:
- Threadfix
- OWASP Dependency Track
Known bugs:
- OWASP Dependency Track:
  - False positives are counted as flaws in SD Elements unless you explicitly suppress them in the OWASP Dependency Track tool.This will be corrected in a later version.
Bug Fixes
- Fixed bug that allowed Problems to be deleted.
- Fixed LDAP sync group mapping form field that was limited to 1000 groups.
- Fixed LDAP sync issue with custom certificates.
- Fixed LDAP sync failing with names longer than 30 characters.
  - First and last names longer than 30 characters are now auto-truncated.
- Fixed a bug that allowed a Project’s Classification to be updated when the Project’s Survey was saved, but incomplete.
- Fixed a bug that allowed users to name or rename their project and application to “archived”.
- Fixed a bug in the Fortify integration where suppressed issues were being included in scanner results.
- Fixed a bug where the hover zone for a tooltip on the add new Remote Agent button was too small.
Hotfixes:
- PDF Reports
  - PDF reports should be faster to produce as we have replaced the underlying engines used to build them.
- Fixed an error that was causing Veracode reports with unicode characters to fail to import.
- Fixed the modification of a Library Task’s priority

Content additions and updates (as of September 16, 2019):

Added Tasks
- T1925: Maintain the default behavior for anonymous access (OpenShift)
- T1926: Verify that the default behavior for anonymous access is maintained (OpenShift)
- T1927: Disable basic-auth-file method (OpenShift)
- T1928: Verify that the basic-auth-file option has not been configured (OpenShift)
- T1929: Secure communication between API server and master nodes (OpenShift)
- T1930: Verify that the connection between API server and master node is secure (OpenShift)
- T1931: Prevent insecure bindings and insecure port access (OpenShift)
- T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift)
- T1933: Do not disable 'secure-port' for API server traffic (OpenShift)
- T1934: Verify that 'secure-port' is not disabled (OpenShift)
- T1935: Do not expose API server profiling data (OpenShift)
- T1936: Verify that API server profiling is not exposed (OpenShift)
- T1937: Set the 'repair-malformed-updates' value to 'true' (OpenShift)
- T1938: Verify the value of 'repair-malformed-updates' (OpenShift)
- T1939: Disable 'AlwaysAdmit' admission controller (OpenShift)
- T1940: Verify that 'AlwaysAdmit' admission controller is disabled (Open Shift)
- T1941: Disable 'AlwaysPullImages' admission controller if possible (OpenShift)
- T1942: Verify that 'AlwaysPullImages' admission controller is disabled (OpenShift)
- T1943: Use Security Context Constraints instead of 'DenyEscalatingExec' and 'SecurityContextDeny' admission controllers (OpenShift)
- T1944: Verify the user/groups that are bound to 'edit' and 'admin' roles and usage of Security Context Constraints (OpenShift)
- T1945: Do not disable 'NamespaceLifecycle' admission controller (OpenShift)
- T1946: Verify that the 'NamespaceLifecycle' plugin is not disabled (OpenShift)
- T1947: Configure auditing properly on the API server (OpenShift)
- T1948: Verify that API server auditing is configured properly (OpenShift)
- T1949: Do not set 'authorization-mode' flag (OpenShift)
- T1950: Verify that 'authorization-mode' is not set (OpenShift)
- T1951: Do not use static token files for authentication (OpenShift)
- T1952: Verify that static token files are not used (OpenShift)
- T1953: Do not set 'service-account-lookup' and 'service-account-key-file' arguments (OpenShift)
- T1954: Verify that 'service-account-lookup' and 'service-account-key-file' arguments are not set (OpenShift)
- T1955: Do not enable 'PodSecurityPolicy' admission control plugin (OpenShift)
- T1956: Verify that 'PodSecurityPolicy' is disabled (OpenShift)
- T1957: Do not set 'etcd-certfile', 'etcd-keyfile' or 'etcd-cafile' arguments (OpenShift)
- T1958: Verify that 'etcd-certfile', 'etcd-keyfile', or 'etcd-cafile' arguments are not set (OpenShift)
- T1959: Do not disable 'ServiceAccount' admission controller (OpenShift)
- T1960: Verify that 'ServiceAccount' plugin is not disabled (OpenShift)
- T1961: Do not disable 'NodeRestriction' admission controller (OpenShift)
- T1962: Test that the 'NodeRestriction' admission controller is enabled (OpenShift)
- T1963: Encrypt data at rest in etcd datastore (OpenShift)
- T1964: Verify data at rest on 'etcd' datastore is encrypted with 'aescbc' encryption provider (OpenShift)
- T1965: Enable the 'EventRateLimit' plugin (OpenShift)
- T1966: Verify that the 'EventRateLimit' plugin is enabled (OpenShift)
- T1967: Adjust the request timeout value (OpenShift)
- T1968: Verify that request timeout is set to an appropriate value (OpenShift)
- T1969: Do not expose profiling to the web (OpenShift)
- T1970: Verify that profiling is not exposed to the web (OpenShift)
- T1971: Adjust the 'terminated-pod-gc-threshold' argument as needed (OpenShift)
- T1972: Verify the 'terminated-pod-gc-threshold' value (OpenShift)
- T1973: Do not disable 'use-service-account-credentials' argument (OpenShift)
- T1974: Verify that 'use-service-account-credentials' is not disabled (OpenShift)
- T1975: Do not set 'service-account-private-key-file' argument (OpenShift)
- T1976: Verify that 'service-account-private-key-file' argument is not set (OpenShift)
- T1977: Do not set 'serviceAccountConfig.masterCA' argument (OpenShift)
- T1978: Verify that the '--root-ca-file' argument is not set (OpenShift)
- T1979: Never give pods more privileges than required (OpenShift)
- T1980: Verify that Security Context Constraints get applied (OpenShift)
- T1981: Enable the 'RotateKubeletServerCertificate' feature gate (OpenShift)
- T1982: Verify that the 'RotateKubeletServerCertificate' feature is enabled (OpenShift)
- T1983: Set permissions for sensitive files properly (OpenShift)
- T1984: Verify the permissions for the configuration files (OpenShift)
- T1985: Secure etcd communication (OpenShift)
- T1986: Verify that etcd communication is secure (OpenShift)
- T1987: Follow the principle of least privilege (OpenShift)
- T1988: Verify that the cluster-admin role is only used where required (OpenShift)
- T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift)
- T1990: Verify Security Context Constraints as in use (OpenShift)
- T1991: Restrict access to projects only to the required users (OpenShift)
- T1992: Verify that only required users are assigned to projects (OpenShift)
- T1993: Create restrictive network segmentation (OpenShift)
- T1994: Verify the network segmentation (OpenShift)
- T1995: Enable and configure seccomp (OpenShift)
- T1996: Verify that Security Context Constraints have been configured with seccomp (OpenShift)
- T1997: Manage image provenance using ImagePolicy plugin (OpenShift)
- T1998: Verify image policy configuration (OpenShift)
- T1999: Implement strong network policies (OpenShift)
- T2000: Verify network policies (OpenShift)
- T2001: Limit the use of privileged containers (OpenShift)
- T2002: Verify the usage of privileged containers (OpenShift)
- T2003: Do not disable the 'allow-privileged' flag (OpenShift)
- T2004: Verify that the 'allow-privileged' flag is not disabled (OpenShift)
- T2005: Enable the 'anonymous-auth' flag (OpenShift)
- T2006: Verify that the 'anonymous-auth' is not disabled (OpenShift)
- T2007: Do not set the 'authorization-mode' argument (OpenShift)
- T2008: Verify that the 'authorization-mode' argument is not set (OpenShift)
- T2009: Do not change the default value of the 'client-ca-file' argument (OpenShift)
- T2010: Verify that the 'client-ca-file' argument is not set (OpenShift)
- T2011: Do not set the 'read-only-port' argument (OpenShift)
- T2012: Verify that the read-only port is not enabled (OpenShift)
- T2013: Adjust the value of 'streaming-connection-idle-timeout' argument (OpenShift)
- T2014: Verify the value of 'streaming-connection-idle-timeout' argument (OpenShift)
- T2015: Do not set the 'protect-kernel-defaults' argument (OpenShift)
- T2016: Verify that the 'protect-kernel-defaults' argument is not set (OpenShift)
- T2017: Do not disable the 'make-iptables-util-changes' flag (OpenShift)
- T2018: Verify that the 'make-iptables-util-chains' argument is not disabled (OpenShift)
- T2019: Do not enable the 'keep-terminated-pod-volumes' flag (OpenShift)
- T2020: Verify that the 'keep-terminated-pod-volumes' is not enabled (OpenShift)
- T2021: Do not disable the 'hostname-override' flag (OpenShift)
- T2022: Verify that the 'hostname-override' flag is not disabled (OpenShift)
- T2023: Set the 'event-qps' argument to 0 (OpenShift)
- T2024: Verify the value of 'event-qps' argument (OpenShift)
- T2025: Do not set the 'cert-dir' argument (OpenShift)
- T2026: Verify the value of 'cert-dir' argument (OpenShift)
- T2027: Do not enable cAdvisor endpoint (OpenShift)
- T2028: Verify that cAdvisor endpoint is not enabled (OpenShift)
- T2029: Do not disable the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' flags (OpenShift)
- T2030: Verify that the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' are not disabled (OpenShift)
Updated Tasks
- T1053: Enable VM protection features (Microsoft Azure) [Updated text.]
- T1056: Test that all VMs are updated (Microsoft Azure) [Updated text.]
- T1057: Enable disk and storage encryption (Microsoft Azure) [Updated text.]
- T1058: Test that disk and storage encryption is enabled (Microsoft Azure) [Updated text.]
- T1059: Configure network security groups and firewalls securely (Microsoft Azure) [Updated text.]
- T1060: Test that network security groups and firewalls are configured securely (Microsoft Azure) [Updated text.]
- T1061: Enable SQL auditing and threat detection (Microsoft Azure) [Updated text.]
- T1062: Test that SQL auditing and threat detection are enabled (Microsoft Azure) [Updated text.]
- T1063: Set up security contacts (Microsoft Azure) [Updated text.]
- T1064: Test that security contacts are set up (Microsoft Azure) [Updated text.]
- T1077: Log critical events (Microsoft Azure) [Updated text.]
- T1074: Verify that logs are kept long enough (Microsoft Azure) [Updated text.]
- T1078: Verify that critical events are logged (Microsoft Azure) [Updated text.]
- T1082: Verify that Key Vault is configured securely (Microsoft Azure) [Updated text.]
- T1087: Select standard pricing tier (Microsoft Azure) [Updated text.]
- T1368: Perform security testing using SAST tools [Updated the old title "Perform SAST and triage findings" and text to better reflect completion conditions.]
- T1369: Perform security testing using DAST tools [Updated the old title "Perform DAST and triage findings" and text to better reflect completion conditions.]
- T1635: Drop connections after 3 unsuccessful login attempts (Oracle Database) [Changed the old title: "Lock out accounts after 3 unsuccessful attempts" and updated the text.]
- T1636: Verify that connections are dropped after 3 unsuccessful login attempts (Oracle Database) [Changed the old title: "Verify that accounts are locked out after 3 unsuccessful attempts" and updated the text."
- T1649: Lock out accounts after 5 unsuccessful attempts (Oracle Database) [Updated the text.]
- T1650: Verify that accounts are locked out after 5 unsuccessful attempts (Oracle Database) [Updated the text.]
- T1893: Perform a cloud solution security posture assessment [Updated text to better reflect completion conditions.]
- T1915: Perform network vulnerability assessment [Updated the old title "Perform network vulnerability assessment and triage findings" and text to better reflect completion conditions.]
- T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software [Updated title text to better reflect completion conditions.]
Added Problems
- P1440: Changing default behavior for anonymous access (OpenShift)
- P1441: Using static passwords (OpenShift)
- P1442: Unsecure connection between API server and node/kubelet (OpenShift)
- P1443: Insecure binding or port access for API server (OpenShift)
- P1444: Disabled 'secure-port' flag (OpenShift)
- P1445: Exposed API server profiling data (OpenShift)
- P1446: API incompatibility across versions (OpenShift)
- P1447: Active 'AlwaysAdmit' admission controller (OpenShift)
- P1448: Active 'AlwaysPullImages' admission controller (OpenShift)
- P1449: Using 'DenyEscalatingExec' or 'SecurityContextDeny' admission controllers (OpenShift)
- P1450: Disabled 'NamespaceLifecycle' admission controller (OpenShift)
- P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift)
- P1452: Using 'authorization-mode' flag (OpenShift)
- P1453: Using static token files (OpenShift)
- P1454: Using 'service-account-lookup' or 'service-account-key-file' arguments (OpenShift)
- P1455: Enabling 'PodSecurityPolicy' and 'SecurityContextConstraints' at the same time (OpenShift)
- P1456: Unsecure communication to 'etcd' (OpenShift)
- P1457: Inactive 'ServiceAccount' admission controller (OpenShift)
- P1458: Disabled 'NodeRestriction' admission plugin (OpenShift)
- P1459: Unencrypted data on 'etcd' (OpenShift)
- P1460: No rate limit for requests to API server (OpenShift)
- P1461: Inappropriate request timeout value (OpenShift)
- P1462: Exposing profiling to the web (OpenShift)
- P1463: Inappropriate 'terminated-pod-gc-threshold' value (OpenShift)
- P1464: Disabling 'use-service-account-credentials argument' argument (OpenShift)
- P1465: Changing the default 'service-account-private-key-file' (OpenShift)
- P1466: Changing the default 'root-ca-file' (OpenShift)
- P1467: Giving unnecessary privileges to the pods (OpenShift)
- P1468: Lack of certificate rotation (OpenShift)
- P1469: Improper permissions for sensitive files (OpenShift)
- P1470: Unsecure etcd communication (OpenShift)
- P1471: Granting excessive permissions (OpenShift)
- P1472: Loose access constraints for pods (OpenShift)
- P1473: Excessive access to projects (OpenShift)
- P1474: Lack of restrictive network segmentation (OpenShift)
- P1475: Running containers with unconfined seccomp settings (OpenShift)
- P1476: Lack of control on images run in a cluster (OpenShift)
- P1477: Lack of network access control (OpenShift)
- P1478: Using privileged containers (OpenShift)
- P1479: Disabling the 'allow-privileged' flag (OpenShift)
- P1480: Disabling the 'anonymous-auth' flag (OpenShift)
- P1481: Setting the 'authorization-mode' argument (OpenShift)
- P1482: Improper configuration of the 'client-ca-file' argument (OpenShift)
- P1483: Enabling read-only port (OpenShift)
- P1484: Improper value for the 'streaming-connection-idle-timeout' argument (OpenShift)
- P1485: Setting the 'protect-kernel-defaults' argument (OpenShift)
- P1486: Disabling the 'make-iptables-util-chains' flag (OpenShift)
- P1487: Enabling the 'keep-terminated-pod-volumes' flag (OpenShift)
- P1488: Disabling the 'hostname-override' flag (OpenShift)
- P1489: Non-zero value for the 'event-qps' argument (OpenShift)
- P1490: Improper value for the 'cert-dir' argument (OpenShift)
- P1491: Enabling cAdvisor endpoint (OpenShift)
- P1492: Disabling the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' flags (OpenShift)
Updated Problems
- P1169: Server Side Request Forgery (SSRF) [Corrected text errors.]
- P1306: Unlimited number of login attempts during a connection (Oracle Database) [Changed the old title: "Unlimited number of login attempts can lead to brute-force attack".]
- P1313: Unlimited failed login attempts by a user (Oracle Database) [Changed the old title: "Repeated failed login attempts" and updated the text.]
Added HowTo's
- I1307: Using Correct Cryptographic Algorithms and Parameters in Java
- I1308: OpenShift: How to see the cert and key used by the API server to sign service account tokens
- I1309: OpenShift: How to remove insecure-bind-address and insecure-port
- I1310: OpenShift: How to make sure 'secure-port' is not disabled
- I1311: OpenShift: How to disable profiling data exposure
- I1312: OpenShift: How to modify 'repair-malformed-updates' value for API compatibility
- I1313: OpenShift: How to disable 'AlwaysAdmit' admission controller
- I1314: OpenShift: How to enable 'AlwaysPullImages' plugin
- I1315: OpenShift: How to restrict usage of 'edit' and 'admin' roles
- I1316: OpenShift: How to make sure 'NamespaceLifecycle' plugin is not disabled
- I1317: OpenShift: How to make sure 'authorization-mode' is not set
- I1318: OpenShift: How to make sure static token files are not used
- I1319: OpenShift: How to see public/private keys used by the API server to sign service account tokens
- I1320: OpenShift: How to disable the 'PodSecurityPolicy' admission control plugin
- I1321: OpenShift: How to see the cert and key used by the API server for etcd communication
- I1322: OpenShift: How to enable 'ServiceAccount' admission controller
- I1323: OpenShift: How to change the 'request-timeout' value
- I1324: OpenShift: How to make sure profiling is not exposed to the web
- I1325: OpenShift: How to make sure 'use-service-account-credentials' is not disabled
- I1326: OpenShift: How to make sure 'service-account-private-key-file' argument is not set
- I1327: OpenShift: How to make sure 'root-ca-file' argument is not set
- I1328: OpenShift: How to rotate certificates
- I1329: OpenShift: How to set the permissions for the configuration files
- I1330: OpenShift: How to configure imagePolicy plugin
- I1331: OpenShift: How to make sure the 'client-ca-file' argument is not set
- I1332: OpenShift: How to set the 'streaming-connection-timeout' value
Updated HowTo's
- I1: Java with Jasypt [Change of text, Content was reviewed and updated.]
- I2: Java with Jasypt and Bouncy Castle [Change of text, Content was reviewed and updated.]
- I3: Java [Change of text, Content was reviewed and updated.]
- I4: Java with Jasypt [Change of text, Content was reviewed and updated.]
- I5: Centralize authorization using AccessController interface of ESAPI [Change of text, Content was reviewed and updated.]
- I6: Authorize every page using ESAPI AccessController interface [Change of text, Content was reviewed and updated.]
- I8: Java EE with ESAPI: Invalidate old session ID [Change of text, Content was reviewed and updated.]
- I9: Java EE [Change of text, Content was reviewed and updated.]
- I11: Java EE with Tomcat [Change of text, Content was reviewed and updated.]
- I12: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
- I14: Java EE , Servlet Spec 3+ [Change of text, Content was reviewed and updated.]
- I15: SiteMinder 6 [Change of text, Content was reviewed and updated.]
- I17: Java EE with Tomcat 6.0+ [Change of text, Content was reviewed and updated.]
- I18: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
- I19: Java EE with WebSphere 6.1+ [Change of text, Content was reviewed and updated.]
- I20: Java EE [Change of text, Content was reviewed and updated.]
- I21: SiteMinder 6 [Change of text, Content was reviewed and updated.]
- I28: Java EE, Servlet Spec 3.x [Change of text, Content was reviewed and updated.]
- I30: Java EE [Change of text, Content was reviewed and updated.]
- I32: Java [Change of text, Content was reviewed and updated.]
- I33: Java EE with ESAPI: Perform input validation on all forms of input [Change of text, Content was reviewed and updated.]
- I38: Java EE with JSF [Change of text, Content was reviewed and updated.]
- I41: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
- I42: Java EE with WebSphere 6.1+ [Change of text, Content was reviewed and updated.]
- I44: Java EE with ESAPI: Escape untrusted data [Change of text, Content was reviewed and updated.]
- I46: Java EE with JSF and Facelets [Change of text, Content was reviewed and updated.]
- I51: Java with JDBC Prepared Statements [Change of text, Content was reviewed and updated.]
- I53: Java EE with Java Persistence Architecture (JPA) [Change of text, Content was reviewed and updated.]
- I54: Java EE with ESAPI: Disallow carriage returns in HTTP response headers [Change of text, Content was reviewed and updated.]
- I55: Java with ESAPI: Use XML encoding [Change of text, Content was reviewed and updated.]
- I56: Java EE with JAXB [Change of text, Content was reviewed and updated.]
- I57: Java EE with ESAPI: Use Lightweight Directory Access Protocol (LDAP) encoding [Change of text, Content was reviewed and updated.]
- I59: Java with ESAPI: Avoid unsafe operating system interaction [Change of text, Content was reviewed and updated.]
- I60: Java EE [Change of text, Content was reviewed and updated.]
- I63: Java EE with AppSensor [Change of text, Content was reviewed and updated.]
- I68: Java with ESAPI and Jasypt: Use standard libraries for encryption [Change of text, Content was reviewed and updated.]
- I69: Java EE with Jasypt, Bouncy Castle, and Spring IOC [Change of text, Content was reviewed and updated.]
- I271: Java [Change of text, Content was reviewed and updated.]
- I366: Java [Change of text, Content was reviewed and updated.]
- I381: Bouncy Castle [Change of text, Content was reviewed and updated.]
- I420: Java or Android Keystore [Change of text, Content was reviewed and updated.]
- I507: Java Object Serialization [Change of text, Content was reviewed and updated.]
- I509: Storing cryptographic keys and data [Change of text, Content was reviewed and updated.]
- I1004: Enable encrypted connection to database engine [Updated the text.]
Updated T186, w/ latest security patch level for third-party libraries
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Java
- Bouncy Castle
- Node.js
- AngularJS/Angular
- Docker
Changes to Project Properties and Profiles
- Updated "A754: Provides web services or external APIs" [Updated tooltip description.]
- Added "A1245: OpenShift" under "Q308: Containerization Technologies"
- Added "A1236: Cloud IAM" under "Q309: Google Cloud Services"
- Added "A1237: Compute Engine" under "Q309: Google Cloud Services"
- Added "A1238: Cloud Key Management Service" under "Q309: Google Cloud Services"
- Added "A1239: Virtual Private Cloud (VPC)" under "Q309: Google Cloud Services"
- Added "A1240: Cloud Storage" under "Q309: Google Cloud Services"
- Added "A1241: Cloud Audit Logs" under "Q309: Google Cloud Services"
- Added "A1242: Cloud DNS" under "Q309: Google Cloud Services"
- Added "A1243: Cloud SQL" under "Q309: Google Cloud Services"
- Added "A1244: Stackdriver" under "Q309: Google Cloud Services"

5.0

Introducing SD Elements V5!

This release is dedicated to Mark Rathwell. Thank you for your friendship and passion.

Anticipated release dates:
- Early Access Server: August 5th, 2019
- General Availability: August 19th, 2019

New features and improvements:

V5 presents a set of major enhancements to the SD Elements platform and its content in support of Continuous Compliance.
Automated Project Classification:
- You can now better manage projects by classifying them by their potential risk.
- This feature can be enabled or disabled by the organization admin. It is disabled by default.
- Once enabled, projects may be automatically assigned a risk classification and a default Risk Policy based on the answers of the Project Survey.
- Project Classifications are reflected after completing the Project Survey, in the Activity Log, and in Global Reports. Please see the user guide for more information.
- Risk Policies may be configured after completing the Project Survey.
- Project Classifications require one answer and one Risk Policy. Deleting a custom answer from the Project Survey will remove it from Project Classifications. If that was the only answer assigned to the Classification, the Classification cannot be saved until a replacement is provided.
Enhancements to Verification Integrations:
- Analysis integration categories are now displayed on the integration forms such as Veracode (SAST, DAST).
- Added support for the following new verification integrations:
  - Sonarqube
  - OWASP Dependency Check
  - Tenable Nessus (CIS AWS Benchmarks Compliance)
Process Controls for the Software Security Lifecycle:
- Process controls enhance the coverage of SD Elements beyond software development to cover the entire security lifecycle of your software, including operations and maintenance of software being developed or purchased.
- Process controls are mapped to popular security frameworks such as NIST 800-53 and PCI-SSLC.
- This new set of content is disabled by default. Please contact your Customer Success representative to enable it.
- Process controls are added in a new phase called “Activities”.
- These new tasks take advantage of our classification system to decide on the applicability of various process activities.
- For more details, please refer to the content additions and updates below.
Process Task Automation Beta (PTA):
- The Beta version of PTA is available to customers that have activated Process Controls for the Software Security Lifecycle.
- A new event-action framework supports automatically transitioning certain SD Elements process tasks to ‘Complete’.
  - This is based on the occurrence of triggering events within SD Elements with certain predefined criteria.
  - For instance, marking the process task T1368 complete when a SAST code scanner is run and the results are imported into SD Elements with zero high and zero critical findings.
  - Or reopen a process task previously marked complete (such as T1368), if a SAST scan has not been run and results are imported into SDE within a predefined time threshold.
- The following process tasks are automatically marked ‘Complete’ when scan results are returned with zero high and zero critical vulnerabilities for the respective category:
  - T1368: Perform security testing using SAST tools
  - T1369: Perform security testing using DAST tools
  - T1893: Perform a cloud solution security posture assessment
  - T1915: Perform network vulnerability assessment
  - T1921: Avoid obtaining code (source or mobile) from untrusted sources such as public Internet
- The beta version of PTA supports the following verification tools:
  - Microfocus Fortify SSC
  - Microfocus WebInspect
  - IBM Appscan Standard
  - IBM Appscan Source
  - Sonarqube
  - OWASP Dependency Check
  - Checkmarx
  - Veracode
  - Nessus
- Support for additional events and actions will be added in future releases.
Deprecations:
- The super-user only ‘Export Logs’ feature has been removed. To retrieve log files, refer to the SSH method here: https://docs.sdelements.com/release/latest/sysadmin/docs/ongoing_tasks.html#_examine_logs
- SD Elements no longer supports legacy AppScan Standard files (9.0.3.0 and earlier).
- Fortify no longer supports XML file uploads. (It continues to support FVDL and FPR.)
- Thoughtworks Mingle support in SD Elements will be deprecated on July 31st, 2019, and it may cease to function on or after that date. Mingle support will be removed in a future version of SD Elements.
Bug Fixes
- Fixed a bug where LDAP sync table’s status did not change to ‘In progress’ when a sync was in progress.
- Task verification notes created by a verification sync will now include the report reference if available.
- Fixed a bug where the Global Reports ‘Last Modified’ column was only updated when the report was created.

Content additions and updates (as of July 23, 2019):

Updated Tasks
- T29: Use anti-Cross-Site Request Forgery (CSRF) tokens (Change of text, a note was added on generating one token per session independent of session id)
- T87: Verify that all data in transit is encrypted using a secure TLS channel (Change of text and title. Merged with content from T254)
- T422: Verify that built-in sanitization is used in Angular with limited code or markup (Change of title and text. Added test section for Angular as well)
- T496: Protect sensitive data on forward and back (reverse) RFID channels (Change of title from encrypt to protect)
- T797: Make all RDS Databases private and ensure RDS instances are inside a VPC (AWS) [Change of title and text, emphasis on VPC instance and use of EC2-VPC]
- T830: Test that RDS Databases are not publicly accessible and are defined in a VPC (AWS) [Change of title and text, emphasis on VPC instance and verifying VPC assignment for RDS]
- T1164: Secure swarm mode (Docker) [Updated text and rules]
- T1165: Verify that swarm mode is secured (Docker) [Updated text and rules)
- T1873: Prevent information leakage through HTTP response headers (Change of text)
Added Tasks
- T1887: Decide on the right OAuth 2.0 flow for your application
- T1888: Decide on the right OpenID Connect flow for your application
- T1889: Secure the configuration of the authorization server
- T1890: Implement OAuth 2.0 securely on the resource server
- T1897: Encrypt SQS queue messages (AWS)
- T1898: Verify that SQS queue messages are encrypted (AWS)
- T1899: Do not allow unauthorized access to SQS queues (AWS)
- T1900: Verify that SQS queues are only accessible from trusted AWS accounts (AWS)
- T1901: Attach IAM policies to SQS resources (AWS)
- T1902: Verify that SQS queues have IAM Policies attached (AWS)
- T1903: Enforce Network ACLs for RDS (AWS)
- T1904: Encrypt data stored in RDS at rest (AWS)
- T1905: Verify whether data at rest in RDS is encrypted (AWS)
- T1906: Enforce authentication on your relational database services (AWS)
- T1907: Verify whether IAM authentication is enabled for RDS databases (AWS)
- T1909: Change the RDS default master username (AWS)
- T1910: Verify whether the default master username is changed (AWS)
- T1911: Attach IAM policies to RDS resources (AWS)
- T1912: Verify that RDS databases have IAM policies attached (AWS)
- T1919: Use JSON Web Token (JWT) securely
- T1922: Integrate OAuth 2.0 and OpenID Connect where appropriate
- T1923: Disable swarm mode if not needed
- T1924: Verify that swarm mode is disabled
Deactivated Tasks
- T495: Send sensitive data in cover-coded mode on forward channel (Deactivated. Merged with T496: Protect sensitive data on forward and back (reverse) RFID channels)
- T254: Test that TLS/SSL communication is protected (Deactivated. Merged with T87: Verify that all data in transit is encrypted using a secure TLS channel)
Added Additional Requirements
- TA1007: Restricting the user
- TA1008: Restricting the client
- TA1009: Restricting the scope
- TA1010: Testing Security Group requirements for RDS (AWS)
- TA1011: Configuring Security Groups for RDS (AWS)
- TA1012: Use database engine authentication (AWS)
- TA1013: Purpose of each OAuth 2.0 flow
- TA1014: Using scopes as permissions
- TA1015: Understanding the Authorization Code Grant flow with PKCE
- TA1016: Understanding the Client Credentials flow
- TA1017: Proof-of-possession tokens
- TA1018: Securing client registration
- TA1019: Understanding the OIDC Authorization Code flow with PKCE
- TA1020: Understanding the OIDC Hybrid flow
- TA1023: The purpose of OAuth 2.0
- TA1021: Understanding the OIDC Implicit flow
- TA1022: Context information on OAuth 2.0 and OIDC
- TA1024: The purpose of OpenID Connect
- TA1025: Ensure RDS snapshots are not public (AWS)
- TA1026: Verify that RDS snapshots are not publicly accessible (AWS)
Updated Problems
- P1074: Unlocked swarm (Docker) [Updated rules.]
- P1102: Failing to manage secrets in Docker Swarm (Docker) [Updated rules.]
Added Problems
- P1431: Insecure use of JSON Web Token (JWT)
Updated HowTo’s
- I927: Docker: How to secure swarm mode (Updated text.)
Added HowTo’s
- I1293: Handling user involvement in OIDC
- I1294: Implementing the Authorization Code Grant flow with PKCE
- I1295: Session Management with OIDC
- I1297: Handling the Identity Token for User Authentication
- I1299: Validating reference tokens
- I1300: Validating self-contained tokens
- I1302: How to enforce ACL for RDS (AWS)
- I1303: Implementing the Client Credentials flow
- I1304: Augmenting OAuth 2.0 flows with OIDC properties
- I1305: Docker: How to disable swarm mode
Updated T186, w/ latest security patch level for third-party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- Java
- AFNetworking Library
- Node.js
- Docker
Changes to Project Properties and Profiles
- Deactivated "Q125: Authentication Backend" (This question has been disabled and all of its answers have been moved under "Q121: Authentication Method")
- Updated "A8: Stand-alone application" (Changed the description to suggest using this application type for some categories of libraries and SDKs)
- Updated "A21: Passwords stored in configuration files" (Updated matching conditions to make this applicable to all types of applications)
- Updated "A27: Uses encryption functions (not including SSL)" (Updated matching conditions to make this applicable to all types of applications)
- Updated "A39: Has file upload or file transfer functions" (Relaxed the matching conditions/applicability criteria)
- Updated "A54: Uses SSO or federated authentication" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
- Updated "A55: Uses LDAP repository" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
- Updated "A167: Uses database authentication" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
- Updated "A194: Rich client" (Changed the description to suggest using this application type for some categories of libraries and SDKs)
- Updated "A697: Django" (Added "Generic Web Application" to the matching conditions/applicability criteria)
- Deactivated "A756: Authentication is handled through a different system" (Combined with "A758: Has direct or third party authentication for end users, devices or nodes")
- Updated "A758: Has direct or third party authentication for end users, devices or nodes" (Updated text)
- Updated "A1122: Requires non-repudiation" (Removed ‘Requires security logging’ from the matching conditions/applicability criteria)
- Added "A1227: SQS" under "Q298: AWS Services"
- Added "A1235: Swarm" under "Q308: Containerization Technologies"

We also added Oracle database content based on CIS Oracle Database 12c benchmark:

Added Tasks
- T1476: Use secure channels for remote administration (Oracle Database)
- T1477: Verify that secure channels are used for remote administration (Oracle Database)
- T1478: Remove 'extproc' from 'listener.ora' (Oracle Database)
- T1479: Verify that external procedures are not enabled (Oracle Database)
- T1480: Block unauthorized users from making changes to 'listener.ora' (Oracle Database)
- T1481: Verify that unauthorized users are not able to make alterations to remote data/service settings (Oracle Database)
- T1482: Use encrypted channels for remote connections (Oracle Database)
- T1483: Verify remote connections are established through encrypted channels (Oracle Database)
- T1613: Use latest versions and patches (Oracle Database)
- T1614: Verify that latest versions and patches are used (Oracle Database)
- T1615: Keep passwords secure (Oracle Database)
- T1616: Verify that all default passwords are changed (Oracle Database)
- T1617: Remove all sample data and sample schemas (Oracle Database)
- T1618: Verify that sample schemas are removed from the production environment (Oracle Database)
- T1619: Keep audit parameters enabled at all times (Oracle Database)
- T1620: Verify that audit parameters are enabled (Oracle Database)
- T1621: Only allow authorized domains to connect with database (Oracle Database)
- T1622: Verify that name of database link matches the remote database (Oracle Database)
- T1623: Block all unauthorized access to data structures (Oracle Database)
- T1624: Verify that the value of Dictionary_Accessibility is set to False (Oracle Database)
- T1625: Do not allow OS external groups to connect with database (Oracle Database)
- T1626: Verify that external groups are not able to connect with database (Oracle Database)
- T1627: Disable remote listener setting (Oracle Database)
- T1628: Verify that remote listener setting is empty (Oracle Database)
- T1629: Do not share login password file between databases (Oracle Database)
- T1630: Verify that remote login password file is not shared between the databases (Oracle Database)
- T1631: OS 'roles' with attendant privileges should be incapable of remote client connections (Oracle Database)
- T1632: Verify that OS 'roles' are incapable of remote client connections (Oracle Database)
- T1633: Leave the utl_file_dir setting value empty (Oracle Database)
- T1634: Verify that utl_file_dir setting value is empty (Oracle Database)
- T1635: Lock out accounts after 3 unsuccessful attempts (Oracle Database)
- T1636: Verify that accounts are locked out after 3 unsuccessful attempts (Oracle Database)
- T1637: Drop a connection after 3 bad packets from the client (Oracle Database)
- T1638: Verify that system drops a connection after 3 bad packets from the client (Oracle Database)
- T1639: Maintain server logs for bad packets received from the client (Oracle Database)
- T1640: Verify that system maintains server logs for bad packets received from the client (Oracle Database)
- T1641: Do not allow database to return current patch/update information (Oracle Database)
- T1642: Verify that database is not disclosing the current patch/update information (Oracle Database)
- T1643: User must have SELECT object privilege (Oracle Database)
- T1644: Verify that user has been granted SELECT object privilege (Oracle Database)
- T1645: Restrict trace file access by making it unreadable (Oracle Database)
- T1646: Verify that system's trace file is unreadable (Oracle Database)
- T1647: Enforce resource limit in any database profile (Oracle Database)
- T1648: Verify that resource limit has been enforced in database profile (Oracle Database)
- T1649: Lock out accounts after 5 unsuccessful attempts (Oracle Database)
- T1650: Verify that accounts are locked out after 5 unsuccessful attempts (Oracle Database)
- T1651: Accounts must be unlocked automatically after a period of time (Oracle Database)
- T1652: Verify that locked account is unlocked automatically after 1 day (Oracle Database)
- T1653: Do not allow remote OS authentication of the user (Oracle Database)
- T1654: Verify that users cannot be authenticated by remote OS for full authorization to database (Oracle Database)
- T1655: Limit the number of sessions per user (Oracle Database)
- T1656: Verify that maximum number of sessions per user is less than or equal to 10 (Oracle Database)
- T1657: Do not assign default profile to any user (Oracle Database)
- T1658: Verify that default profile has not been assigned to any user (Oracle Database)
- T1659: Revoke excessive system privileges from unauthorized users (Oracle Database)
- T1660: Verify that excessive system privileges have been revoked from unauthorized users (Oracle Database)
- T1661: Proxy users should only have connect privileges (Oracle Database)
- T1662: Verify the access privileges for proxy users (Oracle Database)
- T1663: Remove 'EXECUTE ANY PROCEDURE' from OUTLN and DBSNMP users (Oracle Database)
- T1664: Verify that 'EXECUTE ANY PROCEDURE' is revoked (Oracle Database)
- T1665: Revoke default public execute privileges from powerful packages and object types (Oracle Database)
- T1666: Verify that default public execute privileges from powerful packages and object types have been revoked (Oracle Database)
- T1667: Revoke non-default public execute privileges from powerful packages and object types (Oracle Database)
- T1668: Verify that non-default public execute privileges from powerful packages and object types have been revoked (Oracle Database)
- T1669: Revoke powerful roles where they are not likely needed (Oracle Database)
- T1670: Verify that powerful roles have been revoked from where they are not likely needed (Oracle Database)
- T1671: Revoke excessive tables and view privileges (Oracle Database)
- T1672: Verify that excessive tables and view privileges have been revoked for unauthorized users (Oracle Database)
- T1673: All traditional audit options must be enabled at all times (Oracle Database)
- T1674: Verify that all traditional audit options are enabled at all times (Oracle Database)
- T1733: Enable all unified audit options (Oracle Database)
- T1734: Verify that all unified audit options are enabled (Oracle Database)
Added Problems
- P1230: Unencrypted remote connections can result in sniffing of the control configuration (Oracle Database)
- P1231: Database can run procedures from OS libraries (Oracle Database)
- P1232: Nonprivileged users can compromise data confidentiality (Oracle Database)
- P1233: Unauthorized users can sniff unencrypted remote channels (Oracle Database)
- P1295: Using an outdated version of the database (Oracle Database)
- P1296: Attackers can gain access if default passwords are not changed (Oracle Database)
- P1297: Sample schemas can launch exploits in production database (Oracle Database)
- P1298: Not monitoring user activities (Oracle Database)
- P1299: Unauthorized domain sources connecting to the database (Oracle Database)
- P1300: Unauthorized access to critical data structures (Oracle Database)
- P1301: External groups can cause privilege overlaps (Oracle Database)
- P1302: Remote listener setting can lead to connection spoofing (Oracle Database)
- P1303: Remote login password file could permit unsecured privileged connections (Oracle Database)
- P1304: OS roles can cause connection spoofing and privilege overlaps (Oracle Database)
- P1305: utl_file_dir can impact the integrity of files (Oracle Database)
- P1306: Unlimited number of login attempts can lead to brute-force attack (Oracle Database)
- P1307: Receiving bad packets could result in a denial-of-service condition (Oracle Database)
- P1308: Receiving bad packets can indicate packet-based attack (Oracle Database)
- P1309: Disclosing release/patch numbers can reveal known weaknesses to unauthorized users (Oracle Database)
- P1310: Inadvertent information disclosure (Oracle Database)
- P1311: Disclosure of sensitive information about instance operations (Oracle Database)
- P1312: Performance impact due to resource limit (Oracle Database)
- P1313: Repeated failed login attempts (Oracle Database)
- P1314: Administrative overhead due to account lockout (Oracle Database)
- P1315: Remote OS authentication of a user can grant full access to database (Oracle Database)
- P1316: Allowing multiple sessions per user can lead to memory resource consumption or denial-of-service attack (Oracle Database)
- P1317: Default profile settings can lead to privileged access (Oracle Database)
- P1318: Unauthorized users with excessive privileges can impact confidentiality and integrity of data (Oracle Database)
- P1319: Not monitoring access of proxy users (Oracle Database)
- P1320: Granting excessive privileges (Oracle Database)
- P1321: Unauthorized users can impact confidentiality and integrity of database (Oracle Database)
- P1322: Excessive privileges can lead to unauthorized actions in the database (Oracle Database)
- P1323: Powerful roles can be configured to perform unauthorized actions in the database (Oracle Database)
- P1324: Unauthorized users can attack the confidentiality and integrity of database tables (Oracle Database)
- P1325: Not logging the pattern of unauthorized activities (Oracle Database)
- P1355: Not monitoring the activities of malicious users (Oracle Database)
Added HowTo's
- I1082: Oracle Database: How to use secure channels for remote administration
- I1083: Oracle Database: How to remove 'extproc' from 'listener.ora'
- I1084: Oracle Database: How to block unauthorized users from making alterations
- I1085: Oracle Database: How to encrypt remote connections
- I1154: Oracle Database: How to apply latest and critical patches
- I1155: Oracle Database: How to change default passwords
- I1156: Oracle Database: How to remove sample schemas
- I1157: Oracle Database: How to enable audit parameters
- I1158: Oracle Database: How to enable remote database settings
- I1159: Oracle Database: How to block unauthorized access to data structures
- I1160: Oracle Database: How to disable OS external groups settings for database management
- I1161: Oracle Database: How to make the remote listener setting empty
- I1162: Oracle Database: How to remove remote login password files between databases
- I1163: Oracle Database: How to disable remote client connections for OS 'roles'
- I1164: Oracle Database: How to make the utl_file_dir setting value empty
- I1165: Oracle Database: How to lock out an account after 3 unsuccessful attempts
- I1166: Oracle Database: How to drop a connection after receiving 3 bad packets from the client
- I1167: Oracle Database: How to log the response level for bad/malformed packets from the client
- I1168: Oracle Database: How to modify database settings so that current patch/update information is not disclosed
- I1169: Oracle Database: How to modify SELECT object privilege
- I1170: Oracle Database: How to make the system trace file unreadable
- I1171: Oracle Database: How to enforce resource limits in any database profile
- I1172: Oracle Database: How to set failed login attempt limit
- I1173: Oracle Database: How to set password lock time
- I1174: Oracle Database: How to remove remote OS authentication of a user
- I1175: Oracle Database: How to limit the number of sessions per user
- I1176: Oracle Database: How to assign function-appropriate profile to a user
- I1177: Oracle Database: How to revoke excessive system privileges from unauthorized users
- I1178: Oracle Database: How to modify the access privileges for proxy users
- I1179: Oracle Database: How to revoke excessive privileges
- I1180: Oracle Database: How to revoke default public execute privileges from powerful packages and object types
- I1181: Oracle Database: How to revoke non-default public execute privileges from powerful packages and object types
- I1182: Oracle Database: How to revoke powerful roles
- I1183: Oracle Database: How to revoke excessive tables and view privileges for unauthorized users
- I1184: Oracle Database: How to enable all audit options
- I1214: Oracle Database: How to enable all unified audit options

Continuous Compliance content:

We have added 33 tasks for continuous compliance processes that are disabled by default. Once you upgrade to 5.0, please contact your Customer Success representative for more information.

Added Tasks:
- T1366: Identify applicable compliance regulations
- T1367: Identify and classify critical assets
- T1368: Perform security testing using SAST tools
- T1369: Perform security testing using DAST tools
- T1370: Identify and track common software weaknesses and threats
- T1371: Use a software security management solution to select and track security controls
- T1372: Follow software change management process
- T1373: Maintain the integrity of all software code
- T1374: Ensure the integrity of software release and update delivery
- T1375: Properly collect and protect sensitive data
- T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
- T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
- T1378: Release a change summary for each software update
- T1380: Enforce secure user registration and access control
- T1381: Establish secure processes for key management
- T1382: Manage performance and capacity
- T1383: Separate development, test, and operational environments
- T1384: Back up and restore securely
- T1385: Institute secure logging and event monitoring
- T1386: Regulate the use of electronic messaging
- T1387: Ensure the security of products acquired through the supply chain and contractors
- T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- T1389: Perform penetration testing
- T1891: Perform Privacy Impact Assessment (PIA)
- T1892: Perform a Threat and Risk Assessment (TRA)
- T1893: Perform a cloud solution security posture assessment
- T1894: Perform a vendor security assessment
- T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
- T1915: Perform network vulnerability assessment
- T1917: Perform container security assessment
- T1918: Integrate with SSO
- T1920: Conduct security architecture and design reviews before starting code development
- T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
Added Additional Requirements
- TA993: PCI-DSS Requirements
Added Problems
- P1170: Lack of a secure process for outsourcing
- P1171: Lack of a process for identifying applicable compliance regulation
- P1172: Lack of a process for identifying critical assets
- P1173: Lack of a process for dynamic application testing
- P1174: Lack of software change management process
- P1175: Insufficient software code control
- P1177: Lack of a process for creating summary of changes upon each software update
- P1178: Lack of a process for ensuring the integrity of software release and update
- P1179: A secure backup and restore processes are missing or lacking
- P1180: Lack of process for collecting and protecting sensitive data
- P1181: Lack of guidance on secure installation, maintenance and configuration of all software components
- P1182: Lack of a communication channel for reporting security issues
- P1183: No secure processes for logging and monitoring events
- P1184: Lack of a secure process for penetration testing
- P1185: Lack of process for user registration and enforcement of access control
- P1186: Lack of a process for static application security testing (SAST)
- P1187: Lack of a process for identifying and assessing software threats
- P1188: Lack of software security management solution to track security controls
- P1190: Lack of process for performance and capacity management
- P1191: Deploying software in production on the same environment as development and testing
- P1225: Unmanaged test result findings
- P1226: Lack of a process for regulating the use of electronic messaging
- P1429: Applications not protected with Intrusion Detection / Protection System (IDS/IPS)
- P1432: Lack of security architecture and design activities
- P1433: Lack of third-party software code or dependencies management
- P1434: Lack of secure key management process
- P1435: Lack of Privacy Impact Assessment (PIA)
- P1436: Lack of cloud solution security posture assessment
- P1437: Lack of vendor security assessment
- P1438: Lack of network vulnerability assessment
- P1439: Lack of container security assessment
Added HowTo's
- I1044: Oracle
- I1045: Microsoft SQL Server

4.23

New features and improvements:

Remote Integration Agent:
- Remote Integration Agents can now be managed through the UI
- There is now a separate Remote Agent screen where admins can see the status of a remote agent.
- Updated the global level connections form for improved support of the remote integration agent.
  - The checkbox for indicating that a server is inaccessible has been moved up, and a new a warning will appear if a server is inaccessible and a remote integration agent needs to be installed.
ALM integration updates:
- Added support for Pivotal Tracker custom status mapping.
UI updates:
- You can now personalize the term "Risk Policy" as it appears on the UI in System > UI Customization.
LDAP Sync:
- You can now create/modify/remove group mappings more efficiently with a new LDAP group mapping page.
- Use the SD Elements API to manage LDAP group mappings.
- There is now a separate API endpoint used solely for modifying LDAP group mappings. This allows you to modify group mappings individually rather than having to do it in bulk every time.
- There is a known issue with the group mapping form where the SDE group field only displays the first 1000 groups. This will be addressed in a future release. The API can be used to work around this issue.
Bug Fixes:
- For verification status calculation, a Pass verification status will now take precedence over a Partial Pass verification status when both are valid. Failures continue to trump any other verification status that is applicable, or whose status has not been overwritten using either replace or replace same scanner import behaviors. This fixes a regression that arose in 4.18.
- Fixed a bug causing error messages to be cut-off when a task status being deleted is attached to a risk policy.
- Fixed a bug affecting the ability to change the order of default phases.
- Fixed a bug affecting UI text wrapping on IE 11.
Deprecation Notice:
- We would like to remind you that Jira is dropping support for username and password authentication in their cloud instances. At this time, we have not removed these fields, as customers may have hosted instances of Jira that continue to support this form of authentication.

Content additions and updates:

Updated Tasks
- T28: Avoid 'Remember Me' features [Change of text. Required non-persistent cookies for session management.]
- T53: Prevent the upload of malicious files and malware [Change of title and text. More emphasis on disabling file upload.]
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Change of text. Explicit mention of DES.]
- T66: Prevent web pages from being loaded inside iFrame [Change of text. More clarification and highlighting of best practices.]
- T159: Follow best practices for secure error and exception handling [Change of text. Added a note about not ignoring the return values of functions.]
- T200: Test for validation on all untrusted XML input [Change of title for added clarity.]
- T207: Provide special data protection for children's personal information [Removed GDPR from inclusion criteria.]
- T257: Secure cross origin resource sharing (CORS) [Change of text. Added recommendations and clarification around CORS policies.]
- T258: Secure web (cross domain) messaging in HTML5 [Change of text. More clarification on sender requirements and postMessage().]
- T259: Follow best practices when storing data in Local or Session Storage [Change of text. More clarification and a reference to a new task to encrypt sensitive data.]
- T286: Make sure username rules are consistent among the registration system, authentication system, and application [Change of title and text for added clarity.]
- T318: Verify security of cross origin resource sharing (CORS) [Change of text. Clearer guidelines for testing.]
- T417: Avoid passing dynamic data to trustAs or bypassSecurityTrust functions [Change of text and title. Clearer guidelines and new content for Angular 2+ and added bypassSecurityTrust.]
- T418: Use Angular's built-in sanitization for user output with limited code or markup [Change of text and title. Clearer guidelines and new content for Angular 2+.]
- T456: Select stringent security settings and disable unnecessary services and modules [Change of title and text. Added a note about selecting stringent security settings.]
- T557: Set SameSite attribute of cookies to Lax/Strict [Change of text. More explanation and clarification.]
- T599: Do not rely on mutable HTTP headers such as 'host' and 'referer' [Change of title and text. Broadened the scope to include other headers.]
- T600: Verify that HTTP header values are not used without proper validation [Change of title and text. Broadened the scope to include other headers.]
Added Tasks
- T1463: Enable ahead-of-time (AOT) compilation for Angular applications (Angular)
- T1464: Verify application compatibility with AOT compilation in Angular applications (Angular)
- T1465: Decide how to handle sessions/authorization state in your Angular application (Angular)
- T1466: Restrict sending of authorization state to approved origins in Angular (Angular)
- T1467: Verify that the Angular application does not leak the authorization state (Angular)
- T1468: Encrypt sensitive data at rest in the browser
- T1469: Prevent sensitive data leakage through Content Security Policy (CSP) reports
- T1538: Avoid DOM-based Cross-Site Scripting (XSS) in Angular applications (Angular)
- T1539: Clear browser data on user logout
- T1540: Verify that browser data is cleared upon user logout
- T1541: Decide on the best CSRF defense for your application
- T1542: Use the correct HTTP methods for making state-changing operations
- T1543: Leverage origin isolation for compartmentalization
- T1544: Isolate untrusted content in a sandbox
- T1873: Prevent information leakage through HTTP response headers
- T1874: Test that HTTP response headers do not expose any sensitive information
- T1878: Grant minimal IAM permissions (especially to Lambda functions) (AWS)
- T1880: Encrypt data at rest for Lambda functions (AWS)
- T1881: Mitigate the risk of uncontrolled data harvesting
- T1882: Verify uncontrolled data harvesting can be detected
- T1883: Enable configuration monitoring in AWS console (AWS)
- T1885: Ensure Lambda functions handle input safely (AWS)
- T1886: Do not allow anonymous invocation of Lambda functions (AWS)
Added Additional Requirements
- TA994: Manage vulnerabilities in third-party dependencies using scanners
- TA995: Protecting against CSRF in Angular applications
- TA996: Deploying Content Security Policy in Angular applications
- TA997: Use client-side validation to detect malicious behavior
- TA998: Leverage origin isolation for sensitive code
- TA999: Avoid using the sleep function for throttling in Java
- TA1000: PHP considerations for dynamic code and class loading
- TA1002: Verify that third-party dependencies in Lambda functions do not have vulnerabilities (AWS)
- TA1003: Generate log metrics and actionable alerts for Lambda functions (AWS)
- TA1004: Encrypt data in transit for Lambda functions (AWS)
- TA1005: Prevent untrusted parties from accessing admin interfaces in applications
Updated Problems
- P811: Reliance on Mutable HTTP Headers [Change of title and text. Broadened the scope to include other headers.]
Added Problems
- P1427: Uncontrolled data harvesting by web scripts
- P1428: Unmonitored changes of AWS configurations (AWS)
Added HowTo's
- I1113: Using anti-CSRF tokens in Angular
- I1114: Restricting an Angular HttpInterceptor to a set of approved URLs
- I1115: Specify the content type of requests in Angular
- I1116: Propagate cookie-based authorization state on CORS requests in Angular
- I1117: Encrypt using a key obtained from the server
- I1118: Encrypt using a key generated from a user passphrase
- I1119: Configure Nginx to clear browser data on user logout
- I1285: How to grant minimal IAM permissions
- I1286: Generating log metrics and actionable alerts for Lambda functions (AWS)
- I1287: How to encrypt data at rest for Lambda functions (AWS)
- I1288: Enable configuration management for Lambda (AWS)
- I1290: Protect Lambda functions from anonymous invocation (AWS)
Updated T186, w/ latest security patch level for third-party libraries
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Bouncy Castle
- AFNetworking Library
- Node.js
- AngularJS/Angular
- Docker
- JQuery
Changes to Project Properties and Profiles
- Added "A1223: Angular" under "Q110: Technology/Framework"
- Added "A1226: Lambda" under "Q298: AWS Services".
Updated following code scanner mappings
- WebInspect
- AppScan
- Checkmarx
- WhiteHat

4.22

New features and improvements:

ALM Integration updates:
- Added the optional “Unmapped Status Fallback” for all ALM system connectors supporting custom status mapping (Jira, CA Agile Central, Rational Team Concert). This specifies the SD Elements status, including a “Do Not Modify” option, to use when an ALM status is not mapped in the ALM status mapping.
- On initial sync, the Jira plugin can now leave a newly created Jira task with its initial status instead of transitioning it to match the corresponding SD Elements task status. In general, transitions on initial syncs are skipped if the initial status maps to the current SD Elements status.
Project Creation Integration Improvements
- Added support for creating a New Release when using a Project Connection Plugin.
- Added a new dialog for the New Release capability that supports connection retry and skipping to the original form.
- The New Release form prepopulates with data from its source plugin upon successful connection.
API improvements:
- Added the ability to select and deselect survey answers when creating a new project or creating a new project release through the API.
Fortify Sync Configuration Changes
- “/ssc” is now more explicitly appended to Fortify URLs as part of the context root. In previous versions of SD Elements, “/ssc” was implicitly added (/ssc). Existing Fortify connectors will have their context root amended automatically by upgrading to v4.22 and no further action is required. For new connectors, “/ssc” will need to be added to the end of context root if it is part of the URL.
Project Specific Tasks
- Project and Library tasks are now cached when adding a Project Specific Task to help with loading times when the ‘add’ dialog is closed and reopened.
Bug Fixes:
- The Project Reports selection page now correctly shows all default fields.
- Fortify syncs will now work when reports are missing an audit.xml file.
- ‘Mitigation Accepted’ is now supported as a way to suppress reported flaws in a Veracode report.

Content additions and updates (April 29, 2019)

Updated Tasks
- T153: Scrub buffers holding sensitive information when releasing/deleting (Added 'Uses an unmanaged programming language' to matching conditions)
- T301: Verify that buffers holding sensitive information are scrubbed (Added 'Uses an unmanaged programming language' to matching conditions)
- T349: Protect audit information and logs against unauthorized access (Change of text: Added a requirement to store logs in a different partition)

Added Tasks
- T1393: Mitigate Struts Double Evaluation (This is a new task for mitigating the Apache Struts double evaluation vulnerability)
- T1394: Verify that the Code does not Use Vulnerable Apache Struts OGNL Double Evaluation Syntax (This is the test task of T1393: Mitigate Struts Double Evaluation)
Updated Problems
- P123: Sensitive information uncleared before release (Change of text: Added descriptions for various scenarios)
Added Problems
- P1189: Apache Struts Double Evaluation
Updated HowTo’s
- I270: Android (change of task from 'T153: Scrub buffers holding sensitive information when releasing/deleting' to 'T244: Securely delete any unprotected sensitive data before a resource is released or shared')
Updated T186, w/ latest security patch level for third-party libraries
- JQuery
- Docker
- AngularJS/Angular
- Node.js
- Java
- Apache Wicket
- Apache HTTP Server
- OpenSSL
- GnuTLS
- Apache Tomcat
- Rails
- Django
Changes to Survey:
- Added 'VPC' (A1177) and 'EC2' (A1171) answers as children of AWS answer (A1159)
- Changed A27's title to 'Uses encryption functions (not including SSL)' from 'Uses custom encryption (that is not SSL)'
New Just-in-Time Training:
- Defending Java
- Defending Mobile
- Defending C
- Defending Django
- GDPR for Developers
- OWASP Top 10 2017
- PCI SSLC
- PCI DSS

We also added content for Microsoft SQL Server based on CIS benchmarks:

Added Tasks
- T1397: Use the most recent service packs and hotfixes (Microsoft SQL Server)
- T1398: Verify that most recent service packs and hotfixes are installed (Microsoft SQL Server)
- T1399: Use a dedicated server for SQL server (Microsoft SQL Server)
- T1400: Verify that a dedicated server is used for deploying SQL server (Microsoft SQL Server)
- T1401: Disable ad hoc distributed queries (Microsoft SQL Server)
- T1402: Verify that ad hoc distributed queries are disabled (Microsoft SQL Server)
- T1403: Disable CLR (Microsoft SQL Server)
- T1404: Verify that CLR is disabled (Microsoft SQL Server)
- T1405: Disable cross-database ownership chaining across all databases or at the server level (Microsoft SQL Server)
- T1406: Verify that cross-database ownership chaining is disabled across all databases or at the server level (Microsoft SQL Server)
- T1407: Disable 'Database Mail XPs' option (Microsoft SQL Server)
- T1408: Verify that 'Database Mail XPs' option is disabled (Microsoft SQL Server)
- T1409: Disable 'Ole Automation Procedures' option (Microsoft SQL Server)
- T1410: Verify that 'Ole Automation Procedures' is disabled (Microsoft SQL Server)
- T1411: Disable 'Remote Access' option (Microsoft SQL Server)
- T1412: Verify that 'Remote Access' option is disabled (Microsoft SQL Server)
- T1413: Disable remote admin connections by default (Microsoft SQL Server)
- T1414: Verify that remote admin connections are disabled by default (Microsoft SQL Server)
- T1415: Disable scanning for startup processes (Microsoft SQL Server)
- T1416: Verify that scanning for startup processes is disabled (Microsoft SQL Server)
- T1417: Disable 'Trustworthy' database option (Microsoft SQL Server)
- T1418: Verify that 'Trustworthy' database option is disabled (Microsoft SQL Server)
- T1419: Disable unnecessary SQL server protocols (Microsoft SQL Server)
- T1420: Verify that unnecessary SQL server protocols are disabled (Microsoft SQL Server)
- T1421: Do not use default ports (Microsoft SQL Server)
- T1422: Verify that default ports are not used (Microsoft SQL Server)
- T1423: Enable 'Hide Instance' option (Microsoft SQL Server)
- T1424: Verify that 'Hide Instance' option is enabled (Microsoft SQL Server)
- T1425: Disable 'sa' login account (Microsoft SQL Server)
- T1426: Verify that 'sa' login account is disabled (Microsoft SQL Server)
- T1427: Rename 'sa' login account (Microsoft SQL Server)
- T1428: Verify that there is no 'sa' login account (Microsoft SQL Server)
- T1429: Disable 'xp_cmdshell' option (Microsoft SQL Server)
- T1430: Verify that 'xp_cmdshell' option is disabled (Microsoft SQL Server)
- T1431: Do not close the database when the connections are terminated (Microsoft SQL Server)
- T1432: Verify that the database is not closed when the connections are terminated (Microsoft SQL Server)
- T1433: Use Windows authentication mode for server authentication (Microsoft SQL Server)
- T1434: Verify that Windows authentication mode is used for server authentication (Microsoft SQL Server)
- T1435: Revoke connect permission for guest user (Microsoft SQL Server)
- T1436: Verify that connect permission for the guest user is revoked (Microsoft SQL Server)
- T1437: Remove all orphaned users from the database (Microsoft SQL Server)
- T1438: Verify that all orphaned users are removed (Microsoft SQL Server)
- T1439: Do not use SQL server authentication for contained databases (Microsoft SQL Server)
- T1440: Verify that SQL server authentication is not used for contained databases (Microsoft SQL Server)
- T1441: Do not grant administrator privileges to the service accounts (Microsoft SQL Server)
- T1442: Verify that administrator privileges are not granted to the service accounts (Microsoft SQL Server)
- T1443: Assign only Microsoft specified permissions to the 'public' role (Microsoft SQL Server)
- T1444: Verify that only Microsoft specified permissions are assigned to the 'public' role (Microsoft SQL Server)
- T1445: Do not use builtin or local Windows groups as SQL server logins (Microsoft SQL Server)
- T1446: Verify that builtin or local Windows groups are not used as SQL server logins (Microsoft SQL Server)
- T1447: Do not grant access to SQL Agent proxies to the 'public' role (Microsoft SQL Server)
- T1448: Verify that 'public' role does not have access permissions to SQL Agent proxies (Microsoft SQL Server)
- T1449: Setup a secure password policy (Microsoft SQL Server)
- T1450: Verify that a secure password policy is set up (Microsoft SQL Server)
- T1451: Maintain audit logs for all database activities (Microsoft SQL Server)
- T1452: Verify that audit logs are maintained for all database activities (Microsoft SQL Server)
- T1453: Validate user input before transmitting it to the SQL server (Microsoft SQL Server)
- T1454: Verify that user input is validated before transmitting it to the database server (Microsoft SQL Server)
- T1455: Prevent CLR assemblies for accessing external system resources (Microsoft SQL Server)
- T1456: Verify that 'SAFE_ACCESS' is set for all CLR assemblies (Microsoft SQL Server)
- T1457: Use a strong symmetric key encryption algorithm (Microsoft SQL Server)
- T1458: Verify that a strong symmetric key encryption algorithm is used (Microsoft SQL Server)
- T1459: Use asymmetric keys of at least 2048-bit long (Microsoft SQL Server)
- T1460: Verify that asymmetric encryption keys are at least 2048-bit long (Microsoft SQL Server)
- T1461: Leave 'SQL Server Browser' service disabled if it is not required (Microsoft SQL Server)
- T1462: Verify that 'SQL Server Browser' service is disabled if it is not required (Microsoft SQL Server)
Added Problems
- P1192: Outdated service packs and hotfixes (Microsoft SQL Server)
- P1193: Using a shared machine for deploying SQL server (Microsoft SQL Server)
- P1194: Enabled ad hoc distributed queries (Microsoft SQL Server)
- P1195: Enabled CLR (Microsoft SQL Server)
- P1196: Information disclosure through cross-database ownership chaining (Microsoft SQL Server)
- P1197: Enabled 'Database Mail XPs' option (Microsoft SQL Server)
- P1198: Enabled 'Ole Automation Procedures' option for executing functions external to SQL server (Microsoft SQL Server)
- P1199: Enabled 'Remote Access' option (Microsoft SQL Server)
- P1200: Allowing remote admin connections (Microsoft SQL Server)
- P1201: Running stored procedures at startup (Microsoft SQL Server)
- P1202: Allowing database objects to access objects in other databases (Microsoft SQL Server)
- P1203: Unnecessary protocols (Microsoft SQL Server)
- P1204: Using default ports (Microsoft SQL Server)
- P1205: Not hidden production SQL server instances (Microsoft SQL Server)
- P1206: Enabled SQL server account with sysadmin privileges (Microsoft SQL Server)
- P1207: Using the default 'sa' login account (Microsoft SQL Server)
- P1208: Enabled 'xp_cmdshell' option (Microsoft SQL Server)
- P1209: Closing the database after terminating the connections (Microsoft SQL Server)
- P1210: Using SQL server's internal server authentication (Microsoft SQL Server)
- P1211: Permitting the guest user to connect to the database (Microsoft SQL Server)
- P1212: Orphan users (Microsoft SQL Server)
- P1213: Using SQL server authentication for contained databases (Microsoft SQL Server)
- P1214: Administrator privileges for service accounts (Microsoft SQL Server)
- P1215: Extra permissions assigned to the 'public' role (Microsoft SQL Server)
- P1216: Using builtin or local Windows groups as login for SQL server (Microsoft SQL Server)
- P1217: Access to SQL Agent proxy for the 'public' role (Microsoft SQL Server)
- P1218: Weak password security policy (Microsoft SQL Server)
- P1219: Not logging important event (Microsoft SQL Server)
- P1220: No input validation (Microsoft SQL Server)
- P1221: Broad permissions for CLR assemblies (Microsoft SQL Server)
- P1222: Using weak symmetric encryption keys (Microsoft SQL Server)
- P1223: Using weak asymmetric encryption keys (Microsoft SQL Server)
- P1224: Enabled 'SQL Server Browser' service (Microsoft SQL Server)
Added HowTo’s
- I1046: Microsoft SQL Server: How to install the most recent service packs and hotfixes
- I1047: Microsoft SQL Server: How to assign a dedicated server for SQL server
- I1048: Microsoft SQL Server: How to disable ad hoc distributed queries
- I1049: Microsoft SQL Server: How to disable CLR
- I1050: Microsoft SQL Server: How to disable cross-database ownership chaining
- I1051: Microsoft SQL Server: How to disable 'Database Mail XPs' option
- I1052: Microsoft SQL Server: How to disable 'Ole Automation Procedures' option
- I1053: Microsoft SQL Server: How to disable 'Remote Access' option
- I1054: Microsoft SQL Server: How to disable remote admin connections by default
- I1055: Microsoft SQL Server: How to disable scanning for startup processes
- I1056: Microsoft SQL Server: How to disable 'Trustworthy' database option
- I1057: Microsoft SQL Server: How to disable unnecessary SQL server protocols
- I1058: Microsoft SQL Server: How to modify default port setting
- I1059: Microsoft SQL Server: How to enable 'Hide Instance' option for SQL server
- I1060: Microsoft SQL Server: How to disable 'sa' login account
- I1061: Microsoft SQL Server: How to rename 'sa' login account
- I1062: Microsoft SQL Server: How to disable 'xp_cmdshell' option
- I1063: Microsoft SQL Server: How to turn auto-close off for the database
- I1064: Microsoft SQL Server: How to use Windows authentication mode for server authentication
- I1065: Microsoft SQL Server: How to revoke connect permission for guest user
- I1066: Microsoft SQL Server: How to remove orphaned users from the database
- I1068: Microsoft SQL Server: How to remove administrator privileges from the service accounts
- I1069: Microsoft SQL Server: How to remove extra permissions assigned to the 'public' role
- I1070: Microsoft SQL Server: How to remove builtin or local Windows group logins
- I1071: Microsoft SQL Server: How to remove access to SQL Agent proxies for the 'public' role
- I1072: Microsoft SQL Server: How to set up a secure password policy
- I1073: Microsoft SQL Server: How to maintain audit logs for all database activity
- I1074: Microsoft SQL Server: How to validate user input before transmitting it to the database server
- I1075: Microsoft SQL Server: How to prevent CLR assemblies for accessing external system resources
- I1076: Microsoft SQL Server: How to use a strong symmetric key encryption algorithm
- I1077: Microsoft SQL Server: How to use asymmetric encryption keys of at least 2048-bit long

4.21

New features and improvements:

Project Tasks Page Improvements
- Now the tasks page of a project only shows tabs for phases that have accepted tasks.
- Now each phase displays its total task count next to the phase name. This count of total tasks accounts for any filters that are set and automatically updates as new filters are set or unset.
API
- You can now update Answers in bulk via the Survey Draft endpoint.
- Task counts can be retrieved from the tasks API endpoint, which now has a facets inclusion field.
- We display tool tips with the full names for Business Units, Applications, and Projects when they are truncated in the application. This is done in navigational drop down menus, and the Business Unit, Application, and Project list pages.
Bug Fixes:
- Fixed task counts on the Project overview completion widget and Project API endpoint. These counts were returning incorrect results when the phase of a default Task was modified.
- Sped up the Training Report for Just in Time Training customers, which resolves an issue where its export would occasionally time out.
- Hid default match condition updates if the match condition was customized. This keeps customized match conditions identical during software updates.
- When adding an 'Existing task from Library' on a project tasks page, only tasks that are not already part of the project are shown in the drop down menu.
- Max character length for Global Role and Project Role is now 64.
- Fixed error message when VersionOne ALM synchronization encounters missing fields error.
- SAML authenticated users are now redirected to a logout splash page if no logout URL is specified in SAML configuration.
- Fixed the regulations filter on the project tasks page.

Content additions and updates (March 14, 2019)

Updated Tasks
- T205: Avoid inter-process race conditions (Revised text for errors).
- T327: Review security of Node.js modules before installation (Removed the React matching condition and added it to its amendment so that it is no longer assigned to all PHP projects).

Added Tasks
- T1365: Mitigate Server Side Request Forgery
- T1392: Test for Server Side Request Forgery

Updated Task Amendments
- TA9: Human user authentication (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA10: Authentication of software processes and devices (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA13: Hardware security for public key authentication (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA14: Verification of hardware protection for private keys (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA15: Authorization enforcement (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA19: Remote session termination (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA20: Limiting the number of concurrent sessions (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA22: Non-repudiation (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA24: Zone boundary protection (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA30: Generating timestamps for audit records (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA273: Strength of symmetric-key authentication (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA214: Releasing resources (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA215: Verification of proper release of resources (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA982: Monitor and log attempts to access a component's physical diagnostic and test interfaces actively (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA984: Provide notifications of tampering attempts (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA985: Protect product supplier keys that are used as roots of trust for product validation (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA986: Verify authenticity of the boot process (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).
- TA987: Report malicious code protection software version automatically (ANSI/ISA 62443) (Added matching condition for ANSI/ISA 62443 security levels).

Added Task Amendments
- TA992: Provision and protect product supplier/owner keys that are used as roots of trust for product validation (ANSI/ISA 62443) (This is required for compliance with ANSI/ISA 62443).

Added Problems
- P1169: Server Side Request Forgery (SSRF)

Updated HowTo's
- I439: Enabling HTTPS for Node.js/Express (Updated text: certificate key length has been changed to 2048b because 1024b is no longer considered secure).
Updated T186, w/ latest security patch level for third-party libraries
- Struts
- Spring framework
- Django
- Apache Tomcat
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Java
- Bouncy Castle
- Unix/Linux Bash
- AngularJS/Angular
- Node.js
- Docker

4.20

New features and improvements:

Sticky Additional Requirements
- Now you can place the Additional Requirements of a task that it belongs to above its solution in the library tasks page. This allows for greater visibility of additional requirements that could be obscured by long lists of requirements.
- You can also drag and drop the Additional Requirements of a task to reorder them. This order persists after saving.
UI and UX
- Added minor styling changes for training modules.
ALM Integration
- Added markdown for tables in tasks synchronized to Rally.
- Added support for ‘story’ issue type in Rational Team Concert connections.
Bug Fixes:
- Fixed anchor links and mail links on the project tasks page when opening new tabs.
- Fixed a bug where the rules widget on the Library task page fails to render due to a deactivated answer in the associated Problem.
- Fixed a Rally workspace issue where the Global connector was not able to be empty during a Test Connection.
- Fixed a Rally workspace issue to allow the Parent workspace to be pulled into the Child connection workspace when it is left empty.
- Fixed a bug where deactivated users in SD Elements with valid SAML credentials would end up in a redirect loop.

Content additions and updates (January 31, 2019)

Updated CWEs to 3.2
Compliance Regulations and Mappings
- ANSI/ISA-62443, Part 4-2 (Technical security requirements for IACS components) content, description and mappings were revised and updated based on the latest (Aug 2018) version of the standard.
- NIST 800-171: Added as a new regulation, and mapped its sections to relevant Tasks.
Updated Tasks
- T21: Ensure all data in transit is encrypted using a secure TLS channel (Changed text)
- T71: Capture sufficient information for each transaction in audit logs (Change of title)
- T370: Follow best practices for using third-party software libraries/modules and open source/COTS components (Changed text and title)
- T415: Develop features to allow verifying the authenticity of the product (Changed text)
- T420: Prevent Client-Side Template Injection (CSTI)
- T421: Verify if web page template is vulnerable to client side template injection (CSTI)
- T574: Prevent information exposure in HyperCat [Updated MCs.]
- T575: Verify that HyperCat catalogues are not revealing discovery information [Updated MCs.]
- T740: Provide personal data and its processing information to users in an appropriate format (Change of title and text)
- T751: Provide users with a personal data processing notification (Changed title and text)
- T752: Verify if personal data processing notification is provided to users (Changed title and text)
- T871: Log Apache errors and access (Apache HTTP Server) [Updated MCs.]
- T872: Verify Apache logging (Apache HTTP Server) [Updated MCs.]
- T877: Limit information exposed by Apache (Apache HTTP Server) [Updated MCs.]
- T878: Verify that information exposed by Apache is restricted (Apache HTTP Server) [Updated MCs.]
- T922: Enable 'Dynamic IP Address Restrictions' (Microsoft IIS) [Updated MCs.]
- T956: Test that 'Dynamic IP Address Restrictions' is enabled (Microsoft IIS) [Updated MCs.]
Added Tasks
- T1362: Perform message throttling in RESTful APIs
- T1363: Verify if message throttling is properly performed in RESTful APIs
- T1364: Verify that third party software libraries/modules and open source/COTS components are used securely
Updated Task Amendments
- TA9: Human user authentication, ANSI/ISA 62443 (Changed text)
- TA10: Authentication of software processes and devices, ANSI/ISA 62443 (Changed text)
- TA11: Password Strength, ANSI/ISA 62443 (Changed text)
- TA12: Password Strength Tests, ANSI/ISA 62443 (Changed text)
- TA13: Hardware security for public key authentication, ANSI/ISA 62443 (Changed text)
- TA14: Verification of hardware protection for private keys, ANSI/ISA 62443 (Changed text)
- TA15: Authorization enforcement, ANSI/ISA 62443 (Changed text)
- TA16: Access through untrusted networks, ANSI/ISA 62443 (Changed text)
- TA17: Portable and mobile devices, ANSI/ISA 62443 (Changed text)
- TA18: Mobile code control, ANSI/ISA 62443 (Changed text)
- TA19: Remote session termination, ANSI/ISA 62443 (Changed text)
- TA20: Limiting the number of concurrent sessions, ANSI/ISA 62443 (Changed text)
- TA21: Auditable events, ANSI/ISA 62443 (Changed text)
- TA22: Non-repudiation, ANSI/ISA 62443 (Changed text)
- TA23: Integrity verification and reporting, ANSI/ISA 62443 (Changed text)
- TA24: Zone boundary protection, ANSI/ISA 62443 (Changed text)
- TA25: Person-to-person communication, ANSI/ISA 62443 (Changed text)
- TA26: Control system backup, ANSI/ISA 62443 (Changed text)
- TA27: Verifying control system backup, recovery and reconstitution, ANSI/ISA 62443 (Changed text)
- TA28: Idle session timeout exception, ANSI/ISA 62443 (Changed text)
- TA29: Wireless use control, ANSI/ISA 62443 (Changed text)
- TA30: Generating timestamps for audit records, ANSI/ISA 62443 (Changed text)
- TA31: Network Segmentation, ANSI/ISA 62443 (Changed text)
- TA35: Access Control, ANSI/ISA 62443 (Changed text)
- TA38: Configurable and machine readable security settings, ANSI/ISA 62443 (Changed text)
- TA39: Protection of backups, ANSI/ISA 62443 (Changed text)
- TA40: Alternative routes to essential and critical functions of a control system, ANSI/ISA 62443 (Changed text)
- TA214: Releasing resources, ANSI/ISA 62443 (Changed text)
- TA215: Verification of proper release of resources, ANSI/ISA 62443 (Changed text)
- TA239: Protection of logs, ANSI/ISA 62443 (Changed text)
- TA240: Verification of log protection, ANSI/ISA 62443 (Changed text)
- TA265: Interactive login for critical services, ANSI/ISA 62443 (Changed text)
- TA266: Account and Identity Management, ANSI/ISA 62443 (Changed text)
- TA267: Testing predefined outputs, ANSI/ISA 62443 (Changed text)
- TA268: Predefined outputs, ANSI/ISA 62443 (Changed text)
- TA269: Partitioning the application or device, ANSI/ISA 62443 (Changed text)
- TA273: Strength of symmetric-key authentication, ANSI/ISA 62443 (Changed text)
- TA784: GDPR: Data portability (Now linked to T740, change of text)
Added Task Amendments
- TA940: AngularJS: Avoid mixing user data with AngularJS templates
- TA941: AngularJS: Verify that input used with trustAs functions of AngularJS's SCE are sanitized
- TA975: GDPR: Data processing notification
- TA982: Monitor and log attempts to access a component's physical diagnostic and test interfaces actively (ANSI/ISA 62443)
- TA983: Provide updates without impacting essential functions of components (ANSI/ISA 62443)
- TA984: Provide notifications of tampering attempts (ANSI/ISA 62443)
- TA985: Protect product supplier keys that are used as roots of trust for product validation (ANSI/ISA 62443)
- TA986: Verify authenticity of the boot process (ANSI/ISA 62443)
- TA987: Report malicious code protection software version automatically (ANSI/ISA 62443)
- TA988: Wireless access management (ANSI/ISA 62443)
- TA989: Detect vulnerable javascript libraries using a scanner
- TA990: Verify if vulnerable javascript dependencies are detected
Updated Problems
- P96: Information Exposure [Updated MCs.]
- P150: Running With Unnecessary Privileges [Updated MCs.]
- P161: Password Aging with Long Expiration [Updated MCs.]
- P182: Improper Access Control (Authorization) [Updated MCs.]
- P205: Single-factor Authentication [Updated MCs.]
- P218: Use of hard-coded or insecurely stored passwords and secret keys [Updated MCs.]
- P293: Uncontrolled Resource Consumption (Resource Exhaustion) [Updated MCs.]
- P408: Password Requirements Are Weak [Updated MCs.]
- P619: Insufficient Logging or Insufficient Protection of Logs [Updated MCs.]
- P700: HTTP Verb Tampering [Updated MCs.]
- P702: Session IDs Leaked Through URLs [Updated MCs.]
- P742: Unauthorized access to data through XML External Entity (XXE) references [Changed text]
- P772: Missing proof of authenticity [Changed text]
- P834: Lack of Certificate/Public Key Pinning [Updated rules.]
Added HowTo’s
- I1043: Python: Sanitizing HTML using the Bleach library
Updated T186, w/ latest security patch level for third-party libraries
- JQuery
- AngularJS/Angular
- Node.js
- Docker
- Apache Wicket
- Apache HTTP Server
- OpenSSL
- GnuTLS
- Apache Tomcat
- Struts
- Rails
- Spring Framework
- Django
Changes to Project Properties and Profiles
- Deactivated "A1069: Security Level 1 (SL1)".
- Deactivated "A1070: Security Level 2 (SL2)".
- Deactivated "A1071: Security Level 3 (SL3)".
- Deactivated "A1072: Security Level 4 (SL4)".
- A1075: This is an ICS or IACS (Changed title and description)
- A1084: Uses third-party software libraries, modules, and/or open source/COTS components (Changed title and description)
- Deactivated "A1207: DNS and CA servers are not trusted".
Updated following code scanner mappings
- Checkmarx

4.19

New features and improvements:

Analysis:
- Updated styling and UX for project analysis list pages.
- Updated styling for sync history pages for analysis.
- Renamed “analysis” and ”security tools” to “verification”, which is now reflected throughout the application.
- Verification scanner results can now be imported into a project via API.
ALM Integration:
- JIRA, Rally, and Rational Team Concert have been updated to allow more specific status mappings between the ALM and SD Elements:
  - ALM Syncs that support status mapping can now specify a mapping between any SD Elements status and ALM states, and vice-versa.
  - Existing syncs continue to work as before.
- Client-side certificates can now be added at the global connection level.
- Updated the JIRA password field label to “Password / API Token” to address the deprecation of passwords with JIRA Cloud.
CI Landing Page:
- Added a page highlighting CI/CD tools that we have plugins for in Settings > Integration > Build Pipelines.
- Added external links for installation instructions and documentation for CI/CD plugins.
- CI/CD plugins include Jenkins, XebiaLabs, and Azure Pipelines.
Bug Fixes:
- Fixed permission issues on the Project ALM connection page.
  - All users with permission to view the project have read-only access to the project’s ALM connection.
- Fixed an LDAP sync issue when performing a sync with over 500 mappings.
- Removed the 20480 character limit on the text field for Library Task, Problem, Additional Requirements, and How-To's.

Content additions and updates (November 23, 2018):

Added Problems
- P1136: Lack of managed identities for Azure resources (Microsoft Azure)
- P1137: Lack of authentication and authorization to Azure Functions (Microsoft Azure)
Updated Tasks
- T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated the text.]
- T28: Avoid 'Remember Me' features [Updated the text.]
- T253: Protect TLS/SSL communication [Moved to TA965.] [DEACTIVATED]
- T331: Enforce policies through content security policy (CSP) headers [Change of text]
- T332: Test that content security policy (CSP) headers are added [Change of text]
Added Tasks
- T1294: Use managed identities for Azure resources (Microsoft Azure)
- T1295: Verify that managed identities are used for Azure resources (Microsoft Azure)
- T1296: Implement authentication and authorization to HTTP trigger-based Azure Functions (Microsoft Azure)
- T1297: Test that access to HTTP trigger-based Azure Functions is authenticated and authorized (Microsoft Azure)
Deactivated Tasks
- T253: Protect TLS/SSL communication
Updated Task Amendments
- TA939: Considerations for Web Applications [Change of text and title]
Added Task Amendments
- TA964: Azure Function: Auditing and Logging
- TA965: Choice of cipher
Added HowTo's
- I1004: Enable encrypted connection to database engine
- I1040: JQuery
- I1005: C# with Entity
Changes to Project Properties and Profiles
- Moved "Q103: Database" from "Q253: Involved Components" to "Q304: Database Technologies".
- Moved "A1126: MongoDB" from "Q280: NoSQL Database" to "Q305: Database Management System (DBMS)".
- Deactivated "Q280: NoSQL Database".
- Moved "A765: SQLite local data storage" from "Q103: Database" to "Q305: Database Management System (DBMS)".
- Added "A1210: Azure Functions" under "Q306: Azure Services".
- Added "A1211: Entity" under "Q170: .NET Database Persistence Tools Used"
- Deactivated "Q187: Type of Client the Server Authenticates".
- Deactivated "A197: Authenticates users" under Q187.
- Deactivated "A198: Authenticates devices or nodes" under Q187.
- Added "A1212: Google Cloud" under "Q290: Cloud Providers".
- Added "Q309: Google Cloud Services" under "Q290: Cloud Providers".
- Added "A1213: Kubernetes Engine" under "Q309: Google Cloud Services".
Updated T186, w/ latest security patch level for third-party libraries
- Django
- Spring Framework
- Struts
- Apache Tomcat
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Bouncy Castle
- Node.js
- AngularJS/Angular
- Docker

We also added content for Google Cloud Platform based on CIS benchmarks:

Added Tasks
- T1298: Use corporate login credentials instead of Gmail accounts (Google Cloud)
- T1299: Verify that corporate login credentials are used instead of Gmail accounts (Google Cloud)
- T1300: Enable multi-factor authentication for all non-service accounts (Google Cloud)
- T1301: Verify that multi-factor authentication is enabled for all non-service accounts (Google Cloud)
- T1302: Use GCP-managed service account keys (Google Cloud)
- T1303: Verify that there are only GCP-managed service account keys for each service account (Google Cloud)
- T1304: Properly scope service accounts (Google Cloud)
- T1305: Verify that service accounts are scoped properly (Google Cloud)
- T1306: Rotate keys regularly (Google Cloud)
- T1307: Verify that keys are set to be rotated regularly (Google Cloud)
- T1308: Restrict usage of API keys (Google Cloud)
- T1309: Verify that usage of API keys is restricted (Google Cloud)
- T1310: Include sufficient information in the log files (Google Cloud)
- T1311: Verify that sufficient information is included in log files (Google Cloud)
- T1312: Version and backup logs (Google Cloud)
- T1313: Verify that logs are versioned and backed up (Google Cloud)
- T1314: Create log metric filters and alerts (Google Cloud)
- T1315: Verify that log metric filters and alerts are created (Google Cloud)
- T1316: Do not use default and legacy networks (Google Cloud)
- T1317: Verify that default and legacy networks are not used (Google Cloud)
- T1318: Enable and configure DNSSEC (Google Cloud)
- T1319: Verify that DNSSEC is enabled and configured (Google Cloud)
- T1320: Configure SSH Keys and Certificates (Google Cloud)
- T1321: Verify SSH Keys are configured properly (Google Cloud)
- T1322: Disable connection to serial ports for VM Instance (Google Cloud)
- T1323: Verify that 'Enable connecting to serial ports' is not enabled for VM Instance (Google Cloud)
- T1324: Disable IP forwarding on Instances (Google Cloud)
- T1325: Verify that that IP forwarding is not enabled on Instances (Google Cloud)
- T1326: Disable public or anonymous access to storage and database (Google Cloud)
- T1327: Verify that public or anonymous access to storage and database is disabled (Google Cloud)
- T1328: Configure cloud SQL database instance to require all incoming connections to use TLS (Google Cloud)
- T1329: Verify that cloud SQL database instance requires all incoming connections to use TLS (Google Cloud)
- T1330: Do not allow anyone to connect to database using root or admin privileges (Google Cloud)
- T1331: Verify that no one is allowed to connect to database using root or admin privileges (Google Cloud)
- T1332: Ensure Stackdriver Monitoring is set to enabled on Kubernetes Engine Clusters (Google Cloud)
- T1333: Verify that Stackdriver Monitoring is set to enabled on Kubernetes Engine Clusters (Google Cloud)
- T1334: Ensure legacy authorization is set to disabled on Kubernetes Engine Clusters (Google Cloud)
- T1335: Verify that legacy authorization is set to disabled on Kubernetes Engine Clusters (Google Cloud)
- T1336: Configure network settings securely for Kubernetes (Google Cloud)
- T1337: Verify that network settings are configured securely for Kubernetes (Google Cloud)
- T1338: Ensure Kubernetes clusters are configured with Labels (Google Cloud)
- T1339: Verify that Kubernetes clusters are configured with Labels (Google Cloud)
- T1340: Ensure Kubernetes web UI / Dashboard is disabled (Google Cloud)
- T1341: Verify that Ensure Kubernetes web UI / Dashboard is disabled (Google Cloud)
- T1342: Enable automatic node repair and upgrades for Kubernetes clusters (Google Cloud)
- T1343: Verify that automatic node repair and upgrades is enabled for Kubernetes clusters (Google Cloud)
- T1344: Configure authentication securely for Kubernetes cluster (Google Cloud)
- T1345: Verify if authentication is securely configured for Kubernetes cluster (Google Cloud)
- T1346: Ensure Kubernetes clusters are created with Alias IP ranges enabled (Google Cloud)
- T1347: Verify if Kubernetes clusters are created with Alias IP ranges enabled (Google Cloud)
- T1348: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Google Cloud)
- T1349: Verify that PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Google Cloud)
- T1350: Enforce the separation of duties among users (Google Cloud)
- T1351: Verify if separation of duties is enforced among users (Google Cloud)
- T1352: Restrict remote access (Google Cloud)
- T1353: Verify if remote access is restricted (Google Cloud)
- T1354: Enable Private Google Access for all subnetwork in VPC Network (Google Cloud)
- T1355: Verify if Private Google Access is enabled for all subnetwork in VPC Network (Google Cloud)
- T1356: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud)
- T1357: Verify if VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud)
- T1358: Use Container-Optimized OS (cos) for Kubernetes Engine Clusters Node image (Google Cloud)
- T1359: Verify if Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image (Google Cloud)
Added Task Amendments
- TA967: Google Cloud: Restrict usage of API keys - More in-depth controls
- TA968: Google Cloud: Verify that usage of API keys is restricted - More in-depth controls
- TA969: Google Cloud: Don't use the default service account for project access in Kubernetes clusters - More in-depth controls
- TA970: Google Cloud: Verify that the default service account is not used for project access in Kubernetes clusters.- More in-depth controls
- TA971: Google Cloud: Create Kubernetes clusters with limited service account access scopes for project access
- TA972: Google Cloud: Verify the access scopes of Kubernetes clusters
- TA973: Google Cloud: Enable Stackdriver Logging on Kubernetes Engine clusters
- TA974: Google Cloud: Verify that Stackdriver Logging on Kubernetes Engine clusters is enabled
Added Problems
- P1138: Mixing corporate and personal login credentials (Google Cloud)
- P1139: Weak Authentication (Google Cloud)
- P1140: Using user-managed service account keys (Google Cloud)
- P1141: Improper scoping of service accounts (Google Cloud)
- P1142: Lack of key rotation (Google Cloud)
- P1143: Using API keys (Google Cloud)
- P1144: Insufficient information is included in the log files (Google Cloud)
- P1145: Insufficient versioning and logs backup (Google Cloud)
- P1146: Lack of log metric filters and alerts (Google Cloud)
- P1147: Using default and legacy networks (Google Cloud)
- P1148: Problem for Enable and configure DNSSEC (Google Cloud)
- P1149: Improper Configuration of SSH Keys (Google Cloud)
- P1150: Problem for Ensure 'Enable connecting to serial ports' is not enabled for VM Instance (Google Cloud)
- P1151: Problem for Ensure that IP forwarding is not enabled on Instances (Google Cloud)
- P1152: Problem for Disable public or anonymous access to storage and database (Google Cloud)
- P1153: Unprotected connection to cloud SQL database instance (Google Cloud)
- P1154: Not restricting root or admin access to the database instance (Google Cloud)
- P1155: Disabled Stackdriver Monitoring on Kubernetes Engine Clusters (Google Cloud)
- P1156: Enabled Legacy Authorization on Kubernetes Engine Clusters (Google Cloud)
- P1157: Unsecure network settings for Kubernetes (Google Cloud)
- P1158: Kubernetes clusters are configured without Labels (Google Cloud)
- P1159: Enabled Kubernetes web UI / Dashboard (Google Cloud)
- P1160: Disabled automatic node repair and upgrades for Kubernetes clusters (Google Cloud)
- P1161: Authentication misconfiguration for Kubernetes cluster (Google Cloud)
- P1162: Kubernetes cluster is created without Alias IP ranges enabled (Google Cloud)
- P1163: PodSecurityPolicy controller is disabled on the Kubernetes Engine Clusters (Google Cloud)
- P1164: Inadequate separation of duties among users (Google Cloud)
- P1165: Unrestricted remote access (Google Cloud)
- P1166: Private Google Access is disabled for all subnetworks in VPC Network (Google Cloud)
- P1167: VM disks for critical VMs are not encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud)
- P1168: Container-Optimized OS (cos) is not used for Kubernetes Engine Clusters Node image (Google Cloud)
Added HowTo's
- I1008: Google Cloud: How to delete user-managed service account keys
- I1010: Google Cloud: How to rotate keys
- I1011: Google Cloud: How to restrict API keys
- I1012: Google Cloud: How to include sufficient information in the log files
- I1013: Google Cloud: Version and backup logs
- I1014: Google Cloud: How to create log metric filters and alerts
- I1015: Google Cloud: Use non-default and non-legacy networks
- I1016: Google Cloud: Enable and configure DNSSEC
- I1017: Google Cloud: Configure SSH Keys
- I1018: Google Cloud: Disable connecting to serial ports for VM Instance
- I1019: Google Cloud: Disable IP forwarding on Instances
- I1020: Google Cloud: Disable public or anonymous access to storage and database
- I1021: Google Cloud: Configure Cloud SQL database instance to require all incoming connections to use TLS
- I1022: Google Cloud: How to disallow anyone to connect to database using root or admin privileges
- I1023: Google Cloud: How to ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
- I1024: Google Cloud: How to ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
- I1025: Google Cloud: How to configure network settings securely for Kubernetes
- I1026: Google Cloud: How to ensure Kubernetes clusters are configured with Labels
- I1027: Google Cloud: How to ensure Kubernetes web UI / Dashboard is disabled
- I1028: Google Cloud: How to enable automatic node repair and upgrades for Kubernetes clusters
- I1029: Google Cloud: How to configure authentication securely for Kubernetes cluster
- I1030: Google Cloud: How to create Kubernetes cluster with Alias IP ranges enabled
- I1031: Google Cloud: How to ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
- I1032: Google Cloud: How to enforce separation of duties among users
- I1033: Google Cloud: How to delete API keys - More in-depth controls
- I1034: Google Cloud: How to restrict remote access
- I1035: Google Cloud: How to enable Private Google Access for all subnetwork in VPC Network
- I1036: Google Cloud: How to ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- I1037: Google Cloud: How to use Container-Optimized OS (cos) for Kubernetes Engine Clusters Node image
- I1038: Google Cloud: How to ensure that the default service account is not used for project access in Kubernetes clusters - More in-depth controls
- I1039: Google Cloud: How to limit the access scope of Kubernetes clusters
- I1041: Google Cloud: How to scope service accounts properly
- I1042: Google Cloud: How to enable Stackdriver Logging on Kubernetes Engine clusters

4.18

New features and improvements:

Risk Policy
- You can now choose the regulations that tasks of a risk policy must belong to in order to be compliant.
- Each task status can now have a Minimum Verification Status that is used to set the minimum verification a task requires to be considered compliant.
ALM Syncing
- Microsoft Team Foundation Server (TFS)
  - Now supports Last Status Change in Synchronization.
Activities
- Added activities for when changes to the project survey add or remove tasks from a project. These activities are accessible through the API, but not displayed within the web application.
Report Name Changes
- Changed “Application Usage License” to "License Usage Report".
- Changed "Business Unit Usage" to "Business Unit Summary".
Bug Fixes:
- Analysis Connectors
  - Fixed an error that prevented the Global Analysis Connection Form from submitting. This fix does not affect encrypted fields.
- Fixed an unexpected server error when authenticating as an LDAP user without an email address.
Deprecations:
- Jira 4 is no longer supported.

Content additions and updates (October 12, 2018):

Updated Tasks
- T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript [Updated the text.]
Updated HowTo's
- I713: Go: CSP and XSS Protection Headers [Changed the old title "Go: XSS Protection" and the text.]
Changes to Project Properties and Profiles
- Added "A1209: Kubernetes" under "Q308: Containerization Technologies".
Updated following code scanner mappings
- Checkmarx
- Fortify
- WebInspect
Updated T186, w/ latest security patch level for third-party libraries
- Django
- Spring
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Apache MyFaces
- Java
- Node.js
- AngularJS/Angular
- Docker

We also added content for Kubernetes based on CIS benchmarks:

Added Tasks
- T1240: Do not allow privileged containers (Kubernetes)
- T1241: Verify that privileged containers are not allowed (Kubernetes)
- T1242: Configure authentication securely (Kubernetes)
- T1243: Verify that authentication is securely configured (Kubernetes)
- T1244: Do not set insecure bind address and port (Kubernetes)
- T1245: Verify that insecure bind address and port are not set (Kubernetes)
- T1246: Disable profiling (Kubernetes)
- T1247: Verify that profiling is disabled (Kubernetes)
- T1248: Disable fixing of malformed updates (Kubernetes)
- T1249: Verify that fixing malformed update is disabled (Kubernetes)
- T1250: Configure admission control policy securely (Kubernetes)
- T1251: Verify that admission control policy is configured securely (Kubernetes)
- T1252: Configure logs securely (Kubernetes)
- T1253: Verify that logs are configured securely (Kubernetes)
- T1254: Do not always authorize all requests (Kubernetes)
- T1255: Verify that all requests are always authorized (Kubernetes)
- T1256: Configure HTTPS securely (Kubernetes)
- T1257: Verify that HTTPS is configured securely (Kubernetes)
- T1258: Configure service account securely (Kubernetes)
- T1259: Verify that service account is securely configured (Kubernetes)
- T1260: Configure etcd keys and certificates securely (Kubernetes)
- T1261: Verify that etcd keys and certificates are configured correctly (Kubernetes)
- T1262: Set --terminated-pod-gc-threshold argument as appropriate (Kubernetes)
- T1263: Verify that the --terminated-pod-gc-threshold argument is set as appropriate (Kubernetes)
- T1264: Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Kubernetes)
- T1265: Verify that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Kubernetes)
- T1266: Set permissions for sensitive files properly (Kubernetes)
- T1267: Verify that permissions for sensitive files are properly set (Kubernetes)
- T1268: Use cluster-admin role only where required (Kubernetes)
- T1269: Verify that the cluster-admin role is only used where required (Kubernetes)
- T1270: Create Pod Security Policies for your cluster (Kubernetes)
- T1271: Verify the Pod Security Policies for your cluster (Kubernetes)
- T1272: Create administrative boundaries between resources using namespaces (Kubernetes)
- T1273: Verify the namespaces (Kubernetes)
- T1274: Ensure that the --read-only-port argument is set to 0 (Kubernetes)
- T1275: Verify if the --read-only-port argument is set to 0 (Kubernetes)
- T1276: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubernetes)
- T1277: Verify if the --streaming-connection-idle-timeout argument is not set to 0 (Kubernetes)
- T1278: Ensure that the --protect-kernel-defaults argument is set to true (Kubernetes)
- T1279: Verify if the --protect-kernel-defaults argument is set to true (Kubernetes)
- T1280: Configure network securely (Kubernetes)
- T1281: Verify if the network is configured securely (Kubernetes)
- T1282: Set the --keep-terminated-pod-volumes argument to false (Kubernetes)
- T1283: Verify if the --keep-terminated-pod-volumes argument is set to false (Kubernetes)
- T1284: Ensure that the --cadvisor-port argument is set to 0 (Kubernetes)
- T1285: Verify if the --cadvisor-port argument is set to 0 (Kubernetes)
- T1286: Avoid using Kubernetes Secrets (Kubernetes)
- T1287: Verify that Kubernetes Secrets are not used (Kubernetes)
- T1288: Ensure that the seccomp profile is set to docker/default in your pod definitions (Kubernetes)
- T1289: Verify that the seccomp profile is set to docker/default in your pod definitions (Kubernetes)
- T1290: Apply security context to your pods and containers (Kubernetes)
- T1291: Verify that security context is defined to your pods and containers (Kubernetes)
- T1292: Configure Image Provenance (Kubernetes)
- T1293: Verify that Image Provenance is configured properly (Kubernetes)
Added Task Amendments
- TA960: Kubernetes: Configure HTTPS securely - More in-depth controls
- TA961: Kubernetes: Verify that Configure HTTPS securely - More in-depth controls
- TA962: Kubernetes: Configure network securely - More in-depth controls
- TA963: Kubernetes: Verify that Configure network securely - More in-depth controls
Added Problems
- P1109: Running privileged containers (Kubernetes)
- P1110: Improper authentication configuration (Kubernetes)
- P1111: Insecure bind address and port (Kubernetes)
- P1112: Enabled profiling (Kubernetes)
- P1113: Malformed requests (Kubernetes)
- P1114: Improper admission control policy (Kubernetes)
- P1115: Improper logs configuration (Kubernetes)
- P1116: Always authorizing all requests (Kubernetes)
- P1117: Unsecure HTTPS configuration (Kubernetes)
- P1118: Unsecure service account configuration (Kubernetes)
- P1119: Unsecure configuration of etcd keys and certificates (Kubernetes)
- P1120: Incorrect --terminated-pod-gc-threshold argument (Kubernetes)
- P1121: Active --insecure-experimental-approve-all-kubelet-csrs-for-group argument (Kubernetes)
- P1122: Incorrect permissions for sensitive files (Kubernetes)
- P1123: Unnecessary usage of cluster-admin role (Kubernetes)
- P1124: Lack of Pod Security Policies (Kubernetes)
- P1125: No scope for user permissions (Kubernetes)
- P1126: The --read-only-port argument is not set to 0 (Kubernetes)
- P1127: The --streaming-connection-idle-timeout argument is set to 0 (Kubernetes)
- P1128: The --protect-kernel-defaults argument is not set to true (Kubernetes)
- P1129: Misconfiguring network (Kubernetes)
- P1130: The --keep-terminated-pod-volumes argument is set to true (Kubernetes)
- P1131: The --cadvisor-port argument is not set to 0 (Kubernetes)
- P1132: Using Kubernetes Secrets (Kubernetes)
- P1133: Disabled seccomp profile (Kubernetes)
- P1134: Pods and Containers without security context (Kubernetes)
- P1135: Not using Image Provenance rules (Kubernetes)
Added HowTo's
- I973: Kubernetes: How to disallow privileged containers
- I974: Kubernetes: How to configure authentication securely
- I975: Kubernetes: How to securely set bind address and port
- I976: Kubernetes: How to disable profiling
- I977: Kubernetes: How to set the --repair-malformed-updates argument to false
- I978: Kubernetes: How to configure admission control policy securely
- I979: Kubernetes: How to configure logs securely
- I980: Kubernetes: How to restrict authorizing all requests
- I981: Kubernetes: How to configure HTTPS securely
- I982: Kubernetes: How to configure service account securely
- I983: Kubernetes: How to configure etcd keys and certificates
- I984: Kubernetes: How to set the --terminated-pod-gc-threshold argument
- I985: Kubernetes: How to remove the --insecure-experimental-approve-all-kubelet-csrs-for-group argument
- I986: Kubernetes: How to set permissions for sensitive files
- I987: Kubernetes: How to remove a clusterrolebinding
- I990: Kubernetes: How to set the --read-only-port argument to 0
- I991: Kubernetes: How to set --streaming-connection-idle-timeout argument
- I992: Kubernetes: How to set the --protect-kernel-defaults argument to true
- I993: Kubernetes: How to configure network securely
- I994: Kubernetes: How to set the --keep-terminated-pod-volumes argument to false
- I995: Kubernetes: How to set the --cadvisor-port argument to 0
- I997: Kubernetes: How to configure network securely - more in-depth controls
- I999: Kubernetes: How to ensure that the seccomp profile is set to docker/default in your pod definitions
- I1000: Kubernetes: How to apply security context to your pods and containers
- I1001: Kubernetes: How to configure Image Provenance

4.17

New features and improvements:

HP ALM Integration:
- Added support for Task References.
- Added support for the LookupList field type.
CA Agile Integration:
- Added support for API Token authentication.
SAML SSO:
- Added toggle for signing logout requests from SD Elements.
- Added toggle for requiring signed responses from identity provider.
  - This is the new default value when setting up SAML for single sign on.
System Jobs:
- Added a jobs page in the System menu for viewing all current and past celery jobs.
API Improvements:
- Plaintext Credentials for ALM/LDAP/Analysis are no longer returned in the API to administrators unless the system connector is marked “is not accessible from the SD Elements server”. (As before, users without permissions to view connections never see credentials.)
Bug fixes:
- Fixed an issue with syncing Testing tasks to HP ALM.
- Fixed styling issues with rendered task content on the task detail screen in a project.
- Fixed an issue rendering PDF Compliance reports when a project task contained too many long notes.
- Risk Compliance is now recalculated for all affected projects when a custom phase is deleted.
- Sync jobs that fail in an unrecoverable way are now cleaned up so they no longer prevent further syncing.
- Addressed a regression that affected the installation of custom SSL/TLS certificates.
- Fixed an issue that prevented access to shimmed pages when a custom content security policy is set.
- Fixed an issue causing group membership details to be incorrectly cached.

Content additions and updates (August 30, 2018):

Updated Tasks
- T257: Secure cross origin resource sharing (CORS) (Change of text)
Added Tasks
- T1150: Configure container networks properly (Docker)
- T1151: Verify that container networks are configured properly (Docker)
- T1152: Configure the logging level (Docker)
- T1153: Verify that the logging level is configured properly (Docker)
- T1154: Secure Docker registries (Docker)
- T1155: Verify that Docker registries are secure (Docker)
- T1156: Do not use the aufs storage driver (Docker)
- T1157: Verify that the aufs storage driver is not used (Docker)
- T1158: Configure TLS authentication for the Docker daemon (Docker)
- T1159: Verify that TLS authentication is configured for the Docker daemon (Docker)
- T1160: Set ulimit appropriately (Docker)
- T1161: Verify that ulimit is set appropriately (Docker)
- T1162: Enable live restore (Docker)
- T1163: Verify that live restore is enabled (Docker)
- T1164: Secure swarm mode (Docker)
- T1165: Verify that swarm mode is secured (Docker)
- T1166: Encrypt data exchanged between containers on different nodes on the overlay network (Docker)
- T1167: Verify that data exchanged between containers on different nodes on the overlay network is encrypted (Docker)
- T1168: Avoid experimental features in production (Docker)
- T1169: Test that experimental features in production are avoided (Docker)
- T1170: Enable swarm auto-lock mode and rotate auto-lock key periodically (Docker)
- T1171: Test that swarm auto-lock mode is secured (Docker)
- T1172: Secure daemon configuration files (Docker)
- T1173: Verify that daemon configuration files are secured (Docker)
- T1174: Create non-root users for containers (Docker)
- T1175: Verify that containers are not run as root (Docker)
- T1176: Use trusted base images and include the latest security patches (Docker)
- T1177: Verify that secure and updated images are used (Docker)
- T1178: Do not install unnecessary packages in the container (Docker)
- T1179: Verify that unnecessary packages are not installed in the container (Docker)
- T1180: Check container health (Docker)
- T1181: Verify that container health is checked (Docker)
- T1182: Avoid image caching problems (Docker)
- T1183: Verify that image caching problems are avoided (Docker)
- T1184: Use COPY instead of ADD in Dockerfile (Docker)
- T1185: Verify that COPY is used instead of ADD in Dockerfile (Docker)
- T1186: Do not store secrets in Dockerfiles (Docker)
- T1187: Test if secrets are stored in Dockerfiles (Docker)
- T1188: Configure Linux Security Modules (Docker)
- T1189: Test if Linux Security Modules are securely configured (Docker)
- T1190: Restrict Linux Kernel Capabilities within containers (Docker)
- T1191: Test if Linux Kernel Capabilities are restricted within containers (Docker)
- T1192: Do not expose unnecessary host resources (Docker)
- T1193: Test if unnecessary host resources are exposed (Docker)
- T1194: Do not run SSH within containers (Docker)
- T1195: Test if SSH is running within containers (Docker)
- T1196: Open only needed ports on the containers (Docker)
- T1197: Test if only needed ports are open on the containers (Docker)
- T1198: Do not share the host's network namespace (Docker)
- T1199: Test that the host's network namespace is not shared (Docker)
- T1200: Limit resources used by containers (Docker)
- T1201: Test that resources used by containers are limited (Docker)
- T1202: Set container CPU priority appropriately (Docker)
- T1203: Test if container CPU priority is appropriately set (Docker)
- T1204: Mount container's root file system as read-only (Docker)
- T1205: Test if the container's root file system is mounted as read-only (Docker)
- T1206: Set the 'on-failure' container restart policy to 5 (Docker)
- T1207: Test that the 'on-failure' container restart policy is set to 5 (Docker)
- T1208: Do not set mount propagation mode to 'shared' (Docker)
- T1209: Verify that mount propagation mode is not set to 'shared' (Docker)
- T1210: Configure seccomp profile (Docker)
- T1211: Verify that seccomp profile is enabled (Docker)
- T1212: Confirm cgroup usage (Docker)
- T1213: Verify that cgroup usage is confirmed (Docker)
- T1214: Restrict containers from acquiring additional privileges (Docker)
- T1215: Verify that containers are restricted from acquiring additional privileges (Docker)
- T1216: Perform regular security audits of your host system and containers (Docker)
- T1217: Verify that security audits of your host system and containers are performed regularly (Docker)
- T1218: Monitor the usage, performance, and metering of Docker containers (Docker)
- T1219: Verify that the usage, performance, and metering of Docker containers are monitored (Docker)
- T1220: Back up container data (Docker)
- T1221: Verify that container data is backed up (Docker)
- T1222: Do not change base device size until needed (Docker)
- T1223: Verify that base device size is not changed (Docker)
- T1224: Use authorization plugin (Docker)
- T1225: Verify that authorization plugin is being used (Docker)
- T1226: Use Docker's secret management commands for managing secrets in a Swarm cluster (Docker)
- T1227: Verify that Docker's secret management commands are used (Docker)
- T1228: Remove setuid and setgid permissions in images (Docker)
- T1229: Test that images do not have setuid and setgid permissions (Docker)
- T1230: Do not use "docker exec" commands with "privileged" or "user" options (Docker)
- T1231: Test that "docker exec" commands are not used with privileged or user options (Docker)
- T1232: Create a separate partition for containers (Docker)
- T1233: Test that containers are on a separate partition (Docker)
- T1234: Only allow trusted users to control the Docker daemon (Docker)
- T1235: Test that only trusted users can control the Docker daemon (Docker)
- T1236: Audit the Docker daemon and its files (Docker)
- T1237: Test that the Docker daemon and its files are audited (Docker)
- T1238: Avoid image and container sprawl (Docker)
- T1239: Test that image and container sprawl are avoided (Docker)
Added Task Amendments
- TA948: More in-depth controls
- TA949: Test in-depth controls
- TA950: Docker: Configure logging level - More in-depth controls
- TA951: Docker: Verify that logging level is configured properly - More in-depth controls
- TA952: More in-depth controls
- TA953: Test in-depth controls
- TA954: Docker: Secure Docker registries - More in-depth controls
- TA955: Docker: Verify that Docker registries are secure - More in-depth controls
- TA956: More in-depth controls
- TA957: Test in-depth controls
- TA958: Docker: Configure container networks properly - More in-depth controls
- TA959: Docker: Verify that container networks are configured properly - More in-depth controls
Updated Problems
- P715: Client applications require excessive permissions (Change of text)
Added Problems
- P1064: Improper container network configuration (Docker)
- P1065: Inappropriate logging level (Docker)
- P1066: Insecure Docker registries (Docker)
- P1067: Using the aufs storage driver (Docker)
- P1068: Lack of proper TLS authentication for the Docker daemon (Docker)
- P1069: Improper ulimit configuration (Docker)
- P1070: Disabled live restore (Docker)
- P1071: Insecure swarm mode (Docker)
- P1072: Exchanging cleartext data between containers on different nodes on the overlay network (Docker)
- P1073: Experimental features in production (Docker)
- P1074: Unlocked swarm (Docker)
- P1075: Unprotected daemon configuration files (Docker)
- P1076: Running containers as root (Docker)
- P1077: Using unsafe container images (Docker)
- P1078: Installing unnecessary packages in the container (Docker)
- P1079: Lack of container health check (Docker)
- P1080: Missing updates because of caching (Docker)
- P1081: Using ADD in Dockerfile (Docker)
- P1082: Storing secrets in Dockerfiles (Docker)
- P1083: Misconfiguring Linux Security Modules (Docker)
- P1084: Linux kernel capabilities are not restricted within containers (Docker)
- P1085: Exposing unnecessary host resources (Docker)
- P1086: Running SSH within containers (Docker)
- P1087: Unneeded open ports on the containers (Docker)
- P1088: Sharing the host's network namespace (Docker)
- P1089: Unlimited resources used by containers (Docker)
- P1090: Container CPU priority is not set appropriately (Docker)
- P1091: Container's root file system is not mounted as read-only (Docker)
- P1092: The 'on-failure' container restart policy is not set to 5 (Docker)
- P1093: Mount propagation mode is set to 'shared' (Docker)
- P1094: Large number of system calls (Docker)
- P1095: Unmonitored cgroup usage (Docker)
- P1096: Allowing containers to acquire additional privileges (Docker)
- P1097: Failing to perform security audits of your host system and containers (Docker)
- P1098: Unmonitored Docker containers usage, performance, and metering (Docker)
- P1099: Failing to back up container data (Docker)
- P1100: Changing base device size when it's not needed (Docker)
- P1101: Failing to use the authorization plugin (Docker)
- P1102: Failing to manage secrets in Docker Swarm (Docker)
- P1103: Privilege escalation through "setuid" and "setgid" permissions in images (Docker)
- P1104: Using "docker exec" commands with "privileged" or "user" options (Docker)
- P1105: Not having a separate partition for the container (Docker)
- P1106: Privilege escalation through allowing untrusted users to control the Docker daemon (Docker)
- P1107: Lack of auditing for the Docker daemon and its files (Docker)
- P1108: Possibility of image and container sprawl (Docker)
Added HowTo's
- I920: Docker: How to configure container networks
- I921: Docker: How to configure the logging level
- I922: Docker: How to secure Docker registries
- I923: Docker: How to start Docker daemon without the aufs storage driver
- I924: Docker: How to configure TLS authentication for the Docker daemon
- I925: Docker: How to set ulimit properly
- I926: Docker: How to enable live restore
- I927: Docker: How to secure swarm mode
- I928: Docker: How to encrypt data exchanged between containers on different nodes on the overlay network
- I929: Docker: How to avoid experimental features in production
- I930: Docker: How to enable swarm auto-lock mode and rotate auto-lock key
- I931: Docker: How to secure daemon configuration files
- I932: Docker: How to create a non-root user for containers
- I933: Docker: How to rebuild images with security patches
- I935: Docker: How to check container health
- I936: Docker: How to avoid image caching problems
- I939: Docker: How to configure Linux Security Modules
- I940: Docker: How to restrict Linux Kernel Capabilities within containers
- I941: Docker: How to avoid exposing unnecessary host resources
- I942: Docker: How to uninstall SSH from containers
- I943: Docker: How to expose only needed ports on the containers
- I944: Docker: How to avoid sharing the host's network namespace
- I945: Docker: How to limit resources used by containers
- I946: Docker: How to set container CPU priority appropriately
- I947: Docker: How to mount a container's root file system as read-only
- I948: Docker: How to set the 'on-failure' container restart policy to 5
- I949: Docker: How to avoid setting mount propagation mode to 'shared'
- I950: Docker: How to enable seccomp profile
- I951: Docker: How to check cgroup parent usage
- I952: Docker: How to restrict containers from acquiring additional privileges
- I954: Docker: How to monitor Docker container usage, performance, and metering
- I955: Docker: How to back up container data
- I957: Docker: How to configure in-depth controls
- I958: Docker: How to avoid changing the base device size until needed
- I959: Docker: How to use authorization plugin
- I960: Docker: How to configure logging level - More in-depth controls
- I961: Docker: How to configure in-depth controls
- I963: Docker: How to secure Docker registries - More in-depth controls
- I964: Docker: How to remove setuid and setgid permissions in images
- I965: Docker: How to configure in-depth controls
- I966: Docker: How to avoid using "docker exec" commands with "privileged" or "user" options
- I967: Docker: How to configure container networks - More in-depth controls
- I968: Docker: How to create a separate partition for the container
- I969: Docker: How to allow only trusted users to control the Docker daemon
- I970: Docker: How to audit the Docker daemon and its files
- I971: Docker: How to avoid image and container sprawl
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- OpenSSL
- Apache Wicket
- Java EE
- Bouncy Castle
- Node.js
- AngularJS/Angular
- Docker
Changes to Project Properties and Profiles
- Added "Q307: Containerization" under "Deployment" Section.
- Added "Q308: Containerization Technologies" under "Q307: Containerization".
- Added "A1208: Docker" under "Q308: Containerization Technologies".

4.16

New features and improvements:

ALM Integration improvements:
- VersionOne:
  - Added the ability to sync to a nested VersionOne project using the project URL - See Documentation.
  - Small improvement to Rally integration performance.
- Added a retry mechanism to all ALM integration requests to reduce intermittent failures from remote timeouts or transient server errors.
- Updated global connector setup to support syncing risk-relevant tasks only.
  - This is now the default option for new configurations.
  - Existing ALM connections are unaffected by the change.
In-app UI Strings Customization for superusers (BETA):
- Customizing most UI Strings no longer requires SSH access or server restarts.
Performance improvements:
- The library tasks page loads 20% faster.
- ALM, Analysis, and LDAP Jobs API endpoints are 30-50% faster.
- Corresponding front end pages for Jobs API endpoints are also faster.
Updated SD Elements branding
- New login, header, and report images have been applied to the application. (If you have uploaded your own images, they will continue to be used.)
Bug Fixes:
- Fixed a bug that resulted in twice the number of findings being reported when an AppScan report is imported to a project.
- Fixed a bug affecting earlier versions of JIRA that caused incorrect author and time stamp to display in sync notes when the Last Status Change option is selected.

Content additions and updates:

Updated Tasks
- T270: Follow best practices for storing application data on Android devices(Problem change to P209)
- T295: Avoid storing unencrypted confidential data without access control mechanisms (Problem change to P209, Change of title, MCs and text)
- T296: Test that unencrypted confidential data is not stored without access control mechanisms (Problem change to P209, Change of title, MCs and text)
- T1144: Prevent Server-Side Template Injection (SSTI) (updated text)
- T1145: Verify if web page template is vulnerable to SSTI (updated text)
Added Tasks
- T1146: Enable DEP and ASLR on your server
- T1147: Verify that DEP and ASLR are enabled on your server
- T1148: Validate JSON files
- T1149: Test if JSON files are validated against malicious inputs
Added Task Amendments
- TA703: MQTT - Storing client secrets (Moved from T295 to T248.)
- TA817: iOS - File Provider (Added recommendations for selecting a proper protection type.)
- TA938: Test that SRI is used
- TA939: Use Subresource Integrity (SRI)
- TA942: iOS: Device Tracking
- TA943: iOS: Purpose String
- TA944: iOS: Privacy Notice
- TA945: iOS: App Transport Security (ATS)
Updated Problems
- P21: Buffer Copy without Checking the Bounds (Updated the text.)
- P209: Cleartext Storage of Sensitive Information without Access Control Mechanisms (Change of title and text, Change of CWEs)
- P384: Download of code/updates without checking its origin and/or integrity (Updated the text.)
- P673: Improper Neutralization of SSI on a Web Page (updated text)
- [Deleted] P735: Lack of Access Control in Mechanisms Used for Storage of Sensitive Data (Deactivated the problem and moved the tasks and CWEs to P209)
Added Problems
- P1063: Missing or insufficient JSON validation
Updated HowTo’s
- I429: Using iOS Keychain services for secure data storage (Objective-C) (Moved from T295 to T248.)
- I535: Using iOS Keychain services for secure data storage (Swift) (Moved from T295 to T248.)
Added HowTo’s
- I912: How to enable DEP on Windows
- I913: How to use Subresource Integrity (SRI)
- I914: Signing JAR files in Java
- I915: Implementing cipher streams in Java
- I917: How to verify DEP and ASLR status on Windows
- I918: How to verify DEP and ASLR status on Ubuntu
- I919: iOS: Certificate transparency
- I972: Docker
Updated T186, w/ latest security patch level for third party libraries
- AngularJS/Angular
- Node.js
- Unix/Linux Bash
- Bouncy Castle
- Java
- Apache HTTP Server
- GnuTLS
- Apache Tomcat
- Spring Framework
- Django

4.15

New features and improvements:

Search enhancements:
- You can now search for Business Units, Applications, and Projects from anywhere within SD Elements.
- Substantial improvement to searching on the Business Unit, Application, and Projects list pages. Search results are now much more specific.
  - Projects no longer use profile names as a search field to better accommodate the improvement to searching.
Analysis import:
- The Analysis Connector page has been redesigned to match the improved UI and usability of other SDE pages.
- Analysis file import jobs now run as the user who triggered them, rather than the new service user.
- You can now create and update Analysis Connections via the API.
UI enhancements:
- Added Project ID to the Project Overview.
- Added “Copy Project ID” to the projects list action menu.
- Enhanced Business Unit, Application, and Project drop down menus from the toolbar.
Bug fixes:
- Fixed an issue where superusers who edited project membership would occasionally receive the error: “User cannot remove themselves from a project”.
- Emails are once again sent to project administrators when there are new tasks relevant to their projects. These emails are sent once a day.
  - The performance of the project task updates API endpoint has also been improved.

The following courses have been added to our Just-in-Time Training offering:

GDPR
OWASP Top 10 2017
AppSec Fundamentals
Defending Android
Defending ASP.NET Core in C#
Defending C
Defending Cloud-based Applications
Defending Databases
Defending Django
Defending JSP
Defending Node.JS
Defending Python
Defending Swift for iOS

Content additions and updates:

Updated Tasks
- T2: Secure the password reset mechanism [Change of text]
- T8: Use Consistent Error Handling for All Authentication Failures [Added a note about response time discrepancy.]
- T16: Authorize every non-public page [Change of text]
- T31: Validate all forms of input [Updated text.]
- T32: Always perform input validation on a server [Updated text.]
- T35: Fine-tune HTTP server settings [Added notification requirement to the text.]
- T45: Log potential critical security events [Updated the text and added TLS failure note.]
- T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Change of title, text and matching conditions]
- T63: Disable auto-complete for confidential fields [Added a note about integration with password managers.]
- T64: Set no-cache for confidential web pages [Added a note about Web Cache Deception attack.]
- T67: Protect page navigation flow [Change of text and matching conditions]
- T71: Capture sufficient information for each user transaction in audit logs [Added two log protection notes.]
- T122: Test for remote file include [Updated text for better clarity.]
- T208: Perform input validation on local input sources [Moved to T31.] [DEACTIVATED]
- T338: Control access to resources through user authentication and authorization [Change of text]
- T371: Provide unified and manageable interfaces for security settings and configuration parameters [Change of text]
- T378: Authorize every request for data objects [Change of text]
- T437: Include log reduction and report generation capabilities [Added a note about log execution.]
- T553: Design secure RESTful web services [Added a note about checking content-type.]
Deactivated Tasks
- T208: Perform input validation on local input sources
Added Tasks
- T142: Test that the application's navigation flow is protected
- T1144: Prevent Server-Side Template Injection (SSTI)
- T1145: Verify if web page template is vulnerable to SSTI
Added Task Amendments
- TA935: HTTP Public Key Pinning (HPKP)
- TA936: Avoid information leak through HTTP headers
- TA937: Avoiding components with known vulnerabilities in web applications
Updated Problems
- P49: External Control of System or Configuration Setting [Moved to P95.] [DEACTIVATED]
- P95: Improper Input Validation [Updated text.]
- P100: Response Discrepancy Information Exposure [Added a note about response time discrepancy.]
- P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Change of title, text and matching conditions]
- P705: Insufficient Restriction of Navigation [Changes to text and matching conditions]
- P834: Lack of Certificate/Public Key Pinning [Changes to matching conditions]
Deactivated Problems
- P49: External Control of System or Configuration Setting
Updated HowTo's
- I264: Establishing a secure channel and validating certificates in Java/Android [Change of text]
- I282: manually with browser and Burpsuite [Change of text]
- I420: Java or Android Keystore [Change of text]
Added HowTo's
- I908: Apache: Enabling HPKP
- I909: NGINX: Enabling HPKP
- I910: IIS: Enabling HPKP
- I911: Secure random numbers in Java
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring
- Tomcat
- GnuTLS
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Java
- AFNetworking Library
- Node.js
- AngularJS/Angular
Updated following code scanner mappings
- AppScan
- Checkmarx
- Veracode
- Fortify
- WebInspect
- WhiteHat
Changes to Project Properties and Profiles
- Deactivated "A183: Has wizard-style page navigation"
- Added Answer "A1207: DNS and CA servers are not trusted" under Question "Q131: Encryption"
Compliance Regulations and Mappings
- CWE is updated to CWE 3.1. and CWE types are added to the library.

We also added content for MySQL based on CIS benchmarks:

Added Tasks
- T1094: Place MySQL data and logs on non-system partitions (MySQL)
- T1095: Test that MySQL data and logs are not placed on system partitions (MySQL)
- T1096: Keep MySQL separate from other services (MySQL)
- T1097: Verify that MySQL is separate from other services (MySQL)
- T1098: Keep passwords secure (MySQL)
- T1099: Verify that passwords are secure (MySQL)
- T1100: Avoid reusing database accounts (MySQL)
- T1101: Verify that database accounts are not reused (MySQL)
- T1102: Securely set file and directory permissions (MySQL)
- T1103: Test if file and directory permissions are securely set (MySQL)
- T1104: Apply the latest security patches (MySQL)
- T1105: Test if the latest security patches are applied (MySQL)
- T1106: Ensure sql_mode contains NO_AUTO_CREATE_USER (MySQL)
- T1107: Test if sql_mode contains NO_AUTO_CREATE_USER (MySQL)
- T1108: Ensure that password policy is in place (MySQL)
- T1109: Test if password policy is in place (MySQL)
- T1110: Disable MySQL Command History (MySQL)
- T1111: Verify that MySQL Command History is disabled (MySQL)
- T1112: Disable Interactive Login (MySQL)
- T1113: Verify that Disable Interactive Login (MySQL)
- T1114: Avoid using default or shared cryptographic material (MySQL)
- T1115: Verify that you do not use default or shared cryptographic material (MySQL)
- T1116: Drop the default 'test' database (MySQL)
- T1117: Verify that the 'test' database is not installed (MySQL)
- T1118: Restrict access to local files (MySQL)
- T1119: Verify that access to local files is restricted (MySQL)
- T1120: Set up secure MySQL permissions (MySQL)
- T1121: Verify that MySQL permissions are set securely (MySQL)
- T1122: Ensure symbolic links are disabled (MySQL)
- T1123: Verify that symbolic links are disabled (MySQL)
- T1124: Ensure the daemon_memcached plugin is disabled (MySQL)
- T1125: Verify that daemon_memcached plugin is disabled (MySQL)
- T1126: Log errors and critical events (MySQL)
- T1127: Test critical events and error logging is enabled (MySQL)
- T1128: Ensure raw logging of password is disabled (MySQL)
- T1129: Verify that raw logging of password is disabled (MySQL)
- T1130: Configure authentication (MySQL)
- T1131: Test authentication is configured properly (MySQL)
- T1132: Set up SSL/TLS properly (MySQL)
- T1133: Test that SSL/TLS is set up properly (MySQL)
- T1134: Prevent loading suspicious user-defined functions (MySQL)
- T1135: Verify that suspicious user-defined functions cannot be loaded (MySQL)
- T1136: Enable strict mode (MySQL)
- T1137: Verify that strict mode is enabled (MySQL)
- T1138: Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS (MySQL)
- T1139: Verify that audit_log_strategy is set to SYNCHRONOUS or SEMISYNCRONOUS (MySQL)
- T1140: Set 'master_info_repository' to 'TABLE' (MySQL)
- T1141: Verify that 'master_info_repository' is set to 'TABLE' (MySQL)
Added Task Amendments
- TA930: More in-depth controls
- TA931: Test in-depth controls
- TA932: More in-depth controls
- TA933: Test in-depth controls
Added Problems
- P1039: Denial of service due to placing MySQL data on system partitions (MySQL)
- P1040: Lack of separation between MySQL and other services (MySQL)
- P1041: Weak Password Handling (MySQL)
- P1042: Reuse of Database Accounts (MySQL)
- P1043: File and Directory Permissions Are Not Set Securely (MySQL)
- P1044: The latest security patches are not applied (MySQL)
- P1045: The sql_mode does not contain NO_AUTO_CREATE_USER (MySQL)
- P1046: Password policy is not in place (MySQL)
- P1047: Enabled MySQL Command History (MySQL)
- P1048: Enabled Interactive Login (MySQL)
- P1049: Using Default or Shared Cryptographic Material (MySQL)
- P1050: Installed 'test' Database (MySQL)
- P1051: Unrestricted access to local files (MySQL)
- P1052: Unsecure MySQL permissions (MySQL)
- P1053: Enabled symbolic links (MySQL)
- P1054: Enabled daemon_memcached plugin (MySQL)
- P1055: Disabled error logging (MySQL)
- P1056: Raw logging of password (MySQL)
- P1057: Improper authentication (MySQL)
- P1058: Missing or improperly configuring SSL/TLS (MySQL)
- P1059: Loading suspicious user-defined functions (MySQL)
- P1060: Inactive strict mode (MySQL)
- P1061: Asynchronous logging (MySQL)
- P1062: Plaintext master info repository (MySQL)
Added HowTo's
- I881: MySQL: How to place MySQL data and logs on non-system partitions
- I882: MySQL: How to keep MySQL separate from other services
- I883: MySQL: How to keep passwords secure
- I884: MySQL: How to avoid reusing database accounts
- I885: MySQL: How to securely set file and directory permissions
- I887: MySQL: How to include 'NO_AUTO_CREATE_USER in sql_mode
- I888: MySQL: How to ensure that password policy Is in place
- I889: MySQL: How to Disable MySQL Command History
- I890: MySQL: How to Disable Interactive Login
- I891: MySQL: How to avoid using default or shared cryptographic material
- I892: MySQL: How to drop the 'test' database
- I893: MySQL: How to restrict access to local files
- I894: MySQL: How to set up secure MySQL permissions
- I895: MySQL: How to disable symbolic links
- I896: MySQL: How to ensure the 'daemon_memcached' plugin is disabled
- I897: MySQL: How to log errors and critical events
- I898: MySQL: How to disable raw password logging
- I899: MySQL: How to configure authentication
- I900: MySQL: How to set up SSL/TLS
- I901: MySQL: How to set 'allow-suspicious-udfs' to 'FALSE'
- I902: MySQL: How to enable strict mode
- I903: MySQL: How to for in-depth controls
- I904: MySQL: How to for in-depth controls
- I905: MySQL: How to set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS
- I906: MySQL: How to set 'master_info_repository' to 'TABLE'
Changes to Project Properties and Profiles
- Added "Q304: Database Technologies" under "Platform and Language".
- Added "Q305: Database Management System (DBMS)" under "Q304: Database Technologies".
- Added "A1195: MySQL" under "Q305: Database Management System (DBMS)".

4.14

New features and improvements:

Tasks page redesign:
- The tasks page has been redesigned to improve both performance and usability. It now matches the other redesigned pages of SD Elements.
- You can filter your tasks list based on the criteria of your risk policies.
- You can add tags to the tasks within a project. This lets you filter tasks using tags.
Added support for Last Status Change in CA Agile Central (Rally):
- Added support for timestamp-based ALM syncing with CA Agile Central (Rally) so that regardless of where a task status is updated, the most current status is reflected in both systems. You may have used this feature previously with Jira.
Performance improvements:
- Across the board performance improvements to any page that has yet to be migrated to the new design. Some pages are up to 50% faster.
Direct linking to current documentation:
- The link within the application to the new and improved documentation will take you to the correct version. For instance, when you click the documentation link in v4.14, you’ll see the docs for v4.14.
Bug fixes:
- Fixed an issue where inactive amendments to tasks were being returned by our API.

Content additions and updates:

Compliance Regulations, Mappings, and Other General Updates
- Content, report and mapping was added for OWASP Application Security Verification Standard (ASVS) 3.0.1
Updated Tasks
- T2: Secure the password reset mechanism (updated text)
- T31: Validate all forms of input (updated text)
- T32: Always perform input validation on a server (updated text)
- T37: Avoid DOM-based Cross-Site Scripting (XSS) (Updated instructions.)
- T40: Use XML encoding when interacting with XML data (Change of text, Change of priority from 4 to 5)
- T45: Log potential critical security events (updated text)
- T95: Test for the absence of "Remember Me" features (updated text)
- T162: Validate pathname before retrieving local resources (Changed the old title "Validate workspace before retrieving local resources" and updated the text and the rules.)
- T206: Avoid TOCTOU race conditions against external resources (Moved the problem statement and case study to P265.)
- T257: Secure cross origin resource sharing (CORS) (Removed HTML5 rule. Added "A1192: CORS" rule.)
- T259: Follow best practices when storing data in Local or Session Storage (Added "A1191: HTML5 Web Storage" as the only rule.)
- T297: Verify that target pathname is validated before retrieving local resources (Changed the old title "Verify that target workspace is validated before retrieving local resources" and updated the text and the rules.)
- T318: Verify security of cross origin resource sharing (CORS) (Removed HTML5 rule. Added "A1192: CORS" rule.)
- T321: Verify that Local and Session Storage are securely used (Added "A1191: HTML5 Web Storage" as the only rule.)
- T572: Check for symlinks before opening files (Updated the text.)
- T856: Keep your web server separate from other services (Changed the old title: "Do not install a multi-use system" and updated the text.)
Added Tasks
- T1092: Do not store sensitive cleartext information in cookies
- T1093: Test that cookies do not contain sensitive cleartext information
- T1143: Verify that XML encoding is used when interacting with XML data
Updated Problems
- P116: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (Updated the text and the rules.)
- P265: Time-of-check Time-of-use (TOCTOU) Race Condition (Changed rule from "A717: The application is a generic client application" to "A1194: Consumes OS resources via framework functions". Moved some part of the task text to the problem.)
- P480: Improper Link Resolution Before File Access ('Link Following') (Updated the rules.)
Added Problems
- P209: Cleartext Storage of Sensitive Information
Updated HowTo's
- I450: Pathname Validation (Changed the old title "Workspace Validation" and updated the text.)
- I718: Red Hat: Disabling a service (Updated rules.)
Added HowTo's
- I907: OWASP Java Encoder: XML encoding
Updated T186, w/ latest security patch level for third party libraries
- Django
- Spring Framework
- Struts
- Apache Tomcat
- Apache HTTP Server
- Java
- Bouncy Castle
- Node.js
- AngularJS/Angular
Changes to Project Properties and Profiles
- Added answer "A1191: HTML5 Web Storage" to question "Q245: Advanced HTML5 Features Used".
- Added answer "A1192: CORS" to question "Q191: Web Client Technologies Used".
- Added question "Q303: OS Interactions" under "Features and Functions/More Features".
- Moved answer "A9: OS shell commands" from question "Q215: Input Validation" to question "Q303: OS Interactions".
- Added answer "A1194: System calls" to question "Q303: OS Interactions".
- Updated "Q115: Generates or reads data/files in the following formats:" (Changed the old title "Generates or Reads XML From End User or Remote System".)
- Updated "A13: XML" (Change the old title "Yes".)
- Updated "A733: JSON" (Moved under Q115.)
- Removed "A217: Other Serialization Formats"
- Added "A1193: CSV or Excel"
- Changed "Q124: Payment Service Provider" (changed the text)

We also updated rules for some Test tasks to match their corresponding development tasks:

T8, T37, T81, T85, T91, T93, T94, T98, T116, T119, T122, T124, T128, T129, T175, T227, T234, T235, T292, T293, T306, T314, T434, T478, T497, T594, T597, T605, T632, T652, T899.

We also added content for Microsoft Azure based on CIS benchmarks:

Changes to Project Properties and Profiles
- Added "Q306: Azure Services" under "Cloud Providers"
- Added "A1190: Microsoft Azure" under "Cloud Providers"
- Added "A1196: Multi-Factor Authentication" under "Azure Services"
- Added "A1197: Active Directory" under "Azure Services"
- Added "A1198: Virtual Machines" under "Azure Services"
- Added "A1199: Security Center" under "Azure Services"
- Added "A1200: Storage" under "Azure Services"
- Added "A1201: SQL Database" under "Azure Services"
- Added "A1202: Virtual Network" under "Azure Services"
- Added "A1203: Monitor" under "Azure Services"
- Added "A1204: Key Vault" under "Azure Services"
- Added "A1205: Network Watcher" under "Azure Services"
- Added "A1206: Resource Manager" under "Azure Services"
Added Tasks
- T1041: Enable multifactor authentication (Microsoft Azure)
- T1042: Test that multifactor authentication is enabled (Microsoft Azure)
- T1043: Avoid creating guest user access (Microsoft Azure)
- T1044: Test that guest user access is not allowed (Microsoft Azure)
- T1045: Perform dual identification for password reset (Microsoft Azure)
- T1046: Test that password reset process is secure (Microsoft Azure)
- T1047: Enable reconfirmation for authentication information (Microsoft Azure)
- T1048: Test that reconfirmation for authentication information is enabled (Microsoft Azure)
- T1049: Set 'Restrict access to Azure AD administration portal' to 'Yes' (Microsoft Azure)
- T1050: Test that 'Restrict access to Azure AD administration portal' is set to 'Yes' (Microsoft Azure)
- T1051: Enable "All Users" group (Microsoft Azure)
- T1052: Test "All Users" group is enabled (Microsoft Azure)
- T1053: Enable VM protection features (Microsoft Azure)
- T1054: Test that VM protection features are enabled (Microsoft Azure)
- T1055: Update VMs (Microsoft Azure)
- T1056: Test that all VMs are updated (Microsoft Azure)
- T1057: Enable disk and storage encryption (Microsoft Azure)
- T1058: Test that disk and storage encryption is enabled (Microsoft Azure)
- T1059: Configure network security groups and firewalls securely (Microsoft Azure)
- T1060: Test that network security groups and firewalls are configured securely (Microsoft Azure)
- T1061: Enable SQL auditing and threat detection (Microsoft Azure)
- T1062: Test that SQL auditing and threat detection are enabled (Microsoft Azure)
- T1063: Set up security contacts (Microsoft Azure)
- T1064: Test that security contacts are set up (Microsoft Azure)
- T1065: Enable data encryption is transit (Microsoft Azure)
- T1066: Test that 'Secure transfer required' is set to 'Enabled' (Microsoft Azure)
- T1067: Regenerate storage account access keys periodically (Microsoft Azure)
- T1068: Test that storage account access keys are periodically regenerated (Microsoft Azure)
- T1069: Configure shared access signature tokens securely (Microsoft Azure)
- T1070: Test that shared access signature tokens are configured securely (Microsoft Azure)
- T1071: Disable anonymous access to blob containers (Microsoft Azure)
- T1072: Test that anonymous access to blob containers is disabled (Microsoft Azure)
- T1073: Keep logs long enough (Microsoft Azure)
- T1074: Verify that logs are kept long enough (Microsoft Azure)
- T1075: Configure Azure Active Directory Admin (Microsoft Azure)
- T1076: Verify that Azure Active Directory Admin is configured (Microsoft Azure)
- T1077: Log critical events (Microsoft Azure)
- T1078: Verify that critical events are logged (Microsoft Azure)
- T1079: Disable unapproved VM extensions (Microsoft Azure)
- T1080: Verify that unapproved VM extensions are not used (Microsoft Azure)
- T1081: Configure Key Vault securely (Microsoft Azure)
- T1082: Verify that Key Vault is configured securely (Microsoft Azure)
- T1083: Disable non-required user capabilities (Microsoft Azure)
- T1084: Verify that non-required user capabilities are disabled (Microsoft Azure)
- T1085: Do not create custom subscription owner roles (Microsoft Azure)
- T1086: Verify that no custom subscription owner roles are created (Microsoft Azure)
- T1087: Select standard pricing tier (Microsoft Azure)
- T1088: Verify that standard pricing tier is selected (Microsoft Azure)
- T1089: Set Resource Locks for mission critical Azure resources (Microsoft Azure)
- T1090: Verify that Resource Locks are set for mission critical Azure resources (Microsoft Azure)
Added Task Amendments
- TA910: Ensure multifactor authentication is enabled - In-depth controls
- TA911: Test that multifactor authentication is enabled - In-depth controls
- TA912: Notify admins when other admins reset their password - In-depth controls
- TA913: Test that admins are notified when other admins rest their password - In-depth controls
- TA914: Ensure guest user have limited permission - In-depth controls
- TA915: Test that guest user has limited permissions - In-depth controls
- TA916: Microsoft Azure: Keep logs long enough - In-depth controls
- TA917: Microsoft Azure: Verify that logs are kept long enough - In-depth controls
Added Problems
- P1014: Disabled multifactor authentication (Microsoft Azure)
- P1015: Possibility of unintended guest user access (Microsoft Azure)
- P1016: Single identification for password reset (Microsoft Azure)
- P1017: Disabled reconfirmation for authentication information (Microsoft Azure)
- P1018: Unrestricted access to Azure AD administration portal (Microsoft Azure)
- P1019: No "All Users" group (Microsoft Azure)
- P1020: Inactive VM protection features (Microsoft Azure)
- P1021: Out of date VMs (Microsoft Azure)
- P1022: Unencrypted disk and storage (Microsoft Azure)
- P1023: Misconfiguring network security groups and firewalls (Microsoft Azure)
- P1024: No SQL auditing or threat detection (Microsoft Azure)
- P1025: No security contacts (Microsoft Azure)
- P1026: Unencrypted transmission of data (Microsoft Azure)
- P1027: Old storage account access keys (Microsoft Azure)
- P1028: Unsecure shared access signature tokens (Microsoft Azure)
- P1029: Anonymous access to blob containers (Microsoft Azure)
- P1030: Inadequate Log Retention (Microsoft Azure)
- P1031: Lack of Azure Active Directory Admin configuration (Microsoft Azure)
- P1032: Insufficient Logging (Microsoft Azure)
- P1033: Unapproved VM Extensions (Microsoft Azure)
- P1034: Improper Key Vault Configuration (Microsoft Azure)
- P1035: Running with Excessive Functionalities and Capabilities (Microsoft Azure)
- P1036: Custom Subscription Owner Roles (Microsoft Azure)
- P1037: Non-Standard Pricing Tier (Microsoft Azure)
- P1038: Lack of Resource Locks for mission critical Azure resources (Microsoft Azure)
Added HowTo's
- I852: Microsoft Azure: How to enable multifactor authentication
- I854: Microsoft Azure: How to secure password reset process
- I855: Microsoft Azure: How to ensure that re-confirmation for authentication information is enabled
- I856: Microsoft Azure: How to set 'Restrict access to Azure AD administration portal' to 'Yes'
- I857: Microsoft Azure: How to enable "All Users" group
- I858: Microsoft Azure: How to enable VM protection features
- I859: Microsoft Azure: How to update VMs
- I860: Microsoft Azure: How to enable disk and storage encryption
- I861: Microsoft Azure: How to configure network security groups and firewalls securely
- I862: Microsoft Azure: How to enable SQL auditing and threat detection
- I863: Microsoft Azure: How to set up security contacts
- I864: Microsoft Azure: How to ensure that 'Secure transfer required' is set to 'Enabled'
- I865: Microsoft Azure: How to regenerate storage account access keys
- I866: Microsoft Azure: How to configure shared access signature tokens securely
- I867: Microsoft Azure: How to set 'Public access level' to 'Private' for blob containers
- I868: Microsoft Azure: Keep logs long enough
- I869: Microsoft Azure: Configure Azure Active Directory Admin
- I870: Microsoft Azure: Log critical events
- I871: Microsoft Azure: Disable unapproved VM extensions
- I872: Microsoft Azure: Configure Key Vault securely
- I873: Microsoft Azure: How to enable multifactor authentication - In-depth controls
- I874: Microsoft Azure: How to notify all admins when other admins change their password - In-depth controls
- I875: Microsoft Azure: Disable non-required user capabilities
- I876: Microsoft Azure: How to set limited permissions for guest users - In-depth controls
- I877: Microsoft Azure: Remove custom subscription owner roles
- I878: Microsoft Azure: Select standard pricing tier
- I879: Microsoft Azure: Keep logs long enough - In-depth controls
- I880: Microsoft Azure: Set Resource Locks for mission critical Azure resources

4.13

New features and improvements:

Risk Dashboard enhancements:
- The following actions are logged in the activity log: risk policy creation and deletion, changing the policy on a project, changing the default policy of a business unit, and changing the default policy across an organization.
- You can now access the Risk Status Report from the Risk Status Summary widget.
- You will also experience performance and small interface improvements.
ALM Integrations form improvements:
- User interface improvements will make creating connections easier.
- The “Custom Priority Mapping” and “Custom Field Mappings” fields have improved help text and labels to better explain what they do and how they are used.
API endpoint report generation:
- To make report generation easier via API, the "risk_rating" field was added to the expanded problem field in Tasks, the "became_relevant" field was added to Tasks, and "last_note" and "last_verification" include filters were added to Tasks.
- See the API documentation for more information.
Bug fixes:
- A bug concerning admin user permissions not being cleared properly has been fixed.
- ALM and Analysis synchronizations are now run by a "service user" rather than the user who created the global connector. (This addresses a bug where connections would fail if the user that created the connector was deactivated, or had their permissions removed.)
- A number of minor bugs have also been fixed.

Content additions and updates:

Updated Tasks
- T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript {Merged "T48: HTML entity encode validation error messages" to T36.
- T48: HTML entity encode validation error messages {Removed T48, and merged content to T36.}
- T536: Restrict the size of incoming messages in services {Change of text}
- T537: Test that the size of incoming messages in services is restricted {Change of text}
- T731: Create log metrics and alarms (2) (AWS) {Moved to TA926.}
- T732: Test that log metrics and alarms are created (2) (AWS) {Moved to TA927.}
- T832: Configure Web and App -tier ELB correctly (2) (AWS) {Moved to TA928.}
- T833: Test if Web and App -tier Elastic Loud Balancing is correctly configured (2) (AWS) {Moved to TA929.}
- T882: Restrict Apache options and disable default content (2) {Moved to TA924.}
- T883: Verify that Apache options are restricted and the default content is removed (2) {Moved to TA925.}
- T884: Log Apache errors and access (2) {Moved to TA918.}
- T885: Verify Apache logging (2) {Moved to TA919.}
- T886: Secure Apache SSL/TLS (2) {Moved to TA920.}
- T887: Verify Apache SSL/TLS configuration (2) {Moved to TA921.}
- T888: Limit information exposed by Apache (2) {Moved to TA922.}
- T889: Verify that information exposed by Apache is restricted (2) {Moved to TA923.}
Added Task Amendments
- TA918: More in-depth controls
- TA919: Test in-depth controls
- TA920: More in-depth controls
- TA921: Test in-depth controls
- TA922: More in-depth controls
- TA923: Test in-depth controls
- TA924: More in-depth controls
- TA925: Test in-depth controls
- TA926: More in-depth controls
- TA927: Test in-depth controls
- TA928: More in-depth controls
- TA929: Test in-depth controls
Updated HowTo's
- I65: Java EE with ESAPI: Error message encoding {Moved from "T48: HTML entity encode validation error messages" to T36.}
- I103: ASP.NET / C#: Error message encoding with Microsoft Anti XSS {Moved from "T48: HTML entity encode validation error messages" to T36.}
- I234: Rails: Error message encoding {Moved from "T48: HTML entity encode validation error messages" to T36.}
- I626: How to create log metrics and alarms (AWS) - In-depth controls {Changed old title: "How to create log metrics and alarms (2) (AWS)" and moved under T686.}
- I664: How to configure Web and App -tier ELB correctly (AWS) - In-depth controls {Changed old title: "How to configure Web and App -tier ELB correctly (2) (AWS)" and moved under T769.}
- I732: Apache HTTP Server: How to for in-depth controls {Changed old title: "How to restrict Apache options and disable default content (2)" and moved under T867.}
- I733: Apache HTTP Server: How to for in-depth controls {Changed old title: "How to log Apache errors and access (2)" and moved under T871.}
- I734: Apache HTTP Server: How to for in-depth controls {Changed old title: "How to secure Apache SSL/TLS (2)" and moved under T875.}
- I735: Apache HTTP Server: How to for in-depth controls {Changed old title: "How to limit information exposed by Apache (2)" and moved under T877.}
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Apache Wicket
- Apache MyFaces
- Java
- Node.js
- AngularJS/Angular

We also added mappings for Application Security and Development Security Technical Implementation Guide (ASD-STIG):

Compliance Regulations:
- Content, report and mapping was added for Application Security and Development Security Technical Implementation Guide (ASD-STIG)
Updated Tasks
- T71: Capture sufficient information for each user transaction in audit logs {Updated title}
- T166: Protect against JSON hijacking {Updated text}
- T599: Do not rely on HTTP Host header {Updated text}
Added Task Amendments
- TA839: ASD-STIG requirements for T340
- TA840: ASD-STIG requirements for T61
- TA841: ASD-STIG requirements for T338
- TA842: ASD-STIG requirements for T353
- TA843: ASD-STIG requirements for T152
- TA844: ASD-STIG requirements for T45
- TA845: ASD-STIG requirements for T371
- TA846: ASD-STIG requirements for T6
- TA847: ASD-STIG requirements for T751
- TA848: ASD-STIG requirements for T427
- TA849: ASD-STIG requirements for T429
- TA850: ASD-STIG requirements for T164
- TA851: ASD-STIG requirements for T24
- TA852: ASD-STIG requirements for T21
- TA853: ASD-STIG requirements for T243
- TA854: ASD-STIG requirements for T520
- TA855: ASD-STIG requirements for T571
- TA856: ASD-STIG requirements for T71
- TA857: ASD-STIG requirements for T437
- TA858: ASD-STIG requirements for T431
- TA859: ASD-STIG requirements for T349
- TA860: ASD-STIG requirements for T46
- TA861: ASD-STIG requirements for T370
- TA862: ASD-STIG requirements for T456
- TA863: ASD-STIG requirements for T186
- TA864: ASD-STIG requirements for T356
- TA865: ASD-STIG requirements for T364
- TA866: ASD-STIG requirements for T135
- TA867: ASD-STIG requirements for T1
- TA868: ASD-STIG requirements for T425
- TA869: ASD-STIG requirements for T558
- TA870: ASD-STIG requirements for T665
- TA871: ASD-STIG requirements for T5
- TA872: ASD-STIG requirements for T7
- TA873: ASD-STIG requirements for T394
- TA874: ASD-STIG requirements for T25
- TA875: ASD-STIG requirements for T248
- TA876: ASD-STIG requirements for T156
- TA877: ASD-STIG requirements for T76
- TA878: ASD-STIG requirements for T3
- TA879: ASD-STIG requirements for T12
- TA880: ASD-STIG requirements for T60
- TA881: ASD-STIG requirements for T26
- TA882: ASD-STIG requirements for T197
- TA883: ASD-STIG requirements for T205
- TA884: ASD-STIG requirements for T580
- TA885: ASD-STIG requirements for T379
- TA886: ASD-STIG requirements for T244
- TA887: ASD-STIG requirements for T55
- TA888: ASD-STIG requirements for T35
- TA889: ASD-STIG requirements for T375
- TA890: ASD-STIG requirements for T367
- TA891: ASD-STIG requirements for T158
- TA892: ASD-STIG requirements for T33
- TA893: ASD-STIG requirements for T159
- TA894: ASD-STIG requirements for T151
- TA895: ASD-STIG requirements for T23
- TA896: ASD-STIG requirements for T22
- TA897: ASD-STIG requirements for T27
- TA898: ASD-STIG requirements for T20
- TA899: ASD-STIG requirements for T347
- TA900: ASD-STIG requirements for T148
- TA901: ASD-STIG requirements for T49
- TA902: ASD-STIG requirements for T360
- TA903: ASD-STIG requirements for T453
- TA904: ASD-STIG requirements for T36
- TA905: ASD-STIG requirements for T29
- TA906: ASD-STIG requirements for T43
- TA907: ASD-STIG requirements for T31
- TA908: ASD-STIG requirements for T38
- TA909: ASD-STIG requirements for T202

We also added content for Microsoft IIS Server based on CIS benchmarks:

Added Problems
- P944: Web content on the system partition (Microsoft IIS)
- P945: Not requiring 'host headers' for a site (Microsoft IIS)
- P946: Directory Browsing (Microsoft IIS)
- P947: Insecure Application Pools (Microsoft IIS)
- P951: Unprotected cookies for form authentication (Microsoft IIS)
- P954: Deployment Method is not set to retail (Microsoft IIS)
- P955: HTTP detailed errors are displayed remotely (Microsoft IIS)
- P956: Cookies are not set with HttpOnly attribute (Microsoft IIS)
- P957: Insecure Configuration of MachineKey validation (Microsoft IIS)
- P958: Global .NET trust level is not configured securely (Microsoft IIS)
- P959: Double-encoded Requests (Microsoft IIS)
- P961: Unlisted file extensions (Microsoft IIS)
- P962: Granting Write and Script/Execute permissions at the same time to handlers (Microsoft IIS)
- P963: Running unlisted extensions (Microsoft IIS)
- P965: Misconfiguring logging (Microsoft IIS)
- P966: Misconfiguring FTP (Microsoft IIS)
- P967: Misconfiguring TLS/SSL for Microsoft IIS (Microsoft IIS)
- P970: Debug is not turned off (Microsoft IIS)
- P971: Custom error messages are off (Microsoft IIS)
- P972: ASP.NET stack tracing is enabled (Microsoft IIS)
- P973: Httpcookie mode is not securely configured for session state (Microsoft IIS)
- P975: Inadequate/improper request filters (Microsoft IIS)
- P976: HSTS Header is not set (Microsoft IIS)
Added Tasks
- T902: Put web content on a non-system partition (Microsoft IIS)
- T903: Require 'host headers' on all sites (Microsoft IIS)
- T904: Disable 'directory browsing' (Microsoft IIS)
- T905: Configure application pools securely (Microsoft IIS)
- T906: Set 'global authorization rule' to restrict access (Microsoft IIS)
- T907: Restrict access to sensitive site features to authenticated principals only (Microsoft IIS)
- T908: Require SSL/TLS for 'forms authentication' (Microsoft IIS)
- T909: Configure 'cookie protection mode' for forms authentication (Microsoft IIS)
- T910: Configure transport layer security for 'basic authentication' (Microsoft IIS)
- T911: Ensure 'passwordFormat' is not set to clear (Microsoft IIS)
- T912: Ensure deployment method retail is set (Microsoft IIS)
- T913: Ensure HTTP detailed errors are hidden from displaying remotely (Microsoft IIS)
- T914: Ensure cookies are set with HttpOnly attribute (Microsoft IIS)
- T915: Configure MachineKey validation securely (Microsoft IIS)
- T916: Ensure global .NET trust level is configured securely (Microsoft IIS)
- T917: Reject double-encoded requests (Microsoft IIS)
- T918: Disable 'HTTP Trace Method' (Microsoft IIS)
- T919: Do not allow unlisted file extensions (Microsoft IIS)
- T920: Ensure handlers are not granted Write and Script/Execute permissions at the same time (Microsoft IIS)
- T921: Restrict unlisted extensions from being run (Microsoft IIS)
- T922: Enable 'Dynamic IP Address Restrictions' (Microsoft IIS)
- T923: Configure logging securely on Microsoft IIS (Microsoft IIS)
- T924: Configure FTP securely (Microsoft IIS)
- T925: Configure TLS/SSL securely for Microsoft IIS (Microsoft IIS)
- T926: Use cookies for forms authentication (Microsoft IIS)
- T927: Do not store 'credentials' in configuration files (Microsoft IIS)
- T928: Ensure debug is turned off (Microsoft IIS)
- T929: Ensure custom error messages are not off (Microsoft IIS)
- T930: Ensure ASP.NET stack tracing is not enabled (Microsoft IIS)
- T931: Ensure httpcookie mode is configured for session state (Microsoft IIS)
- T933: Configure request filters properly (Microsoft IIS)
- T934: Ensure HSTS Header is set (Microsoft IIS)
- T936: Test that web content is on a non-system partition (Microsoft IIS)
- T937: Test that 'host headers' are on all sites (Microsoft IIS)
- T938: Test that 'directory browsing' is set to disabled (Microsoft IIS)
- T939: Test that application pools are configured securely (Microsoft IIS)
- T940: Test that 'global authorization rule' is set to restrict access (Microsoft IIS)
- T941: Test that access to sensitive site features is restricted to authenticated principals only (Microsoft IIS)
- T942: Test that 'forms authentication' require SSL/TLS (Microsoft IIS)
- T943: Test that 'cookie protection mode' is configured for forms authentication (Microsoft IIS)
- T944: Test that transport layer security for 'basic authentication' is configured (Microsoft IIS)
- T945: Test that 'passwordFormat' is not set to clear (Microsoft IIS)
- T946: Test if 'deployment method retail' is set (Microsoft IIS)
- T947: Test if HTTP detailed errors are hidden from displaying remotely (Microsoft IIS)
- T948: Test if cookies are set with HttpOnly attribute (Microsoft IIS)
- T949: Test if MachineKey validation is configured securely (Microsoft IIS)
- T950: Test if global .NET trust level is configured securely (Microsoft IIS)
- T951: Verify that double-encoded requests are rejected (Microsoft IIS)
- T952: Verify that 'HTTP Trace Method' is disabled (Microsoft IIS)
- T953: Verify that unlisted file extensions are not allowed (Microsoft IIS)
- T954: Test that handlers are not granted Write and Script/Execute permissions at the same time. (Microsoft IIS)
- T955: Verify that unlisted extensions are restricted from being run (Microsoft IIS)
- T956: Test that 'Dynamic IP Address Restrictions' is enabled (Microsoft IIS)
- T957: Test if logging is configured securely (Microsoft IIS)
- T958: Test if FTP is configured securely (Microsoft IIS)
- T959: Verify if TLS/SSL is securely configured for Microsoft IIS (Microsoft IIS)
- T960: Verify that forms authentication is configured to use cookies (Microsoft IIS)
- T961: Verify that 'credentials' are not stored in configuration files (Microsoft IIS)
- T962: Test if debug is turned off (Microsoft IIS)
- T963: Test if custom error messages are not set to off (Microsoft IIS)
- T964: Test if ASP.NET stack tracing is not enabled (Microsoft IIS)
- T965: Test that Ensure 'httpcookie' mode is configured for session state (Microsoft IIS)
- T967: Verify that request filters are configured properly (Microsoft IIS)
- T968: Test if HSTS Header is set (Microsoft IIS)
Added How-To's
- I780: IIS: How to ensure web content is on a non-system partition
- I781: IIS: How to ensure 'host headers' are on all sites
- I782: IIS: How to disable 'directory browsing'
- I783: IIS: How to configure application pools securely
- I784: IIS: How to set 'global authorization rule' to restrict access
- I785: IIS: How to restrict access to sensitive site features to authenticated principals only
- I786: IIS: How to require SSL/TLS for 'forms authentication'
- I787: IIS: How to configure 'cookie protection mode' for forms authentication
- I788: IIS: How to configure transport layer security for 'basic authentication'
- I789: IIS: How to ensure 'passwordFormat' is not set to clear
- I790: IIS: How to ensure 'deployment method retail' is set
- I791: IIS: How to ensure IIS HTTP detailed errors are hidden from displaying remotely
- I792: IIS: How to ensure cookies are set with HttpOnly attribute
- I793: IIS: How to configure MachineKey validation securely
- I794: IIS: How to ensure global .NET trust level is configured
- I795: IIS: How to reject double-encoded requests
- I796: IIS: How to disable 'HTTP Trace Method'
- I797: IIS: How to disallow unlisted file extensions
- I798: IIS: How to ensure handlers are not granted Write and Script/Execute permissions at the same time
- I799: IIS: How to restrict unlisted extensions from being run
- I800: IIS: How to enable 'Dynamic IP Address Restrictions'
- I801: IIS: How to configure logging securely
- I802: IIS: How to configure FTP securely
- I803: IIS: How to configure TLS/SSL securely
- I804: IIS: How to configure forms authentication to use cookies
- I805: IIS: How to ensure 'credentials' are not stored in configuration files
- I806: IIS: How to turn off 'debug'
- I807: IIS: How to ensure that custom error messages are not off
- I808: IIS: How to disable ASP.NET stack tracing
- I809: IIS: How to ensure 'httpcookie' mode is configured for session state
- I811: IIS: How to configure request filters properly
- I812: IIS: How to ensure HSTS Header is set

We also added content for Apache Tomcat based on CIS benchmarks:

Added Tasks
- T970: Limit server platform information leakage (Apache Tomcat)
- T971: Protect the Shutdown Port (Apache Tomcat)
- T972: Apply access restrictions in Tomcat configurations (Apache Tomcat)
- T973: Accurately set scheme (Apache Tomcat)
- T974: Restrict runtime access to sensitive packages (Apache Tomcat)
- T975: Start Tomcat with Security Manager (Apache Tomcat)
- T976: Store Web content directory on a separate partition from the Tomcat system files (Apache Tomcat)
- T977: Do not allow symbolic linking (Apache Tomcat)
- T978: Do not run applications as privileged (Apache Tomcat)
- T979: Do not allow cross context requests (Apache Tomcat)
- T980: Enable memory leak listener (Apache Tomcat)
- T981: Set Security Lifecycle Listener (Apache Tomcat)
- T982: Use logEffectiveWebXml and metadata-complete in production (Apache Tomcat)
- T983: Force TLS for manager application (Apache Tomcat)
- T984: Enable strict servlet compliance (Apache Tomcat)
- T986: Turn off session facade recycling (Apache Tomcat)
- T987: Remove extraneous resources (Apache Tomcat)
- T988: Configure Tomcat Realms securely (Apache Tomcat)
- T989: Setup Client-cert Authentication (Apache Tomcat)
- T990: Disable auto deployment (Apache Tomcat)
- T991: Configure connectionTimeout (Apache Tomcat)
- T992: Configure maxHttpHeaderSize properly (Apache Tomcat)
- T993: Force TLS for all applications (Apache Tomcat)
- T994: Do not resolve hosts on logging valves (Apache Tomcat)
- T995: Restrict access to the web administration (Apache Tomcat)
- T996: Do not allow additional path delimiters (Apache Tomcat)
- T997: Do not allow custom header status messages (Apache Tomcat)
- T998: Test that leakage is prevented for server platform information (Apache Tomcat)
- T1000: Test that the Shutdown Port is protected (Apache Tomcat)
- T1001: Verify that proper restrictions are applied in Tomcat configurations (Apache Tomcat)
- T1002: Verify that scheme is set accurately (Apache Tomcat)
- T1003: Verify that runtime access to sensitive packages is restricted (Apache Tomcat)
- T1004: Verify that Tomcat is started with Security Manager (Apache Tomcat)
- T1005: Verify that Web content directory is on a separate partition from the Tomcat system files (Apache Tomcat)
- T1006: Verify that symbolic linking is not allowed (Apache Tomcat)
- T1007: Verify that applications are not running as privileged (Apache Tomcat)
- T1008: Verify that cross context requests are not allowed (Apache Tomcat)
- T1009: Verify that memory leak listener is enabled (Apache Tomcat)
- T1010: Verify that Security Lifecycle Listener is set (Apache Tomcat)
- T1011: Verify that logEffectiveWebXml and metadata-complete are enabled in production (Apache Tomcat)
- T1012: Verify that that TLS is forced for manager application (Apache Tomcat)
- T1013: Verify that servlet Compliance is restricted (Apache Tomcat)
- T1014: Verify that session facade recycling is turned off (Apache Tomcat)
- T1015: Verify that extraneous resources are removed (Apache Tomcat)
- T1017: Test that Tomcat realms are configured securely (Apache Tomcat)
- T1018: Verify that Client-cert Authentication is set up (Apache Tomcat)
- T1019: Verify that auto deployment is disabled (Apache Tomcat)
- T1020: Verify that connectionTimeout is configured (Apache Tomcat)
- T1021: Verify that maxHttpHeaderSize is properly configured (Apache Tomcat)
- T1022: Verify that TLS is forced for all applications (Apache Tomcat)
- T1023: Verify that hosts are not resolved on logging valves (Apache Tomcat)
- T1024: Verify that access to the web administration is restricted (Apache Tomcat)
- T1025: Verify that additional path delimiters are not allowed (Apache Tomcat)
- T1026: Verify that custom header status messages are not allowed (Apache Tomcat)
- T1027: Configure TLS/SSL securely (Apache Tomcat)
- T1028: Log sufficiently and protect logs (Apache Tomcat)
- T1030: Verify that TLS/SSL is configured securely (Apache Tomcat)
- T1031: Verify that logs are captured and protected sufficiently (Apache Tomcat)
- T1034: Protect manager application (Apache Tomcat)
- T1037: Verify that manager application is protected (Apache Tomcat)
Added Task Amendments
- TA830: Apache Tomcat: Limit advertising Tomcat server platform information - In-depth controls
- TA831: Apache Tomcat: Verify that Tomcat is not advertising its server platform information - In-depth controls
- TA832: Apache Tomcat: Disable Shutdown Port if it is not used - In-depth controls
- TA833: Apache Tomcat: Verify that the Shutdown command is disabled if it's not used - In-depth controls
- TA834: Apache Tomcat: Log sufficiently and protect logs - In-depth controls
- TA835: Apache Tomcat: Verify that logs are captured and protected sufficiently - In-depth controls
Added Problems
- P978: Server Platform Information Leakage (Apache Tomcat)
- P979: Leaving Shutdown Port enabled (Apache Tomcat)
- P980: Improper Restrictions in Tomcat Configurations (Apache Tomcat)
- P981: Inaccurate Scheme Setting (Apache Tomcat)
- P982: Permissive runtime access to sensitive packages (Apache Tomcat)
- P983: Starting Tomcat without Security Manager (Apache Tomcat)
- P984: Storing Web content directory at the same partition as the Tomcat system files (Apache Tomcat)
- P985: Allowing symbolic linking (Apache Tomcat)
- P986: Running applications as privileged (Apache Tomcat)
- P987: Allowing cross context requests (Apache Tomcat)
- P988: Disabled memory leak listener (Apache Tomcat)
- P989: Disabled Security Lifecycle Listener (Apache Tomcat)
- P990: Disabled logEffectiveWebXml and metadata-complete in production (Apache Tomcat)
- P991: Plaintext communication for manager application (Apache Tomcat)
- P992: Lax servlet Compliance (Apache Tomcat)
- P994: Extraneous Resources (Apache Tomcat)
- P995: Improper Realms Configuration (Apache Tomcat)
- P996: Lack of Client-cert Authentication (Apache Tomcat)
- P997: Enabled Auto Deployment (Apache Tomcat)
- P998: Open Idle Sockets (Apache Tomcat)
- P999: Unlimited Request Header Size (Apache Tomcat)
- P1000: Clear Text and Unencrypted Transmission of Sensitive Information (Apache Tomcat)
- P1001: Resolving hosts on logging valves (Apache Tomcat)
- P1002: Unrestricted access to the web administration (Apache Tomcat)
- P1003: Allowing Additional Path Delimiters (Apache Tomcat)
- P1004: Allowing custom header status messages (Apache Tomcat)
- P1005: Session facade recycling (Apache Tomcat)
- P1007: Lack of Secure TLS/SSL Configuration (Apache Tomcat)
- P1008: Insufficient Logging or Insufficient Protection of Logs (Apache Tomcat)
- P1012: Unprotected manager application (Apache Tomcat)
Added HowTo's
- I814: Apache Tomcat: How to limit server platform information leakage
- I815: Apache Tomcat: How to set nondeterministic value for the Shutdown Port
- I816: Apache Tomcat: How to properly apply restrictions in Tomcat
- I817: Apache Tomcat: Setting scheme
- I818: Apache Tomcat: Restrict runtime access to sensitive packages
- I819: Apache Tomcat: Starting Tomcat with Security Manager
- I821: Apache Tomcat: Disabling symbolic linking
- I822: Apache Tomcat: Disabling privileged application running
- I823: Apache Tomcat: Disabling cross context requests
- I824: Apache Tomcat: Enable memory leak listener
- I825: Apache Tomcat: Setting Security Lifecycle Listener
- I826: Apache Tomcat: Enabling logEffectiveWebXml and metadata-complete
- I827: Apache Tomcat: Enforcing TLS for manager application
- I828: Apache Tomcat: Strict servlet Compliance
- I829: Apache Tomcat: Turning off session facade recycling
- I830: Apache Tomcat: How to remove extraneous resources
- I831: Apache Tomcat: How to configure Realms securely
- I832: Apache Tomcat: Client-cert Authentication
- I833: Apache Tomcat: Disable auto deployment
- I834: Apache Tomcat: Configuring connectionTimeout
- I835: Apache Tomcat: Configuring maxHttpHeaderSize
- I836: Apache Tomcat: Forcing TLS for all applications
- I837: Apache Tomcat: Disabling enableLookups
- I838: Apache Tomcat: Restricting access to the web administration
- I839: Apache Tomcat: Disallowing additional path delimiters
- I840: Apache Tomcat: Disallowing custom header status messages
- I841: Apache Tomcat: How to disable the Shutdown Port - In-depth controls
- I846: Apache Tomcat: Secure TLS/SSL configuration
- I847: Apache Tomcat: Secure logging configuration
- I848: Apache Tomcat: Secure logging configuration - In-depth controls
- I850: Apache Tomcat: How to limit Tomcat from advertising server platform information - In-depth controls
- I851: Apache Tomcat: Protecting manager application

4.12

New features and improvements:

See how your projects comply with risk policies in your organization with Risk Roll-Up Reporting. View summaries and reports of your compliant and non-compliant applications and projects to help you focus on the tasks that are important to your organization.
SAML Deep Linking. We have improved your experience when logged in through SAML, and have made URL linking more reliable.

Content additions and updates:

Added Problems
- P943: Insufficient User Consent
- P1013: Insufficient Visual Distinction of Homoglyphs Presented to User
Updated Problems
- P719: JSON Hijacking (Updated the text)
Added Tasks
- T900: Seek user consent before updating your application or installing other software in the background
- T901: Verify that you follow CASL requirements about seeking user consent
- T1038: Make homoglyphs distinguishable when showing them to users
- T1039: Test that homoglyphs are distinguishable in the application's output
Updated Tasks
- T45: Log potential critical security events (A note was added about logging deserialization failures and exceptions)
- T166: Protect against JSON hijacking (Updated the title and the text)
- T177: Allow users to review and update their personal data (updated text)
- T178: Obtain consent from users prior to collecting Personal Data (where applicable) (Changed the text and title)
- T195: Design lawful procedures to acquire and withdraw consent for processing personal data (where applicable) (updated text and title)
- T219: Avoid transmitting confidential data through URL parameters (Added a note about track IDs. Minor text updates)
- T286: Make sure username rules are consistent among registration system, authentication system, and application (Change to text. Added more clarification)
- T313: Identify and classify categories of personal data (Updated the text and title)
- T418: Enable sanitization module for AngularJS HTML user input (title changed, text revised)
- T421: Verify that input used with trustAs functions of AngularJS's SCE are sanitized (title changed, text revised)
- T484: Lock the memory of RFID tags (title changed, text revised)
- T604: Implement a consent withdrawal mechanism (Changed the text and title)
- T605: Verify if consent is obtained prior to Personal Data collection (where applicable) (Changed the text and title)
- T607: Develop automated tools/settings for destroying Personal Data when it is no longer needed (Changed the text and title)
- T734: Test if PayPal Instant Payment Notification handlers are secure (title changed, text revised)
- T735: Verify Personal Data is removed when it is no longer needed (Changed the text and title)
- T738: Determine the legal basis for transferring personal data and ensuring GDPR compliance (Changed the text and title)
- T739: Verify if transferring Personal Data is legitimate and in compliance with GDPR (Changed the text and title)
- T740: Provide users with the information about their Personal Data (Changed the text and title)
- T741: Verify if users can access information about their Personal Data (Changed the text and title)
- T742: Implement technical measures to ensure the accuracy of Personal Data (Changed the text and title)
- T743: Verify accuracy of Personal Data (Changed the text and title)
- T744: Protect pseudonymized personal data (Changed the text and title)
- T745: Verify if pseudonymized personal data is protected (Changed the text and title)
- T750: Minimize Personal Data collection and processing to the specified purpose (Changed the text and title)
- T751: Provide individuals with privacy NOTICE (Changed the text and title)
- T752: Verify if privacy NOTICE is provided to users (Changed the text and title)
- T753: Verify whether Personal Data collected only for the specified purposes (Changed the text and title)
- T754: Enable the restriction of processing Personal Data of an individual for a specific purpose (Changed the text and title)
- T755: Maintain the record of Data Processing Register (Changed the text and title)
- T756: Verify if personal data processing activities are recorded and maintained (Changed the text and title)
- T757: Verify if Personal Data processing stops when user objects to it (Changed the text and title)
- T848: Verify that goroutines are not run on closures that are bound to loop iterator variables by mistake (title changed, text revised.)
Added Task Amendments
- TA828: Follow CASL requirements for installing/updating software
- TA829: Verify that you follow CASL requirements for installing/updating software
Updated Task Amendments
- TA749: Preventing JSON Hijacking in AngularJS (Updated the text)
- TA776: GDPR conditions for data erasure (updated text and title)
- TA777: GDPR: Data classification and labeling feature in database design (updated text and title)
- TA778: GDPR: Special categories of personal data (updated text and title)
- TA779: GDPR: Circumstances of Personal Data transfer (updated text and title)
- TA780: GDPR: Incident Reporting (updated text and title)
- TA781: GDPR: Profiling techniques (updated text)
- TA784: GDPR: Data portability (updated text)
- TA787: GDPR: Right of access (updated text)
- TA815: GDPR: Protection of children's personal information (updated text)
Added HowTo's
- I741: Java EE: Securing Session Cookie
- I742: ASP.NET Core / C#: Password Requirements Configuration
- I743: ASP.NET Core / C#: New account's email address confirmation
- I744: ASP.NET Core / C#: Account lockout
- I745: ASP.NET Core / C#: Disable "Remember Me" functionality
- I746: ASP.NET Core / C#: Sending cookies over HTTPS
- I747: ASP.NET Core / C#: Session expiration on logout
- I748: ASP.NET Core / C#: Absolute session timeout
- I749: ASP.NET Core / C#: Storing session information on the server
- I750: ASP.NET Core / C#: Setting HttpOnly Flag
- I751: ASP.NET Core / C#: Anti-CSRF Tokens
- I752: ASP.NET Core / C#: Authorize non-public pages
- I753: ASP.NET Core / C#: Directory Traversal
- I754: ASP.NET Core / C#: Enabling HTTPS
- I755: ASP.NET Core / C#: Enabling HSTS
- I756: ASP.NET Core / C#: Sending cookies over HTTPS
- I757: ASP.NET Core / C#: Validation Attributes
- I758: ASP.NET Core / C#: Character encoding
- I759: ASP.NET Core / C#: Escaping XML characters
- I760: ASP.NET Core / C#: Parameterize SQL Queries
- I761: ASP.NET Core / C#: Generic login failure messages
- I762: ASP.NET Core / C#: Generic forget password request messages
- I763: ASP.NET Core / C#: Generic Default Error Page
- I764: ASP.NET Core / C#: Setting X-Frame Options
- I765: ASP.NET Core / C#: Choosing cryptographic algorithms
- I766: ASP.NET Core / C#: Data Encryption
- I767: ASP.NET Core / C#: Protecting Purpose Strings
- I768: ASP.NET Core / C#: Protecting Ephemeral Data
- I769: ASP.NET Core / C#: Setting Key Lifetime
- I770: ASP.NET Core / C#: Revoking Keys and Refreshing the Keyring
- I771: ASP.NET Core / C#: Secret Manager for Development Environments
- I772: ASP.NET Core / C#: Accessing Application Secrets from Secret Manager
- I773: ASP.NET Core / C#: Use Environment Variables for Production Environments
- I774: ASP.NET Core / C#: Limiting Response Caching
- I775: ASP.NET Core / C#: String Hashing
- I776: Java EE: Enforcing Minimum Password Requirements
- I777: Java EE: Using Non-revealing Authentication Error Messages
- I778: Java EE: Implementing Role-Based Access Control
- I779: Java EE: Implementing Centralized Access Control Using Request Filters
- I842: Preventing cross site request forgery using CSRFGuard library
- I843: Java EE: Validating Inputs
- I844: Java EE: Encoding Output Using OWASP Java Encoder
- I845: Java EE: Sanitizing Output Using OWASP Java HTML Sanitizer

Changes to Project Properties and Profiles
- Added "A1185: ASP.NET Core Web Application Framework"
- Added "A1186: Installs other applications on the user's device or gets updated in the background" under "Q214: Miscellaneous".

Updated T186, w/ latest security patch level for third party libraries
- Django
- Spring
- Apache Tomcat
- GnuTLS
- OpenSSL
- Java
- Bouncy Castle
- Unix/Linux Bash
- AFNetworking Library
- Node.js
- AngularJS/Angular

4.11

New features and improvements:

Global Reports has been redesigned for greater performance and stability.
Test your ALM connections without having to perform a sync.
Upgraded our web application framework (Django) to latest long term release.
Sped up the tasks endpoint when training information is included.
Sped up saving Profiles that contain numerous answers.

Content additions and updates:

Compliance Regulations and Mappings
- Added new GLBA mappings to SDE tasks. Revised the old mappings and renamed the following sections:
```
- 501 (b)(2) Unauthorized Access to 501 (b)(3) Unauthorized Access
- 502 (b) Opt-Opt Right to 502 (b) Opt-out Right
```
Updated Tasks
- T28: Avoid "Remember Me" features (Change of text and matching conditions)
- T50: Use indirect object reference maps if accessing files (changed the match conditions by replacing "A41: Yes" with "A718: The application is a generic server application".)
- T66: Prevent web pages from being loaded inside iFrame (Change of text and title).
- T95: Test for the absence of "Remember Me" features (revised text and title.)
- T106: Test that site is not vulnerable to direct object access attacks (changed the match conditions by replacing "A41: Yes" with "A718: The application is a generic server application".)
- T119: Test for clickjacking (Change of text).
- T171 Follow spam-free guidelines for sending solicitation emails (Change of text)
- T237 Test that solicitation emails follow spam free guidelines (Change of text)
- T243: Check the authenticity and integrity of received SOAP messages (updated text)
- T370: Follow best practices for using third-party and commercial off the shelf components (updated text and added recommendations for open source software)
- T371: Provide unified and manageable interfaces for security settings and configuration parameters (revised text and title.)
- T456: Disable unnecessary services and modules (Updated text to include application modules. Minor title change. Changed phase from Requirements to Deployment.)
- T536: Restrict the size of incoming messages in services (Change of text and title)
- T537: Perform load testing for services (Change of text and title)
- T560: Sanitize any HTML input passed to dangerouslySetInnerHTML attribute (updated text)
- T613: Mitigating DDoS attacks with NGINX (Changed phase from Requirements to Deployment.)
- T620: Use SSL/TLS offloading, encryption and certificates with NGINX (Changed phase from Requirements to Deployment.)
- T680: Do not create IAM policies that allow full "*:*" administrative privileges (AWS) (Updated the text.)
- T686: Create log metrics and alarms (AWS) (Updated the text.)
- T697: Test that "root" account is not used (AWS) (Updated the text.)
- T714: Test if any IAM policy exists that allow full "*:*" administrative privileges (AWS) (Updated the text.)
- T720: Test that log metrics and alarms are created (AWS) (Updated the text.)
- T722: Test security group requirements (AWS) (Updated the text.)
- T731: Create log metrics and alarms (2) (AWS) (Updated the text.)
- T732: Test that log metrics and alarms are created (2) (AWS) (Updated the text.)
- T770: Configure S3 buckets correctly (AWS) (Updated the text.)
- T798: Don't use the default VPC (AWS) (Changed the text.)
- T803: Test if S3 buckets are configured correctly (AWS) (Updated the text.)
- T831: Test that Don't use the default VPC (AWS) (Changed the title to "Verify that the default VPC is not used (AWS)")

Added Tasks
- T855: Do not reveal sensitive personnel information through WHOIS Domain information
- T856: Do not install a multi-use system
- T857: Test that no other service is installed on your web server
- T858: Use the vendor supplied version of binaries
- T859: Minimize Apache HTTP Server modules
- T860: Test that unnecessary Apache HTTP Server modules are disabled
- T861: Set up a non-root user account for running the Apache Web server
- T862: Test that the web server user account is set up correctly
- T863: Secure Apache directories and files
- T864: Test that Apache directories and files are secure
- T865: Secure Apache access control
- T866: Verify Apache access control
- T867: Restrict Apache options and disable default content
- T868: Verify that Apache options are restricted and the default content is removed
- T869: Limit Apache HTTP methods and versions
- T870: Verify that Apache HTTP methods and versions are limited
- T871: Log Apache errors and access
- T872: Verify Apache logging
- T873: Apply applicable patches
- T874: Verify that all applicable patches are applied
- T875: Secure Apache SSL/TLS
- T876: Verify Apache SSL/TLS configuration
- T877: Limit information exposed by Apache
- T878: Verify that information exposed by Apache is restricted
- T879: Protect Apache against DoS attacks
- T880: Verify that Apache is protected against DoS attacks
- T882: Restrict Apache options and disable default content (2)
- T883: Verify that Apache options are restricted and the default content is removed (2)
- T884: Log Apache errors and access (2)
- T885: Verify Apache logging (2)
- T886: Secure Apache SSL/TLS (2)
- T887: Verify Apache SSL/TLS configuration (2)
- T888: Limit information exposed by Apache (2)
- T889: Verify that information exposed by Apache is restricted (2)
- T890: Limit the size of Apache's request parameters
- T891: Verify the size of Apache's request parameters
- T892: Configure SELinux to restrict Apache processes
- T893: Configure AppArmor to restrict Apache processes
- T894: Verify that SELinux is configured to restrict Apache processes
- T895: Verify that AppArmor is configured to restrict Apache processes
- T896: Design a secure architecture for AWS deployment
- T897: Test if the unmanaged code is used securely
- T898: Create bastion hosts for administrative access to the resources (AWS)
- T899: Test that bastion hosts are created for administrative access to the resources (AWS)

Added Task Amendments
- TA825: Test if illegal syscalls exist in an Android O application

Updated Problems
- P228: Use of Insufficiently Random Values (changed the match conditions by replacing "A720: Uses server-provided session management" with "A37: Yes")
  - P610: Improper Neutralization of Special Elements used in a Command ('Command Injection') (removed "A723: Needs elevated execution privileges" from its match conditions)
  - P755: Lack of control over third-party hardware or software components (updated title and text to include software components)
  - P782: Running with Excessive Functionalities and Capabilities (Updated text to include application modules. Changed the rules to broaden the scope to all generic servers.)
Added Problems
- P940: Internal Employee Information Exposure
- P941: Not using vendor supplied binaries
- P942: Lack of Security Architecture

Updated HowTo’s
- I76: JavaScript frame busting (Change of title)
- I106: ASP.NET / C#: Frame busting through JavaScript and use of headers (Change of title)
- I246: Rails: Frame busting through JavaScript and use of headers (Change of title)
- I286: Apache: Setting headers to prevent clickjacking (Change of title)
- I448: Node.js: Setting X-Frame-Options(Change of title)
- I530: How to use dangerouslySetInnerHTML in React (updated text)
- I552: Django: Prevent clickjacking using headers (Change of title)
- I609: How to delete IAM policies that allow full administrative privileges (AWS) (Updated the text.)
- I615: How to create log metrics and alarms (AWS) (Updated the text.)
- I626: How to create log metrics and alarms (2) (AWS) (Updated the text.)
- I633: How to configure S3 buckets correctly (AWS) (Updated the text.)
- I696: Go: http.Handler Wrapper for error handling (Updated title.)
- I697: Go: SHA-256 Checksum
- I715: Go: Prevent clickjacking using headers (Change of title)

Added HowTo’s
- I718: Red Hat: Disabling a service
- I719: Red Hat: Installing Apache HTTP Server
- I721: How to minimize Apache HTTP Server modules
- I722: How to set up a non-root user account for running the Apache Web server
- I723: How to secure Apache directories and files
- I724: How to secure Apache access control
- I725: How to restrict Apache options and disable default content
- I726: How to limit Apache HTTP methods and versions
- I727: How to log Apache errors and access
- I728: How to apply Apache patches
- I729: How to secure Apache SSL/TLS
- I730: How to limit information exposed by Apache
- I731: How to protect Apache against DoS attacks
- I732: How to restrict Apache options and disable default content (2)
- I733: How to log Apache errors and access (2)
- I734: How to secure Apache SSL/TLS (2)
- I735: How to limit information exposed by Apache (2)
- I736: How to limit the size of Apache's request parameters
- I737: How to configure SELinux to restrict Apache processes
- I738: How to configure AppArmor to restrict Apache processes
- I739: Disable unwanted NGINX modules
- I740: Java with Jasypt: Protect passwords in property and configuration files

Updated T186, with latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- Node.js
- AngularJS/Angular
Updated following code scanner mappings
- AppScan
- Checkmarx
- Fortify
- Veracode
- WebInspect
- WhiteHat
Changes to Project Properties and Profiles
- Changed the title and added description to "Q106: OWASP Development Tool Used"
- Deactivated "Q107: Is Multi-Tiered" and removed multi-tiered answer from content.
- Changed title of "Q127:Authorizes Subjects" from "Authorizes Users" and added new description.
- Deactivated "Q128: Serves Files That Should Not Be Publicly Viewable"
  - Changed title of "Q144 :Other Open Source Libraries Used".
- Moved "Q258: Architecture/Environment" down the list in "Application General" after "Context and Characteristics".
  - Removed "Q234:Handles Sensitive Personal Data" and its answers
- Added "Q299: General" under "Deployment" Section.
- Moved "Q296: Assurance Level" from "Q289: Cloud Computing" to "Q299: General".
- Changed title of "Q152: Library Used for Cryptography"
- Added "Q301: Mandatory Access Control (MAC)" under "Q294: Platform".
  - Changed title of "A9:Runs OS Commands" from 'Interacts with the OS' and added "A8:standalone applications" and "A1077:firmware, embedded, or hardware solution" to its matching conditions.
  - Deactivated "A70:Requires "Remember Me" Functionality: Yes" and T28 text is changed as a result.
  - Added "A8:standalone applications" and "A1077:firmware, embedded, or hardware solution" to the matching conditions of "A714:iOS"
  - Added "A8:standalone applications" and "A1077:firmware, embedded, or hardware solution" to the matching conditions of "A715:Android"
  - Changed description and matching conditions of "A754:Provides web services or external APIs"
  - Changed description and matching conditions of "A1062:Authentication Method: Uses API tokens"
  - Changed title and description of "A1077. Firmware, embedded, or hardware solution"
  - Changed matching conditions and mappings of "A1084. Uses third-party or COTS components"
  - Changed the title of "A1103.:This is the core component of a multi-component IoT system" and added "IoT" to it. Changed the implications and revised its matching conditions. Replaced this answer in P786, T433, T470, T471, T475, T476, T479.
  - Changed the title of "A1138. Has a local area network between IoT devices in scope from 'local network', Moved to "Architecture/Environment->Architecture"
  - Moved "A1142: Contains multiple components that communicate through a network" to "Architecture/Environment->Architecture"
  - Added "A8.Stand-alone application" to matching conditions of "A1079:Includes a web application component"
  - Removed "A1145:This is a mainframe application" from children of "A8:Stand-alone application"
  - Removed "A760:Is a financial application handling sensitive data" and moved its children to "A759:This is a financial application"
  - Replaced "A760:Is a financial application handling sensitive data" with "A759:This is a financial application" under matching conditions of T9,T83,T396,T397,T401,T402,P757,P766
  - Removed "A123.Internal users only" answer and removed it from matching conditions of T194,P732,I488,I489
  - Removed "A68:Requires support for session rewriting" answer and removed it from matching conditions of P702
  - Removed "A717:The application is a generic client application" from matching condition of "A35:Generates temporary files"
  - Changed the title of "A94:Uses iFrames " and moved it under "Q191:Web Client Technologies Used" question
  - Removed "A161:Organization is Publicly Traded: Yes".
  - Added "A1075:This is an ICS" to the matching conditions of "A1100:ISA/IEC 62443-3-3","A1101:ISA/IEC 62443-4-2","A1116:This is an ICS: Yes".
  - Removed "A776:Handles Sensitive Personal Information".
- Removed "A774: Handles Sensitive Personal Information:Yes".
- Removed "A728:The application handles confidential or sensitive data" and removed it from matching conditions of P96,P731.
- Removed "A748:CAN-SPAM Act" and "A749:Bill C-28" and moved their titles to the description of "A752:Advertisement or other solicitation emails".
  - Added "A1180: SELinux" under Q301.
  - Added "A1181: AppArmor" under Q301.
  - Updated "A1062: Uses API tokens" .Changed "Uses API Tokens" to "Generates API tokens".
  - Changed title of "A790: Windows (Microsoft C/C++)"
  - Removed "A718: The application is a generic server application" from match conditions of "A43: Has change existing password function"
  - Removed "A718: The application is a generic server application" from match conditions of "A182: Has forgot password function"
  - Removed "A718: The application is a generic server application" from match conditions of "A184: Auto-generates passwords for new users"
  - Deactivated "A41: Server Files That Should Not Be Publicly Viewable:Yes"
  - Removed "A41: Server Files That Should Not Be Publicly Viewable:Yes" from match conditions of "A754: Provides web services or external APIs"
  - Removed "A41: Server Files That Should Not Be Publicly Viewable:Yes" from children of "A4: Web application"
  - Removed "A41: Server Files That Should Not Be Publicly Viewable:Yes" from children of "A1080: The application is a generic web application."
  - Deactivated "A720: Uses server-provided session management"
  - Removed "A720: Uses server-provided session management" from children of "A37: Has Session Management: Yes".
  - Removed "A720: Uses server-provided session management" from children of "A4: Web application"
  - Removed "A720: Uses server-provided session management" from children of "A1080: The application is a generic web application."
  - Deactivated "A723: Needs elevated execution privileges"
  - Removed "A723: Needs elevated execution privileges" from match conditions of "A9: Runs OS commands".
  - Added "A717: The application is a generic client application" to match conditions of "A9: Runs OS commands".
  - Changed title and description of "A58: ESAPI"
  - Changed title of "A92: Jasypt"
  - Added "A1184: AppSensor”

4.10

New features and improvements:

Track task status changes in Jira and Rally. You can now see a history of task changes that includes when the status changed, how the status changed, and who changed the status.
Add tasks that are not rules-based to projects. You can now add tasks from the Task library to your project even if the rules don't match.
Create dynamic links to SDE content using metadata placeholders. You can now refer to SDE content in your own business systems by creating contextual links with placeholders so you don't have to create them manually.
Hide sections of the project survey that are not relevant to you as you complete it. You can now see sections toggle off as you fill out the survey so that only sections and questions that matter to your project are seen.
Preserve your tasks when you add new mandatory questions to your project survey. Your task list will no longer reset to empty when adding mandatory questions.

Content additions and updates:

Updated Tasks
- T148: Avoid caching confidential data on client (Merged "T188: Avoid storing cached confidential data in flash memory" to T148.)
- T179: Allow access for users to remove their data from the system (Tied to P815 instead of P257.)
- T188: Avoid storing cached confidential data in flash memory (Merged T188 to T148. Deactivated T188.)
- T240: Test that users can remove their data from the system (Tied to P815 instead of P257.)
- T306: Verify that confidential data is not cached on client (Merged "T307: Verify that confidential data is not cached in flash memory" to T306.)
- T307: Verify that confidential data is not cached in flash memory (Merged to T306. Deactivated T307.)
- T340: Use an account and identity management system (Added a few steps.)
- T370: Follow best practices for using third-party and commercial off the shelf components (Added a few steps.)
- T560: Sanitize any HTML input passed to dangerouslySetInnerHTML attribute (Updated text to mention possible injection through props.)
- T677: Lack of registered security contact information (AWS) (Changed the title to "Register security contact information (AWS)".)
Added Tasks
- T847: Be careful about using goroutines on closures bound to loop iterator variable
- T848: Verify that goroutines are not run over closures that are bound to loop iterator variables by mistake
- T849: Yield more often inside all goroutines
- T850: Verify that all goroutines yield execution
- T851: Synchronize goroutines properly using channels
- T852: Verify that goroutines are synchronized correctly
- T853: Prevent tapjacking and UI misrepresentation in Android
- T854: Verify that tapjacking and UI misrepresentation are prevented in Android
Added Task Amendments
- TA817: iOS - File Provider
- TA818: Go: Error and Exception Handling
- TA819: Go: Reject invalid certificates
- TA820: iOS - File Provider
- TA824: Discover and remove illegal syscalls in Android O
Updated Problems
- P411: Information leak through client-side caching (Merged "P729: Temporary storage of confidential data in flash memory" to P411. Title and text updated.)
- P729: Temporary storage of confidential data in flash memory (Merged P729 to "P411: Information leak through client-side caching". Deactivated P729.)
Added Problems
- P341: Tapjacking and UI Misrepresentation in Android
- P937: Using Goroutines on Closures Bound to Loop Iterator Variables
- P938: Non-preemptive Goroutines
- P939: Improper Synchronization Between Goroutines
Updated HowTo’s
- I1: Java with Jasypt (Updated code sample and imported libraries.)
- I2: Java with Jasypt and Bouncy Castle (Updated code sample and imported libraries.)
- I3: Java (Updated code sample and imported libraries.)
- I9: Java EE (Updated code sample and imported libraries.)
- I10: Java EE (Updated code sample and imported libraries.)
- I24: Java EE (Updated code sample and imported libraries.)
- I25: Java EE, Servlet Spec 2.1+ (Updated code sample and imported libraries.)
- I26: Java EE, Servlet Spec older than version 2.1 (Updated code sample and imported libraries.)
- I27: Java EE, Servlet Spec 2.3+ (Updated code sample and imported libraries)
- I33: Java EE with ESAPI: Perform input validation on all forms of input (changed the text.)
- I37: Java with Jasypt (Updated code sample and imported libraries.)
- I43: Java EE with Tag Libraries (Updated code sample and imported libraries.)
- I44: Java EE with ESAPI: Escape untrusted data (Updated code sample and imported libraries.)
- I49: Java EE with Spring MVC: Escape untrusted data (Changed the text.)
- I57: Java EE with ESAPI: Use Lightweight Directory Access Protocol (LDAP) encoding (Updated code sample and imported libraries.)
- I60: Java EE (update of code sample and imported libraries)
- I63: Java EE with AppSensor (Updated code sample and imported libraries.)
- I65: Java EE with ESAPI: HTML entity encode validation error messages (Changed the text.)
- I66: Java EE with ESAPI: Use indirect object reference maps if accessing files (Updated code sample and imported libraries.)
- I68: Java with ESAPI and Jasypt: Use standard libraries for encryption (Updated code sample and imported libraries.)
- I69: Java EE with Jasypt, Bouncy Castle, and Spring IOC (Updated code sample and imported libraries.)
- I70: Java with ESAPI: Protect passwords in property and configuration files (Updated code sample and imported libraries.)
- I269: Using encrypted channels in Android (Changed the text.)
- I318: Android - Camera Images (Move to T148.)
- I512: iOS - Temporary Camera Files (Objective-C) (Move to T148.)
- I536: iOS - Temporary Camera Files (Swift) (Move to T148.)
- I551: Django XSS Protection (Changed the title to "Django: Escaping HTML" and moved X-XSS-Protection header related content to I712.)
- I552: Django: Frame busting (Changed the title to "Django: Prevent frame busting".)
- I592: How-To for T663 (AWS) (Changed the title to "How to avoid the use of the "root" account (AWS)")
- I593: How-To for T664 (AWS) (Changed the title to "How to enable multi-factor authentication (MFA) for all IAM users that have a console password (AWS)")
- I594: How-To for T665 (AWS) (Changed the title to "How to disable credentials unused for 90 days or greater (AWS)")
- I595: How-To for T666 (AWS) (Changed the title to "How to rotate access keys every 90 days or less (AWS)")
- I596: How-To for T667 (AWS) (Changed the title to "How to apply minimum IAM password policy requirements (AWS)")
- I600: How-To for T671 (AWS) (Changed the title to "How to enable MFA for the "root" account (AWS)")
- I601: How-To for T672 (AWS) (Changed the title to "How to register security questions in the AWS account (AWS)")
- I602: How-To for T673 (AWS) (Changed the title to "How to attach IAM policies only to groups or roles (AWS)")
- I603: How-To for T674 (AWS) (Changed the title to "How to enable Detailed Billing (AWS)")
- I604: How-To for T675 (AWS) (Changed the title to "How to activate IAM Master and IAM Manager roles (AWS)")
- I605: How-To for T676 (AWS) (Changed the title to "How to maintain current contact details (AWS)")
- I606: How-To for T677 (AWS) (Changed the title to "How to register security contact information (AWS)")
- I607: How-To for T678 (AWS) (Changed the title to "How to create a support role to manage incidents with AWS Support (AWS)")
- I608: How-To for T679 (AWS) (Changed the title to "How to do delete access keys that are created during initial IAM user setup (AWS)")
- I609: How-To for T680 (AWS) (Changed the title to "How to delete IAM policies that allow full administrative privileges (AWS)")
- I610: How-To for T681 (AWS) (Changed the title to "How to enable CloudTrail in all regions (AWS)")
- I611: How-To for T682 (AWS) (Changed the title to "How to make S3 bucket CloudTrail logs publicly inaccessible (AWS)")
- I612: How-To for T683 (AWS) (Changed the title to "How to integrate CloudTrail logs with CloudWatch Logs for real-time analysis (AWS)")
- I613: How-To for T684 (AWS) (Changed the title to "How to enable AWS Config in all regions (AWS)")
- I614: How-To for T685 (AWS) (Changed the title to "How to enable S3 bucket access logging on the CloudTrail S3 bucket (AWS)")
- I615: How-To for T686 (AWS) (Changed the title to "How to create log metrics and alarms (AWS)")
- I616: How-To for T687 (AWS) (Changed the title to "How to review the appropriateness of subscribers to each SNS topic (AWS)")
- I617: How-To for T688 (AWS) (Changed the title to "How to apply security group requirements (AWS)")
- I618: How-To for T689 (AWS) (Changed the title to "How to enable hardware Multi Factor Authentication (MFA) for the "root" account (AWS)")
- I619: How-To for T690 (AWS) (Changed the title to "How to use IAM instance roles for resource access from instances (AWS)")
- I620: How-To for T691 (AWS) (Changed the title to "How to enable CloudTrail log file validation (AWS)")
- I621: How-To for T692 (AWS) (Changed the title to "How to encrypt CloudTrail logs at rest using KMS CMKs (AWS)")
- I622: How-To for T693 (AWS) (Changed the title to "How to enable rotation for customer created CMKs (AWS)")
- I626: How-To for T731 (AWS) (Changed the title to "How to create log metrics and alarms (2) (AWS)")
- I623: How-To for T694 (AWS) (Changed the title to "How to enable VPC flow logging in all VPCs (AWS)")
- I624: How-To for T695 (AWS) (Changed the title to "How to restrict all traffic in the default security group of every VPC (AWS)")
- I625: How-To for T696 (AWS) (Changed the title to "How to change routing tables for VPC peering to "least access" (AWS)")
- I629: How-To for T766 (AWS) (Changed the title to "How to configure the relational database service correctly (AWS)")
- I630: How-To for T767 (AWS) (Changed the title to "How to encrypt the sensitive Elastic Block Storage volumes (AWS)")
- I631: How-To for T768 (AWS) (Changed the title to "How to remove public launch permissions from Amazon Machine Images (AWS)")
- I632: How-To for T769 (AWS) (Changed the title to "How to configure Web- and App-tier ELB correctly (AWS)")
- I633: How-To for T770 (AWS) (Changed the title to "How to configure S3 buckets correctly (AWS)")
- I634: How-To for T771 (AWS) (Changed the title to "How to create IAM roles and policies correctly for Amazon EC2 (AWS)")
- I635: How-To for T772 (AWS) (Changed the title to "How to configure Auto Scaling Group Launch correctly (AWS)")
- I636: How-To for T773 (AWS) (Changed the title to "How to create separate IAM groups and policies for administration (AWS)")
- I637: How-To for T774 (AWS) (Changed the title to "How to not allow everyone to publish/subscribe to SNS topics (AWS)")
- I638: How-To for T775 (AWS) (Changed the title to "How to associate an Elastic Load Balancer to each sensitive Auto Scaling Group (AWS)")
- I639: How-To for T776 (AWS) (Changed the title to "How to ensure each Auto Scaling Group is configured for multiple Availability Zones (AWS)")
- I640: How-To for T777 (AWS) (Changed the title to "How to use an approved Amazon Machine Image in Auto Scaling Launch Configuration (AWS)")
- I641: How-To for T778 (AWS) (Changed the title to "How to ensure required SNS topics are created (AWS)")
- I642: How-To for T779 (AWS) (Changed the title to "How to ensure Billing Alerts are enabled for increments of X spend (AWS)")
- I643: How-To for T780 (AWS) (Changed the title to "How to enable AWS Elastic Load Balancer logging (AWS)")
- I644: How-To for T781 (AWS) (Changed the title to "How to enable AWS CloudFront Logging (AWS)")
- I645: How-To for T782 (AWS) (Changed the title to "How to create CloudWatch Log Groups (AWS)")
- I646: How-To for T783 (AWS) (Changed the title to "How to install an agent for AWS CloudWatch Logs within required Auto-Scaling Groups (AWS)")
- I647: How-To for T784 (AWS) (Changed the title to "How to create required AWS Managed Config Rules (AWS)")
- I648: How-To for T785 (AWS) (Changed the title to "How to use CloudFront Content Distribution Network (AWS)")
- I649: How-To for T786 (AWS) (Changed the title to "How to create required subnets (AWS)")
- I650: How-To for T787 (AWS) (Changed the title to "How to create NAT gateways (AWS)")
- I652: How-To for T789 (AWS) (Changed the title to "How to create and configure ELB Security Groups (AWS)")
- I653: How-To for T790 (AWS) (Changed the title to "How to create and configure Security Groups (AWS)")
- I654: How-To for T791 (AWS) (Changed the title to "How to remove redundant Elastic / Public IP addresses (AWS)")
- I655: How-To for T792 (AWS) (Changed the title to "How to create required Customer Master Keys (AWS)")
- I657: How-To for T794 (AWS) (Changed the title to "How to extend all public Web-tier SSL/TLS certificates if required (AWS)")
- I658: How-To for T795 (AWS) (Changed the title to "How to configure CloudFront correctly (AWS)")
- I659: How-To for T796 (AWS) (Changed the title to "How to configure DNS for Root Domain (AWS)")
- I660: How-To for T797 (AWS) (Changed the title to "How to make all RDS Databases private (AWS)")
- I661: How-To for T798 (AWS) (Changed the title to "How to change the default VPC (AWS)")
- I664: How-To for T832 (AWS) (Changed the title to "How to configure Web and App -tier ELB correctly (2) (AWS)")
Added HowTo’s
- I692: Go: Packages For Handling User Input Strings
- I693: Go: User Input Sanitization
- I694: Go: Escaping HTML
- I695: Go: Parameterized SQL
- I696: Go: Generic Error Page
- I697: Go: MD5 Checksum
- I698: Go: AES Encryption
- I699: Go: Cache-Control
- I700: Go: TLS
- I701: Go: HTTP Strict Transport Security (HSTS) headers
- I703: Go: Character encoding
- I704: Go: Validate HTTP Origin
- I705: Go: Restrict HTTP methods
- I706: Go: Password Hashing
- I707: Go: Session ID Creation Using JWT
- I708: Go: Clear Session Cookie on Logout
- I709: Android: Bind parameters to content provider query
- I711: Go: Synchronizing Goroutines
- I712: Django: XSS Protection
- I713: Go: XSS Protection
- I714: Go: Prevent MIME sniffing
- I715: Go: Prevent frame busting
- I716: Go: Always release resources after use
- I720: Go: Detect file MIME type and decide accordingly
Updated T186 with the latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Java
- Unix/Linux Bash
- Node.js
Changes to Project Properties and Profiles
- Moved "Q296: Assurance Level" from "Q289: Cloud Computing " to "Q299: General".
- Added "Q298: AWS Services".
- Added "Q299: General" under "Deployment" Section.
- Added "A1164: Go"
- Added "A1165: RDS".
- Added "A1166: EBS".
- Added "A1167: AMI".
- Added "A1168: ELB".
- Added "A1169: S3".
- Added "A1170: IAM".
- Added "A1171: EC2".
- Added "A1172: Auto Scaling".
- Added "A1173: SNS".
- Added "A1174: CloudWatch".
- Added "A1175: CloudFront".
- Added "A1176: Config".
- Added "A1177: VPC".
- Added "A1178: KMS".
- Added "A1179: Route53".

4.9

New features and improvements:

Tags can be added to Applications. These tags are included (read-only) when interacting with a project as well, within the web-application and via the API. These tags can be used for searching.
Links to the Security Compass training modules associated with a task are now synced to ALMs along with other task data (like How-Tos). This requires a license of Security Compass Training.
Additional macros can be used when syncing tasks to ALMs: application_id, applicationt_slug, applicationt_custom_attr_*, business_unit_id, business_unit_slug, project_id, project_slug.
Custom Attributes on Applications and Projects can be searched on the application and project list pages. (They are also accessible via the API.)
The "Any of the following tasks are added to a project" notification toggle has been fixed so that users can once again select the tasks they are interested in monitoring.
FYI: Internet Explorer 9 & 10 are no longer being actively tested and should be considered unsupported.

Content additions and updates:

Compliance Regulations:
- Added a new Agile GDPR report (contains GDPR user stories, tags, and relevant mandates)
Updated Tasks
- T49: Disable and remove debug capabilities and code/data, and prepare application for release (changed title and text. More emphasis on preparing release)
- T63: Disable auto-complete for confidential fields (Added MC for web)
- T105: Verify that your application does not have unnecessary debug capability or leftover test/debug code (Updated the title and change the text.)
- T111: Test that your application turns off auto-complete for confidential data fields (Added MC for web)
- T294: Verify that client application does not have unnecessary debug capability or leftover test/debug code (Removed it and merged the content with T105.)
- T322: Include HTTP Strict-Transport-Security headers in HTTPS responses (Added preload directive. Restructured the text.)
- T324: Follow best security practices when using WKWebView (iOS) (Replaced UIWebView with WKWebView. Added SFSafariViewController suggestion.)
- T331: Enforce policies through content security policy (CSP) headers (Moved X-Xss-Protection from T36 to T331.)
- T441: Ask for Android permissions at runtime (Added notes on runtime permission granting changes in Android O and a previous bug)
- T607: Develop procedures for destroying personal data when it is no longer needed (title changed, text revised.)
- T612: Detect rooted devices and assess the runtime environment with the aid of SafetyNet Attestation API (Change of title and text)
- T615: Check your mobile application's integrity and installation source (Change of text and title, added integrity checking)
- T617: Do not rely on APN for delivering critical notifications (title changed, text revised.)
- T618: Check for iOS app notification settings changes after initial configuration (title changed, text revised.)
- T656: Test that your Android application checks for rooted devices and security/compatibility of the environment (Change of text, added debuggale, being rooted and running in emulator)
- T657: Test that your mobile application checks its integrity and installation source (Change of text and title, added integrity checking)
Added Tasks
- T837: Adhere to HTTP DNT header
- T838: Test if your application adheres to HTTP DNT header
- T839: Follow best practices for securely using Android autofill framework
- T840: Test that autofill framework is securely used
- T841: Validate iOS Drag and Drop at source and destination
- T842: Verify that iOS Drag and Drop validates data at source and destination
Updated Task Amendments
- TA281: Android preparation for release and final APK (Added notes on publishing the app and changes in Android O)
- TA771: Test the release version of Android application for debug and test leftovers (Moved it from T294 to T105.)
- TA773: Delete temporary files containing sensitive information from the mainframe (Moved it from T294 to T105.)
Added Task Amendments
- TA816: Verify that the debug code is removed from web application before release
Updated Problems
- P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) (Restructured and add a few items from T36.)
- P695: Information Leak Through Auto-Complete (Changed the text and matching conditions to cover non-browser autofill too)
- P732: Insufficient consent for user tracking (Update the text and MCs.)
- P818: Privacy Issue due to Device Token Mishandling in Apple Push Notification (APN) (title changed, text revised.)
- P825: Lack of robust game bot detection and mitigation mechanisms (title changed, text revised.)
Added Problems
- P935: Lack of iOS Drag and Drop data validation
Updated HowTos
- I173: Django (Update the title to "Django: Session Expiry Policy Middleware" and changed the text.)
- I414: Preparing Android application for release (Added notes on publishing the app)
- I480: iOS WKWebView (Objective-C) (Replaced UIWebView with WKWebView.)
- I506: Apache XSS protection (Moved from T36 to T331.)
- I524: iOS WKWebView (Swift) (Replaced UIWebView with WKWebView.)
- I568: Android: Integrity and installation source (Change of text and title, added integrity checking)
Added HowTos
- I685: Django: Content Security Policy Middleware
- I686: Django: Do Not Track (DNT) Middleware
- I687: Django: Login Required Middleware
- I688: Django: Mandatory Password Change Middleware
- I689: Django: No Confidential Caching Middleware
- I690: Django: P3P Policy Middleware
Updated T186, w/ latest security patch level for third party libraries
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- Bouncy Castle
- Node.js
- AngularJS

4.8

New Features and Improvements:

We have made big changes to how users customize content in SD Elements. Customization of tasks is now per-field. If you update the priority of one of the official SD Elements tasks, you will still get updates to the remaining fields of the task when we update our content.
- Your existing custom tasks have all been migrated to this new scheme.
The ALM integration pages have been completely redesigned for improved functionality and user experience. Of particular note:
- Each field on the connection forms has more detailed help text.
- Fields that previously required users enter raw JSON have been replaced with user friend widgets.
Updated ASoC-DAST, AppScan, Checkmarx, ThreadFix, WebInspect and WhiteHat code scanner mappings.
Improve the date selection widget in the Business Unit Usage report.

Content additions and updates:

Updated following code scanner mappings
- ASoC-DAST
- AppScan
- Checkmarx
- ThreadFix
- WebInspect
- WhiteHat
Updated Tasks
- T118: Test for default accounts and credentials (title changed, text revised.)
- T177: Allow users to review and update their personal data (tied to P815 instead of P257)
- T186: Use recommended settings and the latest patches for third party libraries and software (Change to text and title to cover mis-configuration as well)
- T195: Implement lawful procedures to acquire and withdraw consent for processing personal data (title and text are changed)
- T207: Provide special data protection for children's personal information (title changed, content updated for GDPR)
- T230: Test that sever-to-server system accounts meet minimum password requirements (title changed, text revised.)
- T241: Verify that third party libraries use secure settings and the latest patches (Change to text and title to cover mis-configuration as well)
- T253: Protect TLS/SSL communication (Removed TLS_RSA_WITH_3DES_EDE_CBC_SHA from the list of preferred ciphers.)
- T261: Manage iOS Pasteboards that are used with sensitive data (Added cross-device pasteboard content sharing note.)
- T342: Inform and warn users about using critical system services (title changed, text revised.)
- T376: Fill out the manufacturer disclosure statement for the medical device security (MDS2) form (title changed, text revised.)
- T440: Follow best practices when managing Android permissions (title changed, text revised.)
- T454: Verify the performance of security function verification processes (title changed, text revised.)
- T460: Limit the length and number of XMPP registration tags provided by IoT devices (title changed, text revised.)
- T469: Verify that established RFID usage, safety, and privacy policies are enforced (title changed, text revised.)
- T487: Minimize the amount of unencrypted data stored on RFID tags (title changed, text revised.)
- T528: Enable MAC layer security mechanisms supported in the IEEE 802.15.4 when supported by the vendor (title changed, text revised.)
- T562: Consider Doze, Standby and battery saving limitations when developing Android applications (Change of title and text. Some notes on battery saving in Android O was added)
- T563: Test that critical functions of Android applications are not affected by Doze, Standby and battery saving limitations (Change of title and text. Some notes on battery saving in Android O was added)
- T604: Apply data protection principles when handling personal data (European Version)(revised text)
Added Tasks
- T733: Secure the Paypal Instant Payment Notification handlers
- T734: Test if Paypal Instant Payment Notification handlers are secure
- T735: Determine the grounds for processing personal data
- T736: Avoid processing sensitive data that reveals someone's identity
- T737: Protect personal data processed for secondary purposes
- T738: Determine the legal grounds for transferring personal data and ensuring GDPR compliance
- T739: Implement appropriate measures for responding to data breaches
- T740: Authenticate individuals who request access to their personal data
- T741: Protect unique identifiers and treat them as PII
- T742: Ensure the accuracy of personal data with technical/organizational measures
- T743: Protect personal data that can be linked to an individual
- T744: Pseudonymise PII where applicable
- T745: Implement appropriate measures to protect PII used for archiving purposes
- T748: Perform a privacy risk assessment before processing personal data
- T749: Assess and mitigate security risks for processing personal data
- T750: Minimize personal data collection and processing to its immediate purpose
- T751: Provide individuals with access to information about how their personal data is processed
- T752: Allow individuals to update and edit their personal data
- T753: Implement measures to erase any instance of an individual's personal data at their request
- T754: Do not process or modify the personal data of an individual who objects to processing
- T755: Keep records of types of PII processing and make them available upon request
- T756: Create a code of conduct for GDPR compliance
- T757: Use transparent communication techniques when providing data processing information to individuals of all ages
- T758: Implement measures to explicitly protect the personal data of children
- T759: Provide all required information about processing personal data to individuals at the time it is collected
- T760: Use secure and lawful techniques for profiling
- T761: Implement data protection by default and by design
- T762: Provide data subjects with their personal data in machine readable format
- T764: Avoid displaying sensitive information through iOS widgets
- T765: Authorize user before launching the iOS app via a widget
- T835: Test that iOS widgets do not display sensitive information
- T836: Verify that the user is authorized before launching the iOS app via a widget
Updated Task Amendments
- TA280: Unique device IDs in Android (Added update for Android O)
Added Task Amendments
- TA795: Ruby on Rails: Preventing unwanted Remote Code Execution by using long key
- TA798: Prevent MongoDB NoSQL injection in Ruby web frameworks
- TA802: Bypassing Phone Authentication in SaaS Phone Authenticators
- TA809: Verify use of security protocols wherever credit card information is transmitted or received (Converted I400 to TA809 and removed I400.)
- TA810: PA-DSS Requirements (Converted I387 to TA810 and removed I387.)
- TA811: PA/PCI -DSS Requirements (Converted I388 to TA811 and removed I388.)
- TA812: PA-DSS Requirements (Converted I386 to TA812 and removed I386.)
- TA814: COPPA
- TA815: GDPR
Updated Problems
- P182: Improper Access Control (Authorization) (Added a note on granting privileges at the user level.)
- P757: Missing clear specification of security assumptions and capabilities(revised text)
- P802: Negative impact of Doze/Standby/Battery Saving Modes on Time-critical Functions of Android Applications (Change of title)
- P815: Lack of features that allow access and modification to personal data(revised text and title)
- P821: Lack of incident management mechanisms (revised text)
Added Problems
- P838: Insecure Paypal Instant Payment Notification Handlers
- P858: Lack of legal grounds for processing PII
- P859: Collecting personal data more than required for specified purposes
- P860: Information leak through iOS widget
- P861: Lack of documentation or records for processing PII
- P863: iOS widget unauthorized view navigation
Updated HowTos
- I386: PA-DSS Requirements (Converted I386 to TA812 and removed I386.)
- I387: PA-DSS Requirements (Converted I387 to TA810 and removed I387.)
- I388: PA/PCI -DSS Requirements (Converted I388 to TA811 and removed I388.)
- I400: Verify use of security protocols wherever credit card information is transmitted or received (Converted I400 to TA809 and removed I400.)
- I426: iOS Pasteboards (Objective-C) (Added cross-device pasteboard content sharing note.)
- I525: iOS Pasteboards (Swift) (Added cross-device pasteboard content sharing note.)
Added HowTos
- I628: Swift: Handling widget's openURL request
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Java
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- Added "Q297: Payment Service Provider" under "Payment Components".
- Added "A1158: Sinatra under Technology/Framework".
- Added "A1162: Uses Phone Authentication" under "Authentication Method".
- Added "A1163: Paypal" under "Financial Systems".
- Updated "A1093: Handles payment through another service provider" (moved it under "Application General"/"Context and Characteristics"/"Application's Context and Characteristics").

We have added a new "Deployment" section with security recommendations for "Amazon Web Services (AWS)". AWS content is based upon recommendations incorporated in CIS Benchmarks developed by "Center for Internet Security, Inc."

Here are the release notes for the new deployment content:

Added Tasks
- T663: Avoid the use of the "root" account (AWS)
- T664: Enable multi-factor authentication (MFA) for all IAM users that have a console password (AWS)
- T665: Disable credentials unused for 90 days or greater (AWS)
- T666: Rotate access keys every 90 days or less (AWS)
- T667: Apply minimum IAM password policy requirements (AWS)
- T671: Enable MFA for the "root" account (AWS)
- T672: Register security questions in the AWS account (AWS)
- T673: Attach IAM policies only to groups or roles (AWS)
- T674: Enable Detailed Billing (AWS)
- T675: Activate IAM Master and IAM Manager roles (AWS)
- T676: Maintain current contact details (AWS)
- T677: Lack of registered security contact information (AWS)
- T678: Create a support role to manage incidents with AWS Support (AWS)
- T679: Do not set up access keys during initial IAM user setup (AWS)
- T680: Do not create IAM policies that allow full ":" administrative privileges (AWS)
- T681: Enable CloudTrail in all regions (AWS)
- T682: Make S3 bucket CloudTrail logs publicly inaccessible (AWS)
- T683: Integrate CloudTrail logs with CloudWatch Logs for real-time analysis (AWS)
- T684: Enable AWS Config in all regions (AWS)
- T685: Enable S3 bucket access logging on the CloudTrail S3 bucket (AWS)
- T686: Create log metrics and alarms (AWS)
- T687: Review the appropriateness of subscribers to each SNS topic (AWS)
- T688: Apply security group requirements (AWS)
- T689: Enable hardware Multi Factor Authentication (MFA) for the "root" account (AWS)
- T690: Use IAM instance roles for resource access from instances (AWS)
- T691: Enable CloudTrail log file validation (AWS)
- T692: Encrypt CloudTrail logs at rest using KMS CMKs (AWS)
- T693: Enable rotation for customer created CMKs (AWS)
- T694: Enable VPC flow logging in all VPCs (AWS)
- T695: Restrict all traffic in the default security group of every VPC (AWS)
- T696: Change routing tables for VPC peering to "least access" (AWS)
- T697: Test that "root" account is not used (AWS)
- T698: Test that multi-factor authentication (MFA) is enabled for all IAM users that have a console password (AWS)
- T699: Test that credentials unused for 90 days or greater are disabled (AWS)
- T700: Test that access keys are rotated every 90 days or less (AWS)
- T701: Test that minimum IAM password policy requirements are applied (AWS)
- T705: Test that MFA is enabled for the "root" account (AWS)
- T706: Test that security questions are registered in the AWS account (AWS)
- T707: Test that IAM policies are attached only to groups or roles (AWS)
- T708: Verify that detailed billing is enabled (AWS)
- T709: Verify that IAM Master and IAM Manager roles are active (AWS)
- T710: Verify that contact details are current (AWS)
- T711: Verify that security contact information is registered (AWS)
- T712: Test if a support role has been created to manage incidents with AWS Support (AWS)
- T713: Test if access keys have been created during initial IAM user setup (AWS)
- T714: Test if any IAM policy exists that allow full ":" administrative privileges (AWS)
- T715: Test if CloudTrail is enabled in all regions (AWS)
- T716: Test if S3 bucket CloudTrail logs are not publicly accessible (AWS)
- T717: Test that CloudTrail trails are integrated with CloudWatch Logs (AWS)
- T718: Test if AWS Config is enabled in all regions (AWS)
- T719: Test if S3 bucket access logging is enabled on the CloudTrail S3 bucket (AWS)
- T720: Test that log metrics and alarms are created (AWS)
- T721: Test the appropriateness of the subscribers to each SNS topic (AWS)
- T722: Test security group requirements (AWS)
- T723: Test that hardware Multi Factor Authentication (MFA) is enabled for the "root" account (AWS)
- T724: Test that IAM instance roles are used for resource access from instances (AWS)
- T725: Test that log file validation is enabled (AWS)
- T726: Test that CloudTrail logs are encrypted at rest using KMS CMKs (AWS)
- T727: Test that rotation is enabled for customer created CMKs (AWS)
- T728: Test that VPC flow logging is enabled in all VPCs (AWS)
- T729: Test that the default security group of every VPC restricts all traffic (AWS)
- T730: Test that routing tables for VPC peering are "least access" (AWS)
- T731: Create log metrics and alarms (2) (AWS)
- T732: Test that log metrics and alarms are created (2) (AWS)
Added Problems
- P161: Password Aging with Long Expiration
- P839: Unrestricted connectivity to remote console services (AWS)
- P840: Not disabling inactive user accounts (AWS)
- P841: Missing hardware Multi Factor Authentication (MFA) (AWS)
- P842: Failing to properly use AWS IAM roles (AWS)
- P843: Unsecure use of CloudTrail logs (AWS)
- P844: No support role or insufficient permissions to manage incidents (AWS)
- P845: Generating unnecessary access keys during initial IAM user setup (AWS)
- P846: Lack of CloudTrail logs for all regions (AWS)
- P847: No backup of passwords and no secondary ways of accessing accounts (AWS)
- P848: Unauthorized access to CloudTrail log content (AWS)
- P849: Nonintegrated CloudTrail trails with CloudWatch Logs (AWS)
- P850: Missing rotation for encryption keys (AWS)
- P851: Disabled AWS Config (AWS)
- P852: Disabled S3 bucket logging on target S3 buckets (AWS)
- P853: Inappropriate subscribers to an SNS topic (AWS)
- P854: Lack of Detailed Billing records (AWS)
- P855: One-person control over IAM (AWS)
- P856: Improper contact details associated to account (AWS)
- P857: Lack of registered security contact information (AWS)
Added HowTos
- I592: How-To for T663 (AWS)
- I593: How-To for T664 (AWS)
- I594: How-To for T665 (AWS)
- I595: How-To for T666 (AWS)
- I596: How-To for T667 (AWS)
- I600: How-To for T671 (AWS)
- I601: How-To for T672 (AWS)
- I602: How-To for T673 (AWS)
- I603: How-To for T674 (AWS)
- I604: How-To for T675 (AWS)
- I605: How-To for T676 (AWS)
- I606: How-To for T677 (AWS)
- I607: How-To for T678 (AWS)
- I608: How-To for T679 (AWS)
- I609: How-To for T680 (AWS)
- I610: How-To for T681 (AWS)
- I611: How-To for T682 (AWS)
- I612: How-To for T683 (AWS)
- I613: How-To for T684 (AWS)
- I614: How-To for T685 (AWS)
- I615: How-To for T686 (AWS)
- I616: How-To for T687 (AWS)
- I617: How-To for T688 (AWS)
- I618: How-To for T689 (AWS)
- I619: How-To for T690 (AWS)
- I620: How-To for T691 (AWS)
- I621: How-To for T692 (AWS)
- I622: How-To for T693 (AWS)
- I623: How-To for T694 (AWS)
- I624: How-To for T695 (AWS)
- I625: How-To for T696 (AWS)
- I626: How-To for T731 (AWS)
Changes to Project Properties and Profiles
- Added "Deployment" Phase.
- Added "Deployment Testing" Phase.
- Added "Deployment" Section.
- Added "Q289: Cloud Computing" under "Deployment".
- Added "Q290: Cloud Providers" under "Cloud Computing".
- Added "Q296: Assurance Level" under "Cloud Providers".
- Added "A1159: Amazon Web Services (AWS)" under "Cloud Providers".
- Added "A1161: Include more in-depth controls" under "Assurance Level".

4.7

New Features and Improvements:

Added two new (organization) reports accessible from the business units list page, visible to users who have the admin all projects permission:
- Application Usage License: This report provides a list of App licenses used in your organization during a specific time period.
- Business Unit Usage: Provides a summary of the usage of SD Elements within the business units in your company.
Users can select multiple phases or priorities when generating a Project Summary report or an All Tasks report.
Global Reports—our dynamic reporting tool—now include a verification column and a column with total tasks count (the total number of tasks matching the filter for completion percentage).
Support login via non-email based LDAP usernames. (Users created in SDE will still user an email for their username.)
CSV based reports are now generated and returned to the user as an HTTP streaming response.
Allow 'Area Path' to be set when creating a Team Foundation Server ALM sync connection.
Improve the performance of the groups API endpoint.
The permissions for business unit reports has been tightened: by default we require admin all projects or view all projects permissions.
The activity log on an individual task's page now renders its links correctly.

Content additions and updates:

Compliance Regulations:
- Added "MAS-TRMG" (Technology Risk Management Guidelines by Monetary Authority of Singapore) as a Compliance Regulation and its mapping to SDE tasks.
- Added "OWASP Mobile Top 10" as a Compliance Regulation and its mapping to SDE tasks.
Updated Tasks
- T20: Generate Unique Session IDs and Reset Old IDs After Authentication (title changed, text revised.)
- T26: Expire Sessions on Logout (title changed, text revised.)
- T28: Avoid "Remember Me" Features (title changes, text revised.)
- T29: Use Anti-Cross-Site Request Forgery (CSRF) Tokens (title changed, text revised.)
- T31: Validate All Forms of Input (title changed, text revised.)
- T32: Always Perform Input Validation on a Server (title changed, text revised.)
- T34: Refuse Overly-Long, Malformed, And Non-Printable Characters Unless Required (title changed, text revised.)
- T35: Fine-Tune HTTP Server Settings (title changed, text revised.)
- T36: Escape Untrusted Data in HTML, HTML Attributes, CSS, and JavaScript (title changed, text revised.)
- T38: Bind variables in SQL statements (title changed, text revised.)
- T39: Refuse Carriage Returns and Line Feeds When Adding Data to HTTP Response Headers (title changed, text revised.)
  - T41: Use LDAP Encoding for LDAP Data (title changes, text revised.)
  - T42: Avoid Relying on Untrusted Data for Server-Side Selection (title changed, text revised.)
  - T45: Log Potential Critical Security Events (title changed, text revised.)
  - T47: Implement a Global Error Handler and Generic Default Error Page for End Users (Merged to T159 and removed T47)
- T51: Throw an error page for unknown extensions on the web server (Merged content to T378, moved HowTo's to T378, and removed T51)
- T62: Protect Passwords in Property and Configuration Files (title changed, text revised.)
- T63: Disable Auto-Complete for Confidential Fields (title changed, text revised)
- T69: Strong Password Requirements for Server-to-Server System Accounts (title changed, text revised.)
- T77: Test for Single-Factor Authentication (title changed, text revised.)
- T87: Test that confidential data is sent over an encrypted channel (title changed, text revised.)
- T98: Test for input validation on a server (title changed, text revised.)
- T104: Test that site does not reveal detailed information in error pages (Merged to T128, moved HowTo's to T128, and removed T104)
- T107: Test that application forbids uploading or transferring malware (title changed, text revised.)
- T128: Test for access control bypass through user-controlled keys (Merged T104 to T128)
- T134: Do not send unprotected PANs in emails or text messages (title changed, text revised.)
- T159: Follow best practices for secure error and exception handling (Merged T47 to T159. Changed title from "Avoid returning unnecessary details in error messages")
- T169: Test that the site is not vulnerable to DOM-based XSS (title changed, text revised.)
- T170: Secure IPC endpoints used in clients (title changed, text revised.)
- T187: Test if the app prevents sensitive data leaks through the auto-snapshot feature of iOS (title changed, text revised.)
- T196: Avoid unsafe functions (title changed, text revised.)
- T197: Encrypt and sign any remote code/update and then validate the signature to verify its origin and integrity(Changed the title from "Encrypt and sign any remote code to validate its origin and integrity " and updated the text.)
- T326: Handle errors and exceptions securely in Node.js (Converted T326 to TA800 under T159, and removed T326)
- T328: Verify that errors and exceptions are handled securely in Node.js (Converted T328 to TA801 under T403, and removed T328)
- T378: Authorize every request for data objects (Merged T51 with T378.)
- T403: Verify that errors and exceptions are securely handled (Changed title from "Verify that error messages do not reveal unnecessary information")
- T439: Verify that the origin and integrity of remote code and updates are checked (Updated the text.)
Added Tasks
- T279: Avoid dynamically loading any code without proper security considerations (Enabled the task. Changed the title from "Avoid dynamically loading classes without proper security considerations". Updated the text. Changed the problem from P384 to P434.)
  - T305: Verify that your application dynamically loads code only from secure locations(Enabled the task. Changed the title from”Verify that classes are not dynamically loaded without proper security considerations ". Updated the text. Changed the problem from P384 to P434).
  - T655: Test that your application can detect debuggers
  - T656: Test that your application checks security and compatibility of the Android environment
  - T657: Test that your application checks its installation source
  - T658: Test that your application detects common rootkits
  - T659: Test that user-supplied inputs are validated before being passed to OS commands

Added Task Amendments

- TA274: Dynamic class loading in Android (Updated text. Changed task from T197 to T279.)
- TA275: Verifying dynamic class loading in Android (Updated text. Changed task from T439 to T305.)
- TA799: MongoDB - Passing sanitized variables to a server-side JavaScript query
- TA800: Node.js - Error and Exception Handling
- TA801: Node.js - Verify Secure Error and Exception Handling

Updated Problems

 - P216: Clear Text and Unencrypted Transmission of Sensitive Information (title changes, text revised.)
 - P325: Unrestricted Upload of Unsafe File Types (title changed, text revised.)
 - P384: Download of code/updates without checking its origin and/or integrity (Changed the title from "Download of code without origin and integrity check" and updated the text.)
 - P409: Credentials Are Not Protected (title changed, text revised.)
 - P532: Relying on Externally-Supplied File Names and Extensions (title changed, text revised.)
 - P664: Improper Neutralization of Special Elements in SQL Commands (SQL Injection) (title changed, text revised.)
 - P673: Improper Neutralization of SSI on a Web Page (title changed, text revised.)
 - P678: Session Fixation (text revised)
 - P696: Unsafe Use of XSLTs (title changed, text revised)
 - P707: No Absolute Session Timeout (title changed, text revised.)
 - P710: Session Cookie Missing 'HttpOnly' Attribute (title changed, text revised.)
 - P715: Client applications require excessive permissions (title changed, text revised.)
 - P746: Crash of Node.js single threaded event loop (Removed the error and exception handling part since T326 is added to T159 as an amendment TA800.)

Added Problems
- P434: Use of Dynamic Code/Class Loading

Updated HowTo's
- I64: Java EE - Generic Default Error Page (Moved from T47 to T159.)
- I67: Apache 2.0 - Refuse serving file with unknown extensions (Moved from T51 to T378.)
- I80: ASP.NET - Generic Default Error Page (Moved from T47 to T159.)
- I92: ASP.NET / C# - Global error handling using HTTPModule (Moved from T47 to T159.)
- I163: Manually with browser (Moved from T104 to T128.)
- I179: IIS - Refuse serving files with unknown extensions (Moved from T51 to T378.)
- I487: WCF - Generic Default Error Page (Moved from T47 to T159.)
Added HowTo's
- I591: OWASP Java Encoder Project: Escape Untrusted data
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Serve
- Apache Wicket
- Node.js

Changes to Project Properties and Profiles
- Changed "Q259: Remote Procedure Calls and Dynamic Code Loading" to "Q259: External Code/Data".
- Changed "A1102: Has remote procedure call, dynamic class loading, or object de-serialization" to "A1102: Uses dynamic code/class loading"
  - Added "A1155: Provides UDDI web service registry"
  - Added "A1157: Uses remote procedure calls (RPC) or object serialization/deserialization".
  - Added "A1104: Has software/firmware update functionality".

4.6

New Features and Improvements:

A new release of a project can optionally include all incomplete tasks from the original, regardless of the new project's survey answers. This behaviour can be turned on at the business unit level.
SD Elements phases can be renamed and re-ordered.
SD Elements now supports verification using IBM Application Security on Cloud and IBM Security AppScan Source
Performance improvements to the tasks page.
Performance improvements to LDAP user sync jobs.
Performance improvements to ALM and Analysis sync jobs.
Improvements to the SAML configuration page.

Content additions and updates:

Updated Tasks
- T4: Configurable Password Policies (title changed to Use Configurable Password Policies)
- T5: Minimum Password Standards (title changed to Use Minimum Standards for Passwords)
- T8: Consistent Error Handling for All Authentication Failures (title changed to Use Consistent Error Handling for All Authentication Failures)
- T9: Implement high-risk transaction authorization and screening (title changed to Implement Authorization and Screening for Highly Sensitive Transactions)
- T31: Perform input validation on all forms of input (Updated text for clarification)
- T33: Verify integrity of client-supplied read-only data (Change of text. Emphasized on server side storage and validation of data)
- T36: Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript (Change of text. added more explanation and referred to Java Encoder Project)
- T37: Avoid DOM-based cross-site scripting (XSS) (Changed text and removed JavaScript MC)
- T43: Avoid unsafe operating system interaction (Reorganized text and added more notes for clarification.)
- T62: Protect passwords in property and configuration files (e.g. database connection strings) (change of text and coverage of CWE258)
- T66: Prevent web pages from being loaded inside iFrame (frame busting) (Revised and changed the text, added content and links for frame-ancestors CSP directives)
- T93: Test that sessions expire upon logout (Added more steps to the test and reorganized the text)
- T99: Test that clients cannot manipulate read-only data(Change of text. Emphasized on server side storage and validation of data)
- T119: Test for clickjacking (Change of text, Added two types of tests and restructured the test)
- T210: Encrypt sensitive data during transmission for rich clients (Update text for clarification)
- T214: Protect confidential files on operating system or server (Included server, Change of text, title, and MCs)
- T264: Do Not Use Method Swizzling in Objective-C (Change of title and text)
- T285: Restrict use of access tokens (API tokens) (Change of text, Elaborated on where to use and avoid using API tokens)
- T299: Verify That Method Swizzling is Not Being Used in Objective-C (Or is Being Used Securely) (Change of title and text)
- T331: Enforce policies through content security policy (CSP) headers (Updated text for clarification)
- T335: Sanitize user input before passing to NoSQL operators (Added a note about checking latest updates and references)
Added Tasks
- T610: Devise overall consistency measures for game
- T611: Verify that the game server checks the consistency/integrity of submitted parameters
- T614: Follow best practices to secure time in games
- T622: Assign a random revocable token/code to actions and achievements in the game
- T623: Verify that assigned game tokens or codes are secure
- T624: Implement a verifiable log for the game
- T625: Sign and encrypt important parameters sent to the game server
- T626: Verify that the game is not vulnerable to time cheats
- T627: Follow best practices for secure transactional processing in games
- T628: Test for dupes and other transactional inconsistencies in games
- T629: Authenticate the game server to the clients before logging in
- T630: Use a reliable game bot detection technique
- T631: Do not provide game client applications with unnecessary state changes
- T635: Reject profane and indecent content in games
- T636: Test that the game rejects profane and indecent content
- T637: Protect against network disruption and proxy attacks
- T638: Protect critical game variables in memory
- T639: Use secure functions to load DLL files
- T640: Design and implement some rootkit detection techniques
- T641: Limit resource consumption of WebSocket connections
- T642: Verify limits on resource consumption of WebSocket connections
- T643: Implement certificate pinning for iOS application
- T644: Verify that TLS certificate pinning is implemented for iOS application
- T645: Check for authentication before handling iOS Siri intent
- T646: Verify that your iOS application checks for authentication before handling Siri intent
- T647: Verify that game client authenticates the server before logging in
- T648: Verify that a reliable game bot detection technique is implemented
- T649: Verify that game server does not send unnecessary game state information to clients
- T650: Verify that the game server is protected against network disruption and proxy attacks
- T651: Verify that critical game variables in memory are protected
- T652: Test that secure functions are used to load DLL files
Added Task Amendments
- TA790: Time of check time of use (TOCTOU) best practices
- TA793: Encrypt network communications between game clients and servers
- TA794: Test network communications between game clients and servers are encrypted
Updated Problems
- P150: Execution with Unnecessary Privileges (title changed to Running with Unnecessary Privileges)
- P204: Improper Restriction of Excessive Authentication Attempts (title changed to Repeated Authentication Attempts Are Not Restricted)
- P205: Use of Single-Factor Authentication (title changed to Single-Factor Authentication)
- P408: Weak Password Requirement (title changed to Password Requirements Are Weak)
- P426: File and Directory Information Exposure (Change of MCs. Included server in the text)
- P438: Missing Password Field Masking (title changed to No Password Field Masking)
- P493: URL Redirection to Untrusted Site ('Open Redirect') (title changed to URL Redirects to Untrusted Site ('Open Redirect'))
- P601: Use of a one-way hash without a proper salt (title changed to One-Way Hashes Do Not Have Strong Salts)
- P692: Insufficient Authorization Check Due to Lack of Information (title changed to Insufficient Authorization Checks Due to Lack of Information)
Added Problems
- P816: Cheating through Time/State Spoofing in Games
- P817: Lack of Secure Transactional Processing in Games
- P822: Resubmission of tokens and codes in games
- P823: Submission of altered data by game clients
- P824: Lack of Game Server Authentication
- P825: Lack of a robust game bot detection and mitigation mechanisms
- P826: Game Wall and Camouflage Hacks
- P829: Liability Issues Related to Obscenity and Profanity in Games
- P830: Network disruption and proxy attacks on games
- P831: Game client's memory scanning and manipulation attacks
- P832: DLL Injection
- P833: Not Checking Kernel Integrity
- P834: Lack of TLS Certificate Pinning
- P835: SiriKit unauthorized intent handling
Updated HowTo's
- I44: Java EE with ESAPI: Escape untrusted data (Change of text. Added a reference to Java Encoder Project as alternative)
Added HowTo's
- I566: Anti-debug methods in Windows
- I582: HMAC challenge-response mutual authentication for game client and server
- I583: Digital signature for game server authentication
- I585: Using XOR for differential storage of sensitive game variables
- I588: Using message authentication code (MAC) for validating game variables
- I589: Swift: TLS Certificate Pinning
- I590: Swift: Authentication status check before dispatching intent-handler
Updated T186, w/ latest security patch level for third party libraries
- Django
- Spring Framework
- Apache Tomcat
- GnuTLS
- Java
- Bouncy Castle
- Unix/Linux Bash
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- All questions and answer options have been edited, are more consistent, have more informative tooltips, have had all acronym definitions moved to the tooltips, and have had URLs removed from tooltips.
- Updated Questions:
  - Q110: Technology/Framework (change of title from platform to framework)
  - Q195: Language and Framework (change of title from platform to framework)
  - Q199: Acronym definitions have been moved to the tooltip for SSO, OTP.
  - Q204: Acronym definitions have been moved to the tooltip for EBA, PA-DSS, PCI-DSS, PSP.
  - Q205: "Organizational Information (for compliance purposes)" has been changed to "Organization".
  - Q206: Acronym definitions have been moved to the tooltip for GAPP, PIPEDA, ECPA, GDPR.
  - Q207: Acronym definitions have been moved to the tooltip for IoT.
  - Q237: Acronym definitions have been moved to the tooltip for DIACAP
  - Q249: "Industrial and Control Systems" has been changed to "Industrial Control Systems".
  - Q250: "In-Scope for ANSI/ISA 62443" has been changed to "In-Scope for ISA/IEC 62443".
  - Q255: "DIACAP" has been changed to "In-Scope for DIACAP".
  - Q309: "NIST 800-53" has been changed to "In-Scope for NIST 800-53 Compliance"
  - Q316: Acronym definitions have been moved to the tooltip for NFC, RFID.
  - Q317: "NIST 800-82" has been changed to "In-Scope for NIST 800-82 Compliance"
- Added Questions:
  - Q337: Platform/Operating System
  - Q338: Platform
  - Q339: Game applications
- Updated Answers:
  - A70: "Requires remember-me (ie. user does not have to log in next time) function" has been changed to "Requires Remember-Me Functionality".
  - A188: A188: "Burpsuite" changed to "Burp Suite".
  - A714: iOS (moved to Platform)
  - A715: Android (moved to Platform)
  - A749: The option for "Bill C-28 Canada’s Anti-Spam Legislation" has been changed to "Bill C-28".
  - A760: "High-risk financial application" has been changed to "handles sensitive data".
  - A761: "Expand the scope to include a server side in the application (read the description)" has been changed to "Expand the scope to include a server side in the application (not recommended)".
  - A1075: "Industrial or Control Systems" has been changed to "ICS" for "Industrial Control Systems", and is now defined in the tooltip.
  - A1086: "In-scope for department of defense information assurance certification and accreditation process (DIACAP)" has been changed to "Yes".
  - A1100: "ANSI/ISA 62443-3-3" has been changed to "ISA/IEC 62443-3-3".
  - A1101: "ANSI/ISA 62443-4-2" has been changed to "ISA/IEC 62443-4-2".
  - A1107: "In-scope for NIST 800-53 compliance" has been changed to "Yes".
  - A1116: "In-scope for NIST 800-82 compliance" has been changed to "Yes".
- Added Answers:
  - A1151: Windows
  - A1152: Linux/Unix
  - A1153: Has rating (under Game applications in Context and Characteristics)
  - A1154: Mac OS

4.5

New Features and Improvements:

Users can create, edit and delete new custom Phases.
Initial support for syncing users between an LDAP directory and SD Elements.
The user account profile, notifications, and API token management pages have been redesigned and improved.
API improvements and additions:
- Phases can be created, edited, or deleted.
- Password can be changed, password metadata retrieved on GET (session / basic authentication only)
- Password reset questions can be created, edited, or deleted
- API tokens can be generated, revoked or regenerated
- Email notification settings can be updated
- User Profile can be retrieved or updated via /users/me/

Content additions and updates:

Compliance Regulations, Mappings, and Other General Updates
- General Data Protection Regulation (GDPR): Added support for GDPR by creating custom mapping, added/improved tasks and creating GDPR report
- Revised all Task Priorities according to CVSS V3.0 Base Score
- Changed title and description of California Online Privacy Protection Act
Updated Tasks
- T178: Ask for consent from user prior to collecting personal information (Revised text)
- T185: Follow best practices to secure SAML implementations (Revised text)
- T205: Avoid inter-process race conditions (Updated content)
Added New Tasks
- T604: Apply data protection principles when handling personal data (European Version)
- T605: Allow individuals to access their personal data
- T607: Develop procedures for personal data destruction when they are no longer needed
- T608: Obfuscate your executables
- T609: Protect your application against debuggers
- T612: Use Android Framework's SafetyNet Attestation API to assess the Android Environment's security and compatibility
- T613: Mitigating DDoS attacks with NGINX
- T615: Check your application's installation source
- T616: Keep user iOS device token private
- T617: Do not rely on APN for delivering mission critical notifications
- T618: Check for iOS app’s notification settings change after initial configuration
- T619: Check authorization status before handling iOS app notification's custom action
- T620: Use SSL/TLS offloading, encryption and certificates with NGINX
- T621: Design incident reporting features
- T632: Test publicly available reverse engineering tools against your executables
- T633: Mitigate Deadlock and Recursion in Services
- T634: Replicate UDDI Registry to Avoid Single Point of Failure
Added Task Amendments
- TA776: GDPR: Impact assessment
- TA777: GDPR: Regulations related to third countries
- TA778: GDPR: Public access to personal data
- TA779: GDPR: Data archiving
- TA780: GDPR: Data transparency
- TA781: GDPR: Incident reporting
- TA782: GDPR: Information notices
- TA783: GDPR: Data processing restrictions
- TA784: GDPR: Data portability
- TA785: PIPEDA: Right of access
- TA786: HIPAA: Right of access
- TA787: GDPR: Right of access
- TA788: Residents of USA, California
- TA789: EU Residents
- TA791: Android: Root or Custom Build Detection
- TA792: Game Integrity
Updated Problems
- P216: Cleartext and Unencrypted Transmission of Sensitive Information (Change of title and CWEs. Combined P208 and P216 into P216.)
- P361: External Control of Assumed-Immutable Data (Change of text and title, two CWEs combined.)
- P809: Not Checking Boot/Platform Integrity (Updated title and text.)
Added Problems
- P814: Easy-to-Reverse Executable
- P815: Missing features that enable access to personal data
- P818: Privacy Issue due to Device Token Mishandle in Apple Push Notification (APN)
- P819: Reliance on Apple Push Notification (APN) for Mission Critical Applications
- P820: Apple Push Notification (APN) Unauthorized Custom Actions
- P821: Lack of incident management mechanisms
- P827: Service Deadlock and Recursion
- P828: UDDI Registry as the Single Point of Failure
Added HowTo's
- I562: GDPR: Software compliance
- I563: Obfuscation in Android
- I564: Obfuscation in .Net Framework
- I565: Obfuscation using GCC
- I567: GDPR: Data transparency
- I568: Android: Installation source
- I569: Swift:Retrieval and registration of device token for APN
- I570: Swift: Using categories for Apple Push Notification (APN)
- I571: NGINX: Limit the number of incoming requests
- I572: NGINX: Limit the number of open connections
- I573: NGINX: Closing slow connections
- I574: NGINX: Blacklisting
- I575: NGINX: Whitelisting
- I576: NGINX: Enable caching
- I577: NGINX: Block suspicious requests
- I578: NGINX: Limit the connections to backend servers
- I579: NGINX: Dealing with range-based attack
- I580: NGINX: Handling high loads
- I581: NGINX: SSL hardening
- I584: Deobfuscating .Net code
- I586: Android: Debugger Detection
- I587: iOS: Debugger Detection
Added Glossary Items
- personal data, processing, restriction of processing, profiling, pseudonymisation, filing system, controller, processor, recipient, third party, consent, personal data breach, genetic data, main establishment, representative, binding corporate rules, supervisory authority concerned, cross-border processing, relevant and reasoned objection, international organization, enterprise, Deadlock.
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Unix/Linux Bash
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- Added A1148: "General Data Protection Regulation (GDPR)" under "Privacy Regulations"
- Added A1149: "NGINX" under "Name of web server"

4.4

New Features and Additions:

The project overview page has been redesigned.
Improvements to single-sign on configuration: you no longer need to reboot the server when updating your SSO settings.
LDAP configurations can be tested in application, helping you confirm your SSO settings are correct.
Performance improvements on the training reports page and the project tasks page.

Content additions and updates:

Updated Tasks
- T49: Remove/disable debug capabilities and unused, test or debug code and data (Changes to title and text)
- T105: Verify that server application does not have unnecessary debug capability or leftover test/debug code (Changes to text and matching conditions)
- T146: Use encryption for network communications in mobile environments (Added a note on cleartext communication detection using developer tool)
- T197: Encrypt and sign any remote code to validate its origin and integrity (Changes to the text)
- T278: Follow best security practices when using WebView (Android) (Updated the "Disable access to local files" section)
- T294: Verify that client application does not have unnecessary debug capability or leftover test/debug code (Changes to the title and text)
- T564: Follow best practices for sharing data between Android applications (Added a note on how to detect file URI exposure to other apps)
Added Tasks
- T514: Prevent formula injection in CSV files
- T584: Implement update capabilities for your application
- T585: Do not expose sensitive information in the update binaries sent to devices
- T586: Implement Secure Boot if possible
- T589: Verify that all the components are authenticated explicitly
- T590: Verify that network layer encryption is enabled for local area network communications
- T591: Verify that network access control is enabled for local area network communications
- T592: Test that IoT devices are not accessible through the Internet
- T593: Test that the parent tag of the SAML assertions are signed
- T594: Verify that your application validates SAML assertions properly
- T595: Test that your application checks for symlinks before opening files
- T596: Test that your application provides update capabilities
- T597: Test that the update binaries do not expose sensitive information
- T598: Test that Secure Boot is implemented
- T599: Do not rely on HTTP Host header
- T600: Verify that HTTP Host header values are not used without proper validation
- T606: Verify that CSV files are protected against macro injection

Added Task Amendments
- TA771: Test the release version of Android application for debug and test leftovers
- TA774: Protect Django SECRET_KEY
- TA775: Verify that Django SECRET_KEY is protected

Updated Problems
- P208: Missing Encryption of Sensitive Data (Removed this problem and moved T146, T173, T210, T302 to P216 and updated all match conditions)
- P379: Unnecessary debug capabilities, debug code or files (Changes to title and text)

Added Problems
- P808: No update capabilities are provided
- P809: Boot integrity weakness exploited by bootkits
- P811: Reliance on Host Header

Updated HowTos

- I178: Django: CSRF protection (Changes to name and text, added details about CSRF middleware activation)
- I416: Using WebView Securely (Added how to disable JavaScript access to local files)
- I546: Signing data and verifying digital signatures
- I547: SAML XML-signature verification

Added HowTos
- I548: Django: Enable SecurityMiddleware
- I549: Django: Redirect to HTTPS
- I550: Enable HTTPS Strict Transport Security (HSTS) in Django
- I551: Django: XSS protection
- I552: Django: Frame busting
- I553: Django: Prevent MIME sniffing
- I554: Django: Use ALLOWED_HOSTS
- I555: Django: Parameterize SQL
- I556: Django: Cookie age
- I557: Django: Session cookie domain
- I558: Android - StrictMode for file URI exposure detection
- I559: Android - StrictMode for cleartext network traffic detection
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Apache MyFaces
- Java
- Bouncy Castle
- Unix/Linux Bash
- Node.js
- Angular JS
Changes to Project Properties and Profiles
- A new profile for “Mainframe Projects” is added
  - Added "A1144: This is an update server" under "Q263: Software updates"

4.3

New Features and Improvements:

Added diff-friendly export option for library items
Simple Library importing and exporting for Tasks, Weaknesses, Howtos, Glossary Terms, and Amendments (without "rules"). The format is CSV.
Create, edit, and delete global roles via APIv2.
Global and Project Roles pages have redesigned and updated to be more consistent with our other list pages.
Role editing is now consolidated in a single form.
Various bug fixes throughout the application.

Content additions and updates:

Compliance Regulations and Mappings
- Added "OWASP IoT Attack Surface Areas" as a Compliance Regulation and its mapping to SDE tasks
Content alignment with major security guidelines:
- Improved SDE coverage based on NIST 800-95 Guide to Secure Web Services
Updated Tasks
- T49: Remove/disable debug capabilities and unused, test or debug code and data (Change to title and text. Added debug capabilities. Added notes on annotations and metadata)
- T105: Verify that server application does not have unnecessary debug capability or leftover test/debug code (Changed the web application to server. Added/Changed the text accordingly. Added tags)
- T151: Use cryptographically secure random numbers (Added notes about SHA1PRNG)
- T156: Validate certificate and its chain of trust properly (Revised the text)
- T197: Sign the code and verify the origin and integrity of remote code with digital signatures (Revised the text and changed the name to "Encrypt and sign any remote code to validate its origin and integrity")
- T243: Check the authenticity and integrity of received SOAP messages (change of title, reference to NIST SP 800-95)
- T270: Follow best practices for storing application data on Android devices (Added notes about SharedPreferences and new file-system permission changes in Android 7)
- T294: Verify that client application does not have unnecessary debug capability or leftover test/debug code (changed the title and text. Added debug capabilities. Added tags. Added annotations)
- T456: Disable unnecessary services and capabilities (added notes on disabling unessential protocols)
Added Tasks
- T557: Set SameSite attribute of cookies to Lax/Strict
- T558: Authenticate all other components before any network communication with them
- T559: Verify that the authenticity and integrity of SOAP messages are checked
- T560: Sanitize any HTML input passed to dangerouslySetInnerHTML attribute
- T561: Verify that any HTML input passed to dangerouslySetInnerHTML attribute is sanitized
- T562: Consider Doze and Standby requirements when developing Android applications
- T563: Test that critical functions of the application are not affected by Doze and Standby modes
- T564: Follow best practices for sharing data between Android applications
- T565: Verify that data sharing between Android applications is secure
- T566: Enable network layer encryption for local area network communications
- T567: Enable network access control for local area network communications
- T568: Restrict exposure of IoT devices to the Internet
- T569: Prevent parameter tampering in web services
- T570: Sign the parent tag of the SAML assertion before forwarding
- T571: Validate SAML assertions
- T572: Check for symlinks before opening files
- T573: Prevent UDDI/ebXML spoofing
- T574: Prevent information exposure in HyperCat
- T575: Verify that HyperCat catalogues are not revealing discovery information
- T576: Verify that UDDI/ebXML spoofing is prevented
- T577: Verify that parameter tampering is prevented in web services
- T578: Execute only compiled programs in mainframe
- T580: Validate return codes in mainframe programs
- T581: Verify that return codes are evaluated in mainframe programs
- T582: Secure SYSABEND, SYSUDUMP, or SNAP dumps in mainframe
- T583: Verify the security of system dumps in mainframe
- T587: Verify that cryptographically secure algorithms are used for random number generation
Updated Task Amendments
- TA278: Using native cryptography libraries in Android NDK (change of title, text, and notes on Android 7.0)
- TA771: Test the release version of Android application for debug and test leftovers (Disabled T269: Test that release version of Android application is not debuggable. New content was added)
Added Task Amendments
- TA764: Monitor status of IoT devices and log critical incidents
- TA767: Insecure React packages
- TA768: React - Setting bundle to production mode
- TA769: React - Verify that bundle is set to production mode
- TA770: Enforce TLS/SSL on all pages
- TA772: Remove leftover code in mainframe programs
- TA773: Verify temporary files containing sensitive information are deleted in mainframe
Updated Problems
- P12: Missing or Incorrect XML Validation (change of title)
- P228: Use of Insufficiently Random Values (Important changes in MCs)
- P379: Unnecessary debug capabilities, debug code or files (Change to title and addition of debug capabilities to text, Tags were added)
Added Problems
- P480: Improper Link Resolution Before File Access ('Link Following')
- P801: Implicit trust of components that communicate through network
- P802: Negative impact of Doze/Standby modes on time-critical functions of Android applications
- P803: Using insecure methods for sharing data with other Android applications
- P804: Exposure of weak IoT devices to the Internet
- P805: Execution of non-compiled modules in mainframe programs
- P806: Failure to evaluate return codes in mainframe
- P807: Disclosure of sensitive information through system dumps in mainframe programs
- P810: Spoofing of UDDI/ebXML or other service discovery/registry entries
Updated HowTos
- I30: Java EE (Changed the default PRNG and removed SHA1PRNG in code, added note about SHA1PRNG)
- I31: Java EE with Struts 1.x (Changed the default PRNG and removed SHA1PRNG in code, added note about SHA1PRNG)
- I127: Java EE with Spring MVC: Anti cross site request forgery (CSRF) tokens (Changed the default PRNG and removed SHA1PRNG in code, added note about SHA1PRNG)
- I264: Android/Java secure channel and certificate validation (Added Java to MCs and changed the title)
- I275: iOS Certificate Validation - HTTP-based protocols (Objective-C) (change of title and matching conditions)
- I292: iOS Inter-App Communication (Objective-C)(change of title and matching conditions)
- I293: iOS Network Communications Encryption (Objective-C) (change of title and matching conditions)
- I402: Android storage options and considerations (Added notes on SharedPreferences)
- I429: Using iOS Keychain services for secure data storage (Objective-C) (change of title and matching conditions)
- I510: iOS Certificate Validation - Direct SSL (Objective-C) (change of title and matching conditions)
- I512: iOS - Temporary Camera Files (Objective-C) (change of title and matching conditions)
- I513: iOS: Disabling auto-correction and keyboard extensions (Objective-C) (change of title and matching conditions)
Added HowTos
- I530: How to use dangerouslySetInnerHTML in React
- I531: iOS Certificate Validation - HTTP-based protocols (Swift)
- I532: iOS Certificate Validation - Direct SSL (Swift)
- I533: iOS: Disabling auto-correction and keyboard extensions (Swift)
- I534: iOS Inter-App Communication (Swift)
- I535: Using iOS Keychain services for secure data storage (Swift)
- I536: iOS - Temporary Camera Files (Swift)
- I537: iOS Network Communications Encryption (Swift)
- I538: Notes on executing compiled modules in mainframe
- I539: Delete temporary files containing sensitive information in mainframe
- I540: Sample COBOL solution for evaluation of return codes on file access (mainframe)
- I541: JCL solution for protecting sensitive data in SYSABEND/SYSUDUMP (mainframe)
- I542: Compilation-Job Control Language (JCL) (mainframe)
- I543: Evaluating the return code in JCL conditional processing (mainframe)
- I544: Setting the return code (mainframe)
- I545: Using SYSABEND, SYSUDUMP in mainframe programs
Updated T186, w/ latest security patch level for third party libraries
- Django
- Spring Framework
- Apache Tomcat
- OpenSSL
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- Added "Q331: Android app features"
- Added "Q332: Service chaining"
- Moved and renamed "Q231: Single Sign-On (SSO) protocol" under "Q125: Authentication backend" to "Authentication and identity exchange protocols" under "Q207: Application Layer"
- Added "A8: Standalone Application"
- Renamed "A54: Using a Single Sign On (SSO) suite" to "Using Single Sign-On (SSO) or Federated Authentication"
- Removed "A1104: Has software / firmware update functionality"
- Added "A1139: Shares data/files with other local applications"
- Added "A1140: Sends requests to remote services"
- Added "A1141: Receives user requests through third-party services"
- Added "A1143: Generates random numbers"
- Added "A1145: This is a mainframe application"

4.2

New Features and Improvements:

Redesign of the users and groups pages: they should both better accomodate a larger number of users and groups.
Enable ALM and Scanner Integration configuration via APIv2—including triggering manual sync/scan execution.
Support for task references (faster syncing) for Mingle and VersionOne.
Create, edit and delete project roles via APIv2.
Official SD Elements Answers can now be completely deactivated, rather than just hidden.
You can (once again) search for business units by their nested applications' names.
Various user experience improvements to the Business Unit Reports.
Various user experience improvements to the New Releases form.
Various performance improvements and bug fixes throughout the application.

Content additions and updates:

Compliance Regulations and Mappings:
- Added "OWASP IoT Top 10 (2014)" Compliance Regulation and its mapping to SDE tasks
- Updated "PIPEDA": Mapping is updated. Additional sections are added. The description is updated.
Updated Tasks
- T2: Secure forgotten password (Added a couple of notes and steps)
- T8: Consistent error handling for all authentication failures (Moved an item to T2 and added more notes and steps)
- T60: Only use approved cryptographic algorithms and key lengths (Added links to lists of approved cryptographic algorithms)
- T78: Test strength of password recovery mechanism (Added one more test)
- T82: Test authentication error consistency (Moved a test to T78 and added a more tests and steps)
- T184: Perform authorization checks on RESTful web services (added more information to the text)
- T367: Mitigate the security risks of power cut and power supply switch (Added power source and cabling protection instructions)
- T368: Test system/application security in the event of a power cut or power supply switch (Added physical security test)
- T445: Verify that only approved cryptographic algorithms and key lengths (Added links to lists of approved cryptographic algorithms)
Added New Tasks
- T515: Limit resource consumption of outgoing HTTP requests sent to external user-defined webhooks
- T516: Verify the limit on outgoing HTTP requests to external webhooks
- T517: Protect user registration and account modification pages against user enumeration
- T518: Test that registration and account modification pages are protected against user enumeration
- T519: Test that input validation is done on all forms of input
- T520: Design secure SOAP web services
- T521: Protect the ZigBee network infrastructure with a Network Key
- T522: Employ address filtering at the MAC layer
- T523: Designate a ZigBee Coordinator
- T524: Designate a backup ZigBee Coordinator
- T525: Pre-assign a PAN Identifier for the ZigBee network
- T526: Choose an out-of-band method for loading keys into ZigBee devices if possible
- T528: Enable MAC layer security mechanisms supported in the IEEE 802.15.4 if supported by the vendor
- T529: Verify that a Network Key is utilized in the ZigBee network
- T530: Test that MAC layer address filtering is enabled
- T531: Verify that the network has a designated ZigBee Coordinator
- T532: Test that the network has a designated backup ZigBee Coordinator
- T533: Test that ZigBee nodes only connect to a network with pre-assigned PAN Identifier
- T534: Verify that an out-of-bound method is used for loading network keys into ZigBee devices
- T535: Test that MAC frames of 802.15.4 layer are secure
- T536: Restrict the size of incoming messages in web services
- T537: Perform load testing for web services
- T538: Disable or protect JTAG interfaces in production
- T539: Test that JTAG interfaces are disabled or protected in production
- T540: Restrict direct memory access
- T541: Verify that direct memory access is restricted
- T542: Protect hardware modules against tampering and probing
- T543: Verify that hardware modules are protected against tampering and probing
- T544: Anonymize (de-identify) identifying information before using it for a secondary purpose
- T545: Verify that personally identifiable information is anonymized before being reused for secondary purposes
- T548: Protect physical data transmission channels
- T549: Verify that physical data transmission channels are protected
- T552: Verify that SOAP web services are securely designed
- T553: Design secure RESTful web services
- T554: Verify that REST web services are securely designed
- T555: Acquire a secret token from users for signing the payload of webhook notifications
- T556: Test that users can provide a secret token for signing the payload of webhook notifications
Added Task Amendments
- TA754: Validate webhook URLs
- TA757: Webhook URLs
- TA758: Use input validation for RESTful web services
- TA762: Use of no-password authentication for third party components
Updated Problems
- P526: Weak Password Recovery Mechanism for Forgotten Password (Reorganized the text and added a few notes)
- P748: Blocking of emergency actions or essential functions of a system (Added power and cabling interruption notes)
Added Problems
- P794: Uncertainty about which ZigBee node is the coordinator
- P795: Uncertainty about which ZigBee network to join
- P796: Unencrypted loading of network keys onto devices
- P797: Direct Memory Access Attack
- P798: Insufficient protection of hardware modules against tampering and probing
- P799: No MAC layer security in shared networks
- P800: Unprotected Hardware Debugging Interfaces
Updated HowTo's
- I254 iOS Auto-snapshot Prevention (Objective-C)
- I425 Disabling iOS Auto-correction and keyboard extensions (Objective-C)
- I426 iOS Pasteboards (Objective-C)
- I480 iOS UIWebView (Objective-C)
- I482 iOS data encryption with PBKDF2 (Objective-C)
- I511 iOS session cleanup (Objective-C)
- I514 iOS Universal Links (Objective-C)
Added HowTo's
- I523 Disabling iOS Auto-correction and keyboard extensions (Swift)
- I524 iOS UIWebView (Swift)
- I525 iOS Pasteboards (Swift)
- I526 iOS Universal Links (Swift)
- I527 iOS Auto-snapshot Prevention (Swift)
- I528 iOS data encryption with PBKDF2 (Swift)
- I529 iOS session cleanup (Swift)
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Java
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- Added "A1129: Swift" answer under "Programming language"
- Removed "A1085: The application connects to a server as a client" answer
- Added "Q281: Webhooks" under "External Dependencies"
- Added "A1128: Sends webhook notifications" under "Webhooks"
- Added "A1135: Receives webhook notifications" under "Webhooks"
- Added "Q276: Network Layer" Question under "Protocols"
- Added "Q282: Low-power protocols used" Question under "Network Layer"
- Added "A1130: ZigBee" Answer under "Low-power protocols used"
- Added "A1131: Thread Protocol" Answer under "Low-power protocols used"
- Added "A1134: Physical protection of hardware is in scope" under "Hardware features"
- Added "Q283: Physical protection" under "Hardware features"
- Added "A1132: Protecting hardware debugging interfaces is in scope" under "Physical protection"
- Added "A1133: Protecting direct memory access (DMA) interfaces is in scope" under "Physical protection"

4.1

New Features and Improvements:

Support additional customization of the login page.
Automatically close ALM issues if the SDE task is no longer part of the project.
Support customized ALM titles in Github
Support NTLM Authentication in Team Foundation Server.
Syncing tasks to Github now uses task references.
Add a filterable drop-down for moving applications.
Create and edit groups via APIv2.
Retrieve all users of a group via APIv2.
Create and edit project roles via APIv2.
Numerous bug fixes and small improvements: thanks for your feedback!

Content additions and updates:

Compliance Regulations and mappings:
- Added content and mapping for several new sections of HIPAA, including sections 164.312, 164.524, 164.506, and 164.520.
- CWE/Problem mapping is updated on 62 problems, and the problems are tied to their closest CWE weaknesses.
Added Tasks
- T508: Require authentication for accessing Hypercat catalogues and resources
- T509: Protect the integrity of Hypercat catalogues and resources
- T510: Test if authentication is enforced on Hypercat catalogues
- T511: Test if Hypercat resources have license and access control metadata
- T512: Restrict access to opener in the opened window
- T513: Verify that access to opener is restricted in opened window
Updated Task Amendments
- TA751: Use strong encryption algorithms if credit card information is transmitted (I399 turned into amendments)
Added Task Amendments
- TA752: Privacy consideration for personal health information
Added HowTo's
- I520: Enabling authentication in MongoDB
- I521: Using authentication metadata in Hypercat
- I522: Use digital signatures in Hypercat catalogues
Updated Problems
- P752: Missing support for integrity checks on important data and configuration files (updated the text)
Added Problems
- P792: Possibility of access to an opener page from an opened page in HTML/JavaScript
Added Glossary Items
- Log
Changes to Project Properties and Profiles
- Created "Q324: NoSQL Database" under "Q253: Involved components".
- Created "A1126: MongoDB" under "Q324: NoSQL Database".
- Created "A1127: Uses Hypercat Protocol" under "Q186: Application layer protocols used"
- Removed "Q247: Version(s) of iOS the app is maintained for" question from "Q246: Mobile Technologies" section.
Updated T186, w/ latest security patch level for third party libraries
- Rails (updated text)
- Django
- Spring
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache Wicket
- Apache MyFaces
- Java
- Bouncy Castle
- Unix/Linux bash
- Node.js
- AngularJS

4.0

New Features and Improvements:

A refreshed UI and numerous UX improvements. Expect these improvements throughout the site over the coming months.
The dashboard has been radically changed to present more useful information on login.
Task-relevant training modules from Security Compass can be delivered via SD Elements for a learn-as-you-go approach to training. (Requires clients have a training license.)
Create Project Settings via APIv2
Allow customization of the default Task Status
The Business Unit endpoint now responds to DELETE requests.
Major improvements to our support of unicode character sets.
Added an assigned tasks to APIv2.
Added a user activity log endpoint to APIv2

Content additions and updates:

Compliance Regulations:
- NIST Guide to Industrial Control Systems (ICS) Security (NIST 800-82) controls are added
- PCI/PA DSS compliance regulations are updated to v3.2.
- Common Weakness Enumeration (CWE) set is updated to v2.9.
Updated Tasks
- T38: Bind variables in SQL statements (added a note for SQL query sanitization)
- T60: Only use approved cryptographic algorithms and key lengths (promoted use of CBC instead of ECB)
- T166: Use secure JSON format (title change)
- T167: Test that the application is not vulnerable to JSON Hijacking (title change)
- T337: Include a 'break glass' feature that enables emergency functions (change to title and minor changes to the text)
- T340: Use an account and identity management system (title change)
- T364: Enable secure backup and restore capabilities (title change)
- T415: Develop features to allow verifying the authenticity of the product (change to title)
- T437: Include log reduction and report generation capabilities (change to the title and the text)
- T342: Inform and warn users about using critical services of the system (title change) [old: T342 Provide use notification for critical services of the system]
- T418: Enable sanitization module for AngularJS HTML user inputs (updated text and added server-side input validation note)
- T420: Avoid mixing user data with AngularJS templates (added $eval function usage note)
- T422: Verify that sanitization module is active for AngularJS HTML user inputs (updated text)
- T445: Verify that only approved cryptographic algorithms and key lengths are used (promoted use of CBC instead of ECB)
Added New Tasks
- T433: Design a fallback mechanism or a degraded mode for the system
- T434: Verify that the system has a fallback mechanism or a degraded mode
- T458: Keep Jabber server components local to the XMPP server
- T459: Remove factory default reset button or key metadata used for IoT device registration
- T460: Limit the length and the number of XMPP registration tags provided by IoT devices
- T461: Protect XMPP in-band registration
- T462: Limit the resources allocated to decompression of XMPP stanzas
- T463: Verify that Jabber server components are local to the XMPP server
- T464: Verify that IoT device registration using XMPP cannot be reinitiated
- T465: Test that the length and the number of XMPP registration tags provided by IoT devices are limited
- T466: Verify that XMPP's in-band registration cannot be spammed
- T467: Test that the resources allocated to decompression of XMPP stanzas are limited
- T468: Develop an RFID usage, safety and privacy policy
- T469: Verify that the established RFID usage, safety and privacy policies are enforced
- T470: Enforce physical access control in RFID systems
- T471: Verify that adequate physical access control is enforced in RFID systems
- T472: Authenticate the RFID reader before sending sensitive data or executing a command
- T473: Verify that RFID tags authenticate reader
- T474: Authenticate RFID tags
- T475: Check the integrity of RFID readings at the backend
- T476: Verify that the integrity of RFID readings is checked at the backend
- T477: Check the integrity of RFID data in transit and on tags
- T478: Verify that the integrity of RFID data in transit and on tags is checked at the reader
- T479: Mitigate the risks of RFID missed identifications
- T480: Include a tamper resistance feature for RFID tags
- T481: Verify that RFID tags are equipped with tamper resistance features
- T482: Secure password-based authentication for RFID tags
- T483: Verify the security of RFID password scheme
- T484: lock the memory of RFID tags
- T485: Sign the audit records for non-repudiation
- T486: Verify that audit records are signed to enable non-repudiation
- T487: Minimize the amount of data (especially unencrypted data) stored on RFID tags
- T488: Verify that RFID tags hold minimum required data
- T489: Minimize the information revealed by RFID tag identifiers
- T490: Verify that non-revealing identifiers are assigned to RFID tags
- T491: Include a shielding feature for RFID tags and tag containers
- T492: Test that a shielding feature is included in the design of RFID system
- T493: Design a secure process for disposal of RFID tags
- T494: Verify that a secure process is designed for disposal of RFID tags
- T495: Send sensitive data in cover-coded mode on forward channel
- T496: Encrypt sensitive data on forward and back (reverse) RFID channels
- T497: Verify that sensitive data is protected on the forward and back (reverse) channels
- T498: Determine and adjust the parameters of RF transmission
- T499: Implement a temporary activation feature on tags
- T500: Test the temporary activation feature on tags
- T501: Protect RFID authentication system against relay attacks
- T502: Limit MQTT broker resource consumption
- T503: Verify that MQTT broker resource consumption is restricted
- T504: Check the integrity of MQTT messages
- T505: Secure iOS in-app purchases
- T506: Verify that iOS in-app purchases are securely implemented
Added Task Amendments
- 30 new Task Amendments related to "NIST 800-53"
- 110 new Task Amendments related to "NIST 800-82"
- TA695: AngularJS ng-csp Directive
- TA696: Inform users of the operation of RFID system and other security/privacy concerns
- TA697: Alternative methods and fallback mechanisms for RFID Systems
- TA698: Test that the RFID backend is immune to flooding
- TA699: RFID Privacy Considerations
- TA700: MQTT - Transport Encryption
- TA701: MQTT - Payload Encryption
- TA702: MQTT - Disabling SYS-Topics
- TA703: MQTT - Storing client secrets
- TA704: MQTT - Client identifier assignment
- TA705: MQTT - Anonymous clients
- TA706: MQTT - Access Control List
- TA749: Preventing JSON Hijacking in AngularJS
Updated Problems
- P749: Opportunity for disclaimer and lack of means to achieve non-repudiation (change of title, more emphasis on non-repudiation in the text)
- P750: Denial of Service (DoS) (removed 'due to resource starvation' and added new reasons for denial of service)
Added Problems
- P783: Missing TLS and SASL Support in XMPP Server Components
- P784: IoT device hijacking through re-initiating device registration
- P785: Missing Authentication in XMPP In-band Registration
- P786: Lack of enforced usage, safety and privacy policies (for an RFID system)
- P787: Improper authentication of RFID tags/readers and possibility of spoofing
- P788: Possibility of tampering and lack of mechanisms to check the integrity of RFID data
- P789: Disclosure of sensitive information by RFID tags or readers
- P790: Possibility of relay attacks
Added HowTo's
- I516: AngularJS - HTML input sanitization
- I517: A challenge response authentication method based on HMAC for RFID tags
- I518: Authentication of RFID tags using HMAC
- I519: String Sanitization in Rails
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring Framework
- Struts
- Apache Tomcat
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Apache Wicket
- Apache MyFaces
- Java
- Unix/Linux Bash
- AFNetworking Library
- Node.js
- AngularJS
Changes to Project Properties and Profiles
- Added "NIST 800-82" related questions and answers under "Compliance Requirements - Industrial and Control Systems" Section.
- Promoted "Protocols" Question to its own new upper level "S23: Protocols" Section.
- Added "Application Layer" Question under the new "S23: Protocols" Section.
- Updated "Q186: Communication protocols used" to "Q186: Application layer protocols used".
- Updated "A758: Has direct authentication for end users, devices or nodes"
- Updated "A761: Expand the scope to include a server side in the application (read the description)"
- Updated "A1077: Embedded system or hardware solution"
- Created "A1112: Uses an XMPP-based Protocol" under "Q186: Application layer protocols used".
- Created "Q269: XMPP-based protocols used" under "Q186: Application layer protocols used".
- Created "A1115: Uses XMPP-XEP-347 (Internet of Things - Discovery)" under "Q269: XMPP-based protocols used".
- Created "Q272: Internet of Things (IoT)" under "Features and Functions" Section.
- Created "Q268: IoT features" under "Q272: Internet of Things (IoT)".
- Created "A1114: Device registration and discovery" under "Q268: IoT features".
- Created "A1121: Uses radio frequency (RF) transmission (RFID/NFC)"
- Created "A1122: Requires non-repudiation"
- Created "A1123: Modifying RFID/NFC tags' physical/hardware features is in scope"
- Created "A1124: RF system design and parameter adjustment tasks are in scope"
- Created "A1125: Uses MQTT Protocol"

3.9

New Features and Improvements:

Create Project Settings via APIv2
Allow customization of the default Task Status
The Business Unit endpoint now responds to DELETE requests.
Major improvements to our support of unicode character sets.
Added an assigned tasks to APIv2.
Addd a user activity log endpoint to APIv2

Content additions and updates:

Compliance Regulations:
- NIST Guide to Industrial Control Systems (ICS) Security (NIST 800-82)
Updated Tasks
- T60: Only use approved cryptographic algorithms and key lengths (promoted use of CBC instead of ECB)
- T445: Verify that only approved cryptographic algorithms and key lengths are used (promoted use of CBC instead of ECB)
Added New Tasks
- T433: Design a fallback mechanism or a degraded mode for the system
- T434: Verify that the system has a fallback mechanism or a degraded mode
- T458: Keep Jabber server components local to the XMPP server
- T459: Remove factory default reset button or key metadata used for IoT device registration
- T460: Limit the length and the number of XMPP registration tags provided by IoT devices
- T461: Protect XMPP in-band registration
- T462: Limit the resources allocated to decompression of XMPP stanzas
- T463: Verify that Jabber server components are local to the XMPP server
- T464: Verify that IoT device registration using XMPP cannot be reinitiated
- T465: Test that the length and the number of XMPP registration tags provided by IoT devices are limited
- T466: Verify that XMPP's in-band registration cannot be spammed
- T467: Test that the resources allocated to decompression of XMPP stanzas are limited
Added New Task Amendments
- 68 new Task Amendments related to "NIST 800-82"
Updated Problems
- P749: Opportunity for disclaimer and lack of means to achieve non-repudiation (change of title, more emphasis on non-repudiation in the text)
- P750: Denial of Service (DoS) (removed 'due to resource starvation' and added new reasons for denial of service)
Added New Problems
- P783: Missing TLS and SASL Support in XMPP Server Components
- P784: IoT device hijacking through re-initiating device registration
- P785: Missing Authentication in XMPP In-band Registration
Changes to Project Properties and Profiles
- Added "NIST 800-82" related questions and answers under "Compliance Requirements - Industrial and Control Systems" Section.
- Promoted "Protocols" Question to its own new upper level "S23: Protocols" Section.
- Added "Application Layer" Question under the new "S23: Protocols" Section.
- Updated "Q186: Communication protocols used" to "Q186: Application layer protocols used".
- Created "A1112: Uses an XMPP-based Protocol" under "Q186: Application layer protocols used".
- Created "Q269: XMPP-based protocols used" under "Q186: Application layer protocols used".
- Created "A1115: Uses XMPP-XEP-347 (Internet of Things - Discovery)" under "Q269: XMPP-based protocols used".
- Created "Q272: Internet of Things (IoT)" under "Features and Functions" Section.
- Created "Q268: IoT features" under "Q272: Internet of Things (IoT)".
- Created "A1114: Device registration and discovery" under "Q268: IoT features".

3.8

New Features and Improvements:

Add APIv2 Activity Log endpoint
Add (read-only) APIv2 Project Settings endpoint
Add APIv2 Server Information endpoint
Add APIv2 Product Information endpoint (version, connections, etc)
Add APIv2 Tags endpoint
Add APIv2 Project Tags endpoint — users can tag projects via the API.
Remember report preferences (previous selections) per-user
The APIv2 Business Unit endpoint is now writeable (users can create and update business units)
Add web services integration for ThreadFix
Update the APIv2 Project endpoint to include: profile image url, first and last name of users in the project.
Update Business Unit, Application, Project APIv2 endpoints so they can be searched.
Support "option"-based custom fields in Jira
Fix Unicode rendering bug in some PDF project reports.

Content additions and updates:

Compliance Regulations:
- NIST Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53)
Updated Tasks
- T176: Apply principles of privacy when handling personal information (added ref/link to PIPEDA Privacy Principles)
- T331: Enforce policies through content security policy (CSP) headers (added 'sandbox' for 'iframe')
- T345: Check the integrity of critical configuration and data files (added notification and automated response requirements)
- T371: Provide unified and manageable interfaces to security settings and configuration parameters (added examples and reference to standard benchmarks)
Added Tasks
- T453: Perform security function verification on a regular basis
- T454: Verify the performance of security function verification process
- T456: Disable unnecessary services and capabilities
- T457: Verify that unnecessary services and capabilities are disabled
Updated HowTo’s
- I420: Java or Android Keystore (updated to use PBKDF2WithHmacSHA512 instead of PBKDF2WithHmacSHA1, Improved code and text)
Added HowTo's
- I514: iOS Universal Links
- I515: SSL/TLS with C/C++
Added Task Amendments
- 97 new Task Amendments related to "NIST 800-53"
Added Problems
- P781: Lack of security function verification
- P782: Running with Excessive Functionalities and Capabilities
Changes to Project Properties and Profiles
- Added "NIST 800-53" related questions and answers under "Compliance Requirements - Compliance Scope: Other" section.
- Disabled "A1096: Provides a non-web command and control interface".
- Created "Q271: Interfaces and APIs" under "Features and Functions" section.
- Created "Q270: Interfaces and APIs provided" under Q271.
- Moved "A754: Provides web services or external APIs" from "Q253: Components" to Q270.
- Renamed "Q262: Update and Dependency" to "External Dependencies"
- Disabled "Q192: Needs elevated execution privileges" and moved "A723: Yes" to "Q214: Miscellaneous" and renamed it to "Needs elevated execution privileges".
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS
- OpenSSL
- Apache HTTP Server
- Spring Framework
- Struts
- Apache Tomcat
- Apache MyFace
- Java
- AFNetworking Library
- Node.js
- AngularJS

3.7

New Features and Improvements:

Support AppScan Triage indicators in scanning results.
Create a web services integration for AppScan enterprise.
Rally Integration is now known as CA Agile Central.
Support for priority field when syncing with CA Agile Central.
The compliance / regulations report also displays tasks that are associated with a regulation, but are not applicable for the particular project.
Tasks can be filtered by regulations on a project's tasks page.
Expose regulations via APIv1 and APIv2.
Add a regulations widget to the task details page: view the regulations associated with a task.
Enable Epic support in Jira.
Display tags to built-in reports.
Allow notes to be included, excluded, or partially included in built-in reports.
Display the last update timestamp for each task in the all tasks report.
Allow built-in reports to be filtered by phase.
Improve PDF rendering of all the built-in reports.

Content additions and updates:

Updated Tasks
- T61: Disable default accounts or change all default passwords
- T160: Avoid relying on jailbreak or root detection as a strong security measure
- T265: Handle requests made through iOS URL schemes or Universal Links securely
- T323: Test that default accounts are disabled or default passwords are changed
- T399: Separate delegated payment pages from the rest of the application
- T400: Test that delegated payment pages are distinguished from the rest of the application
- T404: Avoid setting broad paths and domains on session cookies
- T425: Check the authenticity of external devices/applications
- T443: Protect peripheral devices against malicious remote activation
Added Tasks
- T447: Secure Android in-app purchases
- T448: Verify that Android in-app purchases are securely implemented
- T449: Manage the visibility of information and actions in iOS 3D touch preview window
- T450: Test that access to the items on the iOS 3D Touch preview is adequately restricted
- T451: Disable index and search capabilities for confidential content on iOS
- T452: Verify that index and search capabilities are disabled for confidential content on iOS
Updated HowTo’s
- I293: iOS Network Communications Encryption
- I275: iOS Certificate Validation - HTTP-based protocols
- I429: Using iOS Keychain services for secure data storage
- I431: Test that entries are securely stored in iOS Keychain
- I480: iOS UIWebView
Added HowTo's
- I510: iOS Certificate Validation - Direct SSL
- I511: iOS session cleanup
- I512: iOS - Temporary Camera Files
- I513: iOS - Disabling auto-correction and keyboard extensions
Updated Problems
- P718: Jailbreak or root detection can be circumvented
- P765: Insufficient separation of payment service provider pages from the rest of the application
Added Problems
- P780: Information Leak Through Indexing and Searching
Added Task Amendments
- TA281: Android preparation for release and final APK
- TA282: Android auto-backup of application data
- TA283: Verifying Android auto-backup of application data
- TA284: Android Fingerprint Authentication
Added Glossary Items
- G24: Setup direct file system access on iOS
Changes to Project Properties and Profiles
- A question about in-app-purchases was added under mobile features
- Dynamic class loading and remote function call, was explained and tied to rich client applications
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Django
- Spring
- GnuTLS
- OpenSSL
- Java
- Node.js
- Angular.js

3.6

New Features and Improvements:

Add support for customizing compliance regulations and sections.
- Users can create new compliance regulations, and new sections.
- Users can add new sections to SDE's official compliance regulations.
- Users can mark tasks as belonging to any compliance regulation section, both custom and official.
Add suport for timestamp based ALM syncing with Jira 6.
Upgrade the web application framework (Django) to latest long term release.
Smarter UX around "remote" integrations.
When syncing with ALMs we store absolute URLs, rather than relatives ones.
Fix issue where downloading the global activity log would produce an empty file.
Fix various issues with syncing tasks to ALMs that contain unicode characters.

Content additions and updates:

Updated Tasks
- T20: Generate unique session ID and invalidate old ID after authentication
- T49: Remove/disable unused, test or debug code and data
- T59: Use standard libraries for cryptography
- T60: Only use approved cryptographic algorithms and key lengths
- T86: Test session ID uniqueness and rotation after authentication
- T189: Minimize use of unmanaged (native) code
- T248: Protect secret keys and passwords in the application
- T249: Verify that keys and passwords are protected in the application
- T304: Verify that unique device IDs are treated as personally identifiable information
- T347: Fail to a known state with predefined outputs
Added New Tasks
- T443: Protect remote device activation capabilities
- T444: Verify that peripheral devices are protected against malicious remote activation
- T445: Verify that only approved cryptographic algorithms and key lengths are used
- T446: Verify that only standard libraries are used for cryptography
Added Task Amendments
- TA278: Using cryptography libraries with Android native code
- TA279: Checking the cryptography libraries that are used with Android native code
- TA280: Unique device IDs in Android
Updated HowTo's
- I264: Android secure channel and certificate validation
- I420: Java or Android Keystore
Updated Problems
- P218: Use of hard-coded or insecurely stored passwords and secret keys
- P379: Leftover debug code or unnecessary files
Added Problems
- P779: Improper protection of remotely accessible devices
Added HowTo's
- I509: Storing cryptographic keys and data
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS
- OpenSSL
- Django
- Rails
- Spring Framework
- Apache Wicket
- Node.js
Merged the following items to eliminate duplication. Match conditions and content are updated to reflect changes:
- P713: Hard-coded secret key or password on client removed and merged into P218: Use of hard-coded or insecurely stored passwords and secret keys
- T149: Avoid hard-coded secret keys or passwords on client removed and merged into T248: Protect secret keys and passwords in the application
- T172: Test that secret keys or passwords are not hard-coded into client removed and merged into T249: Verify that keys and passwords are protected in the application

3.5

Content additions and updates:

Updated Tasks
- T36: Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript
- T45: Log potential security-critical events
- T66: Prevent web pages from being loaded inside iframe (frame busting)
- T71: Capture sufficient information for each user transaction
- T197: Sign the code and verify the origin and integrity of remote code with digital signatures
- T232: Verify that end-user transaction logs capture sufficient information
- T244: Securely delete any unprotected sensitive data before a resource is released or shared
- T270: Follow best practices for storing application data on Android devices
- T296: Test that unencrypted confidential data is not stored on client
- T347: Fail to a known state with predefined outputs
- T348: Verify that the system fails to a known state
- T349: Protect audit information and logs against unauthorized access
Added New Tasks
- T347: Fail to a known state with predefined outputs
- T348: Verify that the system fails to a known state
- T431: Design the response to logging and other minor failures
- T432: Test that logs and other minor failures are securely handled
- T435: Prevent web browsers from MIME sniffing
- T436: Verify web browsers are prevented from MIME sniffing
- T437: Provide log reduction and report generation capabilities
- T438: Verify that log reduction and report generation capabilities exist
- T439: Verify that the origin and integrity of remote code and updates are checked
- T440: Follow best practices of managing Android permissions
- T441: Ask for Android permissions at runtime
- T442: Verify that Android permissions are properly managed
Updated HowTo’s
- I264: Android certificate validation
- I269: Using encrypted channel in Android
- I286: Apache frame busting prevention
Added HowTo's
- I505: Apache MIME sniffing prevention
- I506: Apache XSS protection
- I507: Java Object Serialization
Updated Problems
- P384: Remote code execution without origin and integrity check
- P697: Clickjacking
- P751: Failing to an unknown state with unpredictable behavior
- P762: Lack of fault tolerance or having single point of failure
Added Problems
- P776: MIME Type Confusion
- P777: Insufficient log reduction and report generation
- P778: Lacking proper strategy for management of Android permissions
Updated Task Amendments
- TA24: Zone boundary protection, ANSI/ISA 62443
Added Task Amendments
- TA274: Dynamic Class Loading in Java/Android
- TA275: Verifying dynamic class loading in Java/Android
- TA276: Test serialized objects
Changes to Project Properties and Profiles
- "Update" and "Dependency" (remote call) questions were reorganized and added under "Features and Functions"
Updated T186, w/ latest security patch level for third party libraries
- Java (Apache Common Collection note was added)
- GnuTLS
- OpenSSL
- Apache Tomcat
- Spring
- Django
- Rails
- Apache Wicket
- Apache MyFaces
- Bouncy Castle
- AFNetworking Library
- Node.js
- AngularJS

3.4

New Features and Improvements:

Superusers can now flag a task status as requiring a comment from a user before it can be selected on a project's task page.
Improvements to the layout of project reports. In addition the Project Settings section has been moved to the end of the reports.
Add support for Checkmarx Remote API.
Add support for syncing with VersionOne.
Add support for multiple transitions when syncing projects with Jira.
Add support for flagging connections as being inaccessibly from SDE (connections to be run by the external sync tool)
when creating a new release of a project you can now carry over your integrations to external systems.
Better warnings when deleting survey sections and subsections which contain questions.
The sdetools library now uses APIv2.
Add an APIv2 endpoint for running sdetools commands.
Add a manual/automatic flag to task notes to differentiate between those created by a person versus those created programatically.
Customers with a dedicated SD Elements server can add a custom header and footer to all reports.
Tighter integration with supported Security Compass computer based training modules (for customers who are paying for this service).
User creation is now recorded in the activity log.
Numerous improvements to the APIv2 endpoints.

Content additions and updates:

Updated Tasks
- T6: Implement account lockout or authentication throttling
- T14: Principle of least privilege
- T24: Enforce idle session timeout
- T26: Destroy sessions on logout
- T70: Implement account lockout or authentication throttling for system accounts
- T81: Test account lockout
- T90: Test idle session timeout
- T188: Avoid storing cached confidential data in flash memory
- T272: Restrict access to the application's exported components (Android)
- T307: Verify that confidential data is not cached in flash memory
- T324: Follow best security practices when using UIWebView (iOS)
- T338: Control access to the resources through user authentication and authorization
- T340: Provide an account and identity management system
- T342: Provide use notification for critical services of the system
- T343: Test that proper system use notification is displayed or sent for critical features
- T384: Verify that UIWebView is securely used (iOS)
Added New Tasks
- T404: Avoid setting broad paths and domains on session cookies
- T405: Verify that broad paths and domains are not set on session cookies
- T406: Secure symmetric key authentication
- T407: Verify that symmetric key authentication is secure
- T408: Set secure flag on Android Activities with sensitive content
- T409: Test that Android Activities with sensitive content set secure flag
- T410: Manage use of third-party keyboards with sensitive data
- T412: Test that use of third-party keyboards is managed
- T415: Provide proof of authenticity for the device/application
- T416: Test that the device/application provides proof of authenticity
- T417: Sanitize inputs used with strict contextual escaping (SCE) trustAs functions
- T418: Enable sanitization module for AngularJS HTML user inputs
- T419: Make sure strict contextual escaping (SCE) is enabled in AngularJS
- T420: Avoid mixing user data with AngularJS templates
- T421: Verify that inputs used SCE trustAs functions are sanitized
- T422: Verify that sanitization module is enabled for AngularJS HTML user inputs
- T423: Disable copying on Android text fields with sensitive data
- T424: Test that copying is disabled on text fields with sensitive data
- T425: Check the authenticity of external devices/applications
- T426: Verify that the authenticity of external devices/applications is properly checked
- T427: Implement previous logon (access) notification
- T428: Test that the system provides previous logon (access) notifications
- T429: Limit the number of concurrent sessions for each account
- T430: Test that the number of concurrent sessions for each account is limited
Updated HowTo’s
- I480: iOS UIWebView
Added HowTo's
- I495: Setting FLAG_SECURE for Android Activity
- I496: Android third-party keyboards
- I499: Anti CSRF tokens in AngularJS
- I500: Disabling copying capability of Android text fields
Updated Problems
- P384: Download of code without origin and integrity check
- P504: Insufficient Session Expiration
- P749: Opportunity for disclaimer and denial of responsibility
Added Problems
- P767: Setting broad domains or paths on session cookies
- P768: Weak symmetric-key authentication
- P769: Leak of sensitive data through Android snapshot and screen capture
- P770: Leak of sensitive data through Android third party keyboards
- P771: Leak of sensitive data through Android clipboard
- P774: Inadequate Logon Activity Monitoring And Notification
- P775: Lack of Concurrent Session Control
Added Task Amendments
- TA266: Account and Identity Management, ANSI/ISA 62443
- TA273: Strength of symmetric-key authentication, ANSI/ISA 62443
Added Glossary Items
- Metadata, Unstructured Data, Essential Function
Changes to Project Properties and Profiles
- Symmetric key authentication was added to authentication methods
- AngularJS was added under Technology/Platform in 'Programming language' tab
- Architecture/Component section was split to two sections(Architecture/Environment and Components)
- Has remote code execution question was added to Dependencies section in Features and Functions->Other Features
- 'Application runs at a higher access level than its users' was moved to Architecture/Environment section (new section)
- 'Kinds of users' was moved to Architecture/Environment section (new section)
Updated T186, w/ latest security patch level for third party libraries
- I296: Rails
- I297: Django
- I298: Spring Framework
- I299: Struts
- I300: Apache Tomcat
- I361: GnuTLS
- I362: OpenSSl
- I363: Apache HTTP Server
- I364: Apache Wicket
- I366: Java
- I481: AFNetworking Library
- I503: Node.js
- I504: AngularJS

3.3

New Features and Improvements:

Add support for custom project attributes: users can add additional fields to the project creation form, which are stored along with the basic project fields of name and description.
Add support for custom project creation workflow: users can create plugins that pull project data from external sources.
New verification integration with Checkmarx (beta release).
Update Veracode import to support service connection.
Add support for custom verification mappings.
Return 503 error when site is down for maintenance.

Content additions and updates:

Updated Tasks
- T159 Avoid returning unnecessary details in error messages
- T281: Follow best practices when handling access tokens (API tokens)
- T83: Verify transactional authorization and screening
- T9: Implement high-risk transaction authorization and screening
Added New Tasks
- T281: Follow best practices when handling access tokens (API tokens)
- T394: Secure one time passwords (OTP)
- T395: Verify that one time passwords (OTP) are securely used
- T396: Set maximum limits for authorized transactions
- T397: Test the limits of authorized transactions
- T399: Separate payment processes from normal business of the application
- T400: Test that payment processes are distinguished from normal business of the application
- T401: Provide users with sufficient information about payments and balances
- T402: Test that information provided about payments and balances is adequate
- T403: Verify that error messages do not reveal unnecessary information
Updated HowTo’s
- I102: ASP.NET standard encoding format for all HTML content
- I109: ASP.NET use cookies for session IDs
- I118: ASP.NET / C# encryption libraries
- I121: ASP.NET forms authentication protection
- I305: ASP.NET HTTP server parameters

Added HowTo's
- I494: WCF Service Security Audit
Updated Problems
- P698: Inadequate transaction-specific authorization and transaction monitoring
- P757: Missing clear specification of security assumptions and capabilities
- P105: Information Exposure through an Error Message
Added Problems
- P764: Insecure one-time passwords (OTP)
- P765: Insufficient separation of payment processes from normal business of the application
- P766: Failure to provide users with sufficient transaction and account information
Added Task Amendments
- TA245 to T263: EBA-Security of Internet Payments Notes for various tasks (19 task amendments)
Added Glossary Items
- WSDL, SAML, Active Directory Federation Services (ADFS), Low value payments (payment services directive), Strong Customer Authentication
Changes to Project Properties and Profiles
- One time password (OTP) question was added
- Changes to financial application questions
- EBA-Security of Internet Payments question was added

3.2

New Features and Improvements:

Expanded APIv2 with several new endpoints, including:
- Task notes
- Task changes in projects
- Library endpoints (Problems & Tasks)
- Users can now select a project's profile when creating new projects
Users can now filter Project Reports by Business Unit
Small UI tweaks throughout SDElements to improve the look and feel of the application

Content additions and updates:

Updated Tasks
- T335: Sanitize user input before passing to NoSQL operators
- T336: Verify that no unsanitized user input is passed to NoSQL operators
- T45: Log potential application security events
- T71: Capture sufficient information for each end-user transaction
- T232: Verify that end-user transaction logs capture sufficient information
- T315: Verify that potential security-critical events are logged
- T349: Protect audit information and logs against unauthorized access
- T350: Verify that audit information is sufficiently protected
- T139: Use secure channels to transmit protected health information on the Internet
- T175: Test that the client validates digital certificates
- T197: Sign the code and verify the origin and integrity of remote code with digital signatures
Updated HowTo’s
- I5: Centralize authorization using AccessController interface of ESAPI
- I6: Authorize every page using ESAPI AccessController interface
- I8: Java EE with ESAPI: Invalidate old session ID
- I33: Java EE with ESAPI: Perform input validation on all forms of input
- I44: Java EE with ESAPI: Escape untrusted data
- I49: Java EE with Spring MVC: Escape untrusted data
- I54: Java EE with ESAPI: Disallow carriage returns in HTTP response headers
- I55: Java with ESAPI: Use XML encoding
- I57: Java EE with ESAPI: Use Lightweight Directory Access Protocol (LDAP) encoding
- I59: Java with ESAPI: Avoid unsafe operating system interaction
- I65: Java EE with ESAPI: HTML entity encode validation error messages
- I66: Java EE with ESAPI: Use indirect object reference maps if accessing files
- I68: Java with ESAPI and Jasypt: Use standard libraries for encryption
- I70: Java with ESAPI: Protect passwords in property and configuration files
- I127: Java EE with Spring MVC: anti cross site request forgery (CSRF) tokens
- I128: Java EE with Spring MVC: Perform input validation on all forms of input
- I252: JavaScript with ESAPI: Avoid DOM-based cross site scripting (XSS)
- I81: ASP.NET / C# secure data transmission
- I77: ASP.NET WSDL Access Restriction
- I79: ASP.NET Debug Mode
- I80: ASP.NET Global Error Handling
- I84: ASP.NET Tracing
- I82: ASP.NET absolute session timeouts
- I83: ASP.NET HttpOnly flag
- I86: ASP.NET Request Form Validation
- I87: ASP.NET with Membership provider
- I89: ASP.NET / C# centralized authorization
Added HowTo's
- I485: WCF WSDL Access Restriction
- I486: WCF Debug Mode
- I487: WCF global error handling
- I488: WCF secure data transmission (Transport Security)
- I489: WCF secure data transmission (Message Security)
- I490: WCF authorization approaches
- I491: WCF service endpoint identity verification
- I492: Restricting Impersonation with WCF - C#
- I493: WCF - Use of local issuer
Updated Problems
- P762: Single point of failure
- P384: Download of code without origin and integrity check
- P747: Improper Neutralization of Special Elements used in a NoSQL Command ('NoSQL Injection')
Updated Task Amendments
- TA24: Zone boundary protection, ANSI/ISA 62443
Added Task Amendments
- TA214: Releasing resources, ANSI/ISA 62443 (for T244)
- TA215: Verification of proper release of resources, ANSI/ISA 62443 (for T245)
- TA215: Protection of logs, ANSI/ISA 62443 (for T349)
- TA216: Verification of log protection, ANSI/ISA 62443 (for T350)
- TA216: PCI/PA DSS Notes for T1
- TA217: PCI/PA DSS Notes for T3
- TA218: PCI/PA DSS Notes for T4
- TA219: PCI/PA DSS Notes for T5
- TA220: PCI/PA DSS Notes for T6
- TA221: PCI/PA DSS Notes for T7
- TA222: PCI/PA DSS Notes for T60
- TA223: PCI/PA DSS Notes for T68
- TA224: PCI/PA DSS Notes for T77
- TA225: PCI/PA DSS Notes for T80
- TA226: PCI/PA DSS Notes for T90
- TA227: PCI/PA DSS Notes for T133
- TA228: PCI/PA DSS Notes for T134
- TA229: PCI/PA DSS Notes for T135
- TA230: PCI/PA DSS Notes for T136
- TA231: PCI/PA DSS Notes for T154
- TA232: PCI/PA DSS Notes for T159
- TA233: PCI/PA DSS Notes for T244
- TA234: PCI/PA DSS Notes for T245
- TA235: PCI/PA DSS Notes for T246
- TA236: PCI/PA DSS Notes for T248
- TA237: PCI/PA DSS Notes for T249
- TA241: WCF - Use X509 Certificates Instead of NTLM
- TA242: Impersonation and Delegation with WCF
- TA243: WCF - SAML token size quotas
- TA244: Session timeout for SSO
Added Glossary Items
- WSDL, SAML, Active Directory Federation Services (ADFS)
Changes to Project Properties and Profiles
- WCF Framework added under ".NET application framework used"

3.1

New Features and Improvements:

Add ALM syncing support for Team Foundation Server (Visual Studio Online)
Custom Field support for IBM Rational Team Concert.
Carry over notes when creating new releases.
Download the SD Elements problems and tasks in a CSV format from the customize tasks page.
Drop view all users and groups permission. (Assigning users to a project now depends on the users within the project's business unit.)
Add read-only API v2 Business Units endpoint.
Add read-only API v2 Project Roles endpoint.
Assign users to projects via API v2.
Speed up the tasks edit page.

Content additions and updates:

Compliance Regulations:
- CWE/SANS Top 25 Most Dangerous Software Errors

Updated Tasks
- T278: Follow best security practices when using WebView (Android)
- T310: Verify that WebView is securely used (Android)
- T272: Restrict access to the application's exported components (Android)
- T290: Verify that Android permissions are properly checked
- T324: Follow best security practices when using UIWebView (iOS)
- T265: Handle requests made through iOS URL schemes securely

Added New Tasks
- T382: Manage the visibility of actions and information in the Android notification area
- T383: Test that access to items in the Android notification area is adequately restricted
- T384 Verify that UIWebView is securely used (iOS)

Added Task Amendments
- TA149 to TA213 (DIACAP Notes) are created and linked to relevant tasks.

Updated HowTo's
- I405: Using Permissions for Access Control
- I425: iOS Auto-correction Types
- I426: iOS Pasteboards
- I429: Using iOS Keychain Services for Secure Data Storage
- I480: iOS UIWebView
- I292: Handle requests made through iOS URL schemes securely - iOS Inter-App Communication

Added HowTo's
- I482: iOS data encryption with PBKDF2

Added Problems
- P758: Improper validation of content of an Android Intent
- P759: Improper authorization of source of an Android Intent
- P760: Improper verification of source and content of URL schemes
- P761: Use of WebView without sufficient protection

Updated Problems
- P203: Missing Authentication for Critical Functions
- P721: Insecure IPC Handling
- P601: Use of a one-way hash without a proper salt

Added Glossary Items
- Password-Based Key Derivation Function 2 (PBKDF2)

Changes to Survey
- WebView was added under mobile technologies to the survey.
- Zones and channels/conduits answer was added under the industrial and control systems.

3.0

New features and improvements:

Applications can now be organized in to business units.
- A business unit can be open to all users, or locked down to a particular set of users.
- You can indicate that a particular set of users in a business unit should always be assigned to projects created within that business unit.
WhiteHat Security and Fortify SSC security tool imports can now be run periodically, similar to the existing ALM sync functionality.
Answers to questions can now be re-ordered when customizing project settings.
When creating a new release of a project the user can decide whether to carry of the status of tasks from particular phases.
Users can be created via the API v2 users endpoint.

Content additions and updates:

Compliance Regulations:
- Manufacturer disclosure statement for medical device security (MDS2)
- Department of defense information assurance certification and accreditation process (DIACAP)
- OWASP Top Ten 2013 (and CWE 929-938 categories)
Common Weakness Enumeration (CWE) set is updated to v2.8.
Updated Tasks
- T15: Centralize authorization
- T24: Enforce idle session timeout
- T61: Disable default accounts or change all default passwords
- T128: Test for access control bypass through user-controlled keys
- T146: Use encryption for network communications in the mobile environments
- T168: Prevent auto-snapshot feature of iOS from saving sensitive data
- T187: Test if the app prevents leaking of sensitive data via auto-snapshot feature of iOS
- T253: Protect TLS/SSL communication
- T254: Test that TLS/SSL communication is protected
- T261: Manage iOS Pasteboards that are used with sensitive data
- T265: Handle requests made through iOS URL schemes securely
- T266: Verify that iOS URL schemes are securely handled
- T290: Verify if Android permissions are properly checked
- T292: Verify that iOS URL schemes are handled securely
- T313: Identify and classify categories of personal and confidential information
- T314: Verify that personal and confidential information is identified and classified
- T323: Test that default accounts are disabled or default passwords are changed
- T324: Follow best security practices when using UIWebView (iOS)
- T337: Provide a 'break glass' feature for access to emergency functions
- T338: Control access to the resources through user authentication and authorization
- T364: Provide secure backup and restore capability
- T365: Verify the security of backing up and restoring procedures
- T366: Protect backup data against alteration and unauthorized access
- T370: Follow best security practices for using third-party and commercial off the shelf components
- T371: Provide unified and manageable interfaces to security settings and configuration parameters
Added New Tasks
- T347: Produce a predefined output in the event of failure
- T348: Verify that various units of the control system fail with a predetermined output
- T376: Follow these guidelines to fill out manufacturer disclosure statement for medical device security (MDS2) form
- T377: De-identify protected health information before using for a secondary purpose
- T378: Authorize every request for data objects
- T379: Provide sufficient documentation for security-related features
- T380: Verify that security documents are complete
- T381: Test break-glass procedures
Updated HowTo’s
- I254: iOS Auto-snapshot Prevention
- I273: iOS Password Mask
- I275: iOS Certificate Validation
- I278: iOS devices or emulators (iPhone/iPad)
- I292: iOS Inter-App Communication
- I293: iOS Network Communications Encryption
- I303: iOS Auto-snapshot Prevention Test
- I396: iOS Secure Textfield
- I425: iOS Auto-correction Types
- I426: iOS Pasteboards
- I429: Using iOS Keychain Services for Secure Data Storage
- I431: Test that entries are securely stored in iOS Keychain
Added HowTo's
- I480: iOS UIWebView
Updated Problems
- P182: Improper Access Control (Authorization)
- P257: Privacy Violation
- P693: Use of default passwords and accounts
- P748: Blocking of emergency actions or essential functions of a system
Added Problems
- P756: Lack of system transparency and control over configuration parameters
- P757: Missing clear specification of security parameters and capabilities

Updated Task Amendments
- TA26: Control system backup, ANSI/ISA 62443
- TA27: Control system recovery and reconstitution, ANSI/ISA 62443

Added Task Amendments
- TA32: Configurable idle timeout and auto-log off invocation capability, MDS2-2013
- TA33: Audit trails, MDS2-2013
- TA35: Access Control, ANSI/ISA 62443
- TA36: Authorization, MDS2-2013
- TA37: Obtaining unrestricted administrative privileges, MDS2-2013
- TA38: Configurable and machine readable security settings, ANSI/ISA 62443
- TA39: Protection of backups, ANSI/ISA 62443
- TA42: Automatic logoff, MDS2-2013
- TA43: Session time-out, PCI/PA DSS
- TA148: AFNetworking library
Added Glossary Items
- Setup Burp Suite, Import files into Eclipse, Import files into Visual Studio, Use Notification, Unauthenticated part of application, Island Mode, Fail Close, Protected Health Information (PHI), Individually Identifiable Health Information, Personally Identifiable Information (PII), Break-glass (mode and features), CRIME attack vector

Changes to Survey
- MDS2 and emergency operation questions were added and health care system questions were moved to a new subsection: 'Health Care Systems'.
- Questions about the applications' scope were added (client/server).
- A question about use of third-party or commercial off the shelf (COTS) components was added.
- department of defense information assurance certification and accreditation process (DIACAP) question was added.
Updated T186, w/ latest security patch level for third party libraries
- Java
- Apache MyFaces
- GnuTLS
- Apache Tomcat
- Struts
- Spring Framework
- AFNetworking Library

2.39

New features and improvements:

Scanning tool integration: Fortify SSC and WhiteHat Sentinel added as new sources for analysis.
Non-admin users now have access to a read-only view of the security content within SD Elements.
Small improvements to the API v2 Tasks endpoint.

Content additions and updates:

Compliance Regulations:
Updated Tasks:
- T6: Implement account lockout or authentication throttling
- T8: Consistent error handling for all authentication failures
- T16: Authorize every non-public page
- T21: Ensure confidential data is sent over an encrypted channel
- T31: Perform input validation on all forms of input
- T35: Fine-tune the HTTP server parameters
- T42: Avoid relying on untrusted data for server side page, view, or template selection
- T45: Log potential application security events
- T55: Validate all XML input
- T65: Restrict accepted HTTP verbs
- T71: Capture sufficient information for transactional audit logging
- T75: Use regular expressions that are not vulnerable to Denial of Service
- T82: Test authentication error consistency
- T84: Test page-level authorization
- T110: Test that users cannot supply XSLTs in XML digital signatures
- T113: Test that site is not vulnerable to HTTP verb tampering
- T119: Test for clickjacking
- T228: Test that the HTTP server parameters are fine-tuned
- T253: Protect TLS/SSL communication
- T254: Test that TLS/SSL communication is protected
Added New Tasks
- T373: Design and regulate access to unauthenticated parts of the application
- T374: Hand over parts of the HTTP request-handling to the operating system or security modules
- T375: Release resources when no longer needed
Updated HowTo's
- I40: Fine-tune the HTTP server parameters - Apache 2.4
- I75: Restrict accepted HTTP verbs - Apache 2.0
- I111: Restrict accepted HTTP verbs - ASP.Net / C#
- I176: Django
- I369: PHP
- I433: CORS and access control
- I438: CORS with Node.js
Updated Additional Requirements
- AR24: Zone boundary protection, ANSI/ISA 62443
- All ANSI/ISA 62443 HowTo's are converted to additional requirements
Updated Problems
- P100: Response Discrepancy Information Exposure
- P205: Use of Single-factor Authentication (CHECK MCS +ISA62443)
- P664: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection’)
Added HowTo's
- I478: Specifying TLS parameters in Node.js
- I479: Apache HTTP Server
Updated T186, w/ latest security patch level for third party libraries
- OpenSSL (important security updates)
- Spring
- Django
- Rails
- Java
- Bouncy Castle

2.38

New features and improvements:

Tasks can be amended with additional information, using the usual SD Elements rules system (match conditions).
The permissions required to add users to a project have been split off from the permissions required to edit the rest of the project's details.
Users no longer need to refresh the page to see the status of jobs running on a project's ALM sync and analysis import pages.
API v2 Improvements:
- a preliminary version of the /tasks/ endpoint has been added to the new API. We welcome feedback on this
Tasks can be filtered based on verification status when syncing to ALM systems
Improved Jira and Rally integration: multiple SD Elements projects can be synced to the same project without relying exclusively on the task title.

Content additions and updates:

Compliance Regulations:
- ANSI/ISA 62443
- NIST 800-53
Updated Tasks
- T24: Enforce idle session timeout
- T53: Virus scan all uploaded or transferred files using an inline virus scanner
- T107: Test that application forbids uploading or transfer of malware
- T135: Assign each person using the system a unique user ID
- T233: Verify that each person using the system is assigned a unique user ID
- T245: Verify that sensitive unprotected data is securely deleted
- T244: Securely delete any unprotected sensitive data

Added New Tasks
- T337: Design alternative routes to essential and critical functions of a control system
- T338: Control access to the system through user authentication and authorization
- T340: Provide an account and identity management system
- T341: Test that certificate validation and subject identification are properly performed in PKI based authentication
- T342: Provide use notification for critical services of the system
- T343: Test that proper system use notification is displayed or sent for critical features
- T344: Enforce different rules for access to the system based on the origin, type and medium of request
- T345: Check the integrity of critical configuration and data files
- T346: Test that the integrity of important configuration and data files are checked
- T349: Protect audit information and logs against unauthorized access
- T350: Test that audit information is sufficiently protected
- T353: Control the inbound and outbound data flow across the boundaries of zones
- T355: Verify that inbound/outbound traffic is properly filtered
- T356: Break the system into zones and design the conduits
- T357: Review and verify the design of security zones
- T360: Partition the application in a way that facilitates adoption of a zoning model
- T363: Design a priority scheme for application services and operations
- T364: Provide secure backup and restore capability
- T365: Verify security of backing up and restoring procedures
- T366: Protect backup data against alteration and unauthorized access
- T367: Mitigate the security risks of power cut and power supply switch
- T368: Test system/application security in the event of a power cut or power supply switch
- T370: Follow best security practices for using third-party and commercial off the shelf components
- T371: Provide unified and manageable interfaces to security settings and configuration parameters

Added Problems
- P748: Blocking of emergency actions or essential functions of a control system
- P749: Opportunity for disclaimer and denial of responsibility
- P750: Denial of service (DoS) due to resource starvation
- P751: Unpredictable behavior of a control system in the event of an attack or failure
- P752: Missing support for integrity checks on important data and configuration files
- P753: Insufficient Control over Data Flow
- P754: Missing support for backup/restore capabilities or insufficient protection of backup data
- P755: Lack of control over third-party components
- P756: Lack of system transparency and control over configuration parameters
Updated Problems
- P182: Improper Access Control (Authorization)
- P228: Use of Insufficiently Random Values
- P619: Insufficient logging or insufficient protection of logs
- P678: Session Fixation
- P729: Temporary storage of confidential data in flash memory
Added HowTo's
- I454: Human user authentication, ANSI/ISA 62443 for T338
- I455: Authentication of software processes and devices, ANSI/ISA 62443 for T338
- I456: Password Strength, ANSI/ISA 62443 for T4
- I458: Password Strength Tests,ANSI/ISA 62443 for T80
- I459: Hardware security for public key authentication, ANSI/ISA 62443 for T156
- I460: Verification of hardware protection for private keys, ANSI/ISA 62443 for T341
- I461: Authorization enforcement, ANSI/ISA 62443 for T338
- I462: Access through untrusted networks, ANSI/ISA 62443 for T344
- I463: Wireless use control for T344
- I464: Portable and mobile devices, ANSI/ISA 62443 for T344
- I465: Mobile code control, ANSI/ISA 62443 for T197
- I466: Remote session termination, ANSI/ISA 62443 for T338
- I467: Limiting the number of concurrent sessions, ANSI/ISA 62443 for T338
- I468: Auditable events, ANSI/ISA 62443 for T71
- I469: Generating timestamps for audit records, ANSI/ISA 62443 for T71
- I470: Non-repudiation, ANSI/ISA 62443 for T135
- I471: Integrity verification and reporting, ANSI/ISA 62443 for T345
- I472: Network Segmentation, ANSI/ISA 62443 for T353
- I473: Zone boundary protection, ANSI/ISA 62443 for T353
- I474: Person-to-person communication, ANSI/ISA 62443 for T353
- I475: Control system backup, ANSI/ISA 62443 for T364
- I476: Control system restore, ANSI/ISA 62443 for T365
- I477: Idle session timeout exception, ANSI/ISA 62443 for T24
Updated T186, w/ latest security patch level for third party libraries
- Apache Tomcat (important security updates)
- Spring
- Django
- Apache HTTP Server (important security updates)
- Apache Wicket

2.37

New features and improvements:

Users can elect to only receive plaintext emails, via an options that can be set on their profile settings page. (Those customers with their own SDE server can turn off HTML emails for all users, globally.)
Users with permissions to add projects and delete projects can now move projects between applications.
It is now easier to share filtered lists of tasks for a particular project: simply share the URL. (The URL now updates as you filter your tasks.)
Users no longer need to refresh the page to see the status of jobs running on a project's ALM sync and analysis import pages.

Content additions and updates:

Updated Tasks
- T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- T4: Configurable password policies
- T5: Minimum password standards
- T24: Enforce idle session timeout
- T45: Log potential application security events
- T53: Virus scan all uploaded or transferred files using an inline virus scanner
- T77: Test if only one factor of authentication is used
- T80: Test password requirements
- T107: Test that application forbids uploading or transfer of malware
- T135: Assign each person using the system a unique user ID
- T156: Validate certificate and its chain of trust properly
- T233: Verify that each person using the system is assigned a unique user ID
- T320: Verify that WebSockets are securely used
Added Tasks
- T335: Sanitize user input before passing to NoSQL operators
- T336: Verify that no unsanitized user input is passed to NoSQL operators

Updated Problems
- P384: Download of Code without Origin and Integrity Check
- P504: Insufficient Session Expiration
- P619: Insufficient Logging
- P716: Certificate Validation Issues
Added Problems
- P747: NoSQL server-side JavaScript injection
- P749: Opportunity for disclaimer and denial of responsibility
Changes to Project Properties and Profiles
- Compliance with industrial and control system regulations (in Scope for ANSI/ISA 62443) was added to Compliance Requirements.
- Security level 1 to 4 could be chosen for ANSI/ISA 62443 compliance.
- Public key infrastructure (PKI) based authentication was added to authentication types.

Updated T186, w/ latest security patch level for third party libraries
- OpenSSL
- Struts (links updated, no software update)
- Spring
- Django
- Rails
- Apache MyFaces
- Java

2.36

New features and improvements:

Open up custom reports creation to users with the edit custom reports permission. (The reports these users can generate are limited to those projects they can see.)
A new permission allows for limiting what other users a user can see based on their group.
Improve the add users and groups widget on the project creation page.
Allow ALM integration to filter what is synced based on task tags.
Allow task statuses to be updated based on the imported results from scanning tools.
Sync task tags with issues created in Jira, Rally, and Rational with ALM integrations.
The rules that determine what applications a user can see are stricter.

Content additions and updates:

Updated Tasks
- T45: Log potential application security events
- T162: Validate workspace before retrieving local resources
- T297: Verify that target workspace is validated before retrieving local resources
- T66: Prevent web pages from being loaded inside iframe (frame busting)
- T122: Test for remote file include
- T29: Use anti cross site request forgery (CSRF) tokens
- T96: Test that site is not vulnerable to cross site request forgery (CSRF)
- T105: Verify that the web application does not contain leftover test or debug code
Added New Tasks
- T325: Use JavaScript Strict Mode
- T329: Verify that JavaScript is used in Strict Mode
- T326: Handle errors and exceptions securely in Node.js
- T327: Review security of Node.js modules before installation
- T328: Verify that errors and exceptions are securely handled in Node.js
- T330: Monitor and manage Node.js load
- T331: Enforce content policies through content security policy (CSP) headers
- T332: Test that content security policy (CSP) headers are added
- T333: Test that HTTP Strict-Transport-Security headers are sent in HTTPS responses
Updated HowTo's
- I176: Django for T21: Ensure confidential data is sent over an encrypted channel
- I145: Manually with browser and Burpsuite

Updated Problems
- P728: Insufficient patching or use of insecure third party software/libraries
- P673: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Added HowTo's
- I438: CORS with Node.js for T257: Secure Cross Origin Resource Sharing (CORS) in HTML5
- I439: Enabling HTTPS for Node.js/Express
- I440: Node.js Strict Mode
- I441: Restricting access to static resources in Node.js for T162: Validate workspace before retrieving local resources
- I442: Logging in Node.js for T45: Log potential application security events
- I445: Protecting Node.js against CSRF for T29: Use anti cross site request forgery (CSRF) tokens
- I446: Add Content Security Policy (CSP) headers in Node.js for T331
- I447: Add HTTP Strict Transport Security headers in Node.js for T322
- I448: Setting X-Frame-Options in Node.js for T66
- I450: Workspace Validation for T162: Validate workspace before retrieving local resources
Added Problems
- P745: JavaScript Global Scope of Variables and Functions
- P746: Crash of Node.js single threaded event loop
Updated T186, w/ latest security patch level for third party libraries
- Struts
- Spring

2.35

New features and improvements:

Users can be organized into groups. This makes it easier to assign roles to many users, or add many users to a project.
Users are emailed when an API token is created, revoked, or regenerated. (These events are also captured in the activity log.)
Glossary items can be created, updated, and deleted via the API
Tasks created in 3rd party ALMs via our ALM integration can now be given customized titles.

Content additions and updates:

Updated Tasks
- T281: Follow best practices when handling access tokens (API tokens)
- T278: Follow best security practices when using WebView (Android)
- T89: Test that site is not vulnerable to cross site scripting (XSS)
- T36: Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript
- T37: Avoid DOM-based cross site scripting (XSS)
Added Tasks
- T324: Follow best security practices when using UIWebView (iOS)
Updated HowTo's
- I50: JavaScript for T37: Avoid DOM-based cross site scripting (XSS)
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS
- Django
- Apache Wicket
- Apache MyFaces
- Java
- Spring

2.34

New features and improvements:

Applications can be renamed via a new edit page.
There is a search box on the rules selector found on the customize tasks and answers pages.
Project stubs can be created via the API. (Profile selection and user assignment must be done within the application, for now.)
Project names and descriptions can be updated via the API.

Content additions and updates:

Compliance Regulations:
- Payment Application Data Security Standard (PA-DSS): Version 3.0 is mapped to tasks.
- Payment Application Data Security Standard (PCI-DSS): Version 3.0 is mapped to tasks.
Updated Tasks
- T257: Secure cross origin resource sharing (CORS) in HTML5
- T258: Secure web (cross domain) messaging in HTML5
- T260: Secure usage of WebSockets
- T259: Follow best practices when storing data in Local or Session Storage
- T61: Change all default passwords
- T3: Require old passwords when users change password
- T6: Implement account lockout or authentication throttling
- T253: Protect TLS/SSL communication
- T254: Test that TLS/SSL communication is protected
Added New Tasks
- T318: Verify security of cross origin resource sharing (CORS)
- T319: Verify that web messaging is securely used
- T320: Verify that WebSockets are securely used
- T321: Verify that Local and Session Storage are securely used
- T322: Include HTML Strict-Transport-Security headers in HTTPS responses
- T323: Test that all default passwords are changed
Updated HowTo's
- I367: PHP MySQLi for T38: Bind variables in SQL statements
Added HowTo's
- I433: CORS and access control for T257: Secure Cross Origin Resource Sharing (CORS) in HTML5
- I434: CORS and anti-CSRF protection for T257: Secure Cross Origin Resource Sharing (CORS) in HTML5
- I435: HTML5 Geolocation for T178: Ask for consent from user prior to collecting personal information
Added Problems
- P743: WebSocket Hijacking
- P744: SSL Stripping
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS
- OpenSSL (Important Updates)
- Django
- Rails
- Apache HTTP Server
- Apache Wicket
- Apache MyFaces
- Java

2.33

New features and improvements:

The workflow for selecting profiles for projects has been improved upon: selection happens within the project settings questionnaire, and the choice can be reset at a later time if the initial choice was incorrect.
Site administrators can set a URL to redirect to when using SAML or Trusted Authentication.
Administrators can download the list of users as a CSV

Content additions and updates:

Compliance Regulations:
- ISO 27001:2013 was added: 36 new controls. 146 mappings between tasks and controls.
Updated Tasks
- T278: Follow best security practices when using WebView
- T66: Prevent web pages from being loaded inside iframe (frame busting)
- T296: Test that unencrypted confidential data is not stored on client
Added New Tasks
- T308: Verify that session information is cleared from client upon logout
- T309: Verify that data received from server is validated before handling
- T310: Verify that WebView is securely used
- T311: Verify that sensitive data is not sent using implicit Intents or Broadcasts
- T312: Verify that inter-process communication (IPC) endpoints are secured in client
- T313: Identify and classify categories of personal and confidential information
- T314: Verify that personal and confidential information is identified and classified
- T315: Verify that potential application security events are logged
- T119: Test for clickjacking
- T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- T317: Verify that keyboard caches and shared dictionaries do not divulge confidential information
Updated HowTo's
- I76: Javascript for T66: Prevent web pages from being loaded inside iframe (frame busting)
- I246: Rails for T66: Prevent web pages from being loaded inside iframe (frame busting)
- I106: ASP.Net / C# for T66: Prevent web pages from being loaded inside iframe (frame busting)
- I272: Using server-side module to store secret keys and passwords for Android applications for T295: Avoid storing unencrypted confidential data on client

Added HowTo's
- I420: Java or Android KeyStore for T295: Avoid storing unencrypted confidential data on client
- I421: Test for frame-busting circumvention using javascript for T119: Test for clickjacking
- I422: Test for frame-busting circumvention using double framing for T119: Test for clickjacking
- I423: Test for frame-busting circumvention using anti-XSS capabilities for T119: Test for clickjacking
- I424: Android Keyboard Suggestions for T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I425: iOS Auto-correction types for T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I426: iOS Pasteboards for T261: Manage Pasteboards that are used with sensitive data
- I427: Checking Permissions Declaratively and in Code for T273: Avoid permission re-delegation by considering caller's permissions when handling external requests
- I403: Avoiding Intent Sniffing for T275: Avoid sending sensitive data using implicit Intents or Broadcasts
- I428: How to make sure that third-party libraries are up-to-date for T186: Maintain the latest security patch level for third party libraries and software
- I430: Securing local sensitive data for T295: Avoid storing unencrypted confidential data on client
- I429: Using iOS Keychain Services for Secure Data Storage for T295: Avoid storing unencrypted confidential data on client
Updated Problems
- P697: Clickjacking
- P411: Information Leak Through Caching
Updated T186, w/ latest security patch level for third party libraries
- Spring Framework
- Django
- Apache HTTP Server (important notes on Shell Shock vulnerability)
- Apache Wicket
- Unix/Linux Bash (important notes on Shell Shock vulnerability)

2.32

New features and improvements:

You can now assign rules to the answers you create via project settings customization. This will let you disable answers if they are not applicable based on the current answers in a project's survey. (If all the answers in a question are not applicable, the question itself is not applicable, and will be displayed as greyed out.)
You can create glossary items that can be linked to from the text of your problems, tasks, or how-tos. This allows you to define common terms for your organization.
Project tasks CSV export now includes tags, priority and phase. Application and project references are removed to eliminate redundancy.
Project tasks Excel export removed due to stability issues and insufficient customer interest.
Trusted Header Authentication was added as a new single-sign on option.
Small improvements to the API v1 tasks endpoint.
API v2 supports token based authentication.

Content additions and updates:

Updated Tasks
- T38: Bind variables in SQL statements
- T45: Log potential application security events
- T49: Remove/disable unused, test or debug code and data
- T55: Validate all XML input
- T71: Capture sufficient information for transactional audit logging
- T101: Test that application is not vulnerable to SQL injection
- T105: Test that the web application does not contain leftover test or debug code
- T126: Test for XML external entity disclosure (tied to P742)
- T157: Temporary files must be cleaned up after the resource is used
- T161: Treat unique device IDs as personally identifiable information
- T162: Validate workspace before retrieving local resources
- T173: Test that user data is transmitted over secure channel in mobile environment
- T252: Configure XML Parsers for Secure Processing
Added New Tasks
- T281: Follow best practices when handling access tokens (API tokens)
- T282: Bind variables in SQL statements for client applications
- T283: Test that application is not vulnerable to SQL injection for client applications
- T284: Generate secure access tokens (API tokens)
- T285: Restrict use of access tokens (API tokens)
- T286: Make sure username rules are consistent among registration system, authentication system and application
- T287: Test that usernames are handled consistently by registration system, authentication system and application
- T288: Prevent unauthorized access to information through XML external entity (XXE) references
- T289: Verify that access to Android components is properly restricted
- T290: Verify if Android permissions are checked properly
- T291: Verify that content of received Intent is checked properly
- T292: Verify that iOS URL schemes are handled securely
- T293: Verify that requests made through Android URL schemes are handled securely
- T294: Test that client application does not contain leftover test or debug code
- T295: Avoid storing unencrypted confidential data on client tied to P735
- T296: Test that unencrypted confidential data in not stored on client tied to P735
- T297: Verify that target workspace is validated before retrieving local resources
- T298: Verify that Pasteboards are securely managed
- T299: Verify that method swizzling in securely implemented in Objective-C
- T300: Test that temporary files are cleaned up after the resource is used
- T301: Verify that buffers holding sensitive information are scrubbed
- T302: Test that sensitive user data is transmitted over secure channel for rich clients
- T304: Verify that unique device IDs are treated as personally identifiable information
- T305: Verify that classes are not dynamically loaded without proper security considerations
- T306: Verify that confidential data is not cached on client
- T307: Verify that confidential data is not cached on mobile devices
Updated HowTo's
- I315: Android SQLite tied to T282
Added HowTo's
- I417: XML input validation in Java for T55: Validate all XML input
- I418: XML input validation in .NET for T55: Validate all XML input
- I419: XML input validation for T55: Validate all XML input
Updated Problems
- P729: Temporary Storage of Confidential Data in Flash Memory tied to CWE921
Added Problems
- P740: Insufficient protection of access tokens (API tokens) to cover CWE200,331
- P741: Inconsistent handling of principal's name by authentication system and application
- P742: Unauthorized access to data through XML External Entity (XXE) references to cover CWE611

Updated T186, w/ latest security patch level for third party libraries
- OpenSSL (an important upgrade)
- Django
- Rails

2.31

New features and improvements:

You can now create tasks that are specific to a project from a project's tasks page. These project specific tasks are similar to other tasks in the system, except that they belong to a single project.
Answer questions in the survey and loading a project's tasks page should be faster.

Content additions and updates:

Updated Tasks
- T162: Validate workspace before retrieving local resources
Added New Tasks
- T269: Test that release version of Android application is not debuggable
- T270: Follow the best practices for storing application data on Android
- T271: Prevent access to Android components if they do not need external communication
- T272: Restrict access to your application's exported Android components
- T273: Avoid permission re-delegation by considering caller's permissions when handling external requests
- T274: Handle requests made through Android URL schemes securely
- T275: Avoid sending sensitive data using implicit Intents and broadcasts
- T276: Validate the type and content of received Intents
- T278: Follow best security practices when using WebView
- T279: Avoid dynamically loading classes without proper security considerations
Updated HowTo's
- I318: Android - Camera Images for T188
Added HowTo's
- I414: Preparing for Android Release for T49
- I402: Android storage options and considerations for T270
- I404: Disabling external access to Android components for T271
- I405: Using Permissions for Access Control for T272
- I408: Intent Filters and Explicit Intents for T272
- I415: Determining who has requested access to an Android exported component for T272
- I406: Android Logs for T46
- I409: Validate input received by Android broadcast receiver for T276
- I413: Android for T162
- I416: Using WebView Securely for T277
Updated Problems
- P721: Insecure IPC Handling (including handling of intents or URL schemes) to cover:
  - CWE-940 Improper Verification of Source of a Communication Channel
  - CWE-921 Improper Export of Android Application Components
  - CWE-925 Improper Verification of Intent by Broadcast Receiver
Added Problems
- P735: Lack of Access Control in Mechanisms Used for Storage of Sensitive Data tied to CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
- P736: Improper permission re-delegation and tied to CWE-285: Improper Authorization
- P738: Insufficient Restriction of Intent Receivers in Android to cover:
  - CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
  - CWE-941: Incorrectly Specified Destination in a Communication Channel
  - CWE-927: Use of Implicit Intent for Sensitive Communication
Updated T186, w/ latest security patch level for third party libraries
- Rails
- Spring
- Tomcat
- Apache MyFaces
- Apache Wicket

2.30

New features and improvements:

Interacting with the survey has been sped up: it should be about twice as fast as it was previously. (Work continues on improving the speed of this portion of the application.)
The answers in a question are no longer re-arranged when changing, deleting, or moving other answers.
The changes since last release section of the project settings survey will no longer open incorrectly in heavily customized surveys.
Users with many custom task statuses should notice they are now all visible in the task status drop down without scrolling.

2.29

New features and improvements:

Initial support for generating reports about projects. Look for improvements to this feature in the coming months, and send us your feedback on what you'd like to see here. The reporting feature is backed by a very robust API, for customers that wish to generate reports external to the application.
Significant improvements to the verification functionality in SD Elements. We now support for importing verification data from multiple tools with the user deciding how the new import should interact with the previous verification data.
Updated SAML user authentication to address a flaw that created duplicate users in some cases.

Content additions and updates:

Updated CWE library in SD Elements from CWE 2.0 to CWE 2.6 (addition of 22 new CWEs and some minor title modifications).
Updated Tasks
- T11: Disallow external redirects unless the destination is verified
- T125: Test for open redirects
- T225: Test that password fields are masked by default. Text and matching conditions updated.
Added New Tasks
- T262: Mask passwords by default on mobiles but consider usability options
- T263: Test that password fields are masked by default on mobiles and usability improvement options are implemented
- T264: Follow best practices when using method swizzling in Objective-C
- T265: Handle requests made through iOS URL schemes securely
Updated HowTo's
- I273: iOS 4 and above and connected it to T262
- I292: iOS 4 and above and tied it to T265: Handle requests made through iOS URL schemes securely
- I389: Examine the contents manually using network monitoring tools
Added HowTo's
- I399: Use strong encryption algorithms if credit card information is transmitted
- I400: Verify use of security protocols wherever credit card information is transmitted or received
- I401: About URL Schemes
Updated Problems
- P493: URL Redirection to Untrusted Site ('Open Redirect'). Matching conditions updated.
- P721: Insecure IPC Handling (including handling of intents or URL schemes)
  - covers CWE-939: Improper Authorization in Handler for Custom URL Scheme
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS
- Rails
- Struts
- Spring
- Tomcat
- DJango
- Java
- Apache MyFaces
- OpenSSL

2.28

New features and improvements:

Project administrators (user's with permission to update the project settings survey) are now notified by email when there are new tasks available for their projects due to content updates.
The various activity logs have been redesigned to improve their readability.
Tasks synced to a Rally instance will have their tags updated to the current values of the connection, regardless of when they were created.

Content additions and updates:

Updated T186, w/ latest security patch level for third party libraries
- Apache HTTP Server
- Bouncy Castle
- GnuTLS
- Java
- OpenSSL (updated to address CVE-2014-0160, the Heartbleed vulnerability)
- Rails
- Struts
- Tomcat

2.27

New features and improvements:

Added ALM synchronization support for Rational Collaborative Lifecycle Management
Moved in-app documentation to support.sdelements.com
Subquestions—some customers call these child questions—are now accessible for customization in the Project Settings customization section of the application.
Improvements to the speed of the Project Settings customization pages.
Small improvements to way finding within the application.

Content additions and updates:

Added Mobile Technologies subsection to survey.
Added question about version of iOS to Mobile Technologies subsection of the survey.
Updated T165: Do not rely on Unique Device ID values in security controls3
Updated T207: Obtain parental consent for users under 13 - COPPA compliance
Added T261: Lockdown Pasteboards that are used with sensitive data
Added How To I396 Avoid storing cached confidential data on mobile devices - iOS 4 and above
Added How To I397 Validate certificate and its chain of trust properly - Android WebViewClient
Updated T175: Test that the client validates SSL certificates
Updated T186, w/ latest security patch level for third party libraries
- GnuTLS

2.26

New features and improvements:

Client Administrators can now create custom values for the status of tasks in a project (beyond the default complete, incomplete, and not applicable). These new statuses can be used in much the same way as the default values: they can be filtered on, viewed in reports, queried via the API, etc.
The customize problems page now lists official content in addition to your new custom content. This should make it easier to determine if a problem you wish to add to the system already exists.
URLs contained in notes on tasks are now rendered as clickable links.
Updates to JIRA and Rally ALM integration
- SD Elements tasks can be synced as children of an existing task in the ALM
- Support added for custom fields (Please get in touch with support for help using this feature.)
- Rally only: integration now supports setting a Tag value that will be applied to all new tasks synced from SD Elements. (The default value is "SD-Elements".)
- JIRA only: integration now supports customizing the mapping between SD Elements priorities and JIRA priorities. (Please get in touch with support for help using this feature.)

Content additions and updates:

Addition of HTML5 security best practices as follows.

New HTML5 Tasks:

T257: Secure Cross Origin Resource Sharing in HTML5
T258: Secure Web (Cross Domain) Messaging in HTML5
T259: Avoid storing sensitive information in Local Storage
T260: Secure usage of Web Sockets

New HTML5 HowTos:

HowTo T258-I395: Secure Web (Cross Domain) Messaging in HTML5 - Basic Validation of origin in JavaScript

Other content updates:

Updated T186, w/ latest security patch level for third party libraries
- Apache MyFaces
- Apache Wicket
- Bouncy Castle
- Django
- GnuTLS
- Java
- OpenSSL
- Rails
- Struts
- Tomcat

2.25

New features and improvements:

Added ALM synchronization support for HP Alm 11.x
Project tasks can be organized and searched using custom tags. In the Customization section of the application, privileged users can assign short tags to standard or custom tasks. Project users can use these tags to filter project tasks. A task's tags are returned by the API.
Improvements to tag searching.
Various enhancements to improve speed and user experience.
ALM integration updated to provide more troubleshooting information for users as they setup connections.
Security tool integration updated: Fortify FPR scan import filters out issues which have been marked by Fortify Audit Workbench or Software Security Center users with "Not an Issue"

Content additions and updates:

Added test task "T256: Test that compiler settings are set to mitigate buffer overflows"
Updated matching rules for "T64: No-cache for confidential web pages" to target web application or generic server-based projects
Updated title "T101: Test that application is not vulnerable to SQL injection"
Updated test task "T127: Test for null byte injection" to address weakness "P95: Improper Input Validation"
Raised priority of "T193: Review non-categorized/miscellaneous findings from automated analysis" to 7 (High).

2.24

New features and improvements:

Added a 'Policy' field to questions in project settings customization. This field controls whether a question is Optional (default), Hidden, or Mandatory.
- Hidden questions will not be displayed in the survey when users create projects.
  - Hiding all the questions in a subsection will hide the subsection. If all the subsections in a section are hidden, the section is also hidden.
- Mandatory questions must be answered before a list of tasks is generated for a new project.
Projects can be tagged. You can assign short tags to a project from the project list page of each of your applications. A project's tags are returned by our API.

Content additions and updates:

C/C++ updates
- Added survey question to determine target environment: Standard C/C++, POSIX, Windows
- How To's are associated with one or more of the targets above
- Added How To I392 Prevent buffer overflow/underflow - C/C++ memcpy()
Updated T186, w/ latest security patch level for third party libraries
- Apache httpd
- Apache MyFaces
- Apache Wicket
- Bouncy Castle
- Django
- GnuTLS
- Java
- Spring
- Struts
- Tomcat

2.23

New features and improvements:

You can now mark tasks as being manually verified. A new verification 'ribbon' on the tasks page lets you view at a glance the state of a project, and lets you quickly toggle the verification state of a task.
Added ALM synchronization support for GitHub and Pivotal Tracker

Content additions and updates:

Updated T14: Principle of least privilege
Updated P150: Execution with Unnecessary Privileges

2.22

New features and improvements:

Added in-app support for submitting HP WebInspect and IBM AppScan Standard reports for analysis by SD Elements. (You can verify your SD Elements tasks using WebInspect and AppScan.)
Added automatic synchronization between project tasks and tasks in JIRA 6. (This is in addition to the existing support for Jira 4 and 5.)
Improved the landing page when you first log in to the site: it now lists your recent projects, assigned tasks, etc. The original applications list page is available from the Applications menu.
Small speed ups of the tasks page.

2.21

New features and improvements:

Two new file formats are supported for importing data from Fortify: FPR and FVDL.
Simplified the task status toggle: clicking the status icon will now toggle between "TODO" and "DONE". (Marking something as N/A is done via the extra statuses button that appears next to the toggle button when you hover over a task.)
Improved email notifications on events associated with tasks you are assigned to. You will be notified of status changes, team changes, and new notes, on any tasks you are assigned to.
The verification status of tasks is now displayed in the completion and compliance reports.

Content additions and updates:

Fixed rules for:

P208: Missing Encryption of Sensitive Data (related to T146 and T173)

Updated regulations reference for:

T146: Use encryption for network communications in mobile environment
T173: Test that user data are transmitted over secure channel in mobile environment

Added:

T208: Perform input validation on local input sources
T210: Encrypt sensitive data during transmission for rich clients
T252: Configure XML Parsers for Secure Processing
- How-to: I390: Java - SAX Parser
- How-to: I391: C# - XmlReader
T253: Lockdown TLS/SSL communication
T254: Test that TLS/SSL communication is locked down
T255: Test that XML parsers are not vulnerable to denial of service
How-to T87-I389: Ensure confidential data is sent over an encrypted channel - Manually with network monitoring tools

2.20

New features and improvements:

Added in-app support for submitting Fortify reports for analysis by SD Elements. (You can verify your SD Elements tasks using Fortify.)
Automatically synced jobs will notify their creators of failures to sync via email. (This can be turned off in the profile section of the application.)
The projects API endpoint now returns who originally created a project.

Content additions and updates:

Added Sarbanes-Oxley Act (SOX) to list of available compliance reports
Updated compliance reports with additional overview description
Removed empty HowTo from T232 which had been included in error

2.19

New features and improvements:

Added automatic synchronization between project tasks and connected ALM servers (JIRA, Mingle, Rally, Trac)
Task assignment emails are sent as formatted HTML and plain text, including all attached notes
Improvements to the Internet Explorer 7 browser warning
Added anonymous bind support for LDAP connections
Integration Console documentation updates
Various product enhancements

Content additions and updates:

Added a question to Project Survey under "Application General" subsection "Components/Architecture" to capture privilege escalation for clients.
Updated T186, w/ latest security patch level for third party libraries
- Apache httpd
- Apache MyFaces
- Apache Wicket
- Bouncy Castle
- Django
- GnuTLS
- Java
- Spring
- Struts
- Tomcat
Updated T21, covers all types of confidential data including credentials and session ID.
Updated PA-DSS compliance report and related tasks and guidelines:
- Added T251: Test that PAN numbers are not emailed unprotected
- Updated the description of the following requirements to include compliance topics:
  - T7: Salt and hash stored password
  - T21: Ensure confidential data is sent over an encrypted channel
  - T60: Only use approved cryptographic algorithms and key lengths
  - T71: Capture sufficient information for transactional audit logging
  - T159: Avoid sending detailed error messages to remote systems
  - T232: Verify that transactional audit logs capture sufficient information
  - T220: Verify that user password is salted and hashed
- Updated HowTos:
  - T71:I387 PA-DSS Requirements
  - T232:I388 PA/PCI -DSS Requirements
Updated PCI-DSS compliance report and related tasks and guidelines:
- Added T251: Test that PAN numbers are not emailed unprotected
- Updated the following requirements for PA-DSS references and coverage:
  - T7: Salt and hash stored password
  - T21: Ensure confidential data is sent over an encrypted channel
  - T60: Only use approved cryptographic algorithms and key lengths
  - T71: Capture sufficient information for transactional audit logging
  - T159: Avoid sending detailed error messages to remote systems
  - T220: Verify that user password is salted and hashed
- Updated HowTos:
  - T232:I388 PA/PCI -DSS Requirements
Fixes to inclusion rule for the following existing tasks and how-tos that caused them not to appear in certain cases where they should have appeared:
- T46: Do not log confidential data
- T229: Verify that logs do not contain confidential data
- T67:I152: Enforce page navigation - Java EE and Struts
- T16:I153: Authorize every page - Struts with ESAPI
- T205: Avoid inter-process race conditions

2.18

New features and improvements:

New projects no longer show the "Changes Since Last Release" survey section. This was a source of confusion for new users. (As before, it is loaded when creating a new release of a project.)
Extensive internal refactoring that will ease future development of SD Elements.

Content additions and updates:

Updated T186, w/ latest security patch level for third party libraries
- Update to the Struts HowTo (in response to new critical security vulnerabilities)
Addition of PA-DSS compliance report and related tasks and guidelines:
- Updated the description of the following requirements to include compliance topics:
  - T1: Use multi-factor authentication for remote access to high risk systems or administrative access to payment applications
  - T5: Minimum password standards
  - T59: Use standard libraries for encryption
  - T60: Only use approved cryptographic algorithms and key lengths
  - T77: Test if only one factor of authentication is used
  - T80: Test password requirements
  - T136: Do not store sensitive credit card data
  - T133: Mask credit card PAN numbers when displayed
  - T232: Verify that transactional audit logs capture sufficient information
- Added new tasks
  - T244: Securely delete any unprotected sensitive data
  - T245: Verify that sensitive unprotected data is securely deleted
  - T246: Control access to encrypted volumes independent of native operating system
  - T247: Verify logical access to encrypted volumes are managed independently of native operating system
  - T248: Protect any keys used to secure sensitive data
  - T249: Verify that keys used to secure sensitive data are protected
- Added HowTos:
  - T5:I385 PA-DSS Requirement
  - T80:I386 PA-DSS Requirements
  - T71:I387 PA-DSS Requirements
  - T232:I388 PA-DSS Requirements
Updated PCI-DSS compliance report and related tasks and guidelines:
- Updated the following requirements for PA-DSS references and coverage:
  - T1: Use multi-factor authentication for remote access to high risk systems or administrative access to payment applications
  - T77: Test if only one factor of authentication is used
  - T136: Do not store sensitive credit card data
  - T234: Verify sensitive credit card data is not stored
- Add new tasks
  - T246: Control access to encrypted volumes independent of native operating system
  - T247: Verify logical access to encrypted volumes are managed independently of native operating system
  - T248: Protect any keys used to secure sensitive data
  - T249: Verify that keys used to secure sensitive data are protected

2.17

New features and improvements:

In-app integration with Application Lifecycle Management (ALM) tools:
- Sync tasks and their status between an SD Elements project and a corresponding project in your ALM tool.
- Initial ALM tool support includes the following: Rally, JIRA, Mingle and Trac.
New permissions allow for finer grained custom roles.
- In particular, editing the status of a task and adding a note to a project are now two different permissions.

Content additions and updates:

Added guidance to prevent password re-use and setting password expiry
- T8: Minimum password standards
- T80: Test password requirements

2.16

New features and improvements:

Custom problems were once "Always applicable" to a project - now they can depend on whether certain features or technologies are in scope for an applicable, similar to custom tasks.
Various user interface improvements:
- Task-inclusion rules widget updated
- Added help text to pages without content (empty project lists, tasks lists, etc.)
- Re-organized support documentation

Content additions and updates:

Minor/Formatting fix to:
- HowTo T126-I139: Test for XML external entity disclosure - Manually with browser
Added new Problem, updated the related Task and HowTos:
- Problem: P293: Uncontrolled Resource Consumption ('Resource Exhaustion')
- Task: T35: Specify HTTP protocol limits in the server settings
- Related How-Tos:
  - I40: Apache 2.0
  - I41: Java EE with WebLogic 9.2
  - I42: Java EE with WebSphere 6.1+
  - I94: IIS
  - I305: ASP.Net

2.15

Starting with this release Internet Explorer 7 is no longer actively supported. If you use IE 7 we suggest upgrading to IE 8/9/10, or using a recent version of Mozilla Firefox, Google Chrome, or Apple Safari.

New features and improvements:

Tasks added to projects notifications: when a new project is created, or a project's settings are changed, users with the 'view all projects' permission can be notified about the addition of tasks to those projects. You can set up this feature on your account profile settings page.
Various improvements to the Veracode report importer.
The various activity logs now include timestamps.

Content additions and updates:

New tasks T243: Verify authenticity and integrity of received SOAP messages
- Added related problem P244: Insufficient Verification of Data Authenticity
Added PHP How-To's
- I375:T25 Enforce absolute session timeouts
- I378:T24 Enforce idle session timeouts
- I379:T49 Remove/disable unused, test or debug code and data
- I380:T7 Salt and hash stored password
- I382:T49 Remove/disable unused, test or debug code and data
- I383:T6 Implement account lockout or authentication throttling
- I384:T73 Use random delays in authentication failures
Updated T186, w/ latest security patch level for third party libraries
- Update to the Rails HowTo (in response to new security vulnerabilities)
- Added new HowTo:
  - I381, for Bouncy Castle (in response to the new TLS issue)
Updated in-app Integration Console documentation for newly-added Microsoft Team Foundation Server support.

2.14

New features and improvements:

Backend improvements and bug fixes.

Content additions and updates:

Added PHP how-tos:
- I367:T38: Bind variables in SQL statements
- I368:T43: Avoid unsafe operating system interaction
- I369:T54: Validate file contents
- I370:T38: Bind variables in SQL statements
- I371:T20: Invalidate old session ID after authentication
- I372:T26: Destroy sessions on logout
- I373:T27: Turn off session rewriting
- I374:T23: Set HttpOnly flag on session cookies
- I376:T22: Set secure flag on session cookies
- I377:T11: Disallow external redirects
Added PIPEDA compliance report

2.13

New features and improvements:

Added in-app support for submitting Veracode reports for analysis by SD Elements. (You can verify your SD Elements tasks using Veracode.)
Improvements to our API.

Content additions and updates:

Increased priority of T186 and T241, with regards to maintaining the latest security patches level of third party libraries, from 5 to 7.
Added Apex how-tos:
- I350:T38: Bind variables in SQL statements
- I353:T21: Ensure credentials and session ID are sent over an encrypted channel
- I354:T59: Use standard libraries for encryption
- I356:T68: Encrypt credit card PANs in storage
Updated T186, w/ latest security patch level for third party libraries
- Updates to the Rails, Spring and Tomcat HowTo
- Added new HowTos:
  - I361, for GnuTLS (in response to the new TLS issue)
  - I362, for OpenSSL (in response to the new TLS issue)
  - I363, for Apache HTTP Server
  - I364: Apache Wicket
  - I365: Apache MyFaces
  - I366: Java

2.12

New features and improvements:

Custom profiles: bootstrap new project creation with your own profiles.
Preliminary support for custom problems: create new problem beyond those supplied by SD Elements.

Content additions and updates:

Added Force.com Apex to supported programming languages in the survey
Added Apex how-tos:
- I350:T36: Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript
- I352:T29: Use anti cross site request forgery (CSRF) tokens
- I355:T137: Encrypt protected health information in storage
- I357:T11: Disallow external redirects
- I358:T16: Authorize every page
- I359:T15: Centralize authorization
- I360:T18: Make authorization decisions using full context
Change the default for allowed test tools to "Yes": there is no policy against using these test tools internally.

2.11

New features and improvements:

Implied Choices: Custom answers can now include a list of additional answers to be selected when they are selected. This allows for smart default answer that rely on previous answers in the survey.
Verification Status filter: You can filter the project tasks page by verification status.
Improvement to content change notification: Accepting content updates will now prompt for task removal as well as addition. A project's task list will only change when a project administrator changes its settings, or accepts updates based on content changes.
The project tasks list should now load much faster.

Content additions and updates:

Updated tasks with major/significant improvements:
- T18: Make authorization decisions using full context
- T64: No-cache for confidential pages
- T135: Assign each person using the system a unique user ID
Added new test / verification tasks:
- T114: Test system-to-system authentication lockout or throttling
- T222: Verify server-to-server authentication
- T227: Verify that application's access to database is restricted
- T228: Test that application restricts HTTP message size
- T230: Test that system accounts for server to server authentication meet at least the same minimum password requirements as end users
- T233: Verify that each person using the system is assigned a unique user ID
- T234: Verify credit card CVV or PIN is not stored
- T235: Verify that application does not store protected health information insecurely
- T236: Test that the application encrypts protected health information on the internet
- T238: Test that users can review and update their personal data
- T239: Test that users must provide consent prior to collection of personal information
- T240: Test that users can remove their data from the system
- T242: Verify special provisions for sensitive personal information
Updated T186, w/ latest security patch level for third party libraries
- Updates to Rails, Django, Spring, and Struts HowTos

2.10

New features and improvements:

Import Veracode findings into SD Elements.
Navigating the site has been made easier through the use of "breadcrumbs" on each page.
Users assigned to a project are displayed in the projects list.
The relationship between CWEs and Problems has been made more robust, allowing for more interesting integrations with other services in the near future.
New API endpoints, improvements, and optimizations.
Down time during a site update (deployment) has been greatly reduced.

Content additions and updates:

Regulations added:
- California Online Privacy & Protection Act to regulations. Updated privacy tasks T177 and T178 to reflect the regulation requirements.
- Children’s Online Privacy and Protection Act (COPPA). Introduced T207 to address the requirements under this regulation.
New requirement and development tasks:
- T217: Use compiler settings to mitigate buffer overflows
- T219: Avoid transmitting confidential data through URL parameters
- T197: Verify the integrity of remote code with digital signatures
- T214: Lock down confidential files on operating system
New test / verification tasks:
- T220: Verify that user password is salted and hashed
- T225: Test that password fields are masked by default
- T226: Verify that authorization is centralized
- T229: Verify that logs do not contain confidential data
- T232: Verify that transactional audit logs capture sufficient information
- T237: Test that solicitation emails follow spam free guidelines
- T241: Verify that third party libraries do not have any outstanding security patches
- T235: Verify that application does not store protected health information
New C/C++ HowTo:
- I347: Avoiding dangerous function asctime()
- I348: Avoid Time of check time of use race conditions with symbolic links
- I349: Secure creation and destruction of temporary files
Minor change to authentication question in survey to handle multiple authentication components.

2.9.X

Not deployed.

2.8

New features and improvements:

Remaining tasks counts are displayed in the projects list.
Icons are used throughout the application to improve the clarity of possible actions available on each page.
Project tasks lists should load faster.
API Authentication can be done via a security token, in addition to basic auth and session cookies.

Content:

Added How-To content covering secure Android inter-process communication.
Added new filter/label to identify tasks that need manual verification.

2.7

New features and improvements:

An improved application and projects list.
- Each application now has a detail page that lists its projects.
- Applications and projects can be sorted by their last modified time.

Content:

Updated and improved upon the coverage of unmanaged code vulnerabilities.

2.6

New features and improvements:

Authenticate users with a custom LDAP server.
Brand the application with your own custom logo.
More effectively share task information with other users. The new project task pages include all the information related to a task; including full description, assigned users, solution, weakness, and how-to material.
Find tasks more easily and effectively with the new ability to filter by multiple criteria.
Access the complete library of how-to and task information using the API.

Content:

Added coverage for Race Condition and Time-of-Check-Time-of-Use (TOCTOU) vulnerabilities.
Updated “T7: Salt and hash stored password” to cover new requirements to salting.

2.4

New features and improvements:

Users can filter out low and/or medium priority task from the problem summary report.
Release notes are displayed on the support section of the site.
Improve the speed of the tasks API endpoint.

Content:

Addition of weaknesses and tasks for unmanaged content:
- T202: Prevent buffer overflow/underflow
- T203: Avoid uncontrolled format string
- T204: Follow security best practices when dealing with pointers
- T72: Use safe arithmetic to avoid integer overflow (minor update to)
Added C/C++ HowTo for T43 - Avoid unsafe operating system interaction
Added the following C/C++ HowTos for T196 - Avoid dangerous functions:
- C/C++ setjmp() and longjmp()
- Securing C++ istream >> operator
- C/C++ getwd()
- C/C++ String Length
- Microsoft C/C++ String Length
- C/C++ gets()
- C/C++ String Copy and Concatenation
- C/C++ String Formatting

2.3

New features and improvements:

The library customization page has an improved layout, similar to the project tasks page.
Answers can be moved between questions via the project settings question customization page. The layout of this page has also been improved.
Form field validation now also takes place in the frontend, helping users fill out forms correctly before submitting them to the server.
The new user email is clearer.
User names in all reports are now "mailto" links. Names are displayed in a consistent manner.
Numerous improvements to our API.

Content:

Introducing content on usage of inherently dangerous functions in unmanaged languages (CWE-242):
- new task T196: Avoid Dangerous Functions
- 8 new HowTos for Microsoft C/C++ string manipulation dangerous functions.
- 1 new HowTo for IsBad-style Pointer handling
Added content support for capturing automated code analysis results:
- New survey question under Development Tools: Uses static or dynamic code analysis
- New task T193: Review non-categorized/miscellaneous findings from automated analysis
Minor edits:
- T196: Obtain user consent for tracking cookies (set priority to 7)

2.2

New features included in this update are:

Project sett

results matching ""

No results matching ""