Refer to this page for information about version-specific improvements to SD Elements and associated content.

2023.4 | 2023.3 | 2023.2 | 2023.1 | 2022.4 | 2022.3 | 2022.2 | 5.20 | 5.19 | 5.18 | 5.17 | 5.16 | 5.15 | 5.14 | 5.13 | 5.12 | 5.11 | 5.10 | 5.9 | 5.8 | 5.7 | 5.6 | 5.5 | 5.4 | 5.3 | 5.2 | 5.1 | 5.0

2023.4

For the latest SD Elements Release Notes, see our User Guide: https://docs.sdelements.com/release/latest/guide/docs/releasenotes.html

New features and enhancements

  • Diagrammatic Threat Modeling

    • Threat Model Diagrams can now generate Threats, Weaknesses, and Countermeasures. This is a beta for the 2023.4 release and must be enabled via API or through your Customer Success Manager.
    • Imported diagrams are only accepted in draw.io/diagrams.net, TM7 (Microsoft Threat Modeling Tool), JSON, and XML format.
  • Trend Reports

    • Added an advanced reporting feature called "Trend Reports" that captures changes across the application, Countermeasures, and project objects. This feature is enabled by default with its corresponding feature flag.
      • Users can represent changes in compliance counts and mean times to compliance, among many other metrics.
      • Changes are captured nightly and data can be realized as far back from July 8th, 2023.
      • Added the ability to include Trend Reports in Dashboards.
      • Added granular permissions for users interacting with Trend Reports.
      • Added the ability to export the data in CSV or JSON format.
  • Verification Tools Update

    • Added the ability for integrations to customize the project connection names for verification tools. Any existing and future project connections for verification tools can add or edit a connection name.
  • Checkmarx Integration

    • Added CheckmarxOne into the Integration Ecosystems. Users can connect their CheckmarxOne instance in SD Elements and map SAST scan results to project Countermeasures.
      • Requires Tenant ID and API Key for server connection.
      • Requires a project_id for project connection.

Other Product Improvements

  • Added pre-aggregations to Library and Application contexts for Advanced Reports.
  • Fixed a bug where importing how-to files in JSON or YAML format would not work.

Content improvements summary

  • CWE

    • Updated to version 4.13
  • 2023 CWE Top 25 Most Dangerous Software Weaknesses

    • Added a new regulation
  • Compliance Regulations and Mappings

    • ANSI/ISA 62443-4-2 & ISASecure CSA 311
      • Updated the ISASecure CSA 311 regulation to combine the requirements of ANSI/ISA 62443-4-2 and ISASecure CSA/SSA and deactivated the ANSI/ISA 62443-4-2 regulation.
    • ANSI/ISA 62443-3-3 & ISASecure SSA 311
      • Updated the ISASecure SSA 311 regulation to combine the requirements of ANSI/ISA 62443-3-3 and ISASecure CSA/SSA and deactivated the ANSI/ISA 62443-3-3 regulation
  • Updated the following code scanner mappings

    • Fortify
    • Qualys
    • SonarQube
    • WebInspect

Content additions and updates (as of December 5, 2023):

  • Compliance Regulations and Mappings

    • Added 2023 CWE Top 25 Most Dangerous Software Weaknesses
    • Removed ANSI/ISA 62443-3-3
    • Removed ANSI/ISA 62443-4-2
    • Updated ANSI/ISA 62443-4-2 (ISASecure CSA 311) [INFO: Updated the description].
    • Updated ANSI/ISA 62443-3-3 (ISASecure SSA 311) [INFO: Updated the description].
    • Updated CIS Azure Kubernetes Service (AKS) 1.2.0 [INFO: Updated the description].
    • Updated ISO/SAE 21434 [INFO: Updated the description].
    • Updated ISO 27001 [INFO: Updated the description].
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • TA5412: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5414: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T5: Use minimum standards for passwords
    • TA5432: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5434: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5436: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T8: Use Consistent Error Handling for All Authentication Failures
    • TA5440: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T21: Ensure all data in transit is encrypted using a secure TLS channel
    • TA5495: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5497: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • TA5501: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T61: Disable default accounts or change all default passwords
    • TA5422: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T70: Implement account lockout or authentication throttling for system accounts
    • TA5442: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T77: Test for single-factor authentication
    • TA5411: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5413: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T80: Test password requirements
    • TA5431: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5433: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5435: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T82: Test authentication error consistency
    • TA5439: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T87: Verify that all data in transit is encrypted using a secure TLS channel
    • TA5494: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5496: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T107: Test that application forbids uploading or transferring malware [Updated]
    • INFO: Updated the text.
  • T114: Test system-to-system authentication lockout or throttling
    • TA5441: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T156: Validate certificate and its chain of trust properly
    • TA5438: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T175: Test that the client validates digital certificates
    • TA5437: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared
    • TA5539: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5541: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T245: Verify that sensitive unprotected data is securely deleted
    • TA5538: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5540: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T248: Protect secret keys and passwords in the application
    • TA5424: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5426: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5428: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T249: Verify that keys and passwords are protected in the application
    • TA5423: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5425: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5427: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T295: Avoid storing unencrypted confidential data without access control mechanisms
    • TA5537: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T296: Test that unencrypted confidential data is not stored without access control mechanisms
    • TA5536: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T323: Test that default accounts are disabled or default passwords are changed
    • TA5421: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T337: Include a 'break glass' feature that enables emergency functions
    • TA5452: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T338: Control access to resources through user authentication and authorization
    • TA5406: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5408: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5410: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T340: Use an account and identity management system
    • TA5416: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5418: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5420: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T342: Inform and warn users about using critical system services
    • TA5444: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T343: Test that proper system use notification is displayed or sent for critical features
    • TA5443: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T344: Enforce different rules for access to the system based on the origin, type, and medium of request
    • TA5446: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5448: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5450: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T381: Test break-glass procedures
    • TA5451: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T445: Verify that only approved cryptographic algorithms and key lengths are used
    • TA5500: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T567: Enable network access control for local area network communications
    • TA5455: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T591: Verify that network access control is enabled for local area network communications
    • TA5454: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5456: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T682: Make S3 bucket CloudTrail logs publicly inaccessible (AWS) [Updated]
    • INFO: Updated the text.
  • T1380: Enforce secure user registration and access control
    • TA5453: ISASecure SSA 311 requirements: Levels (4) [Updated]
      • INFO: Updated the text.
  • T2254: Use the most robust Security Operation Mode (WiFi)
    • TA5430: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T2275: Test to confirm that the most robust Security Operation Mode is applied (WiFi)
    • TA5429: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T2276: Test to confirm that authorization and authentication controls are in place for access to resources
    • TA5405: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5407: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5409: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T2277: Test to confirm the use of an account and identity management system
    • TA5415: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5417: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • TA5419: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
  • T2278: Test to confirm that different rules for access to the system are enforced based on the origin, type, and medium of the request
    • TA5445: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5447: ISASecure SSA 311 requirements: Levels (2, 3, 4) [Updated]
      • INFO: Updated the text.
    • TA5449: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T2359: Configure a secure user authentication (Cloud) (2/2) [Updated]
    • INFO: Updated the priority from 7 to 10.
  • T2360: Configure a secure user authorization (Cloud) (2/2) [Updated]
    • INFO: Updated the priority from 5 to 10.
  • T2361: Design a secure application architecture for the cloud environment (Cloud) (2/2) [Updated]
    • INFO: Updated the priority from 9 to 10.
  • T2368: Enable logging and protect log files in your cloud environment (Cloud) (2/4) [Updated]
    • INFO: Updated the priority from 7 to 9.
  • T2369: Enable logging and protect log files in your cloud environment (Cloud) (3/4) [Updated]
    • INFO: Updated the priority from 7 to 9.
  • T2370: Enable logging and protect log files in your cloud environment (Cloud) (4/4) [Updated]
    • INFO: Updated the priority from 7 to 9.
  • T2371: Enable logs and configuration monitoring in your cloud environment (Cloud) (2/4) [Updated]
    • INFO: Updated the priority from 7 to 8.
  • T2372: Enable logs and configuration monitoring in your cloud environment (Cloud) (3/4) [Updated]
    • INFO: Updated the priority from 7 to 8.
  • T2373: Enable logs and configuration monitoring in your cloud environment (Cloud) (4/4) [Updated]
    • INFO: Updated the priority from 7 to 8.
  • T2374: Verify that logging is enabled and log files are protected (Cloud) (2/2) [Updated]
    • INFO: Updated the priority from 7 to 9.
  • T2375: Verify that log monitoring and configuration monitoring are enabled (Cloud) (2/3) [Updated]
    • INFO: Updated the priority from 7 to 8.
  • T2376: Verify that log monitoring and configuration monitoring are enabled (Cloud) (3/3) [Updated]

    • INFO: Updated the priority from 7 to 8.
  • Changes to Project Properties and Profiles

    • Q193: Components
      • Q101: Components In Development
        • A1077: Firmware, embedded, or hardware solution [Updated]
          • INFO: Updated the children.
    • Q199: Authentication
      • Q120: Authentication Features
        • Q121: Authentication Method
          • A19: Uses passwords [Updated]
            • INFO: Updated the children.
    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A768: This is a software project [Updated]
          • INFO: Updated the children.
  • New Just-in-Time Training

    • Defending Web APIs (18)

2023.3

For the latest SD Elements Release Notes, see our User Guide: https://docs.sdelements.com/release/latest/guide/docs/releasenotes.html

New features and enhancements

  • New content updates functionality

  • Import / Export Enhancements

    • With feature flag: Import/Export Enhanced Capability turned on (off by default):
      • Added the ability to have deactivated content to be present in the export job.
      • Added the ability to mark specific content as active or deactivated via import job
      • Added the ability to set custom content as delete to remove the content completely via import job
    • Enabling Import/Export of Regulations and Enabling Async API (Beta) have been migrated to feature flags so users can now toggle features on and off via the UI.
  • Automation Event/Action

    • With Feature Flag: User Login Activity (on by default)
    • Added the ability to track user login events
    • Added a new action to deactivate users that have not logged in after a predefined number of days
  • Reactivation Function (only for SSO Users)

    • With Feature Flag: Auto-Reactivate Users via SSO (off by default)
    • Added the ability to auto-reactivate users using single sign-on.
  • Survey UX

    • Added a feature flag to make survey change reviews optional before publishing. The flag is disabled by default. When enabled, users answering the survey will have a choice to publish directly or review and then publish.

Content improvements summary

  • AI Security

    • Added new Weaknesses, Countermeasures, and Additional Requirements based on NIST AI Risk Management Framework (RMF) and OWASP Top 10 for Large Language Model Applications.
  • Consumer IoT: ETSI EN 303 645

    • Added new Regulation and Additional Requirements based on the EN 303 645 Standard.
  • ISO 27001 (2022)

    • Added a new Regulation.
  • Rust

    • Added new Howtos for the Rust programming language.
  • Updated the following code scanner mappings:

    • Appscan, Fortify, Qualys, SonarQube, WebInspect, and Nessus.

Content additions and updates (as of September 26, 2023):

  • Compliance Regulations and Mappings

    • Added NIST AI RMF v1.0
    • Added EN 303 645
    • Added OWASP Top 10 for Large Language Model Applications v1.0.0
    • Added ISO 27001
  • Content Packs

    • Added NIST AI RMF
    • Added AI Security
    • Added EN 303 645
    • Added OWASP LLM Top 10
    • Added ISO 27001 (2022)
    • Added Rust
  • T2: Secure the password reset mechanism

    • TA6527: EN 303 645 requirements [Added]
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • TA6535: EN 303 645 requirements [Added]
  • T72: Use safe arithmetic to avoid integer overflow
    • I1880: Rust: Check calculations for integer overflows [Added]
  • T151: Use cryptographically secure random numbers [Updated]
    • INFO: Updated the text.
  • T153: Scrub buffers holding sensitive information when releasing/deleting
    • I1878: Rust: Clear sensitive memory after use [Added]
  • T159: Follow best practices for secure error and exception handling
    • I1881: Rust: Return errors using the Result type and don’t panic [Added]
  • T176: Apply principles of privacy when handling personal information
    • TA6539: EN 303 645 requirements [Added]
  • T189: Minimize the use of unmanaged (native) code
    • I1883: Rust: Follow best practices when calling external C/C++ functions [Added]
    • P730: Direct Use of Unsafe Unmanaged Code [Updated]
      • INFO: Updated the match conditions.
  • T196: Avoid unsafe functions
    • I1882: Rust: Avoid unsafe code [Added]
  • T197: Validate the signature of all remote code/updates to verify their origin and integrity (client side)
    • TA6532: EN 303 645 requirements [Added]
  • T248: Protect secret keys and passwords in the application
    • TA6534: EN 303 645 requirements [Added]
  • T301: Verify that buffers holding sensitive information are scrubbed
    • I1884: Rust: Clear sensitive memory after use. [Added]
  • T338: Control access to resources through user authentication and authorization
    • TA6536: EN 303 645 requirements [Added]
  • T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
    • I1879: Use secure libraries and open source components in Rust [Added]
  • T375: Release resources when no longer needed
    • I1877: Rust: Avoid memory leaks [Added]
    • P293: Uncontrolled Resource Consumption (Resource Exhaustion) [Updated]
      • INFO: Updated the match conditions.
  • T403: Verify that errors and exceptions are securely handled
    • I1886: Rust: Securely handle errors and exception. [Added]
  • T433: Design a fallback mechanism or a degraded mode for the system
    • TA6540: EN 303 645 requirements [Added]
  • T456: Change default security settings to the most stringent ones and disable unnecessary services and modules
    • TA6537: EN 303 645 requirements [Added]
  • T584: Implement update capabilities for your application
    • TA6530: EN 303 645 requirements [Added]
  • T586: Implement Secure Boot if possible
    • TA6538: EN 303 645 requirements [Added]
  • T897: Test if the unmanaged code is used securely
    • I1887: Rust: Securely use external functions in Rust. [Added]
    • P730: Direct Use of Unsafe Unmanaged Code [Updated]
      • INFO: Updated the match conditions.
  • T991: Configure connectionTimeout (Apache Tomcat) [Updated]
    • INFO: Updated the text.
    • I834: Apache Tomcat: Configuring connectionTimeout [Updated]
      • INFO: Updated the text.
  • T1061: Enable SQL auditing (Microsoft Azure)
    • P1024: No SQL auditing (Microsoft Azure) [Updated]
      • INFO: Updated the text.
  • T1234: Only allow trusted users to control the Docker daemon (Docker) [Updated]
    • INFO: Updated the text.
  • T1250: Configure admission control policy securely (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1278: Ensure that the --protect-kernel-defaults argument is set to true (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1352: Restrict remote access (Google Cloud) [Updated]
    • INFO: Updated the text.
  • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
    • TA6542: EN 303 645 requirements [Added]
  • T1380: Enforce secure user registration and access control [Updated]
    • INFO: Updated the match conditions.
  • T1385: Institute secure logging and event monitoring
    • TA6541: EN 303 645 requirements [Added]
  • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • TA6528: EN 303 645 requirements [Added]
  • T1403: Disable CLR (Microsoft SQL Server)
    • P1195: Enabled CLR (Microsoft SQL Server) [Updated]
      • INFO: Updated the text.
  • T1461: Leave 'SQL Server Browser' service disabled if it is not required (Microsoft SQL Server) [Updated]
    • INFO: Updated the text.
  • T1915: Perform network vulnerability assessment
    • P1438: Lack of network vulnerability assessment [Updated]
      • INFO: Updated the match conditions.
  • T1920: Conduct security architecture and design reviews before starting code development
    • I1874: Evaluate if Rust is suitable for your requirements [Added]
  • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
    • TA6529: EN 303 645 requirements [Added]
  • T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
    • INFO: Updated the text.
  • T2115: Enable image vulnerability scanning (Docker) [Updated]
    • INFO: Updated the text.
  • T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2211: Include a firmware update mechanism/feature (Hardware/Firmware)
    • TA6531: EN 303 645 requirements [Added]
  • T2296: Securely install and configure all software components
    • P1669: Lack of a process for securely installing and configuring all software components [Updated]
      • INFO: Updated the match conditions.
  • T2344: Implement and augment supporting toolchains by automating SDLC security activities [Updated]
    • INFO: Updated the content pack and match conditions.
    • P1681: Lack of automation and implementation of supporting toolchains [Updated]
      • INFO: Updated the content pack.
  • T2347: Configure the Integrated Development Environment, Compilation, Interpreter, and Build Processes
    • I1875: Prepare a secure Rust development environment [Added]
  • T2348: Perform code reviews
    • P1685: Lack of proper code reviews [Updated]
      • INFO: Updated the match conditions.
  • T2349: Configure software to have secure settings by default
    • P1686: Lack of secure default settings [Updated]
      • INFO: Updated the match conditions.
  • T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the match conditions.
  • T2352: Verify that supporting toolchains are properly implemented [Updated]
    • INFO: Updated the content pack and match conditions.
    • P1681: Lack of automation and implementation of supporting toolchains [Updated]
      • INFO: Updated the content pack.
  • T2354: Verify that an organization-wide software and code repository is established and used [Updated]
    • INFO: Updated the content pack and match conditions.
  • T2355: Verify that the IDE, compiler, interpreter, and build processes are configured securely [Updated]
    • INFO: Updated the content pack and match conditions.
    • I1876: Verify a secure Rust development environment [Added]
  • T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the match conditions.
  • T2388: Enforce the principle of separation of duties [Updated]
    • INFO: Updated the text.
  • T2473: Verify the presence of security constraints in all user stories and features [Updated]
    • INFO: Updated the match conditions.
  • T2474: Include security constraints in all user stories and features [Updated]
    • INFO: Updated the match conditions.
  • T2481: Define and apply configuration standards for Network Security Controls [Updated]
    • INFO: Updated the match conditions.
  • T2482: Verify implementing configuration standards [Updated]
    • INFO: Updated the match conditions.
  • T2483: Follow a control change management process [Updated]
    • INFO: Updated the text.
  • T2498: Provide clear definitions for each component [Updated]
    • INFO: Updated the match conditions.
  • T2499: Verify that clear definitions for each component exist [Updated]
    • INFO: Updated the match conditions.
  • T2510: Define cybersecurity goals and requirements for a component [Updated]
    • INFO: Updated the match conditions.
  • T2511: Define procedures for decommissioning and terminating cybersecurity support
    • TA6533: EN 303 645 requirements [Added]
  • T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component [Updated]
    • INFO: Updated the match conditions.
  • T2514: Establish coding and testing guidelines [Updated]
    • INFO: Updated the match conditions.
  • T2515: Verify coding and testing guidelines [Updated]
    • INFO: Updated the match conditions.
  • T2517: Define cybersecurity specifications and post-development procedures [Updated]
    • INFO: Updated the match conditions.
  • T2518: Verify cybersecurity specifications and post-development procedures [Updated]
    • INFO: Updated the match conditions.
  • T2519: Prevent prompt injection in Large Language Models [Added]
    • P1733: Lack of protection against prompt injection in Large Language Models [Added]
  • T2520: Test the prevention of prompt injection in Large Language Models [Added]
    • P1733: Lack of protection against prompt injection in Large Language Models [Added]
  • T2521: Handle insecure output in Large Language Models [Added]
    • P1733: Lack of protection against prompt injection in Large Language Models [Added]
  • T2522: Test insecure output handling in Large Language Models [Added]
    • P1733: Lack of protection against prompt injection in Large Language Models [Added]
  • T2523: Prevent training data poisoning in Large Language Models [Added]
    • P1735: Lack of protection against training data poisoning in Large Language Models [Added]
  • T2524: Test the prevention of training data poisoning in Large Language Models [Added]
    • P1735: Lack of protection against training data poisoning in Large Language Models [Added]
  • T2525: Prevent Large Language Model Denial of Service [Added]
    • P1736: Lack of protection against Large Language Model denial of service [Added]
  • T2526: Test the prevention Large Language Model Denial of Service [Added]
    • P1736: Lack of protection against Large Language Model denial of service [Added]
  • T2527: Protect Large Language Models against supply chain vulnerabilities [Added]
    • P1737: Presence of supply chain vulnerabilities in Large Language Models [Added]
  • T2528: Test the protection of Large Language Models against supply chain vulnerabilities [Added]
    • P1737: Presence of supply chain vulnerabilities in Large Language Models [Added]
  • T2529: Prevent sensitive information disclosure in Large Language Models [Added]
    • P1738: Sensitive information disclosure in Large Language Models [Added]
  • T2530: Test the prevention of sensitive information disclosure in Large Language Models [Added]
    • P1738: Sensitive information disclosure in Large Language Models [Added]
  • T2531: Design secure plugins for Large Language Models [Added]
    • P1739: Insecure plugin design in Large Language Models [Added]
  • T2532: Test plugin design security for Large Language Models [Added]
    • P1739: Insecure plugin design in Large Language Models [Added]
  • T2533: Mitigate excessive agency in Large Language Models [Added]
    • P1740: Excessive agency in Large Language Models [Added]
  • T2534: Test excessive agency mitigation in Large Language Models [Added]
    • P1740: Excessive agency in Large Language Models [Added]
  • T2535: Mitigate overreliance in Large Language Models [Added]
    • P1741: Overreliance on Large Language Models [Added]
  • T2536: Test overreliance in Large Language Models [Added]
    • P1741: Overreliance on Large Language Models [Added]
  • T2537: Prevent model theft in Large Language Models [Added]
    • P1742: Model theft in Large Language Models [Added]
  • T2538: Test model theft prevention in Large Language Models [Added]
    • P1742: Model theft in Large Language Models [Added]
  • T2539: Provide organizational policies, processes, and procedures to ensure trustworthy and risk-aware AI integration [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6455: NIST AI RMF - Govern 1.1: Legal and regulatory requirements [Added]
    • TA6456: NIST AI RMF - Govern 1.2: Organizational AI risk management policies [Added]
    • TA6457: NIST AI RMF - Govern 1.3: Policies for AI impact measurement and risk assessment [Added]
    • TA6458: NIST AI RMF - Govern 1.4: Documentation and policy standardization for AI systems [Added]
    • TA6459: NIST AI RMF - Govern 1.7: Decommissioning AI systems policies [Added]
  • T2540: Plan mechanisms for monitoring, reviewing, and inventorying AI systems [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6460: NIST AI RMF - Govern 1.5: AI systems monitoring and incident response [Added]
    • TA6461: NIST AI RMF - Govern 1.6: Inventory AI systems [Added]
  • T2541: Establish clear roles, responsibilities, accountability, and training for AI risk management [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6462: NIST AI RMF - Govern 2.1: AI risk roles and responsibilities [Added]
    • TA6463: NIST AI RMF - Govern 2.2: Training on AI risk management [Added]
    • TA6464: NIST AI RMF - Govern 2.3: Management roles and responsibilities [Added]
  • T2542: Address necessary human-AI configurations and oversight of AI systems [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6465: NIST AI RMF - Govern 3.1: Forming a diverse team [Added]
    • TA6466: NIST AI RMF - Govern 3.2: Human-AI policies [Added]
  • T2543: Encourage critical thinking and a safety-first mindset in the lifecycle of AI systems [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6467: NIST AI RMF - Govern 4.1: Risk culture [Added]
    • TA6468: NIST AI RMF - Govern 4.2: Impact assessments [Added]
    • TA6469: NIST AI RMF - Govern 4.3: Information sharing about impacts or incidents [Added]
  • T2544: Collect and integrate feedback from external AI system developers [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6470: NIST AI RMF - Govern 5.1: Manage external stakeholder feedback [Added]
    • TA6471: NIST AI RMF - Govern 5.2: Integrate feedback into system design and implementation [Added]
  • T2545: Address AI risks associated with third-party entities [Added]
    • P1743: Lack of organizational policies and procedures for internal and third-party entities [Added]
    • TA6472: NIST AI RMF - Govern 6.1: Address AI risks arising from third-party entities [Added]
    • TA6473: NIST AI RMF - Govern 6.2: Handle failures or incidents in third-party data [Added]
  • T2546: Identify business value and business use context of AI systems [Added]
    • P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
    • TA6474: NIST AI RMF - Map 1.1: Identify AI system's intended and potential beneficial applications [Added]
    • TA6475: NIST AI RMF - Map 1.2: AI actor participation in establishing AI system context [Added]
    • TA6476: NIST AI RMF - Map 1.3: Organization's mission and relevant goals for AI technology [Added]
    • TA6477: NIST AI RMF - Map 1.4: Identify AI system's business value [Added]
    • TA6478: NIST AI RMF - Map 1.5: Organizational risk tolerances [Added]
    • TA6479: NIST AI RMF - Map 1.6: Socio-technical implications incorporation into design decisions [Added]
  • T2547: Define AI system tasks and knowledge limits, and TEVV considerations [Added]
    • P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
    • TA6480: NIST AI RMF - Map 2.1: AI system's support [Added]
    • TA6481: NIST AI RMF - Map 2.2: Identify AI system's knowledge limits [Added]
    • TA6482: NIST AI RMF - Map 2.3: Identify TEVV considerations [Added]
  • T2548: Examine potential benefits, costs, and necessary human oversight of using AI systems [Added]
    • P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
    • TA6483: NIST AI RMF - Map 3.1: Identify benefits of the intended AI system [Added]
    • TA6484: NIST AI RMF - Map 3.2: Identify AI system's potential costs [Added]
    • TA6485: NIST AI RMF - Map 3.3: Identify AI system's application scope [Added]
    • TA6486: NIST AI RMF - Map 3.4: Define operator and practitioner proficiency [Added]
    • TA6487: NIST AI RMF - Map 3.5: Human oversight on AI system [Added]
  • T2549: Establish approaches for mapping AI technology and controlling risks [Added]
    • P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
    • TA6488: NIST AI RMF - Map 4.1: Identify legal risks associated with AI technology components [Added]
    • TA6489: NIST AI RMF - Map 4.2: Identify and control internal risk of AI system's components [Added]
  • T2550: Assess the likelihood of each beneficial and harmful identified impact [Added]
    • P1744: Lack of recognizing context and failure to identify context-related risks for AI systems [Added]
    • TA6490: NIST AI RMF - Map 5.1: Calculate likelihood of AI system's identified impact [Added]
    • TA6491: NIST AI RMF - Map 5.2: Collect and integrate AI actor feedback [Added]
  • T2551: Create trustworthy AI systems [Added]
    • P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
    • TA6492: NIST AI RMF - Measure 1.1: Metrics framework [Added]
    • TA6493: NIST AI RMF - Measure 1.2: Metrics assessment and utilization [Added]
    • TA6494: NIST AI RMF - Measure 1.3: TEVV and stakeholder feedback processes [Added]
  • T2552: Document and monitor trustworthiness of AI systems [Added]
    • P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
    • TA6495: NIST AI RMF - Measure 2.1: Documentation [Added]
    • TA6496: NIST AI RMF - Measure 2.2: Dataset privacy [Added]
    • TA6497: NIST AI RMF - Measure 2.3: Population Context [Added]
    • TA6498: NIST AI RMF - Measure 2.4: Regular monitoring [Added]
    • TA6499: NIST AI RMF - Measure 2.5: Accuracy and Reliability [Added]
    • TA6500: NIST AI RMF - Measure 2.6: Measuring safety [Added]
  • T2553: Consider resiliency, transparency, and privacy in designing AI systems [Added]
    • P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
    • TA6501: NIST AI RMF - Measure 2.7: Resilience [Added]
    • TA6502: NIST AI RMF - Measure 2.8: Transparency [Added]
    • TA6503: NIST AI RMF - Measure 2.9: Transparency, explainability, and interpretability [Added]
    • TA6504: NIST AI RMF - Measure 2.10: Privacy [Added]
    • TA6505: NIST AI RMF - Measure 2.11: Mitigate bias [Added]
    • TA6506: NIST AI RMF - Measure 2.12: Environmental Impacts [Added]
    • TA6507: NIST AI RMF - Measure 2.13: Metrics improvements [Added]
  • T2554: Establish effective monitoring and risk management processes for AI systems [Added]
    • P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
    • TA6508: NIST AI RMF - Measure 3.1: System monitoring [Added]
    • TA6509: NIST AI RMF - Measure 3.2: Risk tracking [Added]
    • TA6510: NIST AI RMF - Measure 3.3: Impact assessment [Added]
  • T2555: Enhance the trustworthiness of AI systems [Added]
    • P1745: Lack of proper framework for measuring trustworthiness of AI systems [Added]
    • TA6511: NIST AI RMF - Measure 4.1: Engagement Processes [Added]
    • TA6512: NIST AI RMF - Measure 4.2: Analyze feedback [Added]
    • TA6513: NIST AI RMF - Measure 4.3: TEVV-Based Decisions [Added]
  • T2556: Perform risk assessment and management for AI Systems [Added]
    • P1746: Lack of proper risk management for AI systems [Added]
    • TA6514: NIST AI RMF - Manage 1.1: Suitability analysis [Added]
    • TA6515: NIST AI RMF - Manage 1.2: Risk tolerance analysis [Added]
    • TA6516: NIST AI RMF - Manage 1.3: Risk response plans [Added]
    • TA6517: NIST AI RMF - Manage 1.4: Monitor and manage residual risks for AI systems [Added]
  • T2557: Analyze, monitor, and manage risks associated with AI systems [Added]
    • P1746: Lack of proper risk management for AI systems [Added]
    • TA6518: NIST AI RMF - Manage 2.1: Risk management and planning [Added]
    • TA6519: NIST AI RMF - Manage 2.2: Establish risk control [Added]
    • TA6520: NIST AI RMF - Manage 2.3: Treatment procedures [Added]
    • TA6521: NIST AI RMF - Manage 2.4: Procedures for AI system bypass and reactivation [Added]
  • T2558: Manage risks associated with external dependencies and third-party resources in AI system [Added]
    • P1746: Lack of proper risk management for AI systems [Added]
    • TA6522: NIST AI RMF - Manage 3.1: Third-Party AI Systems [Added]
    • TA6523: NIST AI RMF - Manage 3.2: Pre-trained AI Models and Components [Added]
  • T2559: Regularly monitor and document AI system performance and processes [Added]

    • P1746: Lack of proper risk management for AI systems [Added]
    • TA6524: NIST AI RMF - Manage 4.1: Performance and trustworthiness [Added]
    • TA6525: NIST AI RMF - Manage 4.2: Incorporate feedback [Added]
    • TA6526: NIST AI RMF - Manage 4.3: Traceability and transparency [Added]
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • A1365: Rust [Added]
    • Q237: Compliance Scope: Other
      • Q360: In scope for EN 303 645 [Added]
        • A1364: Yes [Added]
      • Q325: In-Scope for ISO 27001 Compliance
        • A1267: Yes [Updated]
          • INFO: Updated the description.
    • Q284: Context and Characteristics
      • Q252: Application's Context and Characteristics
        • Q357: Artificial Intelligence/Machine Learning [Added]
          • A1362: Uses Large Language Models (LLMs) [Added]
          • A1363: AI governance tasks are in scope (based on NIST AI RMF) [Added]
  • New Just-in-Time Training

    • Defending Databases (22)
    • Defending Java (26)

2023.2

July 8, 2023

For the latest SD Elements Release Notes, see our User Guide: https://docs.sdelements.com/release/latest/guide/docs/releasenotes.html

New features and enhancements

  • Authentication

    • Added SAML Group and Role Mapping via the SD Elements UI
    • Introduced validation on certificate and key uploading
  • Reporting

    • Dashboards
      • Links found in a widget on a dashboard now function as expected
  • Survey UX

    • Added a ‘last draft’/’published’ label with a timestamp on the project Survey page
    • Updated the buttons on the project Survey page
    • Added an option for users to see the Survey history within the project Survey page
    • All Survey answer changes are now highlighted within the Survey (until they are published)
    • Users will now see a new confirmation page when they try to publish the Survey

Content improvements summary

  • ISO/SAE 21434

    • Added new Weaknesses, Countermeasures, Additional Requirements, and a Regulation based on the standard.
  • OWASP IoT Top 10

    • Updated the existing compliance report to the latest (2018) version of the OWASP IoT Top 10 list.
  • OWASP Top 10 Privacy Risks v2.0

    • Updated, mapped, and added Countermeasures to reflect the OWASP Top 10 Privacy Risks v2.0 list.
  • General Content improvement

    • Added new Countermeasures and one Amendment to enrich hardware/firmware content.
    • Enhanced the language and actionability of some high-priority Countermeasures.
    • Fixed and validated the match conditions of some Weaknesses and Countermeasures.

Content additions and updates (as of June 20, 2023):

  • Compliance Regulations and Mappings

    • Added OWASP IoT Top 10 (2018)
    • Added OWASP Top 10 Privacy Risks v2.0
    • Added ISO/SAE 21434
    • Removed OWASP IoT Top 10 (2014)
    • Updated DIACAP [Archived, Use 800-53 report] [INFO: Updated the description].
    • Updated OWASP IoT Attack Surface Areas [Retired] [INFO: Updated the description].
  • Content Packs

    • Added OWASP Privacy Top 10
  • T25: Enforce absolute session timeouts [Updated]

    • INFO: Updated the text.
  • T26: Expire sessions on logout [Updated]
    • INFO: Updated the text.
  • T74: Avoid HTTP parameter pollution
    • P689: HTTP Parameter Pollution [Updated]
      • INFO: Updated the match conditions.
  • T86: Test session ID uniqueness and rotation after authentication [Updated]
    • INFO: Updated the priority.
  • T118: Test for default accounts and credentials [Deactivated]
  • T157: Temporary files must be cleaned up after the resource is used
    • P348: Incomplete Cleanup [Updated]
      • INFO: Updated the text and match conditions.
  • T163: Handle health data securely [Updated]
    • INFO: Updated the priority.
  • T176: Apply principles of privacy when handling personal information [Updated]
    • INFO: Updated the text.
  • T178: Obtain consent from users prior to collecting personal information [Updated]
    • INFO: Updated the text and priority.
  • T186: Use recommended settings and the latest patches for third party libraries and software
    • P728: Insufficient patching or use of insecure third party software/libraries [Updated]
      • INFO: Updated the match conditions.
  • T193: Review non-categorized/miscellaneous findings from automated analysis
    • P733: Potential security defects reported by automated scanners are missed or overlooked [Updated]
      • INFO: Updated the match conditions.
  • T235: Verify that application does not store protected health information insecurely [Updated]
    • INFO: Updated the priority.
  • T236: Test that the application encrypts protected health information on the Internet [Updated]
    • INFO: Updated the priority.
  • T238: Test that users can review and update their personal information [Updated]
    • INFO: Updated the inclusion weakness.
  • T239: Test that users provide consent prior to the collection of personal information [Updated]
    • INFO: Updated the priority.
  • T247: Verify logical access to encrypted volumes are managed independently of native operating system [Updated]
    • INFO: Updated the inclusion weakness.
  • T275: Avoid sending sensitive data using implicit Intents or Broadcasts
    • P738: Insufficient Restriction of Intent Receivers in Android [Updated]
      • INFO: Updated the match conditions.
  • T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
    • TA6437: Perform a reuse analysis and asses out-of-context components (ISO 21434) [Added]
  • T371: Provide unified and manageable interfaces for security settings and configuration parameters [Updated]
    • INFO: Updated the text.
  • T545: Verify that personal information is anonymized before being reused for secondary purposes [Updated]
    • INFO: Updated the priority.
  • T574: Prevent information exposure in HyperCat
    • P96: Information Exposure [Updated]
      • INFO: Updated the match conditions.
  • T586: Implement Secure Boot if possible [Updated]
    • INFO: Updated the text.
  • T605: Verify if consent is obtained prior to personal information collection (where applicable) [Updated]
    • INFO: Updated the priority.
  • T666: Rotate access keys every 90 days or less (AWS)
    • P161: Password Aging with Long Expiration [Updated]
      • INFO: Updated the match conditions.
  • T739: Verify if transferring personal information is legitimate and in compliance with applicable privacy regulations [Updated]
    • INFO: Updated the priority.
  • T743: Verify accuracy of personal information [Updated]
    • INFO: Updated the priority.
  • T745: Verify if pseudonymized personal information is protected [Updated]
    • INFO: Updated the priority.
  • T750: Limit personal information collection and processing to the specified purpose [Updated]
    • INFO: Updated the text.
  • T753: Verify whether personal information is collected only for specified purposes [Updated]
    • INFO: Updated the priority.
  • T756: Verify if personal data processing activities are recorded and maintained [Updated]
    • INFO: Updated the priority.
  • T757: Verify if personal information processing stops when user objects to it [Updated]
    • INFO: Updated the priority.
  • T838: Test if your application adheres to HTTP DNT header [Updated]
    • INFO: Updated the priority.
  • T1202: Set container CPU priority appropriately (Docker)
    • P1090: Container CPU priority is not set appropriately (Docker) [Updated]
      • INFO: Updated the text.
  • T1364: Verify that third party software libraries/modules and open source/COTS components are used securely
    • TA6450: Verify the reuse analysis and the analysis of out-of-context and off-the-shelf components (ISO 21434) [Added]
  • T1366: Identify applicable compliance regulations
    • P1171: Lack of a process for identifying applicable compliance regulation [Updated]
      • INFO: Updated the match conditions.
  • T1367: Identify and classify critical assets
    • P1172: Lack of a process for identifying critical assets [Updated]
      • INFO: Updated the match conditions.
  • T1368: Perform security testing using SAST tools [Updated]
    • INFO: Updated the text.
    • P1186: Lack of a process for static application security testing (SAST) [Updated]
      • INFO: Updated the match conditions.
  • T1369: Perform security testing using DAST tools [Updated]
    • INFO: Updated the text.
    • P1173: Lack of a process for dynamic application testing [Updated]
      • INFO: Updated the match conditions.
  • T1370: Identify and track common software weaknesses and threats
    • TA6433: Define continual cybersecurity activities (ISO 21434) [Added]
    • P1187: Lack of a process for identifying and assessing threats [Updated]
      • INFO: Updated the title and match conditions.
  • T1371: Use a software security management solution to select and track security controls
    • P1188: Lack of software security management solution to track security controls [Updated]
      • INFO: Updated the match conditions.
  • T1372: Follow software change management process
    • P1174: Lack of software change management process [Updated]
      • INFO: Updated the match conditions.
  • T1373: Maintain the integrity of all software code [Updated]
    • INFO: Updated the priority.
    • P1175: Insufficient software code control [Updated]
      • INFO: Updated the match conditions.
  • T1374: Ensure the integrity of software release and update delivery
    • P1178: Lack of a process for ensuring the integrity of software release and update [Updated]
      • INFO: Updated the match conditions.
  • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
    • P1181: Lack of guidance on secure installation, maintenance and configuration of all software components [Updated]
      • INFO: Updated the match conditions.
  • T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications [Updated]
    • INFO: Updated the priority.
    • P1182: Lack of a communication channel for reporting security issues [Updated]
      • INFO: Updated the match conditions.
  • T1378: Release a change summary for each software update
    • P1177: Lack of a process for creating summary of changes upon each software update [Updated]
      • INFO: Updated the match conditions.
  • T1380: Enforce secure user registration and access control
    • P1185: Lack of process for user registration and enforcement of access control [Updated]
      • INFO: Updated the match conditions.
  • T1381: Establish secure processes for key management
    • P1434: Lack of secure key management process [Updated]
      • INFO: Updated the match conditions.
  • T1382: Manage performance and capacity
    • P1190: Lack of process for performance and capacity management [Updated]
      • INFO: Updated the match conditions.
  • T1383: Separate development, test, and operational environments
    • TA6440: Create a production control plan (ISO 21434) [Added]
    • P1191: Deploying software in production on the same environment as development and testing [Updated]
      • INFO: Updated the match conditions.
  • T1384: Back up and restore securely [Updated]
    • INFO: Updated the priority.
    • P1179: A secure backup and restore processes are missing or lacking [Updated]
      • INFO: Updated the match conditions.
  • T1385: Institute secure logging and event monitoring
    • P1183: No secure processes for logging and monitoring events [Updated]
      • INFO: Updated the match conditions.
  • T1386: Regulate the use of electronic messaging [Updated]
    • INFO: Updated the priority.
  • T1387: Ensure the security of products acquired through the supply chain and contractors
    • P1170: Lack of a secure process for outsourcing [Updated]
      • INFO: Updated the match conditions.
  • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • P1225: Unmanaged test result findings [Updated]
      • INFO: Updated the match conditions.
  • T1389: Perform penetration testing [Updated]
    • INFO: Updated the priority.
    • P1184: Lack of a secure process for penetration testing [Updated]
      • INFO: Updated the match conditions.
  • T1892: Perform a Threat and Risk Assessment (TRA)
    • TA6434: Perform risk analysis and treatments for a component (ISO 21434) [Added]
    • TA6446: Identify assets and their damage scenarios (ISO 21434) [Added]
    • TA6451: Identify threat scenarios and attack paths for assets (ISO 21434) [Added]
    • TA6453: Determine an attack feasibility rating and risk value for each attack scenario (ISO 21434) [Added]
    • P1187: Lack of a process for identifying and assessing threats [Updated]
      • INFO: Updated the title and match conditions.
  • T1893: Perform a cloud solution security posture assessment
    • P1436: Lack of cloud solution security posture assessment [Updated]
      • INFO: Updated the match conditions.
  • T1894: Perform a vendor security assessment
    • TA6435: Ensure the proper distribution of cybersecurity activities with other organizations (ISO 21434) [Added]
    • P1437: Lack of vendor security assessment [Updated]
      • INFO: Updated the match conditions.
  • T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS) [Updated]
    • INFO: Updated the priority.
    • P1429: Applications not protected with Intrusion Detection / Protection System (IDS/IPS) [Updated]
      • INFO: Updated the match conditions.
  • T1915: Perform network vulnerability assessment [Updated]
    • INFO: Updated the priority.
    • P1438: Lack of network vulnerability assessment [Updated]
      • INFO: Updated the match conditions.
  • T1917: Perform container security assessment [Updated]
    • INFO: Updated the priority.
  • T1920: Conduct security architecture and design reviews before starting code development [Updated]
    • INFO: Updated the priority.
    • P1432: Lack of security architecture and design activities [Updated]
      • INFO: Updated the match conditions.
  • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software [Updated]
    • INFO: Updated the priority.
    • P1433: Lack of third-party software code or dependencies management [Updated]
      • INFO: Updated the match conditions.
  • T1925: Maintain the default behavior for anonymous access (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1926: Verify that the default behavior for anonymous access is maintained (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1927: Disable basic-auth-file method (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1928: Verify that the basic-auth-file option has not been configured (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1929: Secure communication between API server and master nodes (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1930: Verify that the connection between API server and master node is secure (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1931: Prevent insecure bindings and insecure port access (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1933: Do not disable secure-port for API server traffic (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1934: Verify that 'secure-port' is not disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1943: Use Security Context Constraints instead of SecurityContextDeny admission controllers (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1944: Verify that the list of admission controllers does not include SecurityContextDeny (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1945: Do not disable NamespaceLifecycle admission controller (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1946: Verify that the NamespaceLifecycle plugin is not disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1947: Configure auditing properly on the API server (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1948: Verify that API server auditing is configured properly (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1949: Do not set authorization-mode flag (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1950: Verify that the authorization-mode argument is not set to AlwaysAllow and Node authorizer is enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1951: Do not use static token files for authentication (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1952: Verify that static token files are not used (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1953: Ensure that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1954: Verify that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1955: Do not enable PodSecurityPolicy admission control plugin (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1956: Verify that the admission control plugin SecurityContextConstraint is set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1957: Ensure that etcd arguments are properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1958: Verify that etcd arguments are properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1959: Do not disable ServiceAccount admission controller (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1960: Verify that the admission control plugin ServiceAccount is set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1962: Verify that the admission control plugin NodeRestriction is set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1963: Encrypt data at rest in etcd datastore with aescbc encryption (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1964: Verify data at rest on etcd datastore is encrypted with aescbc encryption provider (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1965: Enable the APIPriorityAndFairness feature gate (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1966: Verify that the APIPriorityAndFairness feature gate is enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1967: Adjust the request timeout value (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1968: Verify that request timeout is set to an appropriate value (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1969: Do not expose profiling to the web (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1970: Verify that profiling is not exposed to the web (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1973: Do not disable use-service-account-credentials argument (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1974: Verify that use-service-account-credentials is not disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1975: Do not change the default setting for service-account-private-key-file (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1976: Verify that the service-account-private-key-file argument is properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1977: Ensure that root-ca-file is properly set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1978: Verify that the root-ca-file argument is not set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1979: Never give pods more privileges than required (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1980: Verify that Security Context Constraints get applied (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1983: Set permissions for sensitive files properly (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1984: Verify the permissions for the configuration files (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1985: Secure etcd communication (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1986: Verify that etcd communication is secure (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1990: Verify Security Context Constraints as in use (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T1999: Implement strong network policies (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2000: Verify network policies (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2001: Limit the use of privileged containers (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2002: Verify the usage of privileged containers (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2003: Do not disable the 'allow-privileged' flag (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2004: Verify that the 'allow-privileged' flag is not disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2005: Disable anonymous requests (OpenShift) [Updated]
    • INFO: Updated the title and text.
  • T2007: Keep the default value for the authorization mode argument (OpenShift) [Updated]
    • INFO: Updated the title, text, and priority.
  • T2008: Verify that the authorization-mode argument is not set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2011: Do not set the read-only-port argument (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2012: Verify that the read-only port is not enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2013: Adjust the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2014: Verify the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2017: Ensure that the make-iptables-util-chains is set to true (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2018: Verify that make-iptables-util-chains is set to true for each machinepool (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2019: Do not enable the 'keep-terminated-pod-volumes' flag (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2020: Verify that the 'keep-terminated-pod-volumes' is not enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2021: Ensure that the hostname-override is not set (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2022: Verify that hostname-override does not exist (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2023: Set the kubeAPIQPS event-qps argument to 0 (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2024: Verify that the value of event-qps is set to 0 (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2027: Do not enable cAdvisor endpoint (OpenShift) [Updated]
    • INFO: Updated the priority.
    • P1491: Enabling cAdvisor endpoint (OpenShift) [Updated]
      • INFO: Updated the text.
  • T2028: Verify that cAdvisor endpoint is not enabled (OpenShift) [Updated]
    • INFO: Updated the priority.
    • P1491: Enabling cAdvisor endpoint (OpenShift) [Updated]
      • INFO: Updated the text.
  • T2029: Do not disable rotate-certificates (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2030: Verify that rotate-certificates settings are not disabled (OpenShift) [Updated]
    • INFO: Updated the priority.
  • T2128: Notify users and regulators of breaches of personal information [Updated]
    • INFO: Updated the title and text.
  • T2137: Ensure that sensitive data is not recorded (iOS)
    • P1545: Information Disclosure in iOS via ReplayKit Framework [Updated]
      • INFO: Updated the match conditions.
  • T2144: Implement CAN bus protocol properly (Connected Cars)
    • P1548: Poor implementation of CAN bus protocol (Connected Cars) [Updated]
      • INFO: Updated the match conditions.
  • T2145: Enable gRPC Server-Client Certificate Authentication (.NET Core 3)
    • P1549: Unauthenticated gRPC client-server communication [Updated]
      • INFO: Updated the match conditions.
  • T2164: N/A - Not Applicable [Updated]
    • INFO: Updated the inclusion weakness.
  • T2170: Ensure that personal information processed by the application meets data localization requirements [Updated]
    • INFO: Updated the priority.
  • T2172: Enforce the principle of least privilege (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2174: Avoid unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2176: Avoid mixing agents of varying trust levels (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2177: Generate unique and immutable identifiers in SoC (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2178: Ensure fabric access controls enablement before 3rd party hardware IPs (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2179: Block write operations to reserve bits (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2180: Review Access Control Policy (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2181: Evaluate write-once registers for proper configuration (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2182: Check lock bit protections for design consistency (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2183: Avoid using chicken bits (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2184: Disable access to security-sensitive information stored in fuses (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2187: Enforce proper implementation of wear leveling operations (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2188: Enforce proper protection against voltage and clock glitches (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2189: Prevent Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2190: Prevent mirroring regions with different values (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2191: Ensure using configured CPU hardware to support exclusivity of write and execute operations (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2192: Prevent incorrect selection of fuse values (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2193: Prevent incorrect comparison logic granularity (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2195: Ensure access control applied properly to Mirrored or Aliased Memory Regions (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2197: Prevent Improper Restriction of Security Token Assignment (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2198: Prevent improper handling of overlap between protected memory ranges (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2199: Prevent improper handling of single-event upsets (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2200: Ensure register interface does not allow software access to sensitive data (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2201: Enforce physical access control (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware)
    • TA6432: Validate device firmware/software at the time of manufacturing (Hardware/Firmware) [Added]
  • T2241: Ensure security version data is protected from tampering (Hardware/Firmware) [Updated]
    • INFO: Updated the text and priority.
  • T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2243: Protect against fault injection attacks (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2245: Protect against abnormal thermal range (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2256: Authenticate and log all access to registries containing sensitive or proprietary images
    • P1650: Insufficient authentication for container registries [Updated]
      • INFO: Updated the match conditions.
  • T2257: Keep host OS components up-to-date
    • P1651: Insufficient updates of host OS components [Updated]
      • INFO: Updated the match conditions.
  • T2258: Minimize host OS attack surface
    • P1652: Large host OS attack surface [Updated]
      • INFO: Updated the match conditions.
  • T2262: Verify client certificate authentication is not used for users (Kubernetes) [Updated]
    • INFO: Updated the priority.
  • T2264: Verify network policies and CNI selection are appropriate (Kubernetes) [Updated]
    • INFO: Updated the priority.
  • T2271: Test to confirm that unauthorized access to sensitive data through debug or test interfaces is properly restricted (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2272: Test immutability of Root of Trust for storage (Hardware/Firmware) [Updated]
    • INFO: Updated the priority.
  • T2296: Securely install and configure all software components [Updated]
    • INFO: Updated the priority.
  • T2324: Verify whether privacy principles are applied for handling personal data [Updated]
    • INFO: Updated the priority.
  • T2327: Verify if a Privacy Impact Assessment is performed [Updated]
    • INFO: Updated the priority.
    • P1435: Lack of Privacy Impact Assessment (PIA) [Updated]
      • INFO: Updated the match conditions.
  • T2328: Verify if proper policies exist for processing sensitive personal data [Updated]
    • INFO: Updated the priority.
    • P1180: Lack of process for collecting and protecting sensitive data [Updated]
      • INFO: Updated the match conditions.
  • T2329: Verify if health data is handled securely [Updated]
    • INFO: Updated the priority.
  • T2330: Verify if children's personal information is handled securely [Updated]
    • INFO: Updated the priority.
  • T2331: Verify whether any plan exists for data privacy incident response [Updated]
    • INFO: Updated the priority.
  • T2337: Keep your infrastructure state secure (Terraform) [Updated]
    • INFO: Updated the text.
  • T2343: Define security-related roles and provide role-base training [Updated]
    • INFO: Updated the match conditions.
    • P1680: Lack of defining proper security roles and responsibilities [Updated]
      • INFO: Updated the match conditions.
  • T2344: Implement and augment supporting toolchains by automating SDLC security activities [Updated]
    • INFO: Updated the match conditions.
    • P1681: Lack of automation and implementation of supporting toolchains [Updated]
      • INFO: Updated the match conditions.
  • T2345: Define and implement criteria for software security checks [Updated]
    • INFO: Updated the match conditions.
    • TA6438: Enforce product cybersecurity validation (ISO 21434) [Added]
    • P1682: Lack of proper criteria for software security checks [Updated]
      • INFO: Updated the match conditions.
  • T2346: Establish an organization-wide software and code repository
    • P1683: Lack of organization-wide software and code repository [Updated]
      • INFO: Updated the match conditions.
  • T2347: Configure the Integrated Development Environment, Compilation, Interpreter, and Build Processes
    • P1684: Lack of proper integration of the development environment and tools [Updated]
      • INFO: Updated the cwe set and match conditions.
  • T2348: Perform code reviews
    • P1685: Lack of proper code reviews [Updated]
      • INFO: Updated the match conditions.
  • T2349: Configure software to have secure settings by default
    • P1686: Lack of secure default settings [Updated]
      • INFO: Updated the cwe set and match conditions.
  • T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the priority and match conditions.
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2351: Verify that security-related roles and responsibilities are properly defined and assigned [Updated]
    • INFO: Updated the match conditions.
    • P1680: Lack of defining proper security roles and responsibilities [Updated]
      • INFO: Updated the match conditions.
  • T2352: Verify that supporting toolchains are properly implemented [Updated]
    • INFO: Updated the match conditions.
    • P1681: Lack of automation and implementation of supporting toolchains [Updated]
      • INFO: Updated the match conditions.
  • T2353: Verify that proper criteria for software security checks are defined and implemented [Updated]
    • INFO: Updated the match conditions.
    • TA6439: Verify product cybersecuriy validation (ISO 21434) [Added]
    • P1682: Lack of proper criteria for software security checks [Updated]
      • INFO: Updated the match conditions.
  • T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the priority and match conditions.
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2359: Configure a secure user authentication (Cloud) (2/2) [Updated]
    • INFO: Updated the priority.
  • T2360: Configure a secure user authorization (Cloud) (2/2) [Updated]
    • INFO: Updated the priority.
  • T2361: Design a secure application architecture for the cloud environment (Cloud) (2/2) [Updated]
    • INFO: Updated the priority.
  • T2368: Enable logging and protect log files in your cloud environment (Cloud) (2/4) [Updated]
    • INFO: Updated the priority.
  • T2369: Enable logging and protect log files in your cloud environment (Cloud) (3/4) [Updated]
    • INFO: Updated the priority.
  • T2370: Enable logging and protect log files in your cloud environment (Cloud) (4/4) [Updated]
    • INFO: Updated the priority.
  • T2371: Enable logs and configuration monitoring in your cloud environment (Cloud) (2/4) [Updated]
    • INFO: Updated the priority.
  • T2372: Enable logs and configuration monitoring in your cloud environment (Cloud) (3/4) [Updated]
    • INFO: Updated the priority.
  • T2373: Enable logs and configuration monitoring in your cloud environment (Cloud) (4/4) [Updated]
    • INFO: Updated the priority.
  • T2374: Verify that logging is enabled and log files are protected (Cloud) (2/2) [Updated]
    • INFO: Updated the priority.
  • T2375: Verify that log monitoring and configuration monitoring are enabled (Cloud) (2/3) [Updated]
    • INFO: Updated the priority.
  • T2376: Verify that log monitoring and configuration monitoring are enabled (Cloud) (3/3) [Updated]
    • INFO: Updated the priority.
  • T2379: Ensure compliance with ISO/SAE 21434 [Updated]
    • INFO: Updated the match conditions.
    • P1688: Lack of processes for the approval of vehicles with regards to cyber security and cyber security management system [Updated]
      • INFO: Updated the match conditions.
  • T2389: Prevent co-channel and adjacent channel interference
    • P1693: Poor WiFi Settings Configuration [Updated]
      • INFO: Updated the text and match conditions.
  • T2392: Create an Incident Response Plan [Updated]
    • INFO: Updated the text.
    • TA6444: Create incident response plans (ISO 21434) [Added]
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2396: Verify that the organization has a Product Security Incident Plan
    • TA6445: Verify incident response plans (ISO 21434) [Added]
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2419: Verify Cognito uses strong authentication requirements (Amazon Cognito) [Updated]
    • INFO: Updated the match conditions.
  • T2423: Verify the S3 backup for Kinesis Firehose delivery failures are checked regularly (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2428: Implement least privilege access to Kinesis streams (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2429: Verify least privilege access to Kinesis streams is implemented (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2433: Verify Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the priority.
  • T2443: Verify proper permissions for files on worker nodes (Containerization) [Updated]
    • INFO: Updated the priority.
  • T2445: Verify secure authentication to and from worker nodes (Containerization) [Updated]
    • INFO: Updated the priority.
  • T2447: Verify the collection and protection of sensitive information on worker nodes (Containerization) [Updated]
    • INFO: Updated the priority.
  • T2449: Verify the availability of worker nodes (Containerization) [Updated]
    • INFO: Updated the priority.
  • T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization) [Updated]
    • INFO: Updated the priority.
  • T2456: Assign roles properly (Containerization) [Updated]
    • INFO: Updated the text.
  • T2470: Verify CloudWatch is used to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2480: Include Content-Disposition headers in API responses [Updated]
    • INFO: Updated the text.
  • T2490: Provision device with private/public key pair securely (Hardware/Firmware) [Added]
    • P1721: Insecure storage of credentials (Hardware/Firmware) [Added]
  • T2491: Verify that the device is securely provisioned with a private/public key pair (Hardware/Firmware) [Added]
    • P1721: Insecure storage of credentials (Hardware/Firmware) [Added]
  • T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware) [Added]
    • P1722: Unsecure key generation (Hardware/Firmware) [Added]
  • T2493: Verify that the device can generate opaque keys to encrypt OS files and data on the device (Hardware/Firmware) [Added]
    • P1722: Unsecure key generation (Hardware/Firmware) [Added]
  • T2494: Encrypt the bootloader (Hardware/Firmware) [Added]
    • P1723: Unencrypted bootloader (Hardware/Firmware) [Added]
  • T2495: Verify that the bootloader is encrypted (Hardware/Firmware) [Added]
    • P1723: Unencrypted bootloader (Hardware/Firmware) [Added]
  • T2496: Generate and forward audit logs (Hardware/Firmware) [Added]
    • P1724: Lack of device-generated audit logs (Hardware/Firmware) [Added]
  • T2497: Verify that the device generates and forwards audit logs (Hardware/Firmware) [Added]
    • P1724: Lack of device-generated audit logs (Hardware/Firmware) [Added]
  • T2498: Provide clear definitions for each component [Added]
    • P1716: Lack of Technical Documentation [Updated]
      • INFO: Updated the text.
  • T2499: Verify that clear definitions for each component exist [Added]
    • P1716: Lack of Technical Documentation [Updated]
      • INFO: Updated the text.
  • T2500: Verify that a Threat and Risk Assessment (TRA) is performed [Added]
    • TA6447: Verify a proper risk analysis and treatments are performed (ISO 21434) [Added]
    • TA6448: Verify the procedures for identifying assets and their damage scenarios (ISO 21434) [Added]
    • TA6452: Verify that threat scenarios and attack paths are identified for each valuable asset (ISO 21434) [Added]
    • TA6454: Verify the procedures for evaluating attack feasibility and risk rating (ISO 21434) [Added]
    • P1187: Lack of a process for identifying and assessing threats [Updated]
      • INFO: Updated the title and match conditions.
  • T2501: Perform cybersecurity planning [Added]
    • P1727: Lack of cybersecurity planning [Added]
  • T2502: Define a cybersecurity policy for your organization [Added]
    • P1726: Lack of an organizational cybersecurity policy [Added]
  • T2503: Verify the cybersecurity policy of your organization [Added]
    • P1726: Lack of an organizational cybersecurity policy [Added]
  • T2504: Verify the cybersecurity plan [Added]
    • P1727: Lack of cybersecurity planning [Added]
  • T2505: Conduct cybersecurity assessments for components [Added]
    • P1729: Lack of a cybersecurity assessment [Added]
  • T2506: Verify the cybersecurity assessment report [Added]
    • P1729: Lack of a cybersecurity assessment [Added]
  • T2507: Verify vendor security assessment [Added]
    • TA6436: Verify the proper distribution of cybersecurity activities with other organizations (ISO 21434) [Added]
    • P1437: Lack of vendor security assessment [Updated]
      • INFO: Updated the match conditions.
  • T2509: Verify the separation of development, test, and operational environments [Added]
    • TA6441: Verify your production control plan (ISO 21434) [Added]
    • P1191: Deploying software in production on the same environment as development and testing [Updated]
      • INFO: Updated the match conditions.
  • T2510: Define cybersecurity goals and requirements for a component [Added]
    • P1716: Lack of Technical Documentation [Updated]
      • INFO: Updated the text.
  • T2511: Define procedures for decommissioning and terminating cybersecurity support [Added]
    • P1730: Lack of procedures for decommissioning and terminating cybersecurity support [Added]
  • T2512: Verify implemented procedures for decommissioning and terminating cybersecurity support [Added]
    • P1730: Lack of procedures for decommissioning and terminating cybersecurity support [Added]
  • T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component [Added]
    • P1716: Lack of Technical Documentation [Updated]
      • INFO: Updated the text.
  • T2514: Establish coding and testing guidelines [Added]
    • P1731: Lack of coding and testing guidelines [Added]
  • T2515: Verify coding and testing guidelines [Added]
    • P1731: Lack of coding and testing guidelines [Added]
  • T2516: Verify that common software weaknesses and threats are identified and tracked. [Added]
    • TA6449: Verify the continuous monitoring, evaluation and management of security vulnerabilities (ISO 21434) [Added]
    • P1187: Lack of a process for identifying and assessing threats [Updated]
      • INFO: Updated the title and match conditions.
  • T2517: Define cybersecurity specifications and post-development procedures [Added]
    • P1732: Lack of cybersecurity specifications and post-development procedures [Added]
  • T2518: Verify cybersecurity specifications and post-development procedures [Added]
    • P1732: Lack of cybersecurity specifications and post-development procedures [Added]
  • P1564: N/A - Not Applicable [Deactivated]

  • Changes to Project Properties and Profiles

    • Q284: Context and Characteristics
      • Q252: Application's Context and Characteristics
        • A1350: Include general countermeasures in the Activity phase (process engineering tasks) in this project [Updated]
          • INFO: Updated the text and description.
    • Q352: Automotive [Added]
      • Q353: In-scope for Automotive Cybersecurity Regulations [Added]
        • A1358: ISO/SAE 21434 [Added]
        • A1359: WP.29 R155 [Added]
  • New Just-in-Time Training

    • PCI DSS (16)
    • Defending Node (17)

2023.1

April 15, 2023

New features and enhancements

  • Advanced Reports

    • Granular Permissions
      • Added the ability to control and restrict user access to specific data sets or features within a reporting tool. This level of control allows administrators to tailor the user experience, ensuring that each user has access only to the data that is relevant to their role and responsibilities.
  • Authentication

    • SAML V2 UI & Groups & Roles Assertions via API
      • Upgraded the SAML user interface. This feature is currently disabled by default.
      • Added new API endpoints under SAML V2 that support the ability to extend SAML authentication with Group & Role assertions from an Identity Provider.
  • Threat Model Diagrams

    • Added the ability to import diagrams (in the UI only), specifically when the Diagrams feature flag is turned on. Imported diagrams do not have an impact on Threats, Weaknesses, or Countermeasures, but they do allow SD Elements to be the centralized repository where all threat modeling documentation is stored.
  • Components

    • Built-in components
      • Added the ability for users with customize_content permissions to edit built-in components in the SD Elements library. They can change the name, answer mapping and the Countermeasures list.

Other product improvements

  • Integrations

    • Extended the content under Jira Integration to inform how Jira Comment Sync connects and how it is expected to work when enabled.
      • Created a new table under LDAP documentation explaining expected behavior when managing the deactivation configurations under the LDAP Synchronization feature.
  • Survey

    • Added a banner to the project survey page showing a survey status of either published (green banner) or draft (yellow banner).
  • Threat Model Diagrams

    • Added a Threats feature flag to hide Threats from the UI.
  • Library

    • Addressed a bug related to new library content not inheriting the parent content pack's active status.
    • Updated the Import/Export tool to use Countermeasure instead of Task and Weakness instead of Problem in the files.

Content improvements summary

  • PCI DSS 4.0

    • Added new Countermeasures, Additional Requirements, and a Regulation based on updated standards.
  • ASVS 4.0

    • Added new Countermeasures and Additional Requirements to cover all ASVS v4.0 controls.
  • CMMC 2.0

    • Mapped Countermeasures to CMMC v2, added new reports for Levels 1 and 2 CMMC v2 maturity, and created survey answers for CMMC v2.
  • CWE 4.10

    • Updated SD Elements to account for deprecated Weakness listings and mapped SD Elements Weaknesses to CWE-1395.
  • TypeScript

    • Added new How-to's for TypeScript.

Content additions and updates (as of March 28, 2023):

  • Compliance Regulations and Mappings

    • Added CMMC V2 (Level 1)
    • Added CMMC V2 (Level 2)
    • Updated PCI-DSS-v4.0 [INFO: Updated the regulation sections].
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • TA6415: MFA requirements (PCI-DSS 4.0) [Added]
    • TA6416: Implement a strong MFA system (PCI-DSS 4.0) [Added]
  • T5: Use minimum standards for passwords
    • TA6414: Password requirements (PCI-DSS 4.0) [Added]
  • T6: Implement account lockout or authentication throttling
    • TA6413: Account lockout or authentication throttling requirements (PCI-DSS 4.0) [Added]
  • T9: Implement authorization and screening for highly sensitive transactions
    • TA6403: Restrict user access to query repositories storing CHD (PCI-DSS 4.0) [Added]
  • T14: Enforce the principle of least privilege [Updated]
    • INFO: Updated the text.
    • TA6401: Review user accounts and related access privileges periodically (PCI-DSS 4.0) [Added]
    • TA6402: Review application and system and related access privileges periodically (PCI-DSS 4.0) [Added]
  • T21: Ensure all data in transit is encrypted using a secure TLS channel
    • TA6375: Safeguard PAN with strong cryptography during transmission (PCI-DSS 4.0) [Added]
  • T24: Enforce idle session timeout
    • TA6412: Timeout requirement (PCI-DSS 4.0) [Added]
  • T31: Validate all forms of input
    • I1867: Validate user input in TypeScript [Added]
  • T45: Log potential critical security events
    • TA6408: Identify and address failures in critical security control systems promptly (PCI-DSS 4.0) [Added]
  • T53: Prevent the upload of malicious files and implement anti-malware solutions [Updated]
    • INFO: Updated the title and text.
    • TA6426: Evaluate system components not at risk from malware periodically (PCI-DSS 4.0) [Added]
    • TA6427: Implement anti-malware solutions (PCI-DSS 4.0) [Added]
    • P325: Unrestricted Upload of Unsafe File Types [Updated]
      • INFO: Updated the text.
  • T59: Use standard libraries for cryptography
    • I1873: Encrypt sensitive data in TypeScript [Added]
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • TA6430: Securely store and manage cryptographic keys to encrypt account data (PCI-DSS 4.0) [Added]
  • T66: Prevent web pages from being loaded inside iFrame
    • I1869: Prevent clickjacking in TypeScript [Added]
  • T68: Encrypt Primary Account Number (PAN) in storage [Updated]
    • INFO: Updated the title and text.
    • TA6429: Manage the use of disk-level PAN encryption (PCI-DSS 4.0) [Added]
    • P686: Plaintext Primary Account Number (PAN) [Updated]
      • INFO: Updated the title.
  • T74: Avoid HTTP parameter pollution
    • I1872: Prevent HTTP parameter pollution in TypeScript [Added]
  • T133: Mask Primary Account Number (PAN) when displayed [Updated]
    • INFO: Updated the title and text.
    • P686: Plaintext Primary Account Number (PAN) [Updated]
      • INFO: Updated the title.
  • T151: Use cryptographically secure random numbers [Updated]
    • INFO: Updated the text.
    • TA6393: ASVS Requirements - GUID v4 algorithm [Added]
  • T186: Use recommended settings and the latest patches for third party libraries and software
    • I1862: Perform Software Composition Analysis in TypeScript [Added]
    • P728: Insufficient patching or use of insecure third party software/libraries [Updated]
      • INFO: Updated the cwe set.
  • T191: Follow best practices when handling primitive data types
    • I1863: Use correct data types in TypeScript [Added]
    • I1865: Use primitive types in TypeScript [Added]
  • T197: Validate the signature of all remote code/updates to verify their origin and integrity (client side) [Updated]
    • INFO: Updated the title, text, priority, and cwe set.
    • TA5247: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Software Application) [Updated]
      • INFO: Updated the text.
    • TA5249: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Software Application) [Updated]
      • INFO: Updated the text.
    • TA5251: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Embedded Device) [Updated]
      • INFO: Updated the text.
    • TA5253: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Embedded Device) [Updated]
      • INFO: Updated the text.
    • TA5255: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Host Device) [Updated]
      • INFO: Updated the text.
    • TA5257: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Host Device) [Updated]
      • INFO: Updated the text.
    • TA5259: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Network Device) [Updated]
      • INFO: Updated the text.
    • TA5261: ISASecure CSA 311 requirements: Levels (2, 3, 4), Components (Network Device) [Updated]
      • INFO: Updated the text.
    • TA5463: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
    • I546: Signing data and verifying digital signatures [Updated]
      • INFO: Updated the text.
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared
    • TA6391: Securely delete any resource containing cardholder data (PCI-DSS 4.0) [Added]
  • T322: Include HTTP Strict-Transport-Security headers in HTTPS responses
    • I1871: Set HTTP Strict Transport Security (HSTS) in TypeScript [Added]
  • T325: Use JavaScript Strict Mode
    • I1864: Use strict mode in TypeScript [Added]
  • T331: Enforce policies through content security policy (CSP) or XSS protection headers
    • I1868: Set Content Security Policy in TypeScript [Added]
  • T340: Use an account and identity management system [Updated]
    • INFO: Updated the text.
    • TA6410: Authorize each Lifecycle event for user IDs and authentication factors (PCI-DSS 4.0) [Added]
    • TA6411: Disable inactive credentials (PCI-DSS 4.0) [Added]
    • TA6417: Requirements for system or application accounts that can be used for interactive login (PCI-DSS 4.0) [Added]
  • T344: Enforce different rules for access to the system based on the origin, type, and medium of request [Updated]
    • INFO: Updated the title and text.
  • T345: Check the integrity of critical configuration and data files
    • TA6423: File integrity monitoring requirement (PCI-DSS 4.0) [Added]
  • T349: Protect audit information and logs against unauthorized access
    • TA6404: Keep and protect the integrity of audit logs (PCI-DSS 4.0) [Added]
  • T353: Control the inbound and outbound data flow across the boundaries of zones [Updated]
    • INFO: Updated the text.
    • TA6369: Install NSCs between all wireless networks and the CDE (PCI-DSS 4.0) [Added]
    • TA6370: Prevent direct access to cardholder data (PCI-DSS 4.0) [Added]
  • T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
    • P755: Lack of control over third-party hardware or software components [Updated]
      • INFO: Updated the cwe set.
  • T379: Provide sufficient documentation for security-related features [Updated]
    • INFO: Updated the text.
    • TA6373: Provide business justification for unsecured services (PCI-DSS 4.0) [Added]
    • TA6379: Manage Cryptographic Cipher Suite (PCI-DSS 4.0) [Added]
  • T435: Prevent web browsers from MIME sniffing
    • I1870: Prevent MIME type sniffing in TypeScript [Added]
  • T439: Verify that the origin and integrity of remote code and updates are checked (client side) [Updated]
    • INFO: Updated the title, priority, and cwe set.
  • T456: Change default security settings to the most stringent ones and disable unnecessary services and modules
    • TA6372: Manage primary functions requiring different security levels (PCI-DSS 4.0) [Added]
    • TA6374: Reduce the risk of using unsecured services (PCI-DSS 4.0) [Added]
  • T542: Protect hardware modules against tampering and probing
    • TA6390: Protect media with cardholder data (PCI-DSS 4.0) [Added]
    • TA6392: Protect POI devices from tampering and unauthorized substitution (PCI-DSS 4.0) [Added]
  • T849: Yield more often inside all goroutines [Deactivated]
    • P938: Non-preemptive Goroutines [Deactivated]
  • T850: Verify that all goroutines yield execution [Deactivated]
    • P938: Non-preemptive Goroutines [Deactivated]
  • T896: Design a secure architecture for AWS deployment (AWS)
    • P942: Lack of Security Architecture [Updated]
      • INFO: Updated the match conditions.
  • T1067: Regenerate storage account access keys periodically (Microsoft Azure) [Updated]
    • INFO: Updated the text.
  • T1164: Secure swarm mode (Docker) [Updated]
    • INFO: Updated the text.
  • T1334: Ensure legacy authorization is set to disabled on Kubernetes Engine Clusters (Google Cloud) [Updated]
    • INFO: Updated the text.
  • T1378: Release a change summary for each software update
    • TA6400: Securely manage changes to software (PCI-DSS 4.0) [Added]
  • T1380: Enforce secure user registration and access control
    • TA6409: Give each user a unique account (PCI-DSS 4.0) [Added]
  • T1381: Establish secure processes for key management [Updated]
    • INFO: Updated the text.
    • TA6431: Define and implement key management processes (PCI-DSS 4.0) [Added]
  • T1384: Back up and restore securely
    • TA6397: Get approval for media with cardholder data leaving the facility (PCI-DSS 4.0) [Added]
  • T1385: Institute secure logging and event monitoring
    • TA6405: Review audit logs on a daily basis (PCI-DSS 4.0) [Added]
    • TA6406: Retention policy of audit log history (PCI-DSS 4.0) [Added]
    • TA6407: Configure systems to the correct and consistent time (PCI-DSS 4.0) [Added]
  • T1386: Regulate the use of electronic messaging [Updated]
    • INFO: Updated the phase.
  • T1387: Ensure the security of products acquired through the supply chain and contractors
    • P1170: Lack of a secure process for outsourcing [Updated]
      • INFO: Updated the cwe set.
  • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • TA6418: Internal vulnerability scans (PCI-DSS 4.0) [Added]
  • T1389: Perform penetration testing
    • TA6419: Formal penetration testing methodology requirements (PCI-DSS 4.0) [Added]
    • TA6420: Penetration testing requirements (PCI-DSS 4.0) [Added]
    • TA6421: Repeat Penetration testing when required (PCI-DSS 4.0) [Added]
    • TA6422: Penetration testing on CDE segmentation controls (PCI-DSS 4.0) [Added]
  • T1669: Revoke powerful roles where they are not likely needed (Oracle Database) [Updated]
    • INFO: Updated the text.
  • T1890: Implement OAuth 2.0 securely on the resource server [Updated]
    • INFO: Updated the text.
  • T1892: Perform a Threat and Risk Assessment (TRA)
    • TA6377: Provide and maintain up-to-date knowledge and assessment of risks to the CDE (PCI-DSS 4.0) [Added]
    • TA6378: Perform risk analysis for PCI DSS requirements satisfied with a custom approach (PCI-DSS 4.0) [Added]
  • T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
    • TA6399: Protect all public payment pages (PCI-DSS 4.0) [Added]
    • TA6424: Prevent intrusions into the CDE network (PCI-DSS 4.0) [Added]
  • T1917: Perform container security assessment [Updated]
    • INFO: Updated the phase.
  • T1918: Integrate with SSO [Updated]
    • INFO: Updated the phase.
  • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
    • P1433: Lack of third-party software code or dependencies management [Updated]
      • INFO: Updated the cwe set.
  • T1971: Adjust the terminated-pod-gc-threshold argument as needed (OpenShift) [Updated]
    • INFO: Updated the text.
  • T2065: Configure TLS for secure connections to App Service (Microsoft Azure) [Updated]
    • INFO: Updated the text.
  • T2128: Develop a process to notify users and regulators of breaches of personal information [Updated]
    • INFO: Updated the phase.
  • T2170: Ensure that personal information processed by the application meets data localization requirements [Updated]
    • INFO: Updated the phase.
  • T2281: Secure access control (GraphQL) [Updated]
    • INFO: Updated the text.
  • T2284: Prevent DoS attacks (GraphQL) [Updated]
    • INFO: Updated the text.
  • T2343: Define security-related roles and provide role-base training
    • TA6383: Conduct a formal security awareness program (PCI-DSS 4.0) [Added]
    • TA6398: Provide security training for all personas involved in software development (PCI-DSS 4.0) [Added]
  • T2348: Perform code reviews [Updated]
    • INFO: Updated the text.
    • I1866: Perform code reviews in TypeScript [Added]
  • T2350: Create a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the match conditions.
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Updated]
    • INFO: Updated the match conditions.
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2391: Change the default value of the SSID and other wireless defaults [Updated]
    • INFO: Updated the title and text.
  • T2392: Create an Incident Response Plan [Updated]
    • INFO: Updated the text.
    • TA6388: Review and test Incident Response Plans (PCI-DSS 4.0) [Added]
    • TA6389: Quickly respond to cleartext PAN detection events (PCI-DSS 4.0) [Added]
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the match conditions.
  • T2397: Detect rogue stations in a wireless network
    • TA6425: Identify and address unauthorized wireless access (WiFi) points (PCI-DSS 4.0) [Added]
  • T2404: Enforce a minimum TLS version for API connections (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2405: Verify a minimum TLS version for API connections is used (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2406: Encrypt the API cache (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2407: Verify the API cache is encrypted (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2408: Ensure API Gateway actions are logged (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2409: Verify API Gateway actions are logged (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2410: Restrict outside access to internal APIs (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2411: Verify outside access to internal APIs is restricted (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2412: Protect APIs with a Web Application Firewall (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2413: Verify APIs are protected with a Web Application Firewall (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2414: Don't use API keys for authentication and authorization (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2415: Verify API keys are not the only mechanism for authentication and authorization (Amazon API Gateway) [Updated]
    • INFO: Updated the match conditions.
  • T2416: Encrypt Kinesis Firehose delivery streams (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2417: Verify Kinesis Firehose delivery streams are encrypted (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2422: Check the S3 backup for Kinesis Firehose delivery failures (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2423: Verify the S3 backup for Kinesis Firehose delivery failures are checked regularly (Amazon Kinesis Data Firehose) [Updated]
    • INFO: Updated the match conditions.
  • T2425: Encrypt Kinesis streams on the server (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2427: Verify Kinesis streams are encrypted on the server (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2428: Implement least privilege access to Kinesis streams (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2432: Ensure Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2433: Verify Kinesis events are logged (Amazon Kinesis Data Streams) [Updated]
    • INFO: Updated the match conditions.
  • T2434: Enable Web Application Firewall (AWS Web Application Firewall) [Updated]
    • INFO: Updated the match conditions.
  • T2435: Verify the Web Application Firewall is enabled (AWS Web Application Firewall) [Updated]
    • INFO: Updated the match conditions.
  • T2438: Ensure Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Updated]
    • INFO: Updated the match conditions.
  • T2440: Verify Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Updated]
    • INFO: Updated the match conditions.
  • T2468: Manage PCI-DSS compliance
    • TA6371: Ensure devices that connect to untrusted environments cannot introduce threats to the CDE (PCI-DSS 4.0) [Added]
    • TA6376: Establish PCI DSS required policies (PCI-DSS 4.0) [Added]
    • TA6380: Review hardware and software technologies in use (PCI-DSS 4.0) [Added]
    • TA6381: Formal responsibility for the security of cardholder data (PCI-DSS 4.0) [Added]
    • TA6382: Review operational effectiveness of critical PCI DSS controls (PCI-DSS 4.0) [Added]
    • TA6384: Reduce risks from insider threats by screening personnel (PCI-DSS 4.0) [Added]
    • TA6385: Record third-party service providers (PCI-DSS 4.0) [Added]
    • TA6386: Manage Third-Party Service Providers (PCI-DSS 4.0) [Added]
    • TA6387: Ensure TPSPs support the PCI DSS compliance of their customers (PCI-DSS 4.0) [Added]
    • TA6394: Implement physical access controls (PCI-DSS 4.0) [Added]
    • TA6395: Manage physical access for personnel (PCI-DSS 4.0) [Added]
    • TA6396: Manage physical access for visitors (PCI-DSS 4.0) [Added]
    • TA6428: Limit and control account data storage (PCI-DSS 4.0) [Added]
    • TA6366: Identify and confirm the scope of the PCI DSS [Updated]
      • INFO: Updated the text.
    • P1713: Lack of processes for the approval of compliance with PCI-DSS [Updated]
      • INFO: Updated the match conditions.
  • T2469: Use CloudWatch to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Added]
    • P1714: Decryption failure [Added]
  • T2470: Verify CloudWatch is used to monitor Kinesis Firehose decryption failures (Amazon Kinesis Data Firehose) [Added]
    • P1714: Decryption failure [Added]
  • T2473: Verify the presence of security constraints in all user stories and features [Added]
    • P1716: Lack of Technical Documentation [Added]
  • T2474: Include security constraints in all user stories and features [Added]
    • P1716: Lack of Technical Documentation [Added]
  • T2477: Test the re-deployment routines [Added]
    • P1719: Lack of automated re-deployment plan [Added]
  • T2478: Manage re-deployment routines [Added]
    • P1719: Lack of automated re-deployment plan [Added]
  • T2479: Test the Content-Disposition header in API responses [Added]
  • T2480: Include Content-Disposition headers in API responses [Added]
  • T2481: Define and apply configuration standards for Network Security Controls [Added]
    • P1717: Lack of configuration standards for Network Security Controls [Added]
  • T2482: Verify implementing configuration standards [Added]
    • P1717: Lack of configuration standards for Network Security Controls [Added]
  • T2483: Follow a control change management process [Added]
    • P1718: Lack of change management for network connections and configurations [Added]
  • T2484: Verify a change management procedure is in place [Added]
    • P1718: Lack of change management for network connections and configurations [Added]
  • T2485: Verify that remote code and updates are correctly encrypted and signed (server side) [Added]
    • TA938: Test that SRI is used [Updated]
      • INFO: Updated the inclusion standard.
  • T2486: Encrypt and sign all remote code/updates (server side) [Added]
    • TA179: DIACAP Notes [Updated]
      • INFO: Updated the inclusion standard.
    • TA251: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the inclusion standard.
    • TA795: Ruby on Rails: Preventing unwanted Remote Code Execution by using long key [Updated]
      • INFO: Updated the inclusion standard.
    • TA882: ASD-STIG requirements [Updated]
      • INFO: Updated the text and inclusion standard.
    • TA5461: ISASecure SSA 311 requirements: Levels (1, 2, 3, 4) [Updated]
      • INFO: Updated the text and inclusion standard.
    • TA5587: PCI-SSF (S3) / Signing all terminal software files [Updated]
      • INFO: Updated the inclusion standard.
    • I914: Signing JAR files in Java [Updated]
      • INFO: Updated the inclusion standard.
  • T2488: Detect and respond to unauthorized changes on payment pages (PCI-DSS 4.0) [Added]
    • P1720: Insufficient control and response to unauthorized changes on payment pages [Added]
  • T2489: Test that change-detection and tamper-detection mechanisms are implemented for payment pages (PCI-DSS 4.0) [Added]

    • P1720: Insufficient control and response to unauthorized changes on payment pages [Added]
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • Q110: Technology/Framework
          • A1281: Flutter [Updated]
            • INFO: Updated the question.
    • Q201: Authorization
      • Q117: Allows User Controlled Page Selection [Removed]
    • Q202: More Features
      • Q214: Miscellaneous
        • A33: Uses multi-threaded programming [Updated]
          • INFO: Updated the text and question.
        • A90: Performs diagnostic/debug logging [Updated]
          • INFO: Updated the text, description, and question.
    • Q204: Financial Systems
      • Q161: Payment Components
        • A132: In-scope for PCI-DSS 3.2 [Updated]
          • INFO: Updated the text and description.
        • A1327: In-scope for PCI-SSS [Updated]
          • INFO: Updated the children.
        • A1357: In-scope for PCI-DSS 4.0 [Added]
    • Q243: Internal Hidden Properties
      • Q113: Version of Servlet Spec Supported [Removed]
      • Q116: Uses Multi-Threaded Programming [Removed]
      • Q143: Performs Diagnostic/Debug Logging [Removed]
      • Q171: Uses Microsoft Enterprise Libraries [Removed]
    • Q331: US Federal and NIST
      • Q328: In-Scope for CMMC
        • Q351: CMMC V2 Maturity Level [Added]
          • A1354: Level 1 [Added]
          • A1355: Level 2 [Added]
        • Q329: CMMC V1 Maturity Level [Updated]
          • INFO: Updated the text.
        • A1275: CMMC V1 [Updated]
          • INFO: Updated the text.
        • A1356: CMMC V2 [Added]

2022.4

January 7, 2023

New features and enhancements

  • Integrations

    • Added Snyk Open Source (SCA) as a supported Verification Tool.
    • Introduced an ability to upload and overwrite default Countermeasure mapping files under all Verification Tools.
    • Currently, you cannot upload a file with special characters. See the User Guide for instructions on what is supported until a fix is released.
  • Advanced Reports

    • Reporting Contexts
      • Users can choose the context that forms the basis of their report request to create more robust advanced reports.
    • Join paths from Countermeasures to threats and Countermeasures to components have been added in the Countermeasure context. Users can now reliably report on the Countermeasures required to mitigate a threat.
    • You will receive the error "Invalid Token" while executing an advanced report if it takes longer than 60 seconds to execute. Add additional filters to the report to reduce the number of returned results.
  • Components

    • Connected Components
      • Enables SD Elements project users to create a component from a project or release.
      • Information from the project is preloaded in the component creation dialog.
      • Components created from projects still need to be enabled by a content admin (approval workflow).
  • Threat Model diagrams

    • Added the ability to add notes to the diagram.
    • Added the ability to nest zones.
    • Added the ability to apply Risk Policies to filter Countermeasures on the Threats List page.

Other product improvements

  • Comment syncing via SD Elements to Jira was expanded to support all authoritative sources.

    • This feature was originally only available to users using SD Elements as an authoritative source.
  • Added support for network isolation security features in containerized setups of SD Elements.

    • This feature enables SD Elements administrators to filter out unauthorized network traffic between Kubernetes pods.

Content improvements summary

PCI DSS

  • Added new Countermeasures and a Regulation based on PCI DSS v4.0.

Azure AKS

  • Added new Countermeasures, Amendments, and How-tos based on CIS Azure Kubernetes Service (AKS) Benchmark version 1.2.0.

Android

  • Added and/or updated Countermeasures, Weaknesses, and How-tos, and Amendments based on Android versions 11, 12 and 13.

TypeScript

  • Added new How-tos for TypeScript.

AWS Services

  • Added content for AWS API Gateway, AWS Cognito, AWS Kinesis Data Firehose, Amazon Kinesis Data Streams, and AWS WAF.

.Net 6 Update

  • Added new How-tos for .Net 6.

Golang

  • Added new How-tos for Golang.

CWE Top 25

  • Added the latest CWE Top 25 (2022) mapping to SD Elements content.

Content additions and updates (as of December 6, 2022):

  • Compliance Regulations and Mappings

    • Added 2022 CWE Top 25 Most Dangerous Software Weaknesses
    • Added CIS Azure Kubernetes Service (AKS) 1.2.0
    • Added PCI-DSS-v4.0
  • Content Packs

    • Added TypeScript
    • Added AKS
  • Updated the following code scanner mappings

    • Fortify
  • New Just-in-Time Training

    • Secure Software Requirements (18)
    • Defending Django (23)
    • CCPA for Developers (5)
    • Defending Ansible (20)
    • Defending .NET6 (15)
    • PCI SSLC (10)
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • I1858: Configure 2FA in ASP.NET [Added]
  • T5: Use minimum standards for passwords [Updated]
    • INFO: Updated the text.
    • TA6364: Prevent the use of pwned passwords [Added]
  • T21: Ensure all data in transit is encrypted using a secure TLS channel
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • INFO: Updated the match conditions.
  • T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
    • I1852: Avoid XSS in TypeScript [Added]
  • T43: Avoid unsafe operating system interaction
    • I1853: Avoid Command Injection in TypeScript [Added]
  • T59: Use standard libraries for cryptography
    • I1860: Go: Triple DES Encryption [Added]
  • T62: Protect passwords in property and configuration files
    • TA6368: Protecting secrets in Test/Development environments. [Added]
    • I771: ASP.NET Core / C#: Secret Manager for Development Environments [Updated]
      • INFO: Updated the text and match conditions.
    • P158: Password in configuration files [Updated]
      • INFO: Updated the title.
  • T73: Use random delays in authentication failures
    • I1856: Protect against timing attacks in TypeScript [Added]
  • T76: Do not hardcode passwords [Updated]
    • INFO: Updated the title.
  • T161: Treat unique device IDs as personal information [Updated]
    • INFO: Updated the text.
    • TA280: Unique device IDs in Android [Updated]
      • INFO: Updated the text.
    • P257: Privacy Violation [Updated]
      • INFO: Updated the text.
  • T162: Validate pathname before retrieving local resources
    • I1855: Protect against path traversal in TypeScript [Added]
  • T194: Obtain user consent for tracking cookies
    • P732: Insufficient consent for user tracking [Updated]
      • INFO: Updated the match conditions.
  • T204: Follow security best practices when dealing with pointers
    • TA6367: Avoid granting direct access to the memory [Added]
  • T261: Manage iOS Pasteboards that are used with sensitive data
    • P213: Plaintext Storage in Memory [Updated]
      • INFO: Updated the match conditions.
  • T270: Follow best practices for storing application data on Android devices [Updated]
    • INFO: Updated the text.
    • I1805: EncryptedSharedPreferences [Added]
    • I402: Android storage options and considerations [Updated]
      • INFO: Updated the text.
  • T272: Restrict access to the application's exported components (Android) [Updated]
    • INFO: Updated the text.
  • T331: Enforce policies through content security policy (CSP) or XSS protection headers [Updated]
    • INFO: Updated the text.
    • TA6365: X-XSS-Protection for old browser versions [Added]
  • T340: Use an account and identity management system
    • I1857: Use extensibility points in the ASP.NET identity system [Added]
  • T423: Disable copying on Android text fields with sensitive data [Updated]
    • INFO: Updated the text.
    • I1806: Mask sensitive information in the Android clipboard [Added]
  • T440: Follow best practices when managing Android permissions
    • I1807: Granular data access permissions [Added]
    • TA6256: Location permissions [Added]
  • T442: Test that Android permissions are properly managed
    • TA6257: Test location permissions [Added]
  • T528: Enable MAC layer security mechanisms supported in the IEEE 802.15.4 when supported by the vendor
    • P799: No MAC layer security in shared networks [Updated]
      • INFO: Updated the match conditions.
  • T564: Follow best practices for sharing data between Android applications [Updated]
    • INFO: Updated the text.
  • T615: Check your mobile application's integrity and installation source [Updated]
    • INFO: Updated the text.
    • I568: Android: Integrity and installation source [Updated]
      • INFO: Updated the text.
  • T643: Implement certificate pinning in a hostile environment
    • I1861: GoLang: Certificate pinning [Added]
  • T975: Use a sandboxing alternative to Security Manager (Apache Tomcat) [Updated]
    • INFO: Updated the text.
    • I819: Apache Tomcat: Starting Tomcat with Security Manager [Updated]
      • INFO: Updated the text.
    • P983: Lack of a sandboxing mechanism or relying on the deprecated Security Manager (Apache Tomcat) [Updated]
      • INFO: Updated the text.
  • T1004: Verify that a sandboxing alternative to Security Manager is used (Apache Tomcat) [Updated]
    • INFO: Updated the text.
    • P983: Lack of a sandboxing mechanism or relying on the deprecated Security Manager (Apache Tomcat) [Updated]
      • INFO: Updated the text.
  • T1300: Enable multi-factor authentication for all non-service accounts (Google Cloud)
    • P1139: Weak Authentication [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T1366: Identify applicable compliance regulations
    • P1171: Lack of a process for identifying applicable compliance regulation [Updated]
      • INFO: Updated the match conditions.
  • T1367: Identify and classify critical assets
    • P1172: Lack of a process for identifying critical assets [Updated]
      • INFO: Updated the match conditions.
  • T1368: Perform security testing using SAST tools
    • I1851: Analyze TypeScript code using a SAST tool [Added]
    • P1186: Lack of a process for static application security testing (SAST) [Updated]
      • INFO: Updated the match conditions.
  • T1369: Perform security testing using DAST tools
    • P1173: Lack of a process for dynamic application testing [Updated]
      • INFO: Updated the match conditions.
  • T1370: Identify and track common software weaknesses and threats
    • P1187: Lack of a process for identifying and assessing software threats [Updated]
      • INFO: Updated the match conditions.
  • T1371: Use a software security management solution to select and track security controls
    • P1188: Lack of software security management solution to track security controls [Updated]
      • INFO: Updated the match conditions.
  • T1372: Follow software change management process
    • P1174: Lack of software change management process [Updated]
      • INFO: Updated the match conditions.
  • T1373: Maintain the integrity of all software code
    • P1175: Insufficient software code control [Updated]
      • INFO: Updated the match conditions.
  • T1374: Ensure the integrity of software release and update delivery
    • P1178: Lack of a process for ensuring the integrity of software release and update [Updated]
      • INFO: Updated the match conditions.
  • T1375: Properly collect and protect sensitive data
    • P1180: Lack of process for collecting and protecting sensitive data [Updated]
      • INFO: Updated the match conditions.
  • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
    • P1181: Lack of guidance on secure installation, maintenance and configuration of all software components [Updated]
      • INFO: Updated the match conditions.
  • T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
    • P1182: Lack of a communication channel for reporting security issues [Updated]
      • INFO: Updated the match conditions.
  • T1378: Release a change summary for each software update
    • P1177: Lack of a process for creating summary of changes upon each software update [Updated]
      • INFO: Updated the match conditions.
  • T1380: Enforce secure user registration and access control
    • P1185: Lack of process for user registration and enforcement of access control [Updated]
      • INFO: Updated the match conditions.
  • T1381: Establish secure processes for key management
    • P1434: Lack of secure key management process [Updated]
      • INFO: Updated the match conditions.
  • T1382: Manage performance and capacity
    • P1190: Lack of process for performance and capacity management [Updated]
      • INFO: Updated the match conditions.
  • T1383: Separate development, test, and operational environments
    • P1191: Deploying software in production on the same environment as development and testing [Updated]
      • INFO: Updated the match conditions.
  • T1384: Back up and restore securely
    • P1179: A secure backup and restore processes are missing or lacking [Updated]
      • INFO: Updated the match conditions.
  • T1385: Institute secure logging and event monitoring
    • P1183: No secure processes for logging and monitoring events [Updated]
      • INFO: Updated the match conditions.
  • T1387: Ensure the security of products acquired through the supply chain and contractors
    • P1170: Lack of a secure process for outsourcing [Updated]
      • INFO: Updated the match conditions.
  • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • P1225: Unmanaged test result findings [Updated]
      • INFO: Updated the match conditions.
  • T1389: Perform penetration testing
    • P1184: Lack of a secure process for penetration testing [Updated]
      • INFO: Updated the match conditions.
  • T1541: Decide on the best CSRF defense for your application
    • I1854: Protect against CSRF in TypeScript [Added]
  • T1891: Perform Privacy Impact Assessment (PIA)
    • P1435: Lack of Privacy Impact Assessment (PIA) [Updated]
      • INFO: Updated the match conditions.
  • T1893: Perform a cloud solution security posture assessment
    • P1436: Lack of cloud solution security posture assessment [Updated]
      • INFO: Updated the match conditions.
  • T1894: Perform a vendor security assessment
    • P1437: Lack of vendor security assessment [Updated]
      • INFO: Updated the match conditions.
  • T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
    • P1429: Applications not protected with Intrusion Detection / Protection System (IDS/IPS) [Updated]
      • INFO: Updated the match conditions.
  • T1915: Perform network vulnerability assessment
    • P1438: Lack of network vulnerability assessment [Updated]
      • INFO: Updated the match conditions.
  • T1920: Conduct security architecture and design reviews before starting code development
    • P1432: Lack of security architecture and design activities [Updated]
      • INFO: Updated the match conditions.
  • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
    • P1433: Lack of third-party software code or dependencies management [Updated]
      • INFO: Updated the match conditions.
  • T2052: Verify that network access rules are configured properly for storage accounts (Microsoft Azure) [Updated]
    • INFO: Updated the text.
  • T2118: Exercise security monitoring best practices in Microservices environments [Updated]
    • INFO: Updated the inclusion weakness.
    • P1712: Lack of security monitoring in Microservices environments [Added]
  • T2119: Deploy circuit breakers in Microservices environments [Updated]
    • INFO: Updated the inclusion weakness.
    • P1711: Lack of strategies to limit resource consumption in Microservices environments [Added]
  • T2120: Exercise security best practices for load balancing in Microservices environments [Updated]
    • INFO: Updated the inclusion weakness.
    • P1711: Lack of strategies to limit resource consumption in Microservices environments [Added]
  • T2121: Exercise security best practices for service rate limiting in Microservices environments [Updated]
    • INFO: Updated the inclusion weakness.
    • P1711: Lack of strategies to limit resource consumption in Microservices environments [Added]
  • T2210: Prevent signals conflict between a hardware IP and the parent system (Hardware/Firmware) [Updated]
    • INFO: Updated the phase.
  • T2214: Protect unexpected behavior of system due to sequence of processor instructions (Halt and Catch Fire) (Hardware/Firmware) [Updated]
    • INFO: Updated the phase.
  • T2221: Prevent debugging messages revealing sensitive Information (Hardware/Firmware) [Updated]
    • INFO: Updated the phase.
  • T2294: Enable logs and configuration monitoring in your cloud environment (Cloud) (1/4)
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2296: Securely install and configure all software components
    • P1669: Lack of a process for securely installing and configuring all software components [Updated]
      • INFO: Updated the match conditions.
  • T2309: Securely configure worker nodes (Containerization) [Deactivated]
  • T2310: Implement proper authentication and authorization (Containerization) (1/2) [Deactivated]
  • T2311: Ensure proper network settings and configuration (Containerization)
    • I1840: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.4.2) [Added]
    • I1849: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.4.2) [Added]
    • I1850: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.4.3) [Added]
    • TA6320: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.4.2) [Added]
    • TA6348: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.4.2) [Added]
    • TA6350: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.4.3) [Added]
    • TA6352: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.4.4) [Added]
    • TA6354: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.4.5) [Added]
    • P1673: Improper network settings and configuration (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2312: Ensure proper logging and security monitoring (Containerization)
    • I1809: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 2.1.1) [Added]
    • TA6258: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 2.1.1) [Added]
    • P1674: Inadequate logging and security monitoring (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2313: Keep data and secrets safe (Containerization)
    • I1826: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.2) [Added]
    • I1841: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.1) [Added]
    • I1842: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.2) [Added]
    • TA6292: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.2) [Added]
    • TA6322: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.1) [Added]
    • TA6324: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.2) [Added]
    • TA6344: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.3.1) [Added]
    • P1675: Lack of data and secrets protection (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2314: Enforce secure policies (Containerization)
    • I1839: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.4.1) [Added]
    • I1843: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.7.1) [Added]
    • I1844: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.2) [Added]
    • TA6318: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.4.1) [Added]
    • TA6326: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.6.1) [Added]
    • TA6328: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.7.1) [Added]
    • TA6330: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.2) [Added]
    • TA6362: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.6.2) [Added]
    • P1676: Lack of secure policies (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2315: Use managed services (Containerization) [Deactivated]
  • T2317: Verify worker nodes are configured securely (Containerization) [Deactivated]
  • T2318: Verify proper authentication and authorization are implemented (Containerization) [Deactivated]
  • T2319: Verify proper network settings and configuration (Containerization)
    • TA6321: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.4.2) [Added]
    • P1673: Improper network settings and configuration (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2321: Verify data and secrets are kept safe (Containerization)
    • TA6293: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.2) [Added]
    • TA6323: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.1) [Added]
    • TA6325: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.5.2) [Added]
    • P1675: Lack of data and secrets protection (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2322: Verify secure policies are enforced (Containerization)
    • TA6319: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.4.1) [Added]
    • TA6327: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.6.1) [Added]
    • TA6329: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.7.1) [Added]
    • TA6331: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.2) [Added]
    • P1676: Lack of secure policies (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2323: Verify managed services are used (Containerization) [Deactivated]
  • T2332: Adhere to an appropriate Global Privacy Control (GPC) header [Updated]
    • INFO: Updated the match conditions.
    • P732: Insufficient consent for user tracking [Updated]
      • INFO: Updated the match conditions.
  • T2377: Implement proper authentication and authorization (Containerization) (2/2) [Deactivated]
  • T2378: Ensure compatibility with the United Nations automotive cybersecurity regulation WP.29
    • P1688: Lack of processes for the approval of vehicles with regards to cyber security and cyber security management system [Updated]
      • INFO: Updated the text.
  • T2380: Review and verify playbooks (Ansible) [Updated]
    • INFO: Updated the text.
  • T2399: Perform a data access audit for sensitive data (Android) [Added]
    • P1703: Lack of sensitive data access audits [Added]
    • I1808: Performing data audit access inside an activity [Added]
  • T2400: Verify data access audits (Android) [Added]
    • P1703: Lack of sensitive data access audits [Added]
  • T2404: Enforce a minimum TLS version for API connections (Amazon API Gateway) [Added]
    • P1694: Using deprecated encryption protocols [Added]
  • T2405: Verify a minimum TLS version for API connections is used (Amazon API Gateway) [Added]
    • P1694: Using deprecated encryption protocols [Added]
  • T2406: Encrypt the API cache (Amazon API Gateway) [Added]
    • P1695: Lack of encryption for server-side cached data [Added]
  • T2407: Verify the API cache is encrypted (Amazon API Gateway) [Added]
    • P1695: Lack of encryption for server-side cached data [Added]
  • T2408: Ensure API Gateway actions are logged (Amazon API Gateway) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2409: Verify API Gateway actions are logged (Amazon API Gateway) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2410: Restrict outside access to internal APIs (Amazon API Gateway) [Added]
    • P1696: Exposed APIs with public endpoints [Added]
  • T2411: Verify outside access to internal APIs is restricted (Amazon API Gateway) [Added]
    • P1696: Exposed APIs with public endpoints [Added]
  • T2412: Protect APIs with a Web Application Firewall (Amazon API Gateway) [Added]
    • P1697: API endpoints without basic firewall protections [Added]
  • T2413: Verify APIs are protected with a Web Application Firewall (Amazon API Gateway) [Added]
    • P1697: API endpoints without basic firewall protections [Added]
  • T2414: Don't use API keys for authentication and authorization (Amazon API Gateway) [Added]
    • P1139: Weak Authentication [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2415: Verify API keys are not the only mechanism for authentication and authorization (Amazon API Gateway) [Added]
    • P1139: Weak Authentication [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2416: Encrypt Kinesis Firehose delivery streams (Amazon Kinesis Data Firehose) [Added]
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • INFO: Updated the match conditions.
  • T2417: Verify Kinesis Firehose delivery streams are encrypted (Amazon Kinesis Data Firehose) [Added]
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • INFO: Updated the match conditions.
  • T2418: Ensure Cognito uses strong authentication requirements (Amazon Cognito) [Added]
    • P1139: Weak Authentication [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2419: Verify Cognito uses strong authentication requirements (Amazon Cognito) [Added]
    • P1139: Weak Authentication [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2420: Add advanced security to user pool (Amazon Cognito) [Added]
  • T2421: Verify Cognito user pools are protected by adaptive security (AWS) [Added]
  • T2422: Check the S3 backup for Kinesis Firehose delivery failures (Amazon Kinesis Data Firehose) [Added]
    • P1699: Transfer failure that leads to orphaned data [Added]
  • T2423: Verify the S3 backup for Kinesis Firehose delivery failures are checked regularly (Amazon Kinesis Data Firehose) [Added]
    • P1699: Transfer failure that leads to orphaned data [Added]
  • T2424: Defend Cognito user pools with a WAF (Amazon Cognito) [Added]
    • P1698: Not using a WAF to protect web applications and services against common attacks [Added]
  • T2425: Encrypt Kinesis streams on the server (Amazon Kinesis Data Streams) [Added]
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • INFO: Updated the match conditions.
  • T2426: Verify WAF is enabled for Cognito user pools (Amazon Cognito) [Added]
    • P1698: Not using a WAF to protect web applications and services against common attacks [Added]
  • T2427: Verify Kinesis streams are encrypted on the server (Amazon Kinesis Data Streams) [Added]
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • INFO: Updated the match conditions.
  • T2428: Implement least privilege access to Kinesis streams (Amazon Kinesis Data Streams) [Added]
    • P1700: Unnecessary and excessive privileges [Added]
  • T2429: Verify least privilege access to Kinesis streams is implemented (Amazon Kinesis Data Streams) [Added]
    • P1700: Unnecessary and excessive privileges [Added]
  • T2430: Use IAM policy to safeguard Cognito user records against accidents (Amazon Cognito) [Added]
    • P1700: Unnecessary and excessive privileges [Added]
  • T2431: Verify IAM policies to safeguard Cognito user records against accidents is used (Amazon Cognito) [Added]
    • P1700: Unnecessary and excessive privileges [Added]
  • T2432: Ensure Kinesis events are logged (Amazon Kinesis Data Streams) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2433: Verify Kinesis events are logged (Amazon Kinesis Data Streams) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2434: Enable Web Application Firewall (AWS Web Application Firewall) [Added]
    • P1698: Not using a WAF to protect web applications and services against common attacks [Added]
  • T2435: Verify the Web Application Firewall is enabled (AWS Web Application Firewall) [Added]
    • P1698: Not using a WAF to protect web applications and services against common attacks [Added]
  • T2436: Ensure Cognito events are logged (Amazon Cognito) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2437: Verify Cognito events are logged (Amazon Cognito) [Added]
    • P1667: Lack of monitoring (Cloud) [Updated]
      • INFO: Updated the match conditions.
  • T2438: Ensure Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Added]
    • P1702: Lack of collecting log data for WAF rules [Added]
  • T2439: Review Web Application Firewall logs for issues (AWS Web Application Firewall) [Added]
    • P1701: Lack of monitoring WAF for false positives and suspicious activity [Added]
  • T2440: Verify Web Application Firewall ACLs are logged (AWS Web Application Firewall) [Added]
    • P1702: Lack of collecting log data for WAF rules [Added]
  • T2441: Verify WAF logs are reviewed in a timely manner for issues (AWS Web Application Firewall) [Added]
    • P1701: Lack of monitoring WAF for false positives and suspicious activity [Added]
  • T2442: Ensure proper permissions for files on worker nodes (Containerization) [Added]
    • P1704: Lack of proper access rights for configuration files (Containerization) [Added]
    • I1810: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.1) [Added]
    • I1811: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.2) [Added]
    • I1812: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.3) [Added]
    • I1813: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.4) [Added]
    • TA6260: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.1) [Added]
    • TA6262: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.2) [Added]
    • TA6264: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.3) [Added]
    • TA6266: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.4) [Added]
    • TA5962: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5964: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5966: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5968: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1654: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1655: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1656: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1657: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Updated]
      • INFO: Updated the inclusion standard.
  • T2443: Verify proper permissions for files on worker nodes (Containerization) [Added]
    • P1704: Lack of proper access rights for configuration files (Containerization) [Added]
    • TA6261: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.1) [Added]
    • TA6263: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.2) [Added]
    • TA6265: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.3) [Added]
    • TA6267: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.1.4) [Added]
    • TA5963: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5965: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5967: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5969: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Updated]
      • INFO: Updated the inclusion standard.
  • T2444: Secure authentication to and from worker nodes (Containerization) [Added]
    • P1705: Insecure authentication to and from worker nodes (Containerization) [Added]
    • I1814: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.1) [Added]
    • I1816: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Added]
    • TA6268: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.1) [Added]
    • TA6272: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Added]
    • TA5970: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5974: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1658: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1659: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Updated]
      • INFO: Updated the inclusion standard.
  • T2445: Verify secure authentication to and from worker nodes (Containerization) [Added]
    • P1705: Insecure authentication to and from worker nodes (Containerization) [Added]
    • TA6269: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.1) [Added]
    • TA6273: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Added]
    • TA5971: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5975: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Updated]
      • INFO: Updated the inclusion standard.
  • T2446: Collect and protect sensitive information on worker nodes (Containerization) [Added]
    • P1706: Poor collection and protection of sensitive information on worker nodes (Containerization) [Added]
    • I1817: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.4) [Added]
    • I1822: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.9) [Added]
    • TA6274: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.4) [Added]
    • TA6284: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.9) [Added]
    • TA5976: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6033: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1660: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1666: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Updated]
      • INFO: Updated the inclusion standard.
  • T2447: Verify the collection and protection of sensitive information on worker nodes (Containerization) [Added]
    • P1706: Poor collection and protection of sensitive information on worker nodes (Containerization) [Added]
    • TA6275: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.4) [Added]
    • TA6285: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.9) [Added]
    • TA5977: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6034: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Updated]
      • INFO: Updated the inclusion standard.
  • T2448: Ensure the availability of worker nodes (Containerization) [Added]
    • P1707: Unavailabilty of worker nodes (Containerization) [Added]
    • I1818: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.5) [Added]
    • I1823: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.10) [Added]
    • I1824: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.11) [Added]
    • TA6276: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.5) [Added]
    • TA6286: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.10) [Added]
    • TA6288: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.11) [Added]
    • TA5978: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5986: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6035: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1661: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1665: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1667: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Updated]
      • INFO: Updated the inclusion standard.
  • T2449: Verify the availability of worker nodes (Containerization) [Added]
    • P1707: Unavailabilty of worker nodes (Containerization) [Added]
    • TA6277: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.5) [Added]
    • TA6287: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 3.2.10) [Added]
    • TA6289: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.11) [Added]
    • TA5979: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5987: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6036: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Updated]
      • INFO: Updated the inclusion standard.
  • T2450: Protect worker nodes with proper flags and arguments (Containerization) [Added]
    • P1708: Failure to protect worker nodes with proper flags and arguments (Containerization) [Added]
    • I1819: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Added]
    • I1820: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Added]
    • I1821: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Added]
    • TA6278: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Added]
    • TA6280: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Added]
    • TA6282: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Added]
    • TA5980: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5982: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5984: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1662: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1663: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1664: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Updated]
      • INFO: Updated the inclusion standard.
  • T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization) [Added]
    • P1708: Failure to protect worker nodes with proper flags and arguments (Containerization) [Added]
    • TA6279: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Added]
    • TA6281: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Added]
    • TA6283: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Added]
    • TA5981: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5983: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5985: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Updated]
      • INFO: Updated the inclusion standard.
  • T2452: Use managed components (Containerization) [Added]
    • P1710: Using unmanaged components (Containerization) [Added]
    • I1848: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.2.1) [Added]
    • TA6342: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.2.1) [Added]
    • TA6360: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.6.1) [Added]
    • TA6023: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6031: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1699: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1700: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Updated]
      • INFO: Updated the inclusion standard.
  • T2453: Verify that managed components are used (Containerization). [Added]
    • P1710: Using unmanaged components (Containerization) [Added]
    • TA6343: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.2.1) [Added]
    • TA6024: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6032: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Updated]
      • INFO: Updated the inclusion standard.
  • T2454: Verify that managed container registries are securely configured (Containerization) [Added]
    • P1709: Insecurely configured managed container registries (Containerization) [Added]
    • TA6341: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.1.4) [Added]
    • TA6019: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6022: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Updated]
      • INFO: Updated the inclusion standard.
  • T2455: Securely configure managed container registries (Containerization) [Added]
    • P1709: Insecurely configured managed container registries (Containerization) [Added]
    • I1846: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.1.2) [Added]
    • I1847: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.1.4) [Added]
    • TA6334: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.1.1) [Added]
    • TA6336: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.1.2) [Added]
    • TA6338: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.1.3) [Added]
    • TA6340: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.1.4) [Added]
    • TA6018: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6020: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6021: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6053: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1681: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1697: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1698: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Updated]
      • INFO: Updated the inclusion standard.
  • T2456: Assign roles properly (Containerization) [Added]
    • I1825: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.1) [Added]
    • I1827: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.3) [Added]
    • TA6290: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.1) [Added]
    • TA6294: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.3) [Added]
    • TA6356: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.5.1) [Added]
    • TA6358: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 5.5.2) [Added]
    • TA5988: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5992: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6056: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1669: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1670: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1686: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2457: Verify roles are assigned Properly(Containerization) [Added]
    • TA6291: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.1) [Added]
    • TA6295: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.3) [Added]
    • TA5989: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5993: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6057: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2458: Restrict user access (Containerization) [Added]
    • I1828: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.4) [Added]
    • TA6296: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.4) [Added]
    • TA6346: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 5.4.1) [Added]
    • TA5994: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6027: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1671: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1682: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2459: Verify user access is restricted (Containerization) [Added]
    • TA6297: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.4) [Added]
    • TA5995: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6028: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2460: Restrict service access (Containerization) [Added]
    • I1815: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.2) [Added]
    • I1829: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.5) [Added]
    • I1830: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.6) [Added]
    • TA6270: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.2) [Added]
    • TA6298: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.5) [Added]
    • TA6300: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.6) [Added]
    • TA5972: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5996: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5998: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1668: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1672: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1673: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2461: Verify service access is restricted (Containerization) [Added]
    • TA6271: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.2) [Added]
    • TA6299: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.5) [Added]
    • TA6301: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.1.6) [Added]
    • TA5973: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5997: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5999: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2462: Minimize the admission of high-privileged containers (Containerization) [Added]
    • I1831: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Added]
    • I1835: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Added]
    • I1836: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Added]
    • TA6302: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Added]
    • TA6310: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Added]
    • TA6312: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Added]
    • TA6000: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6008: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6037: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1674: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1678: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2463: Verify that containers with excessive privileges are minimized (Containerization) [Added]
    • TA6303: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Added]
    • TA6311: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Added]
    • TA6313: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Added]
    • TA6001: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6009: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6038: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2464: Minimize the admission of containers wishing to share namespaces (Containerization) [Added]
    • I1832: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.2) [Added]
    • I1833: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.3) [Added]
    • I1834: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.4) [Added]
    • I1845: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.3) [Added]
    • TA6304: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.2) [Added]
    • TA6306: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.3) [Added]
    • TA6308: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.4) [Added]
    • TA6332: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.3) [Added]
    • TA6002: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6004: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6006: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6051: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1675: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1676: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1677: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1685: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2465: Verify that containers wishing to share namespaces are minimized (Containerization) [Added]
    • TA6305: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.2) [Added]
    • TA6307: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.3) [Added]
    • TA6309: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.4) [Added]
    • TA6333: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.7.3) [Added]
    • TA6003: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6005: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6007: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6052: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2466: Minimize the admission of containers with undesired capabilities (Containerization) [Added]
    • I1837: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.7) [Added]
    • I1838: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.8) [Added]
    • TA6314: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.7) [Added]
    • TA6316: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.8) [Added]
    • TA6010: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6012: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6039: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1679: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1680: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1684: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2467: Verify that containers with undesired capabilities are minimized (Containerization) [Added]
    • TA6315: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.7) [Added]
    • TA6317: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.8) [Added]
    • TA6011: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6013: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6040: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2468: Manage PCI-DSS compliance [Added]

    • P1713: Lack of processes for the approval of compliance with PCI-DSS [Added]
    • TA6366: Identify and confirm the scope of the PCI DSS [Added]
  • Changes to Project Properties and Profiles

    • Q193: Components
      • Q101: Components In Development
        • A1077: Firmware, embedded, or hardware solution [Updated]
          • INFO: Updated the children.
    • Q195: Language and Framework
      • Q109: Programming Language
        • Q110: Technology/Framework
          • A1223: Technology/Framework - Angular [Updated]
            • INFO: Updated the children.
        • A1352: TypeScript [Added]
    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A1061: Set of default answers for all profiles [Updated]
          • INFO: Updated the children.
    • Q284: Context and Characteristics
      • Q252: Application's Context and Characteristics
        • A1350: Include countermeasures in the Activity phase (process engineering tasks) in this project [Added]
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • Q298: AWS Services
          • A1331: EKS [Updated]
            • INFO: Updated the children.
          • A1345: API Gateway [Added]
          • A1346: Cognito [Added]
          • A1347: Kinesis Data Streams [Added]
          • A1348: Kinesis Data Firehose [Added]
          • A1349: WAF [Added]
        • Q306: Azure Services
          • A1351: AKS [Added]
    • Q307: Containerization
      • Q308: Containerization Technologies
        • A1329: Managed Kubernetes [Updated]
          • INFO: Updated the children.

2022.3

October 15, 2022

New features and enhancements

  • Project Threats

    • Introduced Project Threats, which are created per project based on survey answers and match conditions.
    • Threats are automatically generated and presented on the threats page within the side panel of the diagram.
    • Each threat consists of weaknesses and countermeasures.
    • Where applicable, threats are mapped to reusable components.
  • Language change

    • Changed default terminology in our platform from problems and tasks to weaknesses and countermeasures, to stay in line with the industry.
    • To allow flexibility, users can customize weaknesses and countermeasures in the UI.
      • For existing customers who have changed the Problems label, we will be migrating that language in this release (SaaS only).
  • Advanced Reporting dashboards

    • Introduced the ability for users to create their own dashboards based on visualizations from Advanced Reports.
      • Users with appropriate permissions will see the new Dashboard List page, which allows them to view existing dashboards or create a new dashboard.
      • Users can set a default dashboard for their homepage and organize their Dashboard List page with the ability to pin dashboards.
  • Advanced Reports

    • Added four new tables to Advanced Reports.
      • Added Library Threats and Project Threats. Users can create reporting on threats across their entire security portfolio or focus more granularly at the project level.
      • Added Training (JITT) and Training enablement tables. Users can now create training-based reports to better understand the courses or modules into which users have enrolled.
  • Project survey

    • Added Comments Required
      • Library users with customize_content permissions will be able to mark questions and subquestions as comments required. Once a question and sub question is marked as comments required, project users who are answering the survey will need to add at least one comment before saving the survey. Questions and subquestions that require a comment will have a visual indicator and a textbox attached to it in the survey.
    • Improved mandatory indicators
      • Project users answering the survey will be able to better understand which questions and subquestions require an answer or comment when the survey initially appears. Sections and subsections will have a counter and each question or subquestion will have a red outline.
  • Integrations

    • Added Fortify on Demand integration under Verification Tools.

Other product improvements

  • Integrations
    • Fixed a bug on the JIRA integration that prevented custom field mappings from appearing correctly in JIRA Labels field.
    • Addressed an issue while parsing data from Prisma Cloud formerly Twistlock.
    • Renamed Twistlock to Prisma Cloud formerly Twistlock
    • Renamed Whitesource to Mend formerly Whitesource
  • API
    • Updated the feature Flags API to allow all authenticated users the ability to view the list of feature flags.

Content improvements summary

  • Countermeasure (Task) Priority

    • Countermeasure priority levels may change as SD Elements revises its content. These changes may affect your risk policies. Ensure that you review changes to your risk policies after accepting changes from new releases.
  • Ansible

    • Added new Weaknesses, Countermeasures, Additional Requirements, and How-tos for Ansible security.
  • Automotive industry (WP.29-Rev.3 and ISO/SAE 21434)

    • Added new Weaknesses and Countermeasures to cover the WP.29-Rev.3 regulation.
    • Added an activity Countermeasure for ISO/SAE 21434.
  • EO 14028: Critical Software & Verification Req. (NISTIR 8397)

    • Added two regulations and Countermeasures to cover the requirements of the Executive Order.
  • Improved hardware, WiFi, and bluetooth content

    • Added new Countermeasures and Additional Requirements.
  • Threat Modeling

    • Updated terminology used from Task/Problem to Countermeasure/Weakness.
  • Control Correlation Identifier (CCI)

    • Added a regulation for Control Correlation Identifier (CCI) and mapped relevant countermeasures to it.
  • Reusable components

    • Mapped reusable components to Countermeasures.

Content additions and updates (as of September 13, 2022):

  • Compliance Regulations and Mappings

    • Added WP.29-Rev.3
    • Added NIST-EO-Critical-Software
    • Added NIST-EO-Software-Verification
    • Added Control Correlation Identifier (CCI)
  • Content Packs

    • Added WP.29
    • Added NIST EO Critical Software
    • Added NIST EO Software-Verification
    • Added CCI
    • Added ISO/SAE 21434
    • Added Ansible
  • T13: Change Automatically Generated Passwords [Updated]

    • INFO: Updated the text.
  • T15: Centralize authorization
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
    • INFO: Updated the text.
    • TA6253: Secure files transfer [Added]
    • TA6254: Connect to a remote system securely [Added]
  • T26: Expire sessions on logout
    • P694: Sessions Not Expired Upon Logout [Updated]
      • INFO: Updated the text.
  • T27: Turn off session rewriting [Updated]
    • INFO: Updated the text.
  • T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T40: Use XML encoding when interacting with XML data [Updated]
    • INFO: Updated the text.
  • T45: Log potential critical security events [Updated]
    • INFO: Updated the text.
  • T49: Disable and remove debug capabilities and code/data, and prepare application for release [Updated]
    • INFO: Updated the text.
    • TA6247: Deploy the product with a secure initial configuration [Added]
  • T50: Use indirect object reference maps if accessing files [Updated]
    • INFO: Updated the text.
  • T53: Prevent the upload of malicious files and malware
    • TA6243: Avoid the use of removable media [Added]
  • T62: Protect passwords in property and configuration files [Updated]
    • INFO: Updated the text.
  • T71: Capture sufficient information for each transaction in audit logs [Updated]
    • INFO: Updated the text.
    • TA6245: Enable USB event tracing and logging [Added]
  • T119: Test for clickjacking [Updated]
    • INFO: Updated the text.
  • T135: Assign each person using the system a unique user ID [Updated]
    • INFO: Updated the text.
  • T146: Use encryption for network communications in mobile environments
    • TA6250: Enabling Confidentiality on the Air Interface [Added]
    • TA6251: Ensure Confidentiality Protection of S1 Interface [Added]
    • TA6252: Employ a SIM/USIM PIN [Added]
  • T156: Validate certificate and its chain of trust properly
    • P716: Certificate Validation Issues [Updated]
      • INFO: Updated the text.
  • T161: Treat unique device IDs as personal information [Updated]
    • INFO: Updated the text.
  • T171: Follow spam-free guidelines for sending solicitation emails [Updated]
    • INFO: Updated the text.
  • T177: Allow users to review and update their personal information [Updated]
    • INFO: Updated the text.
  • T178: Obtain consent from users prior to collecting personal information [Updated]
    • INFO: Updated the text.
  • T186: Use recommended settings and the latest patches for third party libraries and software [Updated]
    • INFO: Updated the text.
  • T193: Review non-categorized/miscellaneous findings from automated analysis [Updated]
    • INFO: Updated the text.
  • T194: Obtain user consent for tracking cookies [Updated]
    • INFO: Updated the text and priority.
  • T195: Design lawful procedures to obtain consent for processing personal information and to withdraw it when requested [Updated]
    • INFO: Updated the text.
  • T197: Encrypt and sign any remote code/update and then validate the signature to verify its origin and integrity [Updated]
    • INFO: Updated the text.
  • T203: Avoid uncontrolled format strings
    • P35: Uncontrolled Format String [Updated]
      • INFO: Updated the text.
  • T207: Provide special data protection for children's personal information [Updated]
    • INFO: Updated the text and priority.
  • T226: Verify that authorization is centralized [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T227: Verify that application's access to database is restricted [Updated]
    • INFO: Updated the text.
  • T240: Test whether users can remove their data from the system [Updated]
    • INFO: Updated the text.
  • T248: Protect secret keys and passwords in the application [Updated]
    • INFO: Updated the text.
  • T257: Secure cross origin resource sharing (CORS) [Updated]
    • INFO: Updated the text.
  • T259: Follow best practices when storing data in Local or Session Storage [Updated]
    • INFO: Updated the text.
  • T262: Mask passwords by default on mobiles but consider usability options [Updated]
    • INFO: Updated the text.
  • T270: Follow best practices for storing application data on Android devices [Updated]
    • INFO: Updated the text.
  • T272: Restrict access to the application's exported components (Android) [Updated]
    • INFO: Updated the text.
  • T298: Verify that Pasteboards are securely managed [Updated]
    • INFO: Updated the text.
  • T304: Verify that unique device IDs are treated as personal information [Updated]
    • INFO: Updated the text.
  • T312: Verify that inter-process communication (IPC) endpoints are secured in client [Updated]
    • INFO: Updated the text.
  • T313: Identify and classify categories of personal information [Updated]
    • INFO: Updated the text.
  • T338: Control access to resources through user authentication and authorization [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T344: Enforce different rules for access to the system based on the origin, type and medium of request [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T349: Protect audit information and logs against unauthorized access [Updated]
    • INFO: Updated the text.
  • T353: Control the inbound and outbound data flow across the boundaries of zones [Updated]
    • INFO: Updated the text.
  • T370: Follow best practices for using third-party software libraries/modules and open source/COTS components [Updated]
    • INFO: Updated the text.
  • T374: Offload HTTP request handling to dedicated modules [Updated]
    • INFO: Updated the text.
  • T376: Fill out the manufacturer disclosure statement for the medical device security (MDS2) form [Updated]
    • INFO: Updated the text.
  • T379: Provide sufficient documentation for security-related features
    • TA6248: Document insecure settings [Added]
  • T408: Set secure flag on Android Activities with sensitive content [Updated]
    • INFO: Updated the text.
  • T410: Manage use of Android third-party keyboards with sensitive data [Updated]
    • INFO: Updated the text.
  • T417: Avoid passing dynamic data to trustAs or bypassSecurityTrust functions [Updated]
    • INFO: Updated the text.
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T418: Use Angular's built-in sanitization for user output with limited code or markup [Updated]
    • INFO: Updated the text.
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T420: Prevent Client-Side Template Injection (CSTI) [Updated]
    • INFO: Updated the text.
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T422: Verify that built-in sanitization is used in Angular with limited code or markup [Updated]
    • INFO: Updated the text.
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T427: Implement previous login (access) notification [Updated]
    • INFO: Updated the title and text.
    • P774: Inadequate Login Activity Monitoring and Notification [Updated]
      • INFO: Updated the title and text.
  • T428: Test that the system provides previous login (access) notifications [Updated]
    • INFO: Updated the title and text.
    • P774: Inadequate Login Activity Monitoring and Notification [Updated]
      • INFO: Updated the title and text.
  • T429: Limit the number of concurrent sessions for each account [Updated]
    • INFO: Updated the text.
  • T456: Change default security settings to the most stringent ones and disable unnecessary services and modules [Updated]
    • INFO: Updated the text.
    • TA6244: Secure the use of USB ports when they are enabled [Added]
    • TA6249: Disable Bluetooth when it is unnecessary [Added]
  • T472: Authenticate RFID reader before sending sensitive data or executing a command [Updated]
    • INFO: Updated the text.
  • T482: Secure password-based authentication for RFID tags [Updated]
    • INFO: Updated the text.
  • T508: Require authentication for accessing HyperCat catalogs and resources [Updated]
    • INFO: Updated the title and text.
  • T509: Protect the integrity of HyperCat catalogs and resources [Updated]
    • INFO: Updated the title and text.
  • T510: Test if authentication is enforced on HyperCat catalogs [Updated]
    • INFO: Updated the title and text.
  • T511: Test if HyperCat resources have license and access control metadata [Updated]
    • INFO: Updated the title and text.
  • T520: Design secure SOAP web services [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T536: Restrict the size of incoming messages in services [Updated]
    • INFO: Updated the text.
  • T537: Test that the size of incoming messages in services is restricted [Updated]
    • INFO: Updated the text.
  • T552: Verify that SOAP web services are securely designed [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T554: Verify that REST web services are securely designed [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T564: Follow best practices for sharing data between Android applications [Updated]
    • INFO: Updated the text.
  • T565: Verify that data sharing between Android applications is secure [Updated]
    • INFO: Updated the text.
  • T566: Enable network layer encryption for local area network communications [Updated]
    • INFO: Updated the text.
  • T574: Prevent information exposure in HyperCat
    • P96: Information Exposure [Updated]
      • INFO: Updated the text.
  • T578: Execute only compiled programs in mainframe [Updated]
    • INFO: Updated the text.
  • T580: Validate return codes in mainframe programs [Updated]
    • INFO: Updated the text.
  • T581: Verify that return codes are evaluated in mainframe programs [Updated]
    • INFO: Updated the text.
  • T605: Verify if consent is obtained prior to personal information collection (where applicable) [Updated]
    • INFO: Updated the text.
  • T612: Detect rooted devices and assess the runtime environment with the aid of SafetyNet Attestation API [Updated]
    • INFO: Updated the text.
  • T613: Mitigate DDoS attacks with NGINX [Updated]
    • INFO: Updated the text.
  • T616: Keep user iOS device token private
    • P818: Privacy Issue due to Device Token Mishandling in Apple Push Notifications (APNs) [Updated]
      • INFO: Updated the text.
  • T629: Authenticate the game server to the clients before logging in [Updated]
    • INFO: Updated the text.
  • T633: Mitigate Deadlock and Recursion in Services
    • P827: Service Deadlock and Recursion [Updated]
      • INFO: Updated the text.
  • T683: Integrate CloudTrail logs with CloudWatch Logs for real-time analysis (AWS) [Updated]
    • INFO: Updated the text.
  • T735: Verify that personal information is removed when it is no longer needed [Updated]
    • INFO: Updated the text.
  • T750: Limit personal information collection and processing to the specified purpose [Updated]
    • INFO: Updated the text and priority.
  • T752: Verify if users are notified about processing their personal information [Updated]
    • INFO: Updated the text.
  • T757: Verify if personal information processing stops when user objects to it [Updated]
    • INFO: Updated the text.
  • T858: Use the vendor supplied version of binaries
    • P941: Not using vendor supplied binaries [Updated]
      • INFO: Updated the text.
  • T867: Restrict Apache options and disable default content (Apache HTTP Server) [Updated]
    • INFO: Updated the text.
  • T871: Log Apache errors and access (Apache HTTP Server) [Updated]
    • INFO: Updated the text.
  • T873: Apply applicable patches (Apache HTTP Server) [Updated]
    • INFO: Updated the text.
  • T896: Design a secure architecture for AWS deployment (AWS) [Updated]
    • INFO: Updated the text.
  • T928: Ensure debug is turned off (Microsoft IIS) [Updated]
    • INFO: Updated the text.
  • T975: Use a sandboxing alternative to Security Manager (Apache Tomcat) [Updated]
    • INFO: Updated the title and text.
    • P983: Lack of a sandboxing mechanism or relying on the deprecated Security Manager (Apache Tomcat) [Updated]
      • INFO: Updated the title and text.
  • T977: Do not allow symbolic linking (Apache Tomcat)
    • P985: Allowing symbolic linking (Apache Tomcat) [Updated]
      • INFO: Updated the text.
  • T1004: Verify that a sandboxing alternative to Security Manager is used (Apache Tomcat) [Updated]
    • INFO: Updated the title and text.
    • P983: Lack of a sandboxing mechanism or relying on the deprecated Security Manager (Apache Tomcat) [Updated]
      • INFO: Updated the title and text.
  • T1028: Log sufficiently and protect logs (Apache Tomcat)
    • P1008: Insufficient Logging or Insufficient Protection of Logs (Apache Tomcat) [Updated]
      • INFO: Updated the text.
  • T1034: Protect manager application (Apache Tomcat)
    • P1012: Unprotected manager application (Apache Tomcat) [Updated]
      • INFO: Updated the text.
  • T1051: Enable 'All Users' group (Microsoft Azure)
    • P1019: Not using "All Users" for permissions (Microsoft Azure) [Updated]
      • INFO: Updated the title and text.
  • T1130: Configure authentication (MySQL)
    • P1057: Improper authentication (MySQL) [Updated]
      • INFO: Updated the text.
  • T1144: Prevent Server-Side Template Injection (SSTI) [Updated]
    • INFO: Updated the text.
  • T1158: Configure TLS authentication for the Docker daemon (Docker)
    • P1068: Lack of proper TLS authentication for the Docker daemon (Docker) [Updated]
      • INFO: Updated the text.
  • T1164: Secure swarm mode (Docker)
    • P1071: Insecure swarm mode (Docker) [Updated]
      • INFO: Updated the text.
  • T1176: Use trusted base images and include the latest security patches (Docker) [Updated]
    • INFO: Updated the text.
  • T1182: Avoid image caching weakness (Docker) [Updated]
    • INFO: Updated the title.
  • T1222: Do not change base device size until needed (Docker)
    • P1100: Changing base device size when it's not needed (Docker) [Updated]
      • INFO: Updated the text.
  • T1224: Use authorization plugin (Docker)
    • P1101: Failing to use the authorization plugin (Docker) [Updated]
      • INFO: Updated the text.
  • T1258: Configure service account securely (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1286: Avoid using Kubernetes Secrets (Kubernetes)
    • P1132: Using Kubernetes Secrets (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T1310: Include sufficient information in the log files (Google Cloud)
    • P1144: Insufficient information included in the log files (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1318: Enable and configure DNSSEC (Google Cloud)
    • P1148: Insecure DNS configuration (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1322: Disable connection to serial ports for VM Instance (Google Cloud)
    • P1150: Enabling interactive serial console access (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1324: Disable IP forwarding on Instances (Google Cloud)
    • P1151: Enabling IP forwarding on Instances (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1326: Disable public or anonymous access to storage and database (Google Cloud)
    • P1152: Allowing public access to storage and database (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1338: Ensure Kubernetes clusters are configured with Labels (Google Cloud)
    • P1158: Kubernetes clusters configured without Labels (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1346: Ensure Kubernetes clusters are created with Alias IP ranges enabled (Google Cloud)
    • P1162: Kubernetes cluster created without Alias IP ranges enabled (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1348: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Google Cloud)
    • P1163: Disabled PodSecurityPolicy controller on Kubernetes Engine Clusters (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1354: Enable Private Google Access for all subnetwork in VPC Network (Google Cloud)
    • P1166: Disabled Private Google Access for all subnetworks in VPC Network (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1356: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud)
    • P1167: VM disks for critical VMs not encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1358: Use Container-Optimized OS (cos) for Kubernetes Engine Clusters Node image (Google Cloud)
    • P1168: Container-Optimized OS (cos) not used for Kubernetes Engine Clusters Node image (Google Cloud) [Updated]
      • INFO: Updated the title.
  • T1362: Perform message throttling in Web APIs [Updated]
    • INFO: Updated the text.
  • T1365: Mitigate Server Side Request Forgery
    • P1169: Server Side Request Forgery (SSRF) [Updated]
      • INFO: Updated the text.
  • T1368: Perform security testing using SAST tools [Updated]
    • INFO: Updated the text.
    • TA6239: Review hardcoded secrets using Heuristic tools [Added]
  • T1369: Perform security testing using DAST tools [Updated]
    • INFO: Updated the text.
    • TA6241: Run the product with various test cases [Added]
  • T1370: Identify and track common software weaknesses and threats [Updated]
    • INFO: Updated the text.
  • T1373: Maintain the integrity of all software code
    • P1175: Insufficient software code control [Updated]
      • INFO: Updated the text.
  • T1380: Enforce secure user registration and access control [Updated]
    • INFO: Updated the text.
  • T1381: Establish secure processes for key management [Updated]
    • INFO: Updated the text.
  • T1382: Manage performance and capacity
    • P1190: Lack of process for performance and capacity management [Updated]
      • INFO: Updated the text.
  • T1383: Separate development, test, and operational environments [Updated]
    • INFO: Updated the text.
  • T1385: Institute secure logging and event monitoring [Updated]
    • INFO: Updated the text.
  • T1421: Do not use default ports (Microsoft SQL Server)
    • P1204: Using default ports (Microsoft SQL Server) [Updated]
      • INFO: Updated the text.
  • T1425: Disable 'sa' login account (Microsoft SQL Server)
    • P1206: Enabled SQL server account with sysadmin privileges (Microsoft SQL Server) [Updated]
      • INFO: Updated the text.
  • T1451: Maintain audit logs for all database activities (Microsoft SQL Server) [Updated]
    • INFO: Updated the text.
    • P1219: Not logging important events (Microsoft SQL Server) [Updated]
      • INFO: Updated the title and text.
  • T1465: Decide how to handle sessions/authorization state in your Angular application (Angular) [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1466: Restrict sending of authorization state to approved origins in Angular (Angular) [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1468: Encrypt sensitive data at rest in the browser [Updated]
    • INFO: Updated the text.
  • T1469: Prevent sensitive data leakage through Content Security Policy (CSP) reports [Updated]
    • INFO: Updated the text.
  • T1538: Avoid DOM-based Cross-Site Scripting (XSS) in Angular applications (Angular) [Updated]
    • INFO: Updated the text.
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Updated the text.
  • T1541: Decide on the best CSRF defense for your application [Updated]
    • INFO: Updated the text.
  • T1542: Use the correct HTTP methods for making state-changing operations [Updated]
    • INFO: Updated the text.
  • T1544: Isolate untrusted content in a sandbox [Updated]
    • INFO: Updated the text.
  • T1619: Keep audit parameters enabled at all times (Oracle Database)
    • P1298: Not monitoring user activities (Oracle Database) [Updated]
      • INFO: Updated the text.
  • T1621: Only allow authorized domains to connect with database (Oracle Database)
    • P1299: Unauthorized domain sources connecting to the database (Oracle Database) [Updated]
      • INFO: Updated the text.
  • T1659: Revoke excessive system privileges from unauthorized users (Oracle Database)
    • P1318: Unauthorized users with excessive privileges can impact confidentiality and integrity of data (Oracle Database) [Updated]
      • INFO: Updated the text.
  • T1887: Decide on the right OAuth 2.0 flow for your application [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1889: Secure the configuration of the authorization server [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1890: Implement OAuth 2.0 securely on the resource server [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1893: Perform a cloud solution security posture assessment [Updated]
    • INFO: Updated the text.
  • T1906: Enforce authentication on your relational database services (AWS)
    • P1430: Improper authentication on your database engine [Updated]
      • INFO: Updated the text.
  • T1915: Perform network vulnerability assessment [Updated]
    • INFO: Updated the text.
  • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software [Updated]
    • INFO: Updated the text.
  • T1922: Use secure OAuth 2.0 and OpenID Connect integration (where applicable) [Updated]
    • INFO: Updated the text.
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Updated the text.
  • T1973: Do not disable use-service-account-credentials argument (OpenShift)
    • P1464: Disabling use-service-account-credentials argument (OpenShift) [Updated]
      • INFO: Updated the text.
  • T2081: Encrypt data at rest properly (Kubernetes)
    • P1517: Cleartext or weakly encrypted data at rest (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T2124: Exercise security best practices for inducing new versions of microservices
    • P1536: Insecure induction of new versions for microservices [Updated]
      • INFO: Updated the text.
  • T2160: Avoid vendor lock-in as a customer when migrating into or out of solutions (Cloud)
    • P1560: Insufficient data portability in the cloud and insecure migration to the cloud (in and out) [Updated]
      • INFO: Updated the text.
  • T2206: Prevent the generation of incorrect security tokens (Hardware/Firmware)
    • P1604: Generation of incorrect security tokens (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2208: Restrict sharing device unlocking credentials across multiple parties (Hardware/Firmware)
    • P1606: Device unlock credential sharing (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2218: Prevent same Public Key usage for different environments (Debug and Production) (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2247: Use the strongest Security Mode and Level in devices (Bluetooth) [Updated]
    • INFO: Updated the text.
  • T2259: Minimize access rights assigned to RBAC roles and Service Accounts (Kubernetes)
    • P1653: Inappropriate access settings for RBAC roles and Service Accounts (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T2296: Securely install and configure all software components [Updated]
    • INFO: Updated the text.
  • T2309: Securely configure worker nodes (Containerization)
    • P1671: Insecure configuration of worker nodes (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2310: Implement proper authentication and authorization (Containerization) (1/2)
    • P1672: Lack of proper authentication and authorization (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2311: Ensure proper network settings and configuration (Containerization)
    • P1673: Improper network settings and configuration (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2312: Ensure proper logging and security monitoring (Containerization) [Updated]
    • INFO: Updated the text.
    • P1674: Inadequate logging and security monitoring (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2313: Keep data and secrets safe (Containerization)
    • P1675: Lack of data and secrets protection (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2314: Enforce secure policies (Containerization)
    • P1676: Lack of secure policies (Containerization) [Updated]
      • INFO: Updated the match conditions.
  • T2315: Use managed services (Containerization)
    • P1677: Using unmanaged services (Containerization) [Updated]
      • INFO: Updated the text and match conditions.
  • T2335: Securely automate your infrastructure provisioning process (Terraform)
    • P1678: Unsafe infrastructure as code (IaC) processes [Updated]
      • INFO: Updated the title and text.
  • T2336: Use a remote backend to securely store your infrastructure state (Terraform)
    • P1679: Unsafe infrastructure as code (IaC) state [Updated]
      • INFO: Updated the title and text.
  • T2343: Define security-related roles and provide role-base training [Updated]
    • INFO: Updated the title and text.
    • TA6238: Train all users of EO-critical software (NIST-EO-Critical-Software) [Added]
    • P1680: Lack of defining proper security roles and responsibilities [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2344: Implement and augment supporting toolchains by automating SDLC security activities [Updated]
    • INFO: Updated the text.
  • T2350: Create a Product Security Incident Response Team (PSIRT)
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the title.
  • T2351: Verify that security-related roles and responsibilities are properly defined and assigned [Updated]
    • INFO: Updated the title and text.
    • P1680: Lack of defining proper security roles and responsibilities [Updated]
      • INFO: Updated the title, text, and match conditions.
  • T2378: Ensure compatibility with the United Nations automotive cybersecurity regulation WP.29 [Added]
    • P1688: Lack of processes for the approval of vehicles with regards to cyber security and cyber security management system [Added]
  • T2379: Ensure compliance with ISO/SAE 21434 [Added]
    • P1688: Lack of processes for the approval of vehicles with regards to cyber security and cyber security management system [Added]
  • T2380: Review and verify playbooks (Ansible) [Added]
    • P1691: Insecure Ansible playbooks [Added]
    • I1792: Deploy playbooks to store configurations and tasks (Ansible) [Added]
  • T2381: Follow a secure and guided workflow process (Ansible) [Added]
    • P1691: Insecure Ansible playbooks [Added]
  • T2382: Automate the workflow (Ansible) [Added]
    • P1691: Insecure Ansible playbooks [Added]
  • T2383: Avoid using the 'root' account (Ansible) [Added]
    • I1794: Use Accounts with Limited Privileges (Ansible) [Added]
  • T2384: Use public-private key authentication for SSH (Ansible) [Added]
    • P1692: Weak authentication (Ansible) [Added]
    • I1795: Use public-private key pair authentication (Ansible) [Added]
  • T2385: Use Ansible Vault (Ansible) [Added]
    • P1689: Unprotected credentials in Ansible files [Added]
    • I1796: Encrypt secrets with Ansible Vault (Ansible) [Added]
    • I1797: Ansible Vault integrations (Ansible) [Added]
    • I1798: Ansible editor integrations (Ansible) [Added]
    • I1799: Manage Ansible Vault passwords (Ansible) [Added]
    • I1800: Use a cloud-based key manager (Ansible) [Added]
    • I1801: Rotate passwords with rekey (Ansible) [Added]
    • I1802: Encrypt sensitive Vault values separately (Ansible) [Added]
  • T2386: Use role-based access control in Automation Controller (Ansible) [Added]
    • P1690: Inadequate access control in Ansible Automation Controller (Ansible) [Added]
    • I1803: Add team permissions to a job template (Ansible) [Added]
    • I1804: Configure user account security in Automation Controller (Ansible) [Added]
  • T2387: Collect logs for analysis and auditing (Ansible) [Added]
    • TA6242: Use Automation Hub (Ansible) [Added]
  • T2388: Enforce the principle of separation of duties [Added]
    • TA6246: Separate the roles for code signing and code submitting [Added]
  • T2389: Prevent co-channel and adjacent channel interference [Added]
    • P1693: Poor WiFi Settings Configuration [Added]
  • T2390: Limit the WiFi network coverage [Added]
    • P1693: Poor WiFi Settings Configuration [Added]
  • T2391: Change the default value of the Service Set Identifier (SSID) and protect it [Added]
    • P1693: Poor WiFi Settings Configuration [Added]
  • T2392: Create an Incident Response Plan [Added]
    • TA6255: Create an Incident Response Plan for compromised cryptographic keys [Added]
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the title.
  • T2393: Verify the principle of Separation of Duties is strongly implemented [Added]
  • T2394: Test co-channel and adjacent channel interference is prevented [Added]
    • P1693: Poor WiFi Settings Configuration [Added]
  • T2395: Test the default value of the Service Set Identifier (SSID) is changed [Added]
    • P1693: Poor WiFi Settings Configuration [Added]
  • T2396: Verify that the organization has a Product Security Incident Plan [Added]
    • P1687: Lack of a Product Security Incident Response [Updated]
      • INFO: Updated the title.
  • T2397: Detect rogue stations in a wireless network [Added]
    • P96: Information Exposure [Updated]
      • INFO: Updated the text.
  • T2398: Verify all rogue stations are detected in your wireless network [Added]

    • P96: Information Exposure [Updated]
      • INFO: Updated the text.
  • Changes to Project Properties and Profiles

    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A1061: Set of default answers for all profiles [Updated]
          • INFO: Updated the children.
        • A1330: Generic Container Orchestration [Updated]
          • INFO: Updated the text, description, question, and children.
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • Q309: Google Cloud Services
          • A1213: Kubernetes Engine [Updated]
            • INFO: Updated the children.
        • Q298: AWS Services
          • A1331: EKS [Updated]
            • INFO: Updated the text, description, children, and match conditions.
        • A1190: Microsoft Azure [Updated]
          • INFO: Updated the children.
        • A1212: Google Cloud Content (Not Story-driven) [Updated]
          • INFO: Updated the children.
    • Q299: General
      • Q346: IaC Tools
        • A1342: Ansible [Added]
    • Q307: Containerization
      • Q308: Containerization Technologies
        • A1209: Unmanaged Kubernetes [Updated]
          • INFO: Updated the text.
        • A1329: Managed Kubernetes [Updated]
          • INFO: Updated the text, description, and children.
    • Q331: US Federal and NIST
      • Q348: In-Scope for EO 14028 compliance [Added]
        • A1340: NIST EO Critical Software [Added]
        • A1341: NIST EO Software-Verification [Added]
    • Q349: Broadband cellular networks [Added]
      • A1344: Long-Term Evolution (LTE) or Fifth-generation (5G) technologies [Added]
  • New Just-in-Time Training

    • Secure Software Testing (20)
    • PCI SSF (17)
    • Securing Terraform (17)
    • Defending C and C++ (25)

2022.2

July 7, 2022

New features and enhancements

  • Diagrams

    • Introduced a Threat Model Diagrams feature that allows users to identify and communicate threats with data flow diagrams.
    • Users have the option to create a diagram after filling out the Project Survey, which will automatically generate threat modeling components and place them within the diagram.
    • Users can export a diagram in JSON or PNG format.
    • Each diagram is attached to new releases so that the diagram can evolve with the project.
    • If you don't see Diagrams enabled, contact your SD Elements Administrator or Customer Success Manager.
  • Reusable Components

    • Added a Components object in the SD Elements Library, accessible to users with the permission to customize content.
    • Built-in components are usable initially.
    • Users can create and configure additional components called Custom Components.
    • Each component has a Project Survey Answer mapping (a rule for adding the component to a project), a list of Mark as Complete Tasks and a list of Mark as Incomplete Tasks.
    • Users can add an activated component to projects.
      • Adding a component to a project will apply the component's Mark as Complete and Mark as Incomplete lists, after which users will see their Tasks for the project marked as either complete (automatically) or as needing additional attention.
  • Advanced Reports

    • Added Advanced Reports functionality that allows users the ability to create rich reports with data visualization using pre-built report templates or from a blank template. Accessible to users with permission to view Reporting Dashboard for all projects.
    • Users can select up to 6 different visualizations to represent their data.
    • Users have access to pull data over 200 dimensions and measures across 40 tables from their SD Elements instance to build reports.
    • Users can choose from one of five pre-built templates, or they can create a report from a blank template.
    • Users can take advantage of AND/OR logical operators when filtering.
    • Users can filter reports by relative dates, arrange column orders, and multi-sort data.
    • Users can view their saved advanced reports in the new Advanced Reports page, which includes the ability to export the report as CSV or JSON, ability to edit the report and the ability to expand view size of the report.
      • Added Reusable Component tables to Advanced Reports.
      • Added a new and improved Report Builder UI that enhances the user experience when building out a report.
  • Integrations

    • Added Black Duck SCA integration under Verification Tools.
    • JIRA Feature Enhancements:
      • Added a new configuration to provide a summary of errors found within a completed sync job.
      • Enabled Comment Syncing from SD Elements to JIRA only under the Authoritative Source (not supported for RIA customers).
      • Added a mapping option within JIRA Global Configuration that allows users to leverage the Native Jira field "resolution" with a JIRA Status to provide a different definition to "Done". For example, (Done, Won't Fix) maps to "Not Applicable".
  • Turning features on/off in the UI

    • Users can turn specific features on or off through the SD Elements UI. Toggling features on or off through the API remains a supported feature as well.
    • This functionality is available to SD Elements Administrators with the correct permissions.

Other product improvements

  • Integrations

    • Checkmarx Project ID Configurations: Users can now define a project_id alternatively to project_name in Checkmarx project-level configurations.
  • Problems related Task view

    • Updated sorting so that a Problem's related Tasks will be sorted alphabetically.

Content additions and updates (as of June 16, 2022):

  • Compliance Regulations and Mappings

    • Added California Civil Code (CCPA and CPRA)
    • Added NIST-SSDF-v1.1
    • Updated ISASecure CSA 311 [INFO: Updated the regulation sections].
    • Updated ISASecure SSA 311 [INFO: Updated the regulation sections].
  • Content Packs

    • Added Cybersecurity
    • Added Application Server
    • Added Terraform
    • Added NIST SSDF
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • TA46: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA216: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA262: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA867: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2: Secure the password reset mechanism
    • TA47: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2893: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T3: Require old passwords when users change passwords
    • TA48: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA217: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA878: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T4: Use configurable password policies
    • TA49: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA149: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA218: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2894: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T5: Use minimum standards for passwords
    • TA50: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA150: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA219: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA871: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T6: Implement account lockout or authentication throttling
    • TA51: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA151: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA220: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA846: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T7: Salt and hash stored passwords
    • TA52: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA152: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA221: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA872: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T8: Use Consistent Error Handling for All Authentication Failures
    • TA53: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2895: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T9: Implement authorization and screening for highly sensitive transactions
    • TA54: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA245: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA2896: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T10: Use server-to-server authentication
    • TA55: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2897: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T12: Mask User Passwords by Default
    • TA56: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA879: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T13: Change Automatically Generated Passwords
    • TA57: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2898: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T14: Enforce the principle of least privilege
    • TA58: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA153: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2899: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T15: Centralize authorization
    • TA2900: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T16: Authorize every non-public page
    • TA2901: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T17: Do not only rely on client-side authorization
    • TA2902: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T18: Make authorization decisions using full context
    • TA2903: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T19: Restrict Application's Access to Database
    • TA2904: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T20: Generate unique session IDs and reset old IDs after authentication [Updated]
    • INFO: Updated the priority.
    • TA59: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA898: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T21: Ensure all data in transit is encrypted using a secure TLS channel
    • TA60: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA154: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA246: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA852: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
    • TA965: Choice of cipher [Updated]
      • INFO: Updated the text.
    • I479: Apache HTTP Server [Updated]
      • INFO: Updated the text.
  • T22: Set secure flags on session cookies
    • TA896: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T23: Set HttpOnly flag on session cookies
    • TA895: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T24: Enforce idle session timeout
    • TA43: PCI/PA DSS notes [Updated]
      • INFO: Updated the title.
    • TA61: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA155: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA851: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T25: Enforce absolute session timeouts
    • TA874: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T26: Expire sessions on logout
    • TA881: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T27: Turn off session rewriting
    • TA897: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T28: Avoid 'Remember Me' features
    • TA2905: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T29: Use anti-Cross-Site Request Forgery (CSRF) tokens
    • TA905: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T30: Protect forms authentication submissions
    • TA62: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2906: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T31: Validate all forms of input
    • TA907: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
    • TA3499: Input validation (GraphQL) [Updated]
      • INFO: Updated the text.
  • T32: Always perform input validation on a server [Updated]
    • INFO: Updated the text.
    • TA2907: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T33: Verify integrity of client-supplied read-only data
    • TA892: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T34: Refuse overly-long, malformed, and non-printable characters unless required
    • TA2908: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T35: Fine-tune HTTP server settings
    • TA888: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
    • TA904: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T37: Avoid DOM-based Cross-Site Scripting (XSS)
    • TA2909: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T38: Bind variables in SQL statements
    • TA908: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T40: Use XML encoding when interacting with XML data
    • I116: ASP.NET / C# XML encoding with Microsoft Anti XSS [Updated]
      • INFO: Updated the text.
  • T43: Avoid unsafe operating system interaction [Updated]
    • INFO: Updated the text.
    • TA906: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T45: Log potential critical security events
    • TA156: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA247: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA844: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T46: Do not log confidential data
    • I1787: Mark sensitive variables for log redaction (Terraform) [Added]
    • TA63: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA860: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T49: Disable and remove debug capabilities and code/data, and prepare application for release
    • TA901: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T53: Prevent the upload of malicious files and malware
    • TA64: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA157: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA5239: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Embedded Device) [Updated]
      • INFO: Updated the text.
  • T55: Validate all XML input
    • TA887: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T58: Do not process user-supplied XSLTs in XML digital signatures
    • TA2910: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T59: Use standard libraries for cryptography
    • TA2911: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • TA158: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA222: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA880: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T61: Disable default accounts or change all default passwords
    • TA65: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA159: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA840: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T62: Protect passwords in property and configuration files
    • TA66: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2912: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T65: Restrict accepted HTTP verbs
    • TA2913: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T68: Encrypt credit card PANs in storage
    • TA67: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA160: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA223: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2914: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T69: Strong password requirements for server-to-server system accounts
    • TA68: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA161: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2915: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T70: Implement account lockout or authentication throttling for system accounts
    • TA69: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA162: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2916: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T71: Capture sufficient information for each transaction in audit logs
    • TA70: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA163: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA856: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T72: Use safe arithmetic to avoid integer overflow
    • TA2917: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T73: Use random delays in authentication failures
    • TA71: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2918: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T74: Avoid HTTP parameter pollution
    • TA2919: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T76: Do not hard code passwords
    • TA72: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA877: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T77: Test for single-factor authentication
    • TA73: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA224: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA248: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T78: Test strength of password reset mechanism
    • TA74: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T79: Test password change functions
    • TA75: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T80: Test password requirements
    • TA76: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA164: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA225: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
  • T81: Test account lockout
    • TA77: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA165: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T82: Test authentication error consistency
    • TA78: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T83: Verify transactional authorization and screening
    • TA79: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA249: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T86: Test session ID uniqueness and rotation after authentication
    • TA80: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T87: Verify that all data in transit is encrypted using a secure TLS channel
    • TA81: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA166: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA250: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T90: Test idle session timeout
    • TA82: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA167: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA226: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
  • T107: Test that application forbids uploading or transferring malware
    • TA83: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA168: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA5238: ISASecure CSA 311 requirements: Levels (1, 2, 3, 4), Components (Embedded Device) [Updated]
      • INFO: Updated the text.
  • T114: Test system-to-system authentication lockout or throttling
    • TA84: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA169: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T124: Test for authentication timing vulnerability
    • TA85: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T131: Test for forced password change upon login
    • TA86: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T133: Mask credit card PAN numbers when displayed
    • TA227: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2954: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T134: Do not send unprotected PANs in emails or text messages
    • TA87: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA228: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
  • T135: Assign each person using the system a unique user ID
    • TA88: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA170: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA229: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA866: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T136: Do not store sensitive credit card data
    • TA230: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2955: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T137: Encrypt protected health information in storage [Updated]
    • INFO: Updated the priority.
    • TA89: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA171: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T139: Use secure channels to transmit protected health information on the Internet [Updated]
    • INFO: Updated the priority.
    • TA90: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA172: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T143: Apply minimum password standards for mobile environments
    • TA91: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA173: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2957: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T144: Do not rely on client for account lockout or authentication throttling
    • TA92: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2958: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T145: Avoid client-side authorization for mobile clients
    • TA2959: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T146: Use encryption for network communications in mobile environments
    • TA93: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA174: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2960: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T148: Avoid caching confidential data on client
    • TA900: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T150: Validate data received from server before handling
    • TA95: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA2961: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T151: Use cryptographically secure random numbers
    • TA894: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T152: Avoid asking for and using excessive permissions
    • TA843: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T153: Scrub buffers holding sensitive information when releasing/deleting
    • TA175: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2962: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T154: Do not store or cache credit card information on client
    • TA96: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA231: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2963: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T155: Avoid storing sensitive logs on the client
    • TA2964: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T156: Validate certificate and its chain of trust properly
    • TA97: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA876: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T158: Verify integrity of client-supplied read-only data from rich clients
    • TA891: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T159: Follow best practices for secure error and exception handling
    • TA232: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA893: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T160: Avoid relying on jailbreak or root detection as a strong security measure
    • TA2965: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T161: Treat unique device IDs as personal information
    • TA2966: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T163: Handle health data securely [Updated]
    • INFO: Updated the priority.
    • TA98: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA176: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T164: Clear session information from client upon logout
    • TA850: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T165: Do not rely on Unique Device ID values in security controls
    • TA99: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T168: Prevent auto-snapshot from saving sensitive data (iOS)
    • TA2967: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T173: Test that user data is transmitted over secure channel in mobile environment
    • TA101: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA177: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T175: Test that the client validates digital certificates [Updated]
    • INFO: Updated the text.
  • T176: Apply principles of privacy when handling personal information [Updated]
    • INFO: Updated the text.
    • TA2972: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T177: Allow users to review and update their personal information
    • TA6230: California Civil Code: Requests to know [Added]
  • T178: Obtain consent from users prior to collecting personal information
    • TA2973: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T179: Allow access for users to remove their personal information from the system
    • TA2863: California Civil Code: Requests to delete [Updated]
      • INFO: Updated the title and text.
  • T184: Perform authorization checks on RESTful web services
    • TA2974: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T185: Follow best practices to secure SAML implementations
    • TA2975: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T186: Use recommended settings and the latest patches for third party libraries and software
    • TA102: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA863: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T193: Review non-categorized/miscellaneous findings from automated analysis
    • TA178: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2977: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T194: Obtain user consent for tracking cookies [Updated]
    • INFO: Updated the priority.
  • T197: Encrypt and sign any remote code/update and then validate the signature to verify its origin and integrity
    • TA103: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA179: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA251: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA882: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T202: Prevent buffer overflow/underflow
    • TA909: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T205: Avoid inter-process race conditions
    • TA883: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T207: Provide special data protection for children's personal information [Updated]
    • INFO: Updated the priority.
    • TA2979: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T210: Encrypt sensitive data during transmission for rich clients
    • TA104: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA180: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA2980: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T214: Protect confidential files on operating system or server [Updated]
    • INFO: Updated the priority.
    • TA2981: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T217: Use compiler settings to mitigate buffer overflows
    • TA2982: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T219: Avoid transmitting confidential data through URL parameters
    • TA2983: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T220: Verify that user password is salted and hashed
    • TA105: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA181: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T222: Verify server-to-server authentication
    • TA106: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T225: Test that password fields are masked by default
    • TA107: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T229: Verify that logs do not contain confidential data
    • TA108: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T230: Test that sever-to-server system accounts meet minimum password requirements
    • TA109: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA182: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T232: Verify that end-user transaction logs capture sufficient information
    • TA110: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA183: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA252: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T233: Verify that each person using the system is assigned a unique user ID
    • TA111: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA184: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T235: Verify that application does not store protected health information insecurely
    • TA185: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T236: Test that the application encrypts protected health information on the Internet
    • TA112: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA186: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T241: Verify that third party libraries use secure settings and the latest patches
    • TA113: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T243: Check the authenticity and integrity of received SOAP messages
    • TA114: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA853: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared
    • TA187: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA233: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA886: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T245: Verify that sensitive unprotected data is securely deleted
    • TA188: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA234: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
  • T246: Control access to encrypted volumes independent of native operating system
    • TA235: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA2998: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T248: Protect secret keys and passwords in the application
    • TA189: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA236: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
    • TA875: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T249: Verify that keys and passwords are protected in the application
    • TA190: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA237: PCI/PA DSS Notes [Updated]
      • INFO: Updated the title.
  • T252: Configure XML parsers for secure processing
    • TA3001: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T257: Secure cross origin resource sharing (CORS)
    • TA3004: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T259: Follow best practices when storing data in Local or Session Storage
    • TA117: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA191: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3005: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T261: Manage iOS Pasteboards that are used with sensitive data
    • TA3006: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T262: Mask passwords by default on mobiles but consider usability options
    • TA118: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3007: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T263: Test that password fields are masked by default on mobiles and usability improvement options are implemented
    • TA119: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T264: Do not use method swizzling in Objective-C
    • TA3009: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T270: Follow best practices for storing application data on Android devices
    • TA120: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA192: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3010: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T275: Avoid sending sensitive data using implicit Intents or Broadcasts
    • TA3011: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T276: Validate the content of received Intents
    • TA3012: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T279: Avoid dynamically loading any code without proper security considerations
    • TA3013: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T282: Bind variables in SQL statements for client applications
    • TA3014: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T286: Make sure username rules are consistent among the registration system, authentication system, and application
    • TA121: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3016: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T287: Test that usernames are handled consistently by registration system, authentication system and application
    • TA122: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T288: Prevent unauthorized access to information through XML external references
    • TA3018: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T295: Avoid storing unencrypted confidential data without access control mechanisms
    • TA123: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA193: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3020: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T296: Test that unencrypted confidential data is not stored without access control mechanisms
    • TA124: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA194: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T301: Verify that buffers holding sensitive information are scrubbed
    • TA195: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T302: Test that sensitive data is transmitted over secure channel for rich clients
    • TA125: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA196: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T309: Verify that data received from server is validated before handling
    • TA126: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T313: Identify and classify categories of personal information
    • TA127: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3032: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T314: Verify that personal and confidential information is identified and classified
    • TA128: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T315: Verify that potential security-critical events are logged
    • TA197: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
    • TA3035: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T321: Verify that Local and Session Storage are securely used
    • TA129: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA198: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T322: Include HTTP Strict-Transport-Security headers in HTTPS responses
    • TA3039: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T323: Test that default accounts are disabled or default passwords are changed
    • TA130: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA199: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T327: Review security of Node.js modules before installation
    • TA3041: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T335: Sanitize user input before passing to NoSQL operators
    • TA3043: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T337: Include a 'break glass' feature that enables emergency functions
    • TA131: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3483: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T338: Control access to resources through user authentication and authorization
    • TA132: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA200: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA253: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA841: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T340: Use an account and identity management system
    • TA133: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA201: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3484: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T341: Test that certificate validation and subject identification are properly performed in PKI based authentication [Deactivated]
  • T342: Inform and warn users about using critical system services
    • TA202: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3047: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T343: Test that proper system use notification is displayed or sent for critical features
    • TA203: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T344: Enforce different rules for access to the system based on the origin, type and medium of request
    • TA135: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3049: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
    • TA5450: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T345: Check the integrity of critical configuration and data files
    • TA136: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA3050: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T346: Test that the integrity of important configuration and data files are checked
    • TA137: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T347: Fail to a known state with predefined outputs
    • TA899: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T349: Protect audit information and logs against unauthorized access
    • TA204: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA254: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA859: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T350: Verify that audit information is sufficiently protected
    • TA205: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA255: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T353: Control the inbound and outbound data flow across the boundaries of zones
    • TA206: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA842: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T355: Verify that inbound/outbound traffic is properly filtered
    • TA207: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T356: Break the system into zones and design the conduits
    • TA864: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T360: Partition the application in a way that facilitates adoption of a zoning model
    • TA902: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T363: Design a priority scheme for application services and operations
    • TA208: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA3056: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T364: Enable secure backup and restore capabilities
    • TA138: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA209: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA865: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T365: Verify the security of backing up and restoring procedures
    • TA139: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA210: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T367: Mitigate the security risks of power cut and power supply switch
    • TA212: DIACAP Notes [Updated]
      • INFO: Updated the title.
    • TA890: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T368: Test system/application security in the event of a power cut or power supply switch
    • TA213: DIACAP Notes [Updated]
      • INFO: Updated the title.
  • T370: Follow best practices for using third-party software libraries/modules and open source/COTS components [Updated]
    • INFO: Updated the text.
    • TA141: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA861: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T371: Provide unified and manageable interfaces for security settings and configuration parameters
    • TA142: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA845: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T373: Design and regulate access to unauthenticated parts of the application
    • TA3059: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T377: De-identify protected health information before using it for a secondary purpose
    • TA144: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T378: Authorize every request for data objects
    • TA3060: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T379: Provide sufficient documentation for security-related features
    • TA6234: Define security policies (NIST-SSDF) [Added]
    • TA145: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA256: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA885: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T380: Verify that security documents are complete
    • TA146: MDS2 Notes [Updated]
      • INFO: Updated the title.
    • TA257: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T381: Test break-glass procedures
    • TA147: MDS2 Notes [Updated]
      • INFO: Updated the title.
  • T394: Secure one-time passwords (OTP)
    • TA258: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA873: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T395: Verify that one-time passwords (OTP) are securely used
    • TA259: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T396: Set maximum limits for authorized transactions
    • TA260: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
    • TA3064: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T397: Test the limits of authorized transactions
    • TA261: EBA-Security of Internet Payments Notes [Updated]
      • INFO: Updated the title.
  • T399: Separate delegated payment pages from the rest of the application
    • TA3066: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T415: Develop features to allow verifying the authenticity of the product
    • TA3069: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T425: Check the authenticity of external devices/applications
    • TA868: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T427: Implement previous logon (access) notification
    • TA848: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T429: Limit the number of concurrent sessions for each account
    • TA849: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T431: Design a response to logging failures and other minor failures
    • TA858: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T433: Design a fallback mechanism or a degraded mode for the system
    • TA3075: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T437: Include log reduction and report generation capabilities
    • TA857: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T451: Disable index and search capabilities for confidential content on iOS
    • TA3081: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T453: Perform security function verification on a regular basis
    • TA903: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T456: Change default security settings to the most stringent ones and disable unnecessary services and modules
    • TA862: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T459: Remove factory default reset button or key metadata used for IoT device registration
    • TA3085: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T468: Develop an RFID usage, safety, and privacy policy
    • TA3087: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T485: Sign audit records for non-repudiation
    • TA3089: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T502: Limit MQTT broker resource consumption
    • TA3091: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T504: Check the integrity of MQTT messages
    • TA3093: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T514: Prevent formula injection in CSV/Excel files
    • TA3094: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T515: Limit resource consumption of outgoing HTTP requests sent to external user-defined webhooks
    • TA3095: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T517: Protect user registration and account modification pages against user enumeration
    • TA3097: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T520: Design secure SOAP web services
    • TA854: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T521: Protect the ZigBee network infrastructure with a Network Key
    • TA3100: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T536: Restrict the size of incoming messages in services
    • TA3102: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T544: Anonymize (de-identify) identifying information before using it for a secondary purpose [Updated]
    • INFO: Updated the priority.
  • T553: Design secure RESTful web services
    • TA3105: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T555: Acquire a secret token from users for signing the payload of webhook notifications
    • TA3107: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T558: Authenticate all other components before any network communication with them
    • TA869: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T562: Consider Doze, Standby, and battery saving limitations when developing Android applications
    • TA3110: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T566: Enable network layer encryption for local area network communications
    • TA3112: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T567: Enable network access control for local area network communications
    • TA3113: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T569: Prevent parameter tampering in web services
    • TA3114: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T570: Sign the parent tag of the SAML assertion before forwarding
    • TA3115: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T571: Validate SAML assertions
    • TA855: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T574: Prevent information exposure in HyperCat
    • TA3116: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T580: Validate return codes in mainframe programs
    • TA884: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T582: Secure SYSABEND, SYSUDUMP, or SNAP dumps in mainframe
    • TA3120: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T584: Implement update capabilities for your application
    • TA3122: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T586: Implement Secure Boot if possible
    • TA3123: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T604: Implement a consent withdrawal mechanism [Updated]
    • INFO: Updated the priority.
  • T608: Obfuscate your executables
    • TA3133: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T609: Protect your application against debuggers
    • TA3134: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T613: Mitigate DDoS attacks with NGINX
    • TA3135: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T615: Check your mobile application's integrity and installation source
    • TA3136: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T617: Do not rely on APN for delivering critical notifications
    • TA3137: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T620: Use SSL/TLS offloading, encryption and certificates with NGINX
    • TA3138: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T622: Assign a random revocable token to actions and achievements in the game
    • TA3139: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T624: Implement a verifiable log for the game
    • TA3141: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T639: Use secure functions to load DLL files
    • TA3143: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T640: Design and implement some rootkit detection techniques
    • TA3144: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T641: Limit resource consumption of WebSocket connections
    • TA3145: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T643: Implement certificate pinning in a hostile environment
    • TA3147: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T663: Avoid the use of the 'root' account (AWS) [Updated]
    • INFO: Updated the title.
    • I592: How to avoid the use of the "root" account (AWS) [Updated]
      • INFO: Updated the title.
  • T664: Enable multi-factor authentication (MFA) for all IAM users that have a console password (AWS) [Updated]
    • INFO: Updated the title.
    • I593: How to enable multi-factor authentication (MFA) for all IAM users that have a console password (AWS) [Updated]
      • INFO: Updated the title.
  • T665: Disable credentials unused for 90 days or greater (AWS) [Updated]
    • INFO: Updated the title.
    • I594: How to disable credentials unused for 90 days or greater (AWS) [Updated]
      • INFO: Updated the title.
    • P840: Not disabling inactive user accounts (AWS) [Updated]
      • INFO: Updated the title.
  • T666: Rotate access keys every 90 days or less (AWS) [Updated]
    • INFO: Updated the title.
    • I595: How to rotate access keys every 90 days or less (AWS) [Updated]
      • INFO: Updated the title.
    • P161: Password Aging with Long Expiration [Updated]
      • INFO: Updated the title.
  • T667: Apply minimum IAM password policy requirements (AWS) [Updated]
    • INFO: Updated the title.
    • I596: How to apply minimum IAM password policy requirements (AWS) [Updated]
      • INFO: Updated the title.
  • T671: Enable multi-factor authentication for the 'root' account (AWS) [Updated]
    • INFO: Updated the title.
    • I600: How to enable MFA for the "root" account (AWS) [Updated]
      • INFO: Updated the title.
  • T672: Register security questions in the AWS account (AWS) [Updated]
    • INFO: Updated the title.
    • I601: How to register security questions in the AWS account (AWS) [Updated]
      • INFO: Updated the title.
    • P847: No backup of passwords and no secondary ways of accessing accounts (AWS) [Updated]
      • INFO: Updated the title.
  • T673: Attach IAM policies only to groups or roles (AWS) [Updated]
    • INFO: Updated the title.
    • I602: How to attach IAM policies only to groups or roles (AWS) [Updated]
      • INFO: Updated the title.
  • T676: Maintain current contact details (AWS) [Updated]
    • INFO: Updated the title.
    • I605: How to maintain current contact details (AWS) [Updated]
      • INFO: Updated the title.
    • P856: Improper contact details associated to account (AWS) [Updated]
      • INFO: Updated the title.
  • T677: Register security contact information (AWS) [Updated]
    • INFO: Updated the title.
    • I606: How to register security contact information (AWS) [Updated]
      • INFO: Updated the title.
    • P857: Lack of registered security contact information (AWS) [Updated]
      • INFO: Updated the title.
  • T678: Create a support role to manage incidents with AWS Support (AWS) [Updated]
    • INFO: Updated the title.
    • I607: How to create a support role to manage incidents with AWS Support (AWS) [Updated]
      • INFO: Updated the title.
    • P844: No support role or insufficient permissions to manage incidents (AWS) [Updated]
      • INFO: Updated the title.
  • T679: Do not set up access keys during initial IAM user setup (AWS) [Updated]
    • INFO: Updated the title.
    • I608: How to do delete access keys that are created during initial IAM user setup (AWS) [Updated]
      • INFO: Updated the title.
    • P845: Generating unnecessary access keys during initial IAM user setup (AWS) [Updated]
      • INFO: Updated the title.
  • T680: Do not create IAM policies that allow full administrative privileges (AWS) [Updated]
    • INFO: Updated the title.
    • I609: How to delete IAM policies that allow full administrative privileges (AWS) [Updated]
      • INFO: Updated the title.
  • T681: Enable CloudTrail in all regions (AWS) [Updated]
    • INFO: Updated the title.
    • I610: How to enable CloudTrail in all regions (AWS) [Updated]
      • INFO: Updated the title.
    • P846: Lack of CloudTrail logs for all regions (AWS) [Updated]
      • INFO: Updated the title.
  • T682: Make S3 bucket CloudTrail logs publicly inaccessible (AWS) [Updated]
    • INFO: Updated the title.
    • I611: How to make S3 bucket CloudTrail logs publicly inaccessible (AWS) [Updated]
      • INFO: Updated the title.
    • P848: Unauthorized access to CloudTrail log content (AWS) [Updated]
      • INFO: Updated the title.
  • T683: Integrate CloudTrail logs with CloudWatch Logs for real-time analysis (AWS) [Updated]
    • INFO: Updated the title.
    • I612: How to integrate CloudTrail logs with CloudWatch Logs for real-time analysis (AWS) [Updated]
      • INFO: Updated the title.
    • P849: Nonintegrated CloudTrail trails with CloudWatch Logs (AWS) [Updated]
      • INFO: Updated the title.
  • T684: Enable AWS Config in all regions (AWS) [Updated]
    • INFO: Updated the title.
    • I613: How to enable AWS Config in all regions (AWS) [Updated]
      • INFO: Updated the title.
    • P851: Disabled AWS Config (AWS) [Updated]
      • INFO: Updated the title.
  • T685: Enable S3 bucket access logging on the CloudTrail S3 bucket (AWS) [Updated]
    • INFO: Updated the title.
    • I614: How to enable S3 bucket access logging on the CloudTrail S3 bucket (AWS) [Updated]
      • INFO: Updated the title.
    • P852: Disabled S3 bucket logging on target S3 buckets (AWS) [Updated]
      • INFO: Updated the title.
  • T686: Create log metrics and alarms (AWS) [Updated]
    • INFO: Updated the title.
    • I615: How to create log metrics and alarms (AWS) [Updated]
      • INFO: Updated the title.
    • I626: How to create log metrics and alarms (AWS) - In-depth controls [Updated]
      • INFO: Updated the title.
  • T688: Apply security group requirements (AWS) [Updated]
    • INFO: Updated the title.
    • I617: How to apply security group requirements (AWS) [Updated]
      • INFO: Updated the title.
    • P839: Unrestricted connectivity to remote console services (AWS) [Updated]
      • INFO: Updated the title.
  • T689: Enable hardware multi-factor authentication (MFA) for the 'root' account (AWS) [Updated]
    • INFO: Updated the title.
    • I618: How to enable hardware multi-factor authentication (MFA) for the "root" account (AWS) [Updated]
      • INFO: Updated the title.
    • P841: Missing hardware multi-factor authentication (MFA) (AWS) [Updated]
      • INFO: Updated the title.
  • T690: Use IAM instance roles for resource access from instances (AWS) [Updated]
    • INFO: Updated the title.
    • I619: How to use IAM instance roles for resource access from instances (AWS) [Updated]
      • INFO: Updated the title.
    • P842: Failing to properly use AWS IAM roles (AWS) [Updated]
      • INFO: Updated the title.
  • T691: Enable CloudTrail log file validation (AWS) [Updated]
    • INFO: Updated the title.
    • I620: How to enable CloudTrail log file validation (AWS) [Updated]
      • INFO: Updated the title.
    • P843: Unsecure use of CloudTrail logs (AWS) [Updated]
      • INFO: Updated the title.
  • T692: Encrypt CloudTrail logs at rest using KMS CMKs (AWS) [Updated]
    • INFO: Updated the title.
    • I621: How to encrypt CloudTrail logs at rest using KMS CMKs (AWS) [Updated]
      • INFO: Updated the title.
    • P843: Unsecure use of CloudTrail logs (AWS) [Updated]
      • INFO: Updated the title.
  • T693: Enable rotation for customer created CMKs (AWS) [Updated]
    • INFO: Updated the title.
    • I622: How to enable rotation for customer created CMKs (AWS) [Updated]
      • INFO: Updated the title.
    • P850: Missing rotation for encryption keys (AWS) [Updated]
      • INFO: Updated the title.
  • T694: Enable VPC flow logging in all VPCs (AWS) [Updated]
    • INFO: Updated the title.
    • I623: How to enable VPC flow logging in all VPCs (AWS) [Updated]
      • INFO: Updated the title.
  • T695: Restrict all traffic in the default security group of every VPC (AWS) [Updated]
    • INFO: Updated the title.
    • I624: How to restrict all traffic in the default security group of every VPC (AWS) [Updated]
      • INFO: Updated the title.
  • T696: Change routing tables for VPC peering to 'least access' (AWS) [Updated]
    • INFO: Updated the title.
    • I625: How to change routing tables for VPC peering to "least access" (AWS) [Updated]
      • INFO: Updated the title.
  • T697: Test that 'root' account is not used (AWS) [Updated]
    • INFO: Updated the title.
  • T698: Test that multi-factor authentication (MFA) is enabled for all IAM users that have a console password (AWS) [Updated]
    • INFO: Updated the title.
  • T699: Test that credentials unused for 90 days or greater are disabled (AWS) [Updated]
    • INFO: Updated the title.
    • P840: Not disabling inactive user accounts (AWS) [Updated]
      • INFO: Updated the title.
  • T700: Test that access keys are rotated every 90 days or less (AWS) [Updated]
    • INFO: Updated the title.
    • P161: Password Aging with Long Expiration [Updated]
      • INFO: Updated the title.
  • T701: Test that minimum IAM password policy requirements are applied (AWS) [Updated]
    • INFO: Updated the title.
  • T705: Test that multi-factor authentication is enabled for the 'root' account (AWS) [Updated]
    • INFO: Updated the title.
  • T706: Test that security questions are registered in the AWS account (AWS) [Updated]
    • INFO: Updated the title.
    • P847: No backup of passwords and no secondary ways of accessing accounts (AWS) [Updated]
      • INFO: Updated the title.
  • T707: Test that IAM policies are attached only to groups or roles (AWS) [Updated]
    • INFO: Updated the title.
  • T710: Verify that contact details are current (AWS) [Updated]
    • INFO: Updated the title.
    • P856: Improper contact details associated to account (AWS) [Updated]
      • INFO: Updated the title.
  • T711: Verify that security contact information is registered (AWS) [Updated]
    • INFO: Updated the title.
    • P857: Lack of registered security contact information (AWS) [Updated]
      • INFO: Updated the title.
  • T712: Test if a support role has been created to manage incidents with AWS Support (AWS) [Updated]
    • INFO: Updated the title.
    • P844: No support role or insufficient permissions to manage incidents (AWS) [Updated]
      • INFO: Updated the title.
  • T713: Test if access keys have been created during initial IAM user setup (AWS) [Updated]
    • INFO: Updated the title.
    • P845: Generating unnecessary access keys during initial IAM user setup (AWS) [Updated]
      • INFO: Updated the title.
  • T714: Test if any IAM policy exists that allows full administrative privileges (AWS) [Updated]
    • INFO: Updated the title.
  • T715: Test if CloudTrail is enabled in all regions (AWS) [Updated]
    • INFO: Updated the title.
    • P846: Lack of CloudTrail logs for all regions (AWS) [Updated]
      • INFO: Updated the title.
  • T716: Test if S3 bucket CloudTrail logs are not publicly accessible (AWS) [Updated]
    • INFO: Updated the title.
    • P848: Unauthorized access to CloudTrail log content (AWS) [Updated]
      • INFO: Updated the title.
  • T717: Test that CloudTrail trails are integrated with CloudWatch Logs (AWS) [Updated]
    • INFO: Updated the title.
    • P849: Nonintegrated CloudTrail trails with CloudWatch Logs (AWS) [Updated]
      • INFO: Updated the title.
  • T718: Test if AWS Config is enabled in all regions (AWS) [Updated]
    • INFO: Updated the title.
    • P851: Disabled AWS Config (AWS) [Updated]
      • INFO: Updated the title.
  • T719: Test if S3 bucket access logging is enabled on the CloudTrail S3 bucket (AWS) [Updated]
    • INFO: Updated the title.
    • P852: Disabled S3 bucket logging on target S3 buckets (AWS) [Updated]
      • INFO: Updated the title.
  • T720: Test that log metrics and alarms are created (AWS) [Updated]
    • INFO: Updated the title.
  • T722: Test Security Group requirements (AWS) [Updated]
    • INFO: Updated the title.
    • P839: Unrestricted connectivity to remote console services (AWS) [Updated]
      • INFO: Updated the title.
  • T723: Test that hardware multi-factor authentication (MFA) is enabled for the 'root' account (AWS) [Updated]
    • INFO: Updated the title.
    • P841: Missing hardware multi-factor authentication (MFA) (AWS) [Updated]
      • INFO: Updated the title.
  • T724: Test that IAM instance roles are used for resource access from instances (AWS) [Updated]
    • INFO: Updated the title.
    • P842: Failing to properly use AWS IAM roles (AWS) [Updated]
      • INFO: Updated the title.
  • T725: Test that log file validation is enabled (AWS) [Updated]
    • INFO: Updated the title.
    • P843: Unsecure use of CloudTrail logs (AWS) [Updated]
      • INFO: Updated the title.
  • T726: Test that CloudTrail logs are encrypted at rest using KMS CMKs (AWS) [Updated]
    • INFO: Updated the title.
    • P843: Unsecure use of CloudTrail logs (AWS) [Updated]
      • INFO: Updated the title.
  • T727: Test that rotation is enabled for customer created CMKs (AWS) [Updated]
    • INFO: Updated the title.
    • P850: Missing rotation for encryption keys (AWS) [Updated]
      • INFO: Updated the title.
  • T728: Test that VPC flow logging is enabled in all VPCs (AWS) [Updated]
    • INFO: Updated the title.
  • T729: Test that the default security group of every VPC restricts all traffic (AWS) [Updated]
    • INFO: Updated the title.
  • T730: Test that routing tables for VPC peering are 'least access' (AWS) [Updated]
    • INFO: Updated the title.
  • T738: Determine the legal basis for transferring personal information [Updated]
    • INFO: Updated the priority.
  • T740: Provide personal information and its processing information to users in an appropriate format [Updated]
    • INFO: Updated the text.
  • T742: Implement technical measures to ensure the accuracy of personal information [Updated]
    • INFO: Updated the priority.
  • T744: Protect pseudonymized personal information [Updated]
    • INFO: Updated the priority.
  • T750: Limit personal information collection and processing to the specified purpose [Updated]
    • INFO: Updated the priority.
    • TA2864: California Civil Code: Service Provider obligations [Updated]
      • INFO: Updated the title and text.
  • T751: Provide users with a notification of personal information processing
    • TA6228: California Civil Code: Privacy policy [Added]
    • TA6229: California Civil Code: Notice of financial incentive [Added]
    • TA847: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
    • TA2860: California Civil Code: Privacy notice [Updated]
      • INFO: Updated the title and text.
  • T753: Verify whether personal information is collected only for specified purposes [Updated]
    • INFO: Updated the priority.
  • T754: Enable the restriction of processing personal information of an individual for a specific purpose [Updated]
    • INFO: Updated the priority.
    • TA2865: California Civil Code: Requests to opt out of the sale of personal information [Updated]
      • INFO: Updated the title and text.
  • T755: Maintain a Data Processing Register or Record of Business Processing Activities [Updated]
    • INFO: Updated the priority.
  • T765: Authorize user before launching the iOS app via a widget
    • TA3179: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T766: Configure the relational database service correctly (AWS) [Updated]
    • INFO: Updated the title.
    • I629: How to configure the relational database service correctly (AWS) [Updated]
      • INFO: Updated the title.
  • T767: Encrypt the sensitive Elastic Block Storage volumes (AWS) [Updated]
    • INFO: Updated the title.
    • I630: How to encrypt the sensitive Elastic Block Storage volumes (AWS) [Updated]
      • INFO: Updated the title.
    • P867: Encryption on the sensitive Elastic Block Storage volumes is disabled (AWS) [Updated]
      • INFO: Updated the title.
  • T768: Do not share sensitive Amazon Machine Images publicly (AWS) [Updated]
    • INFO: Updated the title.
    • I631: How to remove public launch permissions from Amazon Machine Images (AWS) [Updated]
      • INFO: Updated the title.
    • P868: Public Access to sensitive Amazon Machine Images (AWS) [Updated]
      • INFO: Updated the title and match conditions.
  • T769: Configure Web- and App-tier ELB correctly (AWS) [Updated]
    • INFO: Updated the title.
    • I632: How to configure Web- and App-tier ELB correctly (AWS) [Updated]
      • INFO: Updated the title.
    • I664: How to configure Web and App -tier ELB correctly (AWS) - In-depth controls [Updated]
      • INFO: Updated the title.
  • T770: Configure S3 buckets correctly (AWS) [Updated]
    • INFO: Updated the title.
    • I633: How to configure S3 buckets correctly (AWS) [Updated]
      • INFO: Updated the title.
    • P870: Misconfiguring S3 buckets (AWS) [Updated]
      • INFO: Updated the title.
  • T771: Create IAM roles and policies correctly for Amazon EC2 (AWS) [Updated]
    • INFO: Updated the title.
    • I634: How to create IAM roles and policies correctly for Amazon EC2 (AWS) [Updated]
      • INFO: Updated the title.
    • P871: IAM roles and policies are not created properly for Amazon EC2 (AWS) [Updated]
      • INFO: Updated the title.
  • T772: Configure Auto Scaling Group Launch correctly (AWS) [Updated]
    • INFO: Updated the title.
    • I635: How to configure Auto Scaling Group Launch correctly (AWS) [Updated]
      • INFO: Updated the title.
    • P872: Auto Scaling Group Launch is not configured correctly (AWS) [Updated]
      • INFO: Updated the title.
  • T773: Create separate IAM groups and policies for administration (AWS) [Updated]
    • INFO: Updated the title.
    • I636: How to create separate IAM groups and policies for administration (AWS) [Updated]
      • INFO: Updated the title.
    • P873: No separate IAM groups and policies for administration (AWS) [Updated]
      • INFO: Updated the title.
  • T775: Associate an Elastic Load Balancer to each sensitive Auto Scaling Group (AWS) [Updated]
    • INFO: Updated the title.
    • I638: How to associate an Elastic Load Balancer to each sensitive Auto Scaling Group (AWS) [Updated]
      • INFO: Updated the title.
    • P875: An Elastic Load Balancer Is Not Associated to Each Sensitive Auto Scaling Group (AWS) [Updated]
      • INFO: Updated the title.
  • T776: Ensure each Auto Scaling Group is configured for multiple Availability Zones (AWS) [Updated]
    • INFO: Updated the title.
    • I639: How to ensure each Auto Scaling Group is configured for multiple Availability Zones (AWS) [Updated]
      • INFO: Updated the title.
    • P876: Auto Scaling Group Is Not Configured Correctly for Multiple Availability Zones (AWS) [Updated]
      • INFO: Updated the title.
  • T777: Use an approved Amazon Machine Image in Auto Scaling Launch Configuration (AWS) [Updated]
    • INFO: Updated the title.
    • I640: How to use an approved Amazon Machine Image in Auto Scaling Launch Configuration (AWS) [Updated]
      • INFO: Updated the title.
    • P877: An Approved Amazon Machine Image Is Not Used in Auto Scaling Launch Configuration (AWS) [Updated]
      • INFO: Updated the title and match conditions.
  • T779: Ensure Billing Alerts are enabled for increments of X spend (AWS) [Updated]
    • INFO: Updated the title.
    • I642: How to ensure Billing Alerts are enabled for increments of X spend (AWS) [Updated]
      • INFO: Updated the title.
    • P879: Billing Alerts are disabled for increments of X spend (AWS) [Updated]
      • INFO: Updated the title.
  • T780: Enable AWS Elastic Load Balancer logging (AWS) [Updated]
    • INFO: Updated the title.
    • I643: How to enable AWS Elastic Load Balancer logging (AWS) [Updated]
      • INFO: Updated the title.
    • P880: Inactive AWS Elastic Load Balancer logging (AWS) [Updated]
      • INFO: Updated the title.
  • T781: Enable AWS CloudFront Logging (AWS) [Updated]
    • INFO: Updated the title.
    • I644: How to enable AWS CloudFront Logging (AWS) [Updated]
      • INFO: Updated the title.
  • T782: Create CloudWatch Log Groups (AWS) [Updated]
    • INFO: Updated the title.
    • I645: How to create CloudWatch Log Groups (AWS) [Updated]
      • INFO: Updated the title.
    • P882: CloudWatch Log Groups have same settings (AWS) [Updated]
      • INFO: Updated the title.
  • T783: Install an agent for AWS CloudWatch Logs within required Auto-Scaling Groups (AWS) [Updated]
    • INFO: Updated the title.
    • I646: How to install an agent for AWS CloudWatch Logs within required Auto-Scaling Groups (AWS) [Updated]
      • INFO: Updated the title.
    • P883: Insufficient monitoring of AWS logs within required Auto-Scaling Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T784: Create required AWS Managed Config Rules (AWS) [Updated]
    • INFO: Updated the title.
    • I647: How to create required AWS Managed Config Rules (AWS) [Updated]
      • INFO: Updated the title.
    • P884: Failing to create required AWS Managed Config Rules (AWS) [Updated]
      • INFO: Updated the title.
  • T785: Use CloudFront Content Distribution Network (AWS) [Updated]
    • INFO: Updated the title.
    • I648: How to use CloudFront Content Distribution Network (AWS) [Updated]
      • INFO: Updated the title.
    • P885: Failing to use CloudFront Content Distribution Network (AWS) [Updated]
      • INFO: Updated the title.
  • T786: Create required subnets (AWS) [Updated]
    • INFO: Updated the title.
    • I649: How to create required subnets (AWS) [Updated]
      • INFO: Updated the title.
    • P886: Misconfiguration of VPCs and subnets (AWS) [Updated]
      • INFO: Updated the title.
  • T787: Create NAT gateways (AWS) [Updated]
    • INFO: Updated the title.
    • I650: How to create NAT gateways (AWS) [Updated]
      • INFO: Updated the title.
  • T789: Create and configure ELB Security Groups (AWS) [Updated]
    • INFO: Updated the title.
    • I652: How to create and configure ELB Security Groups (AWS) [Updated]
      • INFO: Updated the title.
    • P889: Misconfiguration of Security Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T790: Create and configure Security Groups (AWS) [Updated]
    • INFO: Updated the title.
    • I653: How to create and configure Security Groups (AWS) [Updated]
      • INFO: Updated the title.
    • P889: Misconfiguration of Security Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T791: Remove redundant Elastic / Public IP addresses (AWS) [Updated]
    • INFO: Updated the title.
    • I654: How to remove redundant Elastic / Public IP addresses (AWS) [Updated]
      • INFO: Updated the title.
    • P891: Redundant Elastic / Public IP addresses (AWS) [Updated]
      • INFO: Updated the title.
  • T792: Create required Customer Master Keys (AWS) [Updated]
    • INFO: Updated the title.
    • I655: How to create required Customer Master Keys (AWS) [Updated]
      • INFO: Updated the title.
    • P892: Lack of customer-managed Customer Master Keys (AWS) [Updated]
      • INFO: Updated the title.
  • T794: Extend all public Web-tier SSL/TLS certificates if required (AWS) [Updated]
    • INFO: Updated the title.
    • I657: How to extend all public Web-tier SSL/TLS certificates if required (AWS) [Updated]
      • INFO: Updated the title.
    • P894: Expired public SSL/TLS certificates (AWS) [Updated]
      • INFO: Updated the title.
  • T795: Configure CloudFront correctly (AWS) [Updated]
    • INFO: Updated the title.
    • I658: How to configure CloudFront correctly (AWS) [Updated]
      • INFO: Updated the title.
    • P895: Misconfiguration of CloudFront (AWS) [Updated]
      • INFO: Updated the title.
  • T796: Configure DNS for Root Domain (AWS) [Updated]
    • INFO: Updated the title.
    • I659: How to configure DNS for Root Domain (AWS) [Updated]
      • INFO: Updated the title.
    • P896: Misconfiguration of DNS for Root Domain (AWS) [Updated]
      • INFO: Updated the title.
  • T797: Make all RDS Databases private and ensure RDS instances are inside a VPC (AWS) [Updated]
    • INFO: Updated the title.
    • I660: How to make all RDS Databases private (AWS) [Updated]
      • INFO: Updated the title.
  • T798: Don't use the default VPC (AWS) [Updated]
    • INFO: Updated the title.
    • I661: How to change the default VPC (AWS) [Updated]
      • INFO: Updated the title.
    • P898: Using the default VPC (AWS) [Updated]
      • INFO: Updated the title.
  • T799: Test if the Relational Database Service is configured correctly (AWS) [Updated]
    • INFO: Updated the title.
  • T800: Test if the sensitive Elastic Block Storage volumes are encrypted (AWS) [Updated]
    • INFO: Updated the title.
    • P867: Encryption on the sensitive Elastic Block Storage volumes is disabled (AWS) [Updated]
      • INFO: Updated the title.
  • T801: Test if the sensitive Amazon Machine Images are shared publicly (AWS) [Updated]
    • INFO: Updated the title.
    • P868: Public Access to sensitive Amazon Machine Images (AWS) [Updated]
      • INFO: Updated the title and match conditions.
  • T802: Test if Web- and App-tier Elastic Load Balancing is correctly configured (AWS) [Updated]
    • INFO: Updated the title.
  • T803: Test if S3 buckets are configured correctly (AWS) [Updated]
    • INFO: Updated the title.
    • P870: Misconfiguring S3 buckets (AWS) [Updated]
      • INFO: Updated the title.
  • T804: Test if IAM roles and policies are created correctly for Amazon EC2 (AWS) [Updated]
    • INFO: Updated the title.
    • P871: IAM roles and policies are not created properly for Amazon EC2 (AWS) [Updated]
      • INFO: Updated the title.
  • T805: Test if Auto Scaling Group Launch is configured correctly (AWS) [Updated]
    • INFO: Updated the title.
    • P872: Auto Scaling Group Launch is not configured correctly (AWS) [Updated]
      • INFO: Updated the title.
  • T806: Test if separate IAM groups and policies are created for administration (AWS) [Updated]
    • INFO: Updated the title.
    • P873: No separate IAM groups and policies for administration (AWS) [Updated]
      • INFO: Updated the title.
  • T808: Test if an Elastic Load Balancer is associated to each sensitive Auto Scaling Group (AWS) [Updated]
    • INFO: Updated the title.
    • P875: An Elastic Load Balancer Is Not Associated to Each Sensitive Auto Scaling Group (AWS) [Updated]
      • INFO: Updated the title.
  • T809: Test if each Auto Scaling Group is configured for multiple Availability Zones (AWS) [Updated]
    • INFO: Updated the title.
    • P876: Auto Scaling Group Is Not Configured Correctly for Multiple Availability Zones (AWS) [Updated]
      • INFO: Updated the title.
  • T810: Test if an approved Amazon Machine Image is used in Auto Scaling Launch Configuration (AWS) [Updated]
    • INFO: Updated the title.
    • P877: An Approved Amazon Machine Image Is Not Used in Auto Scaling Launch Configuration (AWS) [Updated]
      • INFO: Updated the title and match conditions.
  • T812: Test if Billing Alerts are enabled for increments of X spend (AWS) [Updated]
    • INFO: Updated the title.
    • P879: Billing Alerts are disabled for increments of X spend (AWS) [Updated]
      • INFO: Updated the title.
  • T813: Test that AWS Elastic Load Balancer logging is enabled (AWS) [Updated]
    • INFO: Updated the title.
    • P880: Inactive AWS Elastic Load Balancer logging (AWS) [Updated]
      • INFO: Updated the title.
  • T814: Test that AWS CloudFront Logging is enabled (AWS) [Updated]
    • INFO: Updated the title.
  • T815: Test that CloudWatch Log Groups are created (AWS) [Updated]
    • INFO: Updated the title.
    • P882: CloudWatch Log Groups have same settings (AWS) [Updated]
      • INFO: Updated the title.
  • T816: Test that AWS CloudWatch Logs agent is installed within required Auto-Scaling Groups (AWS) [Updated]
    • INFO: Updated the title.
    • P883: Insufficient monitoring of AWS logs within required Auto-Scaling Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T817: Test for required AWS Managed Config Rules (AWS) [Updated]
    • INFO: Updated the title.
    • P884: Failing to create required AWS Managed Config Rules (AWS) [Updated]
      • INFO: Updated the title.
  • T818: Test that CloudFront Content Distribution Network is used (AWS) [Updated]
    • INFO: Updated the title.
    • P885: Failing to use CloudFront Content Distribution Network (AWS) [Updated]
      • INFO: Updated the title.
  • T819: Test the configuration of VPCs and subnets (AWS) [Updated]
    • INFO: Updated the title.
    • P886: Misconfiguration of VPCs and subnets (AWS) [Updated]
      • INFO: Updated the title.
  • T822: Test the configuration of ELB Security Groups (AWS) [Updated]
    • INFO: Updated the title.
    • P889: Misconfiguration of Security Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T823: Test the configuration of Security Groups (AWS) [Updated]
    • INFO: Updated the title.
    • P889: Misconfiguration of Security Groups (AWS) [Updated]
      • INFO: Updated the title.
  • T824: Test that redundant Elastic / Public IP addresses are removed (AWS) [Updated]
    • INFO: Updated the title.
    • P891: Redundant Elastic / Public IP addresses (AWS) [Updated]
      • INFO: Updated the title.
  • T825: Test that required Customer Master Keys are created (AWS) [Updated]
    • INFO: Updated the title.
    • P892: Lack of customer-managed Customer Master Keys (AWS) [Updated]
      • INFO: Updated the title.
  • T827: Test that public Web-tier SSL/TLS certificates are more than 30 days from expiration (AWS) [Updated]
    • INFO: Updated the title.
    • P894: Expired public SSL/TLS certificates (AWS) [Updated]
      • INFO: Updated the title.
  • T828: Test that CloudFront is configured correctly (AWS) [Updated]
    • INFO: Updated the title.
    • P895: Misconfiguration of CloudFront (AWS) [Updated]
      • INFO: Updated the title.
  • T829: Test that DNS for Root Domain is configured correctly (AWS) [Updated]
    • INFO: Updated the title.
    • P896: Misconfiguration of DNS for Root Domain (AWS) [Updated]
      • INFO: Updated the title.
  • T830: Test that RDS Databases are not publicly accessible and are defined in a VPC (AWS) [Updated]
    • INFO: Updated the title.
  • T831: Verify that the default VPC is not used (AWS) [Updated]
    • INFO: Updated the title.
    • P898: Using the default VPC (AWS) [Updated]
      • INFO: Updated the title.
  • T837: Adhere to HTTP DNT header [Updated]
    • INFO: Updated the priority.
  • T839: Follow best practices for securely using Android autofill framework
    • TA3199: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T856: Keep your web server separate from other services
    • TA3201: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T858: Use the vendor supplied version of binaries
    • TA3203: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T859: Minimize Apache HTTP Server modules (Apache HTTP Server)
    • TA3204: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T861: Set up a non-root user account for running the Apache Web server (Apache HTTP Server)
    • TA3206: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T863: Secure Apache directories and files (Apache HTTP Server)
    • TA3208: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T865: Secure Apache access control (Apache HTTP Server)
    • TA3210: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T867: Restrict Apache options and disable default content (Apache HTTP Server)
    • TA3212: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T871: Log Apache errors and access (Apache HTTP Server)
    • TA3214: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T873: Apply applicable patches (Apache HTTP Server)
    • TA3216: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T875: Secure Apache SSL/TLS (Apache HTTP Server)
    • TA3218: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T877: Limit information exposed by Apache (Apache HTTP Server)
    • TA3220: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T879: Protect Apache against DoS attacks (Apache HTTP Server)
    • TA3222: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T890: Limit the size of Apache's request parameters (Apache HTTP Server)
    • TA3224: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T893: Configure AppArmor to restrict Apache processes (Apache HTTP Server)
    • TA3226: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T898: Create bastion hosts for administrative access to the resources (AWS)
    • TA3228: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T900: Seek user consent before updating your application or installing other software in the background
    • TA3230: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T905: Configure application pools securely (Microsoft IIS)
    • TA3232: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T906: Set 'global authorization rule' to restrict access (Microsoft IIS)
    • TA3233: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T908: Require SSL/TLS for 'forms authentication' (Microsoft IIS)
    • TA3234: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T910: Configure transport layer security for 'basic authentication' (Microsoft IIS)
    • TA3235: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T913: Ensure HTTP detailed errors are hidden from displaying remotely (Microsoft IIS)
    • TA3236: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T914: Ensure cookies are set with HttpOnly attribute (Microsoft IIS)
    • TA3237: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T916: Ensure global .NET trust level is configured securely (Microsoft IIS)
    • TA3238: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T919: Do not allow unlisted file extensions (Microsoft IIS)
    • TA3239: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T923: Configure logging securely on Microsoft IIS (Microsoft IIS)
    • TA3240: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T925: Configure TLS/SSL securely for Microsoft IIS (Microsoft IIS)
    • TA3241: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T926: Use cookies for forms authentication (Microsoft IIS)
    • TA3242: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T927: Do not store 'credentials' in configuration files (Microsoft IIS)
    • TA3243: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T929: Ensure custom error messages are not off (Microsoft IIS)
    • TA3244: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T931: Ensure httpcookie mode is configured for session state (Microsoft IIS)
    • TA3245: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T971: Protect the Shutdown Port (Apache Tomcat)
    • TA3260: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T972: Apply access restrictions in Tomcat configurations (Apache Tomcat)
    • TA3261: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T973: Accurately set scheme (Apache Tomcat)
    • TA3262: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T974: Restrict runtime access to sensitive packages (Apache Tomcat)
    • TA3263: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T978: Do not run applications as privileged (Apache Tomcat)
    • TA3264: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T983: Force TLS for manager application (Apache Tomcat)
    • TA3265: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T984: Enable strict servlet compliance (Apache Tomcat)
    • TA3266: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T989: Setup Client-cert Authentication (Apache Tomcat)
    • TA3267: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T991: Configure connectionTimeout (Apache Tomcat)
    • TA3268: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T993: Force TLS for all applications (Apache Tomcat)
    • TA3269: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1027: Configure TLS/SSL securely (Apache Tomcat)
    • TA3280: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1028: Log sufficiently and protect logs (Apache Tomcat)
    • TA3281: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1041: Enable multi-factor authentication (Microsoft Azure)
    • TA3284: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1055: Update VMs (Microsoft Azure)
    • TA3286: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1057: Enable disk and storage encryption (Microsoft Azure)
    • TA3288: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1065: Enable data encryption in transit (Microsoft Azure)
    • TA3290: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1077: Log critical events (Microsoft Azure)
    • TA3292: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1083: Disable non-required user capabilities (Microsoft Azure)
    • TA3294: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1092: Do not store sensitive cleartext information in cookies
    • TA3296: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1094: Place MySQL data and logs on non-system partitions (MySQL)
    • TA3298: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1096: Keep MySQL separate from other services (MySQL)
    • TA3300: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1102: Securely set file and directory permissions (MySQL)
    • TA3302: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1104: Apply the latest security patches (MySQL)
    • TA3304: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1108: Ensure that password policy is in place (MySQL)
    • TA3306: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1116: Drop the default 'test' database (MySQL)
    • TA3308: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1126: Log errors and critical events (MySQL)
    • TA3310: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1128: Ensure raw logging of password is disabled (MySQL)
    • TA3312: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1132: Set up SSL/TLS properly (MySQL)
    • TA3314: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1146: Enable DEP and ASLR on your server
    • TA3316: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1148: Validate JSON files
    • TA3318: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1166: Encrypt data exchanged between containers on different nodes on the overlay network (Docker)
    • TA3320: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1172: Secure daemon configuration files (Docker)
    • TA3322: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1176: Use trusted base images and include the latest security patches (Docker)
    • TA3324: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1188: Configure Linux Security Modules (Docker)
    • TA3326: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1214: Restrict containers from acquiring additional privileges (Docker)
    • TA3328: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1224: Use authorization plugin (Docker)
    • TA3330: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1252: Configure logs securely (Kubernetes)
    • TA3332: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1266: Set permissions for sensitive files properly (Kubernetes)
    • TA3336: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1272: Create administrative boundaries between resources using namespaces (Kubernetes)
    • TA3338: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1290: Apply security context to your pods and containers (Kubernetes)
    • TA3340: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1342: Enable automatic node repair and upgrades for Kubernetes clusters (Google Cloud)
    • TA3352: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1346: Ensure Kubernetes clusters are created with Alias IP ranges enabled (Google Cloud)
    • TA3354: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1348: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Google Cloud)
    • TA3356: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1362: Perform message throttling in Web APIs
    • TA3360: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1367: Identify and classify critical assets
    • TA3363: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1368: Perform security testing using SAST tools
    • TA3364: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1369: Perform security testing using DAST tools
    • TA3365: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1370: Identify and track common software weaknesses and threats
    • TA6237: Establish a vulnerability disclosure program (NIST-SSDF) [Added]
    • TA3366: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1371: Use a software security management solution to select and track security controls
    • TA3367: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1372: Follow software change management process
    • TA3368: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1373: Maintain the integrity of all software code
    • TA3369: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1374: Ensure the integrity of software release and update delivery
    • TA6235: Securely archive necessary files and other data to be retained for each software release (NIST-SSDF) [Added]
  • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
    • TA3370: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
    • TA3371: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1378: Release a change summary for each software update
    • TA3372: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1380: Enforce secure user registration and access control
    • TA3373: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1382: Manage performance and capacity
    • TA3374: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1383: Separate development, test, and operational environments [Updated]
    • INFO: Updated the text.
    • TA3375: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1384: Back up and restore securely
    • TA3376: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1385: Institute secure logging and event monitoring
    • TA3377: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • TA3378: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1389: Perform penetration testing
    • TA3379: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1397: Use the most recent service packs and hotfixes (Microsoft SQL Server)
    • TA3380: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1417: Disable 'Trustworthy' database option (Microsoft SQL Server)
    • TA3382: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1451: Maintain audit logs for all database activities (Microsoft SQL Server)
    • TA3384: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1453: Validate user input before transmitting it to the SQL server (Microsoft SQL Server)
    • TA3386: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1457: Use a strong symmetric key encryption algorithm (Microsoft SQL Server)
    • TA3388: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1459: Use asymmetric keys of at least 2048-bit long (Microsoft SQL Server)
    • TA3390: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1465: Decide how to handle sessions/authorization state in your Angular application (Angular)
    • TA3392: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1466: Restrict sending of authorization state to approved origins in Angular (Angular)
    • TA3393: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1468: Encrypt sensitive data at rest in the browser
    • TA3395: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1469: Prevent sensitive data leakage through Content Security Policy (CSP) reports
    • TA3396: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1538: Avoid DOM-based Cross-Site Scripting (XSS) in Angular applications (Angular)
    • TA3397: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1539: Clear browser data on user logout
    • TA3398: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1541: Decide on the best CSRF defense for your application
    • TA3400: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1542: Use the correct HTTP methods for making state-changing operations
    • TA3401: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1543: Leverage origin isolation for compartmentalization
    • TA3402: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1544: Isolate untrusted content in a sandbox
    • TA3403: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1613: Use latest versions and patches (Oracle Database)
    • TA3404: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1615: Keep passwords secure (Oracle Database)
    • TA3406: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1617: Remove all sample data and sample schemas (Oracle Database)
    • TA3408: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1619: Keep audit parameters enabled at all times (Oracle Database)
    • TA3410: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1639: Maintain server logs for bad packets received from the client (Oracle Database)
    • TA3412: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1649: Lock out accounts after 5 unsuccessful attempts (Oracle Database)
    • TA3414: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1651: Accounts must be unlocked automatically after a period of time (Oracle Database)
    • TA3416: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1655: Limit the number of sessions per user (Oracle Database)
    • TA3418: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1659: Revoke excessive system privileges from unauthorized users (Oracle Database)
    • TA3420: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1673: All traditional audit options must be enabled at all times (Oracle Database)
    • TA3422: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1733: Enable all unified audit options (Oracle Database)
    • TA3424: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1878: Grant minimal IAM permissions (especially to Lambda functions) (AWS)
    • TA3426: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1881: Mitigate the risk of uncontrolled data harvesting
    • TA3427: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1885: Ensure Lambda functions handle input safely (AWS)
    • TA3429: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1887: Decide on the right OAuth 2.0 flow for your application
    • TA3430: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1888: Decide on the right OpenID Connect flow for your application
    • TA3431: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1892: Perform a Threat and Risk Assessment (TRA) [Updated]
    • INFO: Updated the text.
    • TA3432: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1897: Encrypt SQS queue messages (AWS)
    • TA3433: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1899: Do not allow unauthorized access to SQS queues (AWS)
    • TA3435: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1903: Enforce Network ACLs for RDS (AWS)
    • TA3437: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1906: Enforce authentication on your relational database services (AWS)
    • TA3438: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1919: Use JSON Web Token (JWT) securely
    • TA3440: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T1920: Conduct security architecture and design reviews before starting code development
    • TA6236: Review the software design (NIST-SSDF) [Added]
  • T1947: Configure auditing properly on the API server (OpenShift)
    • TA3441: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2037: Set root filesystems to be read-only (Amazon ECS)
    • TA3443: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2038: Apply resource limits on containers (Amazon ECS)
    • TA3444: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2040: Ensure host operating systems are up to date (Amazon ECS)
    • TA3445: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2044: Utilize AWS parameter store for sensitive data storage (Amazon ECS)
    • TA3446: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2047: Attach IAM policies to DynamoDB resources (Amazon DynamoDB)
    • TA3447: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2059: Enable App Service authentication and identity management (Microsoft Azure)
    • TA3448: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2067: Use the latest version of software on App Service (Microsoft Azure)
    • TA3450: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2071: Enable logging of important PostgreSQL security events (Microsoft Azure)
    • TA3452: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2111: Set the 'Per-User Session Limit' to a value of '3' or lower (Docker)
    • TA3454: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2113: Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Docker)
    • TA3456: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2118: Exercise security monitoring best practices in Microservices environments
    • TA3458: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2121: Exercise security best practices for service rate limiting in Microservices environments [Updated]
    • INFO: Updated the text.
    • TA3459: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2122: Update Android Security Provider
    • TA3460: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2125: Exercise security strategies for handling session persistence
    • TA3462: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2128: Develop a process to notify users and regulators of breaches of personal information
    • TA3463: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2130: Exercise best practices for securing microservices communication
    • TA3464: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2133: Protect the security of data in iOS
    • TA3465: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2134: Compile iOS applications with PIE and ARC flags
    • TA3466: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2141: Perform function level authorization in API
    • TA3467: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2144: Implement CAN bus protocol properly (Connected Cars)
    • P1548: Poor implementation of CAN bus protocol (Connected Cars) [Updated]
      • INFO: Updated the match conditions.
  • T2145: Enable gRPC Server-Client Certificate Authentication (.NET Core 3) [Updated]
    • INFO: Updated the title and text.
  • T2149: Perform security checks before external infotainment communication (Connected Cars)
    • TA3469: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2154: Validate all YAML input
    • TA3471: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2155: Follow security best practices for YAML parsers
    • TA3472: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2161: Ensure the cloud management interface is secured properly (Cloud)
    • TA3473: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2162: Prevent malicious insider risks and privileged user abuse in cloud providers (Cloud)
    • TA3474: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2165: Ensure security governance when outsourcing to cloud providers (Cloud)
    • TA6231: Use official cloud providers (Terraform) [Added]
    • TA3475: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2166: Ensure business continuity over cloud services (Cloud)
    • TA3476: ASD-STIG requirements [Updated]
      • INFO: Updated the title.
  • T2175: Provide documentation for design (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
    • P1573: Missing documentation for design (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2180: Review Access Control Policy (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2189: Prevent Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2201: Enforce physical access control (Hardware/Firmware) [Updated]
    • INFO: Updated the title and text.
    • P1599: Improper physical access control (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2203: Ensure a policy that prevents the use of obsolete encoding (Hardware/Firmware) [Updated]
    • INFO: Updated the title and text.
    • P1601: Policy uses obsolete encoding (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2204: Enforce policy privilege assignments consistently between control and data agents (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
    • P1602: Policy privileges are not assigned consistently between control and data agents (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2205: Prevent a product being released in non-release configuration (Hardware/Firmware) [Updated]
    • INFO: Updated the title and text.
    • P1603: Product released in non-release configuration (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2206: Prevent the generation of incorrect security tokens (Hardware/Firmware) [Updated]
    • INFO: Updated the title and text.
    • P1604: Generation of incorrect security tokens (Hardware/Firmware) [Updated]
      • INFO: Updated the text.
  • T2211: Include a firmware update mechanism/feature (Hardware/Firmware) [Updated]
    • INFO: Updated the title and text.
    • P1609: Firmware cannot be updated (Hardware/Firmware) [Updated]
      • INFO: Updated the title and text.
  • T2278: Test to confirm that different rules for access to the system are enforced based on the origin, type, and medium of the request
    • TA5449: ISASecure SSA 311 requirements: Levels (3, 4) [Updated]
      • INFO: Updated the text.
  • T2286: Configure a secure user authentication (Cloud) (1/2) [Updated]
    • INFO: Updated the title.
  • T2287: Configure a secure user authorization (Cloud) (1/2) [Updated]
    • INFO: Updated the title.
  • T2288: Design a secure application architecture for the cloud environment (Cloud) (1/2) [Updated]
    • INFO: Updated the title.
  • T2289: Secure network access control (Cloud) (1/4) [Updated]
    • INFO: Updated the title.
  • T2290: Secure data in transit (Cloud) (1/2) [Updated]
    • INFO: Updated the title.
  • T2292: Protect data at rest (Cloud) (1/3) [Updated]
    • INFO: Updated the title.
  • T2293: Enable logging and protect log files in your cloud environment (Cloud) (1/4) [Updated]
    • INFO: Updated the title.
  • T2294: Enable logs and configuration monitoring in your cloud environment (Cloud) (1/4) [Updated]
    • INFO: Updated the title.
  • T2305: Verify that logging is enabled and log files are protected (Cloud) (1/2) [Updated]
    • INFO: Updated the title.
  • T2306: Verify that log monitoring and configuration monitoring are enabled (Cloud) (1/3) [Updated]
    • INFO: Updated the title.
  • T2310: Implement proper authentication and authorization (Containerization) (1/2) [Updated]
    • INFO: Updated the title.
  • T2315: Use managed services (Containerization) [Updated]
    • INFO: Updated the text.
  • T2335: Securely automate your infrastructure provisioning process (Terraform) [Added]
    • P1678: Unsafe infrastructure as a code(IaC) process [Added]
  • T2336: Use a remote backend to securely store your infrastructure state (Terraform) [Added]
    • P1679: Unsafe state of infrastructure as a code(IaC) [Added]
    • I1784: Configure a remote backend (Terraform) [Added]
  • T2337: Keep your infrastructure state secure (Terraform) [Added]
    • P1679: Unsafe state of infrastructure as a code(IaC) [Added]
  • T2338: Protect your credentials (Terraform) [Added]
    • I1785: Use a secret manager (Terraform) [Added]
    • I1786: Use dynamically generated, short-lived credentials (Terraform) [Added]
    • I1791: Setting and retrieving credentials in Terraform [Added]
  • T2339: Restrict direct access to your cloud provider (Terraform) [Added]
    • P1678: Unsafe infrastructure as a code(IaC) process [Added]
  • T2340: Use Terraform Teams to implement role-based security (Terraform) [Added]
    • P1679: Unsafe state of infrastructure as a code(IaC) [Added]
  • T2341: Catch common security mistakes with a linter (Terraform) [Added]
    • P1679: Unsafe state of infrastructure as a code(IaC) [Added]
  • T2342: Improve your security posture with Sentinel policies (Terraform) [Added]
    • P1679: Unsafe state of infrastructure as a code(IaC) [Added]
    • I1788: A sample Sentinel policy [Added]
    • I1789: Use the Sentinel CLI to test policies [Added]
    • I1790: Apply Sentinel policies in your Terraform workflow [Added]
    • TA6233: Implement CIS Benchmarks with the Terraform Foundational Policy Library (Sentinel) [Added]
  • T2343: Implement SSDF-related roles and responsibilities (NIST-SSDF) [Added]
    • P1680: Lack of defining proper SSDF roles and responsibilities [Added]
  • T2344: Implement and augment supporting toolchains by automating SDLC security activities [Added]
    • P1681: Lack of automation and implementation of supporting toolchains [Added]
  • T2345: Define and implement criteria for software security checks [Added]
    • P1682: Lack of proper criteria for software security checks [Added]
  • T2346: Establish an organization-wide software and code repository [Added]
    • P1683: Lack of organization-wide software and code repository [Added]
  • T2347: Configure the Integrated Development Environment, Compilation, Interpreter, and Build Processes [Added]
    • P1684: Lack of proper integration of the development environment and tools [Added]
  • T2348: Perform code reviews [Added]
    • P1685: Lack of proper code reviews [Added]
  • T2349: Configure software to have secure settings by default [Added]
    • P1686: Lack of secure default settings [Added]
  • T2350: Create a Product Security Incident Response Team (PSIRT) [Added]
    • P1687: Lack of a Product Security Incident Response Team (PSIRT) [Added]
  • T2351: Verify that SSDF-related roles and responsibilities are properly defined and assigned (NIST-SSDF) [Added]
    • P1680: Lack of defining proper SSDF roles and responsibilities [Added]
  • T2352: Verify that supporting toolchains are properly implemented [Added]
    • P1681: Lack of automation and implementation of supporting toolchains [Added]
  • T2353: Verify that proper criteria for software security checks are defined and implemented [Added]
    • P1682: Lack of proper criteria for software security checks [Added]
  • T2354: Verify that an organization-wide software and code repository is established and used [Added]
    • P1683: Lack of organization-wide software and code repository [Added]
  • T2355: Verify that the IDE, compiler, interpreter, and build processes are configured securely [Added]
    • P1684: Lack of proper integration of the development environment and tools [Added]
  • T2356: Verify that code reviews are performed properly [Added]
    • P1685: Lack of proper code reviews [Added]
  • T2357: Verify that software is configured to have secure settings by default [Added]
    • P1686: Lack of secure default settings [Added]
  • T2358: Verify that the organization has a Product Security Incident Response Team (PSIRT) [Added]
    • P1687: Lack of a Product Security Incident Response Team (PSIRT) [Added]
  • T2359: Configure a secure user authentication (Cloud) (2/2) [Added]
    • TA5646: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.19) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6062: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6066: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6072: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6082: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.12) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6084: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.13) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6086: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.14) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6088: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.15) [Updated]
      • INFO: Updated the inclusion standard.
    • I1520: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.19) [Updated]
      • INFO: Updated the inclusion standard.
    • I1702: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1704: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1707: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1712: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.12) [Updated]
      • INFO: Updated the inclusion standard.
    • I1713: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.13) [Updated]
      • INFO: Updated the inclusion standard.
    • I1714: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.14) [Updated]
      • INFO: Updated the inclusion standard.
    • I1715: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.15) [Updated]
      • INFO: Updated the inclusion standard.
  • T2360: Configure a secure user authorization (Cloud) (2/2) [Added]
    • TA5770: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5772: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5774: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5776: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5778: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6068: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6070: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1582: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1583: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1584: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1585: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1586: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1705: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1706: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.6) [Updated]
      • INFO: Updated the inclusion standard.
  • T2361: Design a secure application architecture for the cloud environment (Cloud) (2/2) [Added]
    • TA5850: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5854: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5856: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5858: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5860: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5862: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5864: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5908: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.32) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5910: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.33) [Updated]
      • INFO: Updated the inclusion standard.
    • I1622: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1624: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1625: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1626: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1627: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1628: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1629: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1651: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.32) [Updated]
      • INFO: Updated the inclusion standard.
    • I1652: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.33) [Updated]
      • INFO: Updated the inclusion standard.
  • T2362: Secure network access control (Cloud) (2/4) [Added]
    • TA5878: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.17) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5888: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.22) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5890: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.23) [Updated]
      • INFO: Updated the inclusion standard.
    • I1636: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.17) [Updated]
      • INFO: Updated the inclusion standard.
    • I1641: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.22) [Updated]
      • INFO: Updated the inclusion standard.
    • I1642: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.23) [Updated]
      • INFO: Updated the inclusion standard.
  • T2363: Secure network access control (Cloud) (3/4) [Added]
    • TA5892: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.24) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5894: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.25) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5896: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.26) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5898: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.27) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5900: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.28) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5902: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.29) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5904: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.30) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5906: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.31) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5912: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.34) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6114: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6116: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6118: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6120: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1643: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.24) [Updated]
      • INFO: Updated the inclusion standard.
    • I1644: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.25) [Updated]
      • INFO: Updated the inclusion standard.
    • I1645: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.26) [Updated]
      • INFO: Updated the inclusion standard.
    • I1646: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.27) [Updated]
      • INFO: Updated the inclusion standard.
    • I1647: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.28) [Updated]
      • INFO: Updated the inclusion standard.
    • I1648: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.29) [Updated]
      • INFO: Updated the inclusion standard.
    • I1649: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.30) [Updated]
      • INFO: Updated the inclusion standard.
    • I1650: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.31) [Updated]
      • INFO: Updated the inclusion standard.
    • I1653: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.34) [Updated]
      • INFO: Updated the inclusion standard.
    • I1728: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1729: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1730: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1731: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.4) [Updated]
      • INFO: Updated the inclusion standard.
  • T2364: Secure network access control (Cloud) (4/4) [Added]
    • TA6122: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6124: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6126: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6128: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6130: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6132: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6150: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6206: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6214: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6216: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1732: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1733: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1734: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1735: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1736: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1737: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1746: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1774: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1778: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1779: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.6) [Updated]
      • INFO: Updated the inclusion standard.
  • T2365: Secure data in transit (Cloud) (2/2) [Added]
    • TA5886: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.21) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6152: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6212: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1640: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.21) [Updated]
      • INFO: Updated the inclusion standard.
    • I1747: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1777: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.4) [Updated]
      • INFO: Updated the inclusion standard.
  • T2366: Protect data at rest (Cloud) (2/3) [Added]
    • TA5736: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5744: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5756: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.16) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5840: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5842: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6146: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6154: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6156: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6158: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 5.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6162: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1565: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1569: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1575: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.16) [Updated]
      • INFO: Updated the inclusion standard.
    • I1617: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1618: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1744: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1748: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1749: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1750: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 5.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1752: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.2) [Updated]
      • INFO: Updated the inclusion standard.
  • T2367: Protect data at rest (Cloud) (3/3) [Added]
    • TA6164: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6198: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6200: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6202: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6204: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6208: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6210: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6218: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6220: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 7.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6222: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1753: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1770: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1771: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1772: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1773: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1775: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1776: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1780: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1781: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 7.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1782: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.2) [Updated]
      • INFO: Updated the inclusion standard.
  • T2368: Enable logging and protect log files in your cloud environment (Cloud) (2/4) [Added]
    • TA5810: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5816: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5818: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5822: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5824: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1602: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1605: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1606: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1608: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1609: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.2) [Updated]
      • INFO: Updated the inclusion standard.
  • T2369: Enable logging and protect log files in your cloud environment (Cloud) (3/4) [Added]
    • TA5826: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5828: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5830: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5832: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5834: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5836: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5838: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6090: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6092: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6094: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6166: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1610: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1611: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1612: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1613: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1614: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1615: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1616: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1716: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1717: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1718: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1754: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.1) [Updated]
      • INFO: Updated the inclusion standard.
  • T2370: Enable logging and protect log files in your cloud environment (Cloud) (4/4) [Added]
    • TA6232: Monitor the audit logs for problems (Terraform) [Added]
    • TA6170: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6172: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6174: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6176: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6178: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6180: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6190: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6192: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6194: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6196: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Updated]
      • INFO: Updated the inclusion standard.
    • I1756: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1757: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1758: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1759: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1760: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1761: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1766: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Updated]
      • INFO: Updated the inclusion standard.
    • I1767: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Updated]
      • INFO: Updated the inclusion standard.
    • I1768: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Updated]
      • INFO: Updated the inclusion standard.
    • I1769: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Updated]
      • INFO: Updated the inclusion standard.
  • T2371: Enable logs and configuration monitoring in your cloud environment (Cloud) (2/4) [Added]
    • TA5704: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5706: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5708: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5710: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5712: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5714: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5716: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Updated]
      • INFO: Updated the inclusion standard.
    • I1549: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1550: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1551: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1552: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Updated]
      • INFO: Updated the inclusion standard.
    • I1553: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Updated]
      • INFO: Updated the inclusion standard.
    • I1554: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Updated]
      • INFO: Updated the inclusion standard.
    • I1555: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Updated]
      • INFO: Updated the inclusion standard.
  • T2372: Enable logs and configuration monitoring in your cloud environment (Cloud) (3/4) [Added]
    • TA5812: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5814: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5820: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6096: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6098: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6100: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6102: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6104: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1603: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1604: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1607: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Updated]
      • INFO: Updated the inclusion standard.
    • I1719: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • I1720: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • I1721: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1722: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • I1723: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Updated]
      • INFO: Updated the inclusion standard.
  • T2373: Enable logs and configuration monitoring in your cloud environment (Cloud) (4/4) [Added]
    • TA6106: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6108: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6110: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6112: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6168: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6182: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6184: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6186: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6188: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Updated]
      • INFO: Updated the inclusion standard.
    • I1724: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1725: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1726: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1727: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Updated]
      • INFO: Updated the inclusion standard.
    • I1755: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • I1762: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1763: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • I1764: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • I1765: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Updated]
      • INFO: Updated the inclusion standard.
  • T2374: Verify that logging is enabled and log files are protected (Cloud) (2/2) [Added]
    • TA6179: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6181: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6191: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6193: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6195: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6197: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Updated]
      • INFO: Updated the inclusion standard.
  • T2375: Verify that log monitoring and configuration monitoring are enabled (Cloud) (2/3) [Added]
    • TA5711: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5713: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5715: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Updated]
      • INFO: Updated the inclusion standard.
  • T2376: Verify that log monitoring and configuration monitoring are enabled (Cloud) (3/3) [Added]
    • TA5717: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5813: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5815: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA5821: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6097: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6099: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6101: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6103: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6105: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6107: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6109: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6111: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6113: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6169: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6183: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6185: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6187: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6189: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Updated]
      • INFO: Updated the inclusion standard.
  • T2377: Implement proper authentication and authorization (Containerization) (2/2) [Added]

    • TA6027: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6037: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6039: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6051: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • TA6056: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1682: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Updated]
      • INFO: Updated the inclusion standard.
    • I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Updated]
      • INFO: Updated the inclusion standard.
    • I1684: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Updated]
      • INFO: Updated the inclusion standard.
    • I1685: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Updated]
      • INFO: Updated the inclusion standard.
    • I1686: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Updated]
      • INFO: Updated the inclusion standard.
  • Changes to Project Properties and Profiles

    • Q206: Privacy
      • Q160: Handles Personal Data
        • Q224: Privacy Regulations
          • A1255: California Civil Code (CCPA and CPRA) [Updated]
            • INFO: Updated the text and description.
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • A1159: Amazon Web Services (AWS) Content (Not Story-driven) [Updated]
          • INFO: Updated the text and description.
        • A1212: Google Cloud Content (Not Story-driven) [Updated]
          • INFO: Updated the text and description.
        • A1333: New Amazon Web Services (AWS) Content (Story-driven) [Updated]
          • INFO: Updated the text.
        • A1336: New Google Cloud Content (Story-driven) [Updated]
          • INFO: Updated the text.
    • Q299: General
      • Q346: IaC Tools [Added]
        • A1338: Terraform [Added]
    • Q331: US Federal and NIST
      • Q347: In-Scope for NIST SSDF compliance [Added]
        • A1339: Yes [Added]
  • New Just-in-Time Training

    • Defending PHP (37)
    • Defending JavaScript (24)
    • OWASP Top 10 (42)
    • OAuth Security Fundamentals (20)
    • Defending Angular (27)
    • OpSec Fundamentals (25)

5.20

April 2, 2022

New features and enhancements

  • Integrations

    • Jira Authentication
      • Introduced a new Authentication type within the Jira Global Connector that allows users to create a uniquely generated Personal Access Token (PAT) as an alternative to a username and password.
  • Reporting

    • The Training Report CSV Export now includes a column for Completed Date.
  • Verification

    • Changed the global verification behavior when setting up scan results to 'Merge'.
      • The original treatment was regardless of the behavior selected, it would always update the SD Elements Task completion status based on the last scanning build report that occurred.
      • The new treatment will now make a calculated decision based on the scanning reports, depending on the behavior selected (Merge) prior to updating the SD Elements Task status.
  • Task searching

    • Migrated Tasks to a new search architecture, with the following improvements:
      • Tasks are now indexed in real time
      • Customized content is now indexed more accurately
      • All Tasks contained within a project are now included in search results, including those that are deactivated in the Library.
      • Deactivated Amendments no longer influence search results

Other product improvements

  • Fixed a bug on the Twistlock Integration where it was defaulting unknown severities as medium on SD Elements.

  • Remote Integration Agent (RIA)

    • Deprecated Python 3.6 on RIA Linux. The default download will be now Python 3.8.

Content improvements summary

Privacy Content

  • Improved the privacy content and added the controller/processor responsibilities for some tasks.

CIS Google Cloud Platform Foundation v1.2.0

  • Added Additional Requirements for Google Cloud content under generic cloud Tasks. These Additional Requirements are based on CIS Benchmarks for Google Cloud Platform Foundations v1.2.0.
  • Outdated Google Cloud content will be deprecated in a future release and has been assigned the match condition ("Applicable When" rule) of "Deprecated Google Cloud Content".

Content additions and updates (as of March 1, 2022):

  • Compliance Regulations and Mappings

    • CIS Google Cloud Platform Foundation
  • T154: Do not store or cache credit card information on client [Updated]

    • Updated text to improve the quality of the content.
  • T177: Allow users to review and update their personal information [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T178: Obtain consent from users prior to collecting personal information [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T179: Allow access for users to remove their personal information from the system [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T194: Obtain user consent for tracking cookies [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
    • P732: Insufficient consent for user tracking [Updated]
      • Updated the text to cover the GPC header
  • T195: Design lawful procedures to obtain consent for processing personal information and to withdraw it when requested [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T347: Fail to a known state with predefined outputs [Updated]
    • Updated text to improve the quality of the content.
  • T509: Protect the integrity of Hypercat catalogues and resources [Updated]
    • Updated text to improve the quality of the content.
  • T521: Protect the ZigBee network infrastructure with a Network Key [Updated]
    • Updated text to improve the quality of the content.
  • T544: Anonymize (de-identify) identifying information before using it for a secondary purpose [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T604: Implement a consent withdrawal mechanism [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T607: Develop automated tools/settings for destroying personal information when it is no longer needed [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T738: Determine the legal basis for transferring personal information [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
    • TA6226: Perform a Transfer Impact Assessment [Added]
    • TA6227: Schrems II Requirements [Added]
  • T740: Provide personal information and its processing information to users in an appropriate format [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T744: Protect pseudonymized personal information [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T751: Provide users with a notification of personal information processing [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T754: Enable the restriction of processing personal information of an individual for a specific purpose [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T837: Adhere to HTTP DNT header
    • P732: Insufficient consent for user tracking [Updated]
      • Updated the text to cover the GPC header
  • T838: Test if your application adheres to HTTP DNT header
    • P732: Insufficient consent for user tracking [Updated]
      • Updated the text to cover the GPC header
  • T959: Verify if TLS/SSL is securely configured for Microsoft IIS (Microsoft IIS) [Updated]
    • Updated the text
  • T1300: Enable multi-factor authentication for all non-service accounts (Google Cloud)
    • TA3342: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1310: Include sufficient information in the log files (Google Cloud)
    • TA3344: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1312: Version and backup logs (Google Cloud)
    • TA3346: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1314: Create log metric filters and alerts (Google Cloud)
    • TA3348: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1328: Configure cloud SQL database instance to require all incoming connections to use TLS (Google Cloud)
    • TA3350: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1356: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) (Google Cloud)
    • TA3358: ASD-STIG requirements [Updated]
      • Updated the title.
  • T1997: Manage image provenance using image controller configuration parameters (OpenShift) [Updated]
    • Updated the title.
  • T2128: Develop a process to notify users and regulators of breaches of personal information [Updated]
    • Updated text to cover the responsibilities of the controllers and processors
  • T2173: Ensure the expected behavior is implemented (Hardware/Firmware) [Updated]
    • Updated text to improve the quality of the content.
  • T2285: Set up and maintain cloud users and roles (Cloud)
    • TA6060: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.1) [Added]
    • TA6074: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.8) [Added]
    • TA6080: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.11) [Added]
    • TA6160: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.1) [Added]
    • I1701: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.1) [Added]
    • I1708: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.8) [Added]
    • I1711: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.11) [Added]
    • I1751: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.1) [Added]
  • T2286: Configure a secure user authentication (Cloud)
    • TA6062: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.2) [Added]
    • TA6066: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.4) [Added]
    • TA6072: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.7) [Added]
    • TA6082: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.12) [Added]
    • TA6084: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.13) [Added]
    • TA6086: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.14) [Added]
    • TA6088: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.15) [Added]
    • I1702: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.2) [Added]
    • I1704: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.4) [Added]
    • I1707: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.7) [Added]
    • I1712: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.12) [Added]
    • I1713: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.13) [Added]
    • I1714: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.14) [Added]
    • I1715: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.15) [Added]
  • T2287: Configure a secure user authorization (Cloud)
    • TA6068: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.5) [Added]
    • TA6070: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.6) [Added]
    • I1705: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.5) [Added]
    • I1706: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.6) [Added]
  • T2289: Secure network access control (Cloud)
    • TA6114: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.1) [Added]
    • TA6116: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.2) [Added]
    • TA6118: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.3) [Added]
    • TA6120: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.4) [Added]
    • TA6122: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.5) [Added]
    • TA6124: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.6) [Added]
    • TA6126: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.7) [Added]
    • TA6128: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.8) [Added]
    • TA6130: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.9) [Added]
    • TA6132: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.10) [Added]
    • TA6150: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.9) [Added]
    • TA6206: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.5) [Added]
    • TA6214: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.5) [Added]
    • TA6216: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.6) [Added]
    • I1728: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.1) [Added]
    • I1729: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.2) [Added]
    • I1730: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.3) [Added]
    • I1731: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.4) [Added]
    • I1732: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.5) [Added]
    • I1733: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.6) [Added]
    • I1734: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.7) [Added]
    • I1735: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.8) [Added]
    • I1736: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.9) [Added]
    • I1737: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.10) [Added]
    • I1746: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.9) [Added]
    • I1774: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.5) [Added]
    • I1778: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.5) [Added]
    • I1779: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.6) [Added]
  • T2290: Secure data in transit (Cloud)
    • TA6152: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.10) [Added]
    • TA6212: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.4) [Added]
    • I1747: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.10) [Added]
    • I1777: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.4) [Added]
  • T2291: Secure hosts and operating systems (Cloud)
    • TA6134: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.1) [Added]
    • TA6136: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.2) [Added]
    • TA6138: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.3) [Added]
    • TA6140: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.4) [Added]
    • TA6142: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.5) [Added]
    • TA6144: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.6) [Added]
    • TA6148: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.8) [Added]
    • I1738: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.1) [Added]
    • I1739: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.2) [Added]
    • I1740: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.3) [Added]
    • I1741: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.4) [Added]
    • I1742: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.5) [Added]
    • I1743: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.6) [Added]
    • I1745: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.8) [Added]
  • T2292: Protect data at rest (Cloud)
    • TA6146: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.7) [Added]
    • TA6154: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.11) [Added]
    • TA6156: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 5.1) [Added]
    • TA6158: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 5.2) [Added]
    • TA6162: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.2) [Added]
    • TA6164: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.3) [Added]
    • TA6198: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.1) [Added]
    • TA6200: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.2) [Added]
    • TA6202: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.3) [Added]
    • TA6204: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.4) [Added]
    • TA6208: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.6) [Added]
    • TA6210: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.7) [Added]
    • TA6218: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.7) [Added]
    • TA6220: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 7.1) [Added]
    • TA6222: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.2) [Added]
    • I1744: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.7) [Added]
    • I1748: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.11) [Added]
    • I1749: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 5.1) [Added]
    • I1750: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 5.2) [Added]
    • I1752: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.2) [Added]
    • I1753: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.3) [Added]
    • I1770: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.1) [Added]
    • I1771: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.2) [Added]
    • I1772: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.3) [Added]
    • I1773: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.4) [Added]
    • I1775: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.6) [Added]
    • I1776: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.7) [Added]
    • I1780: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.7) [Added]
    • I1781: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 7.1) [Added]
    • I1782: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.2) [Added]
  • T2293: Enable logging and protect log files in your cloud environment (Cloud)
    • TA6090: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.1) [Added]
    • TA6092: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.2) [Added]
    • TA6094: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.3) [Added]
    • TA6166: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.1) [Added]
    • TA6170: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.3) [Added]
    • TA6172: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.4) [Added]
    • TA6174: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.5) [Added]
    • TA6176: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.6) [Added]
    • TA6178: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Added]
    • TA6180: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Added]
    • TA6190: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Added]
    • TA6192: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Added]
    • TA6194: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Added]
    • TA6196: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Added]
    • I1716: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.1) [Added]
    • I1717: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.2) [Added]
    • I1718: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.3) [Added]
    • I1754: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.1) [Added]
    • I1756: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.3) [Added]
    • I1757: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.4) [Added]
    • I1758: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.5) [Added]
    • I1759: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.6) [Added]
    • I1760: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Added]
    • I1761: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Added]
    • I1766: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Added]
    • I1767: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Added]
    • I1768: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Added]
    • I1769: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Added]
  • T2294: Enable logs and configuration monitoring in your cloud environment (Cloud)
    • TA6096: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Added]
    • TA6098: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Added]
    • TA6100: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Added]
    • TA6102: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Added]
    • TA6104: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Added]
    • TA6106: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Added]
    • TA6108: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Added]
    • TA6110: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Added]
    • TA6112: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Added]
    • TA6168: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Added]
    • TA6182: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Added]
    • TA6184: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Added]
    • TA6186: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Added]
    • TA6188: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Added]
    • I1719: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Added]
    • I1720: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Added]
    • I1721: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Added]
    • I1722: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Added]
    • I1723: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Added]
    • I1724: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Added]
    • I1725: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Added]
    • I1726: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Added]
    • I1727: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Added]
    • I1755: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Added]
    • I1762: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Added]
    • I1763: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Added]
    • I1764: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Added]
    • I1765: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Added]
  • T2295: Secure cloud key management system (Cloud)
    • TA6064: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.3) [Added]
    • TA6076: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.9) [Added]
    • TA6078: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.10) [Added]
    • TA6224: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.3) [Added]
    • I1703: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.3) [Added]
    • I1709: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.9) [Added]
    • I1710: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.10) [Added]
    • I1783: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.3) [Added]
  • T2297: Verify that cloud users and roles are set up and maintained (Cloud)
    • TA6061: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.1) [Added]
    • TA6075: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.8) [Added]
    • TA6081: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.11) [Added]
    • TA6161: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.1) [Added]
  • T2298: Verify that user authentication is securely configured (Cloud)
    • TA6063: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.2) [Added]
    • TA6067: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.4) [Added]
    • TA6073: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.7) [Added]
    • TA6083: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.12) [Added]
    • TA6085: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.13) [Added]
    • TA6087: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.14) [Added]
    • TA6089: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.15) [Added]
  • T2299: Verify that user authorization is securely configured (Cloud)
    • TA6069: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.5) [Added]
    • TA6071: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.6) [Added]
  • T2301: Verify that network access control is secured (Cloud)
    • TA6115: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.1) [Added]
    • TA6117: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.2) [Added]
    • TA6119: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.3) [Added]
    • TA6121: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.4) [Added]
    • TA6123: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.5) [Added]
    • TA6125: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.6) [Added]
    • TA6127: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.7) [Added]
    • TA6129: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.8) [Added]
    • TA6131: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 3.9) [Added]
    • TA6133: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 3.10) [Added]
    • TA6151: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.9) [Added]
    • TA6207: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.5) [Added]
    • TA6215: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.5) [Added]
    • TA6217: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.6) [Added]
  • T2302: Verify that data in transit is secured (Cloud)
    • TA6153: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.10) [Added]
    • TA6213: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.4) [Added]
  • T2303: Verify that hosts and operating systems are secure (Cloud)
    • TA6135: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.1) [Added]
    • TA6137: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.2) [Added]
    • TA6139: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.3) [Added]
    • TA6141: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.4) [Added]
    • TA6143: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.5) [Added]
    • TA6145: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 4.6) [Added]
    • TA6149: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.8) [Added]
  • T2304: Verify that data at rest is protected (Cloud)
    • TA6147: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.7) [Added]
    • TA6155: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 4.11) [Added]
    • TA6157: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 5.1) [Added]
    • TA6159: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 5.2) [Added]
    • TA6163: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.2) [Added]
    • TA6165: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.1.3) [Added]
    • TA6199: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.1) [Added]
    • TA6201: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.2) [Added]
    • TA6203: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.3) [Added]
    • TA6205: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.4) [Added]
    • TA6209: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.6) [Added]
    • TA6211: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.3.7) [Added]
    • TA6219: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.7) [Added]
    • TA6221: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 7.1) [Added]
    • TA6223: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.2) [Added]
  • T2305: Verify that logging is enabled and log files are protected (Cloud)
    • TA6091: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.1) [Added]
    • TA6093: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.2) [Added]
    • TA6095: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.3) [Added]
    • TA6167: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.1) [Added]
    • TA6171: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.3) [Added]
    • TA6173: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.4) [Added]
    • TA6175: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.5) [Added]
    • TA6177: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.6) [Added]
    • TA6179: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.7) [Added]
    • TA6181: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.8) [Added]
    • TA6191: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.13) [Added]
    • TA6193: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.14) [Added]
    • TA6195: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.15) [Added]
    • TA6197: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 6.2.16) [Added]
  • T2306: Verify that log monitoring and configuration monitoring are enabled (Cloud)
    • TA6097: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.4) [Added]
    • TA6099: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.5) [Added]
    • TA6101: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.6) [Added]
    • TA6103: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.7) [Added]
    • TA6105: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.8) [Added]
    • TA6107: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.9) [Added]
    • TA6109: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.10) [Added]
    • TA6111: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.11) [Added]
    • TA6113: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 2.12) [Added]
    • TA6169: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.2) [Added]
    • TA6183: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.9) [Added]
    • TA6185: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.10) [Added]
    • TA6187: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.11) [Added]
    • TA6189: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 6.2.12) [Added]
  • T2307: Verify that the key management system is secured (Cloud)
    • TA6065: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 1.3) [Added]
    • TA6077: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.9) [Added]
    • TA6079: CIS Google Cloud Platform Foundation v1.2.0 (Level 1, Recommendation 1.10) [Added]
    • TA6225: CIS Google Cloud Platform Foundation v1.2.0 (Level 2, Recommendation 7.3) [Added]
  • T2312: Ensure proper logging and security monitoring (Containerization) [Updated]
    • Updated the text.
  • T2332: Adhere to an appropriate Global Privacy Control (GPC) header [Added]
    • P732: Insufficient consent for user tracking [Updated]
      • Updated the text to cover the GPC header
  • T2333: Test if your application adheres to a Global Privacy Control (GPC) header [Added]

    • P732: Insufficient consent for user tracking [Updated]
      • Updated the text to cover the GPC header
  • Changes to Project Properties and Profiles

    • Q276: Network Layer
      • Q332: Microcontroller Protocols Used [Updated]
        • INFO: Changed the title to "Microcontroller Protocols Used" and updated the content pack to "Application Security:Hardware/Embedded"
        • A1282: CAN [Updated]
          • INFO: Deleted "This is an automotive application" Match Condition and updated the content pack to "Application Security:Hardware/Embedded"
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • Q309: Google Cloud Services
          • A1213: Kubernetes Engine [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1236: Cloud IAM [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1237: Compute Engine [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1238: Cloud Key Management Service [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1239: Virtual Private Cloud (VPC) [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1240: Cloud Storage [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1241: Cloud Audit Logs [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1242: Cloud DNS [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1243: Cloud SQL [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1244: Stackdriver [Updated]
            • INFO: Updated Match Conditions from "Deprecated Google Cloud Content." to "Deprecated Google Cloud Content. OR New Google Cloud Content"
          • A1337: BigQuery [Added]
        • A1212: Deprecated Google Cloud Content [Updated]
          • INFO: Updated the title.
        • A1336: New Google Cloud Content [Added]
  • Glossary

    • G33: Controller [Updated the text.]
    • G34: Processor [Updated the text.]
  • New Just-in-Time Training

    • Defending Cobol (11)
    • Defending Ruby on Rails (12)
    • DevSecOps for Managers (12)
    • DevSecOps Fundamentals (23)
    • Supply Chain and Software Acquisition (7)

5.19

February 19, 2022

New features and enhancements

  • Integrations
    • Remote Integration Agent
      • Updated RIA Linux to offer builds with Python 3.8. Reach out to Support for more details.
      • Python 3.6 will still be provided for Linux RIA with plans to deprecate in 5.20.

Other product improvements

  • Fixed a bug where some links in JIRA generated by the JIRA issue tracker integration were not rendering properly.
  • Fixed a bug where LDAP syncs were failing.
  • Fixed a bug where Project Tasks were not rendering properly.

Content improvements summary

  • Cloud/Amazon Web Service (AWS) update

    • Added new generic story-driven cloud umbrella Tasks.
    • Added new AWS Additional Requirements under the generic cloud umbrella Tasks.
    • Added two new regulation mappings/reports based on the new generic cloud Tasks:
      • CIS Amazon Web Services Foundations Benchmark (v1.4.0)
      • CIS Amazon Web Services Three-tier Web Architecture Benchmark (v1.0.0)
    • Added one question and two related answers to the Survey.
  • Privacy content update

    • Added new Additional Requirements to cover gaps in SD Elements privacy content.
    • Added and updated some test Tasks to cover the evidence for complying with regulatory requirements.
    • Improved and updated some of the existing content.
  • Glossary updates

    • Improved the title for "Personally Identifiable Information (PII) or personal information (PI)".

Content additions and updates (as of January 18, 2022):

  • Compliance Regulations and Mappings

    • CIS AWS Foundations Benchmark
    • CIS AWS Three-tier Web Architecture Benchmark
    • CIS Amazon EKS Benchmark
  • T161: Treat unique device IDs as personal information [Updated]

    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA280: Unique device IDs in Android [Updated]
      • Updated the text.
    • TA942: iOS: Device Tracking [Updated]
      • Updated the text.
  • T171: Follow spam-free guidelines for sending solicitation emails [Updated]
    • Updated the text.
    • P722: Spam Emails [Updated]
      • Updated the text.
  • T176: Apply principles of privacy when handling personal information [Updated]
    • Updated the text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA696: Inform users of the operation of RFID system and other security/privacy concerns [Updated]
      • Updated the text.
    • TA699: RFID Privacy Considerations [Updated]
      • Updated the text.
    • TA1327: FedRAMP / Moderate Baseline [Updated]
      • Updated the text.
    • TA2010: FedRAMP / Low Baseline [Updated]
      • Updated the text.
    • TA2325: FedRAMP / High Baseline [Updated]
      • Updated the text.
  • T177: Allow users to review and update their personal data [Updated]
    • Improved the text.
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
    • TA5927: Individual complaints and requests for data protection [Added]
  • T178: Obtain consent from users prior to collecting personal information (where applicable) [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA788: Residents of California, USA [Updated]
      • Updated the text.
    • TA943: iOS: Purpose String [Updated]
      • Updated the text.
    • TA2009: FedRAMP / Low Baseline [Updated]
      • Updated the text.
    • TA2324: FedRAMP / High Baseline [Updated]
      • Updated the text.
    • TA2876: NIST 800-53 Privacy Controls: Consent [Updated]
      • Updated the text.
    • TA2883: Protect location information (Connected Cars) [Updated]
      • Updated the text.
  • T179: Allow access for users to remove their data from the system [Updated]
    • Improved the text.
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
  • T194: Obtain user consent for tracking cookies [Updated]
    • Improved the text.
    • TA781: GDPR: Profiling techniques [Updated]
      • Improved the text.
    • I324: Country-specific information [Updated]
      • Improved the text.
  • T195: Design lawful procedures to obtain consent for processing personal information and to withdraw it when requested (where applicable) [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • I326: Sensitive personal information is context-relative [Updated]
      • Improved the title and text.
  • T207: Provide special data protection for children's personal information [Updated]
    • Updated the text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA814: COPPA [Updated]
      • Updated the text.
    • TA815: GDPR: Protection of children's personal information [Updated]
      • Updated the text.
    • TA1330: FedRAMP / Moderate Baseline [Updated]
      • Updated the text.
    • TA2008: FedRAMP / Low Baseline [Updated]
      • Updated the text.
    • TA2323: FedRAMP / High Baseline [Updated]
      • Updated the text.
  • T214: Protect confidential files on operating system or server
    • P426: File and directory information exposure [Updated]
      • Improved the title and text.
    • TA2981: ASD-STIG requirements for T214 [Updated]
      • Improved the text.
  • T237: Test that solicitation emails follow spam-free guidelines [Updated]
    • Updated the title and text.
    • P722: Spam Emails [Updated]
      • Updated the text.
  • T238: Test that users can review and update their personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T239: Test that users provide consent prior to the collection of personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA1331: FedRAMP / Moderate Baseline [Updated]
      • Updated the text.
  • T240: Test whether users can remove their data from the system [Updated]
    • Updated text to include latest guidance
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
  • T304: Verify that unique device IDs are treated as personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T313: Identify and classify categories of personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA127: MDS2 Notes for T313 [Updated]
      • Updated the text.
    • TA538: NIST 800-53 / Moderate Baseline [Updated]
      • Updated the text.
    • TA630: NIST 800-82 / Low Baseline [Updated]
      • Updated the text.
    • TA777: GDPR: Data classification and labeling feature in database design [Updated]
      • Updated the text.
    • TA778: GDPR: Special categories of personal information [Updated]
      • Updated the title and text.
  • T314: Verify that personal and confidential information is identified and classified
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA128: MDS2 Notes for T314 [Updated]
      • Updated the text.
  • T376: Fill out the manufacturer disclosure statement for the medical device security (MDS2) form
    • TA1389: FedRAMP / Moderate Baseline [Updated]
      • Updated the text.
    • TA2364: FedRAMP / High Baseline [Updated]
      • Updated the text.
  • T377: De-identify protected health information before using it for a secondary purpose [Updated]
    • Updated the text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA144: MDS2 Notes for T377 [Updated]
      • Updated the text.
  • T544: Anonymize (de-identify) identifying information before using it for a secondary purpose
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T545: Verify that personal information is anonymized before being reused for secondary purposes [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T604: Implement a consent withdrawal mechanism [Updated]
    • Updated the text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T605: Verify if consent is obtained prior to personal information collection (where applicable) [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T607: Develop automated tools/settings for destroying personal information when it is no longer needed [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA776: GDPR conditions for information erasure [Updated]
      • Updated the title and text.
  • T735: Verify that personal information is removed when it is no longer needed [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA2875: NIST 800-53 Privacy Controls: Data Retention and Disposal [Updated]
      • Updated the text.
  • T738: Determine the legal basis for transferring personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA779: GDPR: Circumstances of personal information transfer [Updated]
      • Updated the title and text.
    • TA5923: APEC cross border privacy rules [Added]
  • T739: Verify if transferring personal information is legitimate and in compliance with applicable privacy regulations [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T740: Provide personal information and its processing information to users in an appropriate format [Updated]
    • Improved text and title.
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
  • T741: Verify if users are provided with their personal data and its processing information in an appropriate format
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
  • T742: Implement technical measures to ensure the accuracy of personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA2873: NIST 800-53 Privacy Controls: Data Quality [Updated]
      • Updated the text.
  • T743: Verify accuracy of personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T744: Protect pseudonymized personal information [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T745: Verify if pseudonymized personal information is protected [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T750: Limit personal information collection and processing to the specified purpose [Updated]
    • Improved the title
    • P859: Collecting more personal information than is required for specified purposes [Updated]
      • Improved the title and text.
    • TA2864: CCPA: Service Provider Obligations [Updated]
      • Improved the text.
    • TA2868: NIST 800-53 Privacy Controls: Purpose Specification and Use Limitation [Updated]
      • Improved the text.
  • T751: Provide users with a notification of personal information processing [Updated]
    • Improved the title and text.
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
    • TA944: iOS: Privacy Notice [Updated]
      • Improved the text.
    • TA975: GDPR: Data processing notification [Updated]
      • Improved the text.
  • T752: Verify if users are notified about processing their personal information [Updated]
    • Improved the title and text.
    • P815: Lack of features that allow access and modification of personal data [Updated]
      • Improved the text.
  • T753: Verify whether personal information is collected only for specified purposes [Updated]
    • Improved the title
    • P859: Collecting more personal information than is required for specified purposes [Updated]
      • Improved the title and text.
  • T754: Enable the restriction of processing personal information of an individual for a specific purpose [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T755: Maintain a Data Processing Register or Record of Business Processing Activities [Updated]
    • Improved title and text.
    • P861: Inadequate documentation of data processing activities [Updated]
      • Improved the title and text.
    • TA1435: FedRAMP / Moderate Baseline [Updated]
      • Improved the text.
    • TA5918: Register databases with regulators [Added]
    • TA5919: Data flow [Added]
    • TA5921: Binding corporate rules [Added]
    • TA5922: Data transfer contracts [Added]
  • T756: Verify if personal data processing activities are recorded and maintained [Updated]
    • Improved the text.
    • P861: Inadequate documentation of data processing activities [Updated]
      • Improved the title and text.
  • T757: Verify if personal information processing stops when user objects to it [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T837: Adhere to HTTP DNT header
    • TA1858: FedRAMP / Moderate Baseline [Updated]
      • Improved the text.
    • TA2769: FedRAMP / High Baseline [Updated]
      • Improved the text.
  • T863: Secure Apache directories and files (Apache HTTP Server)
    • P426: File and directory information exposure [Updated]
      • Improved the title and text.
  • T864: Test that Apache directories and files are secure (Apache HTTP Server)
    • P426: File and directory information exposure [Updated]
      • Improved the title and text.
  • T1366: Identify applicable compliance regulations
    • TA6058: Comply with ANSSI's encryption control requirements if needed [Added]
    • TA6059: Implement eIDAS requirements for electronic identification and trust services [Added]
  • T1386: Regulate the use of electronic messaging [Updated]
    • Improved the text.
  • T1891: Perform Privacy Impact Assessment (PIA) [Updated]
    • Improved the text.
    • TA5928: Internal data privacy self-assessment [Added]
  • T1892: Perform a Threat and Risk Assessment (TRA)
  • T2128: Develop a process to notify users and regulators of breaches of personal information
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T2170: Ensure that personal information processed by the application meets data localization requirements [Updated]
    • Updated the title and text.
    • P257: Privacy Violation [Updated]
      • Improved the text.
    • TA3485: China Cybersecurity Law (Article 37) - Data Localization [Updated]
      • Updated the text.
  • T2285: Set up and maintain cloud users and roles (Cloud) [Added]
    • P1658: Improper identity management (Cloud) [Added]
    • TA5610: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.1) [Added]
    • TA5612: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.2) [Added]
    • TA5614: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.3) [Added]
    • TA5642: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.17) [Added]
    • I1502: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.1) [Added]
    • I1503: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.2) [Added]
    • I1504: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.3) [Added]
    • I1518: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.17) [Added]
  • T2286: Configure a secure user authentication (Cloud) [Added]
    • P1659: Improper user authentication (Cloud) [Added]
    • TA5616: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.4) [Added]
    • TA5618: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.5) [Added]
    • TA5620: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.6) [Added]
    • TA5622: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.7) [Added]
    • TA5624: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.8) [Added]
    • TA5626: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.9) [Added]
    • TA5628: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.10) [Added]
    • TA5630: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.11) [Added]
    • TA5632: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.12) [Added]
    • TA5634: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.13) [Added]
    • TA5636: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.14) [Added]
    • TA5646: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.19) [Added]
    • I1505: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.4) [Added]
    • I1506: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.5) [Added]
    • I1507: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.6) [Added]
    • I1508: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.7) [Added]
    • I1509: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.8) [Added]
    • I1510: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.9) [Added]
    • I1511: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.10) [Added]
    • I1512: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.11) [Added]
    • I1513: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.12) [Added]
    • I1514: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.13) [Added]
    • I1515: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.14) [Added]
    • I1520: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.19) [Added]
  • T2287: Configure a secure user authorization (Cloud) [Added]
    • P1660: Permissive access policies or improper access control (Cloud) [Added]
    • TA5638: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.15) [Added]
    • TA5640: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.16) [Added]
    • TA5644: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.18) [Added]
    • TA5648: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.20) [Added]
    • TA5650: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.21) [Added]
    • TA5760: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.1) [Added]
    • TA5762: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.2) [Added]
    • TA5764: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.3) [Added]
    • TA5766: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.4) [Added]
    • TA5768: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.5) [Added]
    • TA5770: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.6) [Added]
    • TA5772: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.7) [Added]
    • TA5774: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.8) [Added]
    • TA5776: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.9) [Added]
    • TA5778: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.10) [Added]
    • I1516: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.15) [Added]
    • I1517: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.16) [Added]
    • I1519: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.18) [Added]
    • I1521: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.20) [Added]
    • I1522: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.21) [Added]
    • I1577: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.1) [Added]
    • I1578: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.2) [Added]
    • I1579: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.3) [Added]
    • I1580: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.4) [Added]
    • I1581: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.5) [Added]
    • I1582: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.6) [Added]
    • I1583: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.7) [Added]
    • I1584: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.8) [Added]
    • I1585: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.9) [Added]
    • I1586: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.10) [Added]
  • T2288: Design a secure application architecture for the cloud environment (Cloud) [Added]
    • P1661: Design weakness in application security architecture (Cloud) [Added]
    • TA5780: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.1) [Added]
    • TA5782: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.2) [Added]
    • TA5784: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.3) [Added]
    • TA5786: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.4) [Added]
    • TA5788: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.5) [Added]
    • TA5790: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.6) [Added]
    • TA5792: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.8) [Added]
    • TA5794: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.9) [Added]
    • TA5796: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.10) [Added]
    • TA5798: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.11) [Added]
    • TA5804: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.14) [Added]
    • TA5806: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.15) [Added]
    • TA5850: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.3) [Added]
    • TA5854: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.5) [Added]
    • TA5856: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.6) [Added]
    • TA5858: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.7) [Added]
    • TA5860: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.8) [Added]
    • TA5862: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.9) [Added]
    • TA5864: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.10) [Added]
    • TA5908: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.32) [Added]
    • TA5910: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.33) [Added]
    • I1587: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.1) [Added]
    • I1588: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.2) [Added]
    • I1589: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.3) [Added]
    • I1590: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.4) [Added]
    • I1591: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.5) [Added]
    • I1592: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.6) [Added]
    • I1593: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.8) [Added]
    • I1594: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.9) [Added]
    • I1595: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.10) [Added]
    • I1596: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.11) [Added]
    • I1599: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.14) [Added]
    • I1600: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.15) [Added]
    • I1622: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.3) [Added]
    • I1624: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.5) [Added]
    • I1625: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.6) [Added]
    • I1626: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.7) [Added]
    • I1627: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.8) [Added]
    • I1628: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.9) [Added]
    • I1629: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.10) [Added]
    • I1651: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.32) [Added]
    • I1652: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.33) [Added]
  • T2289: Secure network access control (Cloud) [Added]
    • P1662: Improper network access control (Cloud) [Added]
    • TA5718: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.1) [Added]
    • TA5720: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.2) [Added]
    • TA5722: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.3) [Added]
    • TA5724: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.4) [Added]
    • TA5846: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.1) [Added]
    • TA5848: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.2) [Added]
    • TA5852: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.4) [Added]
    • TA5866: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.11) [Added]
    • TA5868: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.12) [Added]
    • TA5870: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.13) [Added]
    • TA5872: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.14) [Added]
    • TA5874: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.15) [Added]
    • TA5876: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.16) [Added]
    • TA5878: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.17) [Added]
    • TA5888: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.22) [Added]
    • TA5890: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.23) [Added]
    • TA5892: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.24) [Added]
    • TA5894: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.25) [Added]
    • TA5896: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.26) [Added]
    • TA5898: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.27) [Added]
    • TA5900: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.28) [Added]
    • TA5902: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.29) [Added]
    • TA5904: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.30) [Added]
    • TA5906: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.31) [Added]
    • TA5912: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.34) [Added]
    • I1556: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.1) [Added]
    • I1557: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.2) [Added]
    • I1558: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.3) [Added]
    • I1559: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.4) [Added]
    • I1620: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.1) [Added]
    • I1621: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.2) [Added]
    • I1623: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.4) [Added]
    • I1630: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.11) [Added]
    • I1631: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.12) [Added]
    • I1632: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.13) [Added]
    • I1633: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.14) [Added]
    • I1634: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.15) [Added]
    • I1635: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.16) [Added]
    • I1636: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.17) [Added]
    • I1641: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.22) [Added]
    • I1642: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.23) [Added]
    • I1643: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.24) [Added]
    • I1644: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.25) [Added]
    • I1645: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.26) [Added]
    • I1646: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.27) [Added]
    • I1647: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.28) [Added]
    • I1648: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.29) [Added]
    • I1649: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.30) [Added]
    • I1650: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.31) [Added]
    • I1653: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.34) [Added]
  • T2290: Secure data in transit (Cloud) [Added]
    • P1663: Improper protection of data in transit (Cloud) [Added]
    • TA5742: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.9) [Added]
    • TA5746: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.11) [Added]
    • TA5748: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.12) [Added]
    • TA5750: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.13) [Added]
    • TA5752: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.14) [Added]
    • TA5754: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.15) [Added]
    • TA5758: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.17) [Added]
    • TA5800: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.12) [Added]
    • TA5802: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.13) [Added]
    • TA5880: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.18) [Added]
    • TA5882: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.19) [Added]
    • TA5884: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.20) [Added]
    • TA5886: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.21) [Added]
    • I1568: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.9) [Added]
    • I1570: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.11) [Added]
    • I1571: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.12) [Added]
    • I1572: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.13) [Added]
    • I1573: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.14) [Added]
    • I1574: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.15) [Added]
    • I1576: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.17) [Added]
    • I1597: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.12) [Added]
    • I1598: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.13) [Added]
    • I1637: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.18) [Added]
    • I1638: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.19) [Added]
    • I1639: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.20) [Added]
    • I1640: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.21) [Added]
  • T2291: Secure hosts and operating systems (Cloud) [Added]
    • P1664: Weak host/OS security (Cloud) [Added]
    • TA5738: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.7) [Added]
    • TA5740: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.8) [Added]
    • TA5844: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.12) [Added]
    • I1566: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.7) [Added]
    • I1567: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.8) [Added]
    • I1619: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.12) [Added]
  • T2292: Protect data at rest (Cloud) [Added]
    • P1665: Improper protection of data at rest (Cloud) [Added]
    • TA5652: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.1) [Added]
    • TA5654: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.2) [Added]
    • TA5656: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.3) [Added]
    • TA5658: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.4) [Added]
    • TA5660: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.5) [Added]
    • TA5662: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.2.1) [Added]
    • TA5664: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.3.1) [Added]
    • TA5732: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.4) [Added]
    • TA5734: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.5) [Added]
    • TA5736: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.6) [Added]
    • TA5744: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.10) [Added]
    • TA5756: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.16) [Added]
    • TA5840: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.10) [Added]
    • TA5842: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.11) [Added]
    • I1523: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.1) [Added]
    • I1524: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.2) [Added]
    • I1525: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.3) [Added]
    • I1526: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.4) [Added]
    • I1527: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.5) [Added]
    • I1528: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.2.1) [Added]
    • I1529: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.3.1) [Added]
    • I1563: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.4) [Added]
    • I1564: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.5) [Added]
    • I1565: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.6) [Added]
    • I1569: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.10) [Added]
    • I1575: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.16) [Added]
    • I1617: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.10) [Added]
    • I1618: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.11) [Added]
  • T2293: Enable logging and protect log files in your cloud environment (Cloud) [Added]
    • P1666: Lack of activity tracking and secure logging (Cloud) [Added]
    • TA5666: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.1) [Added]
    • TA5668: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.2) [Added]
    • TA5670: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.3) [Added]
    • TA5672: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.4) [Added]
    • TA5674: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.5) [Added]
    • TA5676: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.6) [Added]
    • TA5678: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.7) [Added]
    • TA5680: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.8) [Added]
    • TA5682: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.9) [Added]
    • TA5684: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.10) [Added]
    • TA5686: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.11) [Added]
    • TA5808: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.1) [Added]
    • TA5810: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.2) [Added]
    • TA5816: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.6) [Added]
    • TA5818: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.7) [Added]
    • TA5822: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.1) [Added]
    • TA5824: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.2) [Added]
    • TA5826: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.3) [Added]
    • TA5828: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.4) [Added]
    • TA5830: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.5) [Added]
    • TA5832: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.6) [Added]
    • TA5834: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.7) [Added]
    • TA5836: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.8) [Added]
    • TA5838: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.9) [Added]
    • I1530: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.1) [Added]
    • I1531: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.2) [Added]
    • I1532: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.3) [Added]
    • I1533: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.4) [Added]
    • I1534: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.5) [Added]
    • I1535: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.6) [Added]
    • I1536: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.7) [Added]
    • I1537: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.8) [Added]
    • I1538: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.9) [Added]
    • I1539: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.10) [Added]
    • I1540: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.11) [Added]
    • I1601: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.1) [Added]
    • I1602: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.2) [Added]
    • I1605: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.6) [Added]
    • I1606: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.7) [Added]
    • I1608: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.1) [Added]
    • I1609: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.2) [Added]
    • I1610: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.3) [Added]
    • I1611: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.4) [Added]
    • I1612: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.5) [Added]
    • I1613: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.6) [Added]
    • I1614: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.7) [Added]
    • I1615: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.8) [Added]
    • I1616: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.9) [Added]
  • T2294: Enable logs and configuration monitoring in your cloud environment (Cloud) [Added]
    • P1667: Lack of monitoring (Cloud) [Added]
    • TA5688: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.1) [Added]
    • TA5690: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.2) [Added]
    • TA5692: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.3) [Added]
    • TA5694: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.4) [Added]
    • TA5696: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.5) [Added]
    • TA5698: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.6) [Added]
    • TA5700: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.7) [Added]
    • TA5702: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.8) [Added]
    • TA5704: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.9) [Added]
    • TA5706: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.10) [Added]
    • TA5708: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.11) [Added]
    • TA5710: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Added]
    • TA5712: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Added]
    • TA5714: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Added]
    • TA5716: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Added]
    • TA5812: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Added]
    • TA5814: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Added]
    • TA5820: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Added]
    • I1541: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.1) [Added]
    • I1542: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.2) [Added]
    • I1543: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.3) [Added]
    • I1544: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.4) [Added]
    • I1545: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.5) [Added]
    • I1546: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.6) [Added]
    • I1547: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.7) [Added]
    • I1548: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.8) [Added]
    • I1549: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.9) [Added]
    • I1550: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.10) [Added]
    • I1551: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.11) [Added]
    • I1552: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Added]
    • I1553: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Added]
    • I1554: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Added]
    • I1555: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Added]
    • I1603: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Added]
    • I1604: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Added]
    • I1607: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Added]
  • T2295: Secure cloud key management system (Cloud) [Added]
    • P1668: Insecure key management (Cloud) [Added]
    • TA5726: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.1) [Added]
    • TA5728: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.2) [Added]
    • TA5730: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.3) [Added]
    • I1560: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.1) [Added]
    • I1561: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.2) [Added]
    • I1562: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.3) [Added]
  • T2297: Verify that cloud users and roles are set up and maintained (Cloud) [Added]
    • P1658: Improper identity management (Cloud) [Added]
    • TA5611: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.1) [Added]
    • TA5613: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.2) [Added]
    • TA5615: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.3) [Added]
    • TA5643: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.17) [Added]
  • T2298: Verify that user authentication is securely configured (Cloud) [Added]
    • P1659: Improper user authentication (Cloud) [Added]
    • TA5617: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.4) [Added]
    • TA5619: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.5) [Added]
    • TA5621: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.6) [Added]
    • TA5623: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.7) [Added]
    • TA5625: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.8) [Added]
    • TA5627: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.9) [Added]
    • TA5629: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.10) [Added]
    • TA5631: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.11) [Added]
    • TA5633: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.12) [Added]
    • TA5635: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.13) [Added]
    • TA5637: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.14) [Added]
    • TA5647: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.19) [Added]
  • T2299: Verify that user authorization is securely configured (Cloud) [Added]
    • P1660: Permissive access policies or improper access control (Cloud) [Added]
    • TA5639: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.15) [Added]
    • TA5641: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.16) [Added]
    • TA5645: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.18) [Added]
    • TA5649: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 1.20) [Added]
    • TA5651: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 1.21) [Added]
    • TA5761: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.1) [Added]
    • TA5763: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.2) [Added]
    • TA5765: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.3) [Added]
    • TA5767: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.4) [Added]
    • TA5769: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.5) [Added]
    • TA5771: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.6) [Added]
    • TA5773: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.7) [Added]
    • TA5775: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.8) [Added]
    • TA5777: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.9) [Added]
    • TA5779: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 2.10) [Added]
  • T2300: Verify that a secure application architecture is designed for the cloud environment (Cloud) [Added]
    • P1661: Design weakness in application security architecture (Cloud) [Added]
    • TA5781: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.1) [Added]
    • TA5783: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.2) [Added]
    • TA5785: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.3) [Added]
    • TA5787: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.4) [Added]
    • TA5789: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.5) [Added]
    • TA5791: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.6) [Added]
    • TA5793: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.8) [Added]
    • TA5795: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.9) [Added]
    • TA5797: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.10) [Added]
    • TA5799: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.11) [Added]
    • TA5805: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.14) [Added]
    • TA5807: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 3.15) [Added]
    • TA5851: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.3) [Added]
    • TA5855: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.5) [Added]
    • TA5857: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.6) [Added]
    • TA5859: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.7) [Added]
    • TA5861: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.8) [Added]
    • TA5863: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.9) [Added]
    • TA5865: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.10) [Added]
    • TA5909: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.32) [Added]
    • TA5911: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.33) [Added]
  • T2301: Verify that network access control is secured (Cloud) [Added]
    • P1662: Improper network access control (Cloud) [Added]
    • TA5719: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.1) [Added]
    • TA5721: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 5.2) [Added]
    • TA5723: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.3) [Added]
    • TA5725: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 5.4) [Added]
    • TA5847: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.1) [Added]
    • TA5849: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.2) [Added]
    • TA5853: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.4) [Added]
    • TA5867: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.11) [Added]
    • TA5869: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.12) [Added]
    • TA5871: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.13) [Added]
    • TA5873: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.14) [Added]
    • TA5875: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.15) [Added]
    • TA5877: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.16) [Added]
    • TA5879: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.17) [Added]
    • TA5889: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.22) [Added]
    • TA5891: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.23) [Added]
    • TA5893: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.24) [Added]
    • TA5895: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.25) [Added]
    • TA5897: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.26) [Added]
    • TA5899: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.27) [Added]
    • TA5901: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.28) [Added]
    • TA5903: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.29) [Added]
    • TA5905: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.30) [Added]
    • TA5907: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 6.31) [Added]
    • TA5913: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.34) [Added]
  • T2302: Verify that data in transit is secured (Cloud) [Added]
    • P1663: Improper protection of data in transit (Cloud) [Added]
    • TA5743: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.9) [Added]
    • TA5747: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.11) [Added]
    • TA5749: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.12) [Added]
    • TA5751: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.13) [Added]
    • TA5753: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.14) [Added]
    • TA5755: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.15) [Added]
    • TA5759: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.17) [Added]
    • TA5801: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.12) [Added]
    • TA5803: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 3.13) [Added]
    • TA5881: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.18) [Added]
    • TA5883: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.19) [Added]
    • TA5885: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.20) [Added]
    • TA5887: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 6.21) [Added]
  • T2303: Verify that hosts and operating systems are secure (Cloud) [Added]
    • P1664: Weak host/OS security (Cloud) [Added]
    • TA5739: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.7) [Added]
    • TA5741: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.8) [Added]
    • TA5845: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.12) [Added]
  • T2304: Verify that data at rest is protected (Cloud) [Added]
    • P1665: Improper protection of data at rest (Cloud) [Added]
    • TA5653: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.1) [Added]
    • TA5655: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.2) [Added]
    • TA5657: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.3) [Added]
    • TA5659: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 2.1.4) [Added]
    • TA5661: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.1.5) [Added]
    • TA5663: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.2.1) [Added]
    • TA5665: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 2.3.1) [Added]
    • TA5733: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.4) [Added]
    • TA5735: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.5) [Added]
    • TA5737: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.6) [Added]
    • TA5745: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.10) [Added]
    • TA5757: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 1.16) [Added]
    • TA5841: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.10) [Added]
    • TA5843: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.11) [Added]
  • T2305: Verify that logging is enabled and log files are protected (Cloud) [Added]
    • P1666: Lack of activity tracking and secure logging (Cloud) [Added]
    • TA5667: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.1) [Added]
    • TA5669: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.2) [Added]
    • TA5671: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.3) [Added]
    • TA5673: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.4) [Added]
    • TA5675: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.5) [Added]
    • TA5677: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 3.6) [Added]
    • TA5679: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.7) [Added]
    • TA5681: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.8) [Added]
    • TA5683: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.9) [Added]
    • TA5685: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.10) [Added]
    • TA5687: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 3.11) [Added]
    • TA5809: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.1) [Added]
    • TA5811: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.2) [Added]
    • TA5817: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.6) [Added]
    • TA5819: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.7) [Added]
    • TA5823: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.1) [Added]
    • TA5825: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.2) [Added]
    • TA5827: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.3) [Added]
    • TA5829: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.4) [Added]
    • TA5831: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.5) [Added]
    • TA5833: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.6) [Added]
    • TA5835: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.7) [Added]
    • TA5837: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.8) [Added]
    • TA5839: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 5.9) [Added]
  • T2306: Verify that log monitoring and configuration monitoring are enabled (Cloud) [Added]
    • P1667: Lack of monitoring (Cloud) [Added]
    • TA5689: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.1) [Added]
    • TA5691: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.2) [Added]
    • TA5693: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.3) [Added]
    • TA5695: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.4) [Added]
    • TA5697: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.5) [Added]
    • TA5699: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.6) [Added]
    • TA5701: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.7) [Added]
    • TA5703: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.8) [Added]
    • TA5705: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.9) [Added]
    • TA5707: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.10) [Added]
    • TA5709: CIS AWS Foundation v1.4.0 (Level 2, Recommendation 4.11) [Added]
    • TA5711: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.12) [Added]
    • TA5713: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.13) [Added]
    • TA5715: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.14) [Added]
    • TA5717: CIS AWS Foundation v1.4.0 (Level 1, Recommendation 4.15) [Added]
    • TA5813: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.3) [Added]
    • TA5815: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.4) [Added]
    • TA5821: CIS AWS Three-tier Web Architecture v1.0.0 (Level 1, Recommendation 4.8) [Added]
  • T2307: Verify that the key management system is secured (Cloud) [Added]
    • P1668: Insecure key management (Cloud) [Added]
    • TA5727: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.1) [Added]
    • TA5729: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.2) [Added]
    • TA5731: CIS AWS Three-tier Web Architecture v1.0.0 (Level 2, Recommendation 1.3) [Added]
  • T2309: Securely configure worker nodes (Containerization) [Added]
    • P1671: Insecure configuration of worker nodes (Containerization) [Added]
    • TA5962: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Added]
    • TA5964: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Added]
    • TA5966: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Added]
    • TA5968: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Added]
    • TA5970: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Added]
    • TA5974: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Added]
    • TA5976: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Added]
    • TA5978: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Added]
    • TA5980: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Added]
    • TA5982: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Added]
    • TA5984: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Added]
    • TA5986: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Added]
    • TA6033: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Added]
    • TA6035: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Added]
    • I1654: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Added]
    • I1655: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Added]
    • I1656: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Added]
    • I1657: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Added]
    • I1658: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Added]
    • I1659: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Added]
    • I1660: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Added]
    • I1661: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Added]
    • I1662: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Added]
    • I1663: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Added]
    • I1664: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Added]
    • I1665: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Added]
    • I1666: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Added]
    • I1667: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Added]
  • T2310: Implement proper authentication and authorization (Containerization) [Added]
    • P1672: Lack of proper authentication and authorization (Containerization) [Added]
    • TA5972: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Added]
    • TA5988: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Added]
    • TA5992: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Added]
    • TA5994: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Added]
    • TA5996: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Added]
    • TA5998: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Added]
    • TA6000: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Added]
    • TA6002: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Added]
    • TA6004: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Added]
    • TA6006: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Added]
    • TA6008: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Added]
    • TA6010: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Added]
    • TA6012: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Added]
    • TA6020: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.2) [Added]
    • TA6027: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Added]
    • TA6037: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Added]
    • TA6039: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Added]
    • TA6051: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Added]
    • TA6056: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Added]
    • I1668: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Added]
    • I1669: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Added]
    • I1670: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Added]
    • I1671: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Added]
    • I1672: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Added]
    • I1673: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Added]
    • I1674: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Added]
    • I1675: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Added]
    • I1676: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Added]
    • I1677: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Added]
    • I1678: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Added]
    • I1679: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Added]
    • I1680: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Added]
    • I1681: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.2) [Added]
    • I1682: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Added]
    • I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Added]
    • I1684: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Added]
    • I1685: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Added]
    • I1686: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Added]
  • T2311: Ensure proper network settings and configuration (Containerization) [Added]
    • P1673: Improper network settings and configuration (Containerization) [Added]
    • TA6029: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.3) [Added]
    • TA6030: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.4) [Added]
    • TA6041: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.3.2) [Added]
    • TA6054: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.4.2) [Added]
    • TA6055: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.4.5) [Added]
    • I1687: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.3.2) [Added]
  • T2312: Ensure proper logging and security monitoring (Containerization) [Added]
    • P1674: Inadequate logging and security monitoring (Containerization) [Added]
    • TA5960: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 2.1.1) [Added]
    • I1688: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 2.1.1) [Added]
  • T2313: Keep data and secrets safe (Containerization) [Added]
    • P1675: Lack of data and secrets protection (Containerization) [Added]
    • TA5990: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.2) [Added]
    • TA6025: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.3.1) [Added]
    • TA6043: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.1) [Added]
    • TA6045: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.2) [Added]
    • I1689: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.2) [Added]
    • I1690: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.3.1) [Added]
    • I1691: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.1) [Added]
    • I1692: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.2) [Added]
  • T2314: Enforce secure policies (Containerization) [Added]
    • P1676: Lack of secure policies (Containerization) [Added]
    • TA6014: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.3.1) [Added]
    • TA6016: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.6.1) [Added]
    • TA6047: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.5.1) [Added]
    • TA6049: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.2) [Added]
    • I1693: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.3.1) [Added]
    • I1694: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.6.1) [Added]
    • I1695: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.5.1) [Added]
    • I1696: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.2) [Added]
  • T2315: Use managed services (Containerization) [Added]
    • P1677: Using unmanaged services (Containerization) [Added]
    • TA6018: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Added]
    • TA6021: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Added]
    • TA6023: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Added]
    • TA6031: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Added]
    • TA6053: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.1.4) [Added]
    • I1697: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Added]
    • I1698: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Added]
    • I1699: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Added]
    • I1700: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Added]
  • T2317: Verify worker nodes are configured securely (Containerization) [Added]
    • P1671: Insecure configuration of worker nodes (Containerization) [Added]
    • TA5963: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.1) [Added]
    • TA5965: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.2) [Added]
    • TA5967: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.3) [Added]
    • TA5969: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.1.4) [Added]
    • TA5971: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.1) [Added]
    • TA5975: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.3) [Added]
    • TA5977: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.4) [Added]
    • TA5979: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.5) [Added]
    • TA5981: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.6) [Added]
    • TA5983: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.7) [Added]
    • TA5985: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.8) [Added]
    • TA5987: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.11) [Added]
    • TA6034: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.9) [Added]
    • TA6036: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 3.2.10) [Added]
  • T2318: Verify proper authentication and authorization are implemented (Containerization) [Added]
    • P1672: Lack of proper authentication and authorization (Containerization) [Added]
    • TA5973: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 3.2.2) [Added]
    • TA5989: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.1) [Added]
    • TA5993: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.3) [Added]
    • TA5995: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.4) [Added]
    • TA5997: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.5) [Added]
    • TA5999: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.6) [Added]
    • TA6001: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Added]
    • TA6003: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.2) [Added]
    • TA6005: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.3) [Added]
    • TA6007: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.4) [Added]
    • TA6009: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Added]
    • TA6011: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.7) [Added]
    • TA6013: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.8) [Added]
    • TA6028: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.4.1) [Added]
    • TA6038: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Added]
    • TA6040: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.9) [Added]
    • TA6052: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.3) [Added]
    • TA6057: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 5.5.1) [Added]
  • T2319: Verify proper network settings and configuration (Containerization) [Added]
    • P1673: Improper network settings and configuration (Containerization) [Added]
    • TA6042: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.3.2) [Added]
  • T2320: Verify proper logging and security monitoring are implemented (Containerization) [Added]
    • P1674: Inadequate logging and security monitoring (Containerization) [Added]
    • TA5961: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 2.1.1) [Added]
  • T2321: Verify data and secrets are kept safe (Containerization) [Added]
    • P1675: Lack of data and secrets protection (Containerization) [Added]
    • TA5991: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.1.2) [Added]
    • TA6026: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.3.1) [Added]
    • TA6044: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.1) [Added]
    • TA6046: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.4.2) [Added]
  • T2322: Verify secure policies are enforced (Containerization) [Added]
    • P1676: Lack of secure policies (Containerization) [Added]
    • TA6015: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.3.1) [Added]
    • TA6017: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.6.1) [Added]
    • TA6048: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.5.1) [Added]
    • TA6050: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.6.2) [Added]
  • T2323: Verify managed services are used (Containerization) [Added]
    • P1677: Using unmanaged services (Containerization) [Added]
    • TA6019: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.1) [Added]
    • TA6022: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.1.3) [Added]
    • TA6024: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.2.1) [Added]
    • TA6032: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 5.6.1) [Added]
  • T2324: Verify whether privacy principles are applied for handling personal data [Added]
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T2327: Verify if a Privacy Impact Assessment is performed [Added]
  • T2328: Verify if proper policies exist for processing sensitive personal data [Added]
  • T2329: Verify if health data is handled securely [Added]
  • T2330: Verify if children's personal information is handled securely [Added]
    • P257: Privacy Violation [Updated]
      • Improved the text.
  • T2331: Verify whether any plan exists for data privacy incident response [Added]

    • P257: Privacy Violation [Updated]
      • Improved the text.
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • Q110: Technology/Framework
          • A47: Java EE [Updated]
            • Removed "A74: Apache" and "A204: Apache HTTP Server 2.0" from match conditions
    • Q205: Geography
      • Q159: Organization is Subject to Laws of:
        • A1334: France [Added]
    • Q237: Compliance Scope: Other
      • Q345: In-Scope for Regulation (EU) 910/2014 (eIDAS Regulation) [Added]
        • A1335: Yes [Added]
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • A1159: Deprecated Amazon Web Services (AWS) Content [Updated]
        • A1333: New Amazon Web Services (AWS) Content [Added]
      • Q343: New Generic Cloud Content [Added]
        • A1332: Include new generic story-driven cloud tasks [Added]
  • New Just-in-Time Training

    • Secure Software Design (22)
    • Secure Software Coding (11)
    • Defending HTML5 (19)
    • Defending Python (14)
    • Software Acceptance (2)

5.18

December 18, 2021

New features and enhancements

  • Explainable Mappings
    • Added an action button for 'Why is this Task included?' on the Tasks List and Task Details pages.
    • This button expands a widget containing additional information on how exactly a given Task was brought into the Project (such as through Survey Match Conditions, being carried over across releases, and so on.)
    • Added a new column in the All Tasks CSV Report containing information about Task inclusion.
    • Added an include parameter in the Tasks API for Task inclusion information in the response.

Other product improvements

  • Added API request throttling to GitHub integration to avoid rate limiting.
  • Updated the latest version of the Windows RIA to use Python 3.8.
    • The Linux RIA will be updated to Python 3.8 in a future release. Clients should start planning to update their virtual environment to Python 3.8.

Content improvements summary

  • Regulations

    • PCI SSS (Payment Card Industry Secure Software Standard v1.0)
      • Added a new Regulation with relevant Task Amendments based on the updated standard.
    • OWASP Top 10 (2021)
      • Added the latest installment of the OWASP Top 10 as a new regulation. This regulation was mapped to related Tasks based on the new categories and those of the 2017 installment that did not see a change in the 2021 update.
  • Implied answers

    • Removed some implied answers for "A48: .NET" and "A707: Python".
    • Removed retired answers from the implications of some answers.
    • See Changes to Project Properties and Profiles for more information.

Content additions and updates (as of November 22, 2021):

  • Compliance Regulations and Mappings

    • Payment Card Industry Software Security Framework (Secure Software Standard) (PCI-SSF (S3))
    • OWASP Top 10 (2021)
  • New/Updated Content Packs

    • PCI SSF
    • Hardware-Embedded
    • Wireless
    • RFID
    • Bluetooth
    • WiFi
  • T31: Validate all forms of input [Updated]

    • Updated text to include latest guidance.
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
    • Updated text to include latest guidance
  • T61: Disable default accounts or change all default passwords [Updated]
    • Updated text to include latest guidance
  • T151: Use cryptographically secure random numbers [Updated]
    • Updated text to include latest guidance.
  • T197: Encrypt and sign any remote code/update and then validate the signature to verify its origin and integrity
    • TA5587: PCI-SSF (S3) / Signing all terminal software files [Added]
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared
    • TA5579: PCI-SSF (S3) / Delete transient sensitive data [Added]
  • T338: Control access to resources through user authentication and authorization [Updated]
    • Updated text to include latest guidance.
  • T371: Provide unified and manageable interfaces for security settings and configuration parameters
    • TA5578: PCI-SSF (S3) / Functions and security controls [Added]
  • T379: Provide sufficient documentation for security-related features
    • TA5576: PCI-SSF (S3) / Documentation and evidence [Added]
  • T431: Design a response to logging failures and other minor failures
    • TA5581: PCI-SSF (S3) / Protect the integrity of existing activity records [Added]
  • T432: Test that logging failures and other minor failures are securely handled
    • TA5582: PCI-SSF (S3) / More in-depth tests [Added]
  • T453: Perform security function verification on a regular basis
    • TA5585: PCI-SSF (S3) / Test the terminal software security features [Added]
  • T456: Change default security settings to the most stringent ones and disable unnecessary services and modules [Updated]
    • Updated title and text for more clarity and better guidance.
  • T925: Configure TLS/SSL securely for Microsoft IIS (Microsoft IIS)
    • I803: IIS: How to configure TLS/SSL securely [Updated]
      • INFO: Updated the text.
  • T1075: Use Azure Active Directory for SQL Authentication (Microsoft Azure) [Updated]
    • Updated title for more clarity.
  • T1079: Disable unapproved VM extensions (Microsoft Azure) [Updated]
    • Updated the text for better content accuracy
  • T1367: Identify and classify critical assets [Updated]
    • Updated text to include latest guidance.
  • T1373: Maintain the integrity of all software code
    • TA5583: PCI-SSF (S3) / Integrity of prompts [Added]
  • T1374: Ensure the integrity of software release and update delivery [Updated]
    • Updated text to include latest guidance.
  • T1375: Properly collect and protect sensitive data
    • TA5577: PCI-SSF (S3) / Sensitive data retention or deletion [Added]
  • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components [Updated]
    • Updated text to include further details and clarity.
    • TA5589: PCI-SSF (S3) / Detailed guidance [Added]
    • TA5590: PCI-SSF (S3) / Detailed guidance for terminal software [Added]
  • T1381: Establish secure processes for key management [Updated]
    • Updated text to include latest guidance.
  • T1385: Institute secure logging and event monitoring
    • TA5588: PCI-SSF (S3) / Tracking and recording sensitive activities [Added]
  • T1885: Ensure Lambda functions handle input safely (AWS) [Updated]
    • Updated Phase from "Deployment" to "Development".
  • T1892: Perform a Threat and Risk Assessment (TRA)
    • TA5580: PCI-SSF (S3) / Default settings [Added]
  • T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
    • TA5586: PCI-SSF (S3) / Detection of anomalous behavior [Added]
  • T1901: Use IAM policies for managing access to SQS resources (AWS) [Updated]
    • Updated title for more clarity.
  • T1911: Use IAM policies for managing access to RDS database instances (AWS) [Updated]
    • Updated title for more clarity.
  • T1920: Conduct security architecture and design reviews before starting code development
    • TA5584: PCI-SSF (S3) / Secure terminal software design [Added]
  • T2058: Create IAM policies for database access (Amazon Aurora) [Updated]
    • Updated the title for more clarity
  • T2060: Ensure snapshots are not public (RDS) [Updated]
    • Updated the title and text to cover all RDS-supported databases.
    • P1507: Ensure snapshots are not public (RDS) [Updated]
  • T2062: Use AWS Secrets Manager for connection credentials (RDS) [Updated]
    • Updated the title and text to cover all RDS-supported databases.
    • P1509: Improper secret or connection string management (RDS) [Updated]
  • T2067: Use the latest version of software on App Service (Microsoft Azure) [Updated]
    • Changed its phase from deployment to development
  • T2296: Securely install and configure all software components [Added]

    • P1669: Lack of a process for securely installing and configuring all software components [Added]
  • Updated the following code scanner mappings

    • Fortify
    • AppScan
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • Q110: Technology/Framework
          • A48: .NET [Updated]
            • Removed the following implied answers: "A168: ADO.NET", "A58: ESAPI", "A75: Microsoft IIS", "A158: ODBC", "A13: XML", "A767: ASP.NET Web Application Framework", "A176: Uses ASP.NET ViewState", "A112: Uses ASP.NET Membership provider for authentication"
        • A707: Python [Updated]
          • Removed the implied answer for "A697: Django".
    • Q197: Java Technologies
      • Q147: Third-Party Libraries Used
        • A165: Spring [Updated]
          • Removed JAVA EE from the applicability criteria.
    • Q211: Development Tools

      • Q210: Test Tools
        • Q212: Test Tools Permitted
          • A189: Exploit-Me Tools
            • Removed this answer from the project survey due Exploit-Me Tools being deprecated.
    • Removed the following retired answers from the implications of other answers:

      • Removed “A15: Yes” from “A4: Web Application”
      • Removed “A1085: The application connects to a server as a client” from “A1077: Firmware, embedded, or hardware solution”
      • Removed “A218: Sun Java Development Kit (JDK)” from “A47: Java EE”
      • Removed “A116: Reference Implementation” from “A96:JSF”
      • Removed “A99: Apache Tomahawk” from “A117: Apache MyFaces”
      • Removed “A187: Yes” from “A1061: Set of default answers for all profiles”
      • Removed “A15: Yes” from “A1080: The application is a generic web application.”
      • Removed “A743: (Don’t Use) Changes to resource addressing” from “A740: This is a new project”
  • New Just-in-Time Training

    • Defending .NET (27)
    • Defending Containers (14)
    • Defending Kubernetes (19)

5.17

November 6, 2021

New features and enhancements

  • Project Survey

    • "Application General > Application Type" has been changed to "Application General > Components" and is now multi-choice to help better align with modern development practices.
    • "Application General > Components" has been changed to "Application General > Custom Components" to account for any existing user-created subsections.
    • For more information, contact your Customer Success Manager or sdesupport@securitycompass.com.
  • Library

    • Added the functionality to customize official Problems via Library export.
  • Integrations

    • Klocwork SAST Integration
      • Full functionality now available.

Other product improvements

  • Risk Policies
    • The Risk Policy summary widget on the project overview page was previously not being shown immediately after the survey was saved, this has now been fixed.

Content additions and updates (as of October 12, 2021):

  • Compliance Regulations and Mappings

    • PCI-SSLC-v1.1
    • ISASecure CSA 311
    • ISASecure SSA 311
  • New Content Packs

    • GraphQL
  • T15: Centralize authorization

    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T31: Validate all forms of input
    • TA3499: Input validation (GraphQL) [Added]
  • T59: Use standard libraries for cryptography
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T136: Do not store sensitive credit card data
    • P708: Storage of Confidential Credit Card Fields [Updated]
      • INFO: Updated the text.
  • T154: Do not store or cache credit card information on client
    • P708: Storage of Confidential Credit Card Fields [Updated]
      • INFO: Updated the text.
  • T226: Verify that authorization is centralized
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T234: Verify sensitive credit card data is not stored
    • P708: Storage of Confidential Credit Card Fields [Updated]
      • INFO: Updated the text.
  • T247: Verify logical access to encrypted volumes are managed independently of native operating system
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T338: Control access to resources through user authentication and authorization
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T340: Use an account and identity management system
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T344: Enforce different rules for access to the system based on the origin, type and medium of request
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T445: Verify that only approved cryptographic algorithms and key lengths are used
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T446: Verify that only standard libraries are used for cryptography
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T520: Design secure SOAP web services
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T522: Employ address filtering at the MAC layer
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T530: Test that MAC layer address filtering is enabled
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T552: Verify that SOAP web services are securely designed
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T553: Design secure RESTful web services
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T554: Verify that REST web services are securely designed
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T567: Enable network access control for local area network communications
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T591: Verify that network access control is enabled for local area network communications
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T673: Attach IAM policies only to groups or roles (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T707: Test that IAM policies are attached only to groups or roles (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T892: Configure SELinux to restrict Apache processes (Apache HTTP Server)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T893: Configure AppArmor to restrict Apache processes (Apache HTTP Server)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T894: Verify that SELinux is configured to restrict Apache processes (Apache HTTP Server)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T895: Verify that AppArmor is configured to restrict Apache processes
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T898: Create bastion hosts for administrative access to the resources (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T899: Test that bastion hosts are created for administrative access to the resources (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T906: Set 'global authorization rule' to restrict access (Microsoft IIS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T907: Restrict access to sensitive site features to authenticated principals only (Microsoft IIS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T940: Test that 'global authorization rule' is set to restrict access (Microsoft IIS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T941: Test that access to sensitive site features is restricted to authenticated principals only (Microsoft IIS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1240: Do not allow privileged containers (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I973: Kubernetes: How to disallow privileged containers [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1241: Verify that privileged containers are not allowed (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1242: Configure authentication securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1110: Improper authentication configuration (Kubernetes) [Updated]
      • INFO: Updated the text.
    • I974: Kubernetes: How to configure authentication securely [Updated]
      • INFO: Updated the text.
  • T1243: Verify that authentication is securely configured (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1110: Improper authentication configuration (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T1244: Do not set insecure bind address and port (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1111: Insecure bind address and port (Kubernetes) [Updated]
      • INFO: Updated the text.
    • I975: Kubernetes: How to securely set bind address and port [Updated]
      • INFO: Updated the text.
  • T1245: Verify that insecure bind address and port are not set (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1111: Insecure bind address and port (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T1246: Disable profiling (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I976: Kubernetes: How to disable profiling [Updated]
      • INFO: Updated the text.
  • T1247: Verify that profiling is disabled (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1248: Disable fixing of malformed updates (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I977: Kubernetes: How to set the --repair-malformed-updates argument to false [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1249: Verify that fixing malformed update is disabled (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1250: Configure admission control policy securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I978: Kubernetes: How to configure admission control policy securely [Updated]
      • INFO: Updated the text.
  • T1251: Verify that admission control policy is configured securely (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1252: Configure logs securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I979: Kubernetes: How to configure logs securely [Updated]
      • INFO: Updated the text.
  • T1253: Verify that logs are configured securely (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1254: Do not always authorize all requests (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1116: Always authorizing all requests (Kubernetes) [Updated]
      • INFO: Updated the text.
    • I980: Kubernetes: How to Do not always authorize all requests [Updated]
      • INFO: Updated the text.
  • T1255: Verify that all requests are always authorized (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1116: Always authorizing all requests (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T1256: Configure HTTPS securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1117: Unsecure HTTPS configuration (Kubernetes) [Updated]
      • INFO: Updated the text.
    • I981: Kubernetes: How to configure HTTPS securely [Updated]
      • INFO: Updated the text.
  • T1257: Verify that HTTPS is configured securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • P1117: Unsecure HTTPS configuration (Kubernetes) [Updated]
      • INFO: Updated the text.
  • T1258: Configure service account securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I982: Kubernetes: How to configure service account securely [Updated]
      • INFO: Updated the text.
  • T1259: Verify that service account is securely configured (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1264: Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I985: Kubernetes: How to remove the --insecure-experimental-approve-all-kubelet-csrs-for-group argument [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1265: Verify that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1266: Set permissions for sensitive files properly (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I986: Kubernetes: How to set permissions for sensitive files [Updated]
      • INFO: Updated the text.
  • T1267: Verify that permissions for sensitive files are properly set (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1270: Create Pod Security Policies for your cluster (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1271: Verify the Pod Security Policies for your cluster (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1275: Verify if the --read-only-port argument is set to 0 (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T1280: Configure network securely (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I993: Kubernetes: How to configure network securely [Updated]
      • INFO: Updated the text.
    • I997: Kubernetes: How to configure network securely - more in-depth controls [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1282: Set the --keep-terminated-pod-volumes argument to false (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I994: Kubernetes: How to set the --keep-terminated-pod-volumes argument to false [Deactivated]
  • T1283: Verify if the --keep-terminated-pod-volumes argument is set to false (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1284: Ensure that the --cadvisor-port argument is set to 0 (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I995: Kubernetes: How to set the --cadvisor-port argument to 0 [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1285: Verify if the --cadvisor-port argument is set to 0 (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T1288: Ensure that the seccomp profile is set to docker/default in your pod definitions (Kubernetes)
    • I999: Kubernetes: How to ensure that the seccomp profile is set to docker/default in your pod definitions [Updated]
      • INFO: Updated the text.
  • T1373: Maintain the integrity of all software code [Updated]
    • INFO: Updated the text.
  • T1465: Decide how to handle sessions/authorization state in your Angular application (Angular)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1466: Restrict sending of authorization state to approved origins in Angular (Angular)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1467: Verify that the Angular application does not leak the authorization state (Angular)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1878: Grant minimal IAM permissions (especially to Lambda functions) (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1886: Do not allow anonymous invocation of Lambda functions (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1887: Decide on the right OAuth 2.0 flow for your application
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1888: Decide on the right OpenID Connect flow for your application
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1889: Secure the configuration of the authorization server
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1890: Implement OAuth 2.0 securely on the resource server
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1899: Do not allow unauthorized access to SQS queues (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1900: Verify that SQS queues are only accessible from trusted AWS accounts (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1901: Attach IAM policies to SQS resources (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1902: Verify that SQS queues have IAM Policies attached (AWS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T1922: Use secure OAuth 2.0 and OpenID Connect integration (where applicable)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2041: Attach IAM roles for ECS container instances (Amazon ECS)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2047: Attach IAM policies to DynamoDB resources (Amazon DynamoDB)
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2077: Use strong cryptographic ciphers (Kubernetes)
    • I1370: Kubernetes: How to only use strong cryptographic ciphers [Updated]
      • INFO: Updated the text.
  • T2081: Encrypt data at rest properly (Kubernetes) [Updated]
    • INFO: Updated the text.
    • I1372: Kubernetes: How to encrypt data at rest properly [Updated]
      • INFO: Updated the text.
  • T2082: Verify that data at rest is encrypted properly (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T2084: Verify that the admission control plugin 'EventRateLimit' is set (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T2091: Do not bind the scheduler and the controller manager services to non-loopback insecure addresses (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T2092: Verify that the scheduler and controller manager services are not bound to non-loopback insecure addresses (Kubernetes) [Updated]
    • INFO: Updated the text.
  • T2097: Minimize containers with excessive privileges (Kubernetes) [Updated]
    • INFO: Updated the text and title.
    • TA2857: Kubernetes: Minimize the admission of containers with excessive privileges - More in-depth controls [Updated]
      • INFO: Updated the text and title.
  • T2098: Verify that containers with excessive privileges are minimized (Kubernetes) [Updated]
    • INFO: Updated the title.
    • TA2858: Kubernetes: Verify that containers with excessive privileges are minimized - More in-depth controls [Updated]
      • INFO: Updated the text and title.
  • T2101: Place compensating controls in the form of PSP and RBAC for privileged containers usage (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I1382: Kubernetes: How to Place compensating controls in the form of PSP and RBAC for privileged containers usage [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T2102: Verify that Place compensating controls in the form of PSP and RBAC for privileged containers usage (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T2103: Configure Network policies as appropriate (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
    • I1383: Kubernetes: How to Configure Network policies as appropriate [Deactivated]
      • INFO: Deactivated to align with latest CIS Benchmarks.
  • T2104: Verify that Configure Network policies as appropriate (Kubernetes) [Deactivated]
    • INFO: Deactivated to align with latest CIS Benchmarks.
  • T2117: Secure microservices APIs that access sensitive data
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2128: Develop a process to notify users and regulators of breaches of personal information [Updated]
    • INFO: Updated the title.
  • T2185: Prevent unauthorized access to sensitive data through debug or test interfaces (Hardware/Firmware) [Updated]
    • INFO: Updated CVSS.
  • T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware) [Updated]
    • INFO: Updated CVSS.
  • T2246: Use correct and approved cryptographic parameters and key lengths (Bluetooth) [Updated]
    • INFO: Updated match conditions. Changed "Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" to "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components In Development - Firmware, embedded, or hardware solution"
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T2253: Use AES encryption in CCMP mode when WPA is applied (WiFi) [Updated]
    • INFO: Updated match conditions. "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components In Development - Firmware, embedded, or hardware solution"
    • P224: Use of weak cryptographic algorithms or unsecure algorithm practices [Updated]
      • INFO: Removed the following match conditions "Changes Since Last Release - Changes to hardware design AND Bluetooth Persona - Manufacturer AND Components in development - Firmware, embedded, or hardware solution" and "Changes Since Last Release - Changes to hardware design AND WiFi Persona - Provider AND Components in development - Firmware, embedded, or hardware solution"
  • T2259: Minimize access rights assigned to RBAC roles and Service Accounts (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1653: Inappropriate access settings for RBAC roles and Service Accounts (Kubernetes) [Added]
    • I1496: Kubernetes: How to ensure assigned access rights to RBAC roles and Service Accounts are appropriate [Added]
  • T2260: Verify access rights assigned to RBAC roles and Service Accounts are minimal (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1653: Inappropriate access settings for RBAC roles and Service Accounts (Kubernetes) [Added]
  • T2261: Do not use client certificate authentication for users (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1654: Lack of support for certificate revocation (Kubernetes) [Added]
  • T2262: Verify client certificate authentication is not used for users (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1654: Lack of support for certificate revocation (Kubernetes) [Added]
  • T2263: Ensure network policies and CNI selection are appropriate (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1528: Inappropriate Network policies and CNI configurations (Kubernetes) [Updated]
      • INFO: Updated the text and title.
    • I1497: Kubernetes: How to ensure network policies and CNI selection are appropriate [Added]
  • T2264: Verify network policies and CNI selection are appropriate (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1528: Inappropriate Network policies and CNI configurations (Kubernetes) [Updated]
      • INFO: Updated the text and title.
  • T2265: Ensure proper Secrets Management (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1655: Improper secrets management (Kubernetes) [Added]
    • I1498: Kubernetes: How to ensure proper secrets management [Added]
  • T2266: Verify proper Secrets Management (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1655: Improper secrets management (Kubernetes) [Added]
  • T2267: Do not use default namespaces (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1656: Using default namespaces (Kubernetes) [Added]
    • I1499: Kubernetes: How to use non-default namespaces [Added]
  • T2268: Verify default namespace is not used (Kubernetes) [Added]
    • INFO: Align with latest CIS Benchmark.
    • P1656: Using default namespaces (Kubernetes) [Added]
  • T2269: Prevent batching attacks (GraphQL) [Added]
  • T2270: Test to confirm that password policies are configurable [Added]
  • T2271: Test to confirm that unauthorized access to sensitive data through debug or test interfaces is properly restricted (Hardware/Firmware) [Added]
  • T2272: Test immutability of Root of Trust for storage (Hardware/Firmware) [Added]
  • T2273: Verify that unified and manageable interfaces are available for security settings and configuration parameters [Added]
  • T2274: Test to confirm that the principle of least privilege is strongly implemented [Added]
  • T2275: Test to confirm that the most robust Security Operation Mode is applied (WiFi) [Added]
  • T2276: Test to confirm that authorization and authentication controls are in place for access to resources [Added]
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2277: Test to confirm the use of an account and identity management system [Added]
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2278: Test to confirm that different rules for access to the system are enforced based on the origin, type, and medium of the request [Added]
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2279: Verify that the application adopts a zoning model [Added]
  • T2280: Verify that a priority scheme for application services and operations is designed [Added]
  • T2281: Secure access control (GraphQL) [Added]
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
  • T2282: Test to confirm that unauthenticated parts of the application are accessible [Added]
  • T2283: Configure GraphQL correctly [Added]
    • P182: Improper Access Control (Authorization) [Updated]
      • INFO: Added a match condition for GraphQL.
    • I1500: Disable Introspection in PHP [Added]
    • I1501: Disable Introspection and GraphiQL in NodeJS [Added]
  • T2284: Prevent DoS attacks (GraphQL) [Added]

  • Deactivated Problems

    • P1109: Running privileged containers (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1113: Malformed requests (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1121: Active --insecure-experimental-approve-all-kubelet-csrs-for-group argument (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1124: Lack of Pod Security Policies (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1130: Set the --keep-terminated-pod-volumes argument to false (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1131: The --cadvisor-port argument is not set to 0 (Kubernetes) [INFO: Align with latest CIS Benchmark.]
    • P1527: Problem for Place compensating controls in the form of PSP and RBAC for privileged containers usage (Kubernetes) [INFO: Align with latest CIS Benchmark.]
  • Updated the following code scanner mappings

    • Checkmarx
  • Changes to Project Properties and Profiles

    • Q193: Components [Updated]
      • INFO: Updated title to "Q193: Components"
      • Q101: Components In Development [Updated]
        • INFO: Updated title to "Q101: Components In Development"
        • A5: Generic server [Updated]
          • INFO: Updated title to "A5: Generic server"
        • A8: Stand-alone [Updated]
          • INFO: Updated title to "A8: Stand-alone"
        • A194: Generic client [Updated]
          • INFO: Updated title to "A194: Generic client"
        • A713: Mobile app [Updated]
          • INFO: Updated title to "A713: Mobile app"
        • A1264: Microservice backend [Updated]
          • INFO: Updated title to "A1264: Microservice backend"
        • A1289: Frontend [Updated]
          • INFO: Updated children answers. Removed "Microservices - Code" and added "HTML5", "jQuery", "Uses iFrames", and "CORS"
      • Q253: Components In Use [Updated]
        • INFO: Updated title to "Q253: Components In Use"
    • Q194: Custom Components [Updated]
      • INFO: Updated title to "Q194: Custom Components"
    • Q196: Web Technologies
      • Q191: Web Client Technologies Used
        • A721: jQuery [Updated]
          • INFO: Added "Frontend" to match conditions
    • Q205: Geography
      • Q159: Organization is Subject to Laws of:
        • A1326: United Kingdom [Added]
    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A761: Expand the scope to include a server side in the application (not recommended) [Updated]
          • INFO: Moved it under "Q189: Internal Properties (Use this, for all hidden answers)"
        • A1079: Includes a web application component [Updated]
          • INFO: Moved it under "Q189: Internal Properties (Use this, for all hidden answers)"
        • A1100: ANSI/ISA 62443-3-3 [Updated]
          • INFO: Moved it under "Q189: Internal Properties (Use this, for all hidden answers)"
        • A1101: ANSI/ISA 62443-4-2 [Updated]
          • INFO: Moved it under "Q189: Internal Properties (Use this, for all hidden answers)"
        • A1263: This is an overarching project for designing and implementing security measures in the Microservices Ecosystem. (Select this if you are modeling the deployment of, or setting up the infrastructure for, microservices.) [Updated]
          • INFO: Moved it under "Q189: Internal Properties (Use this, for all hidden answers)"
    • Q249: Industrial Control Systems
      • Q250: In-Scope for ANSI/ISA 62443 or CSA/SSA-311 [Updated]
        • INFO: Updated title to "Q250: In-Scope for ANSI/ISA 62443 or CSA/SSA-311"
        • Q341: Component Type [Added]
          • A1321: Software Application [Added]
          • A1322: Embedded Device [Added]
          • A1323: Host Device [Added]
          • A1324: Network Device [Added]
        • A1319: ANSI/ISA 62443-4-2 or CSA 311 [Added]
        • A1320: ANSI/ISA 62443-3-3 or SSA 311 [Added]
    • Q330: Cloud
      • Q326: In-Scope for Cloud Controls Matrix (CCM) [Updated]
        • INFO: Updated title to "In-Scope for Cloud Controls Matrix (CCM)"
  • New Just-in-Time Training

    • Defending .NET 5 (11)
    • Defending AWS (16)
    • GDPR for Developers (16)

5.16

September 25, 2021

New features and enhancements

  • Read Only Projects

    • Introduced a new audit-friendly view of projects, where changes cannot be made to a project once it's locked. Projects return to an editable format when they are unlocked.
    • Added a project permission option to lock or unlock a project.
    • Added a menu option on the project list and project overview pages to lock or unlock a project.
    • Added an indicator on project pages to unlock locked projects.
    • Updated the project API to facilitate locking and unlocking a project.
    • Updated activity log entries to indicate who locked or unlocked a project and when.
    • Read-only projects can be carried over releases, archived, and deleted by a user with the appropriate permissions.
    • It is possible to view but not change read only project Task descriptions, Task tags, assigned users, last updated statuses, notes, and associated JITTs from the Task View page.
    • It is possible to view but not change read only project Problem descriptions, related Tasks, related Tasks statuses, and assigned users from the Problems View Page.
    • It is possible to view but not change read only project Survey answers submitted and history from the Project Survey page. It is also possible to add and view Survey comments for locked projects.
  • Integrations

    • Klocwork SAST Integration
      • Introduced Klocwork integration in SD Elements v5.16 with full functionality available in v5.17.
    • SonarQube integration now makes more efficient queries to SonarQube.
    • Integrations and Sync history can be viewed in a locked project but new syncs or integrations cannot be initiated when a project is locked into a read-only view.

Other product improvements

  • System
    • Fixed a bug where the "Automation" menu header was not visible on older System pages.
  • LDAP Synchronization
    • Fixed a bug where users were not synchronized due to a character casing mismatch between the group names in the SD Elements mapping and the LDAP instance.

Content additions and updates (as of August 31, 2021):

  • Compliance Regulations and Mappings

    • GDPR [INFO: Updated regulation description to include UK-GDPR.]
    • NIST 800-190
  • New Content Packs

    • Bluetooth/WiFi
  • T35: Fine-tune HTTP server settings [Updated]

    • INFO: Updated the text.
  • T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T37: Avoid DOM-based Cross-Site Scripting (XSS)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T48: HTML entity encode validation error messages
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T53: Prevent the upload of malicious files and malware [Updated]
    • INFO: Updated text to include latest guidance related to CSA-SSA 311.
  • T89: Test that site is not vulnerable to XSS
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T169: Test that the site is not vulnerable to DOM-based XSS
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T194: Obtain user consent for tracking cookies [Updated]
    • INFO: Added details on Global Privacy Control.
  • T258: Secure web (cross domain) messaging in HTML5
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T267: Minimize your exposure to common web-based attacks
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T319: Verify that web messaging is securely used
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T331: Enforce policies through content security policy (CSP) or XSS protection headers
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T332: Test that content security policy (CSP) headers are added
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T417: Avoid passing dynamic data to trustAs or bypassSecurityTrust functions
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T418: Use Angular's built-in sanitization for user output with limited code or markup
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T419: Make sure strict contextual escaping (SCE) is enabled in AngularJS
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T420: Prevent Client-Side Template Injection (CSTI)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T421: Verify if web page template is vulnerable to client side template injection (CSTI)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T422: Verify that built-in sanitization is used in Angular with limited code or markup
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T449: Manage the visibility of information and actions in iOS 3D touch preview window [Updated]
    • INFO: The previous solution was deprecated. Modified the solution regarding the latest iOS update.
  • T560: Sanitize any HTML input passed to dangerouslySetInnerHTML attribute
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T561: Verify that any HTML input passed to dangerouslySetInnerHTML attribute is sanitized
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T1380: Enforce secure user registration and access control [Updated]
    • INFO: Updated text to include latest guidance related to CSA-SSA 311.
  • T1463: Enable ahead-of-time (AOT) compilation for Angular applications (Angular)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T1464: Verify application compatibility with AOT compilation in Angular applications (Angular)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T1538: Avoid DOM-based Cross-Site Scripting (XSS) in Angular applications (Angular)
    • P632: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) [Updated]
      • INFO: Revised text for language.
  • T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware) [Updated]
    • INFO: Updated the text.
  • T2256: Authenticate and log all access to registries containing sensitive or proprietary images [Added]
    • P1650: Insufficient authentication for container registries [Added]
  • T2257: Keep host OS components up-to-date [Added]
    • P1651: Insufficient updates of host OS components [Added]
  • T2258: Minimize host OS attack surface [Added]

    • P1652: Large host OS attack surface [Added]
  • Changes to Project Properties and Profiles

    • Q206: Privacy
      • Q160: Handles Personal Data
        • Q224: Privacy Regulations
          • A1148: GDPR [Updated]
            • INFO: Updated tooltip.
  • New Just-in-Time Training

    • Azure (28)
    • React (13)
    • HIPAA (10)

5.15

July 31, 2021

New features and enhancements

  • Library

    • Problems
      • Added the ability to customize rules for built-in library Problems.
      • Added the ability to revert all customizations on a built-in library Problem.
    • Content Pack Selector
      • Updated the Content Pack Selector page to be hidden by default.
        • All content pack selection functionality remains available through the API.
        • Contact sdesupport@securitycompass.com to activate the Content Pack Selector page UI.
  • Risk Policy Widget redesign

    • Updated to show the percentage of Tasks in a project that are risk-compliant.

Other product improvements

  • Risk Policy
    • Fixed a bug where clicking the "Continue To Tasks" button on the Project Risk Policy page would navigate slowly to the Project Tasks page.

Content additions and updates (as of July 5, 2021):

  • Compliance Regulations and Mappings

    • CSA Cloud Controls Matrix (CCM) v4.0.1
  • T1880: Encrypt data at rest for Lambda functions (AWS)

    • I1287: How to encrypt data at rest for Lambda functions (AWS) [Updated]
      • INFO: Updated the text and language without changing the security content.
  • Changes to Project Properties and Profiles

    • Q204: Financial Systems
      • Q161: Payment Components
        • A132: In-scope for PCI-DSS [Updated]
          • INFO: Updated tooltip.
        • A784: In-scope for PA-DSS [Updated]
          • INFO: Updated tooltip.
      • Q229: Financial Regulations
        • A1246: In-scope for NYDFS Cybersecurity Regulation [Updated]
          • INFO: Updated tooltip.
        • A1254: In-scope for MAS-TRMG Guidelines [Updated]
          • INFO: Updated tooltip.
    • Q206: Privacy
      • Q160: Handles Personal Data
        • A130: Yes [Updated]
          • INFO: Updated tooltip.
        • Q224: Privacy Regulations
          • A746: PIPEDA [Updated]
            • INFO: Updated tooltip.
          • A747: GAPP [Updated]
            • INFO: Updated tooltip.
          • A750: ECPA [Updated]
            • INFO: Updated tooltip.
          • A1148: GDPR [Updated]
            • INFO: Updated tooltip.
          • A1255: CCPA [Updated]
            • INFO: Updated tooltip.
      • Q236: In-Scope with Children's Privacy Compliance
        • Q238: In-Scope for COPPA Compliance
          • A780: Yes [Updated]
            • INFO: Updated tooltip.
        • A779: Yes [Updated]
          • INFO: Updated tooltip.
    • Q237: Compliance Scope: Other
      • Q225: Types of Emails Sent by the Application
        • A752: Advertisement or other solicitation emails [Updated]
          • INFO: Updated tooltip.
      • Q325: In-Scope for ISO 27001 Compliance
        • A1267: Yes [Updated]
          • INFO: Updated tooltip.
      • Q334: MASVS Level
        • A1296: Level 2 [Updated]
          • INFO: Updated tooltip.
        • A1297: R [Updated]
          • INFO: Updated tooltip.
      • Q336: In-Scope for China Cybersecurity Law
        • A1308: Yes [Updated]
          • INFO: Updated tooltip.
    • Q254: Health Care Systems
      • Q223: Health Regulations
        • A145: In-scope for HIPAA compliance [Updated]
          • INFO: Updated tooltip.
    • Q330: Cloud
      • Q319: In-Scope for FedRAMP Compliance
        • A1247: Yes [Updated]
          • INFO: Updated tooltip.
      • Q326: In-Scope for Cloud Security Matrix (CCM)
        • A1268: Yes [Updated]
          • INFO: Updated tooltip.
    • Q331: US Federal and NIST
      • Q265: In-Scope for NIST 800-53 Compliance
        • A1107: Yes [Updated]
          • INFO: Updated tooltip.
      • Q328: In-Scope for CMMC
        • A1275: Yes [Updated]
          • INFO: Updated tooltip.
      • Q333: In-Scope for NIST Cybersecurity Framework
        • A1290: Yes [Updated]
          • INFO: Updated tooltip.
      • Q337: In-Scope for CNSSI Controls [Updated]
        • INFO: Updated tooltip.
        • A1309: Baseline [Updated]
          • INFO: Updated tooltip.
        • A1310: Overlays [Updated]
          • INFO: Updated tooltip.
  • New Just-in-Time Training

    • Defending iOS (32 JITTs)
    • Mobile Security Fundamentals (12 JITTs)

5.14

June 19, 2021

New features and improvements

  • Library

    • Added the ability for Problems to be customized in the UI.
    • Import / Export
      • Added the ability to import and export Compliance Regulations and their Sections.
        • Only available to a few SaaS customers as a beta release.
      • Updated JSON and YAML exported field orders to match CSV and XLSX.
    • Project Overview
      • Added the ability for the Task completion widget to be filtered by Risk Policy.
  • Project Tasks

    • Added labels for Task status in the list view, accordion expansion view, and Task detailed view.
    • Added the ability to select individual Tasks via the API when accepting new content updates. This was formerly restricted to accepting all changes or none in the UI.
  • Dashboard

    • Added the ability for the Activities Widget to track creating and modifying Business Units and applications, and archiving and unarchiving applications.
    • Added a new search filter for project and application tags.

Other product improvements

  • Account settings

    • Fixed a bug related to password recovery questions.
  • Project Problems

    • Fixed a bug where a related manually added library Problem was not added to a project when a manually added library Task was added.
  • Reporting

    • Fixed an issue with Risk Policy Reports not showing the correct percentage of completed Tasks when filtering by regulation.
    • Updated Risk Policy Reports to show zero tasks for incomplete surveys.

Content additions and updates (as of May 25, 2021):

  • Compliance Regulations and Mappings

    • Secure Controls Framework (SCF)
  • New Content Packs

    • SCF
  • T29: Use anti-Cross-Site Request Forgery (CSRF) tokens [Updated]

    • INFO: Updated links to the OWASP cheat sheet and community web site.
  • T186: Use recommended settings and the latest patches for third party libraries and software
    • I296: Rails [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I297: Django [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I298: Spring Framework [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I299: Struts [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I300: Apache Tomcat [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I361: GnuTLS [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I362: OpenSSL [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I363: Apache HTTP Server [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I364: Apache Wicket [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I365: Apache MyFaces [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I366: Java [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I381: Bouncy Castle [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I432: Unix/Linux Bash [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I481: AFNetworking Library [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I503: Node.js [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I504: AngularJS/Angular [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I972: Docker [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I1040: jQuery [Deactivated]
      • INFO: Removed T186 HowTo's.
    • I1495: Using SCA tools to keep third-party libraries up-to-date [Added]
  • T270: Follow best practices for storing application data on Android devices
    • I402: Android storage options and considerations [Updated]
      • INFO: Updated the text to include the latest guidance.
  • T271: Prevent access to Android components if they do not need external communication [Updated]
    • INFO: Updated text to include the latest guidance.
    • I404: Disabling external access to Android components [Updated]
      • INFO: Updated the text.
  • T289: Verify that access to Android components is properly restricted [Updated]
    • INFO: Updated text to include the latest guidance.
  • T440: Follow best practices when managing Android permissions [Updated]
    • INFO: Updated text to include the latest guidance.
  • T2250: Implement secure authentication for connections (Bluetooth)
    • P1646: Poor authentication in wireless technologies [Updated]
      • INFO: Updated the text to include the latest guidance on wireless technologies.
  • T2251: Implement secure authentication for connections (WiFi) [Added]
    • P1646: Poor authentication in wireless technologies [Updated]
      • INFO: Updated the text to include the latest guidance on wireless technologies.
  • T2253: Use AES encryption in CCMP mode when WPA is applied (WiFi) [Added]
  • T2254: Use the most robust Security Operation Mode (WiFi) [Added]
    • P1648: Weak authentication in PSK Mode [Added]
  • T2255: Protect personally identifiable information in wireless devices [Added]

    • P1649: Lack of privacy protection in wireless technologies [Added]
  • Changes to Project Properties and Profiles

    • Q197: Java Technologies
      • Q147: Third-Party Libraries Used
        • A165: Spring [Updated]
          • INFO: Removed Java EE / A97 from Match Conditions.
    • Q276: Network Layer
      • Q339: Wireless Protocols Used
        • Q340: WiFi Persona [Added]
          • A1317: Client [Added]
          • A1318: Provider [Added]
        • A1316: WiFi [Added]
  • New Just-in-Time Training

    • Defending Android
    • Cloud Security Fundamentals

5.13

May 8, 2021

New features and improvement

  • Reporting

    • Project Compliance Report
      • Added a checkbox for “Include Out of Scope Tasks” to filter or include out of scope tasks from the report.
  • Dashboard (new)

    • Added the ability for Widgets to be filtered by application with a dropdown under the date range filter.
  • Library Import/Export
    • Added a Rules field to the import and export of Answers.

Other product improvements

  • Library Answers
    • Fixed an issue where editing Answers from the Library Question page caused the Answer field to change size.

Content additions and updates (as of April 12, 2021):

  • T194: Obtain user consent for tracking cookies
    • TA3498: CNIL Cookie Guidelines (French Data Protection Authority) [Added]
  • T217: Use compiler settings to mitigate buffer overflows [Updated]
    • Updated the text.
  • T2211: Include firmware update mechanism/feature (Hardware/Firmware)
    • TA3497: Patch and upgrade software and firmware regularly (Bluetooth) [Added]
  • T2246: Use correct and approved cryptographic parameters and key lengths (Bluetooth) [Added]
  • T2247: Use the strongest Security Mode and Level in devices (Bluetooth) [Added]
    • P1644: Improper implementation of Bluetooth security features [Added]
  • T2248: Provide appropriate range and power controls for secure communication (Bluetooth) [Added]
    • P1645: Using a fixed frequency or high power levels for Bluetooth communication [Added]
  • T2249: Enforce strongest association model in Secure Simple Pairing (SSP) (Bluetooth) [Added]
    • P1644: Improper implementation of Bluetooth security features [Added]
  • T2250: Implement secure authentication for connections (Bluetooth) [Added]

    • P1646: Poor authentication in wireless technologies [Added]
  • Updated T186 with the latest security patch levels for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • Apache Wicket
    • Apache MyFaces
    • Java
    • Unix/Linux Bash
    • Node.js
    • AngularJS/Angular
    • Docker
  • Updated the following code scanner mappings

    • Checkmarx
    • WhiteHat
  • Changes to Project Properties and Profiles

    • Q276: Network Layer
      • Q339: Wireless Protocols Used [Added]
        • Q338: Bluetooth Persona [Added]
          • A1312: Developer [Added]
          • A1313: Manufacturer [Added]
        • A1314: Bluetooth [Added]
  • New Just-in-Time Training

    • Privacy Fundamentals
    • Defending Docker

5.12

New features and improvements

  • Project Survey Comments

    • Added a new icon to each individual question on the project survey. Clicking on the icon opens up a new survey comments popover that displays all comments added to that question.
    • The popover also contains an input field that users can use to create new comments. Each comment can be edited until the survey is saved or locked.
    • A comment can be pinned to a question by clicking on the pin icon located on each comment. Pinning a comment displays that particular comment directly on the survey below the question.
    • Known issues:
      • When editing or creating a comment, clicking on the edit icon again will cause all changes to be lost without warning.
      • Excessively long comments with no whitespace are pushed out and not displayed properly.
      • A double scroll bar is shown when a comment being created or edited is longer than 8 lines of text.
      • Clicking ‘Cancel’ while creating or editing a comment cancels without a warning.
  • Dashboard

    • The CSV exports of Dashboard widgets now display a drilldown report of the data in the widget instead of aggregate counts.
    • The ‘Active Entities’ widget has been renamed to ‘Activities’.
    • The Activities and Active Projects widgets now show data from the last 12 months by default (changed from last 3 months).
    • Widgets with no data show an empty state:
    • The CSV export button is disabled.
    • Widgets show a message indicating there is no data.
    • Date Filtering
  • Added a date filter to the Dashboard.
  • Click on the Filter button on the Dashboard to open a panel with date range options for the filter. The filter is applied to all widgets on the dashboard.
  • Note: Dashboard is available only to SaaS and OSD customers on a container deployment.

  • Problems View

    • Added a filter for filtering out problems with no related Tasks.
    • Added a release carry over option for Project Specific Problems on the release carry over dialog.
    • Added an option to carry over the Task status of related Tasks for Project Specific Problems.
    • Added implicit release carry over behavior for Problems:
      • When a user selects retaining phases, all the status and notes of Tasks in that phase and their related Problems are carried over in the release project.
      • When a user selects Project specific Tasks retention, then the Project Specific Problems related to those Tasks are carried over in the release project.
    • Added BU level behavior changes for Problems carry over.
    • Added front-end messaging changes to indicate the release carry over for Problems.
  • Library Improvements

    • Changed the default export file type to .csv format.
    • Added copy improvements on import and export pages.
    • Content item uuid uniqueness is now enforced.
    • Rules field added to the import and export of the following content items:
      • Section
      • Subsection
      • Question
    • Django multi import now supports multiple passes of saving. This allows for importing content items with bi-directional relationships.
  • Permissions and Roles

    • Added the following global permissions:
      • View_all_business_unit: allows the user to view all business units.
      • sync_with_all_issue_tracker: allows the user to sync with an issue tracker to any project they have access to.
      • write_all_task_note: allows the user to write Task notes to any project they have access to.
      • verify_all_task: allows the user to verify Tasks to any project they have access to.
      • mark_all_task: allows the user to mark a Task status to any project they have access to.
  • A new global role was added:

    • Sync Service: a user with this role can perform an issue tracker or verification tool sync with any project in the organization. This does not include LDAP sync.
  • Problem Summary Report (Project Reports)

    • Added a risk policy filter checkbox to filter the report by risk relevant Tasks only.
  • Integrations

    • JIRA Issue Tracker Plugin
      • Added support for using account IDs for JIRA user fields. JIRA has deprecated the usage of email addresses in user fields like ‘Assignee’. Integrations using email addresses need to switch to using the user’s account ID.
    • Fortify Verification Tool Plugin
      • Added support for API Tokens to support Fortify v20 and later.
    • Added support for Twistlock Infrastructure Scanner.

Content additions and updates (as of February 23, 2021):

  • T181: Validate models explicitly for fields the user is allowed to update
    • I323: Rails (v3.0 and later) [Updated]
      • INFO: Updated title and text to reflect the changes in the new version.
    • I1487: Rails (v3.0 and later) [Deactivated]
      • INFO: Removed as the content is covered and updated in I323.
  • T371: Provide unified and manageable interfaces for security settings and configuration parameters
    • INFO: Updated text to fix a typo.
  • T2170: Ensure personal data processed by the application meets data localization requirements

    • TA3485: China Cybersecurity Law (Article 37) – Data Localization [Updated]
      • INFO: Added new Match Condition "Yes - cce:/Operational Context:Compliance:China Cyber Law required, none excluded."
  • Updated T186 with the latest security patch levels for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • OpenSSL
    • Apache Wicket
    • Apache MyFaces
    • Java
    • Bouncy Castle
    • Node.js
    • AngularJS/Angular
    • Docker
    • jQuery
  • Changes to Project Properties and Profiles

    • Q331: US Federal and NIST
      • Q337: In-Scope for CNSSI Controls [Added]
        • A1309: Baseline [Added]
        • A1310: Overlays [Added]

5.11

New features and improvements

  • New Dashboard

    • For administrators and users with the new View Analytics permission, a new Dashboard experience is accessible in the Reporting menu.
  • Project Relationship page

    • Added a new table that can be toggled via the new Relationships Icon on the Applications page.
    • The new table indicates a project's parent project, base project in the Application, and whether it is a release project.
  • Project Overview page

    • The page now shows two new fields:
      • Base Project: The base project of a release project
      • release: A flag indicating if the current project is a release project
  • Library Import and Export

    • Added support for importing and exporting survey sections, questions, and answers.
      • This does not include the import and export of rules.
    • Task import is no longer possible with a Project Specific Problem's ID.
  • Third party attributions page

    • Added a page that lists third-party sources for the SD Elements Content Library.

Other product improvements

  • Accessibility

    • Improved the contrast of user avatars.
      • Fixed a scrolling issue on tooltips where the survey page would scroll instead of the tooltip text.
      • Fixed an issue where the notes for a Task in a project did not display until another tab was selected.
  • API Changes

    • Added support for upcoming improvements to reporting on Business Unit, Application, Project, Task, and Problem metrics.
    • Projects model and 'api/v2/projects/' have new boolean flag field 'release_project'.
  • Domain Length

    • Increased Domain Length from 50 characters to 100.
  • How-Tos Import/Export

    • Fixed a slug error preventing users from importing custom How-Tos.
    • Fixed a slug error where the field displayed longer exported/imported values for How-Tos.
  • Integrations

    • Fixed an issue with syncing SAST findings in Whitehat.
    • Fixed an issue where the global integration connection form became uneditable.
    • Fixed an issue where certain AppScan findings were not being synced.
    • Fixed an issue where some JIRA instances with next-gen projects encountered 400 errors when syncing.
    • Fixed an issue where Checkmarx syncs would error if the scan's timestamp was in an unexpected format.
    • Note: Remote Integration Agent users must redeploy with the latest version to apply all fixes.
  • Project Specific Problems (PSPs) in different projects

    • Fixed an issue where PSPs in different projects could not have the same title.
    • Fixed an issue where if a Task were imported with a Problem Specific Problem as its Problem, the application would not correctly provide a warning.
  • Library Tasks detail page

    • Fixed an issue where the full text of a Problem's description was not visible within the view of an associated Task.
  • Training Modules

    • Fixed a 404 issue found on newer training modules.
  • Training Report

    • Fixed a 504 timeout issue when generating the report on an instance with large amounts of training data.

Content additions and updates (as of January 18, 2021):

  • Compliance Regulations and Mappings

    • China Cybersecurity Law
    • NIST 800-53 Rev. 5
    • NIST 800-53B [New "High", "Moderate", "Low" and "Privacy" baselines.]
    • ISO 27001:2013 [Updated the mapping.]
  • New Content Packs

    • China Cyber Law
  • T7: Salt and hash stored passwords [Updated]

    • Updated the recommendations about the salt storage.
  • T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
    • Deleted Match Conditions "Changes Since Last Release - Changes to inbound/outbound interfaces (OR) Changes Since Last Release - Changes to servers/frameworks and/or configuration".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T59: Use standard libraries for cryptography
    • TA3490: Follow cryptography best practices (Hardware/Firmware) [Added]
  • T87: Verify that all data in transit is encrypted using a secure TLS channel [Updated]
    • Deleted Match Conditions "Changes Since Last Release - Changes to inbound/outbound interfaces (OR) Changes Since Last Release - Changes to servers/frameworks and/or configuration".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T146: Use encryption for network communications in mobile environments [Updated]
    • Updated Match Conditions from "Type of Application - Mobile client AND Changes Since Last Release - Changes to inbound/outbound interfaces" to "Type of Application - Mobile client".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T151: Use cryptographically secure random numbers
    • TA3491: Ensure a true random number generator is specified and implemented (Hardware/Firmware) [Added]
  • T173: Test that user data is transmitted over secure channel in mobile environment [Updated]
    • Updated Match Conditions from "Type of Application - Mobile client AND Changes Since Last Release - Changes to inbound/outbound interfaces" to "Type of Application - Mobile client".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T205: Avoid inter-process race conditions
    • TA3494: Follow best practices to avoid Race Conditions (Hardware/Firmware) [Added]
  • T210: Encrypt sensitive data during transmission for rich clients [Updated]
    • Updated Match Conditions from "Changes Since Last Release - Changes to inbound/outbound interfaces AND Type of Application - Rich client" to "Type of Application - Rich client".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T244: Securely delete any unprotected sensitive data before a resource is released or shared
    • TA3487: Remove sensitive information before releasing resources (Hardware/Firmware) [Added]
    • TA3492: Prevent improper scrubbing of sensitive data from decommissioned devices (Hardware/Firmware) [Added]
    • TA3493: Prevent sensitive data exposure due to Debug/Power State Transition (Hardware/Firmware) [Added]
    • TA3496: Safeguard against confidentiality breach of sensitive remanent data [Added]
  • T302: Test that sensitive data is transmitted over secure channel for rich clients [Updated]
    • Updated Match Conditions from "Changes Since Last Release - Changes to inbound/outbound interfaces AND Type of Application - Rich client" to "Type of Application - Rich client".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T327: Review security of Node.js modules before installation [Updated]
    • Updated the hyperlinks and added a note about the usage of the npm-audit tool instead of Node Security Platform.
  • T379: Provide sufficient documentation for security-related features
    • TA3495: Restrict undocumented and non-transparent resource sharing of microarchitectural resources (Hardware/Firmware) [Added]
  • T394: Secure one-time passwords (OTP) [Updated]
    • Updated the recommendations about the salt storage.
  • T521: Protect the ZigBee network infrastructure with a Network Key [Updated]
    • Updated Match Conditions from "Low-Power Protocols Used - ZigBee AND Changes Since Last Release - Changes to servers/frameworks and/or configuration" to "Low-Power Protocols Used - ZigBee".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T529: Verify that a Network Key is utilized in the ZigBee network [Updated]
    • Updated Match Conditions from "Low-Power Protocols Used - ZigBee AND Changes Since Last Release - Changes to servers/frameworks and/or configuration" to "Low-Power Protocols Used - ZigBee".
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T538: Disable or protect JTAG interfaces in production
    • TA3489: Ensure that password checking logic is resistant to timing attacks (Hardware/Firmware) [Added]
  • T540: Restrict direct memory access
    • TA3488: Use IOMMU to orchestrate IO access (Hardware/Firmware) [Added]
  • T566: Enable network layer encryption for local area network communications [Updated]
    • Updated Match Conditions. See Match Conditions footnotes for more details.
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T590: Verify that network layer encryption is enabled for local area network communications [Updated]
    • Updated Match Conditions. See Match Conditions footnotes for more details.
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T620: Use SSL/TLS offloading, encryption and certificates with NGINX
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T875: Secure Apache SSL/TLS (Apache HTTP Server)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T876: Verify Apache SSL/TLS configuration (Apache HTTP Server)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T908: Require SSL/TLS for 'forms authentication' (Microsoft IIS)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T910: Configure transport layer security for 'basic authentication' (Microsoft IIS)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T942: Test that 'forms authentication' require SSL/TLS (Microsoft IIS)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T944: Test that transport layer security for 'basic authentication' is configured (Microsoft IIS)
    • P216: Clear Text and Unencrypted Transmission of Information [Updated]
      • Updated Match Conditions. See Match Conditions footnotes for more details.
  • T1915: Perform network vulnerability assessment
    • TA3486: China Cybersecurity Law (Article 21) – Multi-Level Protection Scheme (MLPS) [Added]
  • T1925: Maintain the default behavior for anonymous access (OpenShift) [Updated]
    • Updated text and title.
    • P1440: Changing default behavior for anonymous access (OpenShift) [Updated]
      • Updated text and title.
  • T1926: Verify that the default behavior for anonymous access is maintained (OpenShift) [Updated]
    • Updated text and title.
    • P1440: Changing default behavior for anonymous access (OpenShift) [Updated]
      • Updated text and title.
  • T1927: Disable basic-auth-file method (OpenShift) [Updated]
    • Updated text and title.
    • P1441: Using static passwords (OpenShift) [Updated]
      • Updated text and title.
  • T1928: Verify that the basic-auth-file option has not been configured (OpenShift) [Updated]
    • Updated text and title.
    • P1441: Using static passwords (OpenShift) [Updated]
      • Updated text and title.
  • T1929: Secure communication between API server and master nodes (OpenShift) [Updated]
    • Updated text and title.
    • P1442: Unsecure connection between API server and node/kubelet (OpenShift) [Updated]
      • Updated text and title.
    • I1308: OpenShift: How to see the cert and key used by the API server to sign service account tokens: [Updated]
  • T1930: Verify that the connection between API server and master node is secure (OpenShift) [Updated]
    • Updated text and title.
    • P1442: Unsecure connection between API server and node/kubelet (OpenShift) [Updated]
      • Updated text and title.
  • T1931: Prevent insecure bindings and insecure port access (OpenShift) [Updated]
    • Updated text and title.
    • P1443: Insecure binding or port access for API server (OpenShift) [Updated]
      • Updated text and title.
  • T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift) [Updated]
    • Updated text and title.
    • P1443: Insecure binding or port access for API server (OpenShift) [Updated]
      • Updated text and title.
  • T1933: Do not disable secure-port for API server traffic (OpenShift) [Updated]
    • Updated text and title.
    • P1444: Disabled secure-port flag (OpenShift) [Updated]
      • Updated text and title.
    • I1310: OpenShift: How to make sure 'secure-port' is not disabled [Updated]
  • T1934: Verify that 'secure-port' is not disabled (OpenShift)
    • P1444: Disabled secure-port flag (OpenShift) [Updated]
      • Updated text and title.
  • T1939: Disable AlwaysAdmit admission controller (OpenShift) [Updated]
    • Updated text and title.
    • P1447: Active AlwaysAdmit admission controller (OpenShift) [Updated]
      • Updated text and title.
    • I1313: OpenShift: How to disable 'AlwaysAdmit' admission controller [Updated]
  • T1940: Verify that AlwaysAdmit admission controller is disabled (OpenShift) [Updated]
    • Updated text and title.
    • P1447: Active AlwaysAdmit admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1941: Disable the AlwaysPullImages admission control plugin (OpenShift) [Updated]
    • Updated text and title.
    • P1448: Active AlwaysPullImages admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1942: Verify that the admission control plugin AlwaysPullImages is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1448: Active AlwaysPullImages admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1943: Use Security Context Constraints instead of SecurityContextDeny admission controllers (OpenShift) [Updated]
    • Updated text and title.
    • P1449: Using DenyEscalatingExec or SecurityContextDeny admission controllers (OpenShift) [Updated]
      • Updated text and title.
  • T1944: Verify that the list of admission controllers does not include SecurityContextDeny (OpenShift) [Updated]
    • Updated text and title.
    • P1449: Using DenyEscalatingExec or SecurityContextDeny admission controllers (OpenShift) [Updated]
      • Updated text and title.
  • T1945: Do not disable NamespaceLifecycle admission controller (OpenShift) [Updated]
    • Updated text and title.
    • P1450: Disabled NamespaceLifecycle admission controller (OpenShift) [Updated]
      • Updated text and title.
    • I1316: OpenShift: How to make sure 'NamespaceLifecycle' plugin is not disabled [Updated]
  • T1946: Verify that the NamespaceLifecycle plugin is not disabled (OpenShift) [Updated]
    • Updated text and title.
    • P1450: Disabled NamespaceLifecycle admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1947: Configure auditing properly on the API server (OpenShift) [Updated]
    • Updated text and title.
    • P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift) [Updated]
      • Updated text and title.
  • T1948: Verify that API server auditing is configured properly (OpenShift) [Updated]
    • Updated text and title.
    • P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift) [Updated]
      • Updated text and title.
  • T1949: Do not set authorization-mode flag (OpenShift) [Updated]
    • Updated text and title.
    • P1452: Using authorization-mode flag (OpenShift) [Updated]
      • Updated text and title.
    • I1317: OpenShift: How to make sure 'authorization-mode' is not set [Updated]
  • T1950: Verify that the authorization-mode argument is not set to AlwaysAllow and Node authorizer is enabled (OpenShift) [Updated]
    • Updated text and title.
    • P1452: Using authorization-mode flag (OpenShift) [Updated]
      • Updated text and title.
  • T1951: Do not use static token files for authentication (OpenShift) [Updated]
    • Updated text and title.
    • P1453: Using static token files (OpenShift) [Updated]
      • Updated text and title.
    • I1318: OpenShift: How to make sure static token files are not used [Updated]
  • T1952: Verify that static token files are not used (OpenShift) [Updated]
    • Updated text and title.
    • P1453: Using static token files (OpenShift) [Updated]
      • Updated text and title.
  • T1953: Ensure that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1454: Using service-account-lookup or service-account-key-file arguments (OpenShift) [Updated]
      • Updated text and title.
    • I1319: OpenShift: How to see public/private keys used by the API server to sign service account tokens [Updated]
  • T1954: Verify that the service-account-lookup and service-account-key-file arguments are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1454: Using service-account-lookup or service-account-key-file arguments (OpenShift) [Updated]
      • Updated text and title.
  • T1955: Do not enable PodSecurityPolicy admission control plugin (OpenShift) [Updated]
    • Updated text and title.
    • P1455: Enabling PodSecurityPolicy and SecurityContextConstraints at the same time (OpenShift) [Updated]
      • Updated text and title.
  • T1956: Verify that the admission control plugin SecurityContextConstraint is set (OpenShift)
    • P1455: Enabling PodSecurityPolicy and SecurityContextConstraints at the same time (OpenShift) [Updated]
      • Updated text and title.
  • T1957: Ensure that etcd arguments are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1456: Unsecure communication to etcd (OpenShift) [Updated]
      • Updated text and title.
    • I1321: OpenShift: How to see the cert and key used by the API server for etcd communication [Updated]
  • T1958: Verify that etcd arguments are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1456: Unsecure communication to etcd (OpenShift) [Updated]
      • Updated text and title.
  • T1959: Do not disable ServiceAccount admission controller (OpenShift) [Updated]
    • Updated text and title.
    • P1457: Inactive ServiceAccount admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1960: Verify that the admission control plugin ServiceAccount is set (OpenShift) [Updated]
    • Updated text and title.
    • P1457: Inactive ServiceAccount admission controller (OpenShift) [Updated]
      • Updated text and title.
  • T1961: Ensure that the admission control plugin NodeRestriction is enabled (OpenShift) [Updated]
    • Updated text and title.
    • P1458: Disabled NodeRestriction admission plugin (OpenShift) [Updated]
      • Updated text and title.
  • T1962: Verify that the admission control plugin NodeRestriction is set (OpenShift) [Updated]
    • Updated text and title.
    • P1458: Disabled NodeRestriction admission plugin (OpenShift) [Updated]
      • Updated text and title.
  • T1963: Encrypt data at rest in etcd datastore with aescbc encryption (OpenShift) [Updated]
    • Updated text and title.
    • P1459: Unencrypted data on etcd (OpenShift) [Updated]
      • Updated text and title.
  • T1964: Verify data at rest on etcd datastore is encrypted with aescbc encryption provider (OpenShift) [Updated]
    • Updated text and title.
    • P1459: Unencrypted data on etcd (OpenShift) [Updated]
      • Updated text and title.
  • T1965: Enable the APIPriorityAndFairness feature gate (OpenShift) [Updated]
    • Updated text and title.
    • P1460: No rate limit for requests to API server (OpenShift) [Updated]
      • Updated text and title.
  • T1966: Verify that the APIPriorityAndFairness feature gate is enabled (OpenShift) [Updated]
    • Updated text and title.
    • P1460: No rate limit for requests to API server (OpenShift) [Updated]
      • Updated text and title.
  • T1967: Adjust the request timeout value (OpenShift) [Updated]
    • Updated text and title.
    • P1461: Inappropriate request timeout value (OpenShift) [Updated]
      • Updated text and title.
    • I1323: OpenShift: How to change the 'request-timeout' value [Updated]
  • T1968: Verify that request timeout is set to an appropriate value (OpenShift) [Updated]
    • Updated text and title.
    • P1461: Inappropriate request timeout value (OpenShift) [Updated]
      • Updated text and title.
  • T1971: Adjust the terminated-pod-gc-threshold argument as needed (OpenShift) [Updated]
    • Updated text and title.
    • P1463: Inappropriate terminated-pod-gc-threshold value (OpenShift) [Updated]
      • Updated text and title.
  • T1972: Verify that the terminated-pod-gc-threshold and eviction arguments are set as appropriate (OpenShift) [Updated]
    • Updated text and title.
    • P1463: Inappropriate terminated-pod-gc-threshold value (OpenShift) [Updated]
      • Updated text and title.
  • T1973: Do not disable use-service-account-credentials argument (OpenShift) [Updated]
    • Updated text and title.
    • P1464: Disabling use-service-account-credentials argument (OpenShift) [Updated]
      • Updated text and title.
    • I1325: OpenShift: How to make sure 'use-service-account-credentials' is not disabled [Updated]
  • T1974: Verify that use-service-account-credentials is not disabled (OpenShift) [Updated]
    • Updated text and title.
    • P1464: Disabling use-service-account-credentials argument (OpenShift) [Updated]
      • Updated text and title.
  • T1975: Do not change the default setting for service-account-private-key-file (OpenShift) [Updated]
    • Updated text and title.
    • P1465: Changing the default service-account-private-key-file (OpenShift) [Updated]
      • Updated text and title.
    • I1326: OpenShift: How to make sure the 'service-account-private-key-file' argument is not set [Updated]
  • T1976: Verify that the service-account-private-key-file argument is properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1465: Changing the default service-account-private-key-file (OpenShift) [Updated]
      • Updated text and title.
  • T1977: Ensure that root-ca-file is properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1466: Changing the default root-ca-file (OpenShift) [Updated]
      • Updated text and title.
    • I1327: OpenShift: How to make sure 'root-ca-file' argument is not set [Updated]
  • T1978: Verify that the root-ca-file argument is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1466: Changing the default root-ca-file (OpenShift) [Updated]
      • Updated text and title.
  • T1979: Never give pods more privileges than required (OpenShift) [Updated]
    • Updated text and title.
    • P1467: Giving unnecessary privileges to the pods (OpenShift) [Updated]
      • Updated text and title.
  • T1980: Verify that Security Context Constraints get applied (OpenShift) [Updated]
    • Updated text and title.
    • P1467: Giving unnecessary privileges to the pods (OpenShift) [Updated]
      • Updated text and title.
  • T1981: Enable the RotateKubeletServerCertificate feature gate (OpenShift) [Updated]
    • Updated text and title.
    • P1468: Lack of certificate rotation (OpenShift) [Updated]
      • Updated text and title.
    • I1328: OpenShift: How to rotate certificates [Updated]
  • T1982: Verify that RotateKubeletServerCertificate is set to true (OpenShift) [Updated]
    • Updated text and title.
    • P1468: Lack of certificate rotation (OpenShift) [Updated]
      • Updated text and title.
  • T1983: Set permissions for sensitive files properly (OpenShift) [Updated]
    • Updated text and title.
    • P1469: Improper permissions for sensitive files (OpenShift) [Updated]
      • Updated text and title.
    • I1329: OpenShift: How to set the permissions for the configuration files [Updated]
  • T1984: Verify the permissions for the configuration files (OpenShift) [Updated]
    • Updated text and title.
    • P1469: Improper permissions for sensitive files (OpenShift) [Updated]
      • Updated text and title.
  • T1985: Secure etcd communication (OpenShift) [Updated]
    • Updated text and title.
    • P1470: Unsecure etcd communication (OpenShift) [Updated]
      • Updated text and title.
  • T1986: Verify that etcd communication is secure (OpenShift) [Updated]
    • Updated text and title.
    • P1470: Unsecure etcd communication (OpenShift) [Updated]
      • Updated text and title.
  • T1987: Follow the principle of least privilege (OpenShift) [Updated]
    • Updated text and title.
    • P1471: Granting excessive permissions (OpenShift) [Updated]
      • Updated text and title.
    • I1493: OpenShift: How to remove 'cluster-admin' role from 'clusterrolebindings' [Added]
  • T1988: Verify that the cluster-admin role is only used where required (OpenShift) [Updated]
    • Updated text and title.
    • P1471: Granting excessive permissions (OpenShift) [Updated]
      • Updated text and title.
  • T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift) [Updated]
    • Updated text and title.
    • P1472: Loose access constraints for pods (OpenShift) [Updated]
      • Updated text and title.
  • T1990: Verify Security Context Constraints as in use (OpenShift) [Updated]
    • Updated text and title.
    • P1472: Loose access constraints for pods (OpenShift) [Updated]
      • Updated text and title.
  • T1991: Restrict access to projects only to the required users (OpenShift) [Updated]
    • Updated text and title.
    • P1473: Excessive access to projects (OpenShift) [Updated]
      • Updated text and title.
  • T1992: Verify that only required users are assigned to projects (OpenShift) [Updated]
    • Updated text and title.
    • P1473: Excessive access to projects (OpenShift) [Updated]
      • Updated text and title.
  • T1995: Enable and configure seccomp (OpenShift) [Updated]
    • Updated text and title.
    • P1475: Running containers with unconfined seccomp settings (OpenShift) [Updated]
      • Updated text and title.
  • T1996: Verify that Security Context Constraints have been configured with seccomp (OpenShift)
    • P1475: Running containers with unconfined seccomp settings (OpenShift) [Updated]
      • Updated text and title.
  • T1997: Manage image provenance using ImagePolicy plugin (OpenShift) [Updated]
    • Updated text and title.
    • P1476: Lack of control on images run in a cluster (OpenShift) [Updated]
      • Updated text and title.
    • I1330: OpenShift: How to edit the 'image.config.openshift.io/cluster' to configure Image Provenance [Updated]
  • T1998: Verify image policy configuration (OpenShift) [Updated]
    • Updated text and title.
    • P1476: Lack of control on images run in a cluster (OpenShift) [Updated]
      • Updated text and title.
  • T1999: Implement strong network policies (OpenShift) [Updated]
    • Updated text and title.
    • P1477: Lack of network access control (OpenShift) [Updated]
      • Updated text and title.
    • I1492: OpenShift: How to create a network policy and and add proper NetworkPolicy objects [Added]
  • T2000: Verify network policies (OpenShift) [Updated]
    • Updated text and title.
    • P1477: Lack of network access control (OpenShift) [Updated]
      • Updated text and title.
  • T2001: Limit the use of privileged containers (OpenShift) [Updated]
    • Updated text and title.
    • P1478: Using privileged containers (OpenShift) [Updated]
      • Updated text and title.
  • T2002: Verify the usage of privileged containers (OpenShift) [Updated]
    • Updated text and title.
    • P1478: Using privileged containers (OpenShift) [Updated]
      • Updated text and title.
  • T2005: Do not enable the anonymous-auth flag (OpenShift) [Updated]
    • Updated text and title.
    • P1480: Setting the anonymous-auth flag to true (OpenShift) [Updated]
      • Updated text and title.
  • T2006: Verify that the anonymous-auth argument is set to false (OpenShift) [Updated]
    • Updated text and title.
    • P1480: Setting the anonymous-auth flag to true (OpenShift) [Updated]
      • Updated text and title.
  • T2007: Do not set the authorization-mode argument (OpenShift) [Updated]
    • Updated text and title.
    • P1481: Setting the authorization-mode argument (OpenShift) [Updated]
      • Updated text and title.
  • T2008: Verify that the authorization-mode argument is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1481: Setting the authorization-mode argument (OpenShift) [Updated]
      • Updated text and title.
  • T2009: Do not change the default value of the client-ca-file argument (OpenShift) [Updated]
    • Updated text and title.
    • P1482: Improper configuration of the client-ca-file argument (OpenShift) [Updated]
      • Updated text and title.
  • T2010: Verify that the clientCAFile exists and is not changed (OpenShift) [Updated]
    • Updated text and title.
    • P1482: Improper configuration of the client-ca-file argument (OpenShift) [Updated]
      • Updated text and title.
  • T2011: Do not set the read-only-port argument (OpenShift) [Updated]
    • Updated text and title.
    • P1483: Enabling read-only port (OpenShift) [Updated]
      • Updated text and title.
  • T2012: Verify that the read-only port is not enabled (OpenShift) [Updated]
    • Updated text and title.
    • P1483: Enabling read-only port (OpenShift) [Updated]
      • Updated text and title.
  • T2013: Adjust the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
    • Updated text and title.
    • P1484: Improper value for the streaming-connection-idle-timeout argument (OpenShift) [Updated]
      • Updated text and title.
    • I1332: OpenShift: How to set the 'streaming-connection-timeout' value [Updated]
  • T2014: Verify the value of streaming-connection-idle-timeout argument (OpenShift) [Updated]
    • Updated text and title.
    • P1484: Improper value for the streaming-connection-idle-timeout argument (OpenShift) [Updated]
      • Updated text and title.
  • T2015: Make sure that protect-kernel-defaults is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1485: Setting the protect-kernel-defaults argument (OpenShift) [Updated]
      • Updated text and title.
  • T2016: Verify that protectKernelDefaults is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1485: Setting the protect-kernel-defaults argument (OpenShift) [Updated]
      • Updated text and title.
  • T2017: Ensure that the make-iptables-util-chains is set to true (OpenShift) [Updated]
    • Updated text and title.
    • P1486: Disabling the make-iptables-util-chains flag (OpenShift) [Updated]
      • Updated text and title.
  • T2018: Verify that make-iptables-util-chains is set to true for each machinepool (OpenShift) [Updated]
    • Updated text and title.
    • P1486: Disabling the make-iptables-util-chains flag (OpenShift) [Updated]
      • Updated text and title.
  • T2021: Ensure that the hostname-override is not set (OpenShift) [Updated]
    • Updated text and title.
    • P1488: Disabling the hostname-override flag (OpenShift) [Updated]
      • Updated text and title.
  • T2022: Verify that hostname-override does not exist (OpenShift) [Updated]
    • Updated text and title.
    • P1488: Disabling the hostname-override flag (OpenShift) [Updated]
      • Updated text and title.
  • T2023: Set the kubeAPIQPS event-qps argument to 0 (OpenShift) [Updated]
    • Updated text and title.
    • P1489: Non-zero value for the event-qps argument (OpenShift) [Updated]
      • Updated text and title.
    • I1491: OpenShift: How to edit 'kubeAPIQPS' parameters [Added]
  • T2024: Verify that the value of event-qps is set to 0 (OpenShift) [Updated]
    • Updated text and title.
    • P1489: Non-zero value for the event-qps argument (OpenShift) [Updated]
      • Updated text and title.
  • T2025: Ensure that tls-cert-file and tls-private-key-file are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1490: Improper value for the cert-dir argument (OpenShift) [Updated]
      • Updated text and title.
  • T2026: Verify that the kubelet-client-certificate and kubelet-client-key are properly set (OpenShift) [Updated]
    • Updated text and title.
    • P1490: Improper value for the cert-dir argument (OpenShift) [Updated]
      • Updated text and title.
  • T2029: Do not disable rotate-certificates (OpenShift) [Updated]
    • Updated text and title.
    • P1492: Disabling the RotateKubeletClientCertificate and RotateKubeletServerCertificate flags (OpenShift) [Updated]
      • Updated text and title.
  • T2030: Verify that rotate-certificates settings are not disabled (OpenShift) [Updated]
    • Updated text and title.
    • P1492: Disabling the RotateKubeletClientCertificate and RotateKubeletServerCertificate flags (OpenShift) [Updated]
      • Updated text and title.
  • T2170: Ensure personal data processed by the application meets data localization requirements [Added]
    • TA3485: China Cybersecurity Law (Article 37) – Data Localization [Added]
  • T2171: Avoid observable discrepancy and side channel attacks (Hardware/Firmware) [Added]
    • P1569: Observable discrepancy (Hardware/Firmware) [Added]
  • T2172: Enforce the principle of least privilege (Hardware/Firmware) [Added]
    • P1570: Incorrect default permissions (Hardware/Firmware) [Added]
  • T2173: Ensure the expected behavior is implemented (Hardware/Firmware) [Added]
    • P1571: Expected behavior violation (Hardware/Firmware) [Added]
  • T2174: Avoid unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Added]
    • P1572: Unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Added]
  • T2175: Provide documentation for design (Hardware/Firmware) [Added]
    • P1573: Missing documentation for design (Hardware/Firmware) [Added]
  • T2176: Avoid mixing agents of varying trust levels (Hardware/Firmware) [Added]
    • P1574: Improper isolation of shared resources on SoC (Hardware/Firmware) [Added]
  • T2177: Generate unique and immutable identifiers in SoC (Hardware/Firmware) [Added]
    • P1575: SoC using components without unique and immutable identifiers (Hardware/Firmware) [Added]
  • T2178: Ensure fabric access controls enablement before 3rd party hardware IPs (Hardware/Firmware) [Added]
    • P1576: Power-on of untrusted execution core before enabling fabric access control (Hardware/Firmware) [Added]
  • T2179: Block write operations to reserve bits (Hardware/Firmware) [Added]
    • P1577: Failure to disable reserved bits (Hardware/Firmware) [Added]
  • T2180: Review Access Control Policy (Hardware/Firmware) [Added]
    • P1578: Insufficient granularity of access control (Hardware/Firmware) [Added]
  • T2181: Evaluate write-once registers for proper configuration (Hardware/Firmware) [Added]
    • P1579: Race condition for write-once attributes (Hardware/Firmware) [Added]
  • T2182: Check lock bit protections for design consistency (Hardware/Firmware) [Added]
    • P1580: Improper implementation of lock protection registers (Hardware/Firmware) [Added]
  • T2183: Avoid using chicken bits (Hardware/Firmware) [Added]
    • P1581: Inclusion of undocumented features or chicken bits (Hardware/Firmware) [Added]
  • T2184: Disable access to security-sensitive information stored in fuses (Hardware/Firmware) [Added]
    • P1582: Sensitive non-volatile information not protected during debug (Hardware/Firmware) [Added]
  • T2185: Prevent unauthorized access to sensitive data through debug or test interfaces (Hardware/Firmware) [Added]
    • P1583: Improper access to sensitive information using debug and test interfaces (Hardware/Firmware) [Added]
  • T2186: Enforce valid Finite State Machines (FSMs) in hardware logic (Hardware/Firmware) [Added]
    • P1584: Improper finite state machines (FSMs) in hardware logic (Hardware/Firmware) [Added]
  • T2187: Enforce proper implementation of wear leveling operations (Hardware/Firmware) [Added]
    • P1585: Improper write handling in limited-write non-volatile memories (Hardware/Firmware) [Added]
  • T2188: Enforce proper protection against voltage and clock glitches (Hardware/Firmware) [Added]
    • P1586: Missing or improperly implemented protection against voltage and clock glitches (Hardware/Firmware) [Added]
  • T2189: Prevent Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Hardware/Firmware) [Added]
    • P1587: Semiconductor defects in hardware logic with security-sensitive implications (Hardware/Firmware) [Added]
  • T2190: Prevent mirroring regions with different values (Hardware/Firmware) [Added]
    • P1588: Mirrored regions with different values (Hardware/Firmware) [Added]
  • T2191: Ensure using configured CPU hardware to support exclusivity of write and execute operations (Hardware/Firmware) [Added]
    • P1589: CPU hardware not configured to support exclusivity of write and execute operations (Hardware/Firmware) [Added]
  • T2192: Prevent incorrect selection of fuse values (Hardware/Firmware) [Added]
    • P1590: Incorrect selection of fuse values (Hardware/Firmware) [Added]
  • T2193: Prevent incorrect comparison logic granularity (Hardware/Firmware) [Added]
    • P1591: Incorrect comparison logic granularity (Hardware/Firmware) [Added]
  • T2194: Prevent hardware features to enable physical attacks from Software (Hardware/Firmware) [Added]
    • P1592: Hardware features enable physical attacks from software (Hardware/Firmware) [Added]
  • T2195: Ensure access control applied properly to Mirrored or Aliased Memory Regions (Hardware/Firmware) [Added]
    • P1593: Improper access control applied to mirrored or aliased memory regions (Hardware/Firmware) [Added]
  • T2196: Prevent exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Added]
    • P1594: Exposure of sensitive system information due to uncleared debug information (Hardware/Firmware) [Added]
  • T2197: Prevent Improper Restriction of Security Token Assignment (Hardware/Firmware) [Added]
    • P1595: Improper restriction of security token assignment (Hardware/Firmware) [Added]
  • T2198: Prevent improper handling of overlap between protected memory ranges (Hardware/Firmware) [Added]
    • P1596: Improper handling of overlap between protected memory ranges (Hardware/Firmware) [Added]
  • T2199: Prevent improper handling of single-event upsets (Hardware/Firmware) [Added]
    • P1597: Improper handling of single event upsets (Hardware/Firmware) [Added]
  • T2200: Ensure register interface does not allow software access to sensitive data (Hardware/Firmware) [Added]
    • P1598: Register interface allows software access to sensitive data or security settings (Hardware/Firmware) [Added]
  • T2201: Enforce Physical access control (Hardware/Firmware) [Added]
    • P1599: Improper physical access control (Hardware/Firmware) [Added]
  • T2202: Prevent hardware logic with insecure De-Synchronization between control and data channels (Hardware/Firmware) [Added]
    • P1600: Hardware logic with insecure desynchronization between control and data channels (Hardware/Firmware) [Added]
  • T2203: Prevent policy to use obsolete encoding (Hardware/Firmware) [Added]
    • P1601: Policy uses obsolete encoding (Hardware/Firmware) [Added]
  • T2204: Enforce policy privilege assignments consistently between control and data agents (Hardware/Firmware) [Added]
    • P1602: Policy privileges are not assigned consistently between control and data agents (Hardware/Firmware) [Added]
  • T2205: Prevent product released in none-release configuration (Hardware/Firmware) [Added]
    • P1603: Product released in non-release configuration (Hardware/Firmware) [Added]
  • T2206: Prevent generation of incorrect security tokens (Hardware/Firmware) [Added]
    • P1604: Generation of incorrect security tokens (Hardware/Firmware) [Added]
  • T2207: Prevent uninitialized value on reset for registers holding security settings (Hardware/Firmware) [Added]
    • P1605: Uninitialized value on reset for registers holding security settings (Hardware/Firmware) [Added]
  • T2208: Restrict sharing device unlocking credentials across multiple parties (Hardware/Firmware) [Added]
    • P1606: Device unlock credential sharing (Hardware/Firmware) [Added]
  • T2209: Prevent boot code tampering in the non-volatile memory (Hardware/Firmware) [Added]
    • P1607: Insufficient protections on the volatile memory containing boot code (Hardware/Firmware) [Added]
  • T2210: Prevent signals conflict between a hardware IP and the parent system (Hardware/Firmware) [Added]
    • P1608: Hardware child block incorrectly connected to parent system (Hardware/Firmware) [Added]
  • T2211: Include firmware update mechanism/feature (Hardware/Firmware) [Added]
    • P1609: Firmware not capable of being updated (Hardware/Firmware) [Added]
  • T2212: Use Integrated Circuit (IC) Imaging Techniques to protect against hardware reverse engineering (Hardware/Firmware) [Added]
    • P1610: Missing protection against reverse engineering using IC imaging techniques (Hardware/Firmware) [Added]
  • T2213: Implement access control checks before accessing the assets (Hardware/Firmware) [Added]
    • P1611: Access control check implemented after asset is accessed (Hardware/Firmware) [Added]
  • T2214: Protect unexpected behavior of system due to sequence of processor instructions (Halt and Catch Fire) (Hardware/Firmware) [Added]
    • P1612: Sequence of processor instructions leads to unexpected behavior (halt and catch fire) (Hardware/Firmware) [Added]
  • T2215: Prevent modification of immutable data (Hardware/Firmware) [Added]
    • P1613: Assumed-immutable data is stored in writable memory (Hardware/Firmware) [Added]
  • T2216: Prevent modification of measurement reporting data by an untrusted agent (Hardware/Firmware) [Added]
    • P1614: Mutable attestation or measurement reporting data (Hardware/Firmware) [Added]
  • T2217: Prevent security identifiers from unauthorized access while decoding (Hardware/Firmware) [Added]
    • P1615: Incorrect decoding of security identifiers (Hardware/Firmware) [Added]
  • T2218: Prevent same Public Key usage for different environments (Debug and Production) (Hardware/Firmware) [Added]
    • P1616: Public key re-use for signing both debug and production code (Hardware/Firmware) [Added]
  • T2219: Implement secure conversion of Security Identifiers (Hardware/Firmware) [Added]
    • P1617: Incorrect conversion of security identifiers (Hardware/Firmware) [Added]
  • T2220: Implement secure mechanism to generate Security Identifiers (Hardware/Firmware) [Added]
    • P1618: Insecure security identifier mechanism (Hardware/Firmware) [Added]
  • T2221: Prevent debugging messages revealing sensitive Information (Hardware/Firmware) [Added]
    • P1619: Debug messages revealing unnecessary information (Hardware/Firmware) [Added]
  • T2222: Prevent incorrect Chaining or Granularity of Debug Components (Hardware/Firmware) [Added]
    • P1620: Incorrect chaining or granularity of debug components (Hardware/Firmware) [Added]
  • T2223: Restrict access to confidential information on device by OSAT vendors (Hardware/Firmware) [Added]
    • P1621: Unprotected confidential information on device is accessible by OSAT vendors (Hardware/Firmware) [Added]
  • T2224: Implement protections to alternate access paths and interfaces inside the SoC (Hardware/Firmware) [Added]
    • P1622: Missing protection mechanism for alternate hardware interface (Hardware/Firmware) [Added]
  • T2225: Data remanence within the hardware component (Hardware/Firmware) [Added]
    • P1623: Insufficient or incomplete data removal within hardware component (Hardware/Firmware) [Added]
  • T2226: Transaction without a security identifier (Hardware/Firmware) [Added]
    • P1624: Missing security identifier (Hardware/Firmware) [Added]
  • T2227: Preserve the integrity of hardware configuration state (Hardware/Firmware) [Added]
    • P1625: Improperly preserved integrity of hardware configuration state during a power save/restore operation (Hardware/Firmware) [Added]
  • T2228: Include functionality to patch Read-only-Memory (ROM) Code (Hardware/Firmware) [Added]
    • P1626: Missing ability to patch ROM code (Hardware/Firmware) [Added]
  • T2229: Prevent improper translation of security attributes by Fabric Bridge (Hardware/Firmware) [Added]
    • P1627: Improper translation of security attributes by fabric bridge (Hardware/Firmware) [Added]
  • T2230: Protect mirrored regions in On-Chip Fabric Firewall (Hardware/Firmware) [Added]
    • P1628: Missing protection for mirrored regions in on-chip fabric firewall (Hardware/Firmware) [Added]
  • T2231: Protect debug logic (feature) runtime alterations and sensitive data exposure (Hardware/Firmware) [Added]
    • P1629: Hardware allows activation of test or debug logic at runtime (Hardware/Firmware) [Added]
  • T2232: Use write protection for Parametric Data values (Hardware/Firmware) [Added]
    • P1630: Missing write protection for parametric data values (Hardware/Firmware) [Added]
  • T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware) [Added]
    • P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Added]
  • T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware) [Added]
    • P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Added]
  • T2235: Put security checks in Fabric Bridge (Hardware/Firmware) [Added]
    • P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Added]
  • T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware) [Added]
    • P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Added]
  • T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Added]
    • P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Added]
  • T2238: Protect alert signals against untrusted agents (Hardware/Firmware) [Added]
    • P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Added]
  • T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware) [Added]
    • P1637: Improper management of sensitive trace data (Hardware/Firmware) [Added]
  • T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware) [Added]
    • P1638: Missing immutable root of trust in hardware (Hardware/Firmware) [Added]
  • T2241: Ensure security version data is protected from tampering (Hardware/Firmware) [Added]
    • P1639: Security version number mutable to older versions (Hardware/Firmware) [Added]
  • T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware) [Added]
    • P1640: Improper isolation of shared resources in network on chip (Hardware/Firmware) [Added]
  • T2243: Protect against fault injection attacks (Hardware/Firmware) [Added]
    • P1641: Insufficient protection against instruction skipping via fault injection (Hardware/Firmware) [Added]
  • T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware) [Added]
    • P1642: Unauthorized error injection can degrade hardware redundancy (Hardware/Firmware) [Added]
  • T2245: Protect against abnormal thermal range (Hardware/Firmware) [Added]

    • P1643: Improper protections against hardware overheating (Hardware/Firmware) [Added]
  • Updated T186 with the latest security patch levels for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Struts
    • Apache Tomcat
    • GnuTLS
    • Java
    • Bouncy Castle
    • Unix/Linux Bash
    • Node.js
  • Changes to Project Properties and Profiles

    • Q205: Geography [Updated]
      • Updated title from "Organization" to "Geography".
    • Q237: Compliance Scope: Other
      • Q336: In-Scope for China Cybersecurity Law [Added]
        • A1308: Yes [Added]
    • Q278: Hardware Features
      • A1300: Hardware design and manufacturing is in scope [Added]
      • A1301: Firmware and software development for hardware is in scope [Added]
      • A1302: Implements cryptographic algorithms [Added]
      • A1304: Has Access Control settings [Added]
      • A1305: Hardware/firmware update is in scope [Added]
      • A1306: Hardware configuration is in scope [Added]
    • Q220: Changes Since Last Release
      • A1307: Changes to hardware design [Added]
  • New Just-in-Time Training

    • Cloud Security (3 JITTs)

Footnotes for Match Conditions

  • T566: Enable network layer encryption for local area network communications [Updated]

    • Updated Match Conditions from:

      • IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to inbound/outbound interfaces
    • To:

      • IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system
  • T590: Verify that network layer encryption is enabled for local area network communications [Updated]

    • Updated Match Conditions from:

      • IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system AND Changes Since Last Release - Changes to inbound/outbound interfaces
    • To:

      • IoT Architecture - Has a local area network between IoT devices in scope AND IoT Architecture - This is the core component of a multi-component IoT system
  • P216: Clear Text and Unencrypted Transmission of Information [Updated]

    • Updated Match Conditions from:

      • Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - New transactions / use cases
      • (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - New transactions / use cases
    • To:

      • Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to servers/frameworks and/or configuration
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - New transactions / use cases
      • (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - New transactions / use cases
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic client application AND Changes Since Last Release - Changes to inbound/outbound interfaces
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - Changes to inbound/outbound interfaces
      • (OR) Internal Properties (Use this, for all hidden answers) - The application is a generic server application AND Changes Since Last Release - New transactions / use cases
      • (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - Changes to inbound/outbound interfaces
      • (OR) Internal Properties (Use this, for all hidden answers) - Microservices - Code AND Changes Since Last Release - Changes to servers/frameworks and/or configuration

5.10

New features and improvements

  • Completion Status Report (Project Reports)

    • Added a priority checkbox filter to filter reports by High, Medium, and Low priority Tasks.
    • Added a Regulation Dropdown to filter report by Tasks that are relevant to a given regulation.
  • Project Risk Policy Report

    • Added a Regulation Dropdown to filter reports by Tasks that are associated with a given regulation.
  • All Tasks Report CSV changes

    • Added new columns to the All Tasks CSV Report.
    • Problem ID, Problem Title, Risk Rating, Business Unit, Application, Project, Issue Tracker Tickets (JIRA, Rally, and so on), Custom Project Attributes.
  • License Usage Report

    • Restructured data presentation and updated nomenclature to improve usability and ease of understanding.
    • Note: These changes are to the report only and not to the software license itself.
  • Library Import and Export

    • Added support for JSON and YAML formats.
    • Added human readable foreign keys to supplement UUIDs in the exported files.
    • Replaced the ‘copied_from’ column with a ‘Custom’ column that can be used to differentiate built-in and custom objects.
    • Added support for importing and exporting match conditions for library content.
  • Project Survey

    • Fixed an issue where empty survey sections still appeared even after disabling all answers in those sections via content packs.
    • Fixed a frontend issue where custom implied answers were not being deselected automatically when deselecting their parent answers.
  • Activity Logs

    • Added logging for Project Problem-related operations, such as Adding and Removing Manually Added Library Problems or Creating, Updating, and Deleting Project Specific Problems from a project under the Project and Global Activity logs.

Other product improvements

  • Minor UI improvements:
    • Implemented new toasts/notifications that utilize an icon to better convey the type of notification.
    • Changed "View Latest History" link on survey questions to an icon button.
    • Added UI functionality for "No Role" users to view their account information (email, first name, last name), view their password reset questions, and view and edit their password.
    • Fixed an issue with Azure DevOps integration using Closed Issue Status incorrectly.
    • Fixed an issue with Checkmarx scan imports.
    • Restricted access to internal network resources for issue tracker and verification tool connections.
      • OSD customers that are currently syncing with internal integration services can disable this functionality via the settings file. See the user guide for more details.

Content additions and updates (as of November 24, 2020):

  • Compliance Regulations and Mappings

    • Updated PCI-DSS v3.2.1 compliance report
    • Updated PA-DSS v3.2 compliance report
    • Disabled PCI-DSS v2.0 compliance report [INFO: Outdated]
    • Disabled PA-DSS v2.0 compliance report [INFO: Outdated]
    • Added MASVS compliance reports and mappings
    • Updated ASD-STIG compliance to Version 5
    • Added CNSSI 1253 - Baseline compliance report
    • Added CNSSI 1253 - Classified Information Overlay compliance report
    • Added CNSSI 1253 - Privacy Overlay compliance report
    • Added CNSSI 1253 - Space Platform Overlay compliance report
  • New Content Packs

    • Compliance:CNSSI
    • Compliance:MASVS
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • TA2892: Mobile ASVS (section:4.8) Requirements [Added]
  • T6: Implement account lockout or authentication throttling
    • TA2891: Mobile ASVS (section:2.15) Requirements [Added]
  • T46: Do not log confidential data
    • I1489: Disable Logging Sensitive Information in Rails [Added]
  • T53: Prevent the upload of malicious files and malware
    • P325: Unrestricted Upload of Unsafe File Types [Updated]
      • INFO: Updated text to include malicious file names.
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
    • INFO: Updated text to include avoid reusing same key for multiple purposes, and updated recommendation for using FIPS 140-2 to FIPS 140-3.
  • T61: Disable default accounts or change all default passwords
    • TA840: ASD-STIG requirements for T61 [Updated]
      • INFO: Not an inclusive range. 68 Additional Requirements updated.
  • T107: Test that application forbids uploading or transferring malware
    • P325: Unrestricted Upload of Unsafe File Types [Updated]
      • INFO: Updated text to include malicious file names.
  • T181: Validate models explicitly for fields the user is allowed to update
    • I323: Rails (v3.0 and earlier) [Updated]
      • INFO: Changed title to specify the version.
    • I1487: Rails (v3.0 and later) [Added]
  • T189: Minimize the use of unmanaged (native) code [Updated]
    • INFO: Updated text to include securely allocate/free/use memory for unmanaged code.
  • T278: Follow best security practices when using WebView (Android) [Updated]
    • INFO: Updated text to include MASVS requirements.
  • T324: Follow best security practices when using WKWebView (iOS) [Updated]
    • INFO: Updated text to include MASVS requirements.
  • T331: Enforce policies through content security policy (CSP) or XSS protection headers [Updated]
    • INFO: Updated title, added XSS protection as the task text explained it as a replacement.
  • T335: Sanitize user input before passing to NoSQL operators
    • I1490: Secure Query Generation in Rails [Added]
  • T340: Use an account and identity management system [Updated]
    • INFO: Updated text to include deny all access by default.
  • T445: Verify that only approved cryptographic algorithms and key lengths are used [Updated]
    • INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
  • T542: Protect hardware modules against tampering and probing [Updated]
    • INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
  • T543: Verify that hardware modules are protected against tampering and probing [Updated]
    • INFO: Updated recommendation for using FIPS 140-2 to FIPS 140-3.
  • T1541: Decide on the best CSRF defense for your application [Updated]
    • INFO: Updated text to add a CSRF defense flowchart.
  • T2167: Secure file storage [Added]
    • P325: Unrestricted Upload of Unsafe File Types [Updated]
      • INFO: Updated text to include malicious file names.
    • I1488: Deep File Name Sanitization in Ruby [Added]
  • TA2893 to TA3484: ASD-STIG requirements [INFO: Not an inclusive range. 302 Additional Requirements added.]
  • TA840 to TA909: ASD-STIG requirements [INFO: Not an inclusive range. 68 Additional Requirements updated.]

  • Updated T186 with the latest security patch levels for third-party libraries

    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • Apache Wicket
    • Bouncy Castle
    • Node.js
  • Updated the following code scanner mappings

    • Checkmarx Static Code Analysis (CxSAST)
    • WhiteHat Sentinel
  • Changes to Project Properties and Profiles

    • Q202: More Features
      • Q214: Miscellaneous
        • A1288: Sends electronic messages and/or emails [Updated]
          • INFO: Changed the title from "Sends solicitation emails" to "Sends electronic messages and/or emails".
    • Q237: Compliance Scope: Other
      • Q334: MASVS Level
        • A1295: Level 1 [Added]
        • A1296: Level 2 [Added]
        • A1297: R [Added]
  • New Just-in-Time Training

    • BC/DR plan for cloud services

5.9

New features and improvements

  • Problems view

    • Added a feature to create project-specific Problems through the New Problem form. Tasks can be added to the Problem by creating or editing project-specific Tasks.
    • Added a Problem Source filter to narrow down Problems shown in the table (default content, custom content, manually added, project specific).
  • Tasks view

    • Added a field to the New Task form for selecting the Problem the Task will belong to. Only available to project-specific tasks. Any Problem accepted into the project can be selected.
  • Project Survey

    • Fixed an issue where disabling all content packs and deselecting an answer in the survey caused the survey to become unresponsive.
    • Fixed an issue where disabling/enabling content packs failed to change the survey state accordingly (cache invalidation failed).
    • Fixed an issue where disabling an answer that implied another answer that is selected in a project’s survey caused the survey to return a 500 error.
  • Integrations

    • JIRA
      • Custom field mappings can now map to date type fields.
    • Implemented SmartSync for Pivotal Tracker, reducing the number of API requests sent to Pivotal Tracker during a sync.
    • Added the ability to replace strings of text in a Task description with custom values when the Task is synced to an issue tracker.
    • Updated the user interface for custom field mapping to support multiline field values.
    • Fixed SmartSync issue where statuses in the non-authoritative source are not synchronized if the authoritative source has not been updated.
    • Deprecated APIs are no longer used when connecting to Archer.
    • Fixed an issue with LDAP sync where character encoding was raising an exception when syncing users and groups.
  • System Settings

    • Fixed a bug in the "Build Pipeline" page under the System Settings where the documentation links were not displaying.
    • Fixed a security issue where LDAP credentials for superusers were exposed in the "Authentication" page under the System Settings.
  • Reports

    • The OWASP Top 10 (2017) report title has been renamed to OWASP Top 10 (Latest).
    • CSV export
      • Updated training list export so that only users with permission to Manage Users may download the CSV export.
      • Updated user list export so that only users with permission to Manage Users may download the CSV export.
    • All Tasks Report
      • The CSV export now includes the following additional fields associated with the Task and Custom Project attributes: Problem ID, Problem Title, Risk rating, Application, Business Unit, Project, Issue Tracker Ticket.
    • Problem Summary Report
      • Fixed a bug where duplicate rows showed for the same problem.
  • Manage Groups

    • Fixed a bug where the page was not loading if there were a large number of LDAP groups.

Content additions and updates (as of September 18, 2020):

  • Compliance Regulations and Mappings

    • OWASP Top 10 (2017) renamed to OWASP Top 10 (Latest)
    • 2020 CWE Top 25 Most Dangerous Software Weaknesses
    • NIST 800-53 Mandates compliance reports
      • Added to specify more granular sub-control mappings (Mandates) to our NIST 800-53 SDE content. The compliance reports are mapped to the NIST 800-53 impact levels:
        • NIST 800-53 Mandates (High) compliance report
        • NIST 800-53 Mandates (Moderate) compliance report
        • NIST 800-53 Mandates (Low) compliance report
  • T202: Prevent buffer overflow/underflow

    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T217: Use compiler settings to mitigate buffer overflows
    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T256: Test that compiler settings are set to mitigate buffer overflows
    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T1146: Enable DEP and ASLR on your server
    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T1147: Verify that DEP and ASLR are enabled on your server
    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T1366: Identify applicable compliance regulations
    • TA2889: Identify compliance regulations of the cloud infrastructure (Cloud) [Added]
  • T2134: Compile iOS applications with PIE and ARC flags
    • P21: Buffer Copy without Checking the Bounds [Updated]
      • Updated Match Conditions to include Changes Since Last Release, from “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration” to “Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes Since Last Release - Changes to servers/frameworks and/or configuration (OR) Internal Properties (Use this, for all hidden answers) - Uses an unmanaged programming language AND Changes to User Input/Output Since Last Release - New/modified user input OR changes to how user input is used”
  • T2158: Ensure that data is deleted securely and efficiently from storage (Cloud) [Added]
    • P1558: Insecure or ineffective erasure of data [Added]
  • T2159: Ensure security of virtualized environments (Cloud) [Added]
    • P1559: Insecure virtualization [Added]
  • T2160: Avoid vendor lock-in as a customer when migrating into or out of solutions (Cloud) [Added]
    • P1560: Insufficient data portability in the cloud and insecure migration to the cloud (in and out) [Added]
  • T2161: Ensure the cloud management interface is secured properly (Cloud) [Added]
    • P1561: Insecure cloud management interface [Added]
  • T2162: Prevent malicious insider risks and privileged user abuse in cloud providers (Cloud) [Added]
    • P1562: Malicious insiders and abuse of high privilege roles [Added]
  • T2163: Ensure the security of hypervisors (Cloud) [Added]
    • P1563: Lack of hypervisor security [Added]
  • T2164: N/A - Not Applicable [Added]
    • Used to identify not applicable sections in the NIST Mandates compliance reports
    • P1564: N/A - Not Applicable [Added]
      • Used to identify not applicable sections in the NIST Mandates compliance reports
  • T2165: Ensure security governance when outsourcing to cloud providers (Cloud) [Added]
    • P1565: Loss of control over security of supply chain [Added]
    • TA2890: Supplier security assessment (Cloud) [Added]
  • T2166: Ensure business continuity over cloud services (Cloud) [Added]

    • P1566: Lack of business continuity and disaster recovery processes [Added]
  • Updated T186 with the latest security patch levels for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • Apache HTTP Server
    • Java
    • Bouncy Castle
    • Node.js
  • Updated the following code scanner mappings

    • Checkmarx
    • AppScan
    • WebInspect
    • WhiteHat
  • Changes to Project Properties and Profiles

    • Q196: Web Technologies
      • Q191: Web Client Technologies Used
        • A94: Uses iFrames [Updated]
          • Updated Match Conditions from "The application is a generic web application." to "The application is a generic web application. OR Frontend"
        • A792: HTML5 [Updated]
          • Updated Match Conditions from "The application is a generic web application. OR Rich client" to "The application is a generic web application. OR Rich client OR Frontend"
        • A1192: CORS [Updated]
          • Updated Match Conditions from "The application is a generic web application." to "The application is a generic web application. OR Frontend"
    • Q219: General Changes
      • Q220: Changes Since Last Release
        • A1294: Changes to processes/activities [Added]
    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A1293: Cloud [Added]
    • Q258: Architecture/Environment
      • Q322: Architecture
        • A1142: Contains multiple components that communicate through a network [Updated]
          • Added tooltip clarifying use case
    • Q262: External Dependencies
      • Q259: External Code/Data
        • A1157: Uses remote procedure calls (RPC) or object serialization/deserialization [Updated]
          • Added tooltip clarifying use case
    • Q284: Context and Characteristics
      • Q252: Application's Context and Characteristics
        • A744: The application handles health data [Updated]
          • Added tooltip describing Personal Health Information
        • A1291: Consumes cloud services [Added]
        • A1292: Provides cloud services [Added]
  • New Just-in-Time Training

    • Defending Databases (7 JITTs)
    • OWASP Top 10 (40 JITTs)

5.8

New features and improvements

  • Manually added Library Problems

    • Added the ability to manually add Library Problems directly to a Project from the Problems View using the New Problem (+) button.
    • Added the ability to delete a manually added Library Problem from the Problems View.
    • Problems View
      • Added the ability to filter Tasks and Problems by Task Status, Assigned Users, and Task Priority.
  • User Interface

    • Increased maximum character lengths for Compliance Regulation fields:
      • Compliance Regulation and Compliance Regulation Section name field increased to 500 characters.
      • Compliance Regulation Section description field increased to 5000 characters.
  • Activity Logs

    • Added the ability to export a project’s survey history from Activity Logs:
      • Added an export button on the project survey and project activity log to download the project survey history as a CSV file.
      • Added an export button on global activity log to download the survey history of all projects as a CSV file.
    • Updated Activity Log entries for project survey changes to display the number of changes instead of all individual changes.
  • Status mapping

    • Custom status mapping fields in their supported issue tracker connections are now pre-populated with the required SD Elements status mappings on the creation form:
      • Made minor UI additions and description updates to improve user experience.
      • Changed ordering of the custom status mappings to align with updated descriptions.

Other product improvements

  • Fixed an issue synchronizing with Checkmarx version 8.6 and later.
  • Updated confirmation messages for deleting risk policy configurations.
  • Survey history now displays actions taken, actor, and time for each answer.
  • Modifying the email address or accessing the password reset link of a Super User now requires Super User permissions.
  • Significantly improved the load time of the Project Survey by 30-50%.

Content additions and updates (as of July 24, 2020):

  • Compliance Regulations and Mappings

    • Added NIST Cybersecurity Framework (CSF) compliance report
    • Removed the regulation for OWASP Top 10 (2013)
  • New Content Packs

    • NIST CSF
  • T4: Use configurable password policies [Updated]

    • Updated text
  • T5: Use minimum standards for passwords [Updated]
    • Updated text
  • T20: Generate unique session IDs and reset old IDs after authentication [Updated]
    • Updated text
  • T1144: Prevent Server-Side Template Injection (SSTI) [Updated]
    • Updated text
  • T1145: Verify if web page template is vulnerable to SSTI [Updated]
    • Updated text
  • T2157: Secure email and messaging in web applications [Added]

  • Updated T186 with the latest security patch levels for third-party libraries

    • Django
    • Spring Framework
    • Struts
    • Apache Tomcat
    • Apache Wicket
    • Apache MyFaces
    • Java
    • Bouncy Castle
    • Node.js
  • Changes to Project Properties and Profiles

    • Q193: Application Type
      • Q101: Type of Application
        • A1289: Frontend [Added]
    • Q202: More Features
      • Q214: Miscellaneous
        • A1288: Sends solicitation emails [Added]
    • Q237: Compliance Scope: Other
      • Q225: Type of Emails Sent by the Application
        • A752: Advertisement or other solicitation emails [Updated]
          • Updated tooltip description
    • Q331: US Federal and NIST
      • Q333: In-Scope for NIST Cybersecurity Framework [Added]
        • A1290: Yes [Added]
  • New Just-in-Time Training

    • Microservices (5 modules)
    • OpSec Fundamentals (10 modules)
    • Defending Android (26 modules)

5.7

New features and improvements

  • Advanced Project Classification mode

  • User Interface

    • Project Survey
      • Changed “No Profile” to “Blank” in Profile selection and updated the description to be more informative.
      • Added a tab for the Project Survey to make it easier to locate.
    • Problems View
      • Added a checkbox to filter Problem Tasks by Risk Policy relevance.
    • Verification
      • The Whitesource reference field in verification notes are now clickable links.
    • “Problems” string customization
      • Admins can now customize the “Problems” string from System > UI Customization.
    • Forms
      • Introduced secondary buttons to forms with more than primary and Cancel actions.
  • API

    • The Project Problems API GET endpoint calls now require {project_id}-{problem_id} instead of {problem_id}.
    • Removed ‘related_tasks’. Users should now use Problem Tasks API endpoints to return related tasks for a Problem.

Other product improvements

  • Fixed an issue in Library Import/Export where re-importing certain content items with non-standard encodings caused a crash.
  • Improved error messages in Library Import/Export.
  • Fixed an issue where a user removed from an LDAP group was not removed from its corresponding SD Elements group following a sync.
  • Removed the reordering disclaimer in Project Survey subsections as the action was not possible.
  • Fixed a tooltip bug on the Phases page.
  • Fixed a bug where Project Problems were not accepting related task changes made in the library.
  • Fixed a bug on the Problem view caused by rapidly expanding Problems in quick succession.
  • Fixed long business unit name column overflow in PDF License Usage reports.
  • Fixed an error that caused a crash if content had empty backticks (``).
  • Fixed a bug that prevented Reports windows to close when transitioning between Profile and Survey Questions pages in the Project Survey.
  • Improved the sorting performance on Global Reports page when sorting by Task Completion %.

Content additions and updates (as of June 12, 2020):

  • New Content Packs

    • Connected Cars
    • YAML
  • T2: Secure the password reset mechanism

    • I1455: ASP.NET Core / VB: Generic forget password request messages [Added]
  • T4: Use configurable password policies
    • I1477: ASP.NET Core / VB: Password Requirements Configuration [Added]
  • T6: Implement account lockout or authentication throttling
    • I1481: ASP.NET / VB account lockout [Added]
    • I1483: ASP.NET Core / VB: Account lockout [Added]
  • T7: Salt and hash stored passwords
    • I1475: ASP.NET Core / VB: String Hashing [Added]
  • T8: Use Consistent Error Handling for All Authentication Failures
    • I1468: ASP.NET Core / VB: Generic login failure messages [Added]
    • I1471: ASP.NET / VB consistent error handling [Added]
  • T15: Centralize authorization
    • I1435: ASP.NET / VB centralized authorization [Added]
  • T16: Authorize every non-public page
    • I1428: ASP.NET / VB non-public page authorization [Added]
    • I1429: ASP.NET Core / VB: Authorize non-public pages [Added]
  • T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
    • Updated text
    • TA241: WCF - Use X509 Certificates Instead of NTLM [Updated]
      • Updated text
    • TA751: Use strong encryption algorithms if credit card information is transmitted [Updated]
      • Updated text
    • TA965: Choice of cipher [Updated]
      • Updated text
    • I479: Apache HTTP Server [Updated]
      • Updated text
  • T22: Set secure flags on session cookies
    • I1433: ASP.NET Core / VB: Sending cookies over HTTPS [Added]
  • T23: Set HttpOnly flag on session cookies
    • I1459: ASP.NET Core / VB: Setting HttpOnly Flag [Added]
  • T25: Enforce absolute session timeouts
    • I1474: ASP.NET Core / VB: Absolute session timeout [Added]
  • T26: Expire sessions on logout
    • I1458: ASP.NET / VB clear sessions on logout [Added]
  • T28: Avoid 'Remember Me' features
    • I1470: ASP.NET / VB: Disable 'Remember Me' functionality [Added]
    • I1472: ASP.NET Core / VB: Disable 'Remember Me' functionality [Added]
  • T29: Use anti-Cross-Site Request Forgery (CSRF) tokens
    • I1427: ASP.NET / VB Anti-CSRF tokens [Added]
  • T31: Validate all forms of input
    • I1437: ASP.NET / VB: Request Form Validation [Added]
    • I1438: ASP.NET Core / VB: Validation Attributes [Added]
  • T33: Verify integrity of client-supplied read-only data
    • I1431: ASP.NET / VB - Using Session State [Added]
  • T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
    • I1440: ASP.NET / VB untrusted data escape [Added]
    • I1441: ASP.NET / VB: Error message encoding with Microsoft Anti-XSS [Added]
    • I1442: ASP.NET Core / VB: Character encoding [Added]
  • T38: Bind variables in SQL statements
    • I1443: VB with Linq [Added]
    • I1444: VB with SqlClient [Added]
    • I1445: VB with Enterprise Library [Added]
    • I1446: VB SQL variable binding with OleDB [Added]
    • I1447: VB variable binding with ODBC [Added]
    • I1448: ASP.NET Core / VB: Parameterize SQL Queries [Added]
    • I1449: VB with Entity [Added]
  • T43: Avoid unsafe operating system interaction
    • I1450: VB.NET safe operating system interaction [Added]
  • T50: Use indirect object reference maps if accessing files
    • I1426: ASP.NET / VB indirect object reference map [Added]
  • T54: Validate file contents
    • I1480: ASP.NET / VB file content validation [Added]
  • T55: Validate all XML input
    • P12: Missing or Incorrect XML Validation [Updated]
      • Updated text
  • T59: Use standard libraries for cryptography
    • I1456: ASP.NET Core / VB: Revoking Keys and Refreshing the Keyring [Added]
    • I1462: ASP.NET Core / VB: Protecting Ephemeral Data [Added]
    • I1463: ASP.NET Core / VB: Data Encryption [Added]
    • I1464: ASP.NET / VB encryption libraries [Added]
  • T60: Use correct and approved cryptographic algorithms, parameters, and key lengths
    • I1460: ASP.NET Core / VB: Setting Key Lifetime [Added]
    • I1461: ASP.NET Core / VB: Choosing cryptographic algorithms [Added]
  • T62: Protect passwords in property and configuration files
    • I1476: ASP.NET Core / VB: Accessing Application Secrets from Secret Manager [Added]
  • T64: Set no-cache for confidential web pages
    • I1453: ASP.NET / VB Cache-Control [Added]
    • I1454: ASP.NET Core / VB: Limiting Response Caching [Added]
  • T65: Restrict accepted HTTP verbs
    • I1434: ASP.NET / VB HTTP verbs restriction [Added]
  • T66: Prevent web pages from being loaded inside iFrame
    • I1482: ASP.NET / VB: Frame busting through JavaScript and use of headers [Added]
  • T67: Protect page navigation flow
    • I1469: ASP.NET / VB page navigation enforcement [Added]
  • T68: Encrypt credit card PANs in storage
    • I1478: VB.NET credit card PAN encryption [Added]
  • T72: Use safe arithmetic to avoid integer overflow
    • I1473: VB.NET [Added]
  • T74: Avoid HTTP parameter pollution
    • I1432: ASP.NET / VB HTTP parameters protection [Added]
  • T87: Verify that all data in transit is encrypted using a secure TLS channel [Updated]
    • Updated text
    • TA809: Verify use of security protocols wherever credit card information is transmitted or received [Updated]
      • Updated text
  • T137: Encrypt protected health information in storage
    • I1479: ASP.Net / VB [Added]
  • T151: Use cryptographically secure random numbers
    • I321: C# .NET cryptographically secure random number generation [Updated]
      • Updated title and text
    • I1465: VB.NET cryptographically secure random number generation [Added]
  • T159: Follow best practices for secure error and exception handling
    • I1452: ASP.NET / VB - Global error handling using HTTPModule [Added]
  • T162: Validate pathname before retrieving local resources
    • I1439: ASP.NET Core / VB: Directory Traversal [Added]
  • T164: Clear session information from client upon logout
    • I1457: ASP.NET Core / VB: Session expiration on logout [Added]
  • T178: Obtain consent from users prior to collecting Personal Data (where applicable)
    • TA2883: Protect location information (Connected Cars) [Added]
  • T189: Minimize the use of unmanaged (native) code
    • I1430: VB.NET unmanaged code avoidance [Added]
  • T191: Follow best practices when handling primitive data types
    • I1451: VB.NET [Added]
  • T200: Test for validation on all untrusted XML input
    • P12: Missing or Incorrect XML Validation [Updated]
      • Updated text
  • T256: Test that compiler settings are set to mitigate buffer overflows
    • I1466: ASP.NET Core / VB: Storing session information on the server [Added]
  • T322: Include HTTP Strict-Transport-Security headers in HTTPS responses
    • I1467: ASP.NET Core / VB: Enabling HSTS [Added]
  • T338: Control access to resources through user authentication and authorization
    • TA2884: Enforce access control if you output sensitive data to a port (Connected Cars) [Added]
  • T456: Select stringent security settings and disable unnecessary services and modules
    • TA2885: Properly harden the infotainment operating system (Connected Cars) [Added]
  • T795: Configure CloudFront correctly (AWS) [Updated]
    • Updated text
    • I658: How to configure CloudFront correctly (AWS) [Updated]
      • Updated text
  • T828: Test that CloudFront is configured correctly (AWS) [Updated]
    • Updated text
  • T875: Secure Apache SSL/TLS (Apache HTTP Server)
    • TA920: More in-depth controls [Updated]
      • Updated text
    • I729: Apache HTTP Server: How to secure Apache SSL/TLS [Updated]
      • Updated text
    • I734: Apache HTTP Server: How to for in-depth controls [Updated]
      • Updated text
  • T876: Verify Apache SSL/TLS configuration (Apache HTTP Server)
    • TA921: Test in-depth controls [Updated]
      • Updated text
  • T925: Configure TLS/SSL securely for Microsoft IIS (Microsoft IIS) [Updated]
    • Updated text
  • T959: Verify if TLS/SSL is securely configured for Microsoft IIS (Microsoft IIS) [Updated]
    • Updated text
  • T1118: Restrict access to local files (MySQL) [Updated]
    • Updated text
    • P1051: Unrestricted access to local files (MySQL) [Updated]
      • Updated text
    • I893: MySQL: How to restrict access to local files [Updated]
      • Updated text
  • T1119: Verify that access to local files is restricted (MySQL)
    • P1051: Unrestricted access to local files (MySQL) [Updated]
      • Updated text
  • T2143: Enhance the security of OBD ports (Connected Cars) [Added]
    • P1547: Lack of security measures in OBD port (Connected Cars) [Added]
  • T2144: Implement CAN bus protocol properly (Connected Cars) [Added]
    • P1548: Poor implementation of CAN bus protocol (Connected Cars) [Added]
  • T2145: gRPC Server-Client Certificate Authentication (.NET Core 3) [Added]
    • P1549: Unauthenticated gRPC client-server communication [Added]
    • I1484: gRPC server-client certificate authentication (.NET Core 3-C#) [Added]
    • I1485: gRPC server-client certificate authentication (.NET Core 3-VB) [Added]
  • T2148: Perform security checks before infotainment OS update (Connected Cars) [Added]
    • P1550: Insecure software updates (Connected Cars) [Added]
  • T2149: Perform security checks before external infotainment communication (Connected Cars) [Added]
    • P1551: Insufficient security checks between infotainment system and external devices (Connected Cars) [Added]
  • T2150: Verify that external infotainment communication is secure (Connected Cars) [Added]
    • P1551: Insufficient security checks between infotainment system and external devices (Connected Cars) [Added]
  • T2151: Verify that security checks are performed before updating infotainment OS (Connected Cars) [Added]
    • P1550: Insecure software updates (Connected Cars) [Added]
  • T2152: Protect against Denial of Service attacks (Connected Cars) [Added]
    • P1553: Denial of Service in networks (Connected Cars) [Added]
  • T2153: Verify the security against Denial of Service attacks (Connected Cars) [Added]
    • P1553: Denial of Service in networks (Connected Cars) [Added]
  • T2154: Validate all YAML input [Added]
    • I1486: Write a schema using RX to validate YAML data [Added]
  • T2155: Follow security best practices for YAML parsers [Added]
    • P1556: Improper serializing/deserializing of YAML data [Added]
  • T2156: Validate Scalable Vector Graphics (SVG) [Added]

    • P12: Missing or Incorrect XML Validation [Updated]
      • Updated text
  • Deactivated Problems

    • P30: Improper Validation of Array Index
    • P38: Compiler Removal of Code to Clear Buffers
    • P69: Improper Null Termination
    • P154: Storing Passwords in a Recoverable Format
    • P309: Use After Free
    • P402: Spyware
    • P518: Null Byte Interaction Error (Poison Null Byte)
    • P573: Use of multiple resources with duplicate identifier
    • P670: Failure to Control Generation of Code ('Code Injection')
    • P691: Padding Oracle Decryption
  • Updated T186 w/ latest security patch level for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • Java
    • Node.js
    • AngularJS/Angular
    • Docker
    • jQuery
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • A1284: VB [Added]
    • Q208: Data Formats
      • Q115: Generates or reads data/files in the following formats:
        • A1285: YAML [Added]
        • A1286: SVG [Added]
    • Q276: Network Layer
      • Q332: Automotive Protocols Used [Added]
        • A1282: CAN [Added]
    • Q307: Containerization
      • Q308: Containerization Technologies
        • A1209: Kubernetes (unmanaged) [Updated]
          • Updated title and description
  • New Just-in-Time Training

    • CCPA
    • Microservices JITT: API Gateway Implementation

5.6

New features and improvements

  • Problem View

    • Gain visibility into the risks your projects face by viewing all of their Problems in one page.
    • Added a Problems tab to the Project page with a table listing all Project Problems in rows.
    • Each Problem row can be expanded to display the Problem description or its related Tasks. The Related Tasks view allows you to update a Problem’s task statuses and assign users.
    • Search by Problem title, Problem description, related Task description, and filter by Risk Rating.
  • Project Survey

    • View Latest History
      • Select or change an answer in the survey to see a “View Latest History” link that displays information about the last change, when it was made, and by whom.
    • Help text on Questions and Answers now support multi-line markdown and URLs.
  • Verification

    • Added support for WhiteSource integration. Update the verification status of task T186 using dependency information tracked in a WhiteSource product.
  • Compliance Reports

    • Added support for exporting to CSV.
    • HTML, PDF, and CSV reports now have an “[edited on ]” field for updated task notes. The most recently created note appears first in descending order. Each task note ends with a semi-colon for easy parsing.
  • API changes

    • Added endpoints for project problems and related tasks.
    • Added an endpoint for retrieving a Project's survey history. The history shows changes to answers in a project survey, along with the time and date, and the user who changed it.

Other product improvements

  • Glossary Task tooltips now support URLs.
  • Updated the term “ALM” to “Issue Tracker” on the SD Elements UI and in the API. There will be backwards compatibility for the API until a future release.
  • Resized the solution column on the import evaluation screen to correctly view all of its contents.
  • Fixed export for Questions in the Content exporter.
  • Updated warning button styling to make them more user-friendly.
  • Updated Jira integration to support deprecated createmeta API calls for Jira Server 8.4 and later.

Content additions and updates (as of May 7, 2020):

  • Compliance Regulations and Mappings

    • Added CMMC (Level 1) compliance report
    • Added CMMC (Level 2) compliance report
    • Added CMMC (Level 3) compliance report
    • Added CMMC (Level 4) compliance report
    • Added CMMC (Level 5) compliance report
    • Added OWASP API compliance report
  • New Content Packs

    • CMMC
    • Flutter
    • OWASP API Top 10
  • T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services

    • I1413: Biometric authentication (Flutter) [Added]
  • T21: Ensure all data in transit is encrypted using a secure TLS channel
    • I1423: Data-in-transit encryption (Flutter) [Added]
  • T25: Enforce absolute session timeouts
    • I1420: Session Invalidation (Flutter) [Added]
  • T45: Log potential critical security events
    • TA2881: OWASP API Guidelines for Log Monitoring [Added]
  • T49: Disable and remove debug capabilities and code/data, and prepare application for release
    • I1417: Prepare the application for release (Flutter) [Added]
  • T59: Use standard libraries for cryptography
    • I1421: Cryptography (Flutter) [Added]
  • T148: Avoid caching confidential data on client
    • I1408: Protect against client side caching (iOS) [Added]
    • I1416: Securely store temporary camera files (Flutter) [Added]
  • T152: Avoid asking for and using excessive permissions
    • I1412: Excessive permissions (Flutter) [Added]
  • T156: Validate certificate and its chain of trust properly
    • I1414: Certificate pinning (Flutter) [Added]
  • T157: Temporary files must be cleaned up after the resource is used
    • I1425: Clear cached files (Flutter) [Added]
  • T160: Avoid relying on jailbreak or root detection as a strong security measure
    • I1422: Jailbroken and rooted device detection (Flutter) [Added]
  • T168: Prevent auto-snapshot from saving sensitive data (iOS) [Updated]
    • Updated text
    • I1405: Disable iOS application backgrounding [Added]
    • I1406: Mask sensitive data in the iOS app UI (Objective-C) [Added]
    • I1409: How to mask sensitive data in iOS app UI (iOS-Swift) [Added]
  • T248: Protect secret keys and passwords in the application
    • I1418: Secure data storage (Flutter) [Added]
  • T261: Manage iOS Pasteboards that are used with sensitive data [Updated]
    • Updated text
  • T282: Bind variables in SQL statements for client applications
    • I1419: SQL injection prevention (Flutter) [Added]
  • T295: Avoid storing unencrypted confidential data without access control mechanisms
    • I482: iOS data encryption with PBKDF2 (Objective-C) [Updated]
      • Updated text.
    • I528: iOS data encryption with PBKDF2 (Swift) [Updated]
      • Updated text.
  • T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
    • I1415: Disable autocorrection/keyboard extension (Flutter) [Added]
  • T324: Follow best security practices when using WKWebView (iOS)
    • I1407: Handle universal links in the application [Added]
  • T608: Obfuscate your executables
    • I1424: Code obfuscation (Flutter) [Added]
  • T1362: Perform message throttling in Web APIs [Updated]
    • Updated title and text to better reflect completion conditions.
    • TA2882: Web API - throttling types [Added]
  • T1363: Verify if message throttling is properly performed in Web APIs [Updated]
    • Updated title to better reflect completion conditions.
  • T1539: Clear browser data on user logout [Updated]
    • Updated text
  • T1917: Perform container security assessment [Updated]
    • Updated text
  • T2133: Protect the security of data in iOS [Added]
    • P1544: Unprotected and Unsecure Data in Mobile Applications [Added]
    • I1400: Data encryption using CryptoKit framework (iOS-Swift) [Added]
    • I1401: Create and validate signatures in CryptoKit framework (iOS-Swift) [Added]
    • I1403: Encryption with Apple Secure Enclave (iOS-Objective C) [Added]
  • T2134: Compile iOS applications with PIE and ARC flags [Added]
    • I1404: Enable PIE and ARC flags in Xcode [Added]
  • T2137: Ensure that sensitive data is not recorded (iOS) [Added]
    • P1545: Information Disclosure in iOS via ReplayKit Framework [Added]
    • I1410 Prevent information disclosure in iOS when mirroring/recording (Objective-C) [Added]
    • I1411 Prevent information disclosure in iOS when mirroring/recording (Swift) [Added]
  • T2139: Prevent information exposure through APIs [Added]
  • T2140: Test that APIs do not expose sensitive information [Added]
  • T2141: Perform function level authorization in API [Added]
  • T2142: Verify that function level authorization is implemented in API [Added]

  • Updated T186 w/ latest security patch level for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • OpenSSL
    • Apache HTTP Server
    • Apache Wicket
    • Bouncy Castle
    • jQuery
    • AFNetworking Library
    • Node.js
  • Changes to Project Properties and Profiles

    • Q195: Language and Framework
      • Q109: Programming Language
        • A1281: Flutter [Added]
    • Q331: US Federal and NIST
      • Q328: In-Scope for CMMC [Added]
        • Q329: CMMC Maturity Level [Added]
          • A1276: Level 1 [Added]
          • A1277: Level 2 [Added]
          • A1278: Level 3 [Added]
          • A1279: Level 4 [Added]
          • A1280: Level 5 [Added]
        • A1275: Yes [Added]

5.5

New features and improvements

  • Issue tracker integrations

    • Added RSA Archer issue tracker integration: synchronize SD Elements tasks as Archer findings in order to track outstanding controls.
    • Added GitLab issue tracker integration: synchronize SD Elements tasks as issues in a GitLab project.
    • Added custom priority mapping to Micro Focus ALM integration
    • Rally: Added support to allow the issue type “Feature” to serve as the parents of “User Stories”
  • API changes

    • Added support for upcoming improvements to project classification.
    • Updated the project classification endpoint to save and fetch a classification formula.
    • New risk factor endpoint to save and fetch risk factors used by classification formulas.

Other product improvements

  • Restyled primary UX buttons to be more user friendly
  • Improved performance of the project ALM connection endpoint
  • Renamed HP ALM to Micro Focus ALM
  • Migrated Remote Integration Agent to Python 3
    • If you are using the Linux RIA, you must install the new RIA package in a python 3 environment
  • Fixed unclear JIRA error message for invalid username or token
  • Fixed JIRA integration issues with On-Prem JIRA instances
    • This will be backported to 5.4
  • Updated the error message for when implied answers create a conflict

Content additions and updates (as of March 20, 2020):

  • Compliance Regulations and Mappings

    • Added NY SHIELD compliance report
    • Added ASVS 4 compliance report
    • Updated GDPR compliance report
    • Updated NYDFS compliance report
    • Updated PIPEDA compliance report
  • T7: Salt and hash stored passwords [Updated]

    • Updated text and recommended hash function.
  • T15: Centralize authorization
    • I5: Centralize authorization using AccessController interface of ESAPI [Updated]
      • Fixed the text’s formatting.
  • T146: Use encryption for network communications in mobile environments
    • I1392: Using encrypted channels in Android (Kotlin) [Added]
    • I1397: Android (Kotlin) - StrictMode for cleartext network traffic detection [Added]
  • T157: Temporary files must be cleaned up after the resource is used
    • I1391: Android (Kotlin) [Added]
  • T162: Validate pathname before retrieving local resources
    • I1395: Android (Kotlin) [Added]
  • T248: Protect secret keys and passwords in the application
    • I1393: Using server-side module to store secret keys and passwords for Android applications (Kotlin) [Added]
  • T270: Follow best practices for storing application data on Android devices
    • I1394: Android storage options and considerations (Kotlin) [Added]
  • T282: Bind variables in SQL statements for client applications
    • I1398: Android (Kotlin): Bind parameters to content provider query [Added]
  • T394: Secure one-time passwords (OTP) [Updated]
    • Updated text.
  • T408: Set secure flag on Android Activities with sensitive content [Updated]
    • Updated text.
    • I1396: Setting FLAG_SECURE for Android Activity (Kotlin) [Added]
  • T2122: Update Android Security Provider [Added]
    • P1535: Lack of Verification of Up-to-date Android Security Provider [Added]
    • I1399: How to update Android Security Provider in the application [Added]
  • T2123: Verify that Android Security Provider gets checked to be up-to-date [Added]
    • P1535: Lack of Verification of Up-to-date Android Security Provider [Added]
  • T2124: Exercise security best practices for inducing new versions of microservices [Added]
    • P1536: Insecure induction of new versions for microservices [Added]
  • T2125: Exercise security strategies for handling session persistence [Added]
    • P1537: Lack of security strategies for handling session persistence [Added]
  • T2126: Exercise security strategies for preventing credential abuse and stuffing attacks [Added]
    • P1538: Lack of security strategies for preventing credential abuse and stuffing attacks [Added]
  • T2127: Exercise security best practices for API gateway implementation [Added]
    • P1539: Lack of security best practices for API gateway implementation [Added]
  • T2128: Notify users and regulators of breaches of personal information [Added]
    • TA2879: NY SHIELD Act / Breach Notification [Updated]
  • T2129: Exercise security best practices for access management in microservices
    • P1540: Inadequate access management in microservices [Added]
  • T2130: Exercise best practices for securing microservices communication
    • P1541: Unsecure microservices communication [Added]
  • T2131: Exercise security strategies for service mesh implementation
    • P1542: Lack of security strategies for service mesh implementation [Added]
  • T2132: Exercise security best practices for service registry

    • P1543: Lack of security best practices for service registry [Added]
  • Updated T186 w/ latest security patch level for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • OpenSSL
    • Java
    • Docker
    • AngularJS/Angular
    • Node.js
    • Bouncy Castle
  • Changes to Project Properties and Profiles

    • Q206: Privacy
      • Q160: Handles Personal Data
        • Q224: Privacy Regulations
          • A1273: NY SHIELD [Added]

5.4

New features and improvements

  • Survey section and subsection reorder

    • Sections and subsections can now be reordered to better fit your organization’s needs.
    • Reorder these sections from Library > Project Survey.
    • Note: Reordering the survey in the library affects existing and future projects. This action may also affect subsequent completions of a project's survey because the default order of the survey is designed to automatically answer some questions or make new questions available in subsequent sections. By reordering the survey and completing it again, answers and sections may become available out of an expected order and affect your project's settings.
    • It is recommended that you reorder the survey with your Customer Success representative.
  • Performance Improvements

    • Significantly improved the load time by up to 70% for the Library Tasks page.
    • Improved the generation time by 15% of the All Tasks report for projects with ~800-1000 tasks.
    • The Project Survey may show improved performance during answer selection.
  • Integrations

    • Azure DevOps (TFS)
      • Added custom status mapping.
  • Automations:

    • Automations has moved to System Settings.
    • The Automations form now allows users to specify Business Unit, Application, Task, and Task Status from a dropdown list of available options or by performing a keyword search.
    • Threshold values can be set for Task Status Change and Verification Tool Ran events.

Other product improvements:

  • JIRA Issue Tracker sync
    • Resolved an issue with ALM tasks not being recreated when they were removed when the authoritative source was set to SDE or “Last Status Update”.
  • Process content used for Automations is no longer disabled by default during SD Elements upgrades. You can enable or disable process content in the Content Pack Selector.
  • Clicking on links in the Tasks Overview of a project now takes you to the correct phase.
  • Added a Name ID format field when configuring SAML for single sign-on.

  • New Just-in-Time Training

    • JSP
    • Continuous Compliance

Content additions and updates (as of February 13, 2020):

  • T1922: Use secure OAuth 2.0 and OpenID Connect integration (where applicable) [Updated]
    • Changed title.
  • T2117: Secure microservices APIs that access sensitive data [Added]
  • T2118: Exercise security monitoring best practices in Microservices environments [Added]
  • T2119: Deploy circuit breakers in Microservices environments [Added]
  • T2120: Exercise security best practices for load balancing in Microservices environments [Added]
  • T2121: Exercise security best practices for service rate limiting in Microservices environments [Added]

  • Compliance Regulations and Mappings

    • Added AICPA Trust Services Criteria 2017 (SOC2) compliance report
    • Updated ISO 27001:2013 compliance report
    • Removed outdated ISO 27001:2005 mapping and compliance report
    • Added CSA Cloud Controls Matrix (CCM) v3.0.1 compliance report
  • Updated T186, w/ latest security patch level for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Struts
    • Apache Tomcat
    • GnuTLS
    • OpenSSL
    • Apache HTTP Server
    • Apache Wicket
    • Apache MyFaces
    • jQuery
    • Docker
    • AngularJS/Angular
    • AFNetworking Library
    • Node.js
    • Bouncy Castle
  • Changes to Project Properties and Profiles

    • Q193: Application Type
      • Q101: Type of Application
        • A1264: Microservice [Added]
    • Q237: Compliance Scope: Other
      • Q324: In-Scope for AICPA Trust Services Criteria (SOC2) [Added]
        • A1266: Yes [Added]
      • Q325: In-Scope for ISO 27001 Compliance [Added]
        • A1267: Yes [Added]
      • Q326: In-Scope for Cloud Security Matrix (CCM)
        • A1268: Yes [Added]
    • Q243: Internal Hidden Properties
      • Q189: Internal Properties (Use this, for all hidden answers)
        • A1265: Microservices - Code [Added]
        • A1269: Microservices - Non-code [Added]
    • Q258: Architecture/Environment
      • Q322: Architecture [Added]
        • Q261: IoT Architecture [Updated]
          • Changed “Architecture” to new “IoT Architecture” and moved it under "Q322: Architecture".
        • Q327: Microservices Architecture [Added]
          • A1263: This is an overarching project for designing and implementing security measures in Microservices Ecosystem (select this if you are modelling the deployment of, or setting up the infrastructure for the microservices). [Added]
        • A1137: IoT ecosystem [Updated]
          • Moved it under "Q322: Architecture".
        • A1142: Contains multiple components that communicate through a network [Updated]
          • Moved it under "Q322: Architecture".
        • A1262: Microservices ecosystem [Added]
    • Q289: Cloud Computing
      • Q290: Cloud Providers
        • Q298: AWS Services
          • A1270: ECS [Added]
          • A1271: DynamoDB [Added]

5.3

New features and improvements:

  • Performance Improvements

    • SD Elements now runs in Python 3, the modern and slightly faster version of Python.
      • Older Library pages should experience improved loading times in Python 3.
    • The Dashboard page should experience improved loading times.
  • Automations (Beta)

  • Content Pack Selector (Beta)

    • The Content Pack Selector is now available from the Library.
    • Privileged users can now enable and disable certain subject areas of the base SD Elements content using the application user interface.
      • The base SD Elements content is now organized into a set Content Packs. A Content Pack is a collection of related Tasks, How-Tos, Additional Requirements, Profiles, and Survey Answers covering distinct subject areas: Application Security, Compliance, Operational Security, Privacy, and Process.
      • Process content used for Automations is disabled by default but may be enabled by content administrators.
    • See our documentation for more details: https://docs.sdelements.com/release/latest/guide/
  • Profiles

    • Built-in profiles are now visible from the Profiles page within the Library.
    • Deactivated Profiles will not appear in the Profile selection list.
    • All Projects must have an active Profile selected.
      • The state of a Profile is now indicated on the Project Survey.
      • For existing Projects with a deactivated Profile, you can cancel out of the Project Survey to preserve your Project Survey’s Answers.
  • Issue Trackers

    • JIRA SmartSync
      • Optimized JIRA ALM sync. Previously, the ALM sync reached out to every JIRA task to check for changes. This change detection is now done in bulk, which results in SD Elements only reaching out to JIRA tasks that have changed since the last successful sync.
  • Project Survey Enhancements

    • Buttons now have improved clarity.
      • For example, the “Continue” button now says, “Continue To Summary”, and “Close” now says, “Continue To Tasks”.
    • Cancel buttons were added to the Survey and Summary pages, which allow you to return to the Tasks page.
  • Remote Integration Agent (RIA)

    • The Linux RIA is now available for download in SD Elements from Integrations > Remote Agent.
    • A link to RIA installation guidance is now available on the RIA list and the download dialog for both Windows and Linux agents.
  • Project Specific Tasks

    • Individual tasks identified within the blue button “New Content Updates Available” notification can now be manually added to a project using the “Add task” feature.
  • Risk Policy

    • A Risk Policy description has been added to the Summary steps during project creation and the Project Survey page.
  • System Updates

    • Updated the data encryption library in SD Elements.
      • SD Elements has upgraded to django cryptography, which uses the Python cryptography library for encryption.
      • Previously, SD Elements used the django-extensions library to store encrypted values in the database, which used the keyczar library. This library is now deprecated and does not support Python 3.
      • Note: Due to the cryptography library changes in this version, do not remove the system’s keyczar keys from the system until all releases of SD Elements prior to version 5.3 are no longer present on the system. For more information, contact sdesupport@securitycompass.com
  • Tooltip Improvements

    • Accessibility enhancements have been made for tooltips throughout SD Elements. The contrast between font and background colors, and the font and margin sizes have now been increased.
    • Library Question and Answer Help Text now support markdown styling for bold and italicized text, ordered and unordered lists, code blocks, and indentations.
  • Other Product Improvements:

    • Group caches now refresh on a regular interval, fixing some cache issues that required a manual cache restart.
    • The Remote Integration Agent installer now only allows administrators to install apps.
    • Relevant tasks can now be manually added to a project without error messages.
    • Fixed an issue with incorrect browser tabs under Accounts.
    • Fixed an issue with columns in compliance reports.
    • Problems without a relevant CWE no longer show CWE headers.
  • New Just-in-Time Training

    • Defending ASP.NET Core in C#
    • Defending HTML5
    • Defending Swift for iOS
    • Defending Web API
    • Defending Web Apps

Content additions and updates (December 11, 2019):

  • Compliance Regulations and Mappings

    • Added California Consumer Privacy Act (CCPA) compliance report
    • Updated California Online Privacy Protection Act compliance report
    • Added Brazil Data Protection Law (LGPD) compliance report
    • Added NIST 800-53 Privacy Controls (Appendix J) compliance report
  • Updated Tasks

    • T17: Do not only rely on client-side authorization [Changed title and updated text to be more distinct from similar tasks.]
    • T738: Determine the legal basis for transferring personal data [Changed title and updated text.]
    • T739: Verify if transferring personal data is legitimate and in compliance with applicable privacy regulations [Changed title and updated text.]
    • T1154: Secure Docker registries (Docker) [Updated the text.]
    • T1155: Verify that Docker registries are secure (Docker) [Updated the text.]
    • T1172: Secure daemon configuration files (Docker) [Updated the text.]
    • T1173: Verify that daemon configuration files are secured (Docker) [Updated the text.]
  • Added Tasks

    • T2105: Enforce the use of client certificate bundles for unprivileged users to access UCP (Docker)
    • T2106: Verify that the use of client certificate bundles for unprivileged users is enforced (Docker)
    • T2107: Configure applicable cluster role-based access control policies for UCP access (Docker)
    • T2108: Verify that a valid RBAC model is configured for UCP access (Docker)
    • T2109: Enable signed image enforcement (Docker)
    • T2110: Verify that signed image enforcement is enabled (Docker)
    • T2111: Set the 'Per-User Session Limit' to a value of '3' or lower (Docker)
    • T2112: Verify that the 'Per-User Session Limit' is set to a value of '3' or lower (Docker)
    • T2113: Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Docker)
    • T2114: Verify that the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values are set to '15' or lower and '0' respectively (Docker)
    • T2115: Enable image vulnerability scanning (Docker)
    • T2116: Verify that image vulnerability scanning is enabled (Docker)
  • Deactivated Tasks

    • T1216: Perform regular security audits of your host system and containers (Docker)
    • T1217: Verify that security audits of your host system and containers are performed regularly (Docker)
    • T1218: Monitor the usage, performance, and metering of Docker containers (Docker)
    • T1219: Verify that the usage, performance, and metering of Docker containers are monitored (Docker)
    • T1220: Back up container data (Docker)
    • T1221: Verify that container data is backed up (Docker)
  • Added Additional Requirements

    • TA2859: California Online Privacy Protection Act (CalOPPA): Privacy Policy
    • TA2860: CCPA: Privacy Notice
    • TA2861: CCPA: Indirect Collection of Personal Information
    • TA2862: CCPA: Access Requests and Verification
    • TA2863: CCPA: Requests to Delete
    • TA2864: CCPA: Service Provider Obligations
    • TA2865: CCPA: Requests to Opt-Out of Sale of Personal Information
    • TA2866: CCPA: Record Keeping
    • TA2867: CCPA: Opt-In Consent for Sale of Children's Personal Information
    • TA2868: NIST 800-53 Privacy Controls: Purpose Specification and Use Limitation
    • TA2869: NIST 800-53 Privacy Controls: Privacy Notice
    • TA2870: NIST 800-53 Privacy Controls: Privacy Impact Assessment
    • TA2872: NIST 800-53 Privacy Controls: Personal Data Inventory
    • TA2873: NIST 800-53 Privacy Controls: Data Quality
    • TA2874: NIST 800-53 Privacy Controls: Data Anonymization
    • TA2875: NIST 800-53 Privacy Controls: Data Retention and Disposal
    • TA2876: NIST 800-53 Privacy Controls: Consent
    • TA2877: NIST 800-53 Privacy Controls: Individual Access
  • Deactivated Additional Requirements

    • TA935: HTTP Public Key Pinning (HPKP) [Removed since HPKP is not supported by many browsers any more.]
  • Updated Problems

    • P834: Lack of Certificate/Public Key Pinning [Included “A1260: Requires certificate or public key pinning” in the applicability rules.]
    • P1066: Insecure Docker registries (Docker) [Updated the text.]
    • P1075: Unprotected daemon configuration files (Docker) [Updated the text.]
  • Added Problems

    • P1529: Providing direct access to UCP manager nodes by giving administrative permissions to users (Docker)
    • P1530: Using the default RBAC roles provided by UCP (Docker)
    • P1531: Running untrusted containers (Docker)
    • P1532: Using an improper value for limiting the number of per user concurrent sessions (Docker)
    • P1533: Using an improper value for limiting the duration of active sessions (Docker)
    • P1534: Running Docker containers based on images with known vulnerabilities (Docker)
  • Deactivated Problems

    • P1097: Failing to perform security audits of your host system and containers (Docker)
    • P1098: Unmonitored Docker containers usage, performance, and metering (Docker)
    • P1099: Failing to back up container data (Docker)
  • Updated HowTo's

    • I922: Docker: How to secure Docker registries [Updated the text.]
    • I931: Docker: How to secure daemon configuration files [Updated the text.]
  • Added HowTo's

    • I1385: Docker: How to create client certificate bundles
    • I1386: Docker: How to configure UCP RBAC components
    • I1387: Docker: How to enable signed image enforcement
    • I1388: Docker: How to set the 'Per-User Session Limit'
    • I1389: Docker: How to set the 'Lifetime Minutes' and 'Renewal Threshold Minutes'
    • I1390: Docker: How to enable image vulnerability scanning
  • Deactivated HowTo’s

    • I908: Apache: Enabling HPKP [HPKP is not supported by many browsers.]
    • I909: NGINX: Enabling HPKP [HPKP is not supported by many browsers.]
    • I910: IIS: Enabling HPKP [HPKP is not supported by many browsers.]
    • I954: Docker: How to monitor Docker container usage, performance, and metering
    • I955: Docker: How to back up container data
  • Updates to T186 with the latest security patch level for third-party libraries:

    • Rails
    • Django
    • Spring
    • Struts
    • Apache Tomcat
    • GnuTLS
    • Apache MyFaces
    • Java
    • Node.js
    • AngularJS/Angular
    • Docker
  • Changes to Project Properties and Profiles

    • Added “Q160: Handles Personal Data” under "Q206: Privacy"
    • Added “Q265: In-Scope for NIST 800-53 Compliance” under "Q237: Compliance Scope: Other"
    • Added "Q321: NIST 800-53 Privacy Controls” under “Q265: In-Scope for NIST 800-53 Compliance”
    • Added "A1255: CCPA” under “Q224: Handles Personal Data”
    • Added "A1256: CalOPPA” under “Q224: Handles Personal Data”
    • Added "A1257: Latin America” under “Q159: Organization is Subject to the Laws of:”
    • Added "A1258: Brazil LGPD” under “Q224: Handles Personal Data”
    • Added “A1260: Requires certificate or public key pinning” under “Q214: Miscellaneous”
    • Deactivated “A1177: VPC” from the ‘Applicable When’ criteria of “P866: Relational Database Service Misconfigured (AWS)”
    • Deactivated “A1171: EC2” from the ‘Applicable When’ criteria of “P866: Relational Database Service Misconfigured (AWS)”

5.2

New features and improvements

  • Automations (formerly Process Task Automation)

    • Automations is currently in Beta and does not have any features that are visible to users. It does, however, run in the background and may affect some of your tasks. As more features become available in SD Elements, more information will follow.
  • Project Classification

    • The classification list page has been improved. Classifications that have no policies or active answers are now greyed out, and classifications that have inactive answers now show a warning.
  • Existing integrations:

    • HCL AppScan:
      • IBM AppScan has changed to HCL AppScan.
    • HP ALM:
      • Added support for the “Not Covered” status.
  • New Integrations:

    • Added support for ServiceNow integration.
    • Added support for Coverity verification integration:
      • We are aware of the following behavior with Coverity integration with SD Elements:
        • Only flaws with the action “Ignore” are marked as pass/partial pass and removed from flaws total counts.
        • Custom Severities in Coverity are mapped to “unknown” severity in SD Elements and are counted as fails.
        • At this time, there is no method to add custom severity mappings.
  • Project Reports

    • The All Task Report PDF export now has a limit of 1000 tasks.
  • Project Survey Answers

    • Deactivating Answers in the Project Survey will now also set them to be hidden in the Project Survey (similarly reactivating answers result in them reappearing in the survey).
  • Deprecations

    • Thoughtworks Mingle has been deprecated and is no longer supported in SD Elements.
    • Trac has been deprecated and is no longer supported in SD Elements.
  • Bug fixes:

    • Fortify reports with a count of 0 now correctly trigger Process Task Automation events.
    • Fixed dropdown fields in the frontend from becoming deselected when escaped or clicked away from.
    • Reports no longer display a unicode error when non-ASCII characters are present.
    • SAML SP initiated POST requests now correctly navigate to the IdP page.
    • Fixed Azure DevOps (TFS) sync error for “missing ‘fields’”.
    • SD Elements no longer crashes if a large number of projects sharing the same risk policy refresh their risk policies at the same time.

Content additions and updates (as of October 25, 2019):

  • Compliance Regulations and Mappings

    • Added FedRAMP compliance report for Low/Moderate/High baselines.
    • Added FedRAMP additional requirements for Low/Moderate/High baselines.
    • Added NIST 800-53 compliance report for Low/Moderate/High baselines.
    • Added NYDFS compliance report.
    • Updated CalOPPA compliance report and added new subsections.
  • Updated Tasks

    • T5: Use minimum standards for passwords [Updated the text.]
    • T680: Do not create IAM policies that allow full administrative privileges (AWS) [Updated the title.]
    • T681: Enable CloudTrail in all regions (AWS) [Updated the text.]
    • T699: Test that credentials unused for 90 days or greater are disabled (AWS) [Updated the text.]
    • T700: Test that access keys are rotated every 90 days or less (AWS) [Updated the text.]
    • T714: Test if any IAM policy exists that allows full administrative privileges (AWS) [Updated the title and the text.]
    • T718: Test if AWS Config is enabled in all regions (AWS) [Updated the text.]
    • T719: Test if S3 bucket access logging is enabled on the CloudTrail S3 bucket (AWS) [Updated the text.]
    • T720: Test that log metrics and alarms are created (AWS) [Updated the text.]
    • T725: Test that log file validation is enabled (AWS) [Updated the text.]
    • T1053: Enable VM protection features (Microsoft Azure) [Updated the text.]
    • T1054: Test that VM protection features are enabled (Microsoft Azure) [Updated the text.]
    • T1056: Test that all VMs are updated (Microsoft Azure) [Updated the text.]
    • T1057: Enable disk and storage encryption (Microsoft Azure) [Updated the text.]
    • T1058: Test that disk and storage encryption is enabled (Microsoft Azure) [Updated the text.]
    • T1059: Configure network security groups and firewalls securely (Microsoft Azure) [Updated the text.]
    • T1060: Test that network security groups and firewalls are configured securely (Microsoft Azure) [Updated the text.]
    • T1061: Enable SQL auditing (Microsoft Azure) [Changed the old title "Enable SQL auditing and threat detection" and updated the text.]
    • T1062: Verify that SQL auditing is enabled (Microsoft Azure) [Changed the old title "Test that SQL auditing and threat detection are enabled" and updated the text.]
    • T1063: Set up security contacts (Microsoft Azure) [Updated the text.]
    • T1064: Verify that security contacts are set up (Microsoft Azure) [Changed the old title and updated the text.]
    • T1073: Keep logs long enough (Microsoft Azure) [Updated the text.]
    • T1074: Verify that logs are kept long enough (Microsoft Azure) [Updated the text.]
    • T1077: Log critical events (Microsoft Azure) [Updated the text.]
    • T1078: Verify that critical events are logged (Microsoft Azure) [Updated the text.]
    • T1082: Verify that Key Vault is configured securely (Microsoft Azure) [Updated the text.]
    • T1087: Select standard pricing tier (Microsoft Azure) [Updated the text.]
    • T1088: Verify that standard pricing tier is selected (Microsoft Azure) [Updated the text.]
  • Deactivated Tasks

    • T674: Enable Detailed Billing (AWS)
    • T675: Activate IAM Master and IAM Manager roles (AWS)
    • T708: Verify that detailed billing is enabled (AWS)
    • T709: Verify that IAM Master and IAM Manager roles are active (AWS)
  • Added Tasks

    • T2033: Ensure SELinux is enabled on all container instances (Amazon ECS)
    • T2034: Ensure AppArmor is enabled on all container instances (Amazon ECS)
    • T2035: Ensure privileged containers are not permitted on the container instance (Amazon ECS)
    • T2036: Ensure containers do not run as root (Amazon ECS)
    • T2037: Set root filesystems to be read-only (Amazon ECS)
    • T2038: Apply resource limits on containers (Amazon ECS)
    • T2039: Enable container insights on ECS clusters (Amazon ECS)
    • T2040: Ensure host operating systems are up to date (Amazon ECS)
    • T2041: Attach IAM roles for ECS container instances (Amazon ECS)
    • T2042: Ensure virtual machines running ECS instances are inside a VPC (Amazon ECS)
    • T2043: Identify and remediate vulnerabilities in container images (Amazon ECS)
    • T2044: Utilize AWS parameter store for sensitive data storage (Amazon ECS)
    • T2045: Ensure a VPC endpoint is used to access DynamoDB tables (Amazon DynamoDB)
    • T2046: Encrypt data stored in DynamoDB at rest (Amazon DynamoDB)
    • T2047: Attach IAM policies to DynamoDB resources (Amazon DynamoDB)
    • T2048: Utilize client-side encryption for DynamoDB (Amazon DynamoDB)
    • T2051: Configure network access rules for storage accounts (Microsoft Azure)
    • T2052: Verify that network access rules are configured properly for storage accounts (Microsoft Azure)
    • T2053: Ensure virtual machines running instances are inside a VPC (Amazon Aurora)
    • T2054: Utilize Security Groups to restrict access to instances (Amazon Aurora)
    • T2055: Enforce network ACLs for instances (Amazon Aurora)
    • T2056: Encrypt data stored at rest (Amazon Aurora)
    • T2057: Enforce authentication on your database engine (Amazon Aurora)
    • T2058: Attach IAM policies to resources (Amazon Aurora)
    • T2059: Enable App Service authentication and identity management (Microsoft Azure)
    • T2060: Ensure snapshots are not public (Amazon Aurora)
    • T2061: Change the default master username (Amazon Aurora)
    • T2062: Use AWS Secrets Manager for connection credentials (Amazon Aurora)
    • T2063: Utilize Database Activity Streams for PostgreSQL databases (Amazon Aurora)
    • T2064: Verify that App Service authentication and identity management is enabled (Microsoft Azure)
    • T2065: Configure TLS for secure connections to App Service (Microsoft Azure)
    • T2066: Verify that TLS is configured properly for App Service (Microsoft Azure)
    • T2067: Use the latest version of software on App Service (Microsoft Azure)
    • T2068: Verify that the latest version of software is used on App Service (Microsoft Azure)
    • T2069: Set 'Enforce SSL connection' to 'ENABLED' for database servers (Microsoft Azure)
    • T2070: Verify that 'Enforce SSL connection' is set to 'ENABLED' for database servers (Microsoft Azure)
    • T2071: Enable logging of important PostgreSQL security events (Microsoft Azure)
    • T2072: Verify that logging of important PostgreSQL security events is enabled (Microsoft Azure)
    • T2073: Enable 'log_retention_days' on PostgreSQL servers (Microsoft Azure)
    • T2074: Verify that server parameter 'log_retention_days' is set to more than 3 days for PostgreSQL database server (Microsoft Azure)
    • T2075: Enable 'connection_throttling' on PostgreSQL servers (Microsoft Azure)
    • T2076: Verify that 'connection_throttling' on PostgreSQL servers is enabled (Microsoft Azure)
    • T2077: Use strong cryptographic ciphers (Kubernetes)
    • T2078: Verify that strong cryptographic ciphers are used (Kubernetes)
    • T2079: Restrict Kublet nodes to access only objects associated with them. (Kubernetes)
    • T2080: Verify that Kublet nodes are restricted to access only objects associated with them. (Kubernetes)
    • T2081: Encrypt data at rest properly (Kubernetes)
    • T2082: Verify that data at rest is encrypted properly (Kubernetes)
    • T2083: Limit the rate at which the API server accepts requests (Kubernetes)
    • T2084: Verify that the admission control plugin 'EventRateLimit' is set (Kubernetes)
    • T2089: Turn on Role Based Access Control (Kubernetes)
    • T2090: Verify that Role Based Access Control is turned on (Kubernetes)
    • T2091: Do not bind the scheduler and the controller manager services to non-loopback insecure addresses (Kubernetes)
    • T2092: Verify that the scheduler and controller manager services are not bound to non-loopback insecure addresses (Kubernetes)
    • T2093: Enable Kubelet server certificate rotation (Kubernetes)
    • T2094: Verify that Kubelet server certificate rotation is enabled (Kubernetes)
    • T2095: Set the permissions properly on the sensitive configuration files (Kubernetes)
    • T2096: Verify that the permissions on the sensitive configuration files are set properly (Kubernetes)
    • T2097: Do not let containers to be run with excessive privileges (Kubernetes)
    • T2098: Verify that containers with excessive privileges are not permitted (Kubernetes)
  • Updated Additional Requirements

    • TA927: Test in-depth controls [Updated the text.]
  • Added Additional Requirements

    • TA1980: Blind Server Side Request Forgery (SSRF)
    • TA1981: AWS Metadata Endpoint Data Exfiltration (SSRF)
    • TA2847: NYDFS Cybersecurity Regulation / Penetration Testing and Vulnerability Assessments
    • TA2848: NYDFS Cybersecurity Regulation / Audit Trail
    • TA2849: NYDFS Cybersecurity Regulation / Access Privileges
    • TA2850: NYDFS Cybersecurity Regulation / Multi-Factor Authentication
    • TA2851: Enable JIT Network Access for virtual machines - More in-depth controls
    • TA2852: Verify that JIT Network Access for virtual machines is enabled - More in-depth controls
    • TA2853: Enable 'Advanced Data Security' on critical SQL Servers - More in-depth controls
    • TA2854: Verify that 'Advanced Data Security' is enabled on critical SQL Servers - More in-depth controls
    • TA2855: Enable security alerts for SQL servers - More in-depth controls
    • TA2856: Verify that security alerts for SQL servers are enabled - More in-depth controls
    • TA2857: Kubernetes: Do not let containers to be run with excessive privileges - More in-depth controls
    • TA2858: Kubernetes: Verify that containers with excessive privileges are not permitted - More in-depth controls
  • Updated Problems

    • P846: Lack of CloudTrail logs for all regions (AWS) [Updated the text.]
    • P1020: Inactive VM protection features (Microsoft Azure) [Updated the text.]
    • P1024: No SQL auditing (Microsoft Azure) [Changed the old title "No SQL auditing or threat detection".]
    • P1025: No security contacts (Microsoft Azure) [Updated the text.]
    • P1030: Inadequate Log Retention (Microsoft Azure) [Updated the text.]
    • P1032: Insufficient Logging (Microsoft Azure) [Updated the text.]
  • Deactivated Problems

    • P854: Lack of Detailed Billing records (AWS)
    • P855: One-person control over IAM (AWS)
  • Added Problems

    • P1494: Unrestricted connectivity to sensitive data (Amazon ECS)
    • P1495: Using unsafe container images (Amazon ECS)
    • P1496: Unprotected sensitive data in containers (Amazon ECS)
    • P1497: Publicly accessible database (Amazon DynamoDB)
    • P1498: Missing database encryption (Amazon DynamoDB)
    • P1499: Improper network access rules for storage accounts (Microsoft Azure)
    • P1500: Unrestricted connectivity to sensitive data (Amazon Aurora)
    • P1501: Unrestricted connectivity to sensitive data (Amazon RDS)
    • P1502: Misconfigured or missing network ACLs (Amazon Aurora)
    • P1503: Missing encryption mechanism (Amazon Aurora)
    • P1504: Improper authentication and access control (Amazon Aurora)
    • P1505: Improper App Service authentication and identity management (Microsoft Azure)
    • P1506: Misconfigured IAM policies attached to instances (Amazon Aurora)
    • P1507: Ensure snapshots are not public (Amazon Aurora)
    • P1508: Default master usernames (Amazon Aurora)
    • P1509: Improper secret or connection string management (Amazon Aurora)
    • P1510: Insufficient logging or protection of logs (Amazon Aurora)
    • P1511: Insecure network communication (Microsoft Azure)
    • P1512: Using outdated software in App Service (Microsoft Azure)
    • P1513: Insecure connection to database servers (Microsoft Azure)
    • P1514: No connection throttling for PostgreSQL database server (Microsoft Azure)
    • P1515: Using weak cryptographic ciphers (Kubernetes)
    • P1516: Inadequate access control for Kubelet nodes (Kubernetes)
    • P1517: Cleartext or weakly encrypted data at rest (Kubernetes)
    • P1518: Resource Exhaustion (Kubernetes)
    • P1521: Lack of Role Based Access Control (RBAC) (Kubernetes)
    • P1522: Unauthorized access to the scheduler and controller manager API services (Kubernetes)
    • P1523: Downtimes due to expired certificates (Kubernetes)
    • P1524: Unauthorized access to the sensitive configuration files (Kubernetes)
    • P1525: Allowing containers with excessive privileges (Kubernetes)
  • Updated HowTo's

    • I609: How to delete IAM policies that allow full administrative privileges (AWS) [Updated the text.]
    • I610: How to enable CloudTrail in all regions (AWS) [Updated the text.]
    • I613: How to enable AWS Config in all regions (AWS) [Updated the text.]
    • I615: How to create log metrics and alarms (AWS) [Updated the text.]
    • I626: How to create log metrics and alarms (AWS) - In-depth controls [Updated the text.]
    • I724: Apache HTTP Server: How to secure Apache access control [Updated the text.]
    • I858: Microsoft Azure: How to enable VM protection features [Updated the text.]
    • I859: Microsoft Azure: How to update VMs [Updated the text.]
    • I860: Microsoft Azure: How to enable disk and storage encryption [Updated the text.]
    • I861: Microsoft Azure: How to configure network security groups and firewalls securely [Updated the text.]
    • I862: Microsoft Azure: How to enable SQL auditing [Changed the old title "Microsoft Azure: How to enable SQL auditing and threat detection" and updated the text.]
    • I863: Microsoft Azure: How to set up security contacts [Updated the text.]
    • I868: Microsoft Azure: Keep logs long enough [Updated the text.]
    • I870: Microsoft Azure: Log critical events [Updated the text.]
    • I872: Microsoft Azure: Configure Key Vault securely [Updated the text.]
    • I878: Microsoft Azure: Select standard pricing tier [Updated the text.]
  • Deactivated HowTo's

    • I603: How to enable Detailed Billing (AWS)
    • I604: How to activate IAM Master and IAM Manager roles (AWS)
  • Added HowTo's

    • I1333: Amazon ECS-optimized AMI: Configure SELinux on each container instance
    • I1334: Amazon ECS: Configure AppArmor on each container instance
    • I1335: Amazon ECS: Disable privileged containers on each container instance
    • I1336: Amazon ECS: Configure containers to run as non-root
    • I1337: Amazon ECS: Provide containers in ECS Task Definitions with read-only access to the root file system
    • I1338: Amazon ECS: Configure resource limits for containers
    • I1339: Amazon ECS: Enable Container Insights in a new ECS cluster
    • I1340: Amazon ECS: Enable update on ECS container instances
    • I1341: Amazon ECS: Configure proper IAM policies on ECS clusters
    • I1343: Amazon ECS: Configure ECS instances to run in a VPC
    • I1344: Amazon ECS: Configure containers to inject sensitive data at runtime
    • I1345: Amazon DynamoDB: Configure DynamoDB tables to use a VPC endpoint
    • I1346: Amazon DynamoDB: Use a customer-managed key (CMK) in DynamoDB
    • I1347: Amazon DynamoDB: Configure IAM policies as required
    • I1348: Amazon DynamoDB: Utilizing the DynamoDB Encryption Client
    • I1349: Microsoft Azure: How to set network access rules for storage accounts
    • I1350: Amazon Aurora: How to determine if the RDS instance is configured to run in a VPC
    • I1351: Amazon Aurora: How to determine if Security Groups are configured to protect RDS resources
    • I1352: Amazon Aurora: How to determine if Network ACLs are configured securely
    • I1353: Amazon Aurora: How to determine if data at rest is encrypted in RDS
    • I1354: Amazon Aurora: How to ensure IAM Authentication is enabled for databases
    • I1355: Amazon Aurora: How to determine if an IAM account is configured securely for RDS
    • I1356: Amazon Aurora: How to determine if RDS database snapshots are publicly accessible
    • I1357: Amazon Aurora: How to determine if the default master username is changed
    • I1358: Amazon Aurora: How to create a secret or connection string in AWS Secrets Manager
    • I1359: Amazon Aurora: How to determine if Database Activity Streams are enabled
    • I1360: Microsoft Azure: How to enable App Service authentication and identity management
    • I1361: Microsoft Azure: How to configure TLS for secure connections to App Service
    • I1362: Microsoft Azure: How to use the latest version of software on App Service
    • I1363: Microsoft Azure: How to enforce SSL connection for database servers
    • I1364: Microsoft Azure: How to enable logging of security events for PostgreSQL database
    • I1365: Microsoft Azure: How to set log retention duration for PostgreSQL database server
    • I1366: Microsoft Azure: How to enable connection throttling on PostgreSQL database servers
    • I1367: Microsoft Azure: How to enable JIT Network Access for virtual machines - More in-depth controls
    • I1368: Microsoft Azure: How to enable 'Advanced Data Security' on critical SQL Servers - More in-depth controls
    • I1369: Microsoft Azure: How to enable security alerts for SQL servers - More in-depth controls
    • I1370: Kubernetes: How to only use strong cryptographic ciphers
    • I1371: Kubernetes: How to restrict Kublet nodes to access only objects associated with them.
    • I1372: Kubernetes: How to encrypt data at rest properly
    • I1373: Kubernetes: How to limit the rate at which the API server accepts requests
    • I1376: Kubernetes: How to turn on Role Based Access Control
    • I1377: Kubernetes: How to find the address of the scheduler and controller manager services
    • I1378: Kubernetes: How to enable Kubelet server certificate rotation
    • I1379: Kubernetes: How to set the permissions properly on the sensitive configuration files
    • I1380: Kubernetes: How to not permit containers to be run with excessive privileges
    • I1384: Kubernetes: How to for in-depth controls
  • Changes to Project Properties and Profiles

    • Added "Q319: In-Scope for FedRAMP Compliance" under "Q237: Compliance Scope: Other"
    • Added "Q320: FedRAMP Control Baseline" under "Q319: In-Scope for FedRAMP Compliance"
    • Added "A1247: Yes" under "Q319: In-Scope for FedRAMP Compliance"
    • Added "A1248: Low" under "Q320: FedRAMP Control Baseline"
    • Added "A1249: Moderate" under "Q320: FedRAMP Control Baseline"
    • Added "A1250: High" under "Q320: FedRAMP Control Baseline"
    • Added "A1251: Aurora" under "Q298: AWS Services"
    • Added "A1252: PostgreSQL" under "Q305: Database Management System (DBMS)"
    • Added "A1253: Asia Pacific" under "Q159: Organization is Subject to Laws of:"
    • Added "A1254: In-scope for MAS-TRMG Guidelines" under "Q229: Financial Regulations"

5.1

New features and improvements

  • Risk Policy and Project Classification

    • Project Classification no longer shows a Project as being reclassified from Unclassified the first time a project is classified. It now only displays the initial Project Classification.
    • The Project Classification filter in Global Reports now allows filtering on Projects that are Unclassified.
  • LDAP Sync

    • LDAP Sync now supports LDAPS protocol.
  • Existing Integrations

    • Veracode
      • Updated Veracode authentication for XML to HMAC authentication. Authentication now requires a Veracode Access Key (API ID) and Veracode Secret Key (Key).
      • Existing Veracode connections will not work until credentials are updated.
  • New Integrations for Verification

    • OWASP Dependency Track
  • The beta version of PTA now supports the following verification tools:

    • Threadfix
    • OWASP Dependency Track
  • Known bugs:

    • OWASP Dependency Track:
      • False positives are counted as flaws in SD Elements unless you explicitly suppress them in the OWASP Dependency Track tool.This will be corrected in a later version.
  • Bug Fixes

    • Fixed bug that allowed Problems to be deleted.
    • Fixed LDAP sync group mapping form field that was limited to 1000 groups.
    • Fixed LDAP sync issue with custom certificates.
    • Fixed LDAP sync failing with names longer than 30 characters.
      • First and last names longer than 30 characters are now auto-truncated.
    • Fixed a bug that allowed a Project’s Classification to be updated when the Project’s Survey was saved, but incomplete.
    • Fixed a bug that allowed users to name or rename their project and application to “archived”.
    • Fixed a bug in the Fortify integration where suppressed issues were being included in scanner results.
    • Fixed a bug where the hover zone for a tooltip on the add new Remote Agent button was too small.
  • Hotfixes:

    • PDF Reports
      • PDF reports should be faster to produce as we have replaced the underlying engines used to build them.
    • Fixed an error that was causing Veracode reports with unicode characters to fail to import.
    • Fixed the modification of a Library Task’s priority

Content additions and updates (as of September 16, 2019):

  • Added Tasks

    • T1925: Maintain the default behavior for anonymous access (OpenShift)
    • T1926: Verify that the default behavior for anonymous access is maintained (OpenShift)
    • T1927: Disable basic-auth-file method (OpenShift)
    • T1928: Verify that the basic-auth-file option has not been configured (OpenShift)
    • T1929: Secure communication between API server and master nodes (OpenShift)
    • T1930: Verify that the connection between API server and master node is secure (OpenShift)
    • T1931: Prevent insecure bindings and insecure port access (OpenShift)
    • T1932: Verify that insecure-bind-address and insecure-port are disabled (OpenShift)
    • T1933: Do not disable 'secure-port' for API server traffic (OpenShift)
    • T1934: Verify that 'secure-port' is not disabled (OpenShift)
    • T1935: Do not expose API server profiling data (OpenShift)
    • T1936: Verify that API server profiling is not exposed (OpenShift)
    • T1937: Set the 'repair-malformed-updates' value to 'true' (OpenShift)
    • T1938: Verify the value of 'repair-malformed-updates' (OpenShift)
    • T1939: Disable 'AlwaysAdmit' admission controller (OpenShift)
    • T1940: Verify that 'AlwaysAdmit' admission controller is disabled (Open Shift)
    • T1941: Disable 'AlwaysPullImages' admission controller if possible (OpenShift)
    • T1942: Verify that 'AlwaysPullImages' admission controller is disabled (OpenShift)
    • T1943: Use Security Context Constraints instead of 'DenyEscalatingExec' and 'SecurityContextDeny' admission controllers (OpenShift)
    • T1944: Verify the user/groups that are bound to 'edit' and 'admin' roles and usage of Security Context Constraints (OpenShift)
    • T1945: Do not disable 'NamespaceLifecycle' admission controller (OpenShift)
    • T1946: Verify that the 'NamespaceLifecycle' plugin is not disabled (OpenShift)
    • T1947: Configure auditing properly on the API server (OpenShift)
    • T1948: Verify that API server auditing is configured properly (OpenShift)
    • T1949: Do not set 'authorization-mode' flag (OpenShift)
    • T1950: Verify that 'authorization-mode' is not set (OpenShift)
    • T1951: Do not use static token files for authentication (OpenShift)
    • T1952: Verify that static token files are not used (OpenShift)
    • T1953: Do not set 'service-account-lookup' and 'service-account-key-file' arguments (OpenShift)
    • T1954: Verify that 'service-account-lookup' and 'service-account-key-file' arguments are not set (OpenShift)
    • T1955: Do not enable 'PodSecurityPolicy' admission control plugin (OpenShift)
    • T1956: Verify that 'PodSecurityPolicy' is disabled (OpenShift)
    • T1957: Do not set 'etcd-certfile', 'etcd-keyfile' or 'etcd-cafile' arguments (OpenShift)
    • T1958: Verify that 'etcd-certfile', 'etcd-keyfile', or 'etcd-cafile' arguments are not set (OpenShift)
    • T1959: Do not disable 'ServiceAccount' admission controller (OpenShift)
    • T1960: Verify that 'ServiceAccount' plugin is not disabled (OpenShift)
    • T1961: Do not disable 'NodeRestriction' admission controller (OpenShift)
    • T1962: Test that the 'NodeRestriction' admission controller is enabled (OpenShift)
    • T1963: Encrypt data at rest in etcd datastore (OpenShift)
    • T1964: Verify data at rest on 'etcd' datastore is encrypted with 'aescbc' encryption provider (OpenShift)
    • T1965: Enable the 'EventRateLimit' plugin (OpenShift)
    • T1966: Verify that the 'EventRateLimit' plugin is enabled (OpenShift)
    • T1967: Adjust the request timeout value (OpenShift)
    • T1968: Verify that request timeout is set to an appropriate value (OpenShift)
    • T1969: Do not expose profiling to the web (OpenShift)
    • T1970: Verify that profiling is not exposed to the web (OpenShift)
    • T1971: Adjust the 'terminated-pod-gc-threshold' argument as needed (OpenShift)
    • T1972: Verify the 'terminated-pod-gc-threshold' value (OpenShift)
    • T1973: Do not disable 'use-service-account-credentials' argument (OpenShift)
    • T1974: Verify that 'use-service-account-credentials' is not disabled (OpenShift)
    • T1975: Do not set 'service-account-private-key-file' argument (OpenShift)
    • T1976: Verify that 'service-account-private-key-file' argument is not set (OpenShift)
    • T1977: Do not set 'serviceAccountConfig.masterCA' argument (OpenShift)
    • T1978: Verify that the '--root-ca-file' argument is not set (OpenShift)
    • T1979: Never give pods more privileges than required (OpenShift)
    • T1980: Verify that Security Context Constraints get applied (OpenShift)
    • T1981: Enable the 'RotateKubeletServerCertificate' feature gate (OpenShift)
    • T1982: Verify that the 'RotateKubeletServerCertificate' feature is enabled (OpenShift)
    • T1983: Set permissions for sensitive files properly (OpenShift)
    • T1984: Verify the permissions for the configuration files (OpenShift)
    • T1985: Secure etcd communication (OpenShift)
    • T1986: Verify that etcd communication is secure (OpenShift)
    • T1987: Follow the principle of least privilege (OpenShift)
    • T1988: Verify that the cluster-admin role is only used where required (OpenShift)
    • T1989: Run pods with the most restrictive Security Context Constraints possible (OpenShift)
    • T1990: Verify Security Context Constraints as in use (OpenShift)
    • T1991: Restrict access to projects only to the required users (OpenShift)
    • T1992: Verify that only required users are assigned to projects (OpenShift)
    • T1993: Create restrictive network segmentation (OpenShift)
    • T1994: Verify the network segmentation (OpenShift)
    • T1995: Enable and configure seccomp (OpenShift)
    • T1996: Verify that Security Context Constraints have been configured with seccomp (OpenShift)
    • T1997: Manage image provenance using ImagePolicy plugin (OpenShift)
    • T1998: Verify image policy configuration (OpenShift)
    • T1999: Implement strong network policies (OpenShift)
    • T2000: Verify network policies (OpenShift)
    • T2001: Limit the use of privileged containers (OpenShift)
    • T2002: Verify the usage of privileged containers (OpenShift)
    • T2003: Do not disable the 'allow-privileged' flag (OpenShift)
    • T2004: Verify that the 'allow-privileged' flag is not disabled (OpenShift)
    • T2005: Enable the 'anonymous-auth' flag (OpenShift)
    • T2006: Verify that the 'anonymous-auth' is not disabled (OpenShift)
    • T2007: Do not set the 'authorization-mode' argument (OpenShift)
    • T2008: Verify that the 'authorization-mode' argument is not set (OpenShift)
    • T2009: Do not change the default value of the 'client-ca-file' argument (OpenShift)
    • T2010: Verify that the 'client-ca-file' argument is not set (OpenShift)
    • T2011: Do not set the 'read-only-port' argument (OpenShift)
    • T2012: Verify that the read-only port is not enabled (OpenShift)
    • T2013: Adjust the value of 'streaming-connection-idle-timeout' argument (OpenShift)
    • T2014: Verify the value of 'streaming-connection-idle-timeout' argument (OpenShift)
    • T2015: Do not set the 'protect-kernel-defaults' argument (OpenShift)
    • T2016: Verify that the 'protect-kernel-defaults' argument is not set (OpenShift)
    • T2017: Do not disable the 'make-iptables-util-changes' flag (OpenShift)
    • T2018: Verify that the 'make-iptables-util-chains' argument is not disabled (OpenShift)
    • T2019: Do not enable the 'keep-terminated-pod-volumes' flag (OpenShift)
    • T2020: Verify that the 'keep-terminated-pod-volumes' is not enabled (OpenShift)
    • T2021: Do not disable the 'hostname-override' flag (OpenShift)
    • T2022: Verify that the 'hostname-override' flag is not disabled (OpenShift)
    • T2023: Set the 'event-qps' argument to 0 (OpenShift)
    • T2024: Verify the value of 'event-qps' argument (OpenShift)
    • T2025: Do not set the 'cert-dir' argument (OpenShift)
    • T2026: Verify the value of 'cert-dir' argument (OpenShift)
    • T2027: Do not enable cAdvisor endpoint (OpenShift)
    • T2028: Verify that cAdvisor endpoint is not enabled (OpenShift)
    • T2029: Do not disable the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' flags (OpenShift)
    • T2030: Verify that the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' are not disabled (OpenShift)
  • Updated Tasks

    • T1053: Enable VM protection features (Microsoft Azure) [Updated text.]
    • T1056: Test that all VMs are updated (Microsoft Azure) [Updated text.]
    • T1057: Enable disk and storage encryption (Microsoft Azure) [Updated text.]
    • T1058: Test that disk and storage encryption is enabled (Microsoft Azure) [Updated text.]
    • T1059: Configure network security groups and firewalls securely (Microsoft Azure) [Updated text.]
    • T1060: Test that network security groups and firewalls are configured securely (Microsoft Azure) [Updated text.]
    • T1061: Enable SQL auditing and threat detection (Microsoft Azure) [Updated text.]
    • T1062: Test that SQL auditing and threat detection are enabled (Microsoft Azure) [Updated text.]
    • T1063: Set up security contacts (Microsoft Azure) [Updated text.]
    • T1064: Test that security contacts are set up (Microsoft Azure) [Updated text.]
    • T1077: Log critical events (Microsoft Azure) [Updated text.]
    • T1074: Verify that logs are kept long enough (Microsoft Azure) [Updated text.]
    • T1078: Verify that critical events are logged (Microsoft Azure) [Updated text.]
    • T1082: Verify that Key Vault is configured securely (Microsoft Azure) [Updated text.]
    • T1087: Select standard pricing tier (Microsoft Azure) [Updated text.]
    • T1368: Perform security testing using SAST tools [Updated the old title "Perform SAST and triage findings" and text to better reflect completion conditions.]
    • T1369: Perform security testing using DAST tools [Updated the old title "Perform DAST and triage findings" and text to better reflect completion conditions.]
    • T1635: Drop connections after 3 unsuccessful login attempts (Oracle Database) [Changed the old title: "Lock out accounts after 3 unsuccessful attempts" and updated the text.]
    • T1636: Verify that connections are dropped after 3 unsuccessful login attempts (Oracle Database) [Changed the old title: "Verify that accounts are locked out after 3 unsuccessful attempts" and updated the text."
    • T1649: Lock out accounts after 5 unsuccessful attempts (Oracle Database) [Updated the text.]
    • T1650: Verify that accounts are locked out after 5 unsuccessful attempts (Oracle Database) [Updated the text.]
    • T1893: Perform a cloud solution security posture assessment [Updated text to better reflect completion conditions.]
    • T1915: Perform network vulnerability assessment [Updated the old title "Perform network vulnerability assessment and triage findings" and text to better reflect completion conditions.]
    • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software [Updated title text to better reflect completion conditions.]
  • Added Problems

    • P1440: Changing default behavior for anonymous access (OpenShift)
    • P1441: Using static passwords (OpenShift)
    • P1442: Unsecure connection between API server and node/kubelet (OpenShift)
    • P1443: Insecure binding or port access for API server (OpenShift)
    • P1444: Disabled 'secure-port' flag (OpenShift)
    • P1445: Exposed API server profiling data (OpenShift)
    • P1446: API incompatibility across versions (OpenShift)
    • P1447: Active 'AlwaysAdmit' admission controller (OpenShift)
    • P1448: Active 'AlwaysPullImages' admission controller (OpenShift)
    • P1449: Using 'DenyEscalatingExec' or 'SecurityContextDeny' admission controllers (OpenShift)
    • P1450: Disabled 'NamespaceLifecycle' admission controller (OpenShift)
    • P1451: Lack of proper auditing or retention of audit logs for API server (OpenShift)
    • P1452: Using 'authorization-mode' flag (OpenShift)
    • P1453: Using static token files (OpenShift)
    • P1454: Using 'service-account-lookup' or 'service-account-key-file' arguments (OpenShift)
    • P1455: Enabling 'PodSecurityPolicy' and 'SecurityContextConstraints' at the same time (OpenShift)
    • P1456: Unsecure communication to 'etcd' (OpenShift)
    • P1457: Inactive 'ServiceAccount' admission controller (OpenShift)
    • P1458: Disabled 'NodeRestriction' admission plugin (OpenShift)
    • P1459: Unencrypted data on 'etcd' (OpenShift)
    • P1460: No rate limit for requests to API server (OpenShift)
    • P1461: Inappropriate request timeout value (OpenShift)
    • P1462: Exposing profiling to the web (OpenShift)
    • P1463: Inappropriate 'terminated-pod-gc-threshold' value (OpenShift)
    • P1464: Disabling 'use-service-account-credentials argument' argument (OpenShift)
    • P1465: Changing the default 'service-account-private-key-file' (OpenShift)
    • P1466: Changing the default 'root-ca-file' (OpenShift)
    • P1467: Giving unnecessary privileges to the pods (OpenShift)
    • P1468: Lack of certificate rotation (OpenShift)
    • P1469: Improper permissions for sensitive files (OpenShift)
    • P1470: Unsecure etcd communication (OpenShift)
    • P1471: Granting excessive permissions (OpenShift)
    • P1472: Loose access constraints for pods (OpenShift)
    • P1473: Excessive access to projects (OpenShift)
    • P1474: Lack of restrictive network segmentation (OpenShift)
    • P1475: Running containers with unconfined seccomp settings (OpenShift)
    • P1476: Lack of control on images run in a cluster (OpenShift)
    • P1477: Lack of network access control (OpenShift)
    • P1478: Using privileged containers (OpenShift)
    • P1479: Disabling the 'allow-privileged' flag (OpenShift)
    • P1480: Disabling the 'anonymous-auth' flag (OpenShift)
    • P1481: Setting the 'authorization-mode' argument (OpenShift)
    • P1482: Improper configuration of the 'client-ca-file' argument (OpenShift)
    • P1483: Enabling read-only port (OpenShift)
    • P1484: Improper value for the 'streaming-connection-idle-timeout' argument (OpenShift)
    • P1485: Setting the 'protect-kernel-defaults' argument (OpenShift)
    • P1486: Disabling the 'make-iptables-util-chains' flag (OpenShift)
    • P1487: Enabling the 'keep-terminated-pod-volumes' flag (OpenShift)
    • P1488: Disabling the 'hostname-override' flag (OpenShift)
    • P1489: Non-zero value for the 'event-qps' argument (OpenShift)
    • P1490: Improper value for the 'cert-dir' argument (OpenShift)
    • P1491: Enabling cAdvisor endpoint (OpenShift)
    • P1492: Disabling the 'RotateKubeletClientCertificate' and 'RotateKubeletServerCertificate' flags (OpenShift)
  • Updated Problems

    • P1169: Server Side Request Forgery (SSRF) [Corrected text errors.]
    • P1306: Unlimited number of login attempts during a connection (Oracle Database) [Changed the old title: "Unlimited number of login attempts can lead to brute-force attack".]
    • P1313: Unlimited failed login attempts by a user (Oracle Database) [Changed the old title: "Repeated failed login attempts" and updated the text.]
  • Added HowTo's

    • I1307: Using Correct Cryptographic Algorithms and Parameters in Java
    • I1308: OpenShift: How to see the cert and key used by the API server to sign service account tokens
    • I1309: OpenShift: How to remove insecure-bind-address and insecure-port
    • I1310: OpenShift: How to make sure 'secure-port' is not disabled
    • I1311: OpenShift: How to disable profiling data exposure
    • I1312: OpenShift: How to modify 'repair-malformed-updates' value for API compatibility
    • I1313: OpenShift: How to disable 'AlwaysAdmit' admission controller
    • I1314: OpenShift: How to enable 'AlwaysPullImages' plugin
    • I1315: OpenShift: How to restrict usage of 'edit' and 'admin' roles
    • I1316: OpenShift: How to make sure 'NamespaceLifecycle' plugin is not disabled
    • I1317: OpenShift: How to make sure 'authorization-mode' is not set
    • I1318: OpenShift: How to make sure static token files are not used
    • I1319: OpenShift: How to see public/private keys used by the API server to sign service account tokens
    • I1320: OpenShift: How to disable the 'PodSecurityPolicy' admission control plugin
    • I1321: OpenShift: How to see the cert and key used by the API server for etcd communication
    • I1322: OpenShift: How to enable 'ServiceAccount' admission controller
    • I1323: OpenShift: How to change the 'request-timeout' value
    • I1324: OpenShift: How to make sure profiling is not exposed to the web
    • I1325: OpenShift: How to make sure 'use-service-account-credentials' is not disabled
    • I1326: OpenShift: How to make sure 'service-account-private-key-file' argument is not set
    • I1327: OpenShift: How to make sure 'root-ca-file' argument is not set
    • I1328: OpenShift: How to rotate certificates
    • I1329: OpenShift: How to set the permissions for the configuration files
    • I1330: OpenShift: How to configure imagePolicy plugin
    • I1331: OpenShift: How to make sure the 'client-ca-file' argument is not set
    • I1332: OpenShift: How to set the 'streaming-connection-timeout' value
  • Updated HowTo's

    • I1: Java with Jasypt [Change of text, Content was reviewed and updated.]
    • I2: Java with Jasypt and Bouncy Castle [Change of text, Content was reviewed and updated.]
    • I3: Java [Change of text, Content was reviewed and updated.]
    • I4: Java with Jasypt [Change of text, Content was reviewed and updated.]
    • I5: Centralize authorization using AccessController interface of ESAPI [Change of text, Content was reviewed and updated.]
    • I6: Authorize every page using ESAPI AccessController interface [Change of text, Content was reviewed and updated.]
    • I8: Java EE with ESAPI: Invalidate old session ID [Change of text, Content was reviewed and updated.]
    • I9: Java EE [Change of text, Content was reviewed and updated.]
    • I11: Java EE with Tomcat [Change of text, Content was reviewed and updated.]
    • I12: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
    • I14: Java EE , Servlet Spec 3+ [Change of text, Content was reviewed and updated.]
    • I15: SiteMinder 6 [Change of text, Content was reviewed and updated.]
    • I17: Java EE with Tomcat 6.0+ [Change of text, Content was reviewed and updated.]
    • I18: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
    • I19: Java EE with WebSphere 6.1+ [Change of text, Content was reviewed and updated.]
    • I20: Java EE [Change of text, Content was reviewed and updated.]
    • I21: SiteMinder 6 [Change of text, Content was reviewed and updated.]
    • I28: Java EE, Servlet Spec 3.x [Change of text, Content was reviewed and updated.]
    • I30: Java EE [Change of text, Content was reviewed and updated.]
    • I32: Java [Change of text, Content was reviewed and updated.]
    • I33: Java EE with ESAPI: Perform input validation on all forms of input [Change of text, Content was reviewed and updated.]
    • I38: Java EE with JSF [Change of text, Content was reviewed and updated.]
    • I41: Java EE with WebLogic 9.2 [Change of text, Content was reviewed and updated.]
    • I42: Java EE with WebSphere 6.1+ [Change of text, Content was reviewed and updated.]
    • I44: Java EE with ESAPI: Escape untrusted data [Change of text, Content was reviewed and updated.]
    • I46: Java EE with JSF and Facelets [Change of text, Content was reviewed and updated.]
    • I51: Java with JDBC Prepared Statements [Change of text, Content was reviewed and updated.]
    • I53: Java EE with Java Persistence Architecture (JPA) [Change of text, Content was reviewed and updated.]
    • I54: Java EE with ESAPI: Disallow carriage returns in HTTP response headers [Change of text, Content was reviewed and updated.]
    • I55: Java with ESAPI: Use XML encoding [Change of text, Content was reviewed and updated.]
    • I56: Java EE with JAXB [Change of text, Content was reviewed and updated.]
    • I57: Java EE with ESAPI: Use Lightweight Directory Access Protocol (LDAP) encoding [Change of text, Content was reviewed and updated.]
    • I59: Java with ESAPI: Avoid unsafe operating system interaction [Change of text, Content was reviewed and updated.]
    • I60: Java EE [Change of text, Content was reviewed and updated.]
    • I63: Java EE with AppSensor [Change of text, Content was reviewed and updated.]
    • I68: Java with ESAPI and Jasypt: Use standard libraries for encryption [Change of text, Content was reviewed and updated.]
    • I69: Java EE with Jasypt, Bouncy Castle, and Spring IOC [Change of text, Content was reviewed and updated.]
    • I271: Java [Change of text, Content was reviewed and updated.]
    • I366: Java [Change of text, Content was reviewed and updated.]
    • I381: Bouncy Castle [Change of text, Content was reviewed and updated.]
    • I420: Java or Android Keystore [Change of text, Content was reviewed and updated.]
    • I507: Java Object Serialization [Change of text, Content was reviewed and updated.]
    • I509: Storing cryptographic keys and data [Change of text, Content was reviewed and updated.]
    • I1004: Enable encrypted connection to database engine [Updated the text.]
  • Updated T186, w/ latest security patch level for third-party libraries

    • Django
    • Spring Framework
    • Apache Tomcat
    • GnuTLS
    • OpenSSL
    • Apache HTTP Server
    • Apache Wicket
    • Java
    • Bouncy Castle
    • Node.js
    • AngularJS/Angular
    • Docker
  • Changes to Project Properties and Profiles

    • Updated "A754: Provides web services or external APIs" [Updated tooltip description.]
    • Added "A1245: OpenShift" under "Q308: Containerization Technologies"
    • Added "A1236: Cloud IAM" under "Q309: Google Cloud Services"
    • Added "A1237: Compute Engine" under "Q309: Google Cloud Services"
    • Added "A1238: Cloud Key Management Service" under "Q309: Google Cloud Services"
    • Added "A1239: Virtual Private Cloud (VPC)" under "Q309: Google Cloud Services"
    • Added "A1240: Cloud Storage" under "Q309: Google Cloud Services"
    • Added "A1241: Cloud Audit Logs" under "Q309: Google Cloud Services"
    • Added "A1242: Cloud DNS" under "Q309: Google Cloud Services"
    • Added "A1243: Cloud SQL" under "Q309: Google Cloud Services"
    • Added "A1244: Stackdriver" under "Q309: Google Cloud Services"

5.0

Introducing SD Elements V5!

This release is dedicated to Mark Rathwell. Thank you for your friendship and passion.

  • Anticipated release dates:
    • Early Access Server: August 5th, 2019
    • General Availability: August 19th, 2019

New features and improvements:

  • V5 presents a set of major enhancements to the SD Elements platform and its content in support of Continuous Compliance.

  • Automated Project Classification:

    • You can now better manage projects by classifying them by their potential risk.
    • This feature can be enabled or disabled by the organization admin. It is disabled by default.
    • Once enabled, projects may be automatically assigned a risk classification and a default Risk Policy based on the answers of the Project Survey.
    • Project Classifications are reflected after completing the Project Survey, in the Activity Log, and in Global Reports. Please see the user guide for more information.
    • Risk Policies may be configured after completing the Project Survey.
    • Project Classifications require one answer and one Risk Policy. Deleting a custom answer from the Project Survey will remove it from Project Classifications. If that was the only answer assigned to the Classification, the Classification cannot be saved until a replacement is provided.
  • Enhancements to Verification Integrations:

    • Analysis integration categories are now displayed on the integration forms such as Veracode (SAST, DAST).
    • Added support for the following new verification integrations:
      • Sonarqube
      • OWASP Dependency Check
      • Tenable Nessus (CIS AWS Benchmarks Compliance)
  • Process Controls for the Software Security Lifecycle:

    • Process controls enhance the coverage of SD Elements beyond software development to cover the entire security lifecycle of your software, including operations and maintenance of software being developed or purchased.
    • Process controls are mapped to popular security frameworks such as NIST 800-53 and PCI-SSLC.
    • This new set of content is disabled by default. Please contact your Customer Success representative to enable it.
    • Process controls are added in a new phase called “Activities”.
    • These new tasks take advantage of our classification system to decide on the applicability of various process activities.
    • For more details, please refer to the content additions and updates below.
  • Process Task Automation Beta (PTA):

    • The Beta version of PTA is available to customers that have activated Process Controls for the Software Security Lifecycle.
    • A new event-action framework supports automatically transitioning certain SD Elements process tasks to ‘Complete’.
      • This is based on the occurrence of triggering events within SD Elements with certain predefined criteria.
      • For instance, marking the process task T1368 complete when a SAST code scanner is run and the results are imported into SD Elements with zero high and zero critical findings.
      • Or reopen a process task previously marked complete (such as T1368), if a SAST scan has not been run and results are imported into SDE within a predefined time threshold.
    • The following process tasks are automatically marked ‘Complete’ when scan results are returned with zero high and zero critical vulnerabilities for the respective category:
      • T1368: Perform security testing using SAST tools
      • T1369: Perform security testing using DAST tools
      • T1893: Perform a cloud solution security posture assessment
      • T1915: Perform network vulnerability assessment
      • T1921: Avoid obtaining code (source or mobile) from untrusted sources such as public Internet
    • The beta version of PTA supports the following verification tools:
      • Microfocus Fortify SSC
      • Microfocus WebInspect
      • IBM Appscan Standard
      • IBM Appscan Source
      • Sonarqube
      • OWASP Dependency Check
      • Checkmarx
      • Veracode
      • Nessus
    • Support for additional events and actions will be added in future releases.
  • Deprecations:

    • The super-user only ‘Export Logs’ feature has been removed. To retrieve log files, refer to the SSH method here: https://docs.sdelements.com/release/latest/sysadmin/docs/ongoing_tasks.html#_examine_logs
    • SD Elements no longer supports legacy AppScan Standard files (9.0.3.0 and earlier).
    • Fortify no longer supports XML file uploads. (It continues to support FVDL and FPR.)
    • Thoughtworks Mingle support in SD Elements will be deprecated on July 31st, 2019, and it may cease to function on or after that date. Mingle support will be removed in a future version of SD Elements.
  • Bug Fixes

    • Fixed a bug where LDAP sync table’s status did not change to ‘In progress’ when a sync was in progress.
    • Task verification notes created by a verification sync will now include the report reference if available.
    • Fixed a bug where the Global Reports ‘Last Modified’ column was only updated when the report was created.

Content additions and updates (as of July 23, 2019):

  • Updated Tasks

    • T29: Use anti-Cross-Site Request Forgery (CSRF) tokens (Change of text, a note was added on generating one token per session independent of session id)
    • T87: Verify that all data in transit is encrypted using a secure TLS channel (Change of text and title. Merged with content from T254)
    • T422: Verify that built-in sanitization is used in Angular with limited code or markup (Change of title and text. Added test section for Angular as well)
    • T496: Protect sensitive data on forward and back (reverse) RFID channels (Change of title from encrypt to protect)
    • T797: Make all RDS Databases private and ensure RDS instances are inside a VPC (AWS) [Change of title and text, emphasis on VPC instance and use of EC2-VPC]
    • T830: Test that RDS Databases are not publicly accessible and are defined in a VPC (AWS) [Change of title and text, emphasis on VPC instance and verifying VPC assignment for RDS]
    • T1164: Secure swarm mode (Docker) [Updated text and rules]
    • T1165: Verify that swarm mode is secured (Docker) [Updated text and rules)
    • T1873: Prevent information leakage through HTTP response headers (Change of text)
  • Added Tasks

    • T1887: Decide on the right OAuth 2.0 flow for your application
    • T1888: Decide on the right OpenID Connect flow for your application
    • T1889: Secure the configuration of the authorization server
    • T1890: Implement OAuth 2.0 securely on the resource server
    • T1897: Encrypt SQS queue messages (AWS)
    • T1898: Verify that SQS queue messages are encrypted (AWS)
    • T1899: Do not allow unauthorized access to SQS queues (AWS)
    • T1900: Verify that SQS queues are only accessible from trusted AWS accounts (AWS)
    • T1901: Attach IAM policies to SQS resources (AWS)
    • T1902: Verify that SQS queues have IAM Policies attached (AWS)
    • T1903: Enforce Network ACLs for RDS (AWS)
    • T1904: Encrypt data stored in RDS at rest (AWS)
    • T1905: Verify whether data at rest in RDS is encrypted (AWS)
    • T1906: Enforce authentication on your relational database services (AWS)
    • T1907: Verify whether IAM authentication is enabled for RDS databases (AWS)
    • T1909: Change the RDS default master username (AWS)
    • T1910: Verify whether the default master username is changed (AWS)
    • T1911: Attach IAM policies to RDS resources (AWS)
    • T1912: Verify that RDS databases have IAM policies attached (AWS)
    • T1919: Use JSON Web Token (JWT) securely
    • T1922: Integrate OAuth 2.0 and OpenID Connect where appropriate
    • T1923: Disable swarm mode if not needed
    • T1924: Verify that swarm mode is disabled
  • Deactivated Tasks

    • T495: Send sensitive data in cover-coded mode on forward channel (Deactivated. Merged with T496: Protect sensitive data on forward and back (reverse) RFID channels)
    • T254: Test that TLS/SSL communication is protected (Deactivated. Merged with T87: Verify that all data in transit is encrypted using a secure TLS channel)
  • Added Additional Requirements

    • TA1007: Restricting the user
    • TA1008: Restricting the client
    • TA1009: Restricting the scope
    • TA1010: Testing Security Group requirements for RDS (AWS)
    • TA1011: Configuring Security Groups for RDS (AWS)
    • TA1012: Use database engine authentication (AWS)
    • TA1013: Purpose of each OAuth 2.0 flow
    • TA1014: Using scopes as permissions
    • TA1015: Understanding the Authorization Code Grant flow with PKCE
    • TA1016: Understanding the Client Credentials flow
    • TA1017: Proof-of-possession tokens
    • TA1018: Securing client registration
    • TA1019: Understanding the OIDC Authorization Code flow with PKCE
    • TA1020: Understanding the OIDC Hybrid flow
    • TA1023: The purpose of OAuth 2.0
    • TA1021: Understanding the OIDC Implicit flow
    • TA1022: Context information on OAuth 2.0 and OIDC
    • TA1024: The purpose of OpenID Connect
    • TA1025: Ensure RDS snapshots are not public (AWS)
    • TA1026: Verify that RDS snapshots are not publicly accessible (AWS)
  • Updated Problems

    • P1074: Unlocked swarm (Docker) [Updated rules.]
    • P1102: Failing to manage secrets in Docker Swarm (Docker) [Updated rules.]
  • Added Problems

    • P1431: Insecure use of JSON Web Token (JWT)
  • Updated HowTo’s

    • I927: Docker: How to secure swarm mode (Updated text.)
  • Added HowTo’s

    • I1293: Handling user involvement in OIDC
    • I1294: Implementing the Authorization Code Grant flow with PKCE
    • I1295: Session Management with OIDC
    • I1297: Handling the Identity Token for User Authentication
    • I1299: Validating reference tokens
    • I1300: Validating self-contained tokens
    • I1302: How to enforce ACL for RDS (AWS)
    • I1303: Implementing the Client Credentials flow
    • I1304: Augmenting OAuth 2.0 flows with OIDC properties
    • I1305: Docker: How to disable swarm mode
  • Updated T186, w/ latest security patch level for third-party libraries

    • Rails
    • Django
    • Spring Framework
    • Apache Tomcat
    • Java
    • AFNetworking Library
    • Node.js
    • Docker
  • Changes to Project Properties and Profiles

    • Deactivated "Q125: Authentication Backend" (This question has been disabled and all of its answers have been moved under "Q121: Authentication Method")
    • Updated "A8: Stand-alone application" (Changed the description to suggest using this application type for some categories of libraries and SDKs)
    • Updated "A21: Passwords stored in configuration files" (Updated matching conditions to make this applicable to all types of applications)
    • Updated "A27: Uses encryption functions (not including SSL)" (Updated matching conditions to make this applicable to all types of applications)
    • Updated "A39: Has file upload or file transfer functions" (Relaxed the matching conditions/applicability criteria)
    • Updated "A54: Uses SSO or federated authentication" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
    • Updated "A55: Uses LDAP repository" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
    • Updated "A167: Uses database authentication" (Moved under "Q121: Authentication Method" and removed generic server application from its machine conditions)
    • Updated "A194: Rich client" (Changed the description to suggest using this application type for some categories of libraries and SDKs)
    • Updated "A697: Django" (Added "Generic Web Application" to the matching conditions/applicability criteria)
    • Deactivated "A756: Authentication is handled through a different system" (Combined with "A758: Has direct or third party authentication for end users, devices or nodes")
    • Updated "A758: Has direct or third party authentication for end users, devices or nodes" (Updated text)
    • Updated "A1122: Requires non-repudiation" (Removed ‘Requires security logging’ from the matching conditions/applicability criteria)
    • Added "A1227: SQS" under "Q298: AWS Services"
    • Added "A1235: Swarm" under "Q308: Containerization Technologies"

We also added Oracle database content based on CIS Oracle Database 12c benchmark:

  • Added Tasks

    • T1476: Use secure channels for remote administration (Oracle Database)
    • T1477: Verify that secure channels are used for remote administration (Oracle Database)
    • T1478: Remove 'extproc' from 'listener.ora' (Oracle Database)
    • T1479: Verify that external procedures are not enabled (Oracle Database)
    • T1480: Block unauthorized users from making changes to 'listener.ora' (Oracle Database)
    • T1481: Verify that unauthorized users are not able to make alterations to remote data/service settings (Oracle Database)
    • T1482: Use encrypted channels for remote connections (Oracle Database)
    • T1483: Verify remote connections are established through encrypted channels (Oracle Database)
    • T1613: Use latest versions and patches (Oracle Database)
    • T1614: Verify that latest versions and patches are used (Oracle Database)
    • T1615: Keep passwords secure (Oracle Database)
    • T1616: Verify that all default passwords are changed (Oracle Database)
    • T1617: Remove all sample data and sample schemas (Oracle Database)
    • T1618: Verify that sample schemas are removed from the production environment (Oracle Database)
    • T1619: Keep audit parameters enabled at all times (Oracle Database)
    • T1620: Verify that audit parameters are enabled (Oracle Database)
    • T1621: Only allow authorized domains to connect with database (Oracle Database)
    • T1622: Verify that name of database link matches the remote database (Oracle Database)
    • T1623: Block all unauthorized access to data structures (Oracle Database)
    • T1624: Verify that the value of Dictionary_Accessibility is set to False (Oracle Database)
    • T1625: Do not allow OS external groups to connect with database (Oracle Database)
    • T1626: Verify that external groups are not able to connect with database (Oracle Database)
    • T1627: Disable remote listener setting (Oracle Database)
    • T1628: Verify that remote listener setting is empty (Oracle Database)
    • T1629: Do not share login password file between databases (Oracle Database)
    • T1630: Verify that remote login password file is not shared between the databases (Oracle Database)
    • T1631: OS 'roles' with attendant privileges should be incapable of remote client connections (Oracle Database)
    • T1632: Verify that OS 'roles' are incapable of remote client connections (Oracle Database)
    • T1633: Leave the utl_file_dir setting value empty (Oracle Database)
    • T1634: Verify that utl_file_dir setting value is empty (Oracle Database)
    • T1635: Lock out accounts after 3 unsuccessful attempts (Oracle Database)
    • T1636: Verify that accounts are locked out after 3 unsuccessful attempts (Oracle Database)
    • T1637: Drop a connection after 3 bad packets from the client (Oracle Database)
    • T1638: Verify that system drops a connection after 3 bad packets from the client (Oracle Database)
    • T1639: Maintain server logs for bad packets received from the client (Oracle Database)
    • T1640: Verify that system maintains server logs for bad packets received from the client (Oracle Database)
    • T1641: Do not allow database to return current patch/update information (Oracle Database)
    • T1642: Verify that database is not disclosing the current patch/update information (Oracle Database)
    • T1643: User must have SELECT object privilege (Oracle Database)
    • T1644: Verify that user has been granted SELECT object privilege (Oracle Database)
    • T1645: Restrict trace file access by making it unreadable (Oracle Database)
    • T1646: Verify that system's trace file is unreadable (Oracle Database)
    • T1647: Enforce resource limit in any database profile (Oracle Database)
    • T1648: Verify that resource limit has been enforced in database profile (Oracle Database)
    • T1649: Lock out accounts after 5 unsuccessful attempts (Oracle Database)
    • T1650: Verify that accounts are locked out after 5 unsuccessful attempts (Oracle Database)
    • T1651: Accounts must be unlocked automatically after a period of time (Oracle Database)
    • T1652: Verify that locked account is unlocked automatically after 1 day (Oracle Database)
    • T1653: Do not allow remote OS authentication of the user (Oracle Database)
    • T1654: Verify that users cannot be authenticated by remote OS for full authorization to database (Oracle Database)
    • T1655: Limit the number of sessions per user (Oracle Database)
    • T1656: Verify that maximum number of sessions per user is less than or equal to 10 (Oracle Database)
    • T1657: Do not assign default profile to any user (Oracle Database)
    • T1658: Verify that default profile has not been assigned to any user (Oracle Database)
    • T1659: Revoke excessive system privileges from unauthorized users (Oracle Database)
    • T1660: Verify that excessive system privileges have been revoked from unauthorized users (Oracle Database)
    • T1661: Proxy users should only have connect privileges (Oracle Database)
    • T1662: Verify the access privileges for proxy users (Oracle Database)
    • T1663: Remove 'EXECUTE ANY PROCEDURE' from OUTLN and DBSNMP users (Oracle Database)
    • T1664: Verify that 'EXECUTE ANY PROCEDURE' is revoked (Oracle Database)
    • T1665: Revoke default public execute privileges from powerful packages and object types (Oracle Database)
    • T1666: Verify that default public execute privileges from powerful packages and object types have been revoked (Oracle Database)
    • T1667: Revoke non-default public execute privileges from powerful packages and object types (Oracle Database)
    • T1668: Verify that non-default public execute privileges from powerful packages and object types have been revoked (Oracle Database)
    • T1669: Revoke powerful roles where they are not likely needed (Oracle Database)
    • T1670: Verify that powerful roles have been revoked from where they are not likely needed (Oracle Database)
    • T1671: Revoke excessive tables and view privileges (Oracle Database)
    • T1672: Verify that excessive tables and view privileges have been revoked for unauthorized users (Oracle Database)
    • T1673: All traditional audit options must be enabled at all times (Oracle Database)
    • T1674: Verify that all traditional audit options are enabled at all times (Oracle Database)
    • T1733: Enable all unified audit options (Oracle Database)
    • T1734: Verify that all unified audit options are enabled (Oracle Database)
  • Added Problems

    • P1230: Unencrypted remote connections can result in sniffing of the control configuration (Oracle Database)
    • P1231: Database can run procedures from OS libraries (Oracle Database)
    • P1232: Nonprivileged users can compromise data confidentiality (Oracle Database)
    • P1233: Unauthorized users can sniff unencrypted remote channels (Oracle Database)
    • P1295: Using an outdated version of the database (Oracle Database)
    • P1296: Attackers can gain access if default passwords are not changed (Oracle Database)
    • P1297: Sample schemas can launch exploits in production database (Oracle Database)
    • P1298: Not monitoring user activities (Oracle Database)
    • P1299: Unauthorized domain sources connecting to the database (Oracle Database)
    • P1300: Unauthorized access to critical data structures (Oracle Database)
    • P1301: External groups can cause privilege overlaps (Oracle Database)
    • P1302: Remote listener setting can lead to connection spoofing (Oracle Database)
    • P1303: Remote login password file could permit unsecured privileged connections (Oracle Database)
    • P1304: OS roles can cause connection spoofing and privilege overlaps (Oracle Database)
    • P1305: utl_file_dir can impact the integrity of files (Oracle Database)
    • P1306: Unlimited number of login attempts can lead to brute-force attack (Oracle Database)
    • P1307: Receiving bad packets could result in a denial-of-service condition (Oracle Database)
    • P1308: Receiving bad packets can indicate packet-based attack (Oracle Database)
    • P1309: Disclosing release/patch numbers can reveal known weaknesses to unauthorized users (Oracle Database)
    • P1310: Inadvertent information disclosure (Oracle Database)
    • P1311: Disclosure of sensitive information about instance operations (Oracle Database)
    • P1312: Performance impact due to resource limit (Oracle Database)
    • P1313: Repeated failed login attempts (Oracle Database)
    • P1314: Administrative overhead due to account lockout (Oracle Database)
    • P1315: Remote OS authentication of a user can grant full access to database (Oracle Database)
    • P1316: Allowing multiple sessions per user can lead to memory resource consumption or denial-of-service attack (Oracle Database)
    • P1317: Default profile settings can lead to privileged access (Oracle Database)
    • P1318: Unauthorized users with excessive privileges can impact confidentiality and integrity of data (Oracle Database)
    • P1319: Not monitoring access of proxy users (Oracle Database)
    • P1320: Granting excessive privileges (Oracle Database)
    • P1321: Unauthorized users can impact confidentiality and integrity of database (Oracle Database)
    • P1322: Excessive privileges can lead to unauthorized actions in the database (Oracle Database)
    • P1323: Powerful roles can be configured to perform unauthorized actions in the database (Oracle Database)
    • P1324: Unauthorized users can attack the confidentiality and integrity of database tables (Oracle Database)
    • P1325: Not logging the pattern of unauthorized activities (Oracle Database)
    • P1355: Not monitoring the activities of malicious users (Oracle Database)
  • Added HowTo's

    • I1082: Oracle Database: How to use secure channels for remote administration
    • I1083: Oracle Database: How to remove 'extproc' from 'listener.ora'
    • I1084: Oracle Database: How to block unauthorized users from making alterations
    • I1085: Oracle Database: How to encrypt remote connections
    • I1154: Oracle Database: How to apply latest and critical patches
    • I1155: Oracle Database: How to change default passwords
    • I1156: Oracle Database: How to remove sample schemas
    • I1157: Oracle Database: How to enable audit parameters
    • I1158: Oracle Database: How to enable remote database settings
    • I1159: Oracle Database: How to block unauthorized access to data structures
    • I1160: Oracle Database: How to disable OS external groups settings for database management
    • I1161: Oracle Database: How to make the remote listener setting empty
    • I1162: Oracle Database: How to remove remote login password files between databases
    • I1163: Oracle Database: How to disable remote client connections for OS 'roles'
    • I1164: Oracle Database: How to make the utl_file_dir setting value empty
    • I1165: Oracle Database: How to lock out an account after 3 unsuccessful attempts
    • I1166: Oracle Database: How to drop a connection after receiving 3 bad packets from the client
    • I1167: Oracle Database: How to log the response level for bad/malformed packets from the client
    • I1168: Oracle Database: How to modify database settings so that current patch/update information is not disclosed
    • I1169: Oracle Database: How to modify SELECT object privilege
    • I1170: Oracle Database: How to make the system trace file unreadable
    • I1171: Oracle Database: How to enforce resource limits in any database profile
    • I1172: Oracle Database: How to set failed login attempt limit
    • I1173: Oracle Database: How to set password lock time
    • I1174: Oracle Database: How to remove remote OS authentication of a user
    • I1175: Oracle Database: How to limit the number of sessions per user
    • I1176: Oracle Database: How to assign function-appropriate profile to a user
    • I1177: Oracle Database: How to revoke excessive system privileges from unauthorized users
    • I1178: Oracle Database: How to modify the access privileges for proxy users
    • I1179: Oracle Database: How to revoke excessive privileges
    • I1180: Oracle Database: How to revoke default public execute privileges from powerful packages and object types
    • I1181: Oracle Database: How to revoke non-default public execute privileges from powerful packages and object types
    • I1182: Oracle Database: How to revoke powerful roles
    • I1183: Oracle Database: How to revoke excessive tables and view privileges for unauthorized users
    • I1184: Oracle Database: How to enable all audit options
    • I1214: Oracle Database: How to enable all unified audit options

Continuous Compliance content:

We have added 33 tasks for continuous compliance processes that are disabled by default. Once you upgrade to 5.0, please contact your Customer Success representative for more information.

  • Added Tasks:

    • T1366: Identify applicable compliance regulations
    • T1367: Identify and classify critical assets
    • T1368: Perform security testing using SAST tools
    • T1369: Perform security testing using DAST tools
    • T1370: Identify and track common software weaknesses and threats
    • T1371: Use a software security management solution to select and track security controls
    • T1372: Follow software change management process
    • T1373: Maintain the integrity of all software code
    • T1374: Ensure the integrity of software release and update delivery
    • T1375: Properly collect and protect sensitive data
    • T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
    • T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
    • T1378: Release a change summary for each software update
    • T1380: Enforce secure user registration and access control
    • T1381: Establish secure processes for key management
    • T1382: Manage performance and capacity
    • T1383: Separate development, test, and operational environments
    • T1384: Back up and restore securely
    • T1385: Institute secure logging and event monitoring
    • T1386: Regulate the use of electronic messaging
    • T1387: Ensure the security of products acquired through the supply chain and contractors
    • T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
    • T1389: Perform penetration testing
    • T1891: Perform Privacy Impact Assessment (PIA)
    • T1892: Perform a Threat and Risk Assessment (TRA)
    • T1893: Perform a cloud solution security posture assessment
    • T1894: Perform a vendor security assessment
    • T1895: Protect applications with Intrusion Detection / Protection System (IDS/IPS)
    • T1915: Perform network vulnerability assessment
    • T1917: Perform container security assessment
    • T1918: Integrate with SSO
    • T1920: Conduct security architecture and design reviews before starting code development
    • T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
  • Added Additional Requirements

    • TA993: PCI-DSS Requirements
  • Added Problems

    • P1170: Lack of a secure process for outsourcing
    • P1171: Lack of a process for identifying applicable compliance regulation
    • P1172: Lack of a process for identifying critical assets
    • P1173: Lack of a process for dynamic application testing
    • P1174: Lack of software change management process
    • P1175: Insufficient software code control
    • P1177: Lack of a process for creating summary of changes upon each software update
    • P1178: Lack of a process for ensuring the integrity of software release and update
    • P1179: A secure backup and restore processes are missing or lacking
    • P1180: Lack of process for collecting and protecting sensitive data
    • P1181: Lack of guidance on secure installation, maintenance and configuration of all software components
    • P1182: Lack of a communication channel for reporting security issues
    • P1183: No secure processes for logging and monitoring events
    • P1184: Lack of a secure process for penetration testing
    • P1185: Lack of process for user registration and enforcement of access control
    • P1186: Lack of a process for static application security testing (SAST)
    • P1187: Lack of a process for identifying and assessing software threats
    • P1188: Lack of software security management solution to track security controls
    • P1190: Lack of process for performance and capacity management
    • P1191: Deploying software in production on the same environment as development and testing
    • P1225: Unmanaged test result findings
    • P1226: Lack of a process for regulating the use of electronic messaging
    • P1429: Applications not protected with Intrusion Detection / Protection System (IDS/IPS)
    • P1432: Lack of security architecture and design activities
    • P1433: Lack of third-party software code or dependencies management
    • P1434: Lack of secure key management process
    • P1435: Lack of Privacy Impact Assessment (PIA)
    • P1436: Lack of cloud solution security posture assessment
    • P1437: Lack of vendor security assessment
    • P1438: Lack of network vulnerability assessment
    • P1439: Lack of container security assessment
  • Added HowTo's

    • I1044: Oracle
    • I1045: Microsoft SQL Server

results matching ""

    No results matching ""