= Functionality development complete and ready for release

= Functionality development incomplete, but on the short-term roadmap


FUTURE RELEASES (Last Updated 5/21/2020):


Q2 2020 Release Target (June?)

  • Import-Export: Support for mapping of custom fields
  • Notification: Ability to send automated notifications for document reviews
  • Development of Organization Hierarchy Extra
  • Ability to attach files to policy and control exceptions
  • New permissions under Risk Management for creating, deleting, and managing projects
  • New permissions under Compliance for defining tests and initiating and managing audits
  • Ability to save the column filter selections in the Dynamic Risk Report
  • Fixed a bug with sorting by Subject in the Dynamic Risk Report
  • Fixed a bug where the "Define Tests" page under Compliance would refresh after a new test had been added
  • Added a report under Configuration -> User Management to track users and all of the responsibilities they are associated with.
  • Added a report under Configuration -> User Management to track users and all of the roles they are associated with.
  • Updated the Risks and Controls report to sort by the inherent risk score for the "Risks by Control" view.
  • Added the ability to select a "Document Owner" from the Document Program menu under Governance
  • Added an "Additional Stakeholders" user multi-select dropdown in the Document Program menu under Governance
  • Added an "Approver" user select dropdown in the Document Program menu under Governance
  • Added a "Next Review Date" date select field in the Document Program menu under Governance
  • Added a "Review Frequency" field in the Document Program menu under Governance
  • Added the ability to choose whether to sort by Asset Name or Asset Risk in the Risks and Assets report
  • Added the ability to choose the columns displayed for the Active Audits page under Compliance
  • Removed Obsolete Reports from Reporting
  • Updated to invalidate the old password reset token for a user if a new token is generated
  • Change "Review Date" to "Approval Date" in the Document Program menu under Governance
  • Changed the Health Check to a tab layout and added a Summary tab
  • Added a new health check to ensure the SimpleRisk Base URL defined in Settings matches the base URL that is being used to access the instance
  • Separation: Added a report under Configuration -> User Management for users mapped to teams and teams mapped to users


Q3 2020 Release Target (September?)

  • Adding a new report to view latest comments and updates to risks
  • Ability to save the column filter selections in the Dynamic Risk Report
  • Ability to dynamically generate graphs and charts with the Dynamic Risk Report
  • Notification: Allow customization of language of notifications
  • Custom Authentication: Enhancements to setting of teams and permissions via AD and SAML attributes
  • Team-Based Separation: Apply team separation to the viewing and use of assets in dropdowns, searches, and asset management.


PAST RELEASES:


Q1 2020 Release Target (March 28, 2020)

  • Add filterable and sortable columns for Dynamic Risk Report and similar tabular views of data
  • Enhance usability of the Dynamic Risk Report by creating expandable sections
  • Performance improvements by converting concatenated ids to junction tables and adding indexes
  • Ability to choose if High Risk Report is based on the Inherent or Residual risk score
  • Fix for creation of circular references with control framework parent-child relationships
  • Fix for different looking Action buttons on the Audit Timeline report
  • Added a new audit log type for user events
  • The Risks and Assets report now includes the risk's locations/teams in the row instead of the asset's locations/teams.
  • Group names are now included on the Assets by Risk report in brackets.
  • The Audit Trail now includes an entry when a framework is deleted.
  • After adding a test to a control, you are now brought back to the same place you were when you clicked "Add Test".
  • Changing user permissions while a session is open will now immediately take effect without the need to logout.
  • Added the ability to control whether the "High Risk Report" is based on the Inherent or Residual risk score.
  • Added a new health check to see if an Extra is compatible with the SimpleRisk instance version.
  • Added a new health check to see if an instance is running the most recent version of an Extra.
  • Added a new health check to check for proper MySQL database user permissions.
  • Sorted the "Mitigation Controls" dropdown when planning a mitigation in alphabetical order.
  • Fixed an issue in the Risks and Assets report where assets that were part of an asset group were not displayed when the asset was assigned to a risk and the asset group was not.
  • Fixed a bug where using the "Group By" feature on the Dynamic Risk Report would show both a column header and footer when that was not necessary.
  • Updated a function that caused an error when the SimpleRisk Base URL was not set.
  • Fixed a bug when updating your user profile language while selecting "--".
  • Fixed a bug where users would not receive password reset emails without setting the simplerisk_base_url value.
  • Fixed an issue where MySQL instances with STRICT_TRANS_TABLES enabled would throw an error if too many characters were entered into the Compliance related fields.
  • Fixed a bug where the risk levels for "Custom" Classic Risk scoring were not being set properly.
  • Removed Control Regulation from Add and Remove Values as this is now managed through the Governance section of SimpleRisk.
  • Fixed a UI bug that would occur when a Framework's name was too long.
  • Fixed an issue where reporting with Risks and Assets would cause an incorrect maximum quantitative loss when an asset group was attached to a risk.
  • Fixed a bug that was causing the Site/Location and Asset Valuation for assets to not accept new changes.
  • Fixed various issues that occur when SimpleRisk is run from a sub-directory of the virtualhost's web root.
  • Fixed a bug where all pages were making unnecessary calls to the SimpleRisk update server.
  • Fixed a bug where circular references could be made for Frameworks using parent/child associations.
  • Fixed undefined index errors on the Risk and Controls report.
  • Fixed a bug where the Contributing Risk popup window was named "SimpleRisk OWASP Calculator" instead of "SimpleRisk Contributing Risk Calculator".
  • Added the ability to set SimpleRisk to make requests via a proxy through the SimpleRisk UI under the "Security" tab in Configure -> Settings.
  • Open sessions are now immediately invalidated when a password is reset.
  • When account lockouts occur, any active sessions from that account are also invalidated.
  • Various security fixes
  • ComplianceForge SCF: Changed the user interface for enabling and disabling frameworks.
  • ComplianceForge SCF: Added functionality to dynamically download the current ComplianceForge SCF release and update SimpleRisk with the new controls and mappings.
  • Jira: Integration with Jira (Official Release)
  • Risk Assessment: Added a new "Fill in the blank" question type
  • Risk Assessment: Added the ability to send assessments to users already defined in SimpleRisk
  • Email Notification: Fixed an issue where email notifications were not sent with risk closures.
  • Custom Authentication: Added the ability to add a manager attribute through LDAP to the account created in SimpleRisk.
  • Custom Authentication: Added the ability to specify display name, email address, and manager username value attributes for SAML authentication.
  • Custom Authentication: Updated SAML authentication to handle when strict_user_validation is turned off.
  • Upgrade: Continuing to move closer to a true "one-click" upgrade process.
  • Customization: Added an option to have results in a single-select or multi-select dropdown displayed in alphabetical order.
  • Customization: Added a new "Hyperlink" custom field that allows users to create clickable hyperlinks in their templates.
  • Import-Export: Fixed a bug with importing existing assets with updated custom fields.
  • Import-Export: Fixed a bug where the "Export to XLS" button did not work in the Dynamic Risk Report unless a subject column was selected.
  • Import-Export: Added the "Date Closed" column for risk exports.
  • Import-Export: Added the ability to import a Mitigation Submission Date value.
  • Import-Export: Updated import mappings to store custom fields.
  • Import-Export: Added "Additional Stakeholders" to imports.


Q4 2019 Release Target (November 30, 2019)

  • Added a selection to view the Date Closed value on the Dynamic Risk Report.
  • Updated existing multi-select dropdowns to be searchable and scrollable.
  • Added the ability to search tags when filtering by tags in the Dynamic Risk Report.
  • Added a new filter on the Compliance Active Audits page that allows you to filter based on the "Test Name" column.
  • Added a new filter on the Compliance Past Audits page that allows you to filter based on the "Test Name" column.
  • Added a new "Actions" column in the Audit Timeline report enabling the user to initiate a new audit of the test, view active audits of the test, or view past audits of the test directly from the page.
  • Updated the Team field for assets to be a multi-select dropdown.
  • Updated the "Associated Frameworks" under the Audit Timeline report so that only active frameworks are displayed.
  • Added the ability for a user to select any document type as a parent in the Document Hierarchy on the Governance page.
  • Removed the ability to create a risk subject with only whitespace characters.
  • Removed the "report requires PHP >= 5.5" message if you are running PHP >= 5.5.
  • Added a health check to detect an outdated version of PHP.
  • The missing "Initiate Test" functionality was added back to the Initiate Audits page.
  • Fixed an issue where the pop up menus were no longer able to be scrolled through.
  • Fixed an issue where filtering by an asset or asset group in the Dynamic Risk Report did not work.
  • Fixed an issue where you could not make a tag that contained spaces in it.
  • Fixed an issue where you could not sort by Residual Risk Score in the Dynamic Risk Report after grouping by risk level.
  • Fixed an issue where the Dynamic Risk Report did not properly group by risk level when using custom risk level names.
  • Fixed an issue where changing tabs in the Configure -> Settings menu caused the Risk Appetite slider to disappear until the page is refreshed.
  • Fixed an issue where the "All" button on the Risk Appetite Report did not expand to show all risks under the selected tab.
  • Fixed a spelling issue for "Mitigation Supporting Documenttation" under the Mitigation tab in the Configure, Extras, and Customization menus.
  • Added additional code to prevent a time-based account enumeration attack on login.
  • Fixed a CSRF vulnerability with the new one-click-upgrade functionality.
  • Fixed a SQL Injection vulnerability with audit trail logs.
  • Fixed a Stored XSS vulnerability with the new risk appetite functionality.
  • Fixed a Stored XSS vulnerability with the Frameworks and Controls tabs.
  • Fixed an issue where any user could access the list of Framework Controls.
  • Fixed an issue where an unprivileged user could change the risk levels.
  • Jira: Integration with Jira (Beta)
  • Risk Assessment: Created a new "Control Audit" button when viewing a questionnaire result that will show all controls mapped to the question asked, their associated frameworks, and whether the answer was a "Pass" or "Fail".
  • Risk Assessment: Made it so that each time a pending risk is accepted it did not reload the entire page.
  • Risk Assessment: Fixed an issue where you would receive a datatables error if you added a text filter for questionnaire questions and select a filter template.
  • Email Notification: Fixed an issue where the scheduled reporting section of the Notification Extra would send e-mails to users it should not send emails to.
  • Upgrade: Fixed an issue where the Upgrade Extra would throw an error regarding undefined available_extras when attempting to upgrade even if no upgrade was needed.
  • API: Added an API query to update the values of a risk.
  • API: Fixed an issue in the API Extra when attempting to create a new API key for a user.
  • Customization: Fixed an issue where required asset fields would inhibit database upgrades.
  • Import-Export: Added support for asset groups to Tenable and Rapid7 integrations.
  • Import-Export: Fixed an issue where you could not import fields set to be encrypted using the Customization Extra.


Q3 2019 Release Target (September 30, 2019)

  • Ability to define a custom "risk appetite" value
  • Creation of a new "Risk Appetite" report that shows separate tabs for risks within and outside the appetite
  • Ability to save selections in the Dynamic Risk Report with a name 
  • Ability to share saved selections in the Dynamic Risk Report with other users
  • Customization: Ability to define custom fields as required
  • Risk Assessment: Ability to add sub-templates as questionnaire logic
  • Customization/Encryption: Ability to define custom fields as encrypted
  • Risk Assessment: Ability to audit questionnaire responses against a defined control framework


Q2 2019 Release Target (June 30, 2019)

  • Addition of a "Manager" value for each user that will automatically populate the "Owner's Manager" field for risks
  • Fix for IE10 compatibility issues
  • Add the "Mitigation Control" value to the Dynamic Risk Report
  • Updated handling of roles so that user permissions change when role permissions are changed
  • Fix so that updating a control in the Governance section doesn't refresh the entire page
  • Add an audit trail entry for Accepting and Rejecting a Risk Mitigation
  • Add functionality to combine multiple assets into an "Asset Group" that can be added to a risk
  • Add translations for the Mongolian language
  • Association of teams with audit tests
  • Ability to delete active audits
  • Risk Assessment: Ability to select multiple contacts for an assessment
  • Import-Export: Ability to import vulnerabilities with Rapid7 Nexpose
  • Import-Export: Export of controls to a CSV file
  • Ability to specify your own scores for risks depending on the likelihood and impact values
  • Team-Based Separation: Restrict access to audit tests by associated team
  • Advanced Search: Creation of a new SimpleRisk Extra to enable more targeted search criteria


Q1 2019 Release Target (March 31, 2019)

  • Addition of tagging of risks and assets
  • Addition of asset groups
  • Addition of text-based description for asset valuation range
  • Enable project selection as part of risk review
  • Association of Frameworks and Controls with Policies, Guidelines, Standards, and Procedures
  • Ability to Document Exceptions to Policies and Controls
  • Addition of a help menu
  • Addition of the Audit Timeline report
  • Customization of e-mail prepend value
  • Ability to export the audit log
  • Import-Export: Ability to import assets with Rapid7 Nexpose