PRODUCT SECURITY HUB RELEASE NOTES

  • ProdSecDesigner
    • SBOM Import:
      • When importing an SBOM with vulnerability data, the Rating’s “source” field was changed from mandatory to optional, so that files lacking this information can be imported, in line with the CycloneDX specification (bug fix)
      • When importing an SBOM that does not contain SBOM “version” metadata, the version on the SBOM Dashboard is no longer replaced (bug fix)
    • Threats Page and Threats Export: Renamed the “Design Feature Mitigation” column to “Recommended Mitigations” (new feature)
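The two SBOM import fixes above amount to a parsing rule: optional CycloneDX fields must not be treated as mandatory, and a BOM that carries no version must not clobber the version already stored. The following is an added illustration written for these notes, not Product Security Hub code; it assumes the “version” in question is `metadata.component.version`, and the BOM content is constructed.

```python
import json
from dataclasses import dataclass
from typing import Optional
# Constructed CycloneDX-style sample, not a real product SBOM: the second
# rating omits "source" and "method", and metadata has no component version.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "demo-app"}},
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3",
                    "bom-ref": "pkg-libfoo"}],
    "vulnerabilities": [{
        "id": "CVE-0000-00000",  # placeholder identifier, not a real CVE
        "ratings": [
            {"score": 7.5, "severity": "high", "method": "CVSSv31",
             "source": {"name": "NVD"}},
            {"severity": "medium"},  # no source, no method: still spec-valid
        ],
    }],
})

@dataclass
class Rating:
    severity: Optional[str]
    score: Optional[float]
    method: Optional[str] = None  # optional in the CycloneDX rating schema
    source: Optional[str] = None  # optional in the CycloneDX rating schema

def parse_rating(raw: dict) -> Rating:
    src = raw.get("source")
    return Rating(severity=raw.get("severity"), score=raw.get("score"),
                  method=raw.get("method"),
                  source=src.get("name") if isinstance(src, dict) else None)

def import_sbom(bom_json: str, current_version: Optional[str]):
    # Returns (resolved product version, {vuln id: [Rating, ...]}); the stored
    # version is kept when the BOM carries no metadata.component.version.
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    meta_version = bom.get("metadata", {}).get("component", {}).get("version")
    resolved = meta_version or current_version
    vulns = {}
    for v in bom.get("vulnerabilities", []):
        # importer policy (not a spec rule): skip entries without an id, since
        # they cannot be tracked or de-duplicated
        if not v.get("id"):
            continue
        vulns[v["id"]] = [parse_rating(r) for r in v.get("ratings", [])]
    return resolved, vulns
```

The same rule covers the later note that the VEX “Method” field is no longer mandatory: it is read if present and left `None` otherwise.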
  • ProdSecDesigner
    • SBOM Pages: When an SBOM with a large number of records (roughly over 800) was imported, page performance degraded significantly and in some cases ProdSecDesigner timed out. Improvements were made to fix the performance issues (bug fix)
  • ProdSecDesigner
    • Global Change:
      • Updated .NET 6 to .NET 8, as .NET 6 goes out of support in November 2024 (new feature)
      • Added Role Based Access Controls – to the tenants and products to enable read-only or full control and the ability for a tenant admin to administer their own permissions (new feature)
    • Vulnerability Management Page: added the ability to select multiple vulnerabilities and delete them vs individually clicking delete (new feature)

  • ProdSecMaturity
    • Released updated demographic questions as part of the 2024 MDIC/Apraciti Medical Device Cybersecurity Benchmarking Effort (new feature)
  • ProdSecDesigner
    • Component Page: When a component is deleted, the associated SBOMs and vulnerabilities will now be deleted as well (new feature)
    • Residual Risk Page: The Search on the Risks page will now search requirements not met, requirements met, all addendums, including those not displayed due to the field chooser. (new feature)
    • SBOM Page:
      • Updated the CycloneDX plugin from 6.0.0 to 7.0.1 (new feature)
      • For SBOM imports with VEX data, the “Method” field used in Vuln Ratings will no longer be mandatory (new feature)
    • Vulnerability Management Page: The Vulnerability Mgmt page will no longer display orphaned data for Time Until Patch Available, Number of Devices Impacted, Number of Devices Patched, and Time Patch Available after a Patch is deleted (new feature)
    • Vulnerability Management page: New fields added to the PSH Vulnerabilities Dashboard: “Time Until Patch Available”, “Number of Devices Impacted”, “Number of Devices Patched”, “Time Patch Available Until Patched” and the Patches page includes the new field “Date All Devices Were Patched” (new feature)
    • Exporting:
      • Requirement text that was not relevant will no longer be included in the SecurityRequirement field in the exports
      • 4 new fields visible on the Vulnerability dashboard will be exported: Time Until Patch Available, Number of Devices Impacted, Number of Devices Patched, Time Patch Available Until Patched – and 1 new field on the Patch dashboard will be exported: Date All Devices Were Patched (new feature)

  • ProdSecMaturity
    • Added NIST Cybersecurity Framework Version 2 as a maturity assessment option (new feature)
  • ProdSecDesigner
    • Global Change: Paging was implemented across ProdSecDesigner pages to split large amounts of records into pages, with a page navigation bar at the bottom of each ProdSecDesigner page when necessary (new feature)
    • Exporting:
      • Exports from the My Product Dashboard were updated to include a new tab that lists all requirements in the grouped view (where each requirement lists the group of components it applies to, instead of a unique requirement per component) (new feature)
      • Exporting CycloneDX SBOMs without vulnerabilities from the SBOM page has been added (new feature)
    • Residual Risk Page:
      • A Scoring Justification field was added to the risks page to be used for explaining how scores were generated (new feature)
      • Fixed a crash when importing using the blank template on the Risks page (bug fix)
    • Requirements Page:
      • The ability for a user to set a default view of Grouped or Ungrouped Requirements has been added on the Product Details page (new feature)
      • Fixed a bug where Requirements are reverted to Status = WIP and added back to Threats with applicability = No after adding a new Component (bug fix)
    • Vulnerability Management page: New fields added to the PSH Vulnerabilities Dashboard: “Time Until Patch Available”, “Number of Devices Impacted”, “Number of Devices Patched”, “Time Patch Available Until Patched” and the Patches page includes the new field “Date All Devices Were Patched” (new feature)
  • ProdSecDesigner
    • Product Dashboard: Added additional fields to hide or show in the settings modal. (new feature)
    • Requirement/Threat Importing: Added the ThreatID and RequirementID to the Threats/Requirements Import Review screen. (new feature)
    • Patch Importing: Replaced “SBOM Component BOM-Ref” with “SBOM Component ID” on the Patch import template. (new feature)
    • Exporting: Renamed “Description” column header in Product export Threats tab to “STRIDE Category”. (new feature)
    • Vulnerability Page: Updated the “Date Identified” field to restrict it to current or past dates only. (new feature)
    • Vulnerability Management Page: Updated the Vulnerability “Ratings” on the Vulnerability Management dashboard. (new feature)
  • ProdSecDesigner
    • Residual Risks Page: Updated fields that are displayed by default and fields that can be hidden on the Risks page. (new feature)
    • Exporting:
      • Added pre-defined glossary tabs for Threats, Requirements, and Risks within Product exports. (new feature)
      • Replaced the comma delimiters with semi-colon delimiter in the exports of requirement text in the Risks tab (SecurityRequirement) due to the use of commas within the requirements. (new feature)
    • Threats Page: Implemented a bug fix so that the hover-over display of requirements within the UI functions properly after a threat is set to N/A, then set back to Applicable. (bug fix)
    • Adding a New Product: Implemented a bug fix so that when a user adds a New Product, the Add New Product screen disappears after clicking the Add button. (bug fix)
    • Data Update: Updated the Product Security Hub data according to the June Product Security Hub Data Load, which adds a new “AI Model” component, threats, and requirements, along with several additional minor modifications to mappings of existing requirements to existing threats. (new feature)
  • ProdSecDesigner
    • Product Dashboard: Added product consolidation via expand/collapse carets and new requirement status fields to the product dashboard that can be enabled in the Settings Modal: # of Req, # of Req WIP, # of Req Met, # of Req Not Met, # of Req N/A. (new feature)
    • Residual Risks Export Bug: Implemented a bug fix for product export Risks tab where both requirements not met, met, WIP, N/A were sometimes mixed together in the SecurityRequirements column. (bug fix)
    • Requirements Sorting Bug: Implemented a bug fix to sort the requirements screen by the Component ID (tenant’s unique ID) instead of the component name. (bug fix)
    • SBOM Component Inventory Page: Added the ability to sort on the SBOM component dashboard for the known vulns and CRA ID columns on the SBOM component dashboard. (new feature)
    • Vulnerabilities Management Page: Added “one sentence summary” existing open text field from the Vulnerability Details to the Vulnerability Management dashboard, after the VM ID and before the Status field. (new feature)
  • ProdSecDesigner
    • Global Change: The character limit on open text fields has been increased from 1000 to 2000 characters to support additional text content. (new feature)
    • SBOM Component Inventory: The “software level of support” field used within SBOM Components has been updated from mandatory to optional, as this field is not mandatory per the CycloneDX specification; when mandatory, it forced the user to add this information whenever modifying a component that lacked it. (new feature)
    • Requirement/Threat Importing Bug: Implemented a bug fix for an issue that occurred when a user added a new custom requirement to an existing Product Security Hub threat via the import functionality and then deleted that requirement: the requirements page displayed an error because PSH attempted to also delete the associated threat. The fix updates the requirement deletion logic to remove the automatic deletion of an associated threat. (bug fix)
  • ProdSecDesigner
    • Security Patch: Updated the Microsoft.Identity.Web package – this change was necessary to resolve a known vulnerability in the 3rd party component and update to the latest version. (security patch)
    • Global Change: Added a “changes have been saved successfully” message pop up in the lower right corner of Product Security Hub when Product Security Hub automatically saves any edits made. (new feature)
    • Residual Risk Page – Added more detail to the hover-over help messages for the CVSS fields in the Risks page. (new feature)
  • ProdSecDesigner
    • Added Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing from a Microsoft Excel file. The vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability. (new feature)
    • Data Update: Released a new version of the component, threat, and requirements data. Most changes were semantic changes (e.g. look and feel) and a new component was added (data flow to external entity). Existing products will primarily notice these semantic changes on the requirements page (new feature).
      • Example: “Anonymous and/or guest access to the component shall be prohibited (removed or disabled)” was updated to “Anonymous and/or guest access shall be prohibited (removed or disabled)”
      • Example: “The component shall automatically log out an authenticated user after a period of inactivity” was updated to “Authenticated users shall be automatically logged out after a period of inactivity”
    • Global Change: Implemented a UI modification to maintain the header on the threats, requirements, and residual risks pages (new feature).
    • Global Change: Removed the “Changes have been made successfully” banner that appeared each time a field was edited (new feature).
    • Residual Risk Creation Logic: Previously, residual risks were generated each time a requirement was labeled as “Not Met,” resulting in a significant number of residual risks tied to requirements, even if they were recommendations rather than mandatory. The new approach associates residual risks with threats rather than requirements when a requirement is marked as “Not Met.” This allows for consolidating multiple “Not Met” requirements into a single risk associated with a single threat. Existing products will notice consolidated risks on the residual risks page, including new risk id numbers. The previous risk id numbers will appear in the Residual Risk column (new feature).
    • Requirements Page Consolidation View: Introduced the capability to consolidate requirements around the requirement itself rather than the component, facilitating a more efficient review of requirements and creating a more concise list to work with. This also allows requirements that impact multiple components to be updated quickly by switching to the consolidated view and editing the requirements (new feature).
    • Import Capabilities: Added the functionality to import new/custom requirements, threats, or residual risks, as well as existing ones that may have been edited offline in Microsoft Excel. Users can download a blank or pre-filled template, make edits, and then import it into ProdSecDesigner (new feature).
    • Additional Addendums: Expanded the editable fields (addendums) on the requirements and threats pages (new feature).
    • Dashboard Updates: Included additional existing fields in the patch management, vulnerability management, and SBOM dashboards (new feature).
    • SBOM Importing/Exporting of Vulnerability Data: Enhanced the SBOM Management page to allow importing and exporting vulnerability data within the CycloneDX JSON file format (new feature).
    • KEV Checking: Added the functionality to verify vulnerabilities with CVEs in ProdSecDesigner against the DHS CISA KEV database (new feature).
  • ProdSecDesigner
    • Added Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing from a Microsoft Excel file. The vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability. (new feature)
  • ProdSecDesigner
    • Updated the Threats and Requirements pages to show the component name rather than the component type (bug fix)
    • Changed ISO 80001-22 to ISO 80001-2-2 on the Requirements Page (bug fix)
    • Updated the Threats Page to include the ability to show residual risks and met and not met requirements (new feature)
    • “Reference to Safety Risk Assessment” field added to Residual Risks page (new feature)
    • Updated new version feature to include the Completed IFU Guidance field in the new version (bug fix)
    • Fixed an issue with using a product name that was already used (bug fix)
    • Updated the export feature to include custom threat and requirement details and to prefix requirement IDs with “R” (bug fix)
    • Added Software Bill of Materials (SBOM) feature, with the ability to manually add SBOM components, import from a CycloneDX JSON file, export to a CycloneDX JSON file or a Microsoft Excel human readable file (new feature)
    • Added Patch Management feature, with the ability to track cybersecurity patches by either manually adding them or importing from a Microsoft Excel file (new feature)
  • ProdSecAssessor
    • Initial release of ProdSecAssessor, which provides the ability to assess against a number of industry guidance documents from US FDA, Australian TGA, EU MDCG and more (new feature)
  • ProdSecDesigner
    • Changed dashboard view to group products by product name (new feature)
    • Added ability to create new versions of existing products (new feature)
    • Updated the export file to include product name and added applicability to threat output (new feature)
    • Added a new field (consideration for ifu/labeling) on the risk assessment page (new feature)
    • Added a new field (product status) to the product details page (new feature)
    • Updated component ids in the add a new threat and add a new requirement modal (new feature)
  • ProdSecMaturity
    • Removed the draft guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment
    • Added the final guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment (new feature)
  • Initial release of Product Security Hub Platform, ProdSecDesigner and ProdSecMaturity.