PRODUCT SECURITY HUB RELEASE NOTES

  • ProdSecDesigner
    • Added a Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing them from a Microsoft Excel file. Vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability (new feature).
    • Data Update: Released a new version of the component, threat, and requirements data. Most changes were semantic changes (e.g. look and feel) and a new component was added (data flow to external entity). Existing products will primarily notice these semantic changes on the requirements page (new feature).
      • Example: “Anonymous and/or guest access to the component shall be prohibited (removed or disabled)” was updated to “Anonymous and/or guest access shall be prohibited (removed or disabled)”
      • Example: “The component shall automatically log out an authenticated user after a period of inactivity” was updated to “Authenticated users shall be automatically logged out after a period of inactivity”
    • Global Change: Implemented a UI modification to maintain the header on the threats, requirements, and residual risks pages (new feature).
    • Global Change: Removed the “Changes have been made successfully” banner that appeared each time a field was edited (new feature).
    • Residual Risk Creation Logic: Previously, residual risks were generated each time a requirement was labeled as “Not Met,” resulting in a significant number of residual risks tied to requirements, even if they were recommendations rather than mandatory. The new approach associates residual risks with threats rather than requirements when a requirement is marked as “Not Met.” This allows for consolidating multiple “Not Met” requirements into a single risk associated with a single threat. Existing products will notice consolidated risks on the residual risks page, including new risk id numbers. The previous risk id numbers will appear in the Residual Risk column (new feature).
    • Requirements Page Consolidation View: Introduced the capability to consolidate requirements around the requirement itself rather than the component, facilitating a more efficient review of requirements and creating a more concise list to work with. This also makes it possible to quickly update requirements that impact multiple components by switching to the consolidated view and editing the requirements there (new feature).
    • Import Capabilities: Added the functionality to import new/custom requirements, threats, or residual risks, as well as existing ones that may have been edited offline in Microsoft Excel. Users can download a blank or pre-filled template, make edits, and then import it into ProdSecDesigner (new feature).
    • Additional Addendums: Expanded the editable fields (addendums) on the requirements and threats pages (new feature).
    • Dashboard Updates: Included additional existing fields in the patch management, vulnerability management, and SBOM dashboards (new feature).
    • SBOM Importing/Exporting of Vulnerability Data: Enhanced the SBOM Management page to allow importing and exporting vulnerability data within the CycloneDX JSON file format (new feature).
    • KEV Checking: Added the functionality to verify vulnerabilities with CVEs in ProdSecDesigner against the DHS CISA KEV database (new feature).
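As an added illustration of the two items above (not code from ProdSecDesigner, whose implementation is not described here): a cross-check that reads the `vulnerabilities` array of a CycloneDX 1.4 JSON file and flags the SBOM components affected by CVEs present in a CISA KEV catalog export. The field names follow the public CycloneDX and KEV JSON layouts; the SBOM, the KEV excerpt and the CVE ids are constructed placeholders.

```python
import json
import re

# Constructed sample inputs, not real data: a minimal CycloneDX 1.4 SBOM with a
# "vulnerabilities" array, and an excerpt shaped like the CISA KEV catalog JSON.
# The CVE ids are placeholders, not real CVEs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:generic/libparse@1.2.0", "name": "libparse", "version": "1.2.0"},
        {"bom-ref": "pkg:generic/netsvc@4.0.1", "name": "netsvc", "version": "4.0.1"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "affects": [{"ref": "pkg:generic/libparse@1.2.0"}]},
        {"id": "cve-2099-0002", "affects": [{"ref": "pkg:generic/netsvc@4.0.1"}]},
        {"id": "VENDOR-ADV-77", "affects": [{"ref": "pkg:generic/netsvc@4.0.1"}]},
    ],
})
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0002", "dateAdded": "2099-01-15", "dueDate": "2099-02-05",
     "requiredAction": "Apply updates per vendor instructions."},
]})

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_kev_index(kev_json: str) -> dict:
    """Map upper-cased CVE id -> KEV entry for O(1) lookups."""
    return {e["cveID"].upper(): e for e in json.loads(kev_json)["vulnerabilities"]}


def kev_matches(sbom_json: str, kev_json: str) -> list:
    """One record per (component, CVE) pair whose CVE is in KEV. Non-CVE ids
    (vendor advisories) are skipped; a ref to no component yields None."""
    bom = json.loads(sbom_json)
    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    kev = load_kev_index(kev_json)
    hits = []
    for vuln in bom.get("vulnerabilities", []):
        vid = str(vuln.get("id", "")).upper()  # normalise case before lookup
        if not CVE_RE.match(vid) or vid not in kev:
            continue
        for target in vuln.get("affects", []):
            comp = components.get(target.get("ref"))
            name, ver = (comp["name"], comp["version"]) if comp else (None, None)
            hits.append({"cve": vid, "component": name, "version": ver,
                         "kev_due_date": kev[vid].get("dueDate"),
                         "required_action": kev[vid].get("requiredAction")})
    return hits
```

With the constructed inputs, only the netsvc component is reported, carrying the KEV due date and required action so a reviewer can prioritise it without opening the catalog.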
  • ProdSecDesigner
    • Updated the Threats and Requirements pages to show the component name rather than the component type (bug fix)
    • Changed ISO 80001-22 to ISO 80001-2-2 on the Requirements Page (bug fix)
    • Updated the Threats page to include the ability to show residual risks and met and not met requirements (new feature)
    • “Reference to Safety Risk Assessment” field added to Residual Risks page (new feature)
    • Updated the new version feature so that the Completed IFU Guidance field is carried over into the new version (bug fix)
    • Fixed an issue when creating a product with a name that was already in use (bug fix)
    • Updated the export feature to include custom threat and requirement details and to prefix requirement ids with “R” (bug fix)
    • Added Software Bill of Materials (SBOM) feature, with the ability to manually add SBOM components, import from a CycloneDX JSON file, export to a CycloneDX JSON file or a Microsoft Excel human readable file (new feature)
    • Added Patch Management feature, with the ability to track cybersecurity patches by either manually adding them or importing from a Microsoft Excel file (new feature)
  • ProdSecAssessor
    • Initial release of ProdSecAssessor, which provides the ability to assess against a number of industry guidance documents from US FDA, Australian TGA, EU MDCG and more (new feature)
  • ProdSecDesigner
    • Changed dashboard view to group products by product name (new feature)
    • Added ability to create new versions of existing products (new feature)
    • Updated the export file to include product name and added applicability to threat output (new feature)
    • Added a new field (Consideration for IFU/Labeling) on the risk assessment page (new feature)
    • Added a new field (product status) to the product details page (new feature)
    • Updated component ids in the Add a New Threat and Add a New Requirement modals (new feature)
  • ProdSecMaturity
    • Removed the draft guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment
    • Added the final guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment (new feature)
  • Initial release of Product Security Hub Platform, ProdSecDesigner and ProdSecMaturity.