PRODUCT SECURITY HUB RELEASE NOTES

  • ProdSecDesigner
    • Product Dashboard: Added additional fields to hide or show in the settings modal. (new feature)
    • Requirement/Threat Importing: Added the ThreatID and RequirementID to the Threats/Requirements Import Review screen. (new feature)
    • Patch Importing: Replaced “SBOM Component BOM-Ref” with “SBOM Component ID” on the Patch import template. (new feature)
    • Exporting: Renamed “Description” column header in Product export Threats tab to “STRIDE Category”. (new feature)
    • Vulnerability Page: Updated the “Date Identified” field to restrict entries to current or past dates only. (new feature)
    • Vulnerability Management Page: Updated the Vulnerability “Ratings” on the Vulnerability Management dashboard. (new feature)
  • ProdSecDesigner
    • Residual Risks Page: Updated fields that are displayed by default and fields that can be hidden on the Risks page. (new feature)
    • Exporting:
      • Added pre-defined glossary tabs for Threats, Requirements, and Risks within Product exports. (new feature)
      • Replaced the comma delimiter with a semicolon delimiter in the exported requirement text on the Risks tab (SecurityRequirement), because the requirement text itself contains commas. (new feature)
    • Threats Page: Implemented a bug fix so that the hover-over display of requirements within the UI functions properly after a threat is set to N/A and then set back to Applicable. (bug fix)
    • Adding a New Product: Implemented a bug fix so that when a user adds a New Product, the Add New Product screen disappears after clicking the Add button. (bug fix)
    • Data Update: Updated the Product Security Hub data according to the June Product Security Hub Data Load, which adds a new “AI Model” component, threats, and requirements, along with several additional minor modifications to mappings of existing requirements to existing threats. (new feature)
  • ProdSecDesigner
    • Product Dashboard: Added product consolidation via expand/collapse carets and new requirement status fields on the product dashboard that can be enabled in the Settings Modal: # of Req, # of Req WIP, # of Req Met, # of Req Not Met, # of Req N/A. (new feature)
    • Residual Risks Export Bug: Implemented a bug fix for the product export Risks tab, where requirements with Not Met, Met, WIP and N/A statuses were sometimes mixed together in the SecurityRequirements column. (bug fix)
    • Requirements Sorting Bug: Implemented a bug fix to sort the requirements screen by the Component ID (the tenant’s unique ID) instead of the component name. (bug fix)
    • SBOM Component Inventory Page: Added the ability to sort the SBOM component dashboard by the Known Vulns and CRA ID columns. (new feature)
    • Vulnerabilities Management Page: Added the existing “one sentence summary” open text field from the Vulnerability Details to the Vulnerability Management dashboard, positioned after the VM ID and before the Status field. (new feature)
  • ProdSecDesigner
    • Global Change: The character limit on open text fields has been increased from 1000 to 2000 characters to support additional text content. (new feature)
    • SBOM Component Inventory: The “software level of support” field used within SBOM Components has been updated from mandatory to optional. This field is not mandatory per the CycloneDX specification, and while mandatory it forced the user to add this information when modifying any component where it was missing. (new feature)
    • Requirement/Threat Importing Bug: Implemented a bug fix for an issue that occurred when a user added a new custom requirement to an existing Product Security Hub threat via the import functionality and then deleted that requirement: the requirements page displayed an error because PSH also attempted to delete the associated threat. The fix updates the requirement deletion logic so that an associated threat is no longer deleted automatically. (bug fix)
  • ProdSecDesigner
    • Security Patch: Updated the Microsoft.Identity.Web package to the latest version. This change was necessary to resolve a known vulnerability in the third-party component. (security patch)
    • Global Change: Added a “changes have been saved successfully” pop-up message in the lower right corner of Product Security Hub whenever Product Security Hub automatically saves any edits made. (new feature)
    • Residual Risk Page: Added more detail to the hover-over help messages for the CVSS fields on the Risks page. (new feature)
  • ProdSecDesigner
    • Added Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing from a Microsoft Excel file. The vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability. (new feature)
    • Data Update: Released a new version of the component, threat, and requirements data. Most changes were semantic changes (e.g. wording and look and feel) and a new component was added (data flow to external entity). Existing products will primarily notice these semantic changes on the requirements page (new feature).
      • Example: “Anonymous and/or guest access to the component shall be prohibited (removed or disabled)” was updated to “Anonymous and/or guest access shall be prohibited (removed or disabled)”
      • Example: “The component shall automatically log out an authenticated user after a period of inactivity” was updated to “Authenticated users shall be automatically logged out after a period of inactivity”
    • Global Change: Implemented a UI modification to maintain the header on the threats, requirements, and residual risks pages (new feature).
    • Global Change: Removed the “Changes have been made successfully” banner that appeared each time a field was edited (new feature).
    • Residual Risk Creation Logic: Previously, a residual risk was generated each time a requirement was labeled as “Not Met,” resulting in a significant number of residual risks tied to requirements, even if those requirements were recommendations rather than mandatory. The new approach associates residual risks with threats rather than requirements when a requirement is marked as “Not Met.” This allows multiple “Not Met” requirements to be consolidated into a single risk associated with a single threat. Existing products will notice consolidated risks on the residual risks page, including new risk ID numbers. The previous risk ID numbers will appear in the Residual Risk column (new feature).
    • Requirements Page Consolidation View: Introduced the capability to consolidate requirements around the requirement itself rather than the component, facilitating a more efficient review of requirements and creating a more concise list to work with. This also makes it possible to quickly update requirements that impact multiple components by switching to the consolidated view and editing the requirements there (new feature).
    • Import Capabilities: Added the functionality to import new/custom requirements, threats, or residual risks, as well as existing ones that may have been edited offline in Microsoft Excel. Users can download a blank or pre-filled template, make edits, and then import it into ProdSecDesigner (new feature).
    • Additional Addendums: Expanded the editable fields (addendums) on the requirements and threats pages (new feature).
    • Dashboard Updates: Included additional existing fields in the patch management, vulnerability management, and SBOM dashboards (new feature).
    • SBOM Importing/Exporting of Vulnerability Data: Enhanced the SBOM Management page to allow importing and exporting vulnerability data within the CycloneDX JSON file format (new feature).
    • KEV Checking: Added the functionality to verify vulnerabilities with CVEs in ProdSecDesigner against the DHS CISA KEV database (new feature).
  • ProdSecDesigner
    • Updated the Threats and Requirements pages to show the component name rather than the component type (bug fix)
    • Changed ISO 80001-22 to ISO 80001-2-2 on the Requirements Page (bug fix)
    • Updated the Threats Page to include the ability to show residual risks and met and not met requirements (new feature)
    • “Reference to Safety Risk Assessment” field added to Residual Risks page (new feature)
    • Updated new version feature to include the Completed IFU Guidance field in the new version (bug fix)
    • Fixed an issue with using a product name that was already used (bug fix)
    • Updated the export feature to include custom threat and requirement details and to prefix requirement IDs with “R” (bug fix)
    • Added Software Bill of Materials (SBOM) feature, with the ability to manually add SBOM components, import from a CycloneDX JSON file, export to a CycloneDX JSON file or a Microsoft Excel human readable file (new feature)
    • Added Patch Management feature, with the ability to track cybersecurity patches by either manually adding them or importing from a Microsoft Excel file (new feature)
  • ProdSecAssessor
    • Initial release of ProdSecAssessor, which provides the ability to assess against a number of industry guidance documents from US FDA, Australian TGA, EU MDCG and more (new feature)
  • ProdSecDesigner
    • Changed dashboard view to group products by product name (new feature)
    • Added ability to create new versions of existing products (new feature)
    • Updated the export file to include product name and added applicability to threat output (new feature)
    • Added a new field (consideration for ifu/labeling) on the risk assessment page (new feature)
    • Added a new field (product status) to the product details page (new feature)
    • Updated component IDs in the “add a new threat” and “add a new requirement” modals (new feature)
  • ProdSecMaturity
    • Removed the draft guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment
    • Added the final guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment (new feature)
  • Initial release of Product Security Hub Platform, ProdSecDesigner and ProdSecMaturity.