Release Notes
Updates and improvements

Release Notes for verinice and verinice.PRO

All information on updates, improvements and bug fixes for verinice.Client and verinice.PRO at a glance. The release notes provide a detailed overview of developments and functions of the ISMS and DSMS tool. 

Are you looking for information on the new verinice generation? Take a look at the release notes for verinice.veo.

Do you have questions about a specific version? Do you need support with an update? Write us an email.

Codename: Siargao

Release date: January 2024

Available at: verinice.SHOP and customer repository

New functions

Business Continuity Management

Business Continuity Management according to BSI standard 200-4 has been updated to the current version of the standard and extended with new functions:

  • The new Business Impact Analysis view graphically displays dependencies between processes and target objects for better overall assessment.
  • New business continuity reports, including a sample organization, are available in the separately downloadable product Business Continuity Management BCMS (200-4).

Management Summary IT-Grundschutz report template

The new overview report Management Summary IT-Grundschutz presents the most important IT Baseline Protection data (depending on the chosen protection approach: structure analysis, protection requirements assessment, IT-Grundschutz check and risk analysis) in a compact graphical form.

New packages for RHEL 8 and AlmaLinux 8

For verinice 1.27, RPM packages are provided for Red Hat Enterprise Linux (RHEL) 7 and CentOS 7, as well as for RHEL 8 and AlmaLinux 8. Due to the end of support for CentOS and RHEL 7 on June 30, 2024, the RPM packages for these versions will be provided for the last time with verinice 1.27! It is recommended that all users migrate to AlmaLinux 8 or RHEL 8 as soon as possible.

Bug fixes and detail improvements

Performance improvements

  • The creation of links has been significantly accelerated.
  • CSV and VNA import have been accelerated.

Client under macOS

  • The verinice single-user version (verinice.Subscription and verinice.EVAL) is available as a macOS installation package (.pkg).
  • The splash screen under macOS is displayed correctly.

Detail improvements

  • User-defined perspectives can be deleted.
  • The description field for the implementation of requirements/measures in IT-Grundschutz has been enlarged.

Product maintenance

  • Update of the RCP development environment to version 2023-09 (4.29).
  • Java 17 as runtime environment for the client.

Bug fixes

  • Fixed an error when changing the icons of objects.
  • Fixed a bug in the risk calculation in the mass editor.
  • Fixed a bug when restoring the default values in the editor settings.
  • Correction of alphanumeric sorting in report A.1 Structure analysis dependencies.

Security notes

New actions

none

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/snca-messages_??.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml

Database changes

none

New AlmaLinux appliance

The verinice.PRO appliance has been based on AlmaLinux since verinice 1.27. Please note in particular that an additional public package key must be imported before installing the verinice.PRO server! For details see verinice.PRO - Installation under AlmaLinux 8 and RHEL 8 chapter 4.3.1. verinice Repository.

Codename: Mal de Plata

Release date: May & July 2023

Version 1.26 / 1.26.1 of verinice and verinice.PRO is now available for download in the verinice.SHOP and the customer repository.

With verinice 1.26 the verinice team provides new features, detail changes and bug fixes.

The most important new feature is the support for the new ISO/IEC 27001:2022 in verinice 1.26. It is planned to release the new verinice risk catalog with the relevant contents of the ISO 27001 family soon. In parallel, the adaptation of the risk analysis in the ISM/ISO perspective was simplified; in the associated report templates, the risk matrices for confidentiality, integrity and availability can now be adapted.

In the context of product maintenance, the RCP development environment and the JDK have been updated in verinice 1.26 in addition to numerous detail improvements and bug fixes.

verinice 1.26.1 additionally fixed two bugs:

  • verinice packages are now signed with SHA-256, as Microsoft Defender warnings were occasionally reported during installation on Windows with the previous signature.
  • The handling of Unicode encoding has been improved to prevent a theoretically possible path traversal (see CWE-176: Improper Handling of Unicode Encoding). Exploitation is not considered realistic in the verinice usage scenario.
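The class of bug referenced above (CWE-176) is a path check performed on a string before the string is Unicode-normalized: a later layer folds compatibility characters such as the fullwidth "．" and "／" into ASCII "." and "/", and the traversal the check never saw becomes real. The following added example is not verinice code and not its fix; it shows the order of operations that avoids the problem in Java: normalize the untrusted input first, then resolve and normalize the path, then check containment against the base directory. The base directory and the sample inputs are hypothetical and constructed for this illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.Normalizer;

public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) {
        // Absolute and normalized base so that the containment check below is meaningful.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the resolved path if it stays inside baseDir, otherwise throws. */
    public Path resolve(String untrusted) {
        // 1. Unicode-normalize BEFORE any check. NFKC folds compatibility forms such as
        //    U+FF0E FULLWIDTH FULL STOP and U+FF0F FULLWIDTH SOLIDUS into '.' and '/'.
        //    Checking the raw string first is the CWE-176 mistake: the check sees
        //    "\uFF0E\uFF0E\uFF0F", finds no "..", and a later layer turns it into "../".
        String folded = Normalizer.normalize(untrusted, Normalizer.Form.NFKC);

        // 2. Reject characters commonly used to smuggle separators or truncate paths.
        if (folded.indexOf('\0') >= 0 || folded.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("illegal character in path");
        }

        // 3. Resolve against the base and collapse "." and ".." segments.
        //    If 'folded' is absolute, resolve() returns it unchanged and step 4 rejects it.
        Path candidate = baseDir.resolve(folded).normalize();

        // 4. Component-wise containment check on the normalized Path, not on the raw
        //    string (so "/var/lib/verinice/reports2" does not pass as a prefix match).
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Hypothetical report directory, chosen for the example only.
        SafePathResolver resolver = new SafePathResolver(Paths.get("/var/lib/verinice/reports"));

        // Constructed sample inputs: a benign name, a classic traversal, and a fullwidth
        // traversal that contains no ASCII '.' or '/' until NFKC normalization.
        String[] inputs = {
            "2024/summary.pdf",
            "../../etc/passwd",
            "\uFF0E\uFF0E\uFF0F\uFF0E\uFF0E\uFF0Fetc/passwd",
            "/etc/passwd",
        };
        for (String in : inputs) {
            try {
                System.out.println("OK      " + resolver.resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

Only the first input is accepted; the fullwidth variant is rejected for the same reason as the ASCII one, because by the time the containment check runs both have been folded to the same "../../etc/passwd". Normalizing after the check, or checking the string and the path in different encodings, is exactly the gap the bullet above describes.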

The update is accordingly recommended for all users who receive Microsoft Defender warnings during client installation under Windows.

As administrator of a verinice.PRO server, please also note the security notice at the end of these release notes!

New functions (verinice 1.26)

Risk Catalog ISO/IEC 27001:2022

With verinice 1.26 it is planned to publish the verinice risk catalog based on the new ISO/IEC 27001:2022.

The object Control is extended with the following new attributes for this purpose (the control attributes defined in ISO/IEC 27002:2022):

  • Measure type views measures from the standpoint of when and how a measure changes the risk with regard to the occurrence of an information security incident.
  • Information Security Properties views measures from the standpoint of which protection goal a measure is intended to support.
  • Cybersecurity Concepts views measures from the standpoint of how they map to the cybersecurity framework described in ISO/IEC TS 27110.
  • Operational Capabilities views measures from the standpoint of their operational information security capabilities and supports a practitioner's view of the measures.
  • Security Domains views measures from the standpoint of four information security domains.

Risk reports can be more easily customized by changing the risk parameters in the report templates to meet customer-specific requirements.

Bug fixes and detail improvements (verinice 1.26.1)

  • Correction of the package signing to SHA-256.
  • Improvement of Unicode encoding handling.

Bug fixes and detail improvements (verinice 1.26)

IT Baseline Protection

  • The icon decorator for risk analysis in the modernized IT Baseline Protection is displayed independently of the authorization (action ID).
  • The risk configuration is displayed.
  • The incorrect CSV import of business processes in modernized IT Baseline Protection has been fixed.
  • Filtering takes into account objects that have multiple change types.

Business Continuity Management

  • English translation was completed and some spelling errors were fixed.

Report templates

  • In report A.1 Structural Analysis with Dependencies all linked objects are now displayed.
  • In the report A.5 Risk Analysis all information about the information network is listed correctly.
  • In the ISM report templates Risk Analysis and Risk Treatment, missing translations have been added.

vDesigner

  • Fixed a bug that overwrote column names in report queries (encoding of the CSV-export can be specified in the settings).

General (Product Maintenance)

  • Update of the RCP development framework to version 2022-09 (4.25).
  • Update of the Java Development Kit in the client to JDK 11.0.18+10.
  • Group objects are correctly included in the search index.
  • Translation of some properties in SNCA.xml added.

Security notes

New actions

none

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/snca-messages_??.properties

Database changes

none

Codename: Sultans

Release date: November 2022

Version 1.25 of verinice and verinice.PRO is now available for download from verinice.SHOP and customer repository, respectively. With verinice 1.25 the verinice.TEAM provides about 70 new functions, detail changes and bug fixes.

Starting with verinice 1.25, Business Continuity Management (BCM) can be documented. Both the BSI standard 200-4 1.CD and ISO 22301:2019 have been implemented. Core processes can be identified, criticality data can be recorded, failure scenarios can be defined and relevant systems can be specified for restart. The new features can be found in the familiar IT baseline protection and ISM perspective, so it is possible to benefit from data that has already been collected and to use the synergies between ISMS and BCMS.

Reporting has also been enhanced. In addition to numerous improvements and bug fixes in the reports, several reports can now be output for a scope at once, and a classification can be assigned to the reports.

As administrator of a verinice.PRO server, please also note the security notice at the end of these release notes!

New functions

Business Continuity Management

Business Continuity Management (BCM) can now be documented. Both the German BSI standard 200-4 1.CD and ISO 22301:2019 have been implemented. Core processes can be identified, criticality data can be recorded, failure scenarios can be defined and relevant systems can be specified for restart. The new features can be found in the familiar IT baseline protection and ISM perspective, so it is possible to benefit from data that has already been collected and to use the synergies between ISMS and BCMS. Numerous enhancements have been made to the following target objects:

  • Information Network / Scope
  • Documents
  • Person
  • Business Process / Processes
  • Target objects (Application, IT system, ICS system, Device, Network, Room Group) / Assets
  • Modules / Controls
  • Safeguards / Requirements

Figure 1. BCM - ISO: Process

Reporting enhancements

  • Output of multiple reports at once: Multiple reports can be selected at once. These are generated and output one after the other in the desired storage directory.
  • Classification of reports: When creating reports, the classification of the reports can be set. This classification is displayed in the report header on each page. By default, four levels are predefined, but these can be adjusted and extended according to the requirements (under the settings).

Figure 2. Reporting

Detail changes

  • The startup message has been updated.
  • On the Welcome screen, the entry point for BSI IT-Grundschutz according to the 100-x standards has been removed. The perspective itself is still available and can still be used.
  • The Audit Report report has been revised so that all information from the audit is now output.
  • Links between business processes and rooms are possible.
  • In the Link-Maker it is now possible to search and sort not only by title but also by identifier, parent target object and scope.
  • The Imported Objects are no longer sorted by alphabet, but are always listed first.
  • Adjustments and enhancements to the Tutorials.
  • Improvements to the External Links View.

Bug fixes

  • In report A.1 Structure analysis dependencies all linked elements are now output.
  • In report A.3 Modeling, the correct number of blocks of communication connections is output in the table "Overview: List of blocks used".
  • In report A.4 Basic protection check, the implementation date (implementation by) is now also output if not derived from measure.
  • In the report Report form BSIG8b IS (ISO and basic protection) small inconsistencies have been corrected.
  • In the report Statement of applicability the elements are sorted by abbreviation.
  • The link direction can be changed again afterwards.
  • Fixed an error when copying with links for many elements.
  • Sorting in the consolidator is now possible.
  • In the ISM perspective, elements are sorted by abbreviation.
  • Performance improvements in inheritance from protection requirement and module referencing.
  • A total of four security improvements have been made.
  • Fix for a bug in v.Designer.
  • The inheritance of icons now works properly.
  • Deletion using keyboard shortcuts is prevented for read-only catalog items.
  • HTML tags are removed when sending mail from tasks.
  • The VDS_ISA_Audit tag has been removed for the Audit handling element.
  • A Local Admin now only sees the account groups they created in the account settings.
  • Adjustment of access rights for VNA and CSV import.
  • Modeling of blocks on a read-only information network is now prevented.
  • Adjustments to the Consolidator so that read-only information networks and elements can no longer be modified.

Security notes

New actions

none

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/snca-messages.properties
  • veriniceserver/WEB-INF/snca-messages_en.properties
  • veriniceserver/WEB-INF/veriniceserver-plain.properties
  • veriniceserver/WEB-INF/classes/sernet/gs/server/spring/veriniceserver-common.xml

Database changes

  • In the ChangeLogEntry table, indexes are automatically created on the changetime, elementChange and stationid columns.
  • All required indexes are created automatically if they do not already exist.

Codename: Jeju Island

Release date: May 2022

With verinice 1.24.1 the verinice.TEAM provides more than 40 new functions, detail changes and bug fixes. Additionally, the Windows client is delivered signed from now on. This version is now available in the verinice.SHOP and the customer repository.

NOTE: verinice 1.24.1 is the most current version. After an update to verinice 1.24, multiple IDs were displayed in the client behind the names of the objects. This feature, intended for debugging, caused unwanted noise, but no errors in the application and verinice could be used as usual. The problem also did not occur with a new installation - nevertheless, the team provided a new version 1.24.1.

The use of verinice is supported on a current MacBook with an M1 processor.

In addition, due to security vulnerabilities in older log4j versions, a switch to reload4j was made.

New functions

Module referencing

With the module referencing, it is possible to use already modeled modules for several target objects at the same time. This reduces both the effort required for editing and maintaining the modules and the number of modules contained in the information network. The target objects for which a module referencing exists are highlighted.

Detail changes

  • In report A.6 Realization plan, the implementation date (implementation by) is now also shown if no person is linked with the link type "implementation by".
  • The new Office formats (DOCX and XLSX) are supported for report creation.
  • The v.Designer can be started with Java 11 and is therefore included again in version 1.24.
  • Improvement of the "Derive from task" option when modeling requirements.
  • Tasks can be created automatically via cron job. This function is deactivated by default.
  • Encryption method "Encrypt with certificate" is no longer possible during export and import.

Bug fixes

  • Performance improvements when inheriting permissions, copying with shortcuts and in the account group view.
  • Fixed a bug in the GSTOOL import.
  • Fixed a bug in copying with shortcuts in Security Assessment.
  • Fixed an error when starting an audit workflow from the context menu of an ISO Control group.
  • Updated to RCP framework 2021-12 (4.22) to support newer operating systems.
  • Corrected changes to the program window after selecting links in the report query.
  • Catalog elements are now excluded from validation.
  • Language inconsistencies have been fixed in several places.
  • Removal of the old tutorial for data protection.
  • Deleting tasks in workflow is now possible again.
  • Correction in workflow when selecting appointments in an old template.
  • Deletion of links in the catalog is prevented.
  • Fixed the creation of aggregated charts in v.Designer.
  • Fixed an error when adding accounts to account groups.
  • Fixed a bug in the post-modeling of threats.
  • Clarified in several places that the Greenbone/OpenVAS connection is not available for Modernized IT Baseline Protection.

Security notes

New actions

none

Changed Property Files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/veriniceserver-plain.properties
  • veriniceserver/WEB-INF/verinice-ldap.properties
  • veriniceserver/WEB-INF/web.xml

Database changes

none

Code name: Great Barrier Island

Release date: October & November 2021

Version 1.23.x of verinice and verinice.PRO are now available for download in the verinice.SHOP and the customer repository, respectively. Single users should run verinice 1.23.1, on the server the packages 1.23.0 are still applicable.

With verinice 1.23 the verinice.TEAM provides more than 30 new functions, detail changes and bug fixes.

Starting with version 1.23, verinice now uses Java 11. The Java Runtime Environment (JRE) from Adoptium (formerly AdoptOpenJDK) delivered with the client has been updated to the latest version. The update 1.23.1 additionally fixes an error in the single user version when copying objects.

Attention: If a previous version is to be updated to verinice 1.23.x, an option must be deactivated in the verinice settings. Please refer to the update instructions at the end of the release notes.

To support newer operating systems, the RCP framework has been updated to version 2021-06 (4.20). verinice thus offers better support in particular for macOS Big Sur. As of the release date, no statement can yet be made regarding support for macOS Monterey, announced for the end of 2021.

Attention: As administrator of a verinice.PRO server, please also note the security notice at the end of these release notes!

Users of the verinice.PRO server should install the available RPM packages from the customer repository using the known update procedure.

Users of the verinice standalone version will be prompted to install the updated version at startup. If the automatic update mechanism has been disabled by the user, the update can be triggered manually using the following menu item: Help -> Check for Updates

Details about verinice 1.23.1

This update for verinice fixes an error when copying objects. In the single user version of verinice 1.22.2 and 1.23 the function "Copy with links" could not be executed. Calling up the function is possible again in version 1.23.1. verinice.PRO was not affected by the error. In the operating mode "Server", the function "Copy with links" can also be executed without errors in older versions. Therefore, no new verinice.PRO packages for 1.23.1 are published in the customer repository. On the server the packages for 1.23.0 can still be used.

Details about verinice 1.23

  • Fixed double output of VDA ISA controls for documents linked in the ISM perspective in the report templates Information Security Assessment compact/detailed.
  • In the report A.4 Grundschutz-Check, the implementation date is now also output if no person is linked.
  • If a valid licence is available, the unencrypted control texts are displayed in the web frontend.
  • The mail configuration has been extended for MSA-compliant mail dispatch.
  • The settings for StartTLS have been added to the configuration file veriniceserver-plain.properties.

Bug fixes

  • Fixed an error when importing multiple scopes at the same time.
  • Fixed a bug with recurring CSV import with the option Delete objects in verinice activated.
  • Fixed selecting a template file in the view Report filing.
  • Execution of the function Integrate (removal of Source-ID and Ext-ID) is now blocked on objects for users without write access.
  • Correction of the incorrectly implemented function Expand All in folder Imported Objects.
  • Normalisation of strings to avoid problems with special characters (combining diaeresis) in verinice (content, report queries and reports).
  • Catch error when consolidating blocks if hazards are linked with the same identifier.
  • Removed superfluous tag Risk for the checkbox Derive from measure for requirements in modernised IT-Grundschutz.
  • Links in the welcome screen on macOS can be called up again.
  • The creation of duplicate permissions is now intercepted.
  • The account view now shows changes to objects immediately (refresh).
  • Correction of the reference to the download of the IT-Grundschutz compendium in the tutorial.
  • Update of the tutorial for the consolidator in IT-Grundschutz.
  • Missing German translation in tutorial 3.2 Risk management based on ISO 27005 added.
  • Reset of perspectives in case of missing view corrected.
  • Fixed an error that in some cases prevented navigating back to the root object.

Closing a security hole

verinice 1.23 also includes the fix for a security vulnerability delivered with verinice 1.22.2. Users who missed this intermediate release are strongly recommended to update to verinice 1.23.x or at least verinice 1.22.2! See also the release notes for verinice 1.22.2.

In this context, verinice 1.23 also fixes two bugs reported by users from verinice 1.22.2 (subsequent bugs in the context of fixing the security vulnerability):

  • Licensed content is displayed correctly again in the single-user version if a licence is available.
  • The LDAP import of accounts works again in verinice 1.23.

Update Note

verinice requires a Java Runtime Environment (JRE) to start. As of version 1.23, verinice runs with JRE 11 and no longer with JRE 8. Therefore, before updating to version 1.23.x, an option must be disabled in the settings:

Menu → Edit → Settings... → Install / Update.

☐ Verify provisioning operation is compatible with currently running JRE


After that you can start the update as usual:

Menu → Help → Check for updates

After updating to 1.23.x, the automatic restart of verinice does not work. verinice must be stopped after the update and restarted manually.

Security notes

New actions

none

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/veriniceserver-plain.properties

Database changes

none

Code name: Essaouira

Release date: August 2021

Version 1.22.2 of verinice and verinice.PRO are now available for download from the verinice.SHOP and the customer repository, respectively.

The verinice.TEAM closes a security gap with this. Updating to the new version is strongly recommended for security reasons.

Users of the verinice.PRO server should install the available RPM packages from the customer repository using the known update procedure.

Users of the verinice standalone version will be prompted to install the updated version at startup. If the automatic update mechanism has been disabled by the user, the update can be triggered manually using the following menu item: Help -> Check for Updates

Vulnerability description

A vulnerability in the communication between the client and server components can be used to execute arbitrary code on the server. The prerequisite for exploiting the vulnerability is completed authentication with an account on the verinice.PRO server, with or without admin privileges. Without such an account, the vulnerability cannot be exploited.

  • CVE-2021-36981
  • Affected Versions: All versions of verinice and verinice.PRO prior to 1.22.2.

verinice uses Java serialization for communication between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework used are vulnerable to exploits that can be used to execute arbitrary code on the server component.

Since the server component is also used in the standalone mode of verinice, the vulnerability could theoretically be used to attack the standalone client as well. In the attack, arbitrary commands can be executed on the same machine, but with the rights and context of the verinice client. This second attack variant has not been verified by us, but as a precaution, we still recommend all users of the standalone client to install the available patch as well.

The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and read information, including all data in the verinice database.

A detailed description of the vulnerability can be found here: https://verinice.com/cve-2021-36981
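The page does not describe how verinice 1.22.2 fixed the deserialization path, so the following added example is not verinice code and should not be read as its patch. It shows the generic hardening for the mechanism named above: an allowlist deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9 and later) installed on the server's ObjectInputStream, so that any class not on the list is rejected before its readObject() is invoked. The Command and Gadget classes, the filter pattern and the messages are stand-ins constructed for the illustration; the Gadget only throws an exception where a real gadget chain would run attacker-chosen code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class FilteredDeserialization {

    /** Stand-in for a legitimate client-to-server message type (constructed for this example). */
    public static final class Command implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Command(String name) { this.name = name; }
    }

    /** Stand-in for a gadget class an attacker puts on the wire (constructed for this example). */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real gadget chain, attacker-chosen code runs here, during deserialization,
            // with the privileges of the server process.
            throw new IllegalStateException("Gadget.readObject() executed");
        }
    }

    /**
     * Allowlist filter: the application's own message class plus the java.lang types it
     * contains, with limits on graph depth, reference count and stream size. The trailing
     * "!*" rejects every other class before its readObject() is ever invoked.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;maxbytes=65536;"
            + Command.class.getName() + ";"
            + "java.lang.*;"
            + "!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Server-side read; filter == null reproduces an unfiltered ObjectInputStream. */
    static Object deserialize(byte[] wire, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Command("listScopes"));   // what a client normally sends
        byte[] hostile = serialize(new Gadget());               // what an authenticated attacker sends

        Command c = (Command) deserialize(legit, FILTER);
        System.out.println("filtered, legitimate message: " + c.name);

        try {
            deserialize(hostile, null);
        } catch (IllegalStateException e) {
            // No filter: the gadget's readObject() ran. This is the pre-fix situation.
            System.out.println("unfiltered, hostile stream:  " + e.getMessage());
        }

        try {
            deserialize(hostile, FILTER);
        } catch (InvalidClassException e) {
            // Filter: the class was rejected at descriptor resolution, readObject() never ran.
            System.out.println("filtered, hostile stream:    rejected (" + e.getMessage() + ")");
        }
    }
}
```

Two points matter for the attack described above. The filter is an allowlist ending in "!*": denylisting known gadget classes only holds until the next gadget chain is published, whereas an allowlist of the application's own message types does not care which library the attacker found. And the filter has to be in place on every stream the server reads from the network; setting it JVM-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter() closes the gap left by a stream that was forgotten. Note that authentication, which the advisory names as the only prerequisite, is no mitigation here: the payload is carried inside an ordinary authenticated request.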

Modified Property Files

None

Database changes

None

Codename: Essaouira

Release: November 2021

Version 1.22.1 of verinice and verinice.PRO is now available for download from verinice.SHOP and customer repository respectively.

An important component of the new version is, among other things, the IT-Grundschutz-Kompendium 2021. The IT-Grundschutz-Kompendium 2021 is directly delivered with verinice 1.22.1. For users of the 2020 edition, an automatic update to the 2021 edition is possible. Errors in the change documentation of the BSI for Edition 2021 of the IT-Grundschutz-Kompendium have been corrected; some discrepancies had crept in here (overview in the verinice.FORUM).

The IT-Grundschutz-Kompendium 2021 for verinice is also available via the verinice.SHOP. It thus supplements the already available additional modules which can be used with verinice.

In addition, verinice 1.22.1 contains the following new features:

  • VDA ISA / TISAX version 4 and 5 (catalogues and report templates)
  • Reporting form BSIG 8b for security incidents in the ISO/ITGS perspective
  • Correction of the link view under macOS BigSur
  • Acceleration of VNA export for scopes with >20,000 elements
  • Numerous detail improvements and bug fixes

The most important new features are described in detail below.

As administrator of a verinice.PRO server, please note the security advice at the end of these release notes!

New features

IT-Grundschutz-Kompendium 9 Edition 2021

verinice 1.22 comes with the IT-Grundschutz-Kompendium 9 Edition 2021 and supports the update functionality already introduced with verinice 1.20. Users of the 2020 edition of the IT-Grundschutz-Kompendium can retain the implementation they have already documented by remodelling with the modules of the 2021 edition and so adopt all changes and innovations efficiently.

Edition 2021 of the IT-Grundschutz-Kompendium contains a large number of changes and innovations; all users are strongly advised to observe the documentation accompanying the Kompendium.

Security incident reporting form

The target object Incident has been updated for both the ISM perspective and the modernised IT-Grundschutz perspective and now maps security incidents. In addition to the contents required for the notification form according to § 8b paragraph 4 BSIG, data protection-relevant contents are also included.

The reporting forms for data protection incidents are provided in parallel as an update of the respective data protection modules.

VDA Information Security Assessment


Figure 1. VDA ISA 5 Report

For the mapping of the self-assessment according to VDA ISA / TISAX, verinice 1.22 includes the currently valid version 5 (default) as well as the predecessor version 4 including the respective report templates.

Detail improvements

  • The export of information networks with more than 20,000 objects has been considerably accelerated by optimising the caching.
  • Extension of the roles according to the IT-Grundschutz-Kompendium of the edition 2021.

Bug fixes

  • Correction of an error in the linking of requirements with an information network in the link maker.
  • Fix for incorrect creation of .VNAs (zip files could not be opened).
  • Fixed error when importing cross-scope links if not both linked objects are included in the imported .VNA.
  • Correction of the link view under Mac OS Big Sur.
  • Correction of the download link for the IT-Grundschutz-Kompendium in the cheat sheet.
  • Correction of inconsistencies in display and storage of objects in the web frontend (task workflow) with and without activated release process.
  • Display/output of certain special characters (combining diaeresis) in reports corrected.
  • Correction of the level Normal in the table definition of protection requirement categories in the line internal/external impact in report A.5 Risk analysis. The value of the level Uncritical was output incorrectly.

Security notes

New actions

None

Changed Property Files

  • veriniceserver/WEB-INF/SNCA.xml
  • veriniceserver/WEB-INF/snca-messages.properties
  • veriniceserver/WEB-INF/snca-messages_en.properties
  • veriniceserver/WEB-INF/snca-messages_cs.properties

Database changes

None

Update from 1.22 to 1.22.1

Client verinice 1.22.1

With verinice 1.22.1, the verinice.TEAM fixes an error when updating a modelled information network to Edition 2021 of the IT-Grundschutz Compendium. Mistakenly, changes from the previous edition 2020 were not deleted during the remodelling but kept as "new" changes from the edition 2021. The problem is described in detail in this forum article: https://forum.verinice.com/t/kompendiums-update-von-8-0-und-8-1-auf-9/1337.

The problem can be easily corrected in verinice 1.22.1 by re-modelling with the new version 9.1 of the IT-Grundschutz-Kompendium of Edition 2021 published in parallel.

Note: For each update (remodelling) from one edition of the IT-Grundschutz-Kompendium to a newer one, at least verinice 1.22.1 must be used!

IT-Grundschutz-Kompendium 9.1 Edition 2021

With the IT-Grundschutz-Kompendium 9.1 Edition 2021, the verinice.TEAM provides a new version of the IT-Grundschutz-Kompendium to correct the error fixed with verinice 1.22.1 when updating the IT-Grundschutz-Kompendium. The new version has the same content as the previous one, but its newer release tag [2021-1] enables the correction through simple re-modelling. Users who have modelled an information network with the previous version IT-Grundschutz-Kompendium 9 Edition 2021 without updating from a previous edition can continue to use it; an update from version 9 to version 9.1 is not necessary.

Note: For each update (remodelling) from one edition of the IT-Grundschutz-Kompendium to a newer one, at least verinice 1.22.1 must be used!

Code name: Sumba

Release date: November 2020

As of now verinice and verinice.PRO version 1.21 are available for download in the verinice.SHOP or in the customer repository.

The verinice.TEAM provides more than 50 new functions, detail changes and bugfixes with verinice 1.21. The most important innovations are described in detail below.

IMPORTANT: As an administrator of a verinice.PRO server, please read the security note at the end of these release notes!

New functions

Module consolidator

Figure 1: Data selection for the module consolidator

The module consolidator for the modernised IT Baseline Protection considerably simplifies the processing of identical modules. Freely selectable parameters of a module, the requirements and the linked hazards and measures can be quickly transferred to selected modules with the same identifier.

Figure 2: Module selection for consolidation

In the subsequent overview, which takes into account either the current scope or all scopes, all modules found are available for selection with the associated target objects and scopes for consolidation.

Security incident reporting form

The target object Incident has been updated to reflect security incidents. In addition to the content required for the notification form according to § 8b paragraph 4 BSIG, it also contains content relevant to data protection. The related report templates will be available for download shortly.

Figure 3: Report form for security incidents

VDA ISA / TISAX 5.0.2

The new version 5.0.2 is integrated to map the self assessment according to VDA ISA / TISAX. The corresponding report template will be available for download separately shortly.

Context for report templates

The dialogue for report generation has been fundamentally revised. Report templates are now displayed contextually for the perspective of the selected scope, which increases clarity and prevents the selection of unsuitable report templates. The context can be defined separately for each report template, including customer-specific ones; report templates that span several perspectives can be realised in the same way.

Figure 4: Context for report templates

Report creation across multiple scopes

New in verinice is the possibility to execute report templates across multiple scopes. After selecting several scopes in the model view (tree), a correspondingly prepared report template can be executed via the context menu (right mouse-click).

Figure 5: Report creation across multiple scopes

*The standard report templates in verinice are not designed for cross-scope report generation! However, users can create their own reports with the v.Designer or adapt the templates accordingly.

Parent objects in the Link Maker

In the Link Maker, the parent objects are now displayed in addition to the scope for easier assignment.

Figure 6: Parent objects in the Link Maker

Extension of the target object document

The target object document was revised both in the ISM and in the perspective of the modernised IT Baseline Protection and extended by important contents.

Figure 7: Target Object Document

In addition to document type and classification, description, version, document status, date of approval and revision can now also be documented.

BSI IT Baseline Protection Profiler

The IT Baseline Protection Profiler in verinice enables the creation of new IT Baseline Protection profiles. This option makes verinice interesting for industry associations that create their own IT Baseline Protection profiles, as these can be seamlessly submitted to the BSI for approval. The update functionality for the IT Baseline Protection also significantly simplifies the maintenance and updating of the profiles, which is required at least once a year when a new IT Baseline Protection Compendium is released by the BSI.

Figure 8: IT Baseline Protection Profiler

Detailed improvements

  • Performance improvements in VNA import and export and account settings.
  • Adjustments have been made in data protection (list of processing activities).
  • Catalogues are excluded from VNA export and report generation.
  • Extension of the risk category in the modernised BSI IT-Grundschutz.
  • Adjustment of the date field in the editor.
  • Links between requirements added.
  • For ISO tasks, the object browser is now also displayed with contents in the web frontend.

Bugfixes

  • The sorting of assets in the Risk Assessment report has been adjusted.
  • Report templates can be changed and saved again in the report repository (server mode).
  • Report templates (including A.3, A.4 and A.6) have been revised.
  • Links between a scope and a catalogue are no longer possible.
  • Catalogues are now also displayed by default for Scope-Only Accounts.
  • Account permissions for the Local Admin have been adjusted.
  • Scopes with an account can be deleted.
  • Attributes have been extended to facilitate mapping during CSV import.
  • The object browser is updated correctly and also displays the verinice logo under Windows.
  • Inconsistencies in icons and the language of the context menu have been fixed.
  • Security vulnerabilities when attaching files have been fixed.
  • Inconsistencies in the risk calculation according to ISO 27005 have been fixed.
  • Automatic verinice update is possible again from version 1.21.

Discontinuation of the verinice.PRO packages for RHEL 6 and CentOS 6

Support for Red Hat Enterprise Linux (RHEL) 6 and CentOS 6 will end on 30 November 2020. For this reason, verinice.PRO packages of verinice 1.21 will only be provided for RHEL 7 and CentOS 7! verinice.PRO servers still running RHEL 6 or CentOS 6 must be upgraded to the successor version.

Security Notes

New actions

  • consolidator_modbp: BSIMOD/F/Consolidator (modernized base protection)

Changed property files

NOTE: In the file veriniceserver-common.xml the number of threads during export can no longer be configured!

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_en.properties, snca-messages_cs.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_cs|en].properties:
    • The action ID simpleauditview has been removed.
    • The action ID consolidator_modbp was added.
  • veriniceserver/WEB-INF/veriniceserver-osgi.properties:
    • The jdbc.ds.pool.maxPoolSize property has been increased to 15.

Database changes

None

Codename: Unstad

Release date: 14 April 2020


New features in verinice 1.20

With immediate effect, verinice and verinice.PRO in version 1.20 are available for download in verinice.SHOP or in the update repository.

With verinice 1.20, the verinice.TEAM provides more than 50 new features, detail changes and bug fixes.

With verinice 1.20, users receive support for essential tasks in the modernized IT-Baseline Security:

  • The update of modelled information networks, which is required annually by the BSI with the publication of a new IT-Baseline Security compendium, is significantly simplified by a guided update functionality (new modelling).
  • The implementation of the risk analysis according to BSI standard 200-3 is effectively supported by visualization of outstanding risk analyses as well as high or very high risks with need for action.
  • IT-Baseline Security audits can be performed, documented and outputted via report template.

The most important new features are described in detail below.

IMPORTANT: As an administrator of a verinice.PRO server, please note the security note at the end of these release notes!

New Features

Update function for the IT Baseline Security Compendium

Both the IT Baseline Security Compendium Edition 2020 and the Edition 2019, which were published in February, have been extended compared to their respective predecessor editions to include the BSI’s change notices (including errata from 05.02.2020 for the Edition 2020). Both editions can be obtained from the download area of the verinice website or from the update repository.

In verinice 1.20, when using one of the two versions of the IT Baseline Security Compendium mentioned above, all changes are represented by specifying the release of the edition, the change type (new, changed, re-sorted, omitted) and the change details in:

  • Requirements and modules (requirement groups)
  • Measures and groups of measures
  • Hazards and hazard groups

Figure 1. Notes on changes to the IT Baseline Security Compendium

Repeated modelling with a newer edition of the IT Baseline Security Compendium allows you to update existing information networks conveniently and check the changes and rework them if necessary.

Figure 2. Filter options for changes

The extended filter in the model view of verinice 1.20 supports you by allowing you to search information networks for all changes.

Visualization of the module implementation status

Figure 3. Visualization of the module implementation status

For modules and measure groups, the implementation status of all related requirements or measures is now displayed visually in the tree, so that the degree of fulfillment for the chosen procedure type can be seen at a glance. The display can be activated in the settings.

Visualization of the risk status

Figure 4. Visualization of the risk status

Visualization simplifies the risk analysis process. You can see at a glance for which target objects a risk analysis is still to be carried out, and which risks are present in which category and, if necessary, still need to be treated.

Figure 5. Filtering by risk

The visualization is optimally supplemented by the extended filter in the modernized IT Basic Protection view. Users can see at a glance for which target objects a risk analysis is still to be carried out and where, for example, high or very high risks exist.

Audit support in the modernized IT Baseline Security

Figure 6. Audits in the modernized IT basic protection

verinice 1.20 now enables better mapping of audits in the modernized IT Baseline Security. Document audit actions in the new section Audit and output them in the audit report.

Basic/further responsibility

Figure 7. Basic/further responsibility

For requirements and requirement groups (modules) as well as measures and measure groups, two new relationship types basically responsible and additional responsibility were introduced, which were defined by the BSI instead of the roles main responsible and responsible respectively. verinice 1.20 reads both relationship types in particular in the corresponding report templates (A.3 Modeling and A.4 IT Baseline-Check), so that users can use them synonymously or successively exchange them.

Context for Report Templates

Figure 8. Context for report templates

A context has been added to all report templates to improve the overview in the Create Report dialog. The introduction of the context is also in preparation for the planned future enhancement to create reports across scopes.

Detail changes

  • The section implementation in Requirements and Measures in the modernized IT Baseline Security has been extended by the property implementation by.
  • The report templates of the affected reference documents ITGS: A.4 IT Baseline Security Check and ITGS: A.6 Implementation Plan have been adjusted accordingly.
  • The default perspective at first login is now the Modernized IT Baseline Security (previously IT Baseline Security old).
  • The revision of requirements and measures can now be documented directly in requirements and measures and no longer needs to be done in the description field for the linked person.
  • In the report template ITGS: A.2 Protection requirement determination an error in the definition of the protection requirement category has been corrected.
  • In the report templates Risk Assessment and Risk Treatment for the ISM Perspective and Data Protection Module 3 for the ISM Perspective, an inconsistency in the calculation between the risk matrix and the bar charts has been corrected.
  • The obsolete report templates VV-BSIG have been removed and will be updated in one of the following versions.
  • The delivered RPM packages are now signed by GPG key.
  • The Person object in the modernized IT Baseline Security has been extended for data protection by General DSB.

Bug fixes

  • Local administrators can only edit the accounts they are authorized to write to.
  • Inactivation of the Save button in the Report Repository view corrected.
  • Import of malicious VNA files prevented.
  • Missing display of information groups and accounts of the modernized IT Baseline Security in the view Tasks fixed.
  • Fixed an error in the display of fields in the web front end when a new date field was created via customizing.
  • Links created using Rest-API are now displayed directly in the client.
  • The derivation of the implementation status of a requirement in the modernized IT Baseline Security has been corrected for the case that the last linked task has been deleted.

Security Notes

New actions

None

Changed property files

Client

The Java Keystore of the verinice client was moved. Up to version verinice-1.19.1 the keystore is located in this file:

<VERINICE>/jre/lib/security/cacerts

The new file path as of verinice-1.20 is

  • Windows: <VERINICE>/plugins/sernet.verinice.extraresources.jre_win_64_1.20.0.507d45a/jre/lib/security/cacerts
  • Mac: <VERINICE>/plugins/sernet.verinice.extraresources.jre_mac_64_1.20.0.507d45a/jre/Contents/Home/lib/security/cacerts
  • Linux: <VERINICE>/plugins/sernet.verinice.extraresources.jre_linux_64_1.20.0.507d45a/jre/lib/security/cacerts

Please note that the version number (1.20.0.507d45a) in the file path will change with future verinice versions.
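Because the plugin directory name carries the verinice version and build id, a hard-coded keystore path breaks on every update. The following POSIX shell helper is an added example, not part of the verinice release notes or the verinice project: it locates the client keystore for both the pre-1.20 layout and the 1.20+ layouts listed above by matching the versioned plugin directory with a wildcard. The function name find_verinice_cacerts and the sample directory tree built by make_sample_install are constructed for this example; the directory layouts themselves are taken from the release notes.

```shell
#!/bin/sh
# Added example (not from the verinice release notes or project): locate the
# verinice client Java keystore (cacerts) regardless of the client version.
#   <= 1.19.1 : <VERINICE>/jre/lib/security/cacerts
#   >= 1.20   : <VERINICE>/plugins/sernet.verinice.extraresources.jre_<os>_64_<version>/...
# The <version> part changes per release, so it is matched with a glob.

# Print the path of the first cacerts file found under the installation
# directory given as $1; return 1 if no keystore is found.
find_verinice_cacerts() {
    base="$1"
    # Old layout (verinice up to 1.19.1).
    if [ -f "$base/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$base/jre/lib/security/cacerts"
        return 0
    fi
    # New layouts (verinice 1.20 and later): Windows/Linux first, then macOS.
    # An unmatched glob stays literal and simply fails the -f test.
    for candidate in \
        "$base"/plugins/sernet.verinice.extraresources.jre_*/jre/lib/security/cacerts \
        "$base"/plugins/sernet.verinice.extraresources.jre_*/jre/Contents/Home/lib/security/cacerts
    do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample tree that mimics a verinice 1.20 Linux installation
# (directory name taken from the release notes; the file content is empty).
make_sample_install() {
    dir="$1"
    jre_dir="$dir/plugins/sernet.verinice.extraresources.jre_linux_64_1.20.0.507d45a/jre/lib/security"
    mkdir -p "$jre_dir"
    : > "$jre_dir/cacerts"
}

# Demo run: build the sample tree in a temporary directory and resolve the path.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_install "$tmp"
    find_verinice_cacerts "$tmp"
    rm -rf "$tmp"
fi
```

Run the script with `--demo` to see the resolved path for the constructed tree, or call `find_verinice_cacerts /path/to/verinice` on a real installation and pass the result to `keytool -list -keystore <path>` to confirm which CA certificates the client trusts after an update.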

Server

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_en.properties, snca-messages_cs.properties: Various changes
  • veriniceserver/WEB-INF/web.xml: Healthcheck added
  • veriniceserver/WEB-INF/veriniceserver-osgi.properties: Update target platform
  • veriniceserver/WEB-INF/veriniceserver-plain.properties: Update target platform
  • veriniceserver/WEB-INF/classes/sernet/gs/server/spring/springDispatcher-servlet.xml: Modeling Migration Service removed
  • veriniceserver/WEB-INF/classes/sernet/gs/server/spring/veriniceserver-common.xml:
    • Healthcheck added
    • modeling migration service removed
    • Update target platform
  • veriniceserver/WEB-INF/classes/sernet/gs/server/spring/veriniceserver-reportdeposit.xml

Database changes

None

Codename: Kuta
Release date: 5 December 2019

verinice and verinice.PRO version 1.19 are now available for download in the verinice.SHOP or in the customer repository.

This update for verinice and verinice.PRO fixes a bug in the VNA export. Some data models could not or not completely be exported. The update to verinice 1.19.1 is recommended for all customers who have problems exporting information networks of the modernized IT Baseline Protection.

Please check the detailed release notes of version 1.19 for further information.

Codename: Kuta

Release Date: 11 November 2019

verinice and verinice.PRO version 1.19 are now available for download in the verinice.SHOP or in the customer repository.

ATTENTION: As an administrator of a verinice.PRO server, please also note the security note at the end of these release notes!

verinice 1.19 brings a variety of new application solutions with it:

1 VDA ISA 4.1.1

verinice version 1.19 supports the VDA ISA catalog version 4.1.1 for TISAX in German and English. In the VDA perspective, users can carry out information security assessments including the additional modules prototypes, third party integration and data protection.

2 Data protection module 3

Version 3 of the data protection module is only available in German at the moment.

3 IT-Grundschutz profiles

verinice optimally supports users of the modernized IT-Grundschutz in the creation and use of BSI - IT-Grundschutz-Profile.

All IT-Grundschutz-Profile published by the BSI can be downloaded from the verinice website for import into verinice.

In the verinice.FORUM, users can also exchange information on all aspects relating to the use or creation of IT-Grundschutz-Profile and industry-specific security standards (B3S) in accordance with § 8a BSIG.

4 Detail improvements and bugfixes

The verinice.TEAM releases verinice 1.19, a version optimized for stability and performance in many respects.

More than 50 bugfixes and detail improvements improve in particular the following areas:

  • Performance
  • LDAP import
  • Task workflow
  • Report queries and reporting

5 From 2020 on no more verinice.PRO packages for RHEL 6 and CentOS 6

Support for Red Hat Enterprise Linux (RHEL) 6 and CentOS 6 will end on November 30, 2020. For this reason, verinice.PRO packages for these operating system versions are only available for verinice 1.19 and 1.20. For all versions released thereafter, there will only be packages for RHEL 7 and CentOS 7. verinice-1.19 and 1.20 will be the last versions available for RHEL 6 and CentOS 6.

We already recommend upgrading your verinice.PRO server to RHEL 7 or CentOS 7 if you are still using version 6.

6 Security notes

6.1 New Actions

  • None

6.2 Changed Property Files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_de.properties, snca-messages_cs.properties - New relation "rel_bp_itnetwork_bp_person_dps" (Data privacy officer).
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_cs|de].properties - The files have been formatted and sorted.

Codename: Mangalore

Release date: July 2019


Please refer to the security notes at the end of this release note.

In July verinice and verinice.PRO version 1.18.1 are available for download in the verinice.SHOP or in the customer repository. This version contains the following new features and improvements:

1 Risk analysis according to BSI-Standard 200-3

The verinice.TEAM further simplifies the risk analysis according to BSI standard 200-3 in verinice 1.18.1. Risk assessment and risk treatment are no longer documented in the individual requirements or safeguards but directly in the respective threats:

(Remark: English version of IT Baseline compendium pending by BSI!)

Users can now evaluate and document the risk directly in the threat with and without additional safeguards before and after any risk treatment for a package of safeguards.

The elimination of the previous documentation per safeguard/requirement and its calculation in the threats reduces the effort considerably. In addition to further bug fixes and detail improvements, the new procedure significantly increases performance.

2 Reporting

The verinice.TEAM publishes the final versions of the Report Templates for the new IT Baseline Protection, which have already been discussed in the verinice.FORUM in recent weeks, and would like to express its thanks to all testers for their constructive feedback. The new or revised report templates will be released exclusively based on the new LTR technology:

The report templates for the Security Assessments according to VDA ISA / TISAX 4.1.0 can now be generated including the spider web diagrams with SVG support.

With verinice 1.18.1, the report templates Risk Management and Risk Treatment for the ISO/ISM Perspective benefit most from the generation via LTR graph technology - customer tests promise a considerably faster generation of reports.

In addition, all report templates are successively internationalized, each report template file only exists once, and additional language versions are made available by simply adding a translation file.

A small but helpful feature is the option to open reports after creation directly from the confirmation dialog, no searching via the file manager is required.

The report queries themselves have also been optimized through caching and other improvements. In particular, the opening of large LTR datasets in verinice and v.Designer has been significantly accelerated.

3 Webfrontend

Users of the modernized IT Basic Protection can now access the texts of the IT Baseline Protection Compendium in the web frontend under tasks for requirements, safeguards and threats, which greatly simplifies the implementation of the individual tasks.

4 Bugfixes and detail improvements

More than 30 further bugfixes and detail improvements contribute to a further improvement of verinice 1.18.1, primarily concerning the general performance. Some shall be mentioned explicitly:

  • Java 8 has been updated to the latest release.
  • The Elasticsearch REST API has been disabled to address a vulnerability.
  • When copying with shortcuts, the remarks in the shortcuts are now also copied.
  • The vertical and horizontal scroll bars are now always available in the Editor.
  • The old CSV catalog view in the ISM perspective was discontinued and is no longer available.
  • VDA ISA Report Templates can only be executed per Scope.

5 Security notes

5.1 Update

We have compiled all necessary information for manual updates in a Howto.

To update the verinice.PRO server to version 1.18.1, please use the package manager "yum" (verinice.PRO update details) as usual.

5.2 New actions

none

5.3 Deleted actions

  • addcatalog
  • deletecatalog
  • generateauditreport
  • ismcatalog

5.4 Changed property files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages[_cs|de].properties - Changes related to the risk analysis according to BSI-Standard 200-3
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_cs|de].properties - Deletion of actions: addcatalog, deletecatalog, generateauditreport and ismcatalog

5.5 Database changes

none

Codename: Mangalore

Release date: 9th April 2019

verinice and verinice.PRO version 1.18 are now available for download in the verinice.SHOP or in the customer repository.

ATTENTION: Automatic client updates are not possible for verinice 1.18! We have compiled all necessary information about manual updates in a Howto. To update the verinice.PRO server to version 1.18, please use the package manager "yum" as usual (details on the verinice.PRO update).

This version contains the following new features and improvements:

1 VDA ISA 4.1.0

verinice version 1.18 supports the VDA ISA catalog version 4.1.0 for TISAX in German and English language. In the VDA perspective, users can carry out information security assessments including the additional modules prototypes, third party integration and data protection.

Figure: VDA ISA

In addition, the new catalogue contains all information on the maturity model, performance levels, KPIs and other relevant information on the performance of an assessment.

Figure: VDA ISA Appendix

Note: The report templates are not yet part of Release 1.18, but will be delivered at short notice.

2 Modernized IT Baseline Protection

2.1 Conversion of information networks

Users of IT Baseline Protection can now convert existing IT networks based on the BSI standards of the 100 series directly in verinice into information networks based on the BSI standards of the 200 series.

Figure: Conversion of IT Networks

Remark: German version shown here due to the pending English version of the Compendium.

During the conversion, a copy of the old model is created in the perspective of the Modernized IT Baseline Protection; the old IT network remains unchanged. The conversion can be repeated as often as required. All target objects including all existing links are converted.

In addition to this transfer of the structural analysis, the existing protection requirement definitions and inheritances are also automatically transferred.

Special features of the conversion:

  • Applications can be converted per tag either as a process (tag: MoGs:ProZess) or as an application (tag: MoGs:Anwendung); tags are case sensitive.
  • Where necessary, groups are created in the new model, see e.g. the subgroups Buildings and Rooms in the new information system.
  • In rare cases the type of a link cannot be converted unambiguously; the link is then marked with PRÜFEN:Verknüpfungstyp in the description and can easily be corrected.
  • Object types that were not used in the old IT Baseline Protection are not copied. These can be newly created via the context menu with a right mouse click.
  • A migration of modules from the old IT Baseline Protection Catalog to the new IT Baseline Protection Compendium does NOT take place.

2.2 Optimization of the risk analysis according to 200-3

The risk analysis according to BSI standard 200-3 is further optimized in verinice 1.18:

  • Invalid values and double designations in the risk configuration are intercepted.
  • Inconsistencies after changing risk configuration values and during calculation are avoided.
  • The sections Implementation and Safeguard Strength have been combined into requirements and safeguards for consistency:

Figure: Safeguard implementation

  • The derivation of the safeguard strength was corrected for the case that probability of occurrence or effect was set to unedited.
  • Inconsistencies when changing risk values using the bulk editor have been corrected.
  • Display and change of risk values in the web frontend have been improved.

2.3 Optimization of the modeling

In verinice 1.18, the modeling in Modernized IT Baseline Protection was further optimized with regard to performance, especially for large networks. In addition, minor errors are corrected:

  • Modules and safeguard groups/implementation hints are sorted analogous to the listing in the IT Baseline Protection Compendium:

Figure: Sorting of modules

Remark: German version shown here due to the pending English version of the Compendium.

  • The settings for derivation are no longer overwritten when a previously modeled module is repeatedly modeled.
  • Incorrect modeling of entire module groups is prevented.
  • The missing display of the view Links during reload has been fixed.

2.4 Detail changes in the Modernized IT Baseline Protection

The verinice.TEAM implements several detail improvements in verinice 1.18:

  • Fixed a bug where requirements could not be opened in the editor if the option BSI-200-3 was not enabled in the settings.
  • Added deletion of people with accounts in the Modernized IT Baseline Protection perspective (verinice.PRO only).
  • Tags can now also be selected in Modernized IT Baseline Protection using the key combination Arrow down.
  • Missing or wrong icons have been corrected.
  • The sorting of links in Link Maker and Link View has been redefined and a bug has been fixed. The sorting order is now as follows:
    • Object type
    • Relationship type
    • Safeguarding procedure (if any)
    • Identifier/Abbreviation of the linked object
    • Title/name of the linked object
  • Added property tags for object groups documents, incidents, records in Modernized IT Basic Protection for unification.

3 Classical IT baseline protection

3.1 Detail changes in the classic IT baseline protection

Smaller changes and improvements have also been made in the perspective of the old IT baseline protection as part of product maintenance:

  • Performance has been improved when generating reports A.4 and A.7.
  • In the risk analysis wizard, you can now edit and delete your own threats directly.

4 ISM Perspective

4.1 Detail changes in the ISM Perspective

With verinice 1.18 the following improvements are made:

  • The option Shown in SoA-Report is now always visible by default.
  • Fixed bug when editing people with mass editor.

5 Global Functions

5.1 New Java Runtime Environment

From version 1.18, verinice is delivered with a Java Runtime Environment (JRE) from the AdoptOpenJDK initiative. AdoptOpenJDK builds JREs that contain all security patches and may be used free of charge. For verinice users nothing changes: verinice will still contain a current JRE and the installation will remain as easy as possible.

Previously (incl. version 1.17) verinice contained a JRE, which was published by Oracle free of charge. However, Oracle changed the Java release cycle and the license for the JRE in 2018, so that it will no longer be possible to deliver verinice with the Oracle JRE from 2019.

5.2 No verinice client for 32-bit Linux systems

Since version 1.18 there is no client for 32-bit Linux systems anymore. verinice is delivered with the Java Runtime Environment (JRE) of the AdoptOpenJDK initiative. AdoptOpenJDK does not provide a JRE for 32-bit Linux. For this reason, verinice cannot be created for this architecture. As before there will be a Linux version of verinice for 64-bit systems.

5.3 Report Queries (LTR)

The report queries were extended in verinice 1.18 by an important additional function:

Source ID and External ID can now be exported in report queries. This makes it possible to export data in order, for example, to have it processed externally in Excel and then to import changes again via CSV import.

Figure: IDs

5.4 CSV import

With CSV import, the fields are provided with domain/perspective and ID, so that mapping between data to be imported and data fields in verinice is significantly simplified.

Figure: CSV import

5.5 Czech Version

As of version 1.18 verinice is available in Czech language.

For details see the corresponding product information in Czech: verinice hovoří česky.

5.6 verinice.EVAL

Version 1.18 of verinice.EVAL brings back the import function for .vna files, so that users can import demo data.

5.7 Global detail changes

More global detail improvements and bugfixes in verinice 1.18:

  • The bug when opening the object browser if opened before the editor is fixed.
  • Fixed an error when saving empty files (0 bytes) in the File View.
  • The option Change password was deactivated by default in the single-user version.
  • Problems when updating report templates in the View Template Repository have been fixed (verinice.PRO).
  • To avoid accidental changing of field contents while scrolling in the editor, the mouse wheel function for the controls Single-Select and Date Fields has been deactivated.
  • When assigning an already created task to another person, the domain/perspective does not have to be selected again.
  • Invalid combinations of due date and reminder period intercepted.

5.8 Report templates

The verinice.TEAM is currently revising all report templates fundamentally and will publish them in a forthcoming follow-up release verinice 1.18.1.

All report templates will be available for download in the verinice forum as pre-releases!

  1. Revising the templates for the Modernised IT Basic Protection
    • A.1 Structural analysis
    • A.1 Structural analysis dependencies
    • A.2 Determination of protection requirement (1.18)
    • A.3 Modelling
    • A.4 Basic protection check
    • A.5 Risk analysis (1.18)
    • A.6 Implementation plan
  2. Template revision for VDA ISA 4.1.0
    • Information Security Assessment Report
    • Information Security Assessment Report (with diagram)
  3. Revision of risk reports for the ISM perspective:
    • Risk Management
    • Risk Treatment

6 New actions

  • BSIMOD/F/IT-Verbünde konvertieren, Action-ID:convertitnetwork

7 Changed property files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_en.properties

8 Database changes

None

Codename: Raglan
Release date: 13th February 2019

verinice and verinice.PRO version 1.17.2 are available in the verinice.SHOP and the update repository.

ATTENTION: Automatic updates of the clients are not possible for verinice 1.17! We have compiled all necessary information for manual updates in a HowTo. To update the verinice.PRO server to version 1.17, please use the package manager "yum" as usual.

The verinice.TEAM publishes verinice 1.17.2, which fixes several bugs in modeling in the Modernized IT Baseline Protection:

  • In some cases, elementary threats were linked to incorrect target objects during modeling.
  • In borderline cases, some modules could not be modelled at all, in particular the modules DER.4, ORP.4, OPS.3.1 and OPS.2.1, if the modelling was carried out with blank measures.
  • Requirements could not be opened in the editor in case the BSI 200-3 section was activated in the settings.

Performance was optimized in all perspectives, especially for large information networks, by making the creation, display and deletion of links more stable and performant. In addition to these direct effects, side effects such as the creation of the search index and the deletion of objects in general have also been optimized.

The update to verinice 1.17.2 is recommended for all users of Modernized IT Baseline Protection.

Codename: Raglan
Release date: 09th November 2018

verinice and verinice.PRO version 1.17 are available in the verinice.SHOP and the update repository.

ATTENTION: Automatic updates of the clients are not possible for verinice 1.17! We have compiled all necessary information for manual updates in a HowTo. To update the verinice.PRO server to version 1.17, please use the package manager "yum" as usual (see details on the verinice.PRO update). As an administrator of a verinice.PRO server, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

Optimised Modeling in the Modernized IT-Baseline Protection

verinice 1.17 now supports multiple modeling of modules for different target objects:

In addition, verinice 1.17 now always models all module requirements (basic, standard, increased protection requirement) and, if activated, all associated implementation hints. If the related filter is activated, the requirements or safeguards are filtered according to the procedure for protection defined for the information network. The filter also acts on linked threats, e.g. only threats that are linked to basic requirements are displayed in the link maker.

This ensures that, for example, after a successful basic protection of an information network, it is easy to switch to the standard protection.

Migration of previous Modeling in the Modernized IT Baseline Protection

When verinice 1.17 is started for the first time, all previous modeling in the Modernized IT Baseline Protection is migrated to the new modeling.

Improvements in the IT Baseline Protection Compendium

The IT Baseline Protection Compendium is planned to be released in English by the BSI at the end of 2018 and will be available for use in verinice afterwards.

The modeling instructions are now displayed in the object browser of each module:

The texts from the implementation hints (if they exist) are also displayed in the requirements. The conversion notes are also available if you are not working explicitly with the object type safeguards in verinice:

Hybrid Modeling

Parallel to the IT-Baseline Protection Compendium, the verinice.TEAM provides a catalogue which contains all modules from the 15th Supplementary Delivery of the IT-Baseline Protection Catalogue that are not yet available in the new IT Baseline Protection Compendium. The modules of the 15th Supplementary Delivery can thus be modeled directly in the New IT-Baseline Protection by drag & drop: requirements are generated from the safeguards of the 15th Supplementary Delivery and can be adapted if necessary, the safeguards are available as implementation hints, and the threats of the IT Baseline Protection Catalogue are modeled as additional threats.

New filter in the Modernized IT Baseline Protection View

The filter in the Modernized IT Baseline Protection View now allows you to search for implementation status and security level for requirements and safeguards.

User-defined modules, safeguards and threats

For each target object, user-defined modules, safeguards and threats can be created directly via the context menu (right mouse click):

Improvements for report queries

Report queries can now follow links in other scopes to include data from there:

In addition, some missing relations have been added and incorrect relations have been corrected, so that the data can now be used in queries and reports (e.g. relations between requirements and network components in the Modernized IT Baseline Protection).

RCP4 Migration

The verinice.TEAM has updated the development environment to a newer version to fix some operating system related problems (macOS X, Ubuntu Linux) and to ensure future security.

Only a few innovations that accompany this update are immediately recognizable for the users, the most obvious are:

The new environment allows the use of further design elements, e.g. tabs in the editor area:

In the editor area several views can now be opened one above the other, which can be helpful for some tasks in verinice.

ATTENTION: Due to the new framework an AUTOMATIC update from an older version to verinice 1.17 is impossible! Please note the description of updating manually to verinice 1.17: Update to verinice 1.17.

The new catalog view

The new catalog view is now used by default in the Modernized IT Baseline Protection and ISM/ISO perspectives. In the ISM/ISO perspective, the new catalog also replaces the old CSV catalog, which will be discontinued in the next verinice version.

Any .vna file can be loaded into the new catalog view as a read-only catalog, template, master, profile, etc:

In addition to the drag & drop modelling of the IT Baseline Protection Compendium components already introduced in verinice 1.16, all elements can now also be copied from the catalog view to the model view (tree) using the context menu (right mouse click) with or without links. When copying with links, unlike in the Model View, no links are copied back into the catalog, but only links between the copied objects themselves!

The Risk Analysis according to BSI Standard 200-3

In the Modernized IT Baseline Protection, the parameters/definitions for the risk analysis (probability of occurrence/damage impact matrix) can now be defined separately for each information network in a graphical user interface:

Definition of the frequency of occurrence:

Definition of the effect:

Definition of the risk categories:

Definition of the risk matrix:

The calculated risk values are reflected in the threats linked to the individual target objects:

For requirements or safeguards, you can define whether they reduce a risk and what effect they have.

The safeguard strength reduces either the frequency of occurrence or the impact to a lower value. The risk itself is calculated on the basis of the defined risk matrix and cannot be changed directly.

If several requirements/safeguards are linked that result in a risk reduction, the risk is set to the lowest value with regard to frequency of occurrence or impact (minimum principle).

If safeguards are used explicitly, the strength of the safeguard can be inherited from the safeguard to the requirement:
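The calculation described in this section, as an added example that is not verinice's own code: a small Python model of the configurable risk matrix, the safeguard reductions, the inheritance of safeguard strength to a requirement, and the minimum principle. The scale names follow the BSI 200-3 defaults; the matrix values, the assumption that a safeguard names the lower value it brings one dimension down to, and all threat and safeguard objects are constructed for the example.

```python
"""BSI 200-3 style risk calculation: frequency and impact are looked up in a
configurable risk matrix, linked safeguards lower one of the two dimensions,
and several reductions combine by the minimum principle.
Added illustration, not verinice code; the matrix and all objects are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

# Ordered scales, index 0 = lowest value. verinice lets you redefine these per
# information network; here they are fixed for the example.
FREQUENCY = ("rare", "medium", "frequent", "very frequent")
IMPACT = ("negligible", "limited", "considerable", "existential")
RISK = ("low", "medium", "high", "very high")

# Constructed matrix: RISK_MATRIX[frequency_index][impact_index] -> risk category
RISK_MATRIX = (
    ("low", "low", "low", "medium"),               # rare
    ("low", "low", "medium", "high"),              # medium
    ("low", "medium", "high", "very high"),        # frequent
    ("medium", "high", "very high", "very high"),  # very frequent
)


@dataclass(frozen=True)
class Safeguard:
    """Modelling assumption: a risk-reducing safeguard names the dimension it
    acts on and the lower value it brings that dimension down to."""
    name: str
    reduces: str    # "frequency" or "impact"
    to_value: str   # a value of FREQUENCY or IMPACT


@dataclass(frozen=True)
class Requirement:
    """A requirement inherits its strength from the safeguards linked to it."""
    name: str
    safeguards: Tuple[Safeguard, ...] = ()


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: str   # gross value, before any safeguard
    impact: str


def validate_matrix(matrix=RISK_MATRIX) -> List[str]:
    """Checks worth running on a matrix defined in the GUI: every cell is a
    known category, and the risk never drops when frequency or impact rises.
    Returns a list of findings (empty list = matrix is consistent)."""
    findings = []
    for f, row in enumerate(matrix):
        for i, cell in enumerate(row):
            if cell not in RISK:
                findings.append(f"unknown category {cell!r} at [{f}][{i}]")
                continue
            if i > 0 and RISK.index(cell) < RISK.index(row[i - 1]):
                findings.append(f"risk drops with higher impact at [{f}][{i}]")
            if f > 0 and RISK.index(cell) < RISK.index(matrix[f - 1][i]):
                findings.append(f"risk drops with higher frequency at [{f}][{i}]")
    return findings


def lookup_risk(frequency: str, impact: str) -> str:
    # tuple.index raises ValueError for values outside the defined scales
    return RISK_MATRIX[FREQUENCY.index(frequency)][IMPACT.index(impact)]


def _flatten(linked: Iterable[Union[Safeguard, Requirement]]):
    for item in linked:
        if isinstance(item, Requirement):
            yield from item.safeguards   # strength inherited from its safeguards
        else:
            yield item


def net_values(threat: Threat, linked=()) -> Tuple[str, str]:
    """Minimum principle: per dimension, the lowest of the gross value and of
    all linked reductions. A safeguard can never raise a value."""
    freq = FREQUENCY.index(threat.frequency)
    imp = IMPACT.index(threat.impact)
    for sg in _flatten(linked):
        if sg.reduces == "frequency":
            freq = min(freq, FREQUENCY.index(sg.to_value))
        elif sg.reduces == "impact":
            imp = min(imp, IMPACT.index(sg.to_value))
        else:
            raise ValueError(f"{sg.name}: unknown dimension {sg.reduces!r}")
    return FREQUENCY[freq], IMPACT[imp]


def calculate_risk(threat: Threat, linked=()) -> dict:
    """Gross risk (no safeguards) next to net risk (with safeguards); both are
    read from the matrix and never set directly."""
    nf, ni = net_values(threat, linked)
    return {
        "gross": lookup_risk(threat.frequency, threat.impact),
        "net_frequency": nf,
        "net_impact": ni,
        "net": lookup_risk(nf, ni),
    }


if __name__ == "__main__":
    assert not validate_matrix()
    malware = Threat("malware on file server", "frequent", "considerable")
    av = Safeguard("anti-malware", "frequency", "medium")
    backups = Requirement("regular backups", (Safeguard("offline backup", "impact", "limited"),))
    print(calculate_risk(malware))                # gross only
    print(calculate_risk(malware, [av, backups]))  # net after the minimum principle
```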

AD Interface and Task Workflow in the Modernized IT Baseline Protection

verinice 1.17 now also supports the connection to an Active Directory for the Modernized IT Baseline Protection and enables the task workflow for the creation of tasks, e.g. for the implementation of requirements or safeguards.

More

With verinice 1.17 the verinice.TEAM releases more than 70 further detail improvements and fixes various minor bugs:

  • Bug fixes and minor improvements in the bulk editor.
  • In the web frontend, the behavior of different elements has been improved, in case the approval process is activated in the task workflow.
  • The email link for notifications in the task workflow has been corrected.
  • The default memory for verinice was adapted to current systems and increased to 4 GB for the client and 16 GB for the server.

Security note

Please note that verinice 1.17 migrates all information networks created in the Modernized IT Baseline Protection at the first start due to the changes of the modeling.

Please create a backup of all data before the first start!

Security notes for verinice.PRO administrators

New actions

  • BSIMOD/F/Edit risk configuration, Action-ID: editriskconfiguration

Changed Property Files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_de].properties

Codename: Agger

Release date: 17th April 2018

verinice and verinice.PRO version 1.16 are available in the verinice.SHOP and the update repository.

Attention: As an administrator of a new verinice.PRO server, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

General Data Protection Regulation (GDPR) in verinice

verinice 1.16 supports the documentation required by the GDPR, including the processing activities, technical and organisational measures and contracted data processing.

Optimizations in the new IT-Baseline Protection

Implementation status

The implementation status has been improved. Now it works in the same way as in the old ITBP perspective. The status is indicated by icons (yes, no, partially, na, unedited). In addition to the display in the tree structure of the View Modernized IT-Grundschutz, the status is also displayed in the links (link makers) and in the tab area of the object editor.

(Screenshot in German only due to the fact that the IT Baseline Protection Compendium is only available in German!)

Identifier

The "Identifier" field indicates requirements, measures and hazards for links in the link maker. This makes it easier to identify which target object or objects mentioned above are linked to each other.

ITBP Compendium

The IT Baseline Protection (ITBP) Compendium has been optimized for verinice and minor changes by the BSI have been added. A new version of the ITBP Compendium is available for download in the update repository or on the verinice website.

New object types

In order to support the various tasks of documentation, three new object types (documents, records, incidents) have been added to the perspective IT Baseline Protection.

Context for report queries

The creation of report queries has been improved in verinice 1.16 by adding context to all elements. For each element, the perspective it is used in is now displayed (ISM, ITBP old, ITBP new, ...). Additionally, the object's ID as defined in the SNCA.xml is displayed, which makes it easier to distinguish e.g. object groups from the objects themselves.

RPMs for RHEL 7 / CentOS 7

verinice.PRO can now be installed on servers with Red Hat Enterprise Linux (RHEL) 7 and CentOS 7. RPM packages for RHEL 6 and CentOS 6 as well as for the new version 7 are available in two repositories. The verinice.TEAM recommends installing RHEL 7 or CentOS 7 on any new verinice.PRO server. Red Hat supports RHEL 6 until 2020. We have not yet decided how long packages for RHEL 6 and CentOS 6 will be provided. The end of support for these versions will be announced in advance.

Security notes for verinice.PRO administrators

New action ID

New action ID in user rights:

  • ISM/F/Migrate to GDPR, Action-ID: migrate_data_protection

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_de].properties

Codename: Miyazaki

Release date: 1st February 2018

verinice and verinice.PRO version 1.15 are available in the verinice.SHOP and the update repository.

Attention: Administrators of verinice.PRO servers, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

New IT Baseline Protection

verinice 1.15 is the first iteration of the New IT Baseline Protection according to the BSI Standards 200-1, 200-2 and 200-3.

To implement the new standards, the data model has been extended extensively and future-proofed; all new object types required by the New IT Baseline Protection are available.

The graphical user interface has been extended with the new perspective New IT Baseline Protection and the new views IT Baseline Protection Model and IT Baseline Protection Compendium.

The IT Baseline Protection Compendium is available as a verinice XML file (.vna) for import into the new view IT Baseline Protection Compendium. Remark: So far the IT Baseline Protection Compendium is only available in German!

Information networks can be modelled following the basic, standard or core protection.

The reference documents A.1 to A.4 are available as report templates.

Prospect

The verinice.TEAM will continue to implement the New IT Baseline Protection and release additional verinice versions in 2018 adding further concretisations provided by the BSI. This includes the risk management and especially the migration from the old IT Baseline Protection Catalogue to the New IT Baseline Protection Compendium.

The EU GDPR in verinice

verinice 1.15 lays the foundations for the EU GDPR and the use of the enhanced data privacy module, which will soon be available for download in the verinice.SHOP or in the update repository. The verinice module will support the mapping of the directory of processing activities and the contract data processing. Until May, extensions are planned for the privacy module so that risk management for data privacy and the data privacy impact assessment can be done with verinice.

Improvements and bug fixes

The verinice.TEAM has addressed various further issues in verinice 1.15, including bugfixes and smaller changes based on customer requests that improve the overall performance and usability. In addition, certain improvements to the overall security have been implemented.

The most significant ones are:

  • The search functionality has been improved by fixing various bugs. Search and indexing are more stable now in borderline cases.
  • The use of report queries generated in verinice has been improved when working with the v.Designer. vlt files can be loaded in the v.Designer and may be used as data sets directly.
  • In the webfrontend the behaviour of various elements has been improved:
    • Multi-select fields are now displayed correctly.
    • Dependent fields are now displayed correctly.
  • By improving the verinice.REST-interface the connection of external systems has been made easier (KIX).

Security notes for verinice.PRO administrators

New Java version

With verinice 1.15 the verinice server requires Java 1.8.

Changed property files

SNCA.xml, snca-messages.properties, snca-messages_de.properties:

  • Extensive changes for the new IT-Baseline-Protection

Database changes

Table properties:

  • Changed data type of column propertyvalue for the Derby database, type: CLOB (Derby)

New actions

  • BSIMOD/F/Add BSI element, Action-ID: addbpelement 
  • BSIMOD/F/Add BSI group, Action-ID: addbpgroup 
  • BSIMOD/F/Add BSI information network, Action-ID: additnetwork 
  • BSIMOD/F/Delete catalog, Action-ID: catalogdelete 
  • BSIMOD/F/Catalog import, Action-ID: catalogimport 
  • BSIMOD/F/Model modernized base protection, Action-ID: baseprotectionmodeling 
  • BSIMOD/V/IT-Baseline-Compendium, Action-ID: catalogview 
  • BSIMOD/V/Modernized BSI Model View, Action-ID: baseprotectionview

verinice Codename: Acapulco

Release Date: 10th July 2017

As of today verinice 1.14 is available for download in the verinice.SHOP and in the verinice.PRO download repository.

CAUTION: As an administrator of a verinice.PRO server please regard the security notice at the end of these release notes!

Webfrontend

verinice.PRO users will find the webfrontend in verinice 1.14 in a new look and feel. The appearance has been reworked completely; usage is far more convenient thanks to the high-contrast and sleek user interface. In addition, the webfrontend received various internal improvements related to security, e.g. complete support of access rights. Access can be provided by deep links to any verinice user, and an explicit logout function has been implemented.

The new responsive template enables comfortable use of the webfrontend on mobile devices. The new webfrontend is an investment into the future and fundament for a variety of new features.


Graphical Analysis

The first and most palpable feature implemented in the new webfrontend is the graphical presentation of the implementation status for ISO controls and IT-Baseline Protection safeguards regarding one or all organisations/scopes. Users can provide their management with the current status of the ISMS anytime and in real time. Especially in larger installations with various organisations/scopes, the implementation status is displayed in identical scales to allow direct comparison.

The graphical presentation in the webfrontend gives way to a new and important aspect: visualization of information security and presentation of specific issues in real time. Together with the new reporting technology that was introduced with verinice 1.13 and receives further improvements with version 1.14, verinice continues to ease the daily work challenges of CISOs and provides an easy way to report the results and success of their work.


License management

In order to have access to all details and descriptions in information security standards, e.g. ISO, verinice 1.14 now provides the complete standard including any content that is subject to license. Get rid of studying large documents in paper form and error-prone manual data entry: the original content can be provided to each user as needed.

The new license management in verinice 1.14 guarantees organisation-wide compliance with license regulations in information security. Licensing is possible per user per year and therefore enables efficient allocation of resources and expenses. Licenses for available content can be purchased at short notice in the verinice.SHOP.

CAUTION: Due to licensing restrictions, any license in verinice covers usage and display in verinice only! The original documents are not distributed in paper form or any other digital form outside of verinice.

Risk Analysis

When running a risk analysis in the ISMS perspective users can now select for which organisation/scope the calculation shall be performed. This reduces the time for analysis significantly which is especially helpful in installations with many organisations. A dialog now confirms when the risk analysis has been finished successfully.


Report Repository Clean-Up

With the query builder introduced in verinice 1.13, user-specific report templates can be generated fast and easily. In verinice 1.14 older and no longer used report templates have been discontinued to aid clarity in the report repository. The verinice.TEAM will continue to switch other older report templates to the new report technology in order to increase the performance when creating reports.

Improvements to the In-Memory Query Wizard and v.Designer

The query assistant has been further improved; in verinice 1.14 queries can now run over data for all organisations and scopes. The connectivity between verinice and v.Designer has been optimized to improve the creation of user-specific report templates based on data sets in verinice.PRO as well as in the standalone version.

The interface to the database has been extended in order to simplify usage of user specific datafields.
The v.Designer is available for all verinice.PRO users in the download repository. Users of the standalone version can purchase the v.Designer in the verinice.SHOP.

Discontinuation of the deprecated data privacy view

Due to the upcoming GDPR, the old data privacy view will be discontinued with verinice 1.15 and should not be used anymore. For new data privacy projects the verinice.TEAM offers a special module/catalogue. This module is at present only available in German and according to German legislation (interpretation of the GDPR). Users from other countries may contact the verinice.TEAM to adapt the module to their country's regulations.

Improvements and Bug Fixes

The verinice.TEAM has addressed various issues in verinice 1.14, including bugfixes and smaller changes based on customer requests that improve the overall performance and usability. In addition, certain improvements to the overall security have been implemented.

Security notice for verinice.PRO administrators

Changed property files

veriniceserver/WEB-INF/web.xml

File veriniceserver-security-web.xml has been deleted.

veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]

  • New: veriniceserver.risk.calculation.method=ADDITION
  • New: veriniceserver.object.limit=10000 (a limit on how many elements can be loaded at once; set -1 to disable the limit)
  • veriniceserver.grundschutzKataloge=/WEB-INF/it-grundschutz_el15_html_de.zip

SNCA.xml, snca-messages.properties, snca-messages_de.properties

veriniceserver/WEB-INF/verinice-ldap.properties

  • New: ldap.search.user=
  • New: ldap.search.password=

veriniceserver/WEB-INF/verinice-auth-default.xml

Changes to the database

Table properties:

  • New column: licenseContentId, type: varchar(255)
  • New column: limitedLicense, type: boolean (PostgreSQL), smallint (Derby)

Codename: Sylt

Release date: 19th December 2016

Version 1.13.1 of verinice and verinice.PRO is now available for download.

CAUTION: As a verinice.PRO server administrator please regard the change log at the end of these release notes.

Business-Impact-Analysis according to BSI-Standard 100-4

The Business-Impact-Analysis according to the Baseline-Security-Standard 100-4 is now an integral part of verinice. This BIA provides all required information regarding critical business processes and resources. It complements the BSI-Risk-Analysis according to BSI-Standard 100-3, that provides all required information regarding existing risks against which your organisation should be safeguarded.

Optimised Query-Builder

The Query-Builder got a new and way more intuitive graphical user interface. Select any row and move or delete it directly.

In the query results, cells with repeating content, e.g. parent elements, are now filled. This enables better sorting and filtering in spreadsheet tools.

To enable you to link various objects in different tables in the report designer (data cubes), the query builder now supports the export of database IDs (such as scope IDs, parent IDs and UUIDs).

Additionally the verinice.TEAM has implemented various improvements that simplify the use of the query builder in general.

Query-Builder for Datasets in the verinice Report-Designer

With verinice 1.13.1 the Query-Builder including its graphical user interface is available in the verinice report designer. 

This enables you to create your own datasets intuitively using the Query-Builder and to present data in a variety of charts, spreadsheets and other elements. Provide your resulting report templates to all users or specific user groups and enable them to create standardised one-click reports in your organisation's layout and style.

Link table reports can now be created, stored and loaded in both verinice and the report designer. One base for a broad range of use!

The verinice.TEAM will convert selected report templates to the new technology on base of the Query-Builder shortly and speed up the creation of these reports significantly.

On top of this the v.Designer including the new Query-Builder GUI is now available as a standalone add-on for the verinice-client and can be purchased in the verinice shop. This gives all users of the standalone version the option to easily create their own reports based on their own data including any customizing.

Displaying net risk values

In links between assets and scenarios in the ISMS perspective, verinice 1.13.1 now shows the calculated net risk values (risks with implemented controls) in addition to the gross risk values (risks without implemented controls). This presentation enables a better comparison and evaluation of specific risks according to ISO 27005 while working with assets and scenarios in verinice.

The net risk values are available for output via Query-Builder of course.

Risk treatment method

The risk treatment method can be selected and documented likewise for each combination of asset and scenario in the link maker. You can choose accept, transfer, avoid, and modify as risk treatment method according to ISO 27005.

Again the risk treatment method is available for output via Query-Builder.

Release process for workflow tasks

The task workflow has been extended by a release process that can be activated optionally. Any changes in objects related to a certain task will only be saved when the originator of that task approves the change.

Changes may be rejected and can be reassigned to the same or any other person. To support your decision about an approval all changes can be compared with the original values in a dialogue.

Bug-fixes and smaller changes

The verinice.TEAM has addressed various further issues in verinice 1.13.1, including bug-fixes and smaller changes based on customer requests that improve the overall performance and usability.

Changed Property Files

Extensions for Data Security, BSI-BIA 100-4 and PCI DSS

  • SNCA.xml
  • snca-messages.properties
  • snca-messages_de.properties

Extensions for the Update Process

New in veriniceserver/WEB-INF/web.xml

  • classpath:sernet/gs/server/spring/veriniceserver-updatenews-dummy.xml

New user rights

New Action-ID: taskwithreleaseprocess (ALL/F/ Enable release process) in:

  • verinice-auth-default.xml
  • verinice-auth-messages.properties
  • verinice-auth-messages_de.properties

Changes to the database

New columns in Table cnalink:

  • riskConfidentialityWithControls
  • riskIntegrityWithControls
  • riskAvailabilityWithControls
  • riskTreatment

Security Notice for verinice.PRO administrators

In previous versions of verinice the default profile for "scope-only" administrators included the permission to change access rights and user profiles. Since this allows a scope-only administrator to escalate his/her privileges by changing his/her own profile, we have removed this right and some others from the default profile.

If you have used this profile without changing it, these changes will become active automatically. If however you have made changes or created your own profiles based on this preset, you will have to remove the questionable actions from these profiles yourself.

The list of actions we have removed from the scope-only administrator is:

  • Change account settings
  • Edit userprofiles
  • GSTOOL notes import
  • GSTOOL import
  • LDAP import
  • Show all tasks

Changed configuration files

Easier configuration for Greenbone Security Manager (GSM) import

  • veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]
    • New: veriniceserver.gsmGenerator.enabled=false
    • New: veriniceserver.gsmGenerator.cron=0 5 3 * * ?
    • No longer supported MySQL properties were removed

Various additions, especially for German privacy law and KIX integration:

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties

Additional security for server services

  • veriniceserver/WEB-INF/web.xml

ElasticSearch configuration

  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_de.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_en.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/mapping.json

Account profiles

  • veriniceserver/WEB-INF/verinice-auth-default.xml

LDAP authentication

  • veriniceserver/WEB-INF/verinice-ldap.properties

Codename: Sylt

Release Date: 12th October 2016

We are proud to present version 1.13 of verinice and verinice.PRO which are now available for download. Starting with this version, the verinice client has to be purchased at the verinice.SHOP. 

CAUTION: As a verinice.PRO server administrator, please regard the security notice at the end of these release notes.

Link-Table-Reports: The In-Memory Query Builder

Our new query assistant enables you to query your data directly from the verinice client. Let's say you need a list of interrelated security controls from different standards. No problem. Or maybe you need a list of assets with risk scenarios and responsible personnel? Also created with just a few mouse clicks.

For every object you can determine exactly which fields to extract.

All queries can be saved as CSV files and opened in Microsoft Excel or LibreOffice Calc for further editing. Using the familiar functions of your spreadsheet application you can sort, filter or create charts based on the data.

The best part: even queries over thousands of objects and complex structures run lightning fast and are usually completed in a matter of seconds.

This is achieved by using an in-memory query mechanism created especially for this purpose: every query created by the user is translated into our own "verinice Query Language" (VQL). This query is translated into a graph model that loads just those elements of the database that are required to answer the query. The actual query is then run in memory and the result table saved to disk.

Improved security features

We introduced additional security measures in different places.

Encrypted database exports in the VNA format now each have an individual salt value to thwart dictionary attacks. In previous versions the same salt was used for all files. Due to this change, encrypted exports made with verinice 1.13 cannot be imported in older versions of verinice.
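The per-file salt change described above, as an added example that is not verinice's own code. The real VNA cipher and key-derivation parameters are not stated on this page, so PBKDF2-HMAC-SHA256 and the shared salt value are stand-ins and the exports are constructed; the point is the reuse check over a batch of exports and the difference in derivation work between a shared and a per-file salt.

```python
"""Shared salt (before verinice 1.13) versus a fresh salt per encrypted .vna
export (since 1.13). Added illustration, not verinice code: the KDF, the
legacy salt value and the exports are assumptions constructed for it."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

KDF_ITERATIONS = 20_000   # deliberately small so the demonstration runs quickly
SALT_BYTES = 16

# Stand-in for the pre-1.13 behaviour: one salt value shared by every export.
# Placeholder bytes, not the value verinice actually used.
LEGACY_SHARED_SALT = b"constructed-shared-salt"


@dataclass(frozen=True)
class EncryptedExport:
    """Only the salt stored with the file and a check value derived from the
    key matter here; key_check stands in for the encrypted body."""
    filename: str
    salt: bytes
    key_check: bytes


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key. PBKDF2-HMAC-SHA256 is an assumption, not the VNA KDF."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def _build(filename: str, passphrase: str, salt: bytes) -> EncryptedExport:
    key = derive_key(passphrase, salt)
    return EncryptedExport(filename, salt, hashlib.sha256(key).digest())


def export_before_1_13(filename: str, passphrase: str) -> EncryptedExport:
    """Old scheme: the same salt for all files, so same passphrase -> same key."""
    return _build(filename, passphrase, LEGACY_SHARED_SALT)


def export_since_1_13(filename: str, passphrase: str) -> EncryptedExport:
    """New scheme: a fresh random salt per export, stored alongside it."""
    return _build(filename, passphrase, os.urandom(SALT_BYTES))


def reused_salts(exports: Iterable[EncryptedExport]) -> Dict[bytes, List[str]]:
    """Check a batch of exports for salt reuse: maps each salt that occurs more
    than once to the files sharing it (empty dict = no reuse found)."""
    by_salt: Dict[bytes, List[str]] = {}
    for e in exports:
        by_salt.setdefault(e.salt, []).append(e.filename)
    return {s: names for s, names in by_salt.items() if len(names) > 1}


def distinct_keys(passphrase: str, exports: Iterable[EncryptedExport]) -> int:
    """How many different keys one passphrase yields across the exports.
    1 means a single derivation covers every file."""
    return len({derive_key(passphrase, e.salt) for e in exports})


def kdf_work(candidate_count: int, exports: Iterable[EncryptedExport]) -> int:
    """KDF evaluations needed to try candidate_count guesses against all
    exports: one per guess and per distinct salt. Per-file salts multiply the
    work by the number of files, which is what thwarts a precomputed dictionary."""
    return candidate_count * len({e.salt for e in exports})


if __name__ == "__main__":
    names = ["itnetwork.vna", "isms.vna", "privacy.vna"]
    old = [export_before_1_13(n, "correct horse") for n in names]
    new = [export_since_1_13(n, "correct horse") for n in names]
    print("old salt reuse:", reused_salts(old))   # all three files share one salt
    print("new salt reuse:", reused_salts(new))   # {}
    print("work for 1000 guesses, old vs new:", kdf_work(1000, old), kdf_work(1000, new))
```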

Report creation has been moved into a sandbox that limits the possible actions of report templates. This mechanism can be turned off if you have individually created templates that would conflict with the new stricter guidelines. Since report templates can contain potentially malicious code segments (much like macros in MS Word documents) you should not turn off this additional security mechanism, especially if you want to use report templates from third parties.

verinice.PRO received an additional security layer that compares the use of services with the user profile and prevents forbidden actions.

Search View: Drag and Drop

Objects in search results can now be used for drag and drop operations. You can select multiple objects at the same time. For instance, you could search for risk scenarios regarding "compliance", chose the ones you want and link them to a relevant asset immediately.

Copying attachments with objects

When copying objects in the tree view by copy and paste you can now choose to make copies of all attached files as well. This behaviour can be toggled in the preferences.

verinice.PRO: New REST Web Service

A new REST API allows network based access to the verinice database for third party applications. This enables a lot of opportunities to integrate verinice.PRO with other software tools. Of course all access over this new interface is subject to all existing security restrictions.

verinice.PRO: Cooperation with KIX4OTRS

We have teamed up with c.a.p.e. IT to bring ISMS and ITSM together. Newly created database properties allow objects to link to OTRS tickets. The KIX workflow state can be transferred to verinice and changes to verinice objects can be made directly in the OTRS ticket. Changes will be written to the verinice database when a ticket is completed.

You can also import configuration items from your ITSM into verinice as additional assets. To talk about your individual demands both SerNet and C.A.P.E. IT are standing by to offer their assistance.

verinice.PRO: Easier configuration for Greenbone GSM

It is now easier to connect to a Greenbone / OpenVAS vulnerability scanner. You can use the special verinice vulnerability management workflow to aggregate and assign vulnerabilities to responsible personnel. You can also use any detected vulnerabilities and hardware assets in your risk assessments.

All configuration settings for this have been moved to the default configuration file. You can find more information in the corresponding documentation.

verinice.PRO: AD-/LDAP-Authentication Support for Account Groups

When using Active Directory or LDAP for user authentication, verinice.PRO now supports querying accounts in different subtrees of the directory.

Relations between IT Baseline Protection View and ISM View

You can now create relations between the ISM-view and the IT-baseline view by drag and drop.

User defined modules: Drag and Drop

You can now add controls and scenarios to user-defined modules in the IT-baseline-view simply by dragging them there from the IT-baseline catalogue.

Risk Analysis (IT Baseline Protection): copy and paste

You can now copy and paste risk analysis objects in the IT Baseline Protection view.

GSTOOL Import

The import from the former GSTOOL (provided by the German BSI) database has been improved to correct IDs and criticality levels when importing IT Baseline Protection modules and network connections.

Changes for privacy regulation

Some changes were made regarding the fields for German privacy law. We will further develop this feature to include the European General Data Protection Regulation.

Quality of Life Improvements

We fixed over 100 bugs and introduced small improvements in this version based on feedback from our users. Amongst other changes, the account groups view now has an additional button to allow direct editing of accounts and sorting of special characters such as German umlauts has been improved both in the UI and in reports. The ISM Risk Analysis now calculates and saves all values even if the executing user does not have write permissions for some linked objects.

Security Notice for verinice.PRO administrators

In previous versions of verinice the default profile for "scope-only" administrators included the permission to change access rights and user profiles. Since this allows a scope-only administrator to escalate his/her privileges by changing his/her own profile, we have removed this right and some others from the default profile.

If you have used this profile without changing it, these changes will become active automatically. If however you have made changes or created your own profiles based on this preset, you will have to remove the questionable actions from these profiles yourself.

The list of actions we have removed from the scope-only administrator is:

  • Change account settings
  • Edit userprofiles
  • GSTOOL notes import
  • GSTOOL import
  • LDAP import
  • Show all tasks

Changed configuration files

Easier configuration for Greenbone Security Manager (GSM) import

  • veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]
    • New: veriniceserver.gsmGenerator.enabled=false
    • New: veriniceserver.gsmGenerator.cron=0 5 3 * * ?
    • Properties for MySQL, which is no longer supported, were removed

Various additions, especially for German privacy law and KIX integration

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties

Additional security for server services

  • veriniceserver/WEB-INF/web.xml

ElasticSearch configuration

  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_de.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_en.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/mapping.json

Account profiles

  • veriniceserver/WEB-INF/verinice-auth-default.xml

LDAP authentication

  • veriniceserver/WEB-INF/verinice-ldap.properties

Codename: Piha

Release Date: 17th February 2016

We are proud to present version 1.12 of verinice and verinice.PRO which are now available for download. This version contains the following updates and improvements.

New Greenbone-GSM perspective

A new perspective introduces new users to the benefits of combining the Greenbone GSM (OpenVAS) vulnerability scanner with verinice. Two new tutorials take you through the process step by step and show how you can import the results of a scan into verinice.

In the IT baseline protection view the scan speeds up the necessary steps: the inventory can be updated with systems found during the scan. Fitting modules can be selected based on the software identified by the scan. And finally the implementation status of technical controls can be set based on the scan results as well. This gives you a detailed view of the implementation of information security controls on each individual system, based on our extensive IT-baseline control catalogue which is included in verinice for free.

verinice.PRO: increased speed for full text search in AD environments

We have increased the performance of our full text search engine in environments where verinice.PRO is being used with Active Directory- or LDAP-authentication.

Our transparent software manufacture (GIT migration)

Our source code is and will always be open source. Now our development has become even more transparent. From now on our entire development work is also visible on Github. If you want to watch our team at work you can now do so in the verinice repository.

For instance, all changes will be listed in detail on this page: https://github.com/SerNet/verinice/commits/develop

For non-techies, the graphical reports may be more interesting. For example, the diagram showing branches in the source code during development

Even more GSTOOL Import

We have made further improvements for previous users of the now officially deprecated German "GSTOOL": you can now also import user-defined object types.

Risk analysis for German standard 100-3

We have improved the wizard dialogue for users who are doing their risk analysis with the German standard BSI 100-3.

If you are conducting your risk analysis in the ISM perspective based on international standards such as ISO/IEC 27005 you are not affected by this change.

VNA export of risk analysis based on German standard BSI 100-3

All risk analyses that are conducted in the IT-baseline perspective according to the German standard BSI 100-3 are now included in exports to VNA files.

If you are conducting your risk analysis in the ISM perspective based on international standards such as ISO/IEC 27005 you are not affected by this change. Your objects were always fully included in the VNA exports.

IT-baseline protection perspective: all reference fields now included in VNA export

For users of the German IT-baseline perspective: all references to persons are now also included in the VNA export file. Previously only relations made using the relation view were exported. Now the (older) form fields with references to persons are included as well.

If you are working in the ISM perspective you are not affected by this change. All references here are made using real relations between objects and were always included in the VNA export.

Bugfixes and smaller changes

We have addressed more than 80 issues for this release, here's a list of the noteworthy changes:

  • Fixed a bug that led to the IT-baseline model not loading after startup.
  • Fixed a bug introduced in V 1.11 that allowed relations to be created in the wrong direction (i.e. "document is author of person"). Updating to version 1.12 removes this possibility and will automatically repair relations that have been created incorrectly by changing the direction if needed.
  • The verinice client now uses the Oracle Java Runtime Environment 8.
  • IT-baseline catalogues are now loaded independent of the catalogue view being open.
  • Read and write permissions on newly created IT-baseline risk analysis are now correctly taken from the parent object.
  • LTR-report (a dataset that can be used in the vDesigner): threw an exception if only one top-level element was present, fixed.
  • LTR-report (a dataset that can be used in the vDesigner): now uses all relation types when none are explicitly given.
  • New splash screen and new icons.
  • The validation view now sorts all elements correctly and updates itself on global refresh.
  • The search index could be started multiple times simultaneously, fixed.
  • The attachment file size was not saved when importing using the web service, fixed.
  • The property field for file-size is now read-only.
  • File view: the initial state of the button "link to editor" was wrong, fixed.
  • The ISA-consolidator was transferring the target maturity of all controls, fixed.
  • User profiles: deactivating the search function now also deactivates the toolbar button and the corresponding menu item.
  • URLs to verinice web-pages on the welcome screen have been corrected.
  • All IT-baseline elements now have an additional validation rule: title must not be empty.
  • Editors of deleted elements are now always closed.
  • The password dialogue now checks for invalid characters in passwords.
  • Data for the account-groups dialogue is now loaded in a background job.
  • Relations in the selection drop-down box are now sorted alphabetically.

Update notes

Changed properties

  • veriniceserver-plain.properties[.default|.local]
    • veriniceserver.gsmGenerator.enabled=false
    • veriniceserver.gsmGenerator.cron=0 5 3 * * ?
  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver-plain.xml
  • veriniceserver-jbpm.xml

Database changes

  • Column "Beschreibung" in table OwnGefaehrdung is changed to a length of 32672 (Derby), 400000 (PostgreSQL) or 4000 (Oracle) characters.
  • Column "Description" in table Risikomassnahme is changed to a length of 32672 (Derby), 400000 (PostgreSQL) or 4000 (Oracle) characters.
  • Database migration: because of bug VN-1280 (http://bob.sernet.private:8180/browse/VN-1280), existing databases may contain corrupt links. A database migration (new version: 1.03D) has been written for this. It is performed when updating to the new client version and can lead to longer start-up times, depending on the size of the database, since all existing links are checked for correctness (direction).

Codename: Sandy Beach

Release date: 28th August 2015

Full-text search

Starting with version 1.11 verinice and verinice.PRO have a search function, allowing users to find objects in mere seconds. The entire database is continuously indexed to ensure superb performance even with large databases. verinice uses the open source search engine Elasticsearch, which is also used by Wikimedia among others, and has fully integrated it into verinice and verinice.PRO.

The search is displayed in a new view, which can be opened multiple times, so several searches can be carried out in parallel and their results compared.

Note: To achieve the best indexing possible the language setting of the verinice.PRO server or of the verinice standalone clients should match the language of the information entered by the user.

Free Column Selection

The columns included in the search view can be customized. Additionally, verinice now remembers the user-specific configuration of the displayed fields.

CSV export

The displayed search results can be exported as a CSV file. This allows lists of found objects to be evaluated further in Excel or LibreOffice.

GSTOOL Import

The verinice.TEAM has carried out numerous and extensive improvements to the GSTOOL import. Many fields have been completed and the list of subtypes has been extended so that all information networks from the last available versions of GSTOOL and its supplementary deliveries can be taken over. GSTOOL is the official but now deprecated software tool published by the German BSI for its IT-Baseline standard.

Support for large GSTOOL databases

Some of the largest GSTOOL databases in Germany already have been transferred with verinice, each consisting of hundreds of individual scopes. Thanks to significant improvements in speed and memory usage verinice now accepts even those GSTOOL databases (with sizes of 1 gigabyte and more) in "one go". All targets are correctly allocated to the relevant scopes. Modules and module references are applied correctly. verinice even handles rare cases that cause other tools to stumble.

Risk Analysis acc. to BSI 100-3

Starting with version 1.11 verinice is able to completely convert the "Additional security analysis" as well as the risk analysis according to BSI 100-3 from the GSTOOL to verinice.

All measures and risks are transferred. All intermediate steps are imported properly into the verinice wizard for risk analysis according to BSI 100-3. This way every single step of the imported risk analysis can be retraced later and edited again at any time: the threat summary, the risk assessment and the risk treatment.

Maintaining the individual intermediate steps is mandatory for creating a standards-compliant A.6 report. verinice creates this report from the imported data at the push of a button.

Orphans

verinice now correctly handles the case where, during the import, an asset is not associated with any scope but is referenced by other assets. In this case, all objects and the relations between them are mapped correctly in order to ensure protection needs inheritance and all other mechanisms.

Linked persons

All measures and modules linked to persons (interviewers, interviewees, project managers...) are correctly taken over as references in verinice.

New Report Template

A new template simplifies the creation of reports with linked elements in the vDesigner.

VDA ISA Version 2.1.3

verinice now contains the updated version 2.1.3 of the VDA ISA questionnaire.

Object Browser

The Object Browser now responds to the selection of links, which makes navigating interrelated controls even easier.

OpenJDK 7 on the server

verinice.PRO now uses the RedHat supported OpenJDK 7.

Improvements and bug fixes

We added a variety of minor improvements and fixed bugs in various places in V 1.11. Worth mentioning are, for example:

  • The layout of the account groups view has been improved.
  • All title fields now have an optional validation rule, which marks untitled objects.
  • The dialog "New Link" now allows the desired link type to be selected directly.
  • The button "Multiuser" is now named "Server" to coincide with general wording.
  • When adding attachments verinice now remembers recently used folders.
  • GSM Import: scenarios and vulnerabilities that have been imported from OpenVAS or Greenbone GSM will now be marked in color depending on the severity.
  • Missing write permission on the report template folder will be noticed and displayed as an error message.
  • The ISA consolidator now no longer overwrites the ISA version number.
  • The Object Browser is now displayed in all perspectives by default.
  • The icon of view "Review plan" has been changed.
  • The package for Mac OS X now includes the most recent version of the Java Runtime Environment 7 by Oracle (Apple's Java 6 package still has to be installed, even though it's not used to execute verinice).

Update Notes

Changed properties

web.xml

  • classpath:sernet/gs/server/spring/veriniceserver-search-base.xml
  • classpath:sernet/gs/server/spring/veriniceserver-search.xml

veriniceserver-plain.properties[-default|local]

  • veriniceserver.search.index.directory=/WEB-INF/elasticsearch/
  • veriniceserver.search.indexingOnStartup=true

Further changed files

  • verinice-auth-default.xml, WEB-INF/verinice-auth-messages[_de].properties
  • springDispatcher-servlet.xml
  • veriniceserver-common.xml
  • veriniceserver-daos-common.xml
  • veriniceserver-plain.xml
  • veriniceserver-security.xml
  • veriniceserver-search*.xml (new)

Codename: Tres Palmas

Release date: 29th May 2015

Important note for the update: Due to the necessary data migration, the first launch of verinice clients after updating may take a bit longer than usual. Don't panic. For more information, see the section "Display of file size in the File View". Please also note the general indications regarding the update and the release notes.

IT Baseline Protection Catalogs in English

The full text of the IT Baseline Protection Catalogs published by the German Federal Office for Information Security (BSI) is now available in English. International teams in particular benefit from this, as it simplifies working with IT Baseline Protection significantly.

Users of the native ISO 27001:2013 can profit from the comprehensive catalog of risks and controls, too: in a risk assessment or a risk treatment the Baseline Protection Catalogs can be used as a database on specific topics like Windows or SAP.

All risks can be used as scenarios in an individual risk analysis as well. Simply drag-n-drop the desired risks or whole modules into the Risk Model.

The catalogs, containing more than 1,000 Baseline Protection Controls, also prove useful for risk treatment. As specific controls, they supplement the generic requirements of ISO/IEC 27002:2013. The controls can simply be dragged and dropped into the ISM Risk Model.

The English IT Baseline Protection Catalogs correspond to the 13th update from the BSI.

Thanks to our verinice.PARTNER Alexander von Ossowski for contributing the English archive of the IT Baseline Protection Catalogs and his ongoing support for the verinice project.  

VDA ISA 2.x Update

verinice V 1.10 fully supports the new edition of the IS-Assessment catalog published by the German Association of the Automotive Industry in version 2.x. Apart from the actual catalog, the method of calculating the averages and the "Total Security Figure" have been adjusted.

The issued report provides the radar chart indicating the level of maturity reached and the target level of maturity for each chapter, taking into account all the questions marked “NA".

Users of verinice are fully compliant with the VDA standard. Moreover, a consolidator allows assessment results originating from the VDA 1.x standard to be imported. Shifts of controls etc. are taken into account properly.

Display of file size in the File View

The File View now reveals the file size of each attachment. This accelerates, for example, the inevitable clean up of a growing database.

Note: After updating to V 1.10 the file size information is updated in the database. The update is triggered at the first connection of a verinice client to the database. Depending on the number of attachments this can take between a few seconds and several minutes to complete. We therefore recommend starting a client immediately after the server update, so the update is complete before the first regular user login. The operation is run only once.

Exclusive features of verinice.PRO

Single-Sign-On with Active Directory

On Windows clients verinice.PRO now supports Single-Sign-On: registered users can log in to verinice.PRO automatically. Re-entering the username and password is not required.

The previous login mechanism with renewed user and password input is still available as an option, e.g. if you want to work in verinice as a different user than the one logged in under Windows.

Import of individuals from AD in the basic protection view

When starting an AD import it is now possible to select whether the imported persons and accounts are created in the ISM or in the Baseline Protection model.

Optimization of the task view

The Task View has been improved: Tasks load faster and a detailed search allows you to find specific tasks. Tasks can be sorted by group, editor, process, task type, start and end date.

Improvements and bug fixes

Minor improvements and a variety of fixed bugs in various places round off V 1.10. Worth mentioning are, for example:

  • The full text of Baseline Protection Controls can now be viewed via the web front-end for tasks. This makes it easier to delegate the basic security check as well as control of the implementation.
  • The local report filing on the verinice client now works as intended.
  • The allocation of modules, users and target types when using the GSTOOL import has been corrected.
  • Inheritance of custom icons by child objects can now be switched on or off.
  • When moving objects, you can now select whether the permissions of the destination folder should be applied to the moved object.
  • Double-clicking an attachment in the file view now selects the associated object in the tree view.
  • The standard account view changed to: "Last name, first name [account]".
  • In account groups the complete list of all accounts is no longer displayed as before, but only those accounts that are not included in the selected group. This facilitates the search for non-associated accounts.
  • The customized file ("SNCA.xml") will no longer be moved during the update process and continues to be used. Attention: Please continue to follow the update instructions for dealing with configuration files!

Update Notes

Changed properties

Folder: WEB-INF

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
    Extension of the asset properties regarding the risk values with planned controls (all controls not marked "N.A.")
  • veriniceserver-plain.properties, veriniceserver-plain.properties.default

Folder: WEB-INF/classes/sernet/gs/server/spring

  • veriniceserver-common.xml
  • veriniceserver-jbpm.xml

Please see the notes Update von Konfigurationsdateien - we are currently working on an English translation.

Database changes

Migration to DB version 1.01 regarding the filesize property (see "Display of file size in the File View").

Announcement: verinice 1.11 coming soon

The verinice.TEAM expects to publish the next verinice version, V 1.11, shortly, presumably in two months.
An indexed full text search of all the elements in the database will be the most signifi

Codename: Tavarua

New in this release

As of now verinice 1.9 is available for download. The update at a glance:

  • VDA ISA Standard 2.0
    In verinice 1.9 the new IS-assessment Catalog of the Association of the Automotive Industry is implemented. The standard has been thoroughly revised and adjusted to the new requirements of the updated ISO 27001:2013.
    Thanks to a special unify function, existing levels of maturity can be transferred to the new chapter numbering. Existing assessment results can be reused, and users do not have to start from scratch. This should minimize the cost of the update and of the re-evaluation.
    All changes were made in close contact with the authors of the ISA catalog in the corresponding working group of the Association. Conformity to the questionnaire is 100% guaranteed.
  • Account Management (verinice.PRO)
    A completely new user and group management facilitates the creation and maintenance of the authorization concept. This comes in handy especially for a large number of verinice users and groups.
  • Report Repository (verinice.PRO)
    verinice 1.9 comes with a newly introduced central report repository. This makes reports generated with the vDesigner available to all users of a verinice.PRO server. The central report repository is synchronized by the client and cached locally, so that all reports remain available in offline mode. In addition, reports can be stored locally in the client only, e.g. for testing or confidential evaluations. Local and server reports are clearly marked and distinguished in the list.
    For each report, the required and reasonable output formats can now also be configured centrally (DOC, XLS, PDF...).
    The standard reports included with verinice can be managed in the same way. Thus a standard report can be replaced by a custom template, for example when a company logo is to be used in all reports.
  • Easy changes in the permission dialog (verinice.PRO)
    The authorization dialog for assigning access rights to objects has also been revised. It is now easier and more comfortable to set read and write permissions for individual objects or groups of objects.

References for the update

Important notice:

Before updating to verinice 1.9 please ensure that there is no account group matching a login name. Otherwise, it may lead to serious conflicts - making the installation unusable after the update and necessitating a roll back to the old version.

Changed properties:

Folder: WEB-INF

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages.properties, verinice-auth-messages_de.properties
  • verinice-ldap.properties
  • web.xml

Folder: WEB-INF/classes/sernet/gs/server/spring

  • springDispatcher-servlet.xml
  • veriniceserver-common.xml
  • veriniceserver-daos-common.xml
  • veriniceserver-daos-osgi.xml
  • veriniceserver-daos-plain.xml
  • veriniceserver-reportdeposit.xml
  • veriniceserver-reportdeposit-dummy.xml

Please see the notes Update von Konfigurationsdateien - we are currently working on an English translation.
