Release Notes

verinice over the versions

verinice 1.17

Codename: Raglan
Release date: 09.11.2018

verinice and verinice.PRO version 1.17 are available in the verinice.SHOP and the update repository.

ATTENTION: Automatic updates of the clients are not possible for verinice 1.17! We have compiled all necessary information for manual updates in a HowTo. To update the verinice.PRO server to version 1.17, please use the package manager "yum" as usual (see details on the verinice.PRO update). As an administrator of a verinice.PRO server, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

Optimised Modeling in the Modernized IT-Baseline Protection

verinice 1.17 now supports multiple modeling of modules for different target objects:

Optimized: Multiple modeling of modules for different target objects

In addition, verinice 1.17 now always models all module requirements (basic, standard, increased protection requirement) and, if activated, all associated implementation hints. If the related filter is activated, the requirements or safeguards are filtered according to the procedure for protection defined for the information network. The filter also acts on linked threats, e.g. only threats that are linked to basic requirements are displayed in the link maker.

Filtering information networks according to the procedure for protection

This makes it easy, for example, to switch an information network to standard protection once its basic protection has been completed.

Migration of previous Modeling in the Modernized IT Baseline Protection

When verinice 1.17 is started for the first time, all previous modeling in the Modernized IT Baseline Protection is migrated to the new modeling.

Improvements in the IT Baseline Protection Compendium

The IT Baseline Protection Compendium is planned to be released in English by the BSI at the end of 2018 and will be available for use in verinice afterwards.

The modeling instructions are now displayed in the object browser of each module:

IT Baseline Protection Compendium: Modeling notes in the object browser of the modules

The texts of the implementation hints (where they exist) are also displayed in the requirements. The implementation notes are therefore available even if you do not work explicitly with the object type safeguard in verinice:

IT Baseline Compendium: Output of the implementation notes in the requirements

Hybrid Modeling

Parallel to the IT-Baseline Protection Compendium, the verinice.TEAM provides a catalogue containing all modules from the 15th Supplementary Delivery of the IT-Baseline Protection Catalogues that are not yet available in the new IT Baseline Protection Compendium. The modules of the 15th Supplementary Delivery can thus be modeled directly in the New IT-Baseline Protection by drag & drop: requirements are generated from the safeguards of the 15th Supplementary Delivery and can be adapted if necessary, the safeguards themselves are available as implementation hints, and the threats of the IT Baseline Protection Catalogues are modeled as additional threats.

Modernized IT Baseline Protection: Hybrid Modeling

New filter in the Modernized IT Baseline Protection View

The filter in the Modernized IT Baseline Protection View now allows you to search for implementation status and security level for requirements and safeguards.

New filter in view Modernized IT Baseline Protection: Search for implementation status as well as for security level for requirements and safeguards

User-defined modules, safeguards and threats

For each target object, user-defined modules, safeguards and threats can be created directly via the context menu (right mouse click):

Create user-defined modules, safeguards, and threats using the context menu.

Improvements for report queries

Report queries can now follow links in other scopes to include data from there:

Report queries can include data from other scopes

In addition, some missing relations have been added and incorrect relations have been corrected, so that this data can now be used in queries and reports (e.g. the relations between requirements and network components in the Modernized IT Baseline Protection).

RCP4 Migration

The verinice.TEAM has moved the development environment to a newer version of the Eclipse RCP framework (RCP 4) to fix some operating-system-related problems (macOS, Ubuntu Linux) and to keep the platform maintainable and supportable in the future.

Only a few of the changes that come with this update are immediately visible to users; the most obvious are:

The new environment allows the use of further design elements, e.g. tabs in the editor area:

New development environment: Enables e.g. tabs in the editor area

In the editor area, several views can now be opened stacked one above the other, which can be helpful for some tasks in verinice.

ATTENTION: Because of the new framework, an AUTOMATIC update from an older version to verinice 1.17 is not possible! Please follow the instructions for updating manually: Update to verinice 1.17.

The new catalog view

The new catalog view is now used by default in the Modernized IT Baseline Protection and ISM/ISO perspectives. In the ISM/ISO perspective, the new catalog also replaces the old CSV catalog, which will be discontinued in the next verinice version.

Any .vna file can be loaded into the new catalog view as a read-only catalog, template, master, profile, etc:

New Catalog View: Integrates (read-only) any catalogs, templates, masters, profiles, etc.

In addition to the drag & drop modeling of IT Baseline Protection Compendium modules already introduced in verinice 1.16, all elements can now also be copied from the catalog view to the model view (tree) using the context menu (right mouse click), with or without links. When copying with links, unlike copying within the model view, no links are created back into the catalog; only the links between the copied objects themselves are copied!

The Risk Analysis according to BSI Standard 200-3

In the Modernized IT Baseline Protection, the parameters/definitions for the risk analysis (probability of occurrence/damage impact matrix) can now be defined separately for each information network in a graphical user interface:

Definition of the frequency of occurrence:

Risk analysis: Definition of the frequency of occurrence

Definition of the effect:

Risk Analysis: Definition of Effects

Definition of the risk categories:

Risk analysis: Definition of risk categories

Definition of the risk matrix:

Risk analysis: Definition of the risk matrix

The calculated risk values are shown in the threats linked to the individual target objects:

Risk analysis: mapping of risk values

For each requirement or safeguard you can define whether it reduces a risk and what effect it has:

Risk analysis: requirements or measures can lead to risk reduction

The strength of a safeguard reduces either the frequency of occurrence or the impact to a lower value; the risk itself is always calculated from the defined risk matrix and cannot be changed directly.

If several requirements/safeguards that reduce the risk are linked, the lowest resulting value for frequency of occurrence or impact applies (minimum principle).

If safeguards are used explicitly, the strength of a safeguard can be inherited from the safeguard to the requirement:

Inheritance of the safeguard strength from the safeguard to the requirement
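
The calculation described above, as an added worked example (not verinice's own code): the four-level scales, the matrix and the safeguards are constructed sample values in the style of BSI Standard 200-3, whereas in verinice they are defined per information network. Safeguard strengths act as caps under the minimum principle, a requirement without its own strength inherits the strengths of its linked safeguards, and the risk category is only ever read from the matrix.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample scales in the style of BSI Standard 200-3. In verinice 1.17 the
# levels and the matrix are defined per information network in the GUI; the four-level
# scales and the category assignments below are assumptions for this example.
FREQUENCY = ["rare", "medium", "frequent", "very frequent"]
IMPACT = ["negligible", "limited", "considerable", "existence-threatening"]

# RISK_MATRIX[frequency_index][impact_index] -> risk category (constructed sample)
RISK_MATRIX = [
    ["low",    "low",    "medium",    "high"],       # rare
    ["low",    "medium", "high",      "very high"],  # medium
    ["medium", "high",   "very high", "very high"],  # frequent
    ["medium", "high",   "very high", "very high"],  # very frequent
]


@dataclass
class Safeguard:
    """A safeguard with a strength: it caps either the frequency or the impact."""
    name: str
    reduces: str   # "frequency" or "impact"
    strength: int  # index into FREQUENCY or IMPACT that the parameter is lowered to

    def reductions(self) -> List[Tuple[str, int]]:
        return [(self.reduces, self.strength)]


@dataclass
class Requirement:
    """A requirement carries its own strength or inherits it from linked safeguards."""
    name: str
    reduces: Optional[str] = None
    strength: Optional[int] = None
    safeguards: List[Safeguard] = field(default_factory=list)

    def reductions(self) -> List[Tuple[str, int]]:
        if self.reduces is not None and self.strength is not None:
            return [(self.reduces, self.strength)]
        # Inheritance: take the strength of every linked safeguard.
        return [r for s in self.safeguards for r in s.reductions()]


def residual_risk(gross_frequency: int, gross_impact: int, reducers) -> Tuple[int, int, str]:
    """Minimum principle: a reducer may only lower a parameter, never raise it, and with
    several reducers the lowest resulting level wins. The risk category is always read
    from the matrix and never set directly."""
    if not (0 <= gross_frequency < len(FREQUENCY) and 0 <= gross_impact < len(IMPACT)):
        raise ValueError("gross frequency/impact outside the defined scales")
    frequency, impact = gross_frequency, gross_impact
    for reducer in reducers:
        for parameter, strength in reducer.reductions():
            if parameter == "frequency":
                frequency = min(frequency, max(0, strength))
            elif parameter == "impact":
                impact = min(impact, max(0, strength))
            else:
                raise ValueError(f"{reducer.name}: unknown parameter {parameter!r}")
    return frequency, impact, RISK_MATRIX[frequency][impact]


def demo() -> dict:
    # Constructed sample: one threat on a target object with gross risk
    # "very frequent" / "existence-threatening" and three linked reducers.
    backup = Safeguard("daily offline backup", "impact", 2)
    patching = Safeguard("patch management", "frequency", 2)
    hardening = Requirement("system hardening", "frequency", 1)
    # Requirement without own strength: inherits from its linked safeguard.
    backup_req = Requirement("backup concept", safeguards=[backup])
    return {
        "gross": residual_risk(3, 3, []),
        "residual": residual_risk(3, 3, [patching, hardening, backup_req]),
    }


if __name__ == "__main__":
    for label, (f, i, category) in demo().items():
        print(f"{label}: frequency={FREQUENCY[f]}, impact={IMPACT[i]}, risk={category}")
```

In the sample, patch management caps the frequency at "frequent", system hardening caps it further at "medium", and the backup concept inherits the impact cap of its safeguard; the residual risk therefore drops from "very high" to "high" purely through the matrix lookup.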

AD Interface and Task Workflow in the Modernized IT Baseline Protection

verinice 1.17 now also supports the connection to an Active Directory for the Modernized IT Baseline Protection and enables the task workflow for the creation of tasks, e.g. for the implementation of requirements or safeguards.

More

With verinice 1.17 the verinice.TEAM ships more than 70 further small improvements and minor bug fixes, including:

  • Bug fixes and minor improvements in the bulk editor.
  • In the web frontend, the behavior of different elements has been improved, in case the approval process is activated in the task workflow.
  • The email link for notifications in the task workflow has been corrected.
  • The default memory for verinice was adapted to current systems and increased to 4 GB for the client and 16 GB for the server.

Security note

Please note that, because of the modeling changes, verinice 1.17 migrates all information networks created in the Modernized IT Baseline Protection at the first start.

Please create a backup of all data before the first start!

Security notes for verinice.PRO administrators

New actions

  • BSIMOD/F/Edit risk configuration, Action-ID: editriskconfiguration

Changed Property Files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_de].properties

verinice 1.16

Codename: Agger
Release date: 17.04.2018

verinice and verinice.PRO version 1.16 are available in the verinice.SHOP and the update repository.

Attention: As an administrator of a verinice.PRO server, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

General Data Protection Regulation (GDPR) in verinice

verinice 1.16 supports the documentation required by the GDPR, including the processing activities, technical and organisational measures and contracted data processing.

Records of Processing Activities

Optimizations in the new IT-Baseline Protection

Implementation status

The implementation status has been improved and now works in the same way as in the old ITBP perspective. The status is indicated by icons (yes, no, partially, n/a, unedited). In addition to the tree of the view Modernized IT Baseline Protection, the status is also displayed in the links (link makers) and in the tab area of the object editor.

Implementation Status

(Screenshot in German only due to the fact that the IT Baseline Protection Compendium is only available in German!)

Identifier

The new "Identifier" field is shown for requirements, safeguards and threats in the link maker. This makes it easier to see which of these objects is linked to which target object.

Identifier

ITBP Compendium

The IT Baseline Protection (ITBP) Compendium has been optimized for verinice and minor changes by the BSI have been added. A new version of the ITBP Compendium is available for download in the update repository or on the verinice website.

New object types

In order to support the various documentation tasks, three new object types (documents, records, incidents) have been added to the IT Baseline Protection perspective.

New object types for ITBP

Context for report queries

The creation of report queries has been improved in verinice 1.16 by adding context to all elements. For each element, the perspective it is used in is now displayed (ISM, ITBP old, ITBP new, ...). Additionally, the object ID as defined in SNCA.xml is displayed, which makes it easier to distinguish, for example, object groups from the objects themselves.

RPMs for RHEL 7 / CentOS 7

verinice.PRO can now be installed on servers running Red Hat Enterprise Linux (RHEL) 7 and CentOS 7. RPM packages for RHEL 6 and CentOS 6 as well as for the new version 7 are available in two separate repositories. The verinice.TEAM recommends installing RHEL 7 or CentOS 7 on any new verinice.PRO server. Red Hat supports RHEL 6 until 2020. We have not yet decided how long packages for RHEL 6 and CentOS 6 will be provided; the end of support for these versions will be announced in advance.

Security notes for verinice.PRO administrators

New action ID

New action ID in user rights:

  • ISM/F/Migrate to GDPR, Action-ID: migrate_data_protection

Changed property files

  • veriniceserver/WEB-INF/SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver/WEB-INF/verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages[_de].properties

verinice 1.15

Codename: Miyazaki
Release date: 01.02.2018

verinice and verinice.PRO version 1.15 are available in the verinice.SHOP and the update repository.

Attention: Administrators of verinice.PRO servers, please note the security notes at the end of these release notes!

This version includes the following news and optimizations:

New IT Baseline Protection

verinice 1.15 is the first iteration of the New IT Baseline Protection according to the BSI Standards 200-1, 200-2 and 200-3.

To implement the new standards, the data model has been extended extensively and future-proofed; all object types required by the New IT Baseline Protection are available.

The graphical user interface has been extended with the new perspective New IT Baseline Protection and the new views IT Baseline Protection Model and IT Baseline Protection Compendium.

The IT Baseline Protection Compendium is available as a verinice XML file (.vna) for import into the new view IT Baseline Protection Compendium. Remark: so far the IT Baseline Protection Compendium is only available in German!

Information networks can be modelled following the basic, standard or core protection.

The reference documents A.1 to A.4 are available as report templates.

Prospect

The verinice.TEAM will continue to implement the New IT Baseline Protection and release additional verinice versions in 2018 adding further concretisations provided by the BSI. This includes risk management and especially the migration from the old IT Baseline Protection Catalogues to the new IT Baseline Protection Compendium.

The EU GDPR in verinice

verinice 1.15 lays the foundations for the EU GDPR and for the use of the enhanced data privacy module, which will soon be available for download in the verinice.SHOP or the update repository. The module will support the records of processing activities and contracted data processing. Until May 2018, extensions to the privacy module are planned so that risk management for data privacy and the data protection impact assessment can be done with verinice.

Improvements and bug fixes

The verinice.TEAM has addressed various further issues in verinice 1.15, including bug fixes and smaller changes based on customer requests that improve overall performance and usability. In addition, several general security improvements have been implemented.

The most significant are:

  • The search functionality has been improved by fixing various bugs. Search and indexing are now more stable in edge cases.
  • Report queries generated in verinice are easier to use with the v.Designer: .vlt files can be loaded in the v.Designer and used directly as data sets.
  • In the web frontend the behaviour of various elements has been improved:

    • Multi-select fields are now displayed correctly.
    • Dependent fields are now displayed correctly.

  • Improvements to the verinice REST interface make connecting external systems (e.g. KIX) easier.

Security notes for verinice.PRO administrators

New Java version

With verinice 1.15 the verinice server requires Java 8 (1.8).

Changed property files

SNCA.xml, snca-messages.properties, snca-messages_de.properties:

  • Extensive changes for the new IT-Baseline-Protection

Database changes

Table properties:

  • Column propertyvalue: data type changed to CLOB (Derby only)

verinice 1.14

Codename: Acapulco
Release date: 10.07.2017

As of today verinice 1.14 is available for download in the verinice.SHOP and in the verinice.PRO download repository.

CAUTION: As an administrator of a verinice.PRO server please regard the security notice at the end of these release notes!

Webfrontend

verinice.PRO users will find the web frontend in verinice 1.14 in a new look and feel. The appearance has been reworked completely, and the high-contrast, clean user interface makes it far more convenient to use. The web frontend also received several internal security improvements, including full enforcement of access rights. Access can be granted to any verinice user via deep links, and an explicit logout function has been implemented.

The new responsive template enables comfortable use of the webfrontend on mobile devices. The new webfrontend is an investment into the future and fundament for a variety of new features.

Screenshots: Webfrontend Home, Webfrontend ISO View, Webfrontend Asset, Webfrontend Tasks

Graphical Analysis

The first and most tangible feature of the new web frontend is the graphical presentation of the implementation status of ISO controls and IT Baseline Protection safeguards for one or all organisations/scopes. Users can provide their management with the current status of the ISMS at any time and in real time. Especially in larger installations with many organisations/scopes, the implementation statuses are displayed on identical scales to allow direct comparison.

The graphical presentation in the web frontend opens up a new and important aspect: the visualization of information security and the presentation of specific issues in real time. Together with the new reporting technology introduced in verinice 1.13 and further improved in 1.14, verinice continues to ease the daily work of CISOs and offers an easy way to report the results and successes of their work.

Graphical Analysis: Web-Dashboard

License management

In order to give access to all details and descriptions of an information security standard, e.g. ISO, verinice 1.14 now provides the complete standard including all content that is subject to license. No more studying large paper documents and error-prone manual data entry: the original content can be provided to each user as needed.

The new license management in verinice 1.14 ensures organisation-wide compliance with the license conditions of the standards. Licensing is possible per user and year and therefore enables efficient allocation of resources and expenses. Licenses for the available content can be purchased directly in the verinice.SHOP.

License Management

CAUTION: Due to licensing restrictions, any license in verinice covers use and display within verinice only! The original documents are not distributed in paper form or in any other digital form outside of verinice.

Risk Analysis

When running a risk analysis in the ISMS perspective users can now select for which organisation/scope the calculation shall be performed. This reduces the time for analysis significantly which is especially helpful in installations with many organisations. A dialog now confirms when the risk analysis has been finished successfully.

Report Repository Clean-Up

With the query builder introduced in verinice 1.13, user-specific report templates can be generated quickly and easily. In verinice 1.14, older report templates that are no longer used have been discontinued to make the report repository clearer. The verinice.TEAM will continue to switch other older report templates to the new report technology in order to speed up report creation.

Improvements to the In-Memory Query Wizard and v.Designer

The query assistant has been further improved, queries can now run over data for all organisations and scopes in verinice 1.14. The connectivity between verinice and v.Designer has been optimized to improve the creation of user specific report templates based on data sets in verinice.PRO as well as in the standalone version.

The interface to the database has been extended in order to simplify usage of user specific datafields.
The v.Designer is available to all verinice.PRO users in the download repository. Users of the standalone version can purchase the v.Designer in the verinice.SHOP.

Discontinuation of the deprecated data privacy view

Due to the upcoming GDPR, the old data privacy view will be discontinued with verinice 1.15 and should no longer be used. For new data privacy projects the verinice.TEAM offers a special module/catalogue. This module is at present only available in German and follows German legislation (interpretation of the GDPR). Users from other countries may contact the verinice.TEAM to have the module adapted to their country's regulations.

Improvements and Bug Fixes

The verinice.TEAM has addressed various issues in verinice 1.14, including bug fixes and smaller changes based on customer requests that improve overall performance and usability. In addition, several general security improvements have been implemented.

Security notice for verinice.PRO administrators

Changed property files

veriniceserver/WEB-INF/web.xml

File veriniceserver-security-web.xml has been deleted.

veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]

  • New: veriniceserver.risk.calculation.method=ADDITION
  • New: veriniceserver.object.limit=10000 (maximum number of elements that can be loaded at once; set to -1 to disable the limit)
  • veriniceserver.grundschutzKataloge=/WEB-INF/it-grundschutz_el15_html_de.zip

SNCA.xml, snca-messages.properties, snca-messages_de.properties

veriniceserver/WEB-INF/verinice-ldap.properties

  • New: ldap.search.user=
  • New: ldap.search.password=

veriniceserver/WEB-INF/verinice-auth-default.xml

Changes to the database

Table properties:

  • New column: licenseContentId, type: varchar(255)
  • New column: limitedLicense, type: boolean (PostgreSQL), smallint (Derby)

verinice 1.13.1

Codename: Sylt
Release date: 19.12.2016

As of now, version 1.13.1 of verinice and verinice.PRO is available for download.

CAUTION: As a verinice.PRO server administrator please regard the change log at the end of these release notes.

Business-Impact-Analysis according to BSI-Standard 100-4

The Business Impact Analysis (BIA) according to BSI Standard 100-4 is now an integral part of verinice. The BIA provides all required information regarding critical business processes and resources. It complements the BSI risk analysis according to BSI Standard 100-3, which provides all required information regarding the existing risks against which your organisation should be safeguarded.

Optimised Query-Builder

The Query-Builder got a new and way more intuitive graphical user interface. Select any row and move or delete it directly.

In the query results, cells with repeating content, e.g. parent elements, are now filled. This enables better sorting and filtering in spreadsheet tools.

To enable you to link objects across different tables in the report designer (data cubes), the query builder now supports the export of database IDs (such as scope IDs, parent IDs and UUIDs).

Additionally the verinice.TEAM has implemented various improvements that simplify the use of the query builder in general.

Query-Builder for Datasets in the verinice Report-Designer

With verinice 1.13.1 the Query-Builder, including its graphical user interface, is available in the verinice report designer.

This enables you to create your own datasets intuitively using the Query-Builder and to present the data in a variety of charts, spreadsheets and other elements. Provide the resulting report templates to all users or to specific user groups and enable them to create standardised one-click reports in your organisation's layout and style.

Link table reports can now be created, stored and loaded in both verinice and the report designer. One base for a broad range of use!

The verinice.TEAM will convert selected report templates to the new technology on base of the Query-Builder shortly and speed up the creation of these reports significantly.

On top of this the v.Designer including the new Query-Builder GUI is now available as a standalone add-on for the verinice-client and can be purchased in the verinice shop. This gives all users of the standalone version the option to easily create their own reports based on their own data including any customizing.

Displaying net risk values

In links between assets and scenarios in the ISMS perspective, verinice 1.13.1 now shows the calculated net risk values (risks with implemented controls) in addition to the gross risk values (risks without implemented controls). This presentation enables a better comparison and evaluation of specific risks according to ISO 27005 while working with assets and scenarios in verinice.

The net risk values are available for output via Query-Builder of course.

Risk treatment method

The risk treatment method can be selected and documented likewise for each combination of asset and scenario in the link maker. You can choose accept, transfer, avoid, and modify as risk treatment method according to ISO 27005.

Again the risk treatment method is available for output via Query-Builder.

Release process for workflow tasks

The task workflow has been extended by a release process that can be activated optionally. Any changes in objects related with a certain task will only be saved when the originator of that task approves the change.

Changes may be rejected and can be reassigned to the same or any other person. To support your decision about an approval all changes can be compared with the original values in a dialogue.

Bug-fixes and smaller changes

The verinice.TEAM has addressed various further issues in verinice 1.13.1, including bug fixes and smaller changes based on customer requests that improve overall performance and usability.

Changed Property Files

Extensions for Data Security, BSI-BIA 100-4 and PCI DSS

  • SNCA.xml
  • snca-messages.properties
  • snca-messages_de.properties

Extensions for the Update Process

New in veriniceserver/WEB-INF/web.xml

  • classpath:sernet/gs/server/spring/veriniceserver-updatenews-dummy.xml

New user rights

New Action-ID: taskwithreleaseprocess (ALL/F/Enable release process) in:

  • verinice-auth-default.xml
  • verinice-auth-messages.properties
  • verinice-auth-messages_de.properties

Changes to the database

New columns in table cnalink:

  • riskConfidentialityWithControls
  • riskIntegrityWithControls
  • riskAvailabilityWithControls
  • riskTreatment

Security Notice for verinice.PRO administrators

In previous versions of verinice the default profile for "scope-only" administrators included the permission to change access rights and user profiles. Since this allows a scope-only administrator to escalate his or her privileges by editing his or her own profile, we have removed this right and some others from the default profile.

If you have used this profile without changing it, these changes will become active automatically. If however you have made changes or created your own profiles based on this preset, you will have to remove the questionable actions from these profiles yourself.

The list of actions we have removed from the scope-only administrator is:

  • Change account settings
  • Edit userprofiles
  • GSTOOL notes import
  • GSTOOL import
  • LDAP import
  • Show all tasks
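
An added example (not part of verinice) of how an administrator could audit custom profiles for the removed actions: the script resolves the six display names listed above to action IDs through the messages properties file rather than hard-coding IDs, then reports every profile in the auth XML that still grants one of them. The file layouts (a Java properties file with id=label lines, and <profile name=...> elements containing <action id=...>) and all IDs in the sample data are assumptions; verify them against your own verinice-auth-messages.properties and verinice-auth-default.xml before relying on the result.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Display names of the actions removed from the scope-only administrator preset (from the
# release notes); their action IDs are resolved from the messages file, not hard-coded.
REMOVED_ACTION_LABELS = [
    "Change account settings", "Edit userprofiles", "GSTOOL notes import",
    "GSTOOL import", "LDAP import", "Show all tasks",
]

# Constructed sample of verinice-auth-messages.properties; the action IDs are made up.
SAMPLE_MESSAGES = """\
# action id = display name (constructed sample)
acct.settings=Change account settings
profiles.edit=Edit userprofiles
gstool.notes.import=GSTOOL notes import
gstool.import=GSTOOL import
ldap.import=LDAP import
tasks.showall=Show all tasks
csv.export=CSV export
"""

# Constructed sample of verinice-auth-default.xml in an assumed layout
# (<profile name=...> containing <action id=...>); verify against your own file.
SAMPLE_AUTH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<auth xmlns="urn:example:verinice-auth">
  <profiles>
    <profile name="scope-admin-profile">
      <action id="profiles.edit"/>
      <action id="acct.settings"/>
      <action id="tasks.showall"/>
      <action id="csv.export"/>
    </profile>
    <profile name="auditor-profile">
      <action id="csv.export"/>
    </profile>
  </profiles>
</auth>
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments.
    Escapes and line continuations are not handled (enough for the messages file)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        entries[line[:sep].strip()] = line[sep + 1:].strip()
    return entries


def resolve_action_ids(labels: List[str], messages: Dict[str, str]) -> Set[str]:
    """Map display names back to action IDs; fail closed if any label is unknown."""
    by_label = {label.casefold(): action_id for action_id, label in messages.items()}
    missing = [l for l in labels if l.casefold() not in by_label]
    if missing:
        raise KeyError(f"labels not found in messages file: {missing}")
    return {by_label[l.casefold()] for l in labels}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{uri}profile' -> 'profile')."""
    return tag.rsplit("}", 1)[-1]


def load_profiles(xml_text: str) -> Dict[str, Set[str]]:
    """Map profile name -> set of action IDs, regardless of namespace usage."""
    profiles: Dict[str, Set[str]] = {}
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) == "profile" and element.get("name"):
            profiles[element.get("name")] = {
                child.get("id") for child in element.iter()
                if _local(child.tag) == "action" and child.get("id")
            }
    return profiles


def find_escalation_actions(profiles: Dict[str, Set[str]], removed_ids: Set[str]) -> Dict[str, List[str]]:
    """Profiles that still grant any removed action, with the offending IDs."""
    return {name: sorted(actions & removed_ids)
            for name, actions in profiles.items() if actions & removed_ids}


if __name__ == "__main__":
    removed = resolve_action_ids(REMOVED_ACTION_LABELS, parse_properties(SAMPLE_MESSAGES))
    for profile, ids in find_escalation_actions(load_profiles(SAMPLE_AUTH_XML), removed).items():
        print(f"{profile}: remove {', '.join(ids)}")
```

Resolving the IDs from the messages file keeps the check aligned with the labels an administrator actually sees in the profile editor; the lookup deliberately raises if a label is missing, so a renamed action cannot silently drop out of the audit.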

Changed configuration files

Easier configuration for Greenbone Security Manager (GSM) import

  • veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]

    • New: veriniceserver.gsmGenerator.enabled=false
    • New: veriniceserver.gsmGenerator.cron=0 5 3 * * ? (Quartz cron syntax with a leading seconds field: runs daily at 03:05)
    • Properties for MySQL, which is no longer supported, were removed

Various additions, especially for German privacy law and KIX integration:

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties

Additional security for server services

  • veriniceserver/WEB-INF/web.xml

ElasticSearch configuration

  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_de.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_en.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/mapping.json

Account profiles

  • veriniceserver/WEB-INF/verinice-auth-default.xml

LDAP authentication

  • veriniceserver/WEB-INF/verinice-ldap.properties

verinice 1.13

Codename: Sylt
Release date: 12.10.2016

We are proud to present version 1.13 of verinice and verinice.PRO, which are now available for download. Starting with this version, the verinice client has to be purchased in the verinice.SHOP.

CAUTION: As a verinice.PRO server administrator, please regard the security notice at the end of these release notes.

Link-Table-Reports: The In-Memory Query Builder

Our new query assistant enables you to query your data directly from the verinice client. Let's say you need a list of interrelated security controls from different standards. No problem. Or maybe you need a list of assets with risk scenarios and responsible personnel? Also created with just a few mouse clicks.

For every object you can determine exactly which fields to extract.

All queries can be saved as CSV files and opened in Microsoft Excel or LibreOffice Calc for further editing. Using the familiar functions of your spreadsheet application you can sort, filter or create charts based on the data.

The best part: even queries over thousands of objects and complex structures run lightning fast and are usually completed in a matter of seconds.

This is achieved by using an in-memory query mechanism created especially for this purpose: every query created by the user is translated into our own "verinice Query Language" (VQL). This query is translated into a graph model that loads just those elements of the database that are required to answer the query. The actual query is then run in memory and the result table saved to disk.

Screenshots: In-Memory Query Builder, LTR CSV Export, LTR Chart, LTR Radar Chart

Improved security features

We introduced additional security measures in different places.

Encrypted database exports in the VNA format now each get an individual salt value, so that the same password guess no longer yields the same key for every file and a precomputed dictionary cannot be reused across exports. In previous versions the same salt was used for all files. Due to this change, encrypted exports made with verinice 1.13 cannot be imported into older versions of verinice.
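
To make the effect of the per-file salt concrete, here is an added example that is not verinice's own code and makes no claim about the actual VNA format: PBKDF2 key derivation with a constructed fixed salt versus a fresh random salt per export, attacked with the same small wordlist. The key-check tag (a stand-in for "does this key decrypt the file"), the iteration count, the fixed salt value and the sample passwords are assumptions for the demonstration. With the shared salt the attacker derives each candidate key once and matches it against every file; with per-file salts the derivation cost is paid again for every export.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count kept low so the demo finishes quickly; production exports should use
# a far higher count. Both the count and the fixed salt below are assumptions for this
# example, not the values used by verinice.
ITERATIONS = 2_000
FIXED_SALT = b"one-salt-for-every-export"  # stands in for the shared salt of pre-1.13 exports


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-based key derivation; the salt is the only input that differs between files."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def key_check(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the file': a MAC tag over a constant string."""
    return hmac.new(key, b"export-key-check", hashlib.sha256).digest()[:16]


def export_file(password: str, per_file_salt: bool) -> Tuple[bytes, bytes]:
    """Produce (salt, tag) as an attacker would see them in an encrypted export header."""
    salt = os.urandom(16) if per_file_salt else FIXED_SALT
    return salt, key_check(derive_key(password, salt))


def dictionary_attack(files: List[Tuple[bytes, bytes]],
                      wordlist: List[str]) -> Tuple[List[Optional[str]], int]:
    """Build one lookup table per distinct salt and try every file against it.
    Returns the recovered password per file and the number of PBKDF2 runs spent."""
    tables: Dict[bytes, Dict[bytes, str]] = {}
    for salt, _tag in files:
        if salt not in tables:  # a shared salt means this table is built exactly once
            tables[salt] = {key_check(derive_key(word, salt)): word for word in wordlist}
    recovered = [tables[salt].get(tag) for salt, tag in files]
    return recovered, len(tables) * len(wordlist)


def compare(passwords: List[str],
            wordlist: List[str]) -> Dict[str, Tuple[List[Optional[str]], int]]:
    """Same exports, same wordlist: cost with a shared salt versus per-file salts."""
    fixed = [export_file(p, per_file_salt=False) for p in passwords]
    fresh = [export_file(p, per_file_salt=True) for p in passwords]
    return {
        "fixed_salt": dictionary_attack(fixed, wordlist),
        "per_file_salt": dictionary_attack(fresh, wordlist),
    }


if __name__ == "__main__":
    # Constructed sample: three exports, two protected with weak passwords from the wordlist.
    result = compare(["winter2016", "verinice", "Tr0ub4dor&3"],
                     ["password", "winter2016", "verinice", "qwerty"])
    for mode, (found, runs) in result.items():
        print(f"{mode}: recovered={found} pbkdf2_runs={runs}")
```

The per-file salt does not stop a weak password from being guessed (both weak exports are still recovered), but the attacker's work now grows linearly with the number of exports instead of being amortised over all of them.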

Report creation has been moved into a sandbox that limits the actions a report template can perform. This mechanism can be turned off if you have individually created templates that conflict with the stricter restrictions. Since report templates can contain potentially malicious code (much like macros in MS Word documents), you should not turn off this additional security mechanism, especially if you use report templates from third parties.

verinice.PRO received an additional security layer that checks every service call against the user's profile and rejects actions the profile does not permit.

Search View: Drag and Drop

Objects in search results can now be used in drag and drop operations, and you can select multiple objects at once. For instance, you could search for risk scenarios regarding "compliance", choose the ones you want and link them to a relevant asset immediately.

Copying attachments with objects

When copying objects in the tree view by copy and paste you can now choose to make copies of all attached files as well. This behaviour can be toggled in the preferences.

verinice.PRO: New REST Web Service

A new REST API allows network based access to the verinice database for third party applications. This enables a lot of opportunities to integrate verinice.PRO with other software tools. Of course all access over this new interface is subject to all existing security restrictions.

verinice.PRO: Cooperation with KIX4OTRS

We have teamed up with c.a.p.e. IT to bring ISMS and ITSM together. New database properties allow objects to link to OTRS tickets. The KIX workflow state can be transferred to verinice, and changes to verinice objects can be made directly in the OTRS ticket; they are written to the verinice database when the ticket is completed.

You can also import configuration items from your ITSM into verinice as additional assets. Both SerNet and c.a.p.e. IT are available to discuss your individual requirements.

verinice.PRO: Easier configuration for Greenbone GSM

It is now easier to connect to a Greenbone / OpenVAS vulnerability scanner. You can use the special verinice vulnerability management workflow to aggregate and assign vulnerabilities to responsible personnel. You can also use any detected vulnerabilities and hardware assets in your risk assessments.

All configuration settings for this have been moved to the default configuration file. You can find more information in the corresponding documentation.

verinice.PRO: AD-/LDAP-Authentication Support for Account Groups

When using Active Directory or LDAP for user authentication, verinice.PRO now supports querying accounts in different subtrees of the directory.

Relations between IT Baseline Protection View and ISM View

You can now create relations between the ISM-view and the IT-baseline view by drag and drop.

User defined modules: Drag and Drop

You can now add controls and scenarios to user-defined modules in the IT-baseline-view simply by dragging them there from the IT-baseline catalogue.

Risk Analysis (IT Baseline Protection): copy and paste

You can now copy and paste risk analysis objects in the IT Baseline Protection view.

GSTOOL Import

The import from the former GSTOOL (provided by the German BSI) database has been improved to correct IDs and criticality levels when importing IT Baseline Protection modules and network connections.

Changes for privacy regulation

Some changes were made regarding the fields for German privacy law. We will further develop this feature to include the European General Data Protection Regulation.

Quality of Life Improvements

We fixed over 100 bugs and introduced small improvements in this version based on feedback from our users. Amongst other changes, the account groups view now has an additional button to allow direct editing of accounts and sorting of special characters such as German umlauts has been improved both in the UI and in reports. The ISM Risk Analysis now calculates and saves all values even if the executing user does not have write permissions for some linked objects.

Security Notice for verinice.PRO administrators

In previous versions of verinice the default profile for "scope-only" administrators included the permission to change access rights and user profiles. Since this allows a scope-only administrator to escalate his/her privileges by changing his/her own profile, we have removed this right and some others from the default profile.

If you have used this profile without changing it, these changes will become active automatically. If however you have made changes or created your own profiles based on this preset, you will have to remove the questionable actions from these profiles yourself.

The list of actions we have removed from the scope-only administrator is:

  • Change account settings
  • Edit userprofiles
  • GSTOOL notes import
  • GSTOOL import
  • LDAP import
  • Show all tasks

Changed configuration files

Easier configuration for Greenbone Security Manager (GSM) import

  • veriniceserver/WEB-INF/veriniceserver-plain.properties[-default|local]

    • New: veriniceserver.gsmGenerator.enabled=false
    • New: veriniceserver.gsmGenerator.cron=0 5 3 * * ?
    • No longer supported MySQL properties were removed

Various additions, especially for German privacy law and KIX integration

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties

Additional security for server services

  • veriniceserver/WEB-INF/web.xml

ElasticSearch configuration

  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_de.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/analysis_en.json
  • veriniceserver/WEB-INF/classes/sernet/verinice/search/mapping.json

Account profiles

  • veriniceserver/WEB-INF/verinice-auth-default.xml

LDAP authentication

  • veriniceserver/WEB-INF/verinice-ldap.properties

Codename: Piha

Release Date: February 17th, 2016

We are proud to present version 1.12 of verinice and verinice.PRO which are now available for download. This version contains the following updates and improvements.

New Greenbone-GSM perspective

A new perspective guides new users to experience the benefits that you get from combining the Greenbone GSM (OpenVAS) vulnerability scanner with verinice. Two new tutorials take you through the process step-by-step and show how you can import the results of a scan in verinice.

In the IT baseline protection view the scan speeds up the necessary steps: the inventory can be updated with systems found during the scan. Fitting modules can be selected based on the identification of software from the scan. And finally the implementation status of technical controls can be set based on the scan results as well. This gives you a detailed view regarding implementation of information security controls on each individual system based on our extensive IT-baseline control catalogue which is included in verinice for free.

verinice.PRO: increased speed for full text search in AD environments

We have increased the performance of our full text search engine in environments where verinice.PRO is being used with Active Directory- or LDAP-authentication.

Our transparent software manufacture (GIT migration)

Our source code is and will always be open source. Now our development has become even more transparent. From now on our entire development work is also visible on GitHub. If you want to watch our team at work you can now do so in the verinice repository.

For instance, all changes will be listed in detail on this page: https://github.com/SerNet/verinice/commits/develop

For non-techies, the graphical reports may be more interesting. For example, the diagram showing branches in the source code during development

Even more GSTOOL Import

We have made further improvements for previous users of the now officially deprecated German "GSTOOL": you can now also import user-defined object types.

Risk analysis for German standard 100-3

We have improved the wizard dialogue for users who are doing their risk analysis with the German standard BSI 100-3.

If you are conducting your risk analysis in the ISM perspective based on international standards such as ISO/IEC 27005 you are not affected by this change.

VNA export of risk analysis based on German standard BSI 100-3

All risk analyses that are conducted in the IT-baseline perspective according to the German standard BSI 100-3 are now included in exports to VNA files.

If you are conducting your risk analysis in the ISM perspective based on international standards such as ISO/IEC 27005 you are not affected by this change. Your objects were always fully included in the VNA exports.

IT-baseline protection perspective: all reference fields now included in VNA export

For users of the German IT-baseline perspective: all references to persons are now also included in the VNA export file. Previously only relations made using the relation view were exported. Now the (older) form fields with references to persons are included as well.

If you are working in the ISM perspective you are not affected by this change. All references here are made using real relations between objects and were always included in the VNA export.

Bugfixes and smaller changes

We have addressed more than 80 issues for this release, here's a list of the noteworthy changes:

  • Fixed a bug that led to the IT-baseline model not loading after startup.
  • Fixed a bug introduced in V 1.11 that allowed relations to be created in the wrong direction (i.e. "document is author of person"). Updating to version 1.12 removes this possibility and will automatically repair relations that have been created incorrectly by changing the direction if needed.
  • The verinice client now uses the Oracle Java Runtime Environment 8.
  • IT-baseline catalogues are now loaded independent of the catalogue view being open.
  • Read and write permissions on newly created IT-baseline risk analysis are now correctly taken from the parent object.
  • LTR-report (a dataset that can be used in the vDesigner): threw an exception if only one top-level element was present, fixed.
  • LTR-report (a dataset that can be used in the vDesigner): now uses all relation types when none are explicitly given.
  • New splash screen and new icons.
  • The validation view now sorts all elements correctly and updates itself on global refresh.
  • The search index could be started multiple times simultaneously, fixed.
  • The attachment file size was not saved when importing using the web service, fixed.
  • The property field for file-size is now read-only.
  • File view: the initial state of the button "link to editor" was wrong, fixed.
  • The ISA-consolidator was transferring the target maturity of all controls, fixed.
  • User profiles: deactivating the search function now also deactivates the toolbar button and the corresponding menu item.
  • URLs to verinice web-pages on the welcome screen have been corrected.
  • All IT-baseline elements now have an additional validation rule: title must not be empty.
  • Editors of deleted elements are now always closed.
  • The password dialogue now checks for invalid characters in passwords.
  • Data for the account-groups dialogue is now loaded in a background job.
  • Relations in the selection drop-down box are now sorted alphabetically.

Update notes

Changed properties

  • veriniceserver-plain.properties[.default|.local]

    • veriniceserver.gsmGenerator.enabled=false
    • veriniceserver.gsmGenerator.cron=0 5 3 * * ?

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • veriniceserver-plain.xml
  • veriniceserver-jbpm.xml

Database changes

  • Column "Beschreibung" in table OwnGefaehrdung is changed to a length of 32672 (derby), 400000 (postgres) or 4000 (oracle) characters
  • Column "Description" in table Risikomassnahme is changed to a length of 32672 (derby), 400000 (postgres) or 4000 (oracle) characters
  • Database migration: due to bug [http://bob.sernet.private:8180/browse/VN-1280 VN-1280], existing databases may contain corrupt links. A database migration (new version: 1.03D) was written for this. It is performed during the update to the new (client) version and may lead to longer start-up times, depending on the size of the database, since all existing links are checked for correctness (direction).

Codename: Sandy Beach

Release date: August 28th, 2015

Full-text search

Starting with version 1.11 verinice and verinice.PRO received a search function, allowing users to find objects in mere seconds. The entire database is continuously indexed to ensure superb performance even with large databases. verinice deploys the open source framework Elasticsearch. This search engine - used among others by Wikimedia - has been fully integrated into verinice and verinice.PRO.

The search will be displayed in a new view, which can be opened multiple times. So several searches can be carried out parallel and results can be compared.

Note: To achieve the best indexing possible the language setting of the verinice.PRO server or of the verinice standalone clients should match the language of the information entered by the user.

Free Column Selection

The columns included in the search view can be customized. Additionally, verinice now remembers the user-specific configuration of the displayed fields.

CSV export

The displayed search results can be exported as a CSV file. This allows lists of found objects to be evaluated further in Excel or LibreOffice.

GSTOOL Import

The verinice.TEAM has carried out numerous and extensive improvements to the GSTOOL import. Many fields have been completed and the list of subtypes has been extended so that all information networks from the last available versions of GSTOOL, or from supplementary deliveries, can be taken over. GSTOOL is the official but now deprecated software tool published by the German BSI for its IT-Baseline standard.

Support for large GSTOOL databases

Some of the largest GSTOOL databases in Germany already have been transferred with verinice, each consisting of hundreds of individual scopes. Thanks to significant improvements in speed and memory usage verinice now accepts even those GSTOOL databases (with sizes of 1 gigabyte and more) in "one go". All targets are correctly allocated to the relevant scopes. Modules and module references are applied correctly. verinice even handles rare cases that cause other tools to stumble.

Risk Analysis acc. to BSI 100-3

Starting with version 1.11 verinice is able to completely convert the "Additional security analysis" as well as the risk analysis according to BSI 100-3 from the GSTOOL to verinice.

All measures and risks are transferred. All intermediate steps are imported properly into the verinice wizard for risk analysis according to BSI 100-3. This way every single step of the imported risk analysis can be retraced later and edited again at any time: the threat summary, the risk assessment and the risk treatment.

To maintain the individual intermediate steps is a mandatory requirement in order to create a standards-compliant A.6 report. verinice creates this report using the imported data at the push of a button.

Orphans

verinice now handles it correctly when during the import an asset is not associated with any scope, but is being referenced by other assets. In this case, all objects and relations between them are correctly mapped in order to ensure protection needs inheritance and all other mechanisms.

Linked persons

All measures and blocks linked to persons (interviewers, interviewees, project managers...) are correctly accepted as references in verinice.

New Report Template

A new template simplifies the creation of reports with linked elements in the vDesigner.

VDA ISA Version 2.1.3

verinice now contains the updated version 2.1.3 of the VDA ISA questionnaire.

Object Browser

The Object Browser now responds to selections of links. This makes navigating interrelated controls even easier.

OpenJDK 7 on the server

verinice.PRO now uses the RedHat supported OpenJDK 7.

Improvements and bug fixes

We added a variety of minor improvements and fixed bugs in various places in V 1.11. Worth mentioning are e.g.:

  • The layout of the account groups view has been improved.
  • All title fields now have an optional validation rule, which marks untitled objects.
  • The dialog "New Link" now allows the desired link type to be selected directly.
  • The button "Multiuser" is now named "Server" to coincide with general wording.
  • When adding attachments verinice now remembers recently used folders.
  • GSM Import: scenarios and vulnerabilities that have been imported from OpenVAS or Greenbone GSM will now be marked in color depending on the severity.
  • Missing write permission on the report template folder will be noticed and displayed as an error message.
  • The ISA consolidator now no longer overwrites the ISA version number.
  • The Object Browser is now displayed in all perspectives by default.
  • The icon of view "Review plan" has been changed.
  • The package for Mac OS X now includes the most recent version of the Java Runtime Environment 7 by Oracle (Apple's Java 6 package still has to be installed, even though it's not used to execute verinice).

Update Notes

Changed properties

web.xml

  • classpath:sernet/gs/server/spring/veriniceserver-search-base.xml
  • classpath:sernet/gs/server/spring/veriniceserver-search.xml

veriniceserver-plain.properties[-default|local]

  • veriniceserver.search.index.directory=/WEB-INF/elasticsearch/
  • veriniceserver.search.indexingOnStartup=true
  • verinice-auth-default.xml, WEB-INF/verinice-auth-messages[_de].properties
  • springDispatcher-servlet.xml
  • veriniceserver-common.xml
  • veriniceserver-daos-common.xml
  • veriniceserver-plain.xml
  • veriniceserver-security.xml
  • veriniceserver-search*.xml (new)

Codename: Tres Palmas

Important note for the update: Due to the necessary data migration, the first launch of verinice clients after updating may take a bit longer than usual. Don’t panic. For more information, see the section "Display of file size in the File View". Please also note the general indications regarding the update and the release notes. 

IT Baseline Protection Catalogs in English

The full text of the IT Baseline Protection Catalogs published by the German Federal Office for Information Security (BSI) is now available in English. Especially international teams benefit from this, simplifying the work with the IT Baseline Protection significantly.

Users of the native ISO 27001:2013 can profit from the comprehensive catalog of risks and controls, too: In a risk assessment or a risk treatment the Basic Protection Catalogs can be used as a database on specific topics like Windows or SAP.

All risks can be used as scenarios in an individual risk analysis as well. Simply drag-n-drop the desired risks or whole modules into the Risk Model.

The catalogs, containing more than 1,000 Baseline Protection Controls, also prove to be useful in the case of a risk treatment. As specific controls, they supplement the generic requirements of ISO/IEC 27002:2013. The controls are easy to drag-n-drop to the ISM-Risk Model.

The English IT Baseline Protection Catalogs correspond to the 13th update from the BSI.


Thanks to our verinice.PARTNER Alexander von Ossowski for contributing the English archive of the IT Baseline Protection Catalogs and his ongoing support for the verinice project.

VDA ISA 2.x Update

verinice V 1.10 fully supports the new edition of the IS-Assessment catalog published by the German Association of the Automotive Industry in version 2.x. Apart from the actual catalog, the method of calculating the averages and the "Total Security Figure" have been adjusted.

The issued report provides the radar chart indicating the level of maturity reached and the target level of maturity for each chapter, taking into account all the questions marked “NA".

Users of verinice are absolutely compliant with the VDA standard. Moreover a consolidator allows to import assessment results originating from the VDA 1.x standard. Shifts of controls etc. are taken into account properly.

Display of file size in the File View

The File View now reveals the file size of each attachment. This accelerates, for example, the inevitable clean up of a growing database.

Note: After updating to V 1.10 the file size information is updated in the database. The update will be triggered at the first connection of a verinice client to the database. Depending on the number of attachments this can take between a few seconds and several minutes to complete. We therefore recommend starting a client immediately after the server update, so the update is complete before the first regular user login. The operation is run only once.

Exclusive features of verinice.PRO

Single-Sign-On with Active Directory

On Windows clients verinice.PRO now supports Single-Sign-On: registered users can log in to verinice.PRO automatically. Re-entering the username and password is not required.

The previous login mechanism with renewed user and password input is still available optionally, e.g. if you want to work in verinice with a different user than the one logged in under Windows.

Import of individuals from AD in the basic protection view

Starting an AD-Import it is now possible to select whether the imported persons and accounts are created in the ISM or in the Baseline Protection model.

Optimization of the task view

The Task View has been improved: Tasks load faster and a detailed search allows you to find specific tasks. Tasks can be sorted by group, editor, process, task type, start and end date.

Improvements and bug fixes

Minor improvements and a variety of fixed bugs in various places round off V 1.10. Worth mentioning are e.g.:

  • The full text of Baseline Protection Controls can now be viewed via the web front-end for tasks. This makes it easier to delegate the basic security check as well as control of the implementation.
  • The local report filing on the verinice client now works as intended.
  • The allocation of modules, users and target types when using the GSTOOL import has been corrected.
  • Inheriting custom icons to child objects can now be switched on or off.
  • When moving objects it can be selected if the permissions of the destination folder should be applied to the moved object.
  • Double-clicking an attachment in the file view now selects the associated object in the tree view.
  • The standard account view changed to: "Last name, first name [account]".
  • The account groups dialog no longer displays the total list of all accounts as before, but only those that are not included in the selected group. This facilitates the search for non-associated accounts.
  • The customized file ("SNCA.xml") will no longer be moved during the update process but will continue to operate. Attention: Please continue to follow the update instructions for dealing with configuration files!

Update Notes

Changed properties

Folder: WEB-INF

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
    Extension for the asset properties regarding the risk values with planned controls (all controls not marked "N.A.")
  • veriniceserver-plain.properties, veriniceserver-plain.properties.default

Folder: WEB-INF/classes/sernet/gs/server/spring

  • veriniceserver-common.xml
  • veriniceserver-jbpm.xml

Please see the notes Update von Konfigurationsdateien - we're working on an English translation as of now.

Database changes

Migration to DB version 1.01 regarding the filesize property (see "Display of file size in the File View").

Announcement: verinice 1.11 coming soon


The verinice.TEAM is expected to publish the next verinice version - V 1.11 - shortly, presumably in two months.

An indexed full text search of all the elements in the database will be the most significant innovation of V 1.11. We would like to make this useful feature available as soon as possible for our users - so we opted for a timely publication.

Codename: Tavarua

New in this release

As of now verinice 1.9 is available for download. The update at a glance:

  • VDA ISA Standard 2.0
    In verinice 1.9 the new IS-assessment Catalog of the Association of the Automotive Industry is implemented. The standard has been thoroughly revised and adjusted to the new requirements of the updated ISO 27001:2013.
    Due to a special unify function existing levels of maturity can be transferred to the new chapter numbering. Existing assessment results can be reused, and users do not have to start completely from scratch. That should reduce the cost of the update and for the re-evaluation as much as possible.
    All changes took place in close contact with the authors of the ISA catalog in the corresponding working group of the Association. Conformity to the questionnaire is 100% guaranteed.
  • Account Management (verinice.PRO)
    A completely new user and group management facilitates the creation and maintenance of the authorization concept. This comes in handy especially for a large number of verinice users and groups.
  • Report Repository (verinice.PRO)
    verinice 1.9 comes with a newly introduced central report repository. This makes reports generated with the vDesigner available for all users of verinice.PRO servers. The central report repository is synched by the client and cached locally so that all the reports are still available in offline mode. In addition, reports can also be stored locally only, in the client, e.g. for testing or confidential evaluations. Local and server reports are designated and distinguished clearly in the list.
    For each report, the required and reasonable output formats can now also be programmed centrally (DOC, XLS, PDF...).
    The standard reports included with verinice can be managed in the same way. Thus a standard report can be replaced by a custom template, for example if a company logo is to be used in all reports.
  • Easy changes in the permission dialog (verinice.PRO)
    The authorization dialog for assigning access rights to objects has also been revised. It is now easier and more comfortable to set read and write permissions for individual objects or groups of objects.

References for the update

Important notice:

Before updating to verinice 1.9 please ensure that there is no account group matching a login name. Otherwise, it may lead to serious conflicts - making the installation unusable after the update and necessitating a roll back to the old version.

Changed properties:

Folder: WEB-INF

  • SNCA.xml, snca-messages.properties, snca-messages_de.properties
  • verinice-auth-default.xml, verinice-auth-standalone-default.xml, verinice-auth-messages.properties, verinice-auth-messages_de.properties
  • verinice-ldap.properties
  • web.xml

Folder: WEB-INF/classes/sernet/gs/server/spring

  • springDispatcher-servlet.xml
  • veriniceserver-common.xml
  • veriniceserver-daos-common.xml
  • veriniceserver-daos-osgi.xml
  • veriniceserver-daos-plain.xml
  • veriniceserver-reportdeposit.xml
  • veriniceserver-reportdeposit-dummy.xml

Please see the notes Update von Konfigurationsdateien - we're working on an English translation as of now.

© SerNet GmbH, 2018