Release Notes

Knowledge Base

Additional information, tips and tricks are now available at https://www.security-analyst.org. Since the last release we have given a couple of presentations on how to perform an ISO/SAE 21434 compliant TARA with our tool; you can watch them at the very bottom of that page.

Important Changes

New Report Items specific for ISO/SAE 21434

We have added three new report items that can be added to any report template:

  • Assets and Damage Scenarios Table: This report item shows the identified assets with their associated damage scenarios. It is aligned with Table G.2 of the ISO/SAE 21434 DIS.
  • Damage and Threat Scenarios Table: This report item shows the threat scenarios for each damage scenario. It is aligned with Table G.6 of the ISO/SAE 21434 DIS.
  • Threat Scenarios and Attack Paths Table: This report item shows the attack paths of each threat scenario. Because the number of possible attack paths can be very high, the number of shown paths can be reduced by skipping paths whose rating is identical to that of a path already shown. The table is aligned with Table G.10 of the ISO/SAE 21434 DIS.

Improved Attack Feasibility Rating

We have fixed the handling of rare or invalid combinations in the attack feasibility rating. For example, an error is now displayed when consecutive risk factors are defined although neither initial risk factors nor an initial explicit attack feasibility is present; inherited risk factors are taken into account in this check. Furthermore, it is now possible to distinguish between “don’t use consecutive risk factors” and “inherit all consecutive risk factors”. For the latter case we fixed a bug where the corresponding risk factors were not always shown at the inheriting element.

Fixed Risk Calculation

If identical damage was received from several sources, only the first source was considered. This could lead to wrong risk levels because the relevant attack paths of the other sources were omitted from the calculation. This has been fixed.
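The two behaviours above, the reduction of attack paths to one per distinct rating and the roll-up of risk over attack paths from every source, illustrated on constructed data. This is an added example and not code from Security Analyst; the factor scales, rating thresholds and risk matrix are assumptions modelled on the attack potential approach of ISO/SAE 21434, not the tool's own, and the pre-fix "first source only" behaviour is kept alongside the fixed one for comparison:

```python
"""Added example, not code from Security Analyst.

Illustrates two behaviours named in these release notes on constructed data:
  * reporting: list only one attack path per distinct attack feasibility
    rating of a threat scenario (the reduction used for the Table G.10 style
    report item);
  * risk calculation: when a damage scenario receives identical damage from
    several sources, the attack paths of *every* source must be considered
    (the pre-fix behaviour that stopped at the first source is kept for
    comparison).
The factor scales, rating thresholds and the risk matrix are assumptions for
this example, modelled on the attack potential approach, not the tool's own.
"""
from dataclasses import dataclass


def feasibility_rating(elapsed_time, expertise, knowledge, window, equipment):
    """Attack feasibility from summed attack-potential factors.

    Thresholds are an assumption for this example.
    """
    total = elapsed_time + expertise + knowledge + window + equipment
    if total < 14:
        return "High"
    if total < 20:
        return "Medium"
    if total < 25:
        return "Low"
    return "Very low"


# Assumed risk matrix: impact rating x attack feasibility rating -> risk value 1..5
RISK_MATRIX = {
    "Negligible": {"Very low": 1, "Low": 1, "Medium": 1, "High": 1},
    "Moderate":   {"Very low": 1, "Low": 2, "Medium": 2, "High": 3},
    "Major":      {"Very low": 1, "Low": 2, "Medium": 3, "High": 4},
    "Severe":     {"Very low": 2, "Low": 3, "Medium": 4, "High": 5},
}


@dataclass(frozen=True)
class AttackPath:
    steps: tuple    # threats along the path, in order
    factors: tuple  # (elapsed_time, expertise, knowledge, window, equipment)

    def rating(self):
        return feasibility_rating(*self.factors)


@dataclass
class ThreatScenario:
    name: str
    paths: list     # list[AttackPath]


@dataclass
class DamageScenario:
    name: str
    impact: str     # Negligible | Moderate | Major | Severe
    sources: dict   # source element name -> threat scenarios causing this damage


def distinct_rating_paths(paths):
    """Keep the first attack path seen for each distinct feasibility rating."""
    seen = {}
    for path in paths:
        seen.setdefault(path.rating(), path)
    return list(seen.values())


def _risk_over(paths, impact):
    return max((RISK_MATRIX[impact][p.rating()] for p in paths), default=None)


def risk_first_source_only(ds):
    """Pre-fix behaviour: only the first source's attack paths are considered."""
    first = next(iter(ds.sources.values()))
    return _risk_over([p for ts in first for p in ts.paths], ds.impact)


def risk_all_sources(ds):
    """Fixed behaviour: attack paths of every source contribute to the risk."""
    paths = [p for scenarios in ds.sources.values() for ts in scenarios for p in ts.paths]
    return _risk_over(paths, ds.impact)


def example_damage_scenario():
    """Constructed sample: the same damage reached via two source elements."""
    firmware = ThreatScenario("Tampering with brake ECU firmware", [
        AttackPath(("Physical access to OBD", "Flash modified image"), (10, 6, 3, 1, 4)),
        AttackPath(("Exploit update service", "Flash modified image"), (4, 6, 7, 1, 4)),
        AttackPath(("Extract keys from ECU", "Sign forged image"), (17, 8, 7, 4, 7)),
    ])
    spoofing = ThreatScenario("Spoofing of brake request on vehicle bus", [
        AttackPath(("Compromise telematics unit", "Inject CAN brake frame"), (1, 3, 0, 4, 0)),
    ])
    return DamageScenario("Unintended braking at speed", "Severe",
                          {"Brake ECU": [firmware], "Vehicle bus": [spoofing]})


if __name__ == "__main__":
    ds = example_damage_scenario()
    for source, scenarios in ds.sources.items():
        for ts in scenarios:
            print(f"{ts.name} ({source}):")
            for p in distinct_rating_paths(ts.paths):
                print(f"  {p.rating():9} {' -> '.join(p.steps)}")
    print("risk, first source only:", risk_first_source_only(ds))
    print("risk, all sources:      ", risk_all_sources(ds))
```

In the sample the firmware paths rate Low or Very low, while the single spoofing path rates High. Considering only the first source therefore under-reports the risk of the Severe damage scenario (3 instead of 5), which is exactly the class of error the fix removes; the report-side reduction drops one of the two Low-rated firmware paths without losing any rating.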

Consistent Inheritance for Catalog Elements

We have fixed inconsistencies in how properties of catalog elements (threat classes, control classes) were derived. Now only risk factors are derived; all other properties (e.g. technologies, threatened or protected security properties, …) are never derived.

XSAM: Aligned XML Tags and Name based References

The names used in XML tags and in name-based references have been aligned. Name-based references should therefore now match the following syntax: “name/<TagName>/<ElementNameAttributeValue>”.
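A check for this syntax over an XSAM-like document, as an added example that is not part of Security Analyst or of the XSAM format definition. It only follows the reference syntax given above; the real XSAM schema is not shown on this page, so the assumptions are that named elements carry their name in a `name` attribute, that references are stored in a `ref` attribute, and that the sample document is constructed. It resolves each reference and reports references that are dangling or not in the aligned syntax:

```python
"""Added example, not part of Security Analyst or the XSAM format definition.

Checks name-based references of the form
    name/<TagName>/<ElementNameAttributeValue>
against the elements of an XML document and reports dangling ones.
Assumptions for this example: elements carry their name in a `name`
attribute, references are stored in a `ref` attribute, and the sample
document below is constructed; the real XSAM schema is not shown here.
"""
import xml.etree.ElementTree as ET

REF_PREFIX = "name/"


def parse_reference(ref):
    """Split 'name/<TagName>/<ElementName>' into (tag, name).

    Splits on the first two slashes only, so element names that themselves
    contain '/' survive. Returns None for strings not in this syntax.
    """
    if not ref.startswith(REF_PREFIX):
        return None
    parts = ref.split("/", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


def index_named_elements(root):
    """Map (tag, value of the name attribute) -> element for every named element."""
    index = {}
    for el in root.iter():
        name = el.get("name")
        if name is not None:
            index[(el.tag, name)] = el
    return index


def check_references(xml_text):
    """Return (resolved, dangling, malformed) lists of reference strings in document order."""
    root = ET.fromstring(xml_text)
    index = index_named_elements(root)
    resolved, dangling, malformed = [], [], []
    for el in root.iter():
        ref = el.get("ref")
        if ref is None:
            continue
        key = parse_reference(ref)
        if key is None:
            malformed.append(ref)
        elif key in index:
            resolved.append(ref)
        else:
            dangling.append(ref)
    return resolved, dangling, malformed


# Constructed sample (assumed structure): one asset name contains a slash,
# one reference targets a damage scenario that does not exist, and one
# reference lacks the "name/" prefix required by the aligned syntax.
SAMPLE = """<Model>
  <Asset name="Brake request"/>
  <Asset name="CAN/Brake request"/>
  <DamageScenario name="Unintended braking">
    <asset ref="name/Asset/Brake request"/>
    <asset ref="name/Asset/CAN/Brake request"/>
  </DamageScenario>
  <ThreatScenario name="Spoofed brake request">
    <damageScenario ref="name/DamageScenario/Unintended braking"/>
    <damageScenario ref="name/DamageScenario/Loss of steering"/>
    <damageScenario ref="DamageScenario/Unintended braking"/>
  </ThreatScenario>
</Model>"""


if __name__ == "__main__":
    resolved, dangling, malformed = check_references(SAMPLE)
    print("resolved :", resolved)
    print("dangling :", dangling)
    print("malformed:", malformed)
```

The split on the first two slashes matters: an element name such as "CAN/Brake request" is legal in the attribute value, and a naive `split("/")` would turn the reference into a false dangling report.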

Display Damage Scenarios in Security Graph

Damage Scenarios are now displayed in the security graph (“Graphing” tool window) above security objectives.

Improved Installer

The installer now supports installing different Security Analyst versions side by side. We have also fixed a bug which could prevent Security Analyst from being started by the installer right after installation.

Improved Tooltips in Assistants

Tooltips in the assistants now show the full name, title and an excerpt of the description, as was already the case for cross references elsewhere.

Dangling References Notification for most Elements

If an element is deleted and leaves dangling references, the user is notified in a popup. Previously this was only the case when a threat was deleted; now the deletion of any main element, as well as of assessment model entries, triggers this notification.

Various Fixes and Improvements

  • Fixed a bug where the description of an element could get lost when copy &amp; paste was used
  • The “is impossible” property of threats/controls can now be set in the table view
  • Fixed editing of (inherited) risk factors in the table view
  • Fixed editing of consecutive risk factors in the table view
  • Fixed missing properties and expression parser for XSAM import/export
  • Improved derived title of security objectives when no security property or concerned system element was specified
  • Improved auto layout of system diagram: now automatically triggers “fit view”
  • Improved default chunk names (after new project creation)
  • Improved report template editor
  • Documented version mapping (see end of this document)

Migration from earlier Versions

See: https://www.security-analyst.org/2020/03/31/update-and-migration-notes/  

Version Mapping

The following table can be used to determine the Security Analyst version from the version of the internal plugin “com.moraad.core” that is stored in the .msd file of every solution:

com.moraad.core plugin version    Security Analyst version
37                                2.5.1
41                                2019.2.0
44                                2019.3.0
46                                2019.3.1
48                                2019.4.0
49                                2019.4.1
54                                2020.2.1
55                                2020.1.1
58                                2020.2.0
59                                2020.2.1