It seems that the space for the business asset name is very small compared to the other elements in the table on the Business asset tab. Would it be possible to make the fonts of the other columns for Asset Values slightly smaller so as to make more space for the asset name, so that the asset name column becomes wider?
We need to make sure that either the final PDF report or the ISRA itself can be digitally signed to indicate that it has been approved and finalized for a specific version and not modified after review.
Technical requirements:
It should support signing with hardware tokens such as smartcards as well as standard signing keys such as PGP.
If it is decided that digital signature is going to protect the actual risk data assessment file and not the PDF report:
When a data risk assessment file is opened if there is a digital signature:
It is verified to check for tampering; if tampered, an error is shown in a dialog box, but the data can still be viewed.
The digital signature should be displayed with who signed and date (in welcome page?), otherwise indicate not signed.
If data is modified, a dialog box indicates that the signature will be lost; the signature should be cleared and the user can continue working on it (maybe do it on export).
There should be a menu option to 'export' (To be discussed) the risk data assessment file and this would prompt the actual signature.
Additional requirements
Try to base digital signature on standard way for signing JSON files if they exist.
When loading a very complex Risk assessment, recalculating and repopulating the data in each tab may take some time, but it's not clear that the backend is processing data. It may be interesting to pop up a "processing/waiting" dialog box or other visual clue if a certain amount of time has elapsed and the backend has not responded yet. Other proposals are also good.
The objective is for the user to know that processing is still going on and that the application has simply not crashed / finished. The threshold for when this appears on the screen is: if the processing for the tab has not completed in X seconds, display the popup until the task is completed.
Requirements:
The value X, in seconds, can be configured through the configuration file. A value of 0 means always displayed.
Use-case:
We should be able to configure what types of files can be uploaded as attachments for the project description document and vulnerability description document.
Each page of the exported PDF should include the classification label in the page footer for security reasons. The classification label is the configured text at bottom of each tab ... confidential {Project} .
The text fields for Project Context, Business Assets, Supporting Assets will become empty if the user clicks on the respective tab while it is reloading
How to reproduce:
Key in some text in the rich text fields for any of the three tabs
Click on the tab to reload and click on it again while it is reloading
Example based on Risks ID (same issue observed on Supporting Asset IDs, not tested on others).
How to reproduce:
Delete Risk with max ID.
Save the file and close it.
Open the file
Add a new Risk: the deleted ID is reused.
This is a behavior change from the previous tool, in which IDs are unique even across sessions, to avoid ambiguous ID values between different assessment iterations. Being able to have different Risks with the same ID in different assessment versions may lead to ambiguous risk tracking in products.
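The following is an added example, not code from the ISRA project, showing one way to keep IDs unique across sessions as the previous tool did: each collection carries a high-water mark in the saved file, and a new ID is always one above both the stored mark and the highest ID still present. The field names (idCounters, risks) are assumptions; the scenario function replays the reproduction steps above on a constructed document.

```javascript
// Added example (not the ISRA project's code): allocate risk / supporting-asset
// IDs from a per-collection high-water mark stored in the assessment file, so an
// ID that was deleted in a previous session is never handed out again.
// Field names (`idCounters`, `risks`) are assumptions.

// Highest ID currently in use for a collection, or 0 when it is empty.
function maxId(items) {
  return items.reduce((m, item) => (item.id > m ? item.id : m), 0);
}

// Returns the next unused ID for `collection` and records the new high-water
// mark in `doc.idCounters`, so the counter survives save / close / reopen.
// Files written without idCounters fall back to the current maximum (the
// behaviour the report describes); from then on the counter only ever grows.
function allocateId(doc, collection) {
  doc.idCounters = doc.idCounters || {};
  const stored = doc.idCounters[collection] || 0;
  const next = Math.max(stored, maxId(doc[collection] || [])) + 1;
  doc.idCounters[collection] = next;
  return next;
}

// Remove an item by ID; deliberately leaves idCounters untouched.
function removeById(doc, collection, id) {
  doc[collection] = (doc[collection] || []).filter((item) => item.id !== id);
}

// Replays the reproduction steps on a constructed document: delete the risk
// with the max ID, "save and reopen" (JSON round trip), then add a risk.
function reproduceScenario() {
  const doc = { risks: [] };
  for (let i = 0; i < 3; i++) {
    doc.risks.push({ id: allocateId(doc, 'risks'), name: `R${i + 1}` });
  }
  const deleted = maxId(doc.risks);                 // 3
  removeById(doc, 'risks', deleted);
  const reopened = JSON.parse(JSON.stringify(doc)); // save + close + open
  const newId = allocateId(reopened, 'risks');      // 4, not 3
  return { deleted, newId, reused: newId === deleted };
}
```

The counter is only ever raised, never lowered, so deleting the last risk and reopening the file still yields a fresh ID; an assessment saved by the current tool (no counter) starts from its existing maximum and is consistent from the next save onward.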
The application will close on its own in some instances when either the file, edit or window menu was left open while a dialog box is active, after responding to that dialog box.
How to reproduce:
Trigger a dialog box (e.g. Save or Print)
Ignore the dialog box and click on file, edit, or window
Respond to the dialog box; the application will crash after this
In Supporting assets, under list of supporting assets, Network Security Level drop down missing value "3".
Compared to the ISRA opened using InfoPath, which has -2, -1, 1, 2, 3,
the ISRA app only has -2, -1, 1, 2.
Create an XML with some risks that are non-chronological, then import them in the new tool. They will be displayed in the original order, not in chronological order. It would be nice to sort them, or to be able to sort them in chronological order from the header of the table.
When supporting assets have empty labels, they can still be selected in the vulnerabilities tab as well as in the table where they are linked with the business assets.
Create a supporting asset
1a. They are displayed and linked to vulnerabilities in the vulnerability tab.
1b. They are displayed in the supporting assets when they must be linked to business assets
Whenever the user switches across tabs, a loading dialog will pop-up and very quickly go away, which can be disruptive if the user has to switch across tabs frequently
Supporting asset, risks and vulnerabilities add/delete buttons should be at the bottom of the table, not at the beginning of the table. This makes it easier to delete and add rows, especially in very big tables. This is a UX improvement.
1. Open an existing ISRA xml which has a file attached in Project Descriptive Document
2. Navigate to Project Context; an error message "Invalid Project Descriptive Document" pops up
3. Click on the attachment link and click Remove
4. Save as to a json file
5. Close the app and open the json file saved in step 4
6. Navigate to Project Context and attach a file in Project Descriptive Document
7. Navigate to the Welcome tab and then navigate back to Project Context again
8. Expect to see the file attached correctly in Project Descriptive Document, but no file is attached and the error message "Invalid Project Descriptive Document" pops up
1.0.0-alpha02:
When exporting the ISRA to a PDF, the page numbers and total page numbers should be added to the footer of each page. Position could be in center or other location in footer.
We should be able to configure the User Interface elements without modifying the schema used to validate the JSON risk assessment data format. For example, some typical elements that should be configurable by organizations are the following:
Organization in Welcome tab
Document classification label
Technical proposals
Should the configuration data elements be required for packaging? If not present, a warning is displayed to the user when packaging and default values are used. The default for organization in the welcome tab could be an edit box instead of a listbox. And for the label, it would be CONFIDENTIAL {Project} like it is now.
In the project context, in the threat modeling section, there is this text that may not be known to users:
"the result of the TLOT assessment: if the TLOT is low it may not be necessary to use a threat modeling tool"
It is proposed to replace it by:
"the result of the Targeted level of trust assessment (as defined in ISO 27034): if the TLOT falls within a certain minimum threshold it may not be necessary to use a threat modeling tool." which is clearer and defines what TLOT is
The JSON Schema contains some data that should not be present or seems wrong:
From 1.0.0-alpha03:
'description' element should be renamed to 'classification' as it represents the security classification of the document. Also in our implementation it should contain our organization name at the beginning.
appVersion: Should this not be hard-coded in the application? I am unsure; this should probably be discussed
What is the useNewDecode usage? It is found in 2 places in the Schema
What is the isAutomaticRiskName usage?
vulnerabilityCVE: Probably the default value should be a CVSS3.0 string, not a CVSS2.0 string, or it should simply be left empty.
cveScore: Why is the default 4.37, should it not be 0?
This issue may be difficult to reproduce. When running the executable, I printed to PDF, then switched to the PDF and opened it in Windows, and then came back to the SRA and could not switch tabs anymore, and no dialog box occurred. See attached image for more information. I am running Windows 10 with the Electron Windows executable electron-v21.3.3-win32-x64
Estimated Cost (md) is expected to be a number greater than or equal to 0 (zero).
Because man days (md) cannot be a negative value, it should not accept a + or - sign either.
When importing XML or JSON data with large files stored as base64 strings, or uploading large files to the application, JSON validation will fail due to a stack overflow, as the string is too large for the regex function used in the AJV package's validate function.
How to reproduce:
Upload Case
Upload any large files at Project Descriptive Document in the Project Context Tab (Rich text fields would work also but the uploaded image needs to be about 2MB)
An invalid attachment error pops up
Opening XML Case
Open any XML generated by ISRA containing large attachments in the application
An invalid xml file error pops up and the file cannot be opened
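As an added example (not the ISRA project's code and not AJV's), here is a defensive attachment check built around the cause the report identifies: the size limit is enforced first, from the encoded length alone, and the base64 character check runs in fixed-size slices so no single regex match ever spans a multi-megabyte string. The attachment shape {name, data}, the maxBytes limit and the 2 MB figure used in the demo are assumptions; the large payload is constructed.

```javascript
// Added example (not the ISRA project's code): validate a base64 attachment
// without running a regex over the whole payload. Cheap length checks come
// first; the character check is done per slice of SLICE characters.
// Attachment shape {name, data} and the `maxBytes` limit are assumptions.

const SLICE = 4096;                       // characters checked per regex call
const B64_BODY = /^[A-Za-z0-9+/]+$/;      // only ever applied to one slice

// Number of '=' padding characters at the end (0, 1 or 2).
function trailingPad(b64) {
  let pad = 0;
  while (pad < 2 && b64.length > pad && b64[b64.length - 1 - pad] === '=') pad++;
  return pad;
}

// Bytes a base64 string decodes to, computed from its length only.
function decodedSize(b64) {
  return (b64.length / 4) * 3 - trailingPad(b64);
}

// Linear-time, bounded-regex base64 syntax check.
function isBase64(b64) {
  if (b64.length === 0 || b64.length % 4 !== 0) return false;
  const body = b64.slice(0, b64.length - trailingPad(b64));
  for (let i = 0; i < body.length; i += SLICE) {
    if (!B64_BODY.test(body.slice(i, i + SLICE))) return false;
  }
  return true;
}

// Returns {ok, reason}. An oversized upload is rejected before any scan.
function validateAttachment(att, maxBytes) {
  if (!att || typeof att.name !== 'string' || typeof att.data !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  if (att.data.length % 4 !== 0) return { ok: false, reason: 'not-base64' };
  if (decodedSize(att.data) > maxBytes) return { ok: false, reason: 'too-large' };
  if (!isBase64(att.data)) return { ok: false, reason: 'not-base64' };
  return { ok: true, reason: null };
}

// Constructed inputs: a real small attachment, a synthetic ~3 MB payload
// standing in for the large file from the report, and a malformed string.
function demo() {
  const limit = 2 * 1024 * 1024;
  const small = { name: 'note.txt', data: Buffer.from('hello world').toString('base64') };
  const huge = { name: 'scan.pdf', data: 'A'.repeat(3 * 1024 * 1024) };
  const bad = { name: 'x.bin', data: 'ab$c' };
  return {
    small: validateAttachment(small, limit),
    huge: validateAttachment(huge, limit),
    bad: validateAttachment(bad, limit),
  };
}
```

The same two rules (a length bound checked first, and a scan whose cost is linear in the input) apply whether the check lives in a custom schema keyword or in the upload handler; the point is that validation cost and recursion depth must not depend on the attachment size.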
Use-case:
Imported a complex XML and switched between different tabs; when switching to the project context tab, I get a dialog box with the following information: Invalid Attachment: Invalid Project Descriptive Document.
Some auditors may require proof that the file has not been tampered with; there should probably be a digital signature mechanism for the file to ensure that it has not been modified outside of the tool.
Use-case: I wish to pre-populate datasets for supporting vulnerabilities, risks or supporting assets for example which can be reused by other users. Today the only way to do this is to open an existing risk assessment data file, which is not very clean. Instead it would be interesting to have an import option that imports datasets from selected tabs into an existing risk assessment data file.
Exact steps for a possible use-case:
User creates a new risk assessment and populates the welcome, project context and business assets fields.
User imports existing known supporting assets and vulnerabilities for this technology by opening the import menu item in File and selecting an existing JSON data file; a dialog box then appears permitting to select the tabs to import. He selects supporting assets and vulnerabilities to be imported, and all of these are imported into the current JSON data file.
Some extra information that needs to be discussed for the design for each tab:
Welcome tab should either not be able to be imported, or if imported, it should overwrite everything after a warning to user through a dialog box if data is already present and that it will be overwritten.
Project tab should either not be able to be imported, or if imported, it should overwrite everything after a warning to user through a dialog box if data is already present and that it will be overwritten.
Business assets tab: It should append to existing data but not append data that is equal to existing data.
Supporting assets tab: It should append to the existing supporting assets definition table and ignore the rest? Only append data that does not already exist
Risks tab: It should append to existing risks; only append risks that do not already exist
Vulnerabilities tab: It should append to existing vulnerabilities; only append vulnerabilities that do not already exist
The issue here is how to compare data for equality, such as risks, vulnerabilities and supporting assets: do we need to create a special reserved range of IDs, or create a UUID to define equality?
When importing a file from the previous format (XML), vulnerability scores are displayed with 11 digits of precision after the comma.
We should limit to one digit precision after the comma.
There are some projects whose ISRA xml has an empty Id for the 1st risk: <my:riskId xsi:nil="true"></my:riskId>
Opening this kind of ISRA xml file will not display correctly.
Steps to reproduce:
Open an ISRA xml whose 1st risk has an empty Id
Expect this xml to be opened correctly, able to see all risks in this file.
Actual result:
Only the 1st risk is shown in the table; the others are not shown.
Issue description:
In the risks tab, for security controls implementation, estimated cost (md) accepts a negative number or just a negative sign character.
Expected behavior:
Normally it should not be possible to set negative numbers, as they are impossible.
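An added example, not the ISRA project's code, for this report and the earlier "Estimated Cost (md)" requirement: the field value is accepted only when the whole string is a non-negative number, so a lone "-", a "+" or "-" prefix, blanks and text are all rejected with a reason a validation dialog can show. Allowing at most one decimal and the estimatedCostMd field name are assumptions.

```javascript
// Added example (not the ISRA project's code): accept only non-negative man-day
// values. The decision is made on the whole string, not per keystroke.
// One-decimal precision and the `estimatedCostMd` field name are assumptions.
const MD_PATTERN = /^(0|[1-9]\d*)(\.\d)?$/;   // digits, optional single decimal, no sign

// Returns { ok, value, error }; value is a Number on success.
function parseManDays(input) {
  const text = String(input === undefined || input === null ? '' : input).trim();
  if (text === '') return { ok: false, value: null, error: 'empty' };
  if (/^[+-]/.test(text)) return { ok: false, value: null, error: 'sign-not-allowed' };
  if (!MD_PATTERN.test(text)) return { ok: false, value: null, error: 'not-a-number' };
  return { ok: true, value: Number(text), error: null };
}

// Applies the rule to a whole security-control list and collects field errors
// with their path, the kind of structured message a validation dialog can show.
function validateControls(controls) {
  const errors = [];
  controls.forEach((c, i) => {
    const r = parseManDays(c.estimatedCostMd);
    if (!r.ok) {
      errors.push({ path: `controls[${i}].estimatedCostMd`, input: c.estimatedCostMd, error: r.error });
    }
  });
  return errors;
}
```

Rejecting the sign characters explicitly (rather than just checking value >= 0) is what stops the "-" alone case from the report: a bare "-" is not a number at all, and the error message should say the sign is not allowed rather than that the value is negative.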
When you have unsaved data and open a JSON file, it does not ask to save before opening the other file, so you may lose everything in case of inattention.
When copying some normal text from a textbox in the InfoPath version of the tool and pasting it back into the tool, the background color of the text, instead of being the default, becomes another background color.
Steps to reproduce:
In MS Infopath tool write some text in Project description textbox and copy it to the clipboard
Paste the copied text into the Project Description textbox of the ISRA Web app, the background color will be wrong.
The "AND" text position is incorrect when there are multiple items in the same attack path. It should be something like "item1 AND item2", but now it is "item1 item2 AND"
Steps to reproduce:
On an attack path which has only 1 item, it is expected not to have the "AND" text.
Click on the add button; the 2nd item is added, and it is expected to have the "AND" text beside the 1st item.
Actual result
The "AND" text is beside the 2nd item.
Transfer:
It is highly recommended for the application layer to protect all the xxx API that is used with anti hooking.
Navigate to ISRA Report tab and find the same risk
Expect to see the same decision text, but it is shown as
It is highly recommended for the application layer to protect all the XXX API Transfer:
that is used with anti hooking.
Use case 2:
There is a risk whose decision details are like
Mitigation:
xxx will only delay attacker to understand the program flow and critical function. Transfer:
It is highly recommended for the application layer to protect all the xxx that is used with anti hooking.
Navigate to ISRA Report tab and find the same risk
Expect to see the same decision text, but it is shown as
xxx will only delay attacker to understand the program flow Mitigation:
and critical function.
It is highly recommended for the application layer to protect all the xxx Transfer:
is used with anti hooking.
Use-case:
Currently, when there is a data validation error, the information displayed to the user does not lead to a very good user experience, as it does not give enough information to fix it.
This could be improved by adding more information.