About the CIS SecureSuite Platform
Introduction
The CIS SecureSuite Platform is an all-in-one solution for CIS SecureSuite Members to assess their cybersecurity posture against the CIS Controls and demonstrate compliance with the CIS Benchmarks. The platform combines the features and capabilities of existing CIS products into a simple and intuitive interface that offers all organizations the critical first steps to improve their cybersecurity posture.
Feature Highlights
- Consolidates the features and functionality from CIS-CAT (Configuration Assessment Tool) Pro Dashboard and CIS Controls Self Assessment Tool (CIS CSAT) in one platform
- Overall landing page view of CIS Benchmark and Controls assessments
- Single Sign-On (SSO)
- Consistent design and style
Technology
The CIS SecureSuite Platform is a web application built on the Grails framework. All the components required to operate the CIS SecureSuite Platform are embedded in the bundle and are configured during your installation of the CIS SecureSuite Platform.
The embedded components include:
- Database: MariaDB
- Web application: Apache Tomcat
- Java: OpenJDK version
- Identity and access management: Keycloak
Note
The CIS SecureSuite Platform will officially support only the delivered components. Refer to the SBOM for the version numbers of the embedded components.
Security
Development Process
CIS makes its best effort to ensure that the product is free from material vulnerabilities resulting from integrated third-party libraries with continuous use of monitoring tools as part of the software build process.
Additionally, we run static application security testing (SAST) scans to identify potential security vulnerabilities in the CIS SecureSuite Platform’s code during the early stages of development. These scans are thorough, detecting a wide range of issues, such as buffer overflow, cross-site scripting (XSS), injection flaws and more. With SAST scans, we are able to resolve issues without breaking builds or passing on vulnerabilities to CIS SecureSuite Platform releases.
Some detected vulnerabilities, however, may still be present in the application for several reasons: the vendor has not provided a non-vulnerable update, the vulnerability is a false positive, NIST has not yet completed its analysis, and so on. The known vulnerabilities are disclosed in the README.txt document within the bundle. With each release, CIS reviews and updates this list and, where possible, the affected libraries.
Penetration Testing
CIS performs annual penetration testing on eligible software products. The CIS SecureSuite Platform mitigates the risks identified by penetration test findings rated Medium or higher, using the recommended solutions associated with those findings.
SOC 2 Compliant
CIS's product engineering practices are SOC 2 certified.
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.
Security Trained Engineers
The CIS SecureSuite Platform's engineering team is composed of individuals educated and certified in CIS's cybersecurity best practices. We develop these best practices with our global community of cybersecurity experts.
Software Bill of Materials (SBOM)
The CIS SecureSuite Platform ships with a Software Bill of Materials (SBOM) in both JSON and XML file formats. The SBOM is updated with every release. You can find the SBOM in the Documentation folder of the bundle or download it from CIS WorkBench.
An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. CIS SecureSuite products utilize and embed many open source and commercial software components, and the SBOM enumerates these components in the product.
An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.
SBOMs can provide tremendous value when stored in a repository that can be easily queried by other applications or systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
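The operator use case described above, as an added example that is not part of this page or of the CIS SecureSuite Platform: read a CycloneDX-style JSON SBOM (the layout is an assumption; the component names are the page's embedded components but every version string, advisory id and version range is a constructed placeholder) and report which shipped components fall inside an advisory's affected range.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON (layout is an assumption).
# Component names match the page's embedded components; the version strings
# are invented placeholders, not the product's real SBOM.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "MariaDB", "version": "10.0.0"},
    {"type": "application", "name": "Tomcat", "version": "9.0.0"},
    {"type": "application", "name": "OpenJDK", "version": "17.0.0"},
    {"type": "application", "name": "Keycloak", "version": "20.0.0"}
  ]
}"""

# Constructed advisory feed: (id, component, first affected, first fixed).
# Ids and ranges are placeholders, not real vulnerabilities.
SAMPLE_ADVISORIES = [
    ("ADV-EXAMPLE-1", "tomcat", "9.0.0", "9.0.5"),
    ("ADV-EXAMPLE-2", "keycloak", "18.0.0", "19.0.0"),
    ("ADV-EXAMPLE-3", "mariadb", "10.0.0", "10.0.1"),
]

def parse_version(v):
    """'9.0.5' -> (9, 0, 5) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json):
    """Map lower-cased component name -> version from the SBOM's component list."""
    bom = json.loads(sbom_json)
    return {c["name"].lower(): c["version"] for c in bom.get("components", [])}

def affected_components(sbom_json, advisories):
    """Return (advisory id, component, installed version) for every embedded
    component whose version lies in [first_affected, first_fixed)."""
    comps = load_components(sbom_json)
    hits = []
    for adv_id, name, first_affected, first_fixed in advisories:
        installed = comps.get(name)
        if installed is None:  # advisory is for a component this bundle does not ship
            continue
        v = parse_version(installed)
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            hits.append((adv_id, name, installed))
    return hits

if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print("affected:", hit)
```

Swapping the embedded sample for the real SBOM file and a live advisory feed turns this into the repository query the paragraph above describes.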
FAQ
What will happen to CIS-CAT Pro Assessor, CIS-CAT Pro Dashboard, and CIS CSAT?
As we transition our Members to the CIS SecureSuite Platform, CIS will continue to support our existing products.
Do I need a current license to operate the CIS SecureSuite Platform?
Yes. The CIS SecureSuite Platform utilizes the same license that the current SecureSuite products utilize. The license is available from CIS WorkBench under your organization’s profile.
Can I deploy the CIS SecureSuite Platform on a system that already has previous releases of CSAT Pro or Dashboard installed?
No. The web and database ports required by the CIS SecureSuite Platform would already be in use by those tools.
What is the recommended target audience for the CIS SecureSuite Platform?
Small/medium organizations. The CIS SecureSuite Platform is not designed for very large enterprises generating a significant daily volume of assessment data from 1000+ systems.
Why is the CIS SecureSuite Platform a Java-based application?
To support the broadest possible portability, we created the CIS SecureSuite Platform as a Java application. It requires an available Java Runtime Environment (JRE) for execution, currently included as part of the installed application.
Is using Java with the CIS SecureSuite Platform safe?
The security vulnerabilities reported are not about Java (the programming language). While Java is used for the application, there is no Java code executed in the browser. Vue.js (JavaScript framework) is used to build some of the CIS SecureSuite Platform's UI and does execute in the browser.
The CIS SecureSuite Platform is written with security in mind. CIS utilizes scanning tools to detect vulnerabilities in the code and eliminates any detected issues before product releases.