Install SimpleRisk on WAMP Server

Introduction
SimpleRisk is a simple and free tool to perform risk management activities. Based entirely on
open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be
stood up in minutes and instantly provides the security professional with the ability to submit
risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track
regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak
risk formulas on the fly. It is under active development with new features being added all the
time and can be downloaded for free or demoed at https://www.simplerisk.it/.

Disclaimer
The lucky security professionals work for companies who can afford expensive GRC tools to aide
in managing risk. The unlucky majority out there usually end up spending countless hours
managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. When
Josh Sokol started writing SimpleRisk, it was out of pure frustration with the other options out
there. What he’s put together is undoubtedly better than spreadsheets and gets you most of the
way towards the “R” in GRC without breaking the bank. That said, humans can make mistakes,
and therefore the SimpleRisk software is provided to you with no warranties expressed or
implied. If you get stuck, you can always try sending an e-mail to [email protected] and we’ll
do our best to help you out. Also, while SimpleRisk was written by a security practitioner with
security in mind, there is no way to promise that it is 100% secure. You accept that as a risk when
using the software, but if you do find any issues, please report them to us so that we can fix them
ASAP.

Installing WAMP Server

Although SimpleRisk can run on just about any platform that runs PHP and MySQL, for the
purpose of this guide we will work in Windows using WAMP Server. This guide will from here on
out be speaking of setup and installation on this platform. Before we begin the steps to
installation first we must prep the environment. First we must disable IIS these steps can vary
differently but on Windows 8 and 10 the following will disable IIS.

Disable IIS
1. Right-Click start menu and click Programs & Features

2. On the left hand border of the menu click “Turn Windows features on or off”

3. Find Internet Information Security tree root and disable it. (This will allow our server to
operate traffic on port 80.)

Installing WAMP
1. Navigate to ​www.wampserver.com​ and select your language of choice from the top right
of the page.

2. Near the center of the top of the page you should find the “Download” link go ahead and
navigate there to find the applicable version for your architecture and click the yellow download
button should be labeled “WAMP SERVER 64 BITS (X64) 3.0.6” or “WAMP SERVER 43 BITS (X86)
3.0.6”

3. Open your file directory containing the downloaded installer and run it. Read installer
carefully as there are some prerequisites for installation of WAMP. A copy of the requirements: --
VC9 Packages (Visual C++ 2008 SP1)
http://www.microsoft.com/en-us/download/details.aspx?id=5582

http://www.microsoft.com/en-us/download/details.aspx?id=2092

-- VC10 Packages (Visual C++ 2010 SP1)

http://www.microsoft.com/en-us/download/details.aspx?id=8328

http://www.microsoft.com/en-us/download/details.aspx?id=13523
-- VC11 Packages (Visual C++ 2012 Update 4)
The two files VSU4\vcredist_x86.exe and VSU4\vcredist_x64.exe to be download are on the same
page: ​http://www.microsoft.com/en-us/download/details.aspx?id=30679

-- VC13 Packages] (Visual C++ 2013)

The two files VSU4\vcredist_x86.exe and VSU4\vcredist_x64.exe to be download are on the same
page: ​https://www.microsoft.com/en-us/download/details.aspx?id=40784

-- VC14 Packages (Visual C++ 2015 Update 3)

The two files vcredist_x86.exe and vcredist_x64.exe to be download are on the same page:
http://www.microsoft.com/fr-fr/download/details.aspx?id=53840

If you have a 64-bit Windows, you must install both 32 and 64bit versions, even if you do not use
Wampserver 64 bit.

4. Once the former has been installed you can continue through the installer by choosing
next. Choose the install directory wisely as you will have to go here frequently during the setup.
For this guide I have left it at “C:/wampserver” and will be referred to as installation directory
throughout the rest of the guide. (The installer will also ask for what browser you're going to use.
This will be your way of connecting to localhost for this example I will use Internet Explorer
(iexplore.exe).)

Setting up WAMPServer

1. Navigate to your WAMP server installation directory and open “wampmanager.exe”.

2. Download the SimpleRisk software at “​https://www.simplerisk.com/download​” (you will

need both the WEB BUNDLE and the INSTALLER files.)

3. Extract the downloaded files into a place you will be able to find easily for this example I
have extracted the WEB BUNDLE into “C:/SimpleRisk” then take the installer folder and extract it
into “C:/SimpleRisk” creating “C:/SimpleRisk/installer”

4. While wampmanager is running navigate to “localhost/” in your browser chosen during

installation. This page should look like the following.

5. At the far bottom left of the page choose “add a VirtualHost”

6. You will be on a page for configuring the virtualhost the first dialogue should contain what
you want to call the virtual host in this case we call it simplerisk if you are going to be running the
server on a local network and wish the other system to have access enter an IP in the second
dialogue of where you’d like the virtual host to be found at. The third dialogue box should contain
the file path to the simplerisk web bundle we downloaded earlier. Once filled out properly it
should look something like this.
7. The next step is we need to adjust the virtual host we just created to allow for the SimpleRisk
api to function properly. (This is required even if you are not using the API Extra.) To edit the
virtual host right-click the WAMP server system tray icon, then choose Apache, inside you will
find httpd-vhosts.conf open it. Once open you will need to match your simplerisk virtual host to
match the example below. (Note: Setting a “ServerAlias” and changing “Require Local” to
“Require all granted” are only necessary if your intend to access your SimpleRisk instance from
outside the local network. You will also have to left-click WAMP manager in the task bar and click
“Put Online” at the bottom to open the virtual host to the public.) Example:
<VirtualHost *:80>
ServerName simplerisk
DocumentRoot "c:/wamp64/www/simplerisk"
<Directory "c:/wamp64/www/simplerisk/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
allow from all
</Directory>
</VirtualHost>

8. Next we need to change the thread stack size to do this open the httpd.conf by left-clicking the
wamp task tray icon selecting the apache tree and finally clicking httpd.conf. Now at the very
bottom of this text file add the following:
<IfModule mpm_winnt_module>
ThreadStackSize 8388608
</IfModule>

9. The last step in setting up WAMP for SimpleRisk will be to change the PHP version to 7.3. Left
click the wamp task tray icon and select PHP then Version and lastly 7.3.1.

Accessing Simple Risk and Installing Database

1. Restart all WAMP services by finding the green W in your task tray and left-clicking and
selecting “restart all services”. You should be able to now go into your browser when it completes
restarting and type “/simplerisk” you should be taken to a page letting you know simplerisk
cannot communicate with the database. Looks something like this.
2. To install the database we first must set a password on the mysql database since WAMP
by default leaves this blank which simplerisk will not allow for an unsecured database. Left click
the wampserver manager task tray icon the green W and select MySql then MySql Console.

3. It will ask for the password leave blank and hit enter then type the following commands in
this order
3a. Type “use mysql;”
3b. Type “set password for ‘root’@’localhost’ = password(‘<yourpassword>’);”
(if using server by ip substitute step for “set password for ‘root’@’<chosenIP>’ =
password(‘<yourpassword>’);
This should look like the following.

4. One last step of preparation before we install the database will be to disable strict mode.
Navigate to the following directory in the wamp install should be something like
“C:\wamp64\bin\mysql\mysql5.7.14”. Open My.ini in a text editor of choice. Scroll down until
you find the code that resembles the screenshot below and remove the “;” before the command
“sql-mode=””. Now edit this line to read:

sql-mode=”NO_ENGINE_SUBSTITUTION”

Save and close the text file. Restart all service through the WAMP task bar icon. An example is
displayed below of the My.ini.

5. In your chosen browser navigate to “​http://simplerisk/install/​” this should look like the
picture shown below.
This page will show if any of the most common issues are present in your environment. If
everything looks good here you may hit continue at the bottom.

You will now be taken to the database connection stage of the install. This is where you can edit
how SimpleRisk connects to your database. For a simple setup and for our demonstration the
only thing you should need to fill out on this page is the MySQL “Database Pass:” field, once
entered you may hit the “Validate Database Credentials” button and it will ensure SimpleRisk is
able to make a connection to the database to setup the SimpleRisk user with the least privileged
required for the program to function. An example of this page is posted below.

6.
 Now that you have setup the SimpleRisk database connection your last step is to setup the
SimpleRisk install information and the SimpleRisk configuration information, you do not have to
enter or change anything on this page for a standard install. The most important thing to note on
this page is that you have 2 checks at the top notifying you that SimpleRisk was able to connect to
the database and that STRICT_TRANS_TABLES is not enabled. If everything looks correct you may
click the install button. An example of this page is posted below.

If everything was installed correctly you will be taken to a page that looks like the image below.
Your final step for setting up the database will be to click the update button and you will have
completed your SimpleRisk installation. Next we will cover logging in to your instance.

Logging in to SimpleRisk
You should now have performed all of the steps you need to for SimpleRisk to be up and running.
Now is the moment of truth where we hopefully get to see if all of your hard work paid off. You
now need to point your web browser to the URL where SimpleRisk would be installed. If you
followed the optional instructions, then it should be located at http://simplerisk/. You will know
that you’ve got the right page when you see something like this:
Enter username “admin” and password “admin” to get started. Then, select the “Admin”
dropdown at the top right and click on “My Profile”.

Enter your current password as “admin” and place a new long and randomly generated password
into the “New Password” and “Confirm Password” fields. Then click “Submit”.

You should receive a message saying that your password was updated successfully. If so, then
this is your new “admin” password for SimpleRisk. If you received a message saying that “The
password entered does not adhere to the password policy”, you can change the policy by
selecting “Configure” from the menu at the top followed by “User Management” on the left side.
You will see a “Password Policy” section at the bottom of the page where you can change the
policy and try changing your password again.

Registering SimpleRisk
This step is completely optional, but without it upgrades of SimpleRisk will require manual
downloads of the new version, backing up your configuration file, extracting the new files,
restoring the configuration file, and a database upgrade. It sounds like more effort than it really
is, but we’ve made the process far simpler if you’re willing to tell us who you are. To register
your SimpleRisk instance, select “Configure” from the menu at the top followed by “Register &
Upgrade” from the menu at the left.

Enter your information and select the “Register” button. This will create a unique Instance ID for
your SimpleRisk instance and download the Upgrade Extra which enables functionality for
one-click backups and upgrades. If you run into issues with the registration process, we
recommend that you check to ensure that the “simplerisk” directory and its sub-directories are
writeable by the www-data user (or whatever user Apache is running as).
 ** This completes your installation of SimpleRisk **

SimpleRisk Paid Support and Extras

Everything that you’ve seen up to this point is completely free for you to install and use, forever.
That said, we offer a number of ways for you to enhance your SimpleRisk instance with even
more functionality. If you like what you see, and find it useful, please consider purchasing one of
our inexpensive Paid Support plans or Extra functionality so that we can continue to offer you the
best open source risk management tool available. Thank you!