Creating & Updating Projects

Overview

AttackForge is built upon Projects. Each project has scope (assets) and findings (vulnerabilities). Vulnerabilities are linked to assets.

Projects can be any of the following typical security testing activities, however is not limited to the following:

• Red Team and Purple Team Assessments

• Web Application Penetration Test

• Web Services / API Penetration Test

• Mobile Application Penetration Test

• Network and Infrastructure Penetration Test

• Wireless Network Assessment

• Source Code Review

• Configuration Audit

• PCI-DSS Assessment

• SCADA Assessment

• OSINT Assessment

• Physical Security Audit

Only Administrators, Project Coordinators, and delegated users can create a new project.

To create a new project, click on Projects module from the main menu. You will see a page which contains a table with all of your projects. To create a new project, click on New -> Project from the page menu.

Project Name

The project name is used to identify this pentest or security testing activity within the system.

Project Code

The project code is also used to identify this pentest or security testing activity within the system. It does not have to be unique. It can be any value.

Validating Project Code

AttackForge will validate the project code to check whether an existing project exists using the same code.

You can also fetch the latest project code to help with sequencing.

Linking Groups

You can link one or more groups to a project. Groups may be used in the following ways, however is not limited to following:

• Link a Customer to their project

• Link a Customer's 3rd party to the project (for example development agency)

• Link a Customer and their related organizational sub-units to the project

• Link a Platform / Technology to a project

• Link a Functional Team to the project

• Link a Security Team to the project

Linking a group will have the following effects:

• Any Group Members will automatically receive access to the project, based on their access level defined in the Groups' settings.

• Group Members will be able to filter Analytics based on the Group.

• Project data will be included in the Group Dashboard.

!IMPORTANT: Group members do not receive access to project-related emails by default. You need to enable this option in the groups settings when creating/updating a group.

Linking Portfolio Streams

You can associate a project with one or more Portfolio Streams at time of project creation or approval; or when editing a project. Data from the project, such as vulnerabilities and assets, will be associated with the relevant portfolios and streams automatically.

Scope

Every project must have at least one (1) asset assigned to the project scope.

Assets can be, but are not limited to, the following:

• URL for a web application or web services / API

• Name of an application or server

• Network subnet or IP address e.g. 192.168.0.1/24

• File (for example if performing a code review)

• Person (for example if performing social engineering)

• Address (for example if performing a physical security audit)

The asset(s) can be entered in manually or pasted in. You can also set your delimiter options for multi-scope projects.

If using the Assets module, assets can be selected from a list of pre-existing assets for which user has access.

Test Suites

When creating a new project, you can select one or more testing methodologies/playbooks/checklists to apply to the project - referred to as Test Suites.

A test suite helps:

• Clients understand exactly what was and was not tested on the project;

• Developers/Engineers link test cases to vulnerabilities;

• Pentesters structure their testing in a methodical, consistent & standardized way.

When hovering over each test suite, you will see brief information relating to what the test suite is intended for and number of test cases that will be assigned to the project.

AttackForge comes preloaded with test suites from industry benchmarks such as OWASP, MITRE OSSTMM, and more.

You can create custom test suites via the Test Suites module. This allows you to define exactly what you will test on your projects; or for customers.

Vulnerability Scoring System

When creating a new project, you can select a scoring system for the vulnerabilities.

AttackForge supports following scoring systems:

• Manual

  • manually select Priority (Critical / High / Medium / Low / Info)

  • manually select Likelihood of Exploitation - 1 [Difficult to Exploit] to 10 [Trivial to Exploit]

• CVSS v3.1 Baseline

• CVSS v3.1 Baseline + Temporal

• CVSS v3.1 Baseline + Temporal + Environmental

• CVSS v4 (coming soon)

Vulnerability Code

Vulnerability code field is used to generate user-friendly unique vulnerability identifiers for all vulnerabilities on the project.

For example, if you set a vulnerability code as SEC01 - the first vulnerability created on the project will have an alternate user-friendly unique identifier of SEC01-1. The next vulnerability will be SEC02-2 and so on.

You can update the vulnerability code on a project at any time, so long as it's a unique value (has not been used on ay other projects) and is between three (3) to eight (8) characters in length.

When you update a vulnerability code on a project - all of the existing IDs for any of the projects' vulnerabilities will also be updated to match, except for Linked Vulnerabilities. To manage the vulnerability code for a linked vulnerability, you need to update the settings from the source project.

!IMPORTANT: Be careful if you update a vulnerability code on a project - as it may break your existing references to vulnerabilities in other external tools.

Apply SLAs on Vulnerabilities

This field will become available if you have SLAs enabled in Administration -> Vulnerabilities -> SLA.

Usually SLAs will be automatically applied to any new vulnerabilities created or imported on your projects.

However you can opt-out of applying SLAs automatically, and instead apply them manually on selected vulnerabilities.

This is useful if you want SLAs to applied only under certain conditions, for example:

• Apply SLAs only at the end of the project

• Apply SLAs only when the application team acknowledges the findings

• Apply SLAs only on certain projects, for example compliance/regulatory projects

• Apply SLAs only on certain vulnerabilities that require an SLA

To disable automatic creation of SLAs on your project, select Manual option.

To apply SLAs manually on your vulnerabilities, please check this link.

Email Project Team on Events

To make vulnerability information flow faster to help reduce time-to-remediate - email notifications can be enabled on different events, such as discovery of a new critical or high vulnerability. You can opt into whichever email notifications are relevant for the project.

Notification Type For New Vulnerabilities

Emails for new vulnerabilities can be sent in two different ways:

• Send Individual Email For Each New Vulnerability - an email will be sent to each opt-in project team member (and additional recipients, if configured) for every new vulnerability discovered. That is, one email will be sent per new vulnerability.

• Send One Email with Details For All New Vulnerabilities - an email will be sent to each opt-in project team member (and additional recipients, if configured) which includes a summary for every new vulnerability discovered, in a single email. That is, one email will be sent with a summary for each new vulnerability.

Email Body for Vulnerabilities

Send Individual Email For Each New Vulnerability

If you have opted into 'Send Individual Email For Each New Vulnerability' (see above) - you can set a custom email template for each vulnerability.

When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format. You can adjust the standard template which is already pre-loaded for convenience.

The following meta tags will map to the following details when the email is sent:

• {firstName} - this will include the firstName of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.

• {consultant} - this is the first name & last name of the consultant who is sending the daily email.

• {projectName} - this will be the name of the project.

• {priority} - this is the priority of the vulnerability i.e. Critical, High, Medium, Low, Info.

• {title} - this is the title of the vulnerability.

• {asset} - this is the affected asset for the vulnerability.

• {likelihood_of_exploitation} - this is the likelihood of exploitation for the vulnerability. It is a number between 1 to 10.

• {is_zeroday} - this is either Yes or No depending on if the vulnerability is a Zero-Day (0-day) or not.

• {description} - this is the description of the vulnerability.

• {attack_scenario} - this is the attack scenario of the vulnerability.

• {remediation_recommendation} - this is the remediation recommendation for the vulnerability.

• {proof_of_concept} - this is the proof of concept / steps to reproduce the vulnerability. This is rendered in full HTML.

• {notes} - this is the notes for the vulnerability.

• {tags} - this is the tags for the vulnerability. It is presented as an unordered list.

• {link} - hyperlink to view the new vulnerability in AttackForge

• {link.url} - URL to view the new vulnerability in AttackForge

• Support has now been added for '{vulnerabiity.<tag>}' Custom Email Meta Tags: https://support.attackforge.com/attackforge-enterprise/getting-started/notifications#custom-email-meta-tags

Send One Email with Details For All New Vulnerabilities

If you have opted into 'Send One Email with Details For All New Vulnerabilities' (see above) - you can set a custom email template with a summary for all new vulnerabilities.

When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format. You can adjust the standard template which is already pre-loaded in the form for you.

The following meta tags will map to the following details when the email is sent:

• {firstName} - this will include the firstName of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.

• {consultant} - this is the first name & last name of the consultant who is sending the daily email.

• {projectName} - this will be the name of the project.

!IMPORTANT: The following tags must be included within {vulnerabilities}...{/vulnerabilities} tags in your template - for example {vulnerabilities}<li>{priority} - {title}</li>{/vulnerabilities}

• {priority} - this is the priority of the vulnerability i.e. Critical, High, Medium, Low, Info.

• {title} - this is the title of the vulnerability.

• {asset} - this is the affected asset for the vulnerability.

• {likelihood_of_exploitation} - this is the likelihood of exploitation for the vulnerability. It is a number between 1 to 10.

• {is_zeroday} - this is either Yes or No depending on if the vulnerability is a Zero-Day (0-day) or not.

• {description} - this is the description of the vulnerability.

• {attack_scenario} - this is the attack scenario of the vulnerability.

• {remediation_recommendation} - this is the remediation recommendation for the vulnerability.

• {proof_of_concept} - this is the proof of concept / steps to reproduce the vulnerability. This is rendered in full HTML.

• {notes} - this is the notes for the vulnerability.

• {tags} - this is the tags for the vulnerability. It is presented as an unordered list.

• {link} - hyperlink to view the new vulnerability in AttackForge

• {link.url} - URL to view the new vulnerability in AttackForge

• Support has now been added for '{vulnerabiity.<tag>}' Custom Email Meta Tags: https://support.attackforge.com/attackforge-enterprise/getting-started/notifications#custom-email-meta-tags

Email Body for Start/Stop Testing

When creating or updating a project, you can set a custom email body for the daily start & stop testing notifications which are sent to the project team. You can also send the emails to additional recipients which are not already on the project team, for example SOC teams.

When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format. You can adjust the standard template which is already pre-loaded for convenience.

The following meta tags will map to the following details when the email is sent:

• {firstName} - this will include the firstName of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.

• {consultant} - this is the first name & last name of the consultant who is sending the daily email.

• {started_or_stopped_testing} - this will be either 'Started Testing' or 'Stopped Testing' depending on the daily email action being performed.

• {projectName} - this will be the name of the project.

• {projectStartDate} - start date for the project.

• {projectEndDate} - end date for the project.

• {key.<custom_field>} - you can access your project custom fields using {key.<custom_field>} where <custom_field> is the key for your custom field. For example, if you had a custom field 'Out of Scope' and it had a key 'out_of_scope' - you can use {key.out_of_scope} to print the value of the custom field in this email.

• {scope} - this is the scope on the project. It is presented as an unordered list.

• {link} - hyperlink to view the project in AttackForge

• {link.url} - URL to view the project in AttackForge

• {startTesting}...{/startTesting} - information which will only be sent in email's when testing has started.

• {stopTesting}...{/stopTesting} - information which will only be sent in email's when testing has stopped.

• {totalVulns} - total number of vulnerabilities on the project.

• {totalCriticalVulns} - total number of critical vulnerabilities on the project.

• {totalHighVulns} - total number of high vulnerabilities on the project.

• {totalMediumVulns} - total number of medium vulnerabilities on the project.

• {totalLowVulns} - total number of low vulnerabilities on the project.

• {totalInfoVulns} - total number of informational vulnerabilities on the project.

• {totalVulnsToday} - total number of vulnerabilities that were discovered today.

• {totalCriticalVulnsToday} - total number of critical vulnerabilities that were discovered today.

• {totalHighVulnsToday} - total number of high vulnerabilities that were discovered today.

• {totalMediumVulnsToday} - total number of medium vulnerabilities that were discovered today.

• {totalLowVulnsToday} - total number of low vulnerabilities that were discovered today.

• {totalInfoVulnsToday} - total number of informational vulnerabilities that were discovered today.

• {totalActionedTestCasesToday} - total number of actioned test cases today.

• {totalFailedTestCasesToday} - total number of failed test cases today.

• {totalRemainingTestCases} - total number of remaining test cases on project.

• {totalRemainingTestCases%} - percentage of remaining test cases on project.

• {totalCompletedTestCases} - total number of completed test cases on project.

• {totalCompletedTestCases%} - percentage of completed test cases on project.

• Support has now been added for '{project.<tag>}' Custom Email Meta Tags: https://support.attackforge.com/attackforge-enterprise/getting-started/notifications#custom-email-meta-tags

!IMPORTANT: The following tags must be included within {assets}...{/assets} tags in your template - for example {assets}<li>{name} - {details}</li>{/assets}

• {name} - name of the asset.

• {type} - asset type.

• {details} - details for the asset.

• {external_id} - external id of the asset.

• {key.<custom_field>} - you can access your asset custom fields using {key.<custom_field>} where <custom_field> is the key for your custom field. For example, if you had a custom field 'Asset Owner' and it had a key 'asset_owner' - you can use {key.asset_owner} to print the value of the custom field in this email.

Let's take a look at an example email template:

<p>Hi {firstName},</p>
<p>This is just a courtesy email to let you know {consultant} has {started_or_stopped_testing} for <br /><b>{projectName}</b></p>
{startTesting}
<p>As a reminder, testing for {projectName} will be performed between {projectStartDate} to {projectEndDate}.</p>
<p>The scope for testing is as follows: 
{scope}
</p>
{/startTesting}
{stopTesting}
<p>
Please find summary below for today's testing:
</p>
<h4>Testing Progress</h4>
<ul>
<li>Test Cases Actioned Today: {totalActionedTestCasesToday}</li>
<li>Test Cases Failed Today: {totalFailedTestCasesToday}</li>
<li>Total Test Cases Completed: {totalCompletedTestCases} ({totalCompletedTestCases%})</li>
<li>Total Test Cases Remaining: {totalRemainingTestCases} ({totalRemainingTestCases%})</li>
</ul>
<h4>Vulnerabilities Found Today</h4>
<ul>
<li>Total: {totalVulnsToday}</li>
<li>Critical: {totalCriticalVulnsToday}</li>
<li>High: {totalHighVulnsToday}</li>
<li>Medium: {totalMediumVulnsToday}</li>
<li>Low: {totalLowVulnsToday}</li>
<li>Info: {totalInfoVulnsToday}</li>
</ul>
{/stopTesting}
<p>For more information on testing progress please visit {link}.</p>

When the Daily Start Testing email is sent, it will appear as follows:

And when the Daily Stop Testing email is sent, it will appear as follows:

Invite Project Team Members

You can invite your project team during the project creation process.

You can invite as many users as you need, all in one go. You can define the following for each project team member:

• Access Level

  • Set the access level for the user on the project. This can be either View, Upload & Edit.

  • Full details for each access level are displayed in the info panel, and can also be found in the Access Control Matrix

• Project Role

  • Set the users' project role on the project e.g. pentester, customer, developer, etc.

  • Project role is used for collaborative purposes only. Privileges are managed via access level (see above)

• Notification Events

  • Set the emails which the user will receive on the project.

• Test Suites

  • Assign the user to a test suite. The user will be assigned to each of the test cases loaded on the project for the given test suite.

Features

You can configure different features, and access to those features, on your projects. For example:

• Test Cases - You can configure the lowest project access level required in order to see Test Cases. You can also configure which application user roles can get access to Test Cases on the project.

• Retesting - You can enable or disable Retesting Rounds on the project. You can also configure the lowest project access level required in order to see Retesting Rounds. You can also configure which application user roles can get access to Retesting Rounds on the project.

• Attack Chains - You can enable or disable Attack Chains on the project. You can also configure the lowest project access level required in order to see Attack Chains. You can also configure which application user roles can get access to Attack Chains on the project.

• Reporting - You can enable or disable Reporting on the project. This affects both reports which can be downloaded as well as the Executive Summary. You can also configure the lowest project access level required in order to see Reporting. You can also configure which application user roles can get access to Reporting on the project.

!IMPORTANT: Test Cases cannot be disabled on projects (for now).

!IMPORTANT: Project Coordinators and Administrators will always have access to all features on their projects. You cannot restrict features for these user roles.

Reviewing & Creating Project

After you have completed setting up the project, you can review the project to ensure all the details are correct, then proceed to create the project. Once the project is created, you will be directed to the project dashboard page.

Updating a Project

After your project is created, you will be redirected to the Project Dashboard page. This is you control center for your projects. From here you can access all project areas.

If you would like to update your project, you can click on the cog in the top-right of the page to enter the settings.

Place Project On-Hold / Off-Hold

A project may be set to On-Hold or Off-Hold at any time. This can be used when there are issues which are preventing the project from progressing further, and recording when these issues have been resolved.

When a project is placed on-hold or off-hold, an email will be sent to the project team with the reason why, and the project status will be updated.

Every time a project is placed on-hold or off-hold, the details are logged in the project tracking section. You can access this by clicking on Tracking button on your project dashboard page.

Cloning Projects

If you are an Administrator or Project Coordinator - you can clone an existing project. This is an effective way to:

• Prepare for a new round of testing

• Track vulnerabilities for specific assets across projects

• Focus retesting on open vulnerabilities

When cloning a project, the new project will get access to:

• Project settings, which can be adjusted for the new project - this includes name, codes, test suites, scope, email templates, portfolios, custom fields & project team

• Project workspace, included all notes & files previously uploaded / created

• Project notes previously created (excluding private notes)

• Executive summary, including uploaded files

You can also select which vulnerabilities (if any) you would like to carry forward into the new project.

To start, you can select Clone Project option from project module actions menu.

Step 1: Configure New Project

Review & adjust settings for new project.

Step 2: Select Vulnerabilities

Select any vulnerabilities from previous project you would like to bring into this new project.

!IMPORTANT: When cloning vulnerabilities, keep in mind: - Vulnerabilities are not transferred. Vulnerabilities will become available in the new project, and will also remain available in the source project. - Vulnerabilities are not copied. This means there will be no duplication of vulnerabilities. - Vulnerabilities are universal. Any changes to these vulnerabilities in the source project, will also apply to the new project, and vice-versa. - Assets assigned to each vulnerability will be added to the new projects' scope.

Step 3: Select Options

Select from different cloning options available.

Once you are done, simply click Review and Create Project and your new cloned project will be ready.

View Project Logs

If you are an Administrator or Project Coordinator - you can view project logs to see every recorded event on the project. This can help you to troubleshoot or report on project activities. You can view logs from the project settings page.

Delete Project

If you are an administrator, you can delete your project at any time by first selecting Archive Project from the projects module actions menu. You will receive a confirmation prompt to authorise this.

All archived projects will be sent to the projects archive. You can access the project archive from Projects module page, by selecting Archived Projects.

Archived projects are hidden for non-admin users. Therefore any vulnerabilities inside archived projects will no longer be included in dashboards, analytics or other sections with AttackForge.

Archived projects can be restored at any time by selecting Restore Project from the actions menu.

You can also permanently destroy projects. This can be performed using the Destroy Project Data options from the action menu.

!WARNING - once a project has been destroyed, there is no way to recover it or its data.