Review & QA

Overview

Quality assurance is a very personal and bespoke process for every organization.

For example, internal security teams usually have different QA workflows when compared to consultancies and MSSPs.

Some teams are small, highly experienced and co-located, whereas others might be large, with a mixture of senior and junior testers, and geographically dispersed, which makes QA workflows unique to each organization.

Areas you might consider in your QA workflows include:

  • Configuring QA fields, for example:

    • QA Status (not ready / ready / passed / failed / etc.)

    • QA Requestor (user / users / group / groups)

    • QA Reviewer (user / users / group / groups)

    • QA Approver (user / users / group / groups)

    • QA Approved Datetime

    • etc.

  • Configuring business logic on when those QA fields should show or hide

  • Access control on each field, i.e. who can view it and who can edit it

  • Capturing QA comments and discussions

  • Notifying QA members when QA review is requested

  • Permitting authorized QA members to perform QA review, and to update QA status fields

  • Transitioning statuses according to custom business logic relating to QA fields

You can also adjust the project status calculation logic to factor in your QA fields. For example, you may only consider a project to be “Completed” when your custom QA criteria have been met.

All QA fields can be used in reports. For example, you may need reports which only show vulnerabilities once your QA has passed, or which include information on the QA reviewers. There are examples of this on our ReportGen GitHub repository.
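The list above and the two paragraphs that follow it describe three pieces of QA business logic: field-level access control, status transitions driven by QA fields, and a project status calculation that only reports "Completed" once QA criteria are met. The model below is an added illustration written for this page; it is not AttackForge's data model, API, ReportGen code or a Flows automation. The QA field names, the group names (testers, qa-reviewers, qa-approvers), the allowed transitions and the sample findings are all assumptions chosen to make the logic concrete.

```python
"""Hypothetical QA workflow model (added example, not AttackForge's own code).

Assumes custom QA fields qa_status, qa_requestor, qa_reviewer, qa_approver and
qa_approved_at on each vulnerability, and three assumed user groups.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Allowed QA status transitions (an assumed workflow, not a product default).
TRANSITIONS = {
    "not ready": {"ready"},
    "ready": {"passed", "failed"},
    "failed": {"ready"},   # fix the finding, then request review again
    "passed": set(),       # terminal for this cycle
}

# Access control on each field: which groups may edit it (assumed group names).
FIELD_EDITORS = {
    "qa_status": {"qa-reviewers"},
    "qa_requestor": {"testers", "qa-reviewers"},
    "qa_reviewer": {"qa-reviewers"},
    "qa_approver": {"qa-approvers"},
}


@dataclass
class User:
    name: str
    groups: Set[str]


@dataclass
class Vulnerability:
    title: str
    qa_status: str = "not ready"
    qa_requestor: Optional[str] = None
    qa_reviewer: Optional[str] = None
    qa_approver: Optional[str] = None
    qa_approved_at: Optional[datetime] = None
    review_notes: List[str] = field(default_factory=list)


def can_edit(user: User, field_name: str) -> bool:
    """True if the user belongs to a group allowed to edit the field."""
    return bool(user.groups & FIELD_EDITORS.get(field_name, set()))


def _transition(vuln: Vulnerability, new_status: str) -> None:
    """Apply a status change only if the workflow permits it."""
    if new_status not in TRANSITIONS[vuln.qa_status]:
        raise ValueError(f"{vuln.title!r}: {vuln.qa_status} -> {new_status} not allowed")
    vuln.qa_status = new_status


def request_review(vuln: Vulnerability, user: User) -> None:
    """Tester marks a finding ready for QA (not ready/failed -> ready)."""
    if not can_edit(user, "qa_requestor"):
        raise PermissionError(f"{user.name} may not request QA")
    _transition(vuln, "ready")
    vuln.qa_requestor = user.name


def review(vuln: Vulnerability, user: User, passed: bool, note: str) -> None:
    """Reviewer records a verdict (ready -> passed/failed) plus a review note."""
    if not can_edit(user, "qa_status"):
        raise PermissionError(f"{user.name} may not change QA status")
    if user.name == vuln.qa_requestor:  # separation of duties
        raise PermissionError("reviewer must differ from requestor")
    _transition(vuln, "passed" if passed else "failed")
    vuln.qa_reviewer = user.name
    vuln.review_notes.append(f"{user.name}: {note}")


def approve(vuln: Vulnerability, user: User) -> None:
    """Approver signs off a passed review and stamps the approval time."""
    if not can_edit(user, "qa_approver"):
        raise PermissionError(f"{user.name} may not approve QA")
    if vuln.qa_status != "passed":
        raise ValueError("only a passed review can be approved")
    vuln.qa_approver = user.name
    vuln.qa_approved_at = datetime.now(timezone.utc)


def project_status(vulns: List[Vulnerability]) -> str:
    """Custom project status: 'Completed' only when every finding is QA-approved."""
    if vulns and all(v.qa_status == "passed" and v.qa_approver for v in vulns):
        return "Completed"
    if any(v.qa_status in ("ready", "failed") for v in vulns):
        return "In QA"
    return "In Progress"


def reportable(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Report filter: only findings that passed QA are included."""
    return [v for v in vulns if v.qa_status == "passed"]


def demo() -> dict:
    """Constructed walk-through of one review cycle on two sample findings."""
    tester, reviewer = User("alice", {"testers"}), User("bob", {"qa-reviewers"})
    approver = User("carol", {"qa-approvers"})
    sqli = Vulnerability("SQL injection in /login")  # constructed sample finding
    xss = Vulnerability("Reflected XSS in search")   # constructed sample finding
    vulns = [sqli, xss]
    request_review(sqli, tester)
    review(sqli, reviewer, passed=False, note="evidence missing")
    request_review(sqli, tester)  # failed -> ready after the tester adds evidence
    review(sqli, reviewer, passed=True, note="looks good")
    approve(sqli, approver)
    status_before = project_status(vulns)  # xss has not entered QA yet
    request_review(xss, tester)
    review(xss, reviewer, passed=True, note="confirmed")
    approve(xss, approver)
    return {"status_before": status_before, "status_after": project_status(vulns),
            "reportable": [v.title for v in reportable(vulns)], "notes": sqli.review_notes}
```

Running `demo()` shows the project staying "In Progress" while one finding is still outside QA and becoming "Completed" only after both findings are passed and approved; `reportable()` is the kind of filter a report template would apply so unreviewed findings never reach a client deliverable. The separation-of-duties check in `review()` is the one control worth keeping however the fields are named: a tester should not be able to pass their own work.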

You can use the Custom Time-Based Emails to configure additional custom emails to be sent as part of your QA processes.

You can also configure custom workflow automations relating to your QA processes using the Flows workflow automations engine.

Review Notes

Review Notes in AttackForge are designed to help with quality control and quality assurance. They help to keep track of review information in one place.

Review Notes can be created by editors, and are available in the following sections:

  • Vulnerabilities

  • Project Test Cases

  • Reporting

  • Summary page

  • Writeups (coming soon)

Creating Review Notes

When creating review notes for vulnerabilities, project test cases, reporting or the summary page, you must have Edit permissions on the project to view and create review notes.

Start a new thread on a topic; or reply to a note in an existing thread.

Set your notification preferences. You can also include additional persons to be notified, if required.

Reply to an existing note in a thread. An email will be sent to the person you are replying to. You can include additional persons to be notified, if required.

Bulk Review/QA on Vulnerabilities

To perform efficient QA reviews, you can select multiple vulnerabilities that you wish to review, and then review each vulnerability one by one, all from one screen. You can access all information, including evidence and review notes.

If you need to perform QA on multiple vulnerabilities, or would like to review each vulnerability one by one from one screen, select the vulnerabilities and then click on Actions -> Edit.

Click on the Review tab, then enter your review comments. Once you are finished, click on the next vulnerability using the directional arrows.

Once you have finished reviewing all vulnerabilities, the Next option is no longer available, meaning you have reached the end of the review.
