Release Notes

2020-09-07

Download Multi-Reports & Group Reports

We have supercharged the Reporting module to take advantage of ReportGen capabilities!

The Reporting module is where you can quickly access on-demand reports, in any available reporting template, to save time & effort on manually creating or adjusting reports.

Using the New Reporting module, you can:

  • download multiple individual reports at once for each of your projects, using your custom ReportGen templates

  • download a consolidated group report which contains all your data for multiple projects in one single report, using your custom ReportGen templates

  • download individual reports for your projects in PDF, DOCX, HTML, CSV & JSON formats

  • download individual ZIP archives for each of your projects

AttackForge ReportGen helps you to create fully customized reports using your own DOCX templates. You can style and structure the reports however you need.

For Enterprise customers, you can access pre-existing report templates loaded by your Administrators.

Administrators can:

  • Upload New Templates - they will be made available to all users to download custom reports

  • Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console).

  • Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.

  • Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.

  • Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example when uploading a new version of an existing template.

  • View available custom reporting options.

  • Download reports for any accessible projects using any of the available reporting options.

Non-Administrators can:

  • View available custom reporting options.

  • Download reports for any accessible projects using any of the available reporting options.

Downloading Individual Reports

  • Step 1: Select the projects for which you wish to download an individual report

  • Step 2: Select the template you wish to use, and click on the Download Individual Reports button

A report will be created for each selected project using the selected template.

Downloading Group/Combined Reports

  • Step 1: Select the projects you wish to combine into a single report

  • Step 2: Select the template you wish to use, and click on the Download Combined Report button

A single report will be created which contains all the data for the selected projects. De-duplication is performed automatically to help reduce report size.

Import Vulnerabilities Directly on Projects

You can now import vulnerabilities directly into your projects without having to use the AttackForge Connector.

This provides a faster & hassle-free way to import vulnerabilities on your projects, improving the user experience and making importing of vulnerabilities a breeze!

How it Works

  • Select a tool you wish to import from, for example Nessus, BURP, Qualys, etc.

  • After you select a tool, you will be prompted to select the output file from the tool in order to parse the data.

  • Once the data has been parsed, you can then select the vulnerabilities you wish to import into your project.

  • Once you have made your selection, click the Import Vulnerabilities button and the vulnerabilities will be imported into your project. A summary of the import will be displayed in the notification boxes.

If you need to import data via the API, select API from the selection of import tools. The API is detailed and includes a sample cURL request to help get you started.

If a vulnerability template does not exist in the library, it will be automatically created for you. The next time you try to add the vulnerability, it will map to the existing template in the library.

Similarly if the affected asset does not exist on the project, it will be automatically created for you. The next time you try to add a vulnerability on the same affected asset, it will map to the existing asset on the project.

Integrate Your Projects with Discord

AttackForge is a collaboration platform for Technology, Security & Engineering Teams. It helps to get the right people, in the right place with the right information.

To help achieve this, AttackForge now integrates with industry leading collaboration platform Discord.

Discord is a group-chatting platform originally built for gamers, but which has since become a general use platform for all sorts of communities – in particular the InfoSec community.

AttackForge lets you integrate your projects with your own Discord server to create a private channel.

To link your Discord server to your AttackForge project and create a private channel, click on the Collaboration button from your project dashboard, then select Discord.

Enter your details to connect to your Discord server & click Create Channel.

Once your channel is created, the following information will be displayed to all project team members.

Performance, UI & UX Improvements

This release is action-packed with performance improvements, UI enhancements and an overall better user experience for all your users.

Performance has been improved by:

  • Redesigning the PDF, DOCX & HTML reporting functionality, reducing the time taken to generate a report by up to 300%! This is after we also packed additional reporting content into each report – how awesome is that! 😊

  • Redesigning the Data tables engine for Projects, Retesting, Reporting & Users modules – providing significant decrease in page load times of up to 600%! Now that’s fast 😊

UX has been improved by:

  • Providing better support for importing vulnerabilities from Burp, Nessus & Qualys - including linking CVSS scores to Likelihood of Exploitation and supporting additional tags

  • Updating the style of JIRA tickets & content which is exported & synced to JIRA, including better error handling and syncing

  • Displaying the Owner & Last Modified when selecting an issue from the library on a project – helping you make better decisions when selecting the right vulnerability from the library

  • Ability to score vulnerabilities in the library using CVSSv3.1, which are then referenced when adding a vulnerability on a project – saving time & effort when scoring vulnerabilities on every project; and improving standardization of scoring

UI has been improved by:

  • Providing additional new themes allowing you to further personalize your experience in AttackForge. New themes include Neptune, Lost Woods, Amethyst & Firestorm

[Theme previews: Neptune, Lost Woods, Amethyst, Firestorm]

2020-08-14

Export Data Tables to CSV

You can now export any of your data tables to CSV. This allows you to quickly and easily export data from AttackForge to input into your own reports; to share information with others; or to perform your own analysis in Excel or other tools.

The export functionality will download a CSV containing all data visible in your data table.

It also works with the Search filter, allowing you to extract the exact data that you need.

Want to export more or all records? Easy – just use the Show XX Entries drop-down menu to show more records.

This functionality has been implemented across all data tables in AttackForge.

Updates to Analytics

We have introduced a number of updates to the Analytics module, to provide you with more information at your fingertips – and an enhanced user experience.

You can now see the Days Open for every vulnerability when you drill down on the analytics data. This helps with SLAs and getting on top of outstanding vulnerabilities.

We have also included extra information in every table, such as Exploitability and Project.

Now when you click on a link such as a vulnerability or project, it will open the data in a new tab – so you don’t lose your filtered analytics data.

Also, when you filter your analytics, drill down on a data item and then click the back button, you will be presented with your filtered data & options – so you don’t lose your filtered analytics data.

Export Vulnerabilities Directly from Projects + Support for Azure DevOps

You can now export vulnerabilities directly from your project for all supported platforms, as an alternative to using the Connector.

We now support the following exports directly from your projects:

  • Atlassian JIRA

  • ServiceNow

  • Azure DevOps

  • Kenna Security

  • Nucleus Security

We have also introduced support for Azure DevOps – now one of the leading platforms for orchestrating a DevOps toolchain.

Any authorised user on your projects can now easily self-export vulnerabilities as Work Items directly to your ADO Projects.

Assign Testcases To Project Team Members & Filter Testcases

You can now assign test cases on a project to a team member. This makes it easier to delegate tasks on a project; and to enforce accountability as well as increase efficiency by reducing doubling-up on tasks.

You can assign individual test cases to a person, or you can perform bulk assignments using the page menu.

You can also filter test cases by Test Suite, or by:

  • Test Cases Assigned to Me

  • Not Tested

  • Tested

  • Testing In Progress

  • Not Applicable

For more information on how it works, see https://support.attackforge.com/attackforge-enterprise/getting-started/test-cases#assigning-test-cases-to-a-user

Updates to ReportGen

We have made a number of improvements to ReportGen to improve the quality of your on-demand reports, reduce reporting noise and increase actionability.

  • Duplicate Screenshots are now removed for every vulnerability, cutting report size down.

  • Duplicate Affected Assets are now noted, instead of reported, significantly reducing the size of the report where there is a vulnerability affecting dozens of assets.

  • ReportGen is now available in the Reporting module, along with all other on-demand report formats (PDF, DOCX, HTML, CSV, JSON & ZIP)

  • Actions menus have been updated to include the Reporting option for ReportGen, allowing you to get access to reports faster!

For all the latest ReportGen metatags, try downloading a Baseline Template and checking the new tags available!

User Experience (UX) & Performance Updates

We have made improvements to the user experience when accessing various modules.

Now when you access either Projects module; Test Suite Builder; or Vulnerability Library – and view information from any of the tabs – clicking the back button will take you back to the tab you were viewing, avoiding unnecessary extra steps.

We have also rebuilt the rendering engine for data tables in the Dashboard; Analytics; Search; Vulnerability Library & Groups – providing significant decrease in page load times of up to 600%! Now that’s fast 😊

Feel confident showing thousands of records, and all the flexibility of the search to help you get the data you need – when you need it.

Also when you click on a vulnerability in your Vulnerability Library, it will now open in a new tab - so you don’t lose your filtered data.

We have also consolidated all Export & Collaboration integrations into single easy-to-access sections within your projects – allowing for multi-export & multi-collaboration on a single page.

Project Coordinator Gets Extra Powers

Because Project Coordinators are taking on an increasing role in AttackForge, they now have the following extra powers to help reduce the burden on Administrators and to increase efficiency.

Project Coordinators can now:

  • create new projects

  • update projects

  • get access to all new projects

  • invite users to projects

  • manage user access to projects

  • access all pending & actioned project requests

  • approve new project requests

  • request more information on project requests

  • reject new project requests

  • get full access to the Vulnerability Library

2020-07-12

ReportGen Now Available In Projects – Download Custom Reports On-Demand In Your Own Templates

AttackForge ReportGen is a tool to help you create fully custom reports based on your own DOCX report templates.

For Enterprise customers, you can now access pre-existing report templates - loaded by your Administrators - directly from your Project Dashboard by clicking the ReportGen button.

You can download reports on-demand, in any available reporting template, to save time.

This also provides your customers with the flexibility to generate reports in multiple formats, to help create tailored automated reports for their needs.

Administrators can:

  • Upload New Templates - they will be made available to all users on all projects to download custom reports

  • Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console). This should be performed before uploading any new templates which will be available to customers, to ensure it is working as expected.

  • Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.

  • Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.

  • Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example when uploading a new version of an existing template.

  • View available custom reporting options.

  • Download reports on their project using any of the available reporting options.

Non-Administrators can:

  • View available custom reporting options.

  • Download reports on their project using any of the available reporting options.

To download a report in a custom template, click on the Download Report button.

Reports will automatically download in your browser - there is no need to use the ReportGen Client-Side Tool.

Project Notes Now Available

Project Notes allows you to create & store notes on your project. You can consolidate all your notes in one place, to make it easy to track & record information as you go.

The notes can include:

  • Private notes - these are notes which are only visible to you.

  • Team notes - these notes are available to project team members with Edit access to the project (pentesters/consultants).

  • Report notes - these notes are included in the downloaded PDF, DOCX & HTML reports. They are also included in the JSON export & ReportGen.

Project Notes is only available to users with Edit permissions to the project.

You can access project notes from the project menu by clicking on Notes.

Updates to AttackForge Connector

We have updated the AttackForge Connector to include support for additional tools - allowing you greater flexibility when importing and exporting data to and from AttackForge.

We now support sixteen (16) industry tools & formats, with new tools & platforms constantly added to our roadmap.

The following tools & formats have been included in this release:

  • Tenable.io

  • Tenable.sc (Tenable Security Center)

  • Netsparker

  • Rapid7 Nexpose / InsightVM

  • Rapid7 AppSpider / InsightAppSec

  • AttackForge JSON – this can be used to import data from any AttackForge project into another AttackForge project. Particularly useful if you are a multi-tenant customer.

  • CSV – this is a generic CSV importer that can work with any data. CSV template is available from within the Connector.

  • Nucleus

Updates to Self-Service API

In this release, we have added 2 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.

Every method has a detailed documentation page which includes information & examples for all parameters (optional & mandatory); the URL for each method; example cURL requests & example server responses.

The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.

  • createVulnerabilityBulk

    • this method allows a user to create multiple vulnerabilities on a project, in one single request.

  • getApplicationAuditLogs

    • this method allows a user to download all exportable logs from the application. This can be integrated with tools such as Splunk, SolarWinds, ManageEngine, LogRhythm, IBM QRadar & others

New Project Request – Request More Information From Customer

Administrators can request more information for a new project request, before they Approve or Reject the request.

When requesting more information, an email will be sent to the customer with the details for the request. The information is also visible by clicking on the request to view the details.

Once an Admin has requested more information, the status of the request will be set to Requested Information.

The customer can make necessary changes to the request in order to address the feedback, and once they save the updates - the status will be set back to Pending Approval and Administrators will be notified by email that the request has been updated and is ready for review.

UX Improvements

We have made the following enhancements to AttackForge to ensure your and your customers’ experience is the best that it can be!

  • Support for Scrolling Sidebar on Global Menu

  • Now include _likelihood_of_exploitation, _severity and _testcases for all vulnerabilities in the JSON export

  • Managing Access to Projects (via Users module) now removes existing projects the user has access to

  • Managing Access to Groups (via Users module) now removes existing groups the user has access to

  • Managing Access to Self-Service API (via Users module) now removes existing SSAPI methods the user has access to; including button to Add All & Remove All when performing updates

  • Unified Data tables – all data tables now have a unified experience. All data is loaded by default to assist with pagination. You can still filter number of records on screen using the Show XX Entries option. Search will now return results based on all records.

  • Simpler & Unified Flow for Re-Opening & Closing Vulnerabilities on a project.

2020-06-15

Attack Chains Now Map to MITRE ATT&CK Framework

You can now map attack chains to MITRE ATT&CK Framework.

This helps to create standardised attack chains & threat models, and will benefit any Red Team, Blue Team or Purple Team activities in your environment.

Blue teams will be able to leverage MITRE’s global knowledge base of adversary tactics to get enriched information on each action performed in the attack chain.

Red teams will be able to articulate their attack sequence with more clarity by leveraging wealth of information relating to their attack pattern provided in MITRE’s framework.

Mapping to MITRE ATT&CK Framework takes only minutes & is easy to do. Check out our tutorial video on how to start mapping your attack chains to MITRE ATT&CK Framework:

Service Catalogue Now Available to Your Customers

When a customer is requesting a new project, they must specify the service which they would like to purchase or proceed with. The test suites are now presented to the customer as a Service Catalogue, allowing them to pick and choose what they would like to be performed on their project. Test suites can be adjusted to align with the security services offering for a consultancy or internal security team/function.

Every service in the catalogue includes a brief description, tags & total number of test cases that will be assigned to the project – should the customer select it.

These details are visible to the customer by hovering over any service in the drop-down list.

For example, if a customer requires a PCI DSS penetration test to meet their annual penetration testing requirements, they can select the service from the catalogue and list the details for the PCI assets in-scope for the assessment (see below). Or if the customer requires a Pre-Launch Assessment for a New Web Application – they can select the service & it will automatically load any test cases on the project related to this activity, once the project is approved.

The feature is also extended to Admins when manually creating a new project.

For more details please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/requesting-a-project

CVSS v3.1 Temporal & Environmental Calculators Are Now Available

Previously we introduced an alternative scoring system which allows you to score your vulnerabilities using the CVSS v3.1 Baseline in-app calculator.

We have now extended this to also include CVSS v3.1 Temporal & Environmental Calculators.

After you score a vulnerability using CVSS, it will automatically include the CVSS Vector String + CVSS Score for you as tags.

If you are using Temporal or Environmental scoring, it will include the Base Score, Temporal Score & Environmental Score as separate tags.

When creating a new project, or at any time during a project (via Edit Project) - you can select a scoring system for the vulnerabilities.

AttackForge supports the following scoring systems:

  • Manual

    • manually select Priority (Critical / High / Medium / Low / Info)

    • manually select Likelihood of Impact (0 to 10)

  • CVSS v3.1 Baseline

  • CVSS v3.1 Baseline + Temporal

  • CVSS v3.1 Baseline + Temporal + Environmental

For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#selecting-a-scoring-system

Duplicate Vulnerabilities On Your Projects

You can now duplicate any vulnerabilities on your project, against selected assets.

The system will create a new vulnerability (for each of the selected vulnerabilities) and assign it to the assets which you have also selected.

This makes it fast & easy to assign vulnerabilities to assets during a pentest where multiple affected assets have been discovered later on for a vulnerability which had already been reported.

For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/managing-vulnerabilities/updating-vulnerabilities#duplicate-vulnerabilities

Bulk Open or Close Vulnerabilities On Your Project

You can now perform a bulk action to Open or Close selected vulnerabilities on your project.

This makes it fast & easy to close or re-open vulnerabilities on projects where a large number of vulnerabilities have been discovered.

This is particularly useful for issues relating to vulnerability scanners, whereby many vulnerabilities may be observed fixed/remediated during retest.

For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/managing-vulnerabilities/updating-vulnerabilities#mark-vulnerability-as-closed-re-opened

Adding Scope Now Supports New Lines

You can now create new scope on a project using a line break, in addition to comma-separated values.

This helps to avoid unnecessary effort of converting assets to comma-separated values where they are already leveraging a line break format.

For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/project-scope#add-assets-scope
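As an added illustration of the parsing described above (this is example code, not AttackForge's own scope importer), the following Python accepts a scope blob in either line-break or comma-separated form, or a mix of both, trims whitespace, drops blank entries and duplicates, tags each asset as an IP, CIDR, URL or hostname, and writes the result out as CSV in the same spirit as the project assets CSV download. The sample scope text, the column names and the classification rules are this example's own constructions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: mixed newline- and comma-separated scope, CRLF, blanks and one duplicate.
SAMPLE_SCOPE = (
    "10.0.0.1, 10.0.0.2\r\n"
    "app.example.com\n"
    "\n"
    "10.0.0.0/24,https://portal.example.com/login\n"
    "10.0.0.1 "
)


def classify(asset):
    """Tag an asset so downstream tools can choose the right input type."""
    try:
        ipaddress.ip_address(asset)          # single IPv4/IPv6 address
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(asset, strict=False)   # a.b.c.d/nn range
        return "cidr"
    except ValueError:
        pass
    return "url" if "://" in asset else "host"


def parse_scope(raw):
    """Split on newlines and/or commas, trim, drop blanks, de-duplicate
    case-insensitively while keeping first-seen order."""
    seen = set()
    assets = []
    for token in re.split(r"[,\r\n]+", raw):
        name = token.strip()
        if not name:
            continue
        if " " in name:
            # An embedded space almost always means a separator was forgotten;
            # refuse it rather than silently creating a bogus asset.
            raise ValueError(f"asset contains whitespace, missing separator? {name!r}")
        key = name.lower()
        if key not in seen:
            seen.add(key)
            assets.append((name, classify(name)))
    return assets


def scope_to_csv(assets):
    """Render (asset, type) pairs as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["asset", "type"])
    writer.writerows(assets)
    return buf.getvalue()


if __name__ == "__main__":
    print(scope_to_csv(parse_scope(SAMPLE_SCOPE)))
```

Note the order of the two ipaddress checks: ip_network("10.0.0.1", strict=False) happily parses a bare address as a /32, so the single-address test has to run first or every host IP would be tagged as a range.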

Daily Tracker Now Includes Color-Coding

We have updated the colors used on the daily tracker page to help identify relevant sections more easily.

For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#place-project-on-hold-off-hold

2020-05-14

ReportGen Updates

We have released an update to ReportGen Tool & Template files:

  • ReportGen Tool:

    • AttackChains are now supported

    • Updates to auto-scale images to correct dimensions without exceeding page width

    • Tags & Help information is now available in browser console

  • ReportGen Template

    • Meta tags for AttackChains are now included

    • Updates to Testing Summary to include additional data/tags

JSON Export Updates

We have released an update to the project JSON Export:

  • Now includes AttackChains, including icons in base64

  • Additional tags for Testing Summary section

New AttackChain Entities

We have released an update to AttackChains:

  • You can now select additional entities including Device, Server & Database.

  • For the new entities, you can select from either an existing asset on the project; or enter a new asset name. Any new assets are only included for purpose of the attack chain and are not added to project scope.

Updates to Self-Service API

In this release, we have added 39 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.

Every method has a detailed documentation page which includes information & examples for all parameters (optional & mandatory); the URL for each method; example cURL requests & example server responses.

The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.

  • createScope - this method allows a user to create new assets on a project that they have Edit access to.

  • updateScope - this method allows a user to update assets on a project that they have Edit access to.

  • createRemediationNote - this method allows a user to create a remediation note for a vulnerability on a project that they have access to.

  • sendDailyCommencementEmail - this method allows a user to send the daily commencement notification on a project they have Edit access to.

  • sendDailyCompletionEmail - this method allows a user to send the daily completion notification on a project they have Edit access to.

  • updateTestcase - this method allows a user to update a testcase on a project they have Edit access to.

  • createTestcaseNote - this method allows a user to create a note on a testcase for a project they have Edit access to.

  • requestRetest - this method allows a user to request a retest on a project they have access to.

  • confirmRetestCompleted - this method allows a user to confirm a retest is completed on a project they have Edit access to.

  • updateExecSummaryNotes - this method allows a user to update the executive summary notes section of the report on a project they have Edit access to.

  • getGroups - this method allows a user to get details for groups the user is a member of.

  • getVulnerabilitiesByGroup - this method allows a user to get details for all vulnerabilities for a group that they are a member of, with optional filter.

  • getProjectsByGroup - this method allows a user to get details for all projects for a group that they are a member of.

  • getVulnerabilityLibraryIssues - this method allows a user to get details for all vulnerabilities in the library.

  • updateVulnerabilityLibraryIssueById - this method allows a user to update a vulnerability in the library.

  • getTestsuites - this method allows a user to get details for all test suites.

  • getTestsuiteById - this method allows a user to get details for a Testsuite, including the list of test cases.

  • getUsers - this method allows a user to get details for all users in the system, with optional filter.

  • getUserById - this method allows a user to get details for a user in the system.

  • getAssets - this method allows a user to get details for all assets the user has access to.

  • getAssetsByGroup - this method allows a user to get details for all assets for a specified group.

  • createGroup - this method allows a user to create a new group.

  • updateGroup - this method allows a user to update a group.

  • getGrou - this method allows a user to get details for a group.

  • addUserToGroup - this method allows a user to create a new member on a group.

  • updateUserAccessOnGroup - this method allows a user to update a user’s membership of a group.

  • createTestsuite - this method allows a user to create a new test suite.

  • updateTestsuite - this method allows a user to update a test suite.

  • addTestcaseToTestsuite - this method allows a user to add a new test case to a test suite.

  • updateTestcaseOnTestsuite - this method allows a user to update a test case on a test suite.

  • updateUserAccessOnProject - this method allows a user to update a user’s role/permissions for a given project.

  • createUser - this method allows a user to create a new user in the system.

  • deactivateUser - this method allows a user to deactivate a user in the system.

  • activateUser - this method allows a user to activate a user in the system.

  • getUserAuditLogs - this method allows a user to get audit logs for a user, with optional filter.

  • getUserLoginHistory - this method allows a user to get login history for a user, with optional filter.

  • getUserProjects - this method allows a user to get details for all projects a user has access to.

  • getUserGroups - this method allows a user to get details for all groups a user has access to.

  • getProjectAuditLogs - this method allows a user to get audit logs for a project, with optional filter.

2020-04-13

ReportGen Now Available

We have released AttackForge ReportGen which is a tool to help you create fully customizable reports based on your own DOCX templates.

ReportGen provides you with the flexibility and autonomy to create reports which are specific to your organization, requirements, target audience or style guidelines.

We have included a baseline template that is aligned with the AFE PDF report and includes all necessary tags to help get you started. You can download the template from AFE.

You can build upon this template or create new templates entirely, to reflect your reporting needs.

ReportGen is a self-contained HTML file and works in your browser. There is no need to install anything.

It works in an offline environment and requires no Internet or dependencies to run. All reports are generated locally in your browser.

ReportGen works as follows:

  1. Download JSON export from your AFE project

  2. Download ReportGen & AFE ReportGen Template

  3. Open ReportGen in your browser. Select AFE JSON export file. Select DOCX template.

  4. Your new report will automatically download.

  5. Enjoy saving hours of reporting time! 😊

ReportGen is available to all users. There is a button on the Project Dashboard to access ReportGen, or you can access it directly via the ReportGen module in the navigation pane.

Updates to Self-Service API

In this release, we have included the following updates to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.

Every method has a detailed documentation page which includes information & examples for all parameters (optional & mandatory); the URL for each method; example cURL requests & example server responses.

The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.

  • createVulnerability - this method allows a user to create a vulnerability on a project that the user has Edit access to. Any new assets will be automatically added to the project. Any new issue descriptions will be automatically added to the library.

  • updateVulnerabilityById - this method allows a user to update a vulnerability on a project that the user has Edit access to. You can update the status of vulnerabilities using this method. Any new issue descriptions will be automatically added to the library.

  • createVulnerabilityLibraryIssue - this method allows a user to create a new vulnerability in the library, which can be used by users when creating a new vulnerability on a project.

  • getprojectRequests - this method allows a user to get project requests that the user has access to, with optional filter to narrow results.

  • createProjectRequest - this method allows a user to create a new project request. This method can be used to integrate into your existing workflows and systems, to enable seamless project requests via 3rd party systems and scripts.

  • getProjectRequestById - this method allows a user to get a project request by its Id, if the user has access to it.

  • updateProjectRequestById - this method allows a user to update a project request by its Id, if the user has access to it.

  • approveProjectRequestById - this method allows a user to approve a project request by its Id. Approved project requests are automatically created as new projects in the system, and users are invited accordingly (including email notifications).

  • rejectProjectRequestById - this method allows a user to reject a project request by its Id. An email notification is sent to the requestor notifying them that the project has been rejected and the reason(s) why.

Additional Project Email Notifications

We have added support to enable project email notifications to project team or to admins on various events. This helps to keep people informed on progress and status changes for vulnerabilities on their projects.

Notifications can be enabled or disabled via project creation form, or via project update form.

The following events can be enabled on a per-project basis:

  • Email Project Team on:

    • New Critical Vulnerability

    • New High Vulnerability

    • New Medium Vulnerability

    • New Low Vulnerability

    • New Informational Vulnerability

  • Email Admins on:

    • Vulnerability Ready for Retesting

    • Vulnerability Re-Opened

    • Vulnerability Closed

Download Project Assets as CSV

We have added ability to download the project scope (assets assigned to a project) in CSV format. This helps testers extract scoping information from AFE more effectively so they can load it in various tools.

You can download the project assets CSV file via the Scope section on your project.

Updates to Project JSON Export

We have added support for uploaded files to vulnerabilities (as evidence) to be included in the project JSON export file. This includes all files, not just images.

This helps to export your evidence into various tools in a consolidated way that can be automated. All files are encoded in Base64, and each file is provided both as a raw Base64 value and as a Base64 Data URL.
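As an added illustration of consuming the evidence files from a project JSON export, the script below decodes each file whether it is supplied as a raw Base64 value or as a Base64 Data URL, writes it to disk and records a SHA-256 digest for each extracted file. It is written for these notes, not AttackForge code, and the field names `vulnerabilities`, `id`, `files`, `name`, `base64` and `dataUrl` are assumptions for a constructed sample export; the actual export layout is documented in the product, not on this page. Filenames from the export are treated as untrusted and stripped to a bare basename before anything is written.

```python
import base64
import binascii
import hashlib
import os
import re
import tempfile
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional, Tuple, List, Dict

# Matches "data:<mime>[;param=value...];base64,<payload>"; the mime type is optional.
_DATA_URL_RE = re.compile(
    r"^data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;[\w-]+=[\w-]+)*;base64,(?P<payload>.*)$",
    re.DOTALL,
)


def decode_evidence(value: str) -> Tuple[bytes, Optional[str]]:
    """Accept a raw Base64 string or a Base64 Data URL; return (bytes, mime type or None)."""
    text = value.strip()
    mime = None
    payload = text
    m = _DATA_URL_RE.match(text)
    if m:
        mime = m.group("mime")
        payload = m.group("payload")
    try:
        # validate=True rejects anything outside the Base64 alphabet instead of silently skipping it.
        return base64.b64decode(payload, validate=True), mime
    except (binascii.Error, ValueError) as exc:
        raise ValueError("evidence payload is not valid Base64") from exc


def is_valid_payload(value: str) -> bool:
    try:
        decode_evidence(value)
        return True
    except ValueError:
        return False


def safe_filename(name: str) -> str:
    """Reduce an export-supplied filename to a basename safe to create under the output directory."""
    base = PureWindowsPath(PurePosixPath(name).name).name   # strips both / and \ components
    base = re.sub(r"[^\w.-]", "_", base).strip(".")          # no control chars, no "." / ".."
    if not base:
        raise ValueError(f"unusable evidence filename: {name!r}")
    return base


def extract_evidence(export: dict, out_dir: str) -> List[Dict]:
    """Write every evidence file to out_dir/<vulnerability id>/ and return a manifest."""
    manifest = []
    for vuln in export.get("vulnerabilities", []):           # assumed field name
        vuln_dir = safe_filename(str(vuln.get("id", "unknown")))
        target = os.path.join(out_dir, vuln_dir)
        os.makedirs(target, exist_ok=True)
        for entry in vuln.get("files", []):                   # assumed field name
            encoded = entry["dataUrl"] if "dataUrl" in entry else entry["base64"]  # assumed field names
            data, mime = decode_evidence(encoded)
            name = safe_filename(entry["name"])
            with open(os.path.join(target, name), "wb") as fh:
                fh.write(data)
            manifest.append({
                "vulnerability": vuln_dir,
                "file": name,
                "mime": mime,
                "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),   # integrity record for the evidence
            })
    return manifest


# Constructed sample export (not a real AttackForge export).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"fake"
REQUEST_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_EXPORT = {
    "vulnerabilities": [
        {
            "id": "VULN-0001",
            "files": [
                # A hostile filename with traversal components, as a Data URL.
                {"name": "../../screenshot.png",
                 "dataUrl": "data:image/png;base64," + base64.b64encode(PNG_SAMPLE).decode()},
                # The same file type of record carrying only the raw Base64 value.
                {"name": "request.txt", "base64": base64.b64encode(REQUEST_SAMPLE).decode()},
            ],
        }
    ]
}


def run_demo() -> Tuple[List[Dict], List[str]]:
    """Extract the sample export into a temporary directory; return (manifest, relative paths written)."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = extract_evidence(SAMPLE_EXPORT, tmp)
        written = sorted(
            os.path.relpath(os.path.join(root, f), tmp)
            for root, _, files in os.walk(tmp) for f in files
        )
    return manifest, written


if __name__ == "__main__":
    for item in run_demo()[0]:
        print(item)
```

The manifest is the artefact worth keeping alongside the extracted files: the digests let you show later that the evidence handed to another tool is byte-identical to what was exported.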

Updates to User Interface (UI) & User Experience (UX)

We have included the following updates to UI/UX in this release:

  • Updates to the Analytics Groups filter: when selecting 2 or more groups, a checkbox will now show up labelled ‘Only Search Projects With Selected Groups Linked To The Project’. If you tick the checkbox and run the search, it will filter results to projects where all of the selected groups are linked. Otherwise, you can continue to use the default search for groups, which operates on an inclusive-OR basis.

  • Updates to Security Code form when logging in, to include OTP input box (instead of standard input box used previously). You can also use the keyboard Enter button to select Sign in with Mobile button (instead of having to click it with mouse).

  • Updates to Project Scope field when creating a project, to make it a text area. This allows you to enter in multiple assets via comma-separated values, which is easier and faster when dealing with large groups of assets.

2020-03-16

Self-Service API Now Available

We have released a Self-Service API for AFE. This API aims to provide you with more flexible and powerful ways of interacting with AFE.

It utilises static API keys which are assigned to individual users and can be used in scripts, batch jobs, cURL requests, or other ways - to help with:

  • Creating custom dashboards & analytics with the information you or your organisation needs, at any time

  • Creating custom queries for projects, vulnerabilities, testcases, etc.

  • Simplifying workflows for creating projects, requesting & approving projects, etc. initiated from your own tools/platforms

  • Providing hooks into upstream & downstream pentesting flows, and integrations into Enterprise eco-system

  • Creating service accounts with limited functionality to perform specific tasks only

In this release we have included thirteen (13) API methods – with more planned for future releases.

Access to each method for every user is managed and controlled by Administrators via Users module. By default, users have no access to the Self-Service API. This must be enabled by an Admin for a given user, including scope of methods allowed for the user.

Every method has a detailed documentation page which includes information & examples for all parameters (optional & mandatory); the URL for each method; example cURL requests & example server responses.

The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.

  • getVulnerabilities - this method allows user to get all vulnerabilities in the system, that user has access to. It includes detailed information for every vulnerability, and optional filters to narrow results.

  • getProjects - this method allows user to get all projects in the system, that the user has access to. It includes detailed information for every project, and optional filters to narrow results.

  • getProjectById - this method allows user to get detailed information for a given project that the user has access to.

  • getProjectVulnerabilitiesById - this method allows user to get detailed information for all vulnerabilities on a given project that the user has access to, and optional filters to narrow results.

  • getVulnerabilityById - this method allows user to get detailed information for a vulnerability that the user has access to.

  • getVulnerabilitiesByAssetName - this method allows user to get detailed information for all vulnerabilities which match specified asset name, that the user has access to, and optional filters to narrow results.

  • getProjectTestcasesById - this method allows user to get detailed information for all project testcases for a given project that the user has access to, and optional filters to narrow results.

  • getMostVulnerableAssets - this method allows user to get statistics on the Most Vulnerable Assets that the user has access to, and optional filters to narrow results.

  • getMostCommonVulnerabilities - this method allows user to get statistics on the Most Common Vulnerabilities that the user has access to, and optional filters to narrow results.

  • getMostFailedTestcases - this method allows user to get statistics on the Most Failed Testcases that the user has access to, and optional filters to narrow results.

  • createProject - this method allows user to create a new project in the system.

  • updateProjectById - this method allows user to update any project in the system.

  • inviteUserToProjectById - this method allows user to invite another user to a given project and specify their privileges/access on that project.

Updates to Core Framework Modules

We have updated a number of core framework modules to the latest stable versions.

This will help to ensure stability, performance, reliability, security & robustness of the overall solution.

Bug Fixes in Reports and Testcases

We have addressed a number of bugs in the reports which affected visual representation of certain sections or text.

We have also addressed a bug in the test cases where under certain circumstances, the counter on the project dashboard would not update accordingly to changes made to the test cases.

Sessions No Longer Timeout on Vulnerability Library Create/Update

We had previously addressed an issue where customers had experienced data loss during session timeout on creating or updating a vulnerability on a project.

We have now extended this to include the Vulnerability Library.

Now when you are entering or updating an issue in the Vulnerability Library, your session will remain active until you either navigate away or log out.

Sessions will time out as per normal on all other screens, with the exception of Add/Edit project vulnerability (see previous release notes).

2020-02-20

Updates to Connector

We have updated the AttackForge Enterprise Connector to be compatible with the following tools / platforms.

This makes it easier and faster to import data from your favourite tools into AttackForge; or to export data from your AttackForge projects into other tools / platforms.

  • Qualys

  • OpenVAS

  • OWASP Zed Attack Proxy

Updates to PDF, DOCX & HTML Reports

We have updated the PDF, DOCX and HTML reports to address a number of issues & bugs, namely:

  • Performance updates to increase speed of report generation

  • Increased robustness of reports to effectively handle large projects with many thousands of issues/findings

  • Improved translation from HTML to Plain-Text for the Steps to Reproduce / POC, providing more consistent results

  • Addressed a number of bugs with regards to visual representation of reports

Ability to Secure Delete Projects

We have added support to provide Admin users with the ability to securely delete all data related to a project from the database, uploads & logs.

This allows you to ensure that any sensitive projects can be sanitized and securely removed. Note the records will exist in any prior backups taken.

In order to perform a secure delete, you must first Archive a project. From the Archived Projects tab (in Projects module), you can use the item menu to select from the following options. You will be prompted to confirm and authorise the action.

  • Destroy Project Data (Keep Logs)

    • This option will delete all project data from the database & uploads, however will maintain the logs (which are available to Admins via Users module)

    • A new record will be created in the logs for the user, indicating the project ID & name that was deleted (for auditing & security)

  • Destroy Project Data (& Logs)

    • This option will delete all project data from the database, uploads & logs.

    • A new record will be created in the logs for the user, indicating the project ID & name that was deleted (for auditing & security)

IMPORTANT: This feature is disabled by default for security reasons. The buttons will appear, however they will not work. This can only be enabled by request to the AttackForge team.

Support for CVSS 3.1 Scoring

We have added support for CVSS 3.1 as an alternative scoring system for vulnerabilities on projects. This aligns with industry best practices and helps you to enforce a more consistent approach to determining issue Priority and Likelihood of Exploitation.

When using CVSS scoring system, you only need to click the buttons which apply to the issue you have discovered. The Priority and Likelihood of Exploitation will automatically update based on your selection.

Note the CVSS Vector will automatically be added to the Tags section and updated with each change in scoring.

To access this scoring system - when creating a new project, you will now see a drop-down menu allowing you to select the scoring system. By default, CVSS 3.1 is selected, however you can still access the previous scoring system by selecting Manual.

You can toggle between scoring systems for a project at any time by Editing the project and selecting the new scoring system.

2020-01-29

Updates to Analytics

We have updated the Analytics module to provide you with even better discovery & analysis of your vulnerabilities and pentesting data.

This will help to identify trends and problem areas and provide better tracking of progress on remediation activities.

Analytics can also be filtered across Dates & Groups, so you have greater control over the time periods and business functions which are relevant to you & your reporting.

You can also drill-down on any of the metrics, to identify root cause.

The newly added areas to Analytics include:

  • Total Projects

  • Total Assets

  • Assets with Open Critical Vulnerabilities

  • Assets with Open High Vulnerabilities

  • Critical & Open Vulnerabilities <30 Days, <60 Days, <90 Days

  • High & Open Vulnerabilities <30 Days, <60 Days, <90 Days

  • Mean-Time-To-Remediate (MTTR) for Critical Vulnerabilities

  • Mean-Time-To-Remediate (MTTR) for High Vulnerabilities

  • Top 10 Most Vulnerable Assets

Normalization of Vulnerability Import Data

We have added support to match existing issues from API & Connector imports to relevant issues in the Vulnerability Library.

This allows you to:

  • Import findings from various sources, via API or Connector

  • For any newly created issues in the library during the import process, you can now freely make relevant changes to the text for those issues in the library – and have this reflected back on subsequent imports

  • On the next import which has same issue details, they will be automatically linked to the updated versions in the library

This will save you time & effort from having to modify the descriptions, attack scenarios & recommendations every time you run an import.

For example, if you import a Nessus scan with the issue ‘SSL Certificate Expiry’ – on the first import, if it does not exist in the library - it will create the issue for you.

Then you can make changes to the issue in the library, for example change the title to ‘Expired SSL Certificate In Use’.

Next time you import a Nessus scan and it has SSL Certificate Expiry which is the same as before, it will be automatically linked to the updated issue in the library Expired SSL Certificate In Use.

Resource Manager View for Calendar / Schedule

You can now filter the Schedule / Calendar by users, in addition to by projects – allowing you to be more effective when planning resources on upcoming pentests.

You can see which projects that users/pentesters are assigned to for any given day/week/month and determine which users/pentesters are heavily utilized - or have capacity for projects.

You can compare multiple users at the same time, to get a clearer picture of the team’s overall capacity and availability.

UI & Compatibility Updates to Connector

We have added support for AF Connector for the majority of common browsers, including Chrome, Firefox, Safari and Edge. This ensures you can access import & export functionality in your native browser, without having to rely solely on Chrome.

We have also made minor UI updates for error handling, and also to display statistics on a successful import operation.

NOTE: BURP import is not supported in Firefox & Edge at the moment, due to Firefox and Edge not supporting native XML v1.1 parser (which is required by BURP XML exports).

New Workflow for Editing Multiple Vulnerabilities

We have added a new workflow which allows you to make changes to multiple vulnerabilities on a project, one-after-another, all from a single screen.

This makes it easier and faster to perform QA on vulnerabilities, and review & make changes without losing track.

This option lets you update each issue and move on to the next one, or you can traverse through the issues using the Previous and Next buttons until you find the one(s) you want to update.

You can access this workflow by selecting multiple vulnerabilities on the project and using the page menu to select ‘Update Selected Vulnerabilities (Individually)’.

We have kept the alternate workflow, ‘Update Selected Vulnerabilities (All)’, which allows you to make bulk updates to vulnerabilities in one go.

This is useful when you need to update the details for all issues at the same time, for example update the POC for all selected issues.

Re-assign Affected Asset for Vulnerabilities

We have added support to re-assign affected assets for existing vulnerabilities on a project. If you have created a vulnerability against an incorrect asset, you can now update the affected asset to the correct value.

This can be performed on an individual vulnerability, or you can also perform mass-updates to multiple vulnerabilities at the same time.

Meta Tags in Executive Summary Notes

We have added support for the following meta tags in the Executive Summary Notes section of the reports. This will make it faster to reference the project’s details without having to look them up – or worry about making changes retrospectively if the project details are updated.

  • {{{projectName}}} – will display project’s name

  • {{{projectCode}}} – will display project code

  • {{{projectStart}}} – will display project start date

  • {{{projectEnd}}} – will display project end date

2020-01-14

Nessus & BURP Import Added to Connector

You can now import vulnerabilities from Nessus and BURP export formats (.nessus & .xml) to a given project via AttackForge Connector.

This makes it fast & easy to add multiple vulnerabilities from scanners, in a matter of minutes.

Importing vulnerabilities is easy – simply download the Enterprise Connector from the module in AttackForge, open the HTML file and follow the steps.

You can select all vulnerabilities to import or adjust your selection by ratings (Critical/High/Medium/Low/Info). You can also individually select the issues you want to import.

We are currently working on other integrations for AttackForge Connector with customer-requested tools and platforms – watch this space!

Import Vulnerabilities via API

You can now directly import vulnerabilities for a given project via AttackForge API.

This allows you to directly feed vulnerability data into your project, from various sources - including tools, scripts, or adding historical data.

All details on how to access the API, including sample working cURL requests, can be found from your project menu by selecting Import Vulnerabilities.

Only users with Edit access to a project, or Administrators, can access this API.

To help save you time & effort – if you import a vulnerability which does not already exist in your library, or if the affected asset does not already exist on your project – it will automatically create these for you.

If the issue exists in the library, or if the asset exists on the project – it will automatically link these to your vulnerability that you are importing.

You can also use this API for bulk imports on projects.

Daily Tracker Now Added To All Projects

Every project now has a daily tracker which shows you how many vulnerabilities were discovered each day on the project, and how many testcases were actioned.

You can click on the items to drill-down and see the corresponding details.

We have also included the history for all project On-Hold & Off-Hold notices, which are also included within the daily tracker.

Each notice includes the status (On-Hold or Off-Hold), the reason/explanation, and date/time stamp.

You can access the daily tracker from the Project Dashboard by clicking on Tracker button, or via the Schedule by clicking on the project name.

Project On-Hold / Off-Hold Enhancements

When you place a project On-Hold or Off-Hold, you are required to enter an explanation which is sent to all project team members by email – to inform all stakeholders why the project is On-Hold or Off-Hold.

If a project is On-Hold, an alert box is displayed at the top of the project dashboard to inform project team members of the issue and when it was raised.

In addition, the global dashboard now displays details for Projects On-Hold – to help inform you & stakeholders of issues affecting projects as soon as you log in to AttackForge.

Sessions No Longer Timeout on Vulnerability Create/Update

We have addressed an issue where customers had experienced data loss during session timeout on Creating or Updating a vulnerability.

Now when you are on these screens, your session will remain active until you either navigate away or log out.

Sessions will time out as per normal on all other screens.

Tags Added to Vulnerability Library

Tags have been added to the Vulnerability Library to help you with searching the library more efficiently & effectively.

2019-11-22

AttackForge Connector Now Available

AttackForge Connector is our tool that allows you to export findings from AFE into other industry-leading tools.

It works with AFE JSON files which can be exported from your projects.

It’s client-side & self-contained HTML file – so no install is required. It can be downloaded within AFE from ‘Connector’ module.

Currently AttackForge Connector supports the following tools, however we have many tools planned for integration in upcoming releases:

  • JIRA Cloud

  • ServiceNow

  • Kenna Security

AttackForge Connector aims to become our gateway product for bi-directional data integration between AttackForge and other tools & platforms.

AttackForge Connector works as follows:

  1. Log in to AttackForge and download JSON report for the project/vulnerabilities you wish to export + AttackForge Connector file (from Connector module).

  2. Open the AttackForge Connector HTML file and select the JSON file to upload.

  3. Select the vulnerabilities you wish to export.

  4. Select the tool which you would like to export selected vulnerabilities to.

  5. Fill in export details for your tool.

  6. Click submit. Vulnerabilities should be exported directly to the tool.

NOTE: Due to strict CORS security settings set by JIRA, ServiceNow & Kenna Security – direct exports from the browser to the tools are not allowed (denied by the browser) for security reasons.

Therefore, all export requests are routed via AttackForge proxy infrastructure to comply with CORS security settings set by the tools.

Please let us know if you would like us to help you configure AttackForge Connector to utilise your own proxy service.

JSON Report Now Available

You can now export project vulnerability reports in JSON format (in addition to PDF, DOCX, HTML & CSV).

JSON reports contain all the information which is currently provided in the standard reports. You can customise content of the JSON report based on your Report Settings.

JSON reports can be used to integrate AFE findings into your own existing reporting templates.

JSON reports can also be used to export AFE findings into other systems via AttackForge Connector, or via direct feeds into other tools.

Vulnerability & Asset Report Mappings

We have now included 2 additional appendices within the vulnerability reports, to help provide a snapshot of affected systems and their remediation status.

  1. Vulnerability-to-Asset Mappings: a list of all vulnerabilities and the assets/systems affected by that vulnerability (including remediation status)

  2. Asset-to-Vulnerability Mappings: a list of all assets and the vulnerabilities affecting each asset (including remediation status)

Bug Fixes & Performance Improvements

We have addressed a number of bugs (particularly in the PDF reports) as well as made performance optimizations (for page load times and reporting speeds) - to help improve user experience.

2019-11-04

Group Membership Now Available

You can now link users to Groups. This will make it easier to manage visibility, collaboration and access to projects as your security & penetration testing program grows. For example:

  • You can add management and executives to their related Groups so they can track performance and view analytics across their business units.

  • You can add technology and engineering teams to their related Groups so they always have visibility of issues/vulnerabilities arising on their systems.

  • You can add pentesters & security teams to their related Groups to ensure they always get the right access to new projects for delivery.

A few notes on how Group Membership works:

  • Users can belong to one or more groups.

  • When adding a user to a group, the user will automatically receive access to all projects that the group already has access to, and to any new projects which are created and also linked to the group.

  • You can set the default access level/permissions for projects when adding the user to the group, and you can update this at any time. Any updates will apply to all projects linked to the group.

  • When a user is removed from a group, their access to all projects which are linked to the group is also removed.

  • When a project is added to a group, all group members will receive access according to their group default settings.

  • When a project is removed from a group, access to all group members is also removed.

  • You can still update a user’s access to an individual project at any time – for example a user might have View access to a Group, however can have Upload/Edit access to a specific project on that group; or can be removed from a specific project.

  • You can still invite users to individual projects and manage their access as per normal.

  • You can access Group Membership from Groups --> Group --> Users; or from Users --> [Manage Access to Groups] or [Grant Access to Groups]
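As an added illustration of the access rules listed above, the model below resolves a user's effective access to a project from group defaults and per-project overrides, and applies the removal rules (user removed from a group, project removed from a group). It is written for these notes and is not AttackForge code. Two points are assumptions, because the page does not spell them out: the levels are ordered None < View < Upload < Edit, and a user who belongs to several groups linked to the same project gets the highest of those defaults. A direct invite to a project and a per-project adjustment are both modelled as the same kind of per-project override.

```python
from enum import IntEnum
from typing import Dict, Set, Tuple


class Access(IntEnum):
    """Assumed ordering of the access levels named on this page."""
    NONE = 0
    VIEW = 1
    UPLOAD = 2
    EDIT = 3


class GroupAccessModel:
    def __init__(self) -> None:
        self.group_projects: Dict[str, Set[str]] = {}            # group -> linked projects
        self.membership: Dict[Tuple[str, str], Access] = {}      # (user, group) -> default level
        self.overrides: Dict[Tuple[str, str], Access] = {}       # (user, project) -> explicit level

    # --- group / project wiring -------------------------------------------------
    def link_project(self, group: str, project: str) -> None:
        self.group_projects.setdefault(group, set()).add(project)

    def unlink_project(self, group: str, project: str) -> None:
        """Project removed from a group: access for all group members is removed."""
        self.group_projects.get(group, set()).discard(project)
        for (user, g) in list(self.membership):
            if g == group:
                self.overrides.pop((user, project), None)

    # --- membership -------------------------------------------------------------
    def add_member(self, user: str, group: str, default: Access) -> None:
        """Adding a user grants the default level on every project linked to the group,
        now and in future; updating it later re-applies to all linked projects."""
        self.membership[(user, group)] = default

    def remove_member(self, user: str, group: str) -> None:
        """User removed from a group: access to all of that group's projects is removed,
        including any per-project adjustments made on those projects (assumption)."""
        self.membership.pop((user, group), None)
        for project in self.group_projects.get(group, set()):
            self.overrides.pop((user, project), None)

    # --- per-project adjustments -------------------------------------------------
    def invite_to_project(self, user: str, project: str, level: Access) -> None:
        """Direct invite, or raising/lowering a group member on one project."""
        self.overrides[(user, project)] = level

    def remove_from_project(self, user: str, project: str) -> None:
        """Removal from a single project is an explicit NONE, so the group default no longer applies."""
        self.overrides[(user, project)] = Access.NONE

    # --- resolution ---------------------------------------------------------------
    def effective_access(self, user: str, project: str) -> Access:
        if (user, project) in self.overrides:
            return self.overrides[(user, project)]
        # Highest default across the user's groups that link this project (assumption).
        return max(
            (lvl for (u, g), lvl in self.membership.items()
             if u == user and project in self.group_projects.get(g, set())),
            default=Access.NONE,
        )

    def project_audit(self, project: str) -> Dict[str, Access]:
        """Everyone with any access to a project, for a least-privilege review."""
        users = {u for (u, _g) in self.membership} | {u for (u, _p) in self.overrides}
        return {u: self.effective_access(u, project) for u in sorted(users)
                if self.effective_access(u, project) > Access.NONE}


def walkthrough() -> Dict[str, Access]:
    """Scenario from the notes: a View member of a group who is raised to Edit on one project."""
    m = GroupAccessModel()
    m.link_project("Payments", "PAY-2020-01")
    m.link_project("Payments", "PAY-2020-02")
    m.add_member("alice", "Payments", Access.VIEW)
    m.add_member("bob", "Payments", Access.EDIT)
    m.invite_to_project("alice", "PAY-2020-02", Access.EDIT)   # raised on one project only
    m.invite_to_project("carol", "PAY-2020-01", Access.UPLOAD)  # direct invite, not a group member
    return {
        "alice@01": m.effective_access("alice", "PAY-2020-01"),
        "alice@02": m.effective_access("alice", "PAY-2020-02"),
        "carol@01": m.effective_access("carol", "PAY-2020-01"),
        "carol@02": m.effective_access("carol", "PAY-2020-02"),
    }
```

The `project_audit` view is the one to run periodically: it answers "who can see this project and why" from the same data the access decisions use, so a stale group membership shows up before a report does.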

Staging Workflow for Vulnerabilities

When creating or editing a vulnerability, you can now control visibility of the issue. By default, vulnerabilities are set to be visible as soon as you create them.

However you can choose to temporarily hide the issue so that only people with Edit access on the project can see it. And when you are ready – you can set it to be live/visible to entire project team.

This will help you to register vulnerabilities as you test, and choose when you want this information released to the project team.

It can also help with allowing for review cycles, where vulnerabilities need to be reviewed before they are released to customer/stakeholders.

People with Edit access to a project will see an additional box on their project dashboard (Pending) - this is where the staged issues are held.

Pending/staged vulnerabilities do not show in any dashboards, reports, search or analytics – until they are set to live.

Project Coordinator Role

There is now a Project Coordinator role which can be applied to a user via Users module. Project Coordinators are intended to help facilitate & manage projects, without having to provide the user with Admin privileges.

Project Coordinators inherit standard user privileges, however gain additional abilities:

  • Automatically receive view access to projects which have been created (manually or via project request workflow)

  • Invite other users in the system, to projects which they have access to - for example invite pentesters, clients, developers, etc.

  • Update a user’s privileges for a given project (except for their own privileges). This includes deleting/removing a user from the project.

  • Update scope on a project.

  • Ability to view all Pending project requests & Actioned project requests.

Enable or Disable MFA for Application User Accounts

Administrators can now enable or disable MFA for application user accounts. By default, MFA is enabled on all application accounts when they are created. However admins can now disable (or re-enable) this for specific users (if required).

This may help in events where a user has lost their mobile device and cannot login, or other circumstances where MFA cannot be performed.

Note this does not affect MFA settings for SSO accounts.

Account De-activation & Self-Reset 2FA Enrolment

Users can now choose to deactivate their account (if it is no longer required) via Profile menu (when logged in). Once an account is de-activated, the user cannot log back in (without an Admin first unblocking their account).

Deactivated accounts are not deleted from the system, and all data remains in AttackForge. Accounts can be re-activated by Admins at any time.

Users can now also self-reset their 2FA enrolment via Profile menu (when logged in). The user is required to authorise this using their current passphrase.

Once reset is authorised & completed, the user will be automatically logged out and will receive a new QR code to scan upon next login.

Project ‘On-Hold’ Status

Projects can now be set to ‘On-Hold’ status. This is intended for projects where testing has had to stop for various reasons, for example experiencing difficulties/delays, environment issues, etc.

Admins can set (and unset) a project to On-Hold using actions menu on Projects screen, or by using the Project menu (when on project dashboard).

Updates to README

We have updated the README to include further details on Backing Up Application Data, including details on where files are stored/persisted on local file system – to help with your backup processes.

2019-09-19

Updates to Report Customisation

You can now upload your own logo that you would like to be included on the reports. This provides flexibility where reports need to be provided to different audiences or branded differently.

Each user has the freedom to upload their own logo which is saved to their profile, along with their own reporting options. Reporting options can be accessed from the Customize Vulnerability Report section (accessed from project menu or Reporting module).

In addition, we have added ability to customize reports to show only vulnerabilities which are Open, Closed or Retesting – or any combination. This provides greater flexibility when generating targeted reports, for example you can generate a report which shows you only Critical & High vulnerabilities which are currently Open or Retesting.

Admins Can Now Create Users

We have added ability for Admins to manually create new users in the system, without having to go through standard registration workflow. This provides greater flexibility and efficiency when accounts need to be created quickly and on short notice.

You can add new users by clicking on the ‘Create New User’ button in the Users administration module. For SSO users, you can enter the SSO username in the ‘Username’ field. Otherwise just include the email address.

2019-09-06

Stealth Mode Now Available

We have released a new ‘Stealth Mode’ theme for AttackForge – it’s our version of Dark Mode and was requested by popular demand! Particularly useful for the pentesters/hackers 😊

You can access Stealth Mode from the global menu. Your theme settings save against your profile, so you don’t have to keep setting it on each login. You can toggle between normal and stealth at any time.

Test case Evidence Now Available

Previously we had released the ability to add notes for each test case on every project. Now we have introduced the ability to also upload evidence/files for each test case. This expands AttackForge’s capabilities and potential use for non-security testing projects, for example self-audits & compliance audits against PCI DSS, HIPAA, NIST, ISO, 3rd party due diligence, etc.

However, for pentesting projects - this means you can now also include screenshots to support test cases. For example, if a test case is Not Applicable – you can add justification/note & upload screenshots. All notes & screenshots are date/time stamped, tracked by user and also included in the downloaded reports.

How it works:

  1. Create a Test Suite for your audit, for example PCI DSS, HIPAA, NIST, ISO, 3rd party due diligence, etc.

  2. Create a new project and apply the test suite.

  3. If it’s a self-audit by 3rd parties, you can invite them to the project – they can then work through each of the test cases/checklist items and mark them off as they go, whilst also uploading supporting evidence & adding notes.

  4. Customer internal team can then review the response to the checklist/test cases, add additional comments/notes, and if there are any issues they can be raised as an issue/vulnerability on the project. You can define your own issues e.g. ‘Policy Not In Accordance With Customer Guidelines’ in the Vulnerability Library.

  5. If it’s an internal audit, you can follow the same process as above however without inviting 3rd parties to the project – instead Customer staff will run through the checklist.

Performance Improvements

A number of performance improvements have been applied which makes using AttackForge smoother & faster. This includes optimizations to downloading reports to make it faster.

2019-08-20

JIRA Sync Now Available

You can now sync your vulnerabilities with JIRA. This ensures that vulnerability data on a project is always kept up to date between AttackForge & JIRA.

Syncing is easy to do – after you have exported vulnerabilities to your JIRA project, you can then click the ‘Sync with JIRA’ button to pull in the latest details for your selected vulnerabilities, as well as push any new changes or notes.

JIRA Sync works with any JIRA Cloud tenant & project, making it easy for your business stakeholders to stay on top of latest pentest findings and remediation activities on their projects.

Test case Notes Now Available

You can now add notes for each test case on every project. This ensures that supporting information and evidence is tracked against every test case performed.

For example, if you mark a test case as ‘Not Applicable’ or leave it as ‘Not Tested’ due to environment issues – you can now add supporting evidence & justification.

Or if you would like to assign test cases to individuals or share notes between pentesters when performing test cases – you can now do so using test case notes.

Each note is date & timestamped and linked to the user who created or updated the note for traceability.

Performance Improvements

A number of performance improvements have been applied which make using AttackForge smoother & faster. This includes updates to all major modules including Analytics, as well as improvements to load times for the vulnerability library when adding/editing a new issue on a project.

2019-08-01

HTML Reports

You can now download HTML reports for any given project - in addition to PDF, DOCX & CSV. These reports are fast to download, robust & customizable, and the format can be used for integration into other systems or for easy search & grep.

They are self-contained HTML files with all screenshots included. These reports will make accessing findings a breeze.

Markdown Now Available

Markdown is now available when adding or editing a vulnerability. You can apply markdown to Proof-of-Concepts/Steps to Reproduce which makes it easy to include code snippets for payloads, rich text formatting and more.

Markdown will make POCs more robust and combined with in-line screenshots previously released – you now have all you need to help developers reproduce issues quickly and effectively.

2019-07-08

ServiceNow Integration Now Available

You can now export your project vulnerabilities to any ServiceNow tenant. Each vulnerability will be raised as an incident. You can select the category you would like to apply.

ServiceNow integration comes standard with AttackForge Enterprise and in addition to Atlassian JIRA integration. It is available to all project team members.

Manage Vulnerability Library from Add/Edit Project Vulnerability Screens

If you are an Admin or Library Moderator, you can now create a new vulnerability in the library, edit an existing vulnerability in the library, duplicate an existing vulnerability in the library and modify it, and refresh your library – all from the project Add Vulnerability & Edit Vulnerability screens. This makes it easier and faster to manage your vulnerabilities as you are adding them to projects.

Update to Calendar

Calendar (available from global menu) now displays pending projects (new project requests), in addition to projects which are Waiting to Start, In Progress and Completed.

2019-06-19

Screenshots Now Available In Vulnerability Steps to Reproduce & Notes

You can now insert uploaded screenshots in the Steps to Reproduce & Notes section for each vulnerability, which will display in the PDF & DOCX reports.

This will help readers better understand the flow of steps when reproducing the vulnerability, as well as provide additional context to support the notes.

It’s easy to do – simply add three (3) curly braces around the file name – for example {{{screenshot.png}}}. You can insert screenshots at any place within the Steps to Reproduce & Notes sections.

It also works with renamed files, for example {{{Step 1}}}.
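To make the tag substitution concrete, here is an added illustration of how a triple-brace tag like {{{screenshot.png}}} or {{{Step 1}}} can be resolved against the files uploaded to a vulnerability. This is example code written for this page, not AttackForge’s own renderer: the upload map, the sample Steps to Reproduce text and the HTML output target are all constructed assumptions (the product renders into PDF & DOCX). The example also shows two things a report pipeline should care about: tags that match no upload are reported back rather than silently dropped, and every piece of user-supplied text is escaped so a file name or note body cannot inject markup into the generated report.

```python
import html
import re

# Matches a triple-brace tag such as {{{screenshot.png}}} or {{{Step 1}}};
# the inner name may contain spaces but not braces.
TAG_RE = re.compile(r"\{\{\{([^{}]+)\}\}\}")

# Constructed sample (assumption, not real data): display names of files
# "uploaded" to a vulnerability, mapped to the path the renderer would embed.
# A renamed upload appears under its new display name ("Step 1"), mirroring
# the rename-uploaded-files feature.
UPLOADED_FILES = {
    "screenshot.png": "evidence/screenshot.png",
    "Step 1": "evidence/step-1.png",
}

# Constructed sample Steps to Reproduce text containing two resolvable tags
# and one tag with a typo that matches no upload.
SAMPLE_STEPS = (
    "1. Log in as a low-privileged user.\n"
    "{{{Step 1}}}\n"
    "2. Observe the response shown in {{{screenshot.png}}}.\n"
    "3. Compare with {{{missing.png}}}."
)


def render_tags(text, uploads):
    """Replace {{{name}}} tags with <img> elements for known uploads.

    Returns (rendered_html, unresolved): unresolved lists tag names that
    matched no upload, so a reviewer can catch typos before the report is
    generated. Surrounding text, file names and paths are all HTML-escaped;
    an unresolved tag is left visible as escaped text instead of vanishing.
    """
    unresolved = []
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        # Text between tags is ordinary user input: escape it.
        out.append(html.escape(text[pos:m.start()]))
        name = m.group(1).strip()
        if name in uploads:
            out.append(
                '<img src="%s" alt="%s">'
                % (html.escape(uploads[name]), html.escape(name))
            )
        else:
            unresolved.append(name)
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out), unresolved


if __name__ == "__main__":
    rendered, missing = render_tags(SAMPLE_STEPS, UPLOADED_FILES)
    print(rendered)
    print("unresolved tags:", missing)
```

Running the block prints the rendered steps with two <img> elements and reports `missing.png` as unresolved, which is the check a reviewer would want before a report with a mistyped tag goes to a customer.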

Help & Info Now Available

We have added a Help & Info section which is available from the global menu. This includes FAQ which covers the most common questions we get from users.

We are aiming to include additional information in the near future, as well as short video tutorials, to help people familiarize themselves faster with AttackForge Enterprise.

2019-05-21

Enterprise Groups

We have now completed dashboards for groups. You can now view & drill down on the following details for each group:

  • Total vulnerabilities + critical + high + medium + low + zero-day + easily exploitable + CWE top 25 + OWASP top 10 + open + retesting + closed

  • Total projects + waiting to start + in progress + completed

  • Total assets

  • Total attack chains

  • Total project members (users)

  • Group owner

  • Primary contact (name, email, phone)

  • Drill-down on each item above

Analytics

We have added the ability to drill down in Analytics. You can now view & drill down on the following details. Combined with the recently introduced filters, this information can also be filtered by start/end dates as well as by groups.

  • Critical vulnerabilities

  • High vulnerabilities

  • Medium vulnerabilities

  • Low vulnerabilities

  • Open vulnerabilities

  • Retest vulnerabilities

  • Closed vulnerabilities

  • Zero-day vulnerabilities

  • Easily Exploitable vulnerabilities

  • OWASP Top 10 vulnerabilities

  • CWE Top 25 vulnerabilities

  • Top 10 Most Frequent Vulnerabilities

Rename Uploaded Files

We have added the ability to rename files after they have been uploaded.

This allows you to rename screenshots in the report, to provide more details about what is happening in each screenshot. You can also rename uploaded workspace files or logs to give more meaningful descriptions.

2019-05-07

Enterprise Groups

Groups feature allows admins to assign & track projects (and their related assets & vulnerabilities) to one or more groups, for example business units, internal clients, external clients, platform owners, etc.

This allows for broader visibility of security posture within organisational segments, and ability to allocate Group Owners and contacts who are responsible for systems (assets) in their group, and their related vulnerabilities.

This will help enterprises to visualize vulnerable areas within the organisation faster and more efficiently, to help plan remediation activities.

Admins can now:

  • Create & Update groups – includes group name, group owner, and primary contact details (name, email, phone)

  • Assign projects (and their related assets & vulnerabilities) to one or more groups

Users can now:

  • View analytics across one or more groups, for a given period of time – for groups they have access to

  • View all vulnerabilities for a given group – for groups they have access to

Coming soon:

  • Dashboard for each group which shows:

    • Total vulnerabilities + critical + high + medium + low + zero-day + easily exploitable + CWE top 25 + OWASP top 10 + open + retesting + closed

    • Total projects + waiting to start + in progress + completed

    • Total assets

    • Total attack chains

    • Total project members (users)

    • Group owner

    • Primary contact (name, email, phone)

    • Ability to drill-down on dashboard items

2019-04-24

Users can now:

  • Customize PDF & DOCX reports based on the content the user wishes to include in the report

  • Currently there are 30 different content items which can be independently toggled on/off in the reports

  • Each user can easily update & save their own global reporting options, which apply to every report they download

  • Customisation menu can be accessed from Project drop-down menu & Reporting module

Admins can now:

  • Customize PDF & DOCX reports for each user in the system

  • Admin customisation menu can be accessed from Users module

Project team members can now:

  • Request new round of retesting – email will be sent to admins with request details (email is disabled in Demo env. to avoid spamming people)

  • Confirm round of retesting is completed (if user has project Edit permissions) – email will be sent to all project team members to inform retesting is completed

  • Track history for every round of retesting, including what was retested

  • See retesting results in the reports

We have also made some updates to the reports:

  • Track remediation history

  • Include number of assets affected by total vulnerabilities

  • Include number of assets with Fixed issues

  • Include number of assets still undergoing Retesting

  • Include number of assets with Non-Fixed issues

  • Include number of assets affected by individual vulnerabilities

  • Summary if vulnerability is Fixed/Not-Fixed

  • Borders applied to screenshots (in PDF report)

  • File name applied to screenshots
