AttackForge tracks the lifecycle of each vulnerability, from Open through Retesting to Closed, so the status of a vulnerability is known at any point in time, whenever you or the customer need it.
Every vulnerability has its own audit trail containing remediation notes, which record what remediation actions were performed, by whom, and when.
AttackForge also tracks every round of retesting that has been requested or performed on a project, with automations that keep the process simple and fast.
Any project team member can add remediation notes to a vulnerability. This can be used by developers when updating the remediation actions performed on the vulnerability, or by pentesters when documenting observations during a retest.
To add a remediation note, navigate to the vulnerability page and use the menu to select Add Remediation Note.
Remediation notes can be viewed from the vulnerability page by clicking on the Remediation Notes tab. Remediation notes are ordered by date, with the most recently created note at the top.
You can also view remediation notes by downloading the on-demand reports.
Remediation notes are also synchronised with JIRA: notes added in AttackForge are exported to the linked JIRA issue, and notes added in JIRA are imported into AttackForge (bi-directional sync).
Any project team member can flag a vulnerability for retesting. This can be used by developers when indicating that an issue has been resolved and can now be retested.
You can mark an individual vulnerability for retesting by clicking on Ready for Retesting from the vulnerability page menu.
The status indicator of the vulnerability changes to yellow, and the vulnerability shows as Ready for Retest within the application.
A remediation note will also appear to indicate when the vulnerability was flagged as ready for retesting, and by whom.
If you need to flag multiple vulnerabilities as ready for retesting, you can use the bulk update action from the vulnerabilities page menu.
After you have flagged vulnerabilities as ready for retesting on a project, you can request a round of retesting to be performed.
To request a round of retesting, click on Retesting from the project dashboard menu.
From the Retesting section on the project, use the page menu to select Request Retest. Any project team member can request a retest.
When a retest has been requested, all vulnerabilities flagged for retesting on the project will be included in a new round of retesting.
The Project Owner (AttackForge.com) or Administrators (AttackForge Enterprise) will receive an email notification informing them that a user has requested a retest for the given project. They can then engage the pentester/consultant to commence remediation testing.
Once a retest has been requested, the pentesters/consultants can commence the retesting. The vulnerabilities flagged for retesting are accessible by clicking on the Retest dashboard box on the project dashboard page, or by clicking on Retesting from the project menu.
Click on a vulnerability to navigate to the vulnerability page.
From here, use the menu to perform the following functions. Note that you will need Edit permissions on the project.
- Upload Evidence - upload screenshots and proof of the findings/observations from the retest
- Add Remediation Note - add remediation note to include the findings/observations from the retest
- Re-Open Vulnerability - re-open the vulnerability if it is deemed to be not fixed
- Close Vulnerability - close the vulnerability if it is deemed to be fixed
Once you have performed the retest for all the vulnerabilities, click on Confirm Retest Completed from the Retesting section page menu on your project.
Once you have confirmed the retest is completed, an email notification will be sent to the project team to inform them that the retest is now completed. A record of the retested vulnerabilities will also be included in the Retesting section of the project, as well as within the on-demand reports.
You can keep track of all retests on your projects by clicking on the Retesting module from the main navigation menu.
Here you will find a list of all your projects, with sortable columns at the far right showing:
- number of vulnerabilities flagged for retesting on the project;
- number of rounds of retesting requested on the project;
- number of rounds of retesting completed on the project.
You can click on any of the numbers in order to drill-down to the details.
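The lifecycle described above (remediation notes as an audit trail, flagging for retest, a requested round sweeping up every flagged vulnerability, close or re-open per vulnerability, confirming the round, and the three per-project counters) is modelled below as a small Python state machine. This is an added illustration and not AttackForge code or its API; the class names, method names, the sample vulnerabilities and the users "dev" and "pentester" are all assumptions constructed for the example.

```python
# Added example: a toy model of the vulnerability lifecycle described on this
# page. Not AttackForge code; all names and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    OPEN = "Open"
    READY_FOR_RETEST = "Ready for Retest"   # shown yellow in the UI
    RETESTING = "Retesting"                 # included in a requested round
    CLOSED = "Closed"


@dataclass
class Note:
    when: datetime
    author: str
    text: str


@dataclass
class Vulnerability:
    vuln_id: str
    title: str
    status: Status = Status.OPEN
    notes: List[Note] = field(default_factory=list)  # audit trail, oldest first

    def add_note(self, author: str, text: str, when: Optional[datetime] = None) -> Note:
        note = Note(when or datetime.now(timezone.utc), author, text)
        self.notes.append(note)
        return note

    def notes_newest_first(self) -> List[Note]:
        # Notes are appended in creation order; the tab shows the latest first.
        return list(reversed(self.notes))

    def flag_ready_for_retest(self, author: str) -> None:
        if self.status != Status.OPEN:
            raise ValueError(f"{self.vuln_id}: only Open vulnerabilities can be flagged")
        self.status = Status.READY_FOR_RETEST
        self.add_note(author, "Flagged as ready for retesting")  # records who and when

    def close(self, author: str, text: str) -> None:
        self._finish(Status.CLOSED, author, text)

    def reopen(self, author: str, text: str) -> None:
        self._finish(Status.OPEN, author, text)

    def _finish(self, outcome: Status, author: str, text: str) -> None:
        # Closing / re-opening only makes sense for an item in an active round.
        if self.status != Status.RETESTING:
            raise ValueError(f"{self.vuln_id}: not part of an active retest round")
        self.status = outcome
        self.add_note(author, f"Retest outcome: {outcome.value}. {text}")


@dataclass
class RetestRound:
    number: int
    requested_by: str
    vuln_ids: List[str]
    completed: bool = False


@dataclass
class Project:
    name: str
    vulns: Dict[str, Vulnerability] = field(default_factory=dict)
    rounds: List[RetestRound] = field(default_factory=list)

    def add(self, vuln: Vulnerability) -> None:
        self.vulns[vuln.vuln_id] = vuln

    def request_retest(self, requested_by: str) -> RetestRound:
        # Every vulnerability flagged on the project goes into the new round.
        flagged = [v for v in self.vulns.values() if v.status == Status.READY_FOR_RETEST]
        if not flagged:
            raise ValueError("nothing is flagged for retesting")
        for v in flagged:
            v.status = Status.RETESTING
        rnd = RetestRound(len(self.rounds) + 1, requested_by, [v.vuln_id for v in flagged])
        self.rounds.append(rnd)
        return rnd

    def confirm_retest_completed(self, rnd: RetestRound) -> None:
        # Refuse to confirm while any item in the round has no outcome yet.
        pending = [i for i in rnd.vuln_ids if self.vulns[i].status == Status.RETESTING]
        if pending:
            raise ValueError(f"round {rnd.number} still has untested vulnerabilities: {pending}")
        rnd.completed = True

    def counters(self) -> Dict[str, int]:
        # The three sortable columns of the Retesting module.
        return {
            "flagged": sum(v.status == Status.READY_FOR_RETEST for v in self.vulns.values()),
            "rounds_requested": len(self.rounds),
            "rounds_completed": sum(r.completed for r in self.rounds),
        }


def demo() -> Project:
    """Walk constructed sample data through one full round of retesting."""
    p = Project("Sample web app pentest")
    for i, title in enumerate(["SQL injection in login", "Missing HSTS", "IDOR on /invoices"], 1):
        p.add(Vulnerability(f"V-{i}", title))
    p.vulns["V-1"].add_note("dev", "Replaced string concatenation with bound parameters")
    p.vulns["V-1"].flag_ready_for_retest("dev")
    p.vulns["V-3"].flag_ready_for_retest("dev")
    rnd = p.request_retest("dev")          # V-1 and V-3 enter round 1; V-2 stays Open
    p.vulns["V-1"].close("pentester", "Payloads no longer reach the query")
    p.vulns["V-3"].reopen("pentester", "Still readable with another user's invoice id")
    p.confirm_retest_completed(rnd)
    return p
```

Running `demo()` leaves V-1 Closed, V-3 back at Open with the retester's observation as its newest note, V-2 untouched, and the project's counters at zero flagged, one round requested and one round completed, which is what the Retesting module would show for that project.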