2019

2019-11-22

AttackForge Connector Now Available

AttackForge Connector is our tool that allows you to export findings from AFE into other industry-leading tools.

It works with AFE JSON files which can be exported from your projects.

It’s a client-side, self-contained HTML file, so no install is required. It can be downloaded within AFE from the ‘Connector’ module.

Currently AttackForge Connector supports the following tools, however we have many tools planned for integration in upcoming releases:

  • JIRA Cloud

  • ServiceNow

  • Kenna Security

AttackForge Connector aims to become our gateway product for bi-directional data integration between AttackForge and other tools & platforms.

AttackForge Connector works as follows:

  1. Log in to AttackForge and download the JSON report for the project/vulnerabilities you wish to export, plus the AttackForge Connector file (from the Connector module).

  2. Open the AttackForge Connector HTML file and select the JSON file to upload.

  3. Select the vulnerabilities you wish to export.

  4. Select the tool which you would like to export selected vulnerabilities to.

  5. Fill in export details for your tool.

  6. Click submit. Vulnerabilities should be exported directly to the tool.

NOTE: Due to the strict CORS security settings set by JIRA, ServiceNow and Kenna Security, direct exports from the browser to these tools are not allowed (denied by the browser) for security reasons.

Therefore, all export requests are routed via AttackForge proxy infrastructure to comply with the CORS security settings set by the tools.

Please let us know if you would like us to help you configure AttackForge Connector to utilise your own proxy service.

JSON Report Now Available

You can now export project vulnerability reports in JSON format (in addition to PDF, DOCX, HTML & CSV).

JSON reports contain all the information which is currently provided in the standard reports. You can customise content of the JSON report based on your Report Settings.

JSON reports can be used to integrate AFE findings into your own existing reporting templates.

JSON reports can also be used to export AFE findings into other systems via AttackForge Connector, or via direct feeds into other tools.

Vulnerability & Asset Report Mappings

We have now included two additional appendices within the vulnerability reports, to help provide a snapshot of affected systems and their remediation status.

  1. Vulnerability-to-Asset Mappings: a list of all vulnerabilities and the assets/systems affected by that vulnerability (including remediation status)

  2. Asset-to-Vulnerability Mappings: a list of all assets and the vulnerabilities affecting each asset (including remediation status)

Bug Fixes & Performance Improvements

We have addressed a number of bugs (particularly in the PDF reports), as well as made performance optimizations (for page load times and reporting speeds), to help improve user experience.

2019-11-04

Group Membership Now Available

You can now link users to Groups. This will make it easier to manage visibility, collaboration and access to projects as your security & penetration testing program grows. For example:

  • You can add management and executives to their related Groups so they can track performance and view analytics across their business units.

  • You can add technology and engineering teams to their related Groups so they always have visibility of issues/vulnerabilities arising on their systems.

  • You can add pentesters & security teams to their related Groups to ensure they always get the right access to new projects for delivery.

A few notes on how Group Membership works:

  • Users can belong to one or more groups.

  • When adding a user to a group, the user will automatically receive access to all projects that the group already has access to, and to any new projects which are created and also linked to the group.

  • You can set the default access level/permissions for projects when adding the user to the group, and you can update this at any time. Any updates will apply to all projects linked to the group.

  • When a user is removed from a group, their access to all projects which are linked to the group is also removed.

  • When a project is added to a group, all group members will receive access according to their group default settings.

  • When a project is removed from a group, access to all group members is also removed.

  • You can still update a user’s access to an individual project at any time – for example a user might have View access to a Group, however can have Upload/Edit access to a specific project on that group; or can be removed from a specific project.

  • You can still invite users to individual projects and manage their access as per normal.

  • You can access Group Membership from Groups --> Group --> Users; or from Users --> [Manage Access to Groups] or [Grant Access to Groups]
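The membership rules above, modelled as an added Python example (not AttackForge's own code): group, project and user names are constructed, and both the access scale and the precedence of an explicit per-project setting over the group default are assumptions.

```python
from dataclasses import dataclass, field

# Ordered access scale (constructed; the page names View and Upload/Edit).
LEVELS = {"none": 0, "view": 1, "upload": 2, "edit": 3}


@dataclass
class AccessModel:
    """Effective project access from group membership plus per-project adjustments."""
    group_projects: dict = field(default_factory=dict)  # group -> set of projects
    group_members: dict = field(default_factory=dict)   # group -> {user: default level}
    overrides: dict = field(default_factory=dict)       # (user, project) -> level

    def link_project(self, group, project):
        # New project linked to a group: every member gets their group default.
        self.group_projects.setdefault(group, set()).add(project)
        self.group_members.setdefault(group, {})

    def unlink_project(self, group, project):
        # Project removed from a group: all group members lose access to it.
        self.group_projects.get(group, set()).discard(project)
        for user in self.group_members.get(group, {}):
            self.overrides.pop((user, project), None)

    def add_member(self, group, user, default_level):
        # Adding (or re-adding with a new default) applies to all linked projects.
        self.group_members.setdefault(group, {})[user] = default_level

    def remove_member(self, group, user):
        # Assumption: leaving a group also clears that user's per-project settings
        # on the group's projects, so "access to all linked projects is removed" holds.
        self.group_members.get(group, {}).pop(user, None)
        for project in self.group_projects.get(group, set()):
            self.overrides.pop((user, project), None)

    def set_project_access(self, user, project, level):
        # Per-project adjustment: raise, lower or remove ("none") access on one project.
        self.overrides[(user, project)] = level

    def effective_access(self, user, project):
        # Assumption: an explicit per-project setting wins over any group default;
        # otherwise the highest default across the user's groups linked to the project.
        if (user, project) in self.overrides:
            return self.overrides[(user, project)]
        best = "none"
        for group, projects in self.group_projects.items():
            level = self.group_members.get(group, {}).get(user)
            if project in projects and level and LEVELS[level] > LEVELS[best]:
                best = level
        return best


def demo():
    """Walk through the rules with constructed data; returns the access seen at each step."""
    m = AccessModel()
    m.link_project("Payments", "pentest-api")
    m.add_member("Payments", "alice", "view")
    steps = [("joined group", m.effective_access("alice", "pentest-api"))]
    m.link_project("Payments", "pentest-web")               # new project inherits default
    steps.append(("new project linked", m.effective_access("alice", "pentest-web")))
    m.set_project_access("alice", "pentest-web", "edit")    # per-project raise
    steps.append(("project override", m.effective_access("alice", "pentest-web")))
    m.remove_member("Payments", "alice")                    # revokes both projects
    steps.append(("removed from group", m.effective_access("alice", "pentest-web")))
    return steps
```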

Staging Workflow for Vulnerabilities

When creating or editing a vulnerability, you can now control visibility of the issue. By default, vulnerabilities are set to be visible as soon as you create them.

However, you can choose to temporarily hide the issue so that only people with Edit access on the project can see it. When you are ready, you can set it to be live/visible to the entire project team.

This will help you to register vulnerabilities as you test, and choose when you want this information released to the project team.

It can also help with allowing for review cycles, where vulnerabilities need to be reviewed before they are released to customer/stakeholders.

People with Edit access to a project will see an additional box on their project dashboard (Pending) - this is where the staged issues are held.

Pending/staged vulnerabilities do not show in any dashboards, reports, search or analytics – until they are set to live.

Project Coordinator Role

There is now a Project Coordinator role which can be applied to a user via Users module. Project Coordinators are intended to help facilitate & manage projects, without having to provide the user with Admin privileges.

Project Coordinators inherit standard user privileges, however gain additional abilities:

  • Automatically receive view access to projects which have been created (manually or via project request workflow)

  • Invite other users in the system, to projects which they have access to - for example invite pentesters, clients, developers, etc.

  • Update a user’s privileges for a given project (except for their own privileges). This includes deleting/removing a user from the project.

  • Update scope on a project.

  • Ability to view all Pending project requests & Actioned project requests.

Enable or Disable MFA for Application User Accounts

Administrators can now enable or disable MFA for application user accounts. By default, MFA is enabled on all application accounts when they are created. However, admins can now disable (or re-enable) this for specific users (if required).

This may help in events where a user has lost their mobile device and cannot log in, or other circumstances where MFA cannot be performed.

Note this does not affect MFA settings for SSO accounts.

Account De-activation & Self-Reset 2FA Enrolment

Users can now choose to deactivate their account (if it is no longer required) via Profile menu (when logged in). Once an account is de-activated, the user cannot log back in (without an Admin first unblocking their account).

Deactivated accounts are not deleted from the system, and all data remains in AttackForge. Accounts can be re-activated by Admins at any time.

Users can now also self-reset their 2FA enrolment via Profile menu (when logged in). The user is required to authorise this using their current passphrase.

Once reset is authorised & completed, the user will be automatically logged out and will receive a new QR code to scan upon next login.

Project ‘On-Hold’ Status

Projects can now be set to ‘On-Hold’ status. This is intended for projects where testing has had to stop for various reasons, for example experiencing difficulties/delays, environment issues, etc.

Admins can set (and unset) a project to On-Hold using the actions menu on the Projects screen, or by using the Project menu (when on the project dashboard).

Updates to README

We have updated the README to include further details on Backing Up Application Data, including details on where files are stored/persisted on local file system – to help with your backup processes.

2019-09-19

Updates to Report Customisation

You can now upload your own logo that you would like to be included on the reports. This provides flexibility where reports need to be provided to different audiences or branded differently.

Each user has the freedom to upload their own logo which is saved to their profile, along with their own reporting options. Reporting options can be accessed from the Customize Vulnerability Report section (accessed from project menu or Reporting module).

In addition, we have added the ability to customize reports to show only vulnerabilities which are Open, Closed or Retesting, or any combination. This provides greater flexibility when generating targeted reports; for example, you can generate a report which shows you only Critical & High vulnerabilities which are currently Open or Retesting.

Admins Can Now Create Users

We have added the ability for Admins to manually create new users in the system, without having to go through the standard registration workflow. This provides greater flexibility and efficiency when accounts need to be created quickly and on short notice.

You can add new users by clicking on the ‘Create New User’ button in the Users administration module. For SSO users, you can enter the SSO username in the ‘Username’ field. Otherwise just include the email address.

2019-09-06

Stealth Mode Now Available

We have released a new ‘Stealth Mode’ theme for AttackForge – it’s our version of Dark Mode and was requested by popular demand! Particularly useful for the pentesters/hackers 😊

You can access Stealth Mode from the global menu. Your theme settings save against your profile, so you don’t have to keep setting it on each login. You can toggle between normal and stealth at any time.

Test Case Evidence Now Available

Previously we had released the ability to add notes for each test case on every project. Now we have introduced the ability to also upload evidence/files for each test case. This expands AttackForge’s capabilities and potential use for non-security testing projects, for example self-audits & compliance audits against PCI DSS, HIPAA, NIST, ISO, 3rd party due diligence, etc.

However, for pentesting projects - this means you can now also include screenshots to support test cases. For example, if a test case is Not Applicable – you can add justification/note & upload screenshots. All notes & screenshots are date/time stamped, tracked by user and also included in the downloaded reports.

How it works:

  1. Create a Test Suite for your audit, for example PCI DSS, HIPAA, NIST, ISO, 3rd party due diligence, etc.

  2. Create a new project and apply the test suite.

  3. If it’s a self-audit by 3rd parties, you can invite them to the project. They can then work through each of the test cases/checklist items and mark them off as they go, whilst also uploading supporting evidence & adding notes.

  4. Customer internal team can then review the response to the checklist/test cases, add additional comments/notes, and if there are any issues they can be raised as an issue/vulnerability on the project. You can define your own issues e.g. ‘Policy Not In Accordance With Customer Guidelines’ in the Vulnerability Library.

  5. If it’s an internal audit, you can follow the same process as above however without inviting 3rd parties to the project – instead Customer staff will run through the checklist.

Performance Improvements

A number of performance improvements have been applied which make using AttackForge smoother & faster. This includes optimizations to downloading reports to make it faster.

2019-08-20

JIRA Sync Now Available

You can now sync your vulnerabilities with JIRA. This ensures that vulnerability data on a project is always kept up to date between AttackForge & JIRA.

Syncing is easy to do. After you have exported vulnerabilities to your JIRA project, you can click the ‘Sync with JIRA’ button to pull in the latest details for your selected vulnerabilities, as well as push any new changes or notes.

JIRA Sync works with any JIRA Cloud tenant & project, making it easy for your business stakeholders to stay on top of latest pentest findings and remediation activities on their projects.

Test Case Notes Now Available

You can now add notes for each test case on every project. This ensures that supporting information and evidence is tracked against every test case performed.

For example, if you mark a test case as ‘Not Applicable’ or leave it as ‘Not Tested’ due to environment issues – you can now add supporting evidence & justification.

Or if you would like to assign test cases to individuals or share notes between pentesters when performing test cases – you can now do so using test case notes.

Each note is date & timestamped and linked to the user who created or updated the note for traceability.

Performance Improvements

A number of performance improvements have been applied which make using AttackForge smoother & faster. This includes updates to all major modules including Analytics, as well as improvements on load times for the vulnerability library when adding/editing a new issue on a project.

2019-08-01

HTML Reports

You can now download HTML reports for any given project - in addition to PDF, DOCX & CSV. These reports are fast to download, robust & customizable by format - which can be used for integration into other systems or for easy search & grep.

They are self-contained HTML files with all screenshots included. These reports will make accessing findings a breeze.

Markdown Now Available

Markdown is now available when adding or editing a vulnerability. You can apply markdown to Proof-of-Concepts/Steps to Reproduce which makes it easy to include code snippets for payloads, rich text formatting and more.

Markdown will make POCs more robust and combined with in-line screenshots previously released – you now have all you need to help developers reproduce issues quickly and effectively.

2019-07-08

ServiceNow Integration Now Available

You can now export your project vulnerabilities to any ServiceNow tenant. Each vulnerability will be raised as an incident. You can select the category you would like to apply.

ServiceNow integration comes standard with AttackForge Enterprise, in addition to the Atlassian JIRA integration. It is available to all project team members.

Manage Vulnerability Library from Add/Edit Project Vulnerability Screens

If you are an Admin or Library Moderator, you can now create a new vulnerability in the library, edit an existing vulnerability in the library, duplicate an existing vulnerability in the library and modify it, and refresh your library, all from the project Add Vulnerability & Edit Vulnerability screens. This makes it easier and faster to manage your vulnerabilities as you are adding them to projects.

Update to Calendar

Calendar (available from global menu) now displays pending projects (new project requests), in addition to projects which are Waiting to Start, In Progress and Completed.

2019-06-19

Screenshots Now Available In Vulnerability Steps to Reproduce & Notes

You can now insert uploaded screenshots in the Steps to Reproduce & Notes section for each vulnerability, which will display in the PDF & DOCX reports.

This will help readers better understand flow of steps when reproducing the vulnerability, as well as provide additional context to support the notes.

It’s easy to do – simply add three (3) curly braces around the file name – for example {{{screenshot.png}}}. You can insert screenshots at any place within the Steps to Reproduce & Notes sections.

It also works with renamed files too, for example {{{Step 1}}}.
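An added Python example (not AttackForge's own code) of how the placeholder syntax above can be expanded into a self-contained HTML report while keeping unknown names visible rather than silently dropping them; the upload table and stored paths are constructed, and the text is treated as plain text (the product's Markdown handling is not modelled).

```python
import html
import re

# Placeholder syntax described above: three curly braces around the uploaded file's
# name or its renamed label, e.g. {{{screenshot.png}}} or {{{Step 1}}}.
PLACEHOLDER = re.compile(r"\{\{\{(.+?)\}\}\}")

# Constructed sample of a project's uploads: label shown in the editor -> stored path.
UPLOADS = {
    "screenshot.png": "uploads/p42/3f1c-screenshot.png",
    "Step 1": "uploads/p42/9a0e-login-form.png",
}


def render_steps(text, uploads=UPLOADS):
    """Expand {{{name}}} placeholders to <img> tags, HTML-escaping everything else.

    Returns (rendered_html, unresolved_names) so the caller can flag a mistyped
    or deleted file name instead of emitting a broken image in the report.
    """
    unresolved = []
    parts = []
    pos = 0
    for match in PLACEHOLDER.finditer(text):
        parts.append(html.escape(text[pos:match.start()]))
        name = match.group(1).strip()
        if name in uploads:
            # Path and label are both escaped: a file can be renamed to any string.
            parts.append('<img src="%s" alt="%s">' % (
                html.escape(uploads[name], quote=True), html.escape(name, quote=True)))
        else:
            # Keep the unknown reference visible in the output and report it.
            unresolved.append(name)
            parts.append(html.escape(match.group(0)))
        pos = match.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts), unresolved
```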

Help & Info Now Available

We have added a Help & Info section which is available from the global menu. This includes an FAQ which covers the most common questions we get from users.

We are aiming to include additional information in the near future, as well as short video tutorials, to help people familiarize themselves faster with AttackForge Enterprise.

2019-05-21

Enterprise Groups

We have now completed dashboards for groups. You can now view & drill down on the following details for each group:

  • Total vulnerabilities + critical + high + medium + low + zero-day + easily exploitable + CWE top 25 + OWASP top 10 + open + retesting + closed

  • Total projects + waiting to start + in progress + completed

  • Total assets

  • Total attack chains

  • Total project members (users)

  • Group owner

  • Primary contact (name, email, phone)

  • Drill-down on each item above

Analytics

We have added the ability to drill down in Analytics. You can now view & drill down on the following details. We also recently introduced filters, which allow you to filter this information based on start/end dates as well as groups.

  • Critical vulnerabilities

  • High vulnerabilities

  • Medium vulnerabilities

  • Low vulnerabilities

  • Open vulnerabilities

  • Retest vulnerabilities

  • Closed vulnerabilities

  • Zero-day vulnerabilities

  • Easily Exploitable vulnerabilities

  • OWASP Top 10 vulnerabilities

  • CWE Top 25 vulnerabilities

  • Top 10 Most Frequent Vulnerabilities

Rename Uploaded Files

We have added the ability to rename files after they have been uploaded.

This allows you to rename screenshots in the report, to provide more details about what is happening in each screenshot. You can also rename uploaded workspace files or logs to give more meaningful descriptions.

2019-05-07

Enterprise Groups

The Groups feature allows admins to assign & track projects (and their related assets & vulnerabilities) to one or more groups, for example business units, internal clients, external clients, platform owners, etc.

This allows for broader visibility of security posture within organisational segments, and ability to allocate Group Owners and contacts who are responsible for systems (assets) in their group, and their related vulnerabilities.

This will help enterprises to visualize vulnerable areas within the organisation faster and more efficiently, to help plan remediation activities.

Admins can now:

  • Create & Update groups – includes group name, group owner, and primary contact details (name, email, phone)

  • Assign projects (and their related assets & vulnerabilities) to one or more groups

Users can now:

  • View analytics across one or more groups, for a given period of time – for groups they have access to

  • View all vulnerabilities for a given group – for groups they have access to

Coming soon:

  • Dashboard for each group which shows:

    • Total vulnerabilities + critical + high + medium + low + zero-day + easily exploitable + CWE top 25 + OWASP top 10 + open + retesting + closed

    • Total projects + waiting to start + in progress + completed

    • Total assets

    • Total attack chains

    • Total project members (users)

    • Group owner

    • Primary contact (name, email, phone)

    • Ability to drill-down on dashboard items

2019-04-24

Users can now:

  • Customize PDF & DOCX reports based on the content the user wishes to include in the report

  • Currently there are 30 different content items which can be independently toggled on/off in the reports

  • Each user can easily update & save their own global reporting options which applies to every report they download

  • Customisation menu can be accessed from Project drop-down menu & Reporting module

Admins can now:

  • Customize PDF & DOCX reports for each user in the system

  • Admin customisation menu can be accessed from Users module

Project team members can now:

  • Request new round of retesting – email will be sent to admins with request details (email is disabled in Demo env. to avoid spamming people)

  • Confirm round of retesting is completed (if user has project Edit permissions) – email will be sent to all project team members to inform retesting is completed

  • Track history for every round of retesting, including what was retested

  • See retesting results in the reports

We have also made some updates to the reports:

  • Track remediation history

  • Include number of assets affected by total vulnerabilities

  • Include number of assets with Fixed issues

  • Include number of assets still undergoing Retesting

  • Include number of assets with Non-Fixed issues

  • Include number of assets affected by individual vulnerabilities

  • Summary if vulnerability is Fixed/Not-Fixed

  • Borders applied to screenshots (in PDF report)

  • File name applied to screenshots

Check YouTube for more tutorials: https://youtube.com/@attackforge