2020
Measuring & Tracking performance of your security & pentesting program is crucial in understanding how individual business units, or the entire organisation, is performing over time.
This analysis can help to identify systemic issues across the organisation, or within function areas; and help to make informed decisions on remediation and placement of resources for security improvement.
In this release, we have introduced new SLAs, Mean-Time-To-Remediate (MTTR) & extended Assets with Open Vulnerabilities:
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 15 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 15 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 30 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 30 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 45 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 45 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 60 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 60 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 90 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 90 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 120 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 120 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 180 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 180 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 365 days
- SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 365 days
- MTTR – Medium Vulnerabilities
- MTTR – Low Vulnerabilities
- Assets with Open Medium Vulnerabilities
- Assets with Open Low Vulnerabilities
Abuse cases are project or assessment specific test cases. They are unique test cases which apply to the assets on the project or relate to the objective of the assessment.
Abuse cases help to ensure complete coverage for any given project, beyond the standard test cases.
For example, consider a web application pentest for a reverse auction website. Typically the pentest may cover the standard OWASP ASVS test cases, however the customer also requires that business logic tests are performed against the bidding functionality to determine whether it can be cheated or not. Abuse cases can be created to specifically test this functionality which relating to the application. This provides a higher level of assurance beyond standard test cases.
Abuse Cases can be created directly from the Test Cases section on a project by Admins or Project Coordinators; and are stored & tracked per project in the Test Suite Builder module under the new Abuse Cases tab.
As your security & pentesting program grows and you collect valuable vulnerability data against your assets – the ability to drill-down on the exact information you need becomes essential.
To help with this, we have extended the Search capabilities in AFE to include following:
- Search all vulnerabilities (you have access to) by a Vulnerability Title – for example “show me all vulnerabilities which are SQL Injection”.
- Search all vulnerabilities (you have access to) by one or more Vulnerability Tags – for example “show me all vulnerabilities which have a CVSS Score of 8.0. Now include those which are also OWASP Top 10”.
You can also continue to search by an Asset Name or filter vulnerabilities by a Group.
In this release we have included the following updates to the Schedule:
- Percentage completion for each project in calendar
- Every project now has a percentage completion value next to the name in the calendar. This helps to identify at a glance how far the project has progressed.
- Daily tracker now includes detailed progress breakdown for each individual test suite assigned to the project
- This helps to identify progress on each phase of the pentest, for example:
- Planning & Preparations (100%)
- Web Application Pentesting (60%)
- Abuse Cases (10%)
- Retesting (0%)
- …
- Filter by User now shows list of all the users’ projects
- This helps to identify which projects the user is assigned to, and information relating to each of those projects such as status, vulnerabilities, test window, etc.
- As this information is in a data table, it can be filtered or even exported to CSV for offline schedule copy
When creating or updating a project, you can now set a custom email body for the daily start & stop testing notifications which are sent to the project team.
You can also now send the emails to additional recipients which are not already on the project team, for example SOC teams.
This helps to create personalized notifications which relate to the specific project; and to also keep other stakeholders informed of testing where they are not explicitly invited to the project in AFE.
When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format. You can adjust the standard template which is already pre-loaded in the form for you.
The following meta tags will map to the following details when the email is sent:
- {{firstName}} - this will include the first name of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.
- {{consultant}} - this is the first name & last name of the consultant who is sending the daily email
- {{started_or_stopped_testing}} - this will be either 'Started Testing' or 'Stopped Testing' depending on the daily email action being performed.
- {{projectName}} - this will be the name of the project.
We introduced Project Notes a few releases back. Since then it has been one of the most popular features, allowing pentesters on a project to create private notes, share team notes & also export reporting notes.
In this release we have included support for Rich Text Editor. This allows pentesters to create detailed notes with sections, headings, tables, etc. which can be used as example to capture observations during reconnaissance, and can be shared with the project team to help collaborate on a project; or stored privately for personal use.
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
- createVulnerabilityWithLibrary
- this new method allows authorized user to create a new vulnerability on a project with linkage to an existing issue in the library (as opposed to providing custom description, attack scenario, recommendation, etc.)
- updateVulnerabilityWithLibrary
- this new method allows authorized user to update an existing vulnerability on a project with linkage to an existing issue in the library (as opposed to providing custom description, attack scenario, recommendation, etc.)
As an Admin user, you can now re-assign a vulnerability to another project. Once a vulnerability is re-assigned, it will no longer be available on the current project.
All remediation notes & evidence will also be relocated to the new project.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
- Download ReportGen Base Template
- Upload new templates to ReportGen
- Modify existing templates uploaded to ReportGen
Project Coordinators can now perform following functions, in addition to standard user functions:
- can create new projects
- can update projects
- gets access to all new projects (optional)
- can invite users to projects
- can manage user access to projects
- can access all pending & actioned project requests
- can approve new project requests
- can request more information on project requests
- can reject new project requests
- assign assets to test cases on a project
- lock test cases on a project
- unlock test cases on a project
- download ReportGen Baseline template
- upload new ReportGen templates
- modify existing ReportGen templates
- full access to the Vulnerability Library module
- full access to the Test Suite Builder module
This release is actioned-packed with user experience & user interface improvements.
UX has been improved by:
- Allowing users to assign assets & upload files directly to workspace notes, in addition to the general upload section in the workspace
- Removing all internal CAPTCHAs to reduce user friction
- Allowing previously escaped characters & and “ to be saved on any field
- Removing double-escaping on save
- Reordered fields on Project Request form & Project Create form – to capture essential data first
- Removed timeouts on Viewing, Creating & Updating Attack Chains – to help with presentations & lengthy attack chains
- Disabled Copy/Paste & Drag/Drop screenshots feature in Rich Text Editor on vulnerability proof-of-concept – as this was not a supported feature and had caused issues for some users
- Select All in Test Cases & Project Vulnerabilities will now select all of the filtered data in the table, instead of all data in the table
UI has been improved by:
- Providing additional new themes allowing you to further personalize your experience in AttackForge. New themes include The Matrix, Lightning, Halloween & Redback
THE MATRIX
LIGHTNING
HALLOWEEN
REDBACK
AttackForge is a collaboration platform for Technology Teams, Security Teams & Engineering Teams. It helps to get the right people, in the right place with the right information.
To help achieve this, AttackForge now integrates with industry leading collaboration platform Microsoft Teams.
Microsoft Teams allows you to engage in collaborative and inclusive meetings from anywhere with Teams meetings and Teams-enabled devices.
AttackForge integrates into your organizations Microsoft Teams via your Enterprise Microsoft Azure Identity Provider.
For detailed information on how to set up & use AF MS Teams integration – please visit https://support.attackforge.com/attackforge-enterprise/getting-started/integrations/microsoft-teams
You can now perform multiple rounds of testing on a single project! This will help Enterprises to:
- Keep track of all testing & vulnerabilities against your assets, in one place
- Perform periodic assessments whilst maintaining all data in single project
- View historical rounds of testing performed against assets, without switching projects
- Make it easier for your auditors
To allocate a new round of testing on your project, click on Add More Test Suites button from the Test Cases page menu.
Select the test suites you would like to load on the project and click Add Test Suites to Project.
The test suites will then be loaded on to your project.
By default, the new test cases loaded on to the project will be set to Unlocked/Active status.
If it is a new round of testing, you can automatically lock the previous test cases by selecting Yes to option Assign Test Suites to New Round of Testing? This will ensure the previous test cases can’t be tampered with or changed accidentally.
It will also reset the project status to Waiting to Start and progress will be set to 0%.
You can now lock & unlock test cases on a project at any given time.
Locking test cases is useful if you need to allocate a new round of testing to your project, to ensure previous rounds of testing cannot be altered or tampered with.
When a test case is locked, it cannot be updated. You cannot add any new notes or evidence either. This provides greater assurance from an auditing perspective.
Locked test cases will not show up on or affect the project status and percentage completion.
Locked test cases will not show up in the reports as reporting is focused on the current round of testing. This helps to avoid lengthy reports on projects where multiple rounds of testing are performed.
To lock a Test Case individually - use the Actions menu on an unlocked test case and select Lock.
To unlock a Test Case individually - use the Actions menu on a locked test case and select Unlock.
You can also filter on Locked & Unlocked test cases.
To perform bulk updates - use the Page menu to select the test cases and your option.
You can also delete test cases on a project. This can help if you need to remove test cases which do not need to be actioned on the project.
To delete test cases on a project, click on Edit Multiple Test Cases button from the page menu.
Select the test cases you would like to delete, then click on Delete Selected Test Cases from the page menu.
You can now assign assets to test cases. This helps to delegate tasks to individual assets to increase testing coverage and traceability.
You can assign one or more assets to the test case by clicking on editable All value in the Assigned Asset(s) column, and then selecting the assets from the list of presented options.
You can multi-select in the field.
By default, all test cases assigned on the project will be allocated to all assets in the project scope.
You can now filter your search criteria to individual columns.
This helps to extract the exact information you need for your reporting, management or follow ups.
You can search in one or more columns, and combine the search criteria across columns to narrow down your results even further.
The global search bar at the top of the table is still enabled so you can perform a table-wide search when you need it.
You can also use the Export button to export the data into a CSV after you have narrowed the search to the information you need.
We have enabled a Quick Actions menu on the project dashboards, providing an improved user experience.
The Quick Actions menu helps pentesters access common functions on the project faster & without having to use the page menu.
The Quick Actions are visible for any person who has Edit permissions to the project.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
- full access to the Test Suite Builder module
- assign assets to test cases on a project
- lock test cases on a project
- unlock test cases on a project
Project Coordinators can now perform following functions, in addition to standard user functions:
- can create new projects
- can update projects
- gets access to all new projects
- can invite users to projects
- can manage user access to projects
- can access all pending & actioned project requests
- can approve new project requests
- can request more information on project requests
- can reject new project requests
- assign assets to test cases on a project
- lock test cases on a project
- unlock test cases on a project
- full access to the Vulnerability Library module
- full access to the Test Suite Builder module
We have added ability to toggle visibility of test suites on project requests.
This allows you to control which test suites are published to your Service Catalogue for your customers to select from, when requesting a new project.
This also allows you to create & maintain test suites that are only visible by authorised users.
When creating or updating a test suite, select Yes or No for the option Make Test suite Visible on Project Requests?
By default, all test suites are set to Yes/Visible unless you opt to hide the test suite.
We are now including timestamps & user details for all test cases in the reports.
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
- downloadVulnerabilityEvidence
- this new method allows authorized user to download an evidence file which has been uploaded for a vulnerability on a project they have access to.
- getVulnerabilityById
- this method has been updated to include the Steps to Reproduce / Proof of Concept in HTML format, in addition to the plain-text format.
- this method has been updated to include the details for all uploaded files, which can be downloaded in the new downloadVulnerabilityEvidence method.
- getProjectVulnerabilitiesById
- this method has been updated to include the Steps to Reproduce / Proof of Concept in HTML format, in addition to the plain-text format.
- this method has been updated to include the details for all uploaded files, which can be downloaded in the new downloadVulnerabilityEvidence method.
Our friends over at Nucleus Security now natively support AttackForge JSON exports, allowing you to Post your AF Project JSON file directly to your Nucleus Security tenant – in one easy step.
This makes it hassle-free to export all of your pentesting vulnerabilities from AttackForge into your vulnerability management solution.
You can also set up an AttackForge Connector within Nucleus Security and upload your AF JSON files directly.
You can still use the API export for individual vulnerabilities.
We have supercharged the Reporting module to take advantage of ReportGen capabilities!
Reporting module is a place where you can easily and quickly access reports on-demand, in any available reporting template, to save time & effort on manually creating or adjusting reports.
Using the New Reporting module, you can:
- download multiple individual reports at once for each of your projects, using your custom ReportGen templates
- download consolidated group report which contains all your data for multiple projects in one single report, using your custom ReportGen templates
- download individual reports for your projects in PDF, DOCX, HTML, CSV & JSON formats
- download individual ZIP archives for each of your projects
AttackForge ReportGen helps you to create fully customized reports using your own DOCX templates. You can style and structure the reports however you need.
For Enterprise customers, you can access pre-existing report templates loaded by your Administrators.
Administrators can:
- Upload New Templates - they will be made available to all users to download custom reports
- Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console).
- Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
- Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
- Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example uploading a new version for an existing template.
- View available custom reporting options.
- Download reports for any accessible projects using any of the available reporting options.
Non-Administrators can:
- View available custom reporting options.
- Download reports for any accessible projects using any of the available reporting options.
Downloading Individual Reports
- Step 1: Select the projects you wish to download an individual report
- Step 2: Select the template you wish to use, and click on
Download Individual Reportsbutton
A report will be created for each selected project using the selected template.
Downloading Group/Combined Reports
- Step 1: Select the projects you wish to combine into a single report
- Step 2: Select the template you wish to use, and click on
Download Combined Reportbutton
A single report will be created which contains all the data for the selected projects.
De-duplication is performed automatically to help reduce report size.
You can now directly import vulnerabilities from your projects without having to use the AttackForge Connector.
This provides a faster & hassle-free way to import vulnerabilities on your projects, improving the user experience and making importing of vulnerabilities a breeze!
How it Works
- Select a tool you wish to import from, for example Nessus, BURP, Qualys, etc.
- After you select a tool, you will be prompted to select the output file from the tool in order to parse the data.
- Once the data has been parsed, you can then select the vulnerabilities you wish to import into your project.
- Once you have made your selection, click
Import Vulnerabilitiesbutton and the vulnerabilities will be imported to your project. A summary of the import will be displayed in the notification boxes.
If you need to import data via the API, select
API from the selection of import tools. The API is detailed and includes sample cURL request to help get you started. If a vulnerability template does not exist in the library, it will be automatically created for you. The next time you try to add the vulnerability, it will map to the existing template in the library.
Similarly if the affected asset does not exist on the project, it will be automatically created for you. The next time you try to add a vulnerability on the same affected asset, it will map to the existing asset on the project.
AttackForge is a collaboration platform for Technology, Security & Engineering Teams. It helps to get the right people, in the right place with the right information.
To help achieve this, AttackForge now integrates with industry leading collaboration platform Discord.
Discord is a group-chatting platform originally built for gamers, but which has since become a general use platform for all sorts of communities – in particular the InfoSec community.
AttackForge lets you integrate your projects to your own Discord server to create a private channel.
To link your Discord server to your AttackForge project and create a private channel, click on
Collaboration button from your project dashboard then select Discord.
Enter your details to connect to your Discord server & click
Create Channel.
Once your channel is created, the following information will be displayed to all project team members.
This release is actioned-packed with performance improvements, UI enhancements and an overall better user experience for all your users.
Performance has been improved by:
- Redesigning the PDF, DOCX & HTML reporting functionality to reduce time taken to generate a report up to 300%! This is after we also included additional reporting content packed into each report – how awesome is that! 😊
- Redesigning the Data tables engine for Projects, Retesting, Reporting & Users modules – providing significant decrease in page load times of up to 600%! Now that’s fast 😊
UX has been improved by:
- Providing better support for importing vulnerabilities from Burp, Nessus & Qualys - including linking CVSS scores to Likelihood of Exploitation and supporting additional tags
- Updating the style of JIRA tickets & content which is exported & synced to JIRA, including better error handling and syncing
- Displaying the Owner & Last Modified when selecting an issue from the library on a project – helping you make better decisions when selecting the right vulnerability from the library
- Ability to score vulnerabilities in the library using CVSSv3.1, which are then referenced when adding a vulnerability on a project – saving time & effort when scoring vulnerabilities on every project; and improving standardization of scoring
UI has been improved by:
- Providing additional new themes allowing you to further personalize your experience in AttackForge. New themes include Neptune, Lost Woods, Amethyst & Firestorm
NEPTUNE
LOST WOODS
AMETHYST
FIRESTORM
You can now export any of your data tables to CSV. This allows you to quickly and easily export data from AttackForge to input into your own reports; to share information with others; or to perform your own analysis in Excel or other tools.
The export functionality will download a CSV containing all data visible in your data table.
It also works with Search filter allowing you to extract the exact data that you need.
Want to export more or all records? Easy – just use the Show XX Entries drop-down menu to show more records.
This functionality has been implemented across all data tables in AttackForge.
We have introduced a number of updates to Analytics module, to provide you with more information at your fingertips – and an enhanced user experience.
You can now see the Days Open for every vulnerability, when you drill-down on the analytics data. This helps with SLAs and getting on top of outstanding vulnerabilities.
We have also included extra information in every table, such as Exploitability and Project.
Now when you click on a link such as a vulnerability or project, it will open the data in a new tab – so you don’t lose your filtered analytics data.
Also when you filter your analytics & then drill-down on a data item, then click back button, you will be presented with your filtered data & options – so you don’t lose your filtered analytics data.
You can now export vulnerabilities directly from your project for all supported platforms, as alternative to using the Connector.
We now support the following exports directly from your projects:
- Atlassian JIRA
- ServiceNow
- Azure DevOps
- Kenna Security
- Nucleus Security
We have also introduced support for Azure DevOps – now one of the leading platforms for orchestrating a DevOps toolchain.
Any authorised user on your projects can now easily self-export vulnerabilities as Work Items directly to your ADO Projects.
You can now assign test cases on a project to a team member. This makes it easier to delegate tasks on a project; and to enforce accountability as well as increase efficiency by reducing doubling-up on tasks.
You can assign individual test cases to a person; or you can perform bulk assignments using page menu.
You can also filter test cases by the Test Suite, and also filter by:
- Test Cases Assigned to Me
- Not Tested
- Tested
- Testing In Progress
- Not Applicable
For more information on how it works, see https://support.attackforge.com/attackforge-enterprise/getting-started/test-cases#assigning-test-cases-to-a-user
We have made a number of improvements to ReportGen to improve quality of your on-demand reports & reduce reporting noise and increase actionability.
- Duplicate Screenshots are now removed for every vulnerability, cutting report size down.
- Duplicate Affected Assets are now noted, instead of reported, significantly reducing the size of the report where there is a vulnerability affecting dozens of assets.
- ReportGen is now available in the Reporting module, along with all other on-demand report formats (PDF, DOCX, HTML, CSV, JSON & ZIP)
- Actions menus have been updated to include the Reporting option for ReportGen, allowing you to get access to reports faster!
For all the latest ReportGen metatags, try downloading a Baseline Template and check the new tags available!
We have made improvements to the user experience when accessing various modules.
Now when you access either Projects module; Test Suite Builder; or Vulnerability Library – and view information from any of the tabs – clicking the back button will take you back to the tab you were viewing, avoiding unnecessary extra steps.
We have also rebuilt the rendering engine for data tables in the Dashboard; Analytics; Search; Vulnerability Library & Groups – providing significant decrease in page load times of up to 600%! Now that’s fast 😊
Feel confident showing thousands of records, and all the flexibility of the search to help you get the data you need – when you need it.
Also when you click on a vulnerability in your Vulnerability Library, it will now open in a new tab - so you don’t lose your filtered data.
We have also consolidated all Export & Collaboration integrations into single easy-to-access sections within your projects – allowing for multi-export & multi-collaboration on a single page.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
Project Coordinators can now:
- create new projects
- update projects
- get access to all new projects
- invite users to projects
- manage user access to projects
- access all pending & actioned project requests
- approve new project requests
- request more information on project requests
- reject new project requests
- full access to the Vulnerability Library
AttackForge ReportGen is a tool to help you create fully custom reports based on your own DOCX report templates.
For Enterprise customers, you can now access pre-existing report templates - loaded by your Administrators - directly from your Project Dashboard by clicking ReportGen button.
You can download reports on-demand, in any available reporting template, to save time.
This also provides your customers with flexibility to generate reports in multi-formats to help create tailored automated reports for their needs.
Administrators can:
- Upload New Templates - they will be made available to all users on all projects to download custom reports
- Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console). This should be performed before uploading any new templates which will be available to customers, to ensure it is working as expected.
- Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
- Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
- Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example uploading a new version for an existing template.
- View available custom reporting options.
- Download reports on their project using any of the available reporting options.
Administrators can:
- View available custom reporting options.
- Download reports on their project using any of the available reporting options.
To download a report in a custom template, click on the
Download Report button. Reports will automatically download in your browser - there is no need to use the ReportGen Client-Side Tool.
Project Notes allows to create & store notes on your project. You can consolidate all your notes in one place, to make it easy to track & record information as you go.
The notes can include:
- Private notes - these are notes which are only visible to you.
- Team notes - these notes are available to project team members with Edit access to the project (pentesters/consultants).
- Report notes - these notes are included in the downloaded PDF, DOCX & HTML reports. They are also included in the JSON export & ReportGen.
Project Notes is only available to users with Edit permissions to the project.
You can access project notes from the project menu by clicking on Notes.
We have updated the AttackForge Connector to include support for additional tools - allowing you greater flexibility when importing and exporting data to and from AttackForge.
We now support sixteen (16) industry tools & formats, with new tools & platforms constantly added to our roadmap.
The following tools & formats have been included in this release:
- Tenable.io
- Tenable.sc (Tenable Security Center)
- Netsparker
- Rapid7 Nexpose / InsightVM
- Rapid7 AppSpider / InsightAppSec
- AttackForge JSON – this can be used to import data from any AttackForge project into another AttackForge project. Particularly useful if you are a multi-tenant customer.
- CSV – this is a generic CSV importer that can work with any data. CSV template is available from within the Connector.
- Nucleus
In this release, we have included 2 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
- createVulnerabilityBulk
- this method allows user to create multiple vulnerabilities on a project, in one single request.
- getApplicationAuditLogs
- this method allows user to download all exportable logs from the application. This can be integrated with tools such as Splunk, SolarWinds, ManageEngine, LogRythem, IBMQRadar & others
Administrators can request more information for a new project request, before they Approve or Reject the request.
When requesting more information, an email will be sent to the customer with the details for the request. The information is also visible by clicking on the request to view the details.
Once an Admin has requested more information, the status of the request will be set to
Requested Information. The customer can make necessary changes to the request in order to address the feedback, and once they save the updates - the status will be set back to
Pending Approval and Administrators will be notified by email that the request has been updated and is ready for review.
We have made the following enhancements to AttackForge to ensure yours’ and your customers experience is the best that it can be!
- Support for Scrolling Sidebar on Global Menu
- Now include _likelihood_of_exploitation, _severity and _testcases for all vulnerabilities in the JSON export
- Managing Access to Projects (via Users module) now removes existing projects the user has access to
- Managing Access to Groups (via Users module) now removes existing groups the user has access to
- Managing Access to Self-Service API (via Users module) now removes existing SSAPI methods the user has access to; including button to Add All & Remove All when performing updates
- Unified Data tables – all data tables now have a unified experience. All data is loaded by default to assist with pagination. You can still filter number of records on screen using the Show XX Entries option. Search will now return results based on all records.
- Simpler & Unified Flow for Re-Opening & Closing Vulnerabilities on a project.
You can now map attack chains to MITRE ATT&CK Framework.
This helps to create standardised attack chains & threat models, and will benefit any Red Team, Blue Team or Purple Team activities in your environment.
Blue teams will be able to leverage MITRE’s global knowledge base of adversary tactics to get enriched information on each action performed in the attack chain.
Red teams will be able to articulate their attack sequence with more clarity by leveraging wealth of information relating to their attack pattern provided in MITRE’s framework.
Mapping to MITRE ATT&CK Framework takes only minutes & is easy to do. Check out our tutorial video on how to start mapping your attack chains to MITRE ATT&CK Framework:
When a customer is requesting a new project, they must specify the service which they would like to purchase or proceed with. The test suites are now presented to the customer as a Service Catalogue, allowing them to pick and choose what they would like to be performed on their project. Test suites can be adjusted to align with the security services offering for a consultancy or internal security team/function.
Every service in the catalogue includes a brief description, tags & total number of test cases that will be assigned to the project – should the customer select it.
They are visible to the customer by hovering over any service in the drop-down list.
For example, if a customer requires a PCI DSS penetration test to meet their annual penetration testing requirements, they can select the service from the catalogue and list the details for the PCI assets in-scope for the assessment (see below).
Or if the customer requires a Pre-Launch Assessment for a New Web Application – they can select the service & it will automatically load any test cases on the project related to this activity, once the project is approved.
The feature is also extended to Admins when manually creating a new project.
For more details please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/requesting-a-project
Previously we had introduced an alternative scoring system which allows you to score your vulnerabilities using CVSS v3.1 Baseline in-app calculator.
We have now extended this to also include CVSS v3.1 Temporal & Environmental Calculators.
After you score a vulnerability using CVSS, it will automatically include the CVSS Vector String + CVSS Score for you as tags.
If you are using Temporal or Environmental scoring, it will include the Base Score, Temporal Score & Environmental Score as separate tags.
When creating a new project, or at any time during a project (via Edit Project) - you can select a scoring system for the vulnerabilities.
AttackForge supports following scoring systems:
- Manual
- manually select Priority (Critical / High / Medium / Low / Info)
- manually select Likelihood of Impact (0 to 10)
- CVSS v3.1 Baseline
- CVSS v3.1 Baseline + Temporal
- CVSS v3.1 Baseline + Temporal + Environmental
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#selecting-a-scoring-system
You can now duplicate any vulnerabilities on your project, against selected assets.
The system will create a new vulnerability (for each of the selected) and assign it to the assets which you have also selected.
This makes it fast & easy to assign vulnerabilities to assets during a pentest where multiple affected assets have been discovered later on for a vulnerability which had already been reported.
You can now perform bulk action to Open or Close selected vulnerabilities on you project.
This makes it fast & easy to close or re-open vulnerabilities on projects where there is a large amount of vulnerabilities discovered.
This is particularly useful for issues relating to vulnerability scanners, where by many vulnerabilities may be observed fixed/remediated during retest.
You can now create new scope on a project using a line break, in addition to comma-separated values.
This helps to avoid unnecessary effort of converting assets to comma-separated values where they are already leveraging a line break format.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/project-scope#add-assets-scope
We have updated the colors used on the daily tracker page to help identify relevant sections easier.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#place-project-on-hold-off-hold
We have released an update to ReportGen Tool & Template files:
- ReportGen Tool:
- AttackChains are now supported
- Updates to auto-scale images to correct dimensions without exceeding page width
- Tags & Help information is now available in browser console
- ReportGen Template
- Meta tags for AttackChains are now included
- Updates to Testing Summary to include additional data/tags
We have released an update to the project JSON Export:
- Now includes AttackChains, including icons in base64
- Additional tags for Testing Summary section
We have released an update to AttackChains:
- You can now select additional entities including Device, Server & Database.
- For the new entities, you can select from either an existing asset on the project; or enter a new asset name. Any new assets are only included for purpose of the attack chain and are not added to project scope.
In this release, we have included 39 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
- createScope - this method allows user to create new assets on a project that they have Edit access to.
- updateScope - this method allows user to update assets on a project that they have Edit access to.
- createRemediationNote - this method allows user to create a remediation note for a vulnerability on a project that they have access to.
- sendDailyCommencementEmail - this method allows user to send daily commencement notification on a project they have Edit access to.
- sendDailyCompletionEmail - this method allows user to send daily completion notification on a project they have Edit access to.
- updateTestcase - this method allows user to update a testcase on a project they have Edit access to.
- createTestcaseNote - this method allows user to create a note on a testcase for a project they have Edit access to.
- requestRetest - this method allows user to request a retest on a project they have access to.
- confirmRetestCompleted - this method allows user to confirm retest is completed on a project they have Edit access to.
- updateExecSummaryNotes - this method allows user to update executive summary notes section of report on a project they have Edit access to.
- getGroups - this method allows user to get details for groups the user is a member of.
- getVulnerabilitiesByGroup - this method allows user to get details for all vulnerabilities for a group that they are a member of, with optional filter.
- getProjectsByGroup - this method allows user to get details for all projects for a group that they are a member of.
- getVulnerabilityLibraryIssues - this method allows user to get details for all vulnerabilities in the library.
- updateVulnerabilityLibraryIssueById - this method allows user to update a vulnerability in the library.
- getTestsuites - this method allows user to get details for all test suites.
- getTestsuiteById - this method allows user to get details for a Testsuite, including list of test cases.
- getUsers - this method allows user to get details for all users in the system, with option filter.
- getUserById - this method allows user to get details for a user in the system.
- getAssets - this method allows user to get details for all assets the user has access to.
- getAssetsByGroup - this method allows user to get details for all assets for a specified group.
- createGroup - this method allows user to create a new group.
- updateGroup - this method allows user to update a group.
- getGrou - this method allows user to get details for a group.
- addUserToGroup - this method allows user to create a new member on a group.
- updateUserAccessOnGroup - this method allows user to update a users’ membership for a group.
- createTestsuite - this method allows user to create a new test suite.
- updateTestsuite - this method allows user to update a test suite.
- addTestcaseToTestsuite - this method allows user to add a new test case on a test suite.
- updateTestcaseOnTestsuite - this method allows user to update a test case on a test suite.
- updateUserAccessOnProject - this method allows user to update a users’ role/permissions for a given project.
- createUser - this method allows user to create a new user in the system.
- deactivateUser - this method allows user to deactivate a user in the system.
- activateUser - this method allows user to activate a user in the system.
- getUserAuditLogs - this method allows user to get audit logs for a user, with optional filter.
- getUserLoginHistory - this method allows user to get login history for a user, with optional filter.
- getUserProjects - this method allows user to get details for all projects a user has access to.
- getUserGroups - this method allows user to get details for all groups a user has access to.
- getProjectAuditLogs - this method allows user to get audit logs for a project, with optional filter.
We have released AttackForge ReportGen which is a tool to help you create fully customizable reports based on your own DOCX templates.
ReportGen provides you with the flexibility and autonomy to create reports which are specific to your organization, requirements, target audience or style guidelines.
We have included a baseline template that is aligned with the AFE PDF report and includes all necessary tags to help you get you started. You can download the template from AFE.
You can build upon this template or create new templates entirely, to reflect your reporting needs.
ReportGen is a self-contained HTML file and works in your browser. There is no need to install anything.
It works in an offline environment and requires no Internet or dependencies to run. All reports are generated locally in your browser.
ReportGen works as follows:
- 1.Download JSON export from your AFE project
- 2.Download ReportGen & AFE ReportGen Template
- 3.Open ReportGen in your browser. Select AFE JSON export file. Select DOCX template.
- 4.Your new report will automatically download.
- 5.Enjoy savings hours of reporting time! 😊
ReportGen is available to all users. There is a button on the Project Dashboard to access ReportGen, or you can access it directly via ReportGen module in navigation pane.
In this release, we have included the following updates to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
- createVulnerability - this method allows user to create a vulnerability on a project that user has Edit access to. Any new assets will be automatically added to the project. Any new issue descriptions will be automatically added to the library.
- updateVulnerabilityById - this method allows user to update a vulnerability on a project that user has Edit access to. You can update status of vulnerabilities using this method. Any new issue descriptions will be automatically added to the library.
- createVulnerabilityLibraryIssue - this method allows user to create a new vulnerability in the library, which can be used by users when creating a new vulnerability on a project.
- getprojectRequests - this method allows user to get project requests that the user has access to, with optional filter to narrow results.
- createProjectRequest - this method allows user to create a new project request. This method can be used to integrate into your existing workflows and systems, to enable seamless project requests via 3rd party systems and scripts.
- getProjectRequestById - this method allows user to get a project request by its Id, if user has access to it.
- updateProjectRequestById - this method allows user to update a project request by its Id, if user has access to it.
- approveProjectRequestById - this method allows user to approve a project request by its Id. Approved project requests are automatically created as new projects in the system, and users invited accordingly (including email notifications).
- rejectProjectRequestById - this method allows user to reject a project request by its Id. Email notification is sent to the requestor notifying them project has been rejected and reason(s) why.
We have added support to enable project email notifications to project team or to admins on various events. This helps to keep people informed on progress and status changes for vulnerabilities on their projects.
Notifications can be enabled or disabled via project creation form, or via project update form.
The following events can be enabled on a per-project basis:
- Email Project Team on:
- New Critical Vulnerability
- New High Vulnerability
- New Medium Vulnerability
- New Low Vulnerability
- New Informational Vulnerability
- Email Admins on:
- Vulnerability Ready for Retesting
- Vulnerability Re-Opened
- Vulnerability Closed
We have added ability to download the project scope (assets assigned to a project) in CSV format. This helps testers extract scoping information from AFE more effectively so they can load it in various tools.
You can download the project assets CSV file via the Scope section on your project.
We have added support for uploaded files to vulnerabilities (as evidence) to be included in the project JSON export file. This includes all files, not just images.
This helps to export your evidence into various tools in a consolidated way that can be automated. All files are encoded in Base64, including raw Base64 value and Base64 Data URL.
We have included the following updates to UI/UX in this release:
- Updates to Analytics Groups filter when selecting 2 or more groups, a checkbox will now show up with ‘Only Search Projects With Selected Groups Linked To The Project’. If you click the checkbox and run the search, it will filter results based on projects where all of the selected groups are linked. Otherwise, you can continue to use the default search for groups which operates on an Inclusive or basis.