2021
2021-11-08
New Vulnerability Libraries
Tracking & managing your vulnerability write-ups / templates can be difficult – particularly when you might have thousands of write-ups.
To make life easier for you and your pentest teams - AttackForge now supports new vulnerability libraries:
Main Vulnerability Library - Centralized library for your approved vulnerability write-ups
Imported Vulnerabilities Library - Centralized library for your write-ups from tools & scanners
Project Vulnerabilities Library - Project-related write-ups
Main Vulnerabilities
This is the primary source of your vulnerability write-ups.
It contains 1300+ pre-loaded vulnerabilities that come with AttackForge. You can also add your own.
This library is shared, which means any user on a project with permissions to create vulnerabilities for the project will be able to use any of the vulnerabilities in this library.
Imported Vulnerabilities
This is where you can find all of the vulnerabilities you have imported from various tools & scanners.
This library is shared, which means any user on a project with permissions to create vulnerabilities for the project will be able to use any of the vulnerabilities in this library.
Project Vulnerabilities
This is where you can access vulnerability write-ups that are designated to specific projects.
This is useful if you have project-specific or sensitive data which you would like to segregate from the Main and Imported libraries which are shared libraries.
Your pentest teams now have an option to select which library they would like to use when creating a new vulnerability on a project, or when importing vulnerabilities.
Project Vulnerabilities are designated to specific projects.
Vulnerabilities in this library must be assigned/linked to at least one (1) project. They can be assigned to more than one project, if it would be relevant to do so.
Only users with access to the linked project(s) will be able to use these write-ups when creating a new vulnerability, and only on the linked projects.
Users with access to this library will only be able to view & modify vulnerability write-ups for which the user has access to at least one (1) of the linked projects.
By default, Admins will be able to see all write-ups/templates in this library.
You can easily re-assign vulnerabilities between libraries using the page menu options in the Vulnerability Library module.
This can be used to retrospectively transition your imported write-ups into the Imported Vulnerabilities library.
Custom Forms & Fields
AttackForge now supports the ability to create custom fields & forms in the user interface.
This can help to capture information which is relevant to your organization, customers & vulnerabilities.
Custom fields can be accessed in the application, in JSON exports and also via the Self-Service API.
You can create custom fields & forms for the following:
Project Request
Project Creation
Vulnerability Library (write-up)
Vulnerability (on project)
To set custom fields, you must be an Administrator. You can create & manage your custom fields from the Administration module.
You can set custom fields from the Vulnerabilities and Projects tabs inside Configuration.
AttackForge supports the following custom field types:
Input field - displays a single-line input box within the relevant forms.
Text Area - displays a multi-line input box within the relevant forms. Text area can be resized by the user within the form if additional space is needed.
Select - displays a drop-down menu with a single item select within the relevant forms.
Multi-Select - displays a drop-down menu with a multi-item select within the relevant forms. User can select one or more options.
Datepicker - displays a calendar where the user can select a single date.
For each field, you can set the following options:
Key - This is the name of the field (e.g. the database field name).
Placeholder Value - This is the default value that will be displayed in the forms.
Label - This is the label that will be displayed in the form for this field, as well as in the tables.
Required - This is used to determine whether the field is mandatory or optional in the forms.
Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
Hide Condition - This is used to create a condition to hide the field, until such condition is met.
Hide Conditions can be used to add simple or complex logic into your forms.
For example, you can add logic to only display a field once a user has made a selection in a previous field. Or you can extend this logic to check for certain values which have been selected.
Hide Conditions fully support JavaScript methods and boolean logic. This means you can create highly customised forms which are suited to your needs. Because a Hide Condition is evaluated as JavaScript within the form, treat it as administrator-controlled configuration (only Administrators can create custom fields) and review conditions the way you would review any other code.
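The following is an added example, not AttackForge code, of how Hide Conditions behave when modelled as JavaScript predicates over the current form values. The field keys, labels, option lists and the condition logic are invented for illustration, and the real AttackForge form engine and its condition syntax are not described on this page. It shows a simple condition (show a field once a previous field has a value), a compound condition (an array method plus boolean logic), and the validation question a practitioner will hit immediately: a required field that is currently hidden must not block submission, and the value of a hidden field should be dropped rather than silently saved.

```javascript
// Added example, not AttackForge code: a minimal model of custom-form fields
// whose Hide Conditions are JavaScript predicates over the current form values.
// The field keys, labels, option lists and condition logic are invented for
// illustration; the real AttackForge form engine and its condition syntax are
// not described on this page.

const FIELDS = [
  { key: "engagement_type", label: "Engagement type", type: "select",
    required: true, options: ["internal", "external", "web"] },
  { key: "external_ip_ranges", label: "External IP ranges", type: "textarea",
    required: true,
    // Simple condition: hidden until a previous field holds a particular value.
    hide: (v) => v.engagement_type !== "external" },
  { key: "auth_methods", label: "Authentication methods", type: "multiselect",
    required: false, options: ["password", "sso", "mfa"],
    hide: (v) => v.engagement_type !== "web" },
  { key: "sso_provider", label: "SSO provider", type: "input",
    required: true,
    // Compound condition: a JavaScript array method combined with boolean logic.
    hide: (v) => v.engagement_type !== "web" ||
                 !(v.auth_methods || []).includes("sso") },
];

function isHidden(field, values) {
  return typeof field.hide === "function" && field.hide(values) === true;
}

// Keys of the fields currently shown for the given values, in form order.
function visibleFields(values) {
  return FIELDS.filter((f) => !isHidden(f, values)).map((f) => f.key);
}

function isEmpty(x) {
  return x === undefined || x === null || x === "" ||
         (Array.isArray(x) && x.length === 0);
}

// Validates a submission. "Required" is enforced only for visible fields, values
// of hidden fields are dropped so stale input does not end up in the record,
// and select/multi-select answers are checked against the allowed options.
function validate(values) {
  const errors = [];
  const cleaned = {};
  for (const f of FIELDS) {
    if (isHidden(f, values)) continue;
    const v = values[f.key];
    if (isEmpty(v)) {
      if (f.required) errors.push(`${f.label} is required`);
      continue;
    }
    if (f.options) {
      const chosen = Array.isArray(v) ? v : [v];
      const bad = chosen.filter((c) => !f.options.includes(c));
      if (bad.length > 0) {
        errors.push(`${f.label}: invalid option(s) ${bad.join(", ")}`);
        continue;
      }
    }
    cleaned[f.key] = v;
  }
  return { ok: errors.length === 0, errors, values: cleaned };
}
```

Calling `validate({ engagement_type: "internal", external_ip_ranges: "10.0.0.0/8" })` succeeds and returns only `engagement_type`, because the IP-range field is hidden for internal engagements and its leftover value is discarded; the same submission with `engagement_type: "external"` fails with "External IP ranges is required".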
You can also choose to display custom fields in relevant tables within the application.
Every custom field is available to use in ReportGen as well as the Self-Service REST and Events APIs.
For detailed guidance on how to create and use custom fields, please check the following support article: https://support.attackforge.com/attackforge-enterprise/getting-started/custom-fields-and-forms
You can now also disable existing fields for new project requests. Combined with custom fields, this means you can create a fully custom project request / intake form based on the questions you need from your customers.
Your admins can disable existing fields for new project requests via the Administration module.
New Functionality
Manage access control for your groups’ projects in one place
You can now easily add & remove projects for a group via the Groups module.
New global dashboard summary boxes
There are new global dashboard summary boxes:
Projects Overrun
Projects Ready for Retest
Open Critical Vulnerabilities
Open High Vulnerabilities
Open Medium Vulnerabilities
Open Low Vulnerabilities
Added Bulk Update Closed Fixed & Risk Accepted options for vulnerabilities
Toggle unique vulnerabilities globally
You can now toggle between Unique and All vulnerabilities across entire application.
Link a group to Portfolio
When configuring your Portfolios and Streams - you can select a group or multiple groups and assign their projects to a Stream.
Set recipients on review notes
Notifications on new user registrations & invitations
Admins now receive email notifications every time a new user is registered or created in the application.
Project Coordinators can now filter schedule by users
Project coordinators can now filter the schedule per user in the Schedule module.
Increased file upload limit & improved experience for low bandwidth uploads
The file upload limit has been increased to allow for larger files to be uploaded.
Changes have also been made to allow for users with low bandwidth internet connections to upload large files without timeout.
UX Improvements
Project percentage completion across all projects
Tables filter now shows at top
Column filters within tables have been moved to the top row, to improve UX when filtering.
Tables now support horizontal scroll
Various tables in the application now support horizontal scrolling. This provides better experience viewing & filtering data in tables.
Project request status page update
When viewing a project request, the latest status has been moved to the top of the page along with any supporting information.
Updates to ReportGen
In this release, we have added new tags to ReportGen – providing even more datapoints you can access in your custom reports.
The following tags have been added:
{projectDuration} – project duration in days i.e. difference between start & end dates
This tag is available at the top level.
{#assets_equally_affected_full_details} – contains all details for affected assets when using RemoveDuplicatePOCs option in your template.
This tag is available in the following sections:
{#retestingHistory}
{#vulnerabilities}
{#criticalVulnerabilities}
{#highVulnerabilities}
{#mediumVulnerabilities}
{#lowVulnerabilities}
{#infoVulnerabilities}
{#completedTestcases}
{#inProgressTestcases}
{#notTestedTestcases}
{#notApplicableTestcases}
{#passedTestcases}
{#failedTestcases}
{#remediatedTestcases}
{#abuseCases}
{#assetVulnerabilityMapping}
We have also launched a new tutorial video which covers the basics on how to set up a new template, create tables, insert images, access custom fields, and more.
You can access the tutorial video from here: https://support.attackforge.com/attackforge-enterprise/modules/reporting#available-tags-for-individual-reports
Updates to Roles
From this release, users with Upload permissions to a project can now also:
Create notes on a project
This can be used to capture test credentials and other information directly as a note
Users will only be able to view & modify their own notes
Also users with Edit permissions to a project can now also:
Update project test window
Add additional email recipients for automated vulnerability emails (if enabled by Admins / Project Coordinators)
Add additional email recipients for daily start/stop testing notifications
For an up-to-date list of all user-related permissions, please check Access Control Matrix on our support site: https://support.attackforge.com/attackforge-enterprise/access-control-matrix
Updates to Self-Service API
In this release, we have improved our Self-Service REST & Events APIs to provide more flexibility and options when interacting with AttackForge.
We have created the following new APIs:
New REST method: UploadVulnerabilityEvidence
This can be used to upload evidence files for a vulnerability. It is useful when importing vulnerabilities from external systems, for example bug bounty platforms.
For details on how it works, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-restful-api/uploadvulnerabilityevidence
New Events notification: ProjectCreated
This event is generated when a new project has been created.
For details on how it works, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-events-api/project-create
New Events notification: ProjectUpdated
This event is generated when a project has been updated.
For details on how it works, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-events-api/project-updated
We have also updated the following APIs:
REST GetProjectById, GetProjects & GetProjectsByGroup to include the following new fields:
project_organization_code
project_vulnerability_code
project_scoring
project_team_notifications
project_admin_notifications
project_total_assets
project_critical_open_vulnerabilities
project_critical_ready_for_retest_vulnerabilities
project_critical_closed_vulnerabilities
project_high_open_vulnerabilities
project_high_ready_for_retest_vulnerabilities
project_high_closed_vulnerabilities
project_medium_open_vulnerabilities
project_medium_ready_for_retest_vulnerabilities
project_medium_closed_vulnerabilities
project_low_open_vulnerabilities
project_low_ready_for_retest_vulnerabilities
project_low_closed_vulnerabilities
project_info_open_vulnerabilities
project_info_ready_for_retest_vulnerabilities
project_info_closed_vulnerabilities
project_custom_fields (new custom fields)
REST GetVulnerabilityById, GetVulnerabilities, GetVulnerabilitiesByAssetName, GetVulnerabilitiesByGroup + EVENTS VulnerabilityCreated, VulnerabilityUpdated to include the following new fields:
vulnerability_custom_fields (new custom fields)
vulnerability_library_custom_fields (new custom fields)
vulnerability_project_custom_fields (new custom fields)
2021-09-06
New Module – Portfolios
Portfolios help you to track & monitor the progress of your penetration testing programs.
Want to know how your internal systems compare to your external systems? Or wanting to track security posture for your applications or compliance requirements? Portfolios make this easy!
Portfolios represent high-level grouping for segments within your pentesting program(s).
Every portfolio is made up of Work Streams (Streams) – a collection of pentests which focus on specific areas within your portfolio.
Portfolios and Streams can help you track Business-as-Usual (BAU) pentesting and better understand where to focus your time and resources more effectively.
Projects can be assigned to many streams and portfolios. This ensures you are tracking the right vulnerabilities across your enterprise.
Portfolios can help you to answer the following questions. Check out our blog on Portfolios to read how.
What is the exposure of our Internet facing applications? How many critical vulnerabilities are currently open on these platforms?
How can we be sure that each business division has pentested everything they need to have tested?
How are platforms fixing vulnerabilities? Is it done within the required timeframes agreed in our internal policies or set by external regulators?
How do our applications compare between 1st quarter and 2nd quarter? Are we getting any better?
How are different business divisions and platforms comparing against each other? Where are you going to focus resources for next period?
Which external suppliers are lagging?
Every Portfolio and Stream has a unique dashboard which includes details on vulnerabilities, projects & assets - helping you make more informed business decisions when it comes to tracking and remediation.
Using Portfolios, you can reduce the amount of time you spend reporting to your boards, executives, committees, and auditors!
Portfolios is currently only available to Administrators on AttackForge Enterprise.
New Self-Service API – Events
With this release, we are launching an entirely new Self-Service API – Events API.
Events API provides you with real-time notifications on important events, such as new vulnerabilities discovered or testing progress updates.
Events API helps you to easily automate workflows. It’s perfect for customisations and integrations into your enterprise ecosystem.
For example, you want vulnerabilities to be raised in both ServiceNow & JIRA immediately when they are discovered, and emails to be sent to relevant teams so they can action it. This is now possible using the Events API!
Events API complements our existing RESTful API. You can combine both APIs to have seamless two-way integrations and workflows between AttackForge and your tools.
Events API allows you to:
Receive real-time notifications on new vulnerabilities – automatically export them into your vulnerability management and/or ticketing systems.
Update your applications with live testing & vulnerability feeds.
Be notified immediately when vulnerabilities are ready for retesting, closed or re-opened.
Know exactly when changes are happening on your projects, for example when testing starts and stops.
Receive audit logs for users in real-time.
Every event contains the same level of detail as the information you can find in our Self-Service RESTful API.
Getting started with the Events API is a breeze and takes only minutes to set up.
We have done the hard work for you – you can access our production-ready example clients within AttackForge or directly from our GitHub repository.
Our example clients are available in NodeJS, Python, Java, .NET and Go – providing flexibility for your engineering teams.
Getting started with any client is as simple as 1,2,3!
Download the client from our GitHub repository
Install the dependencies (single command)
Run the client & start receiving events
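What the example clients leave to you is the dispatch logic: deciding which events become tickets, avoiding duplicate tickets when a VulnerabilityUpdated event follows a VulnerabilityCreated for the same finding, and rejecting malformed payloads. The block below is an added example, not AttackForge's own client code. The envelope shape `{ event, data }`, the `handle()` entry point and the sample events are constructed for this example; only the event names (VulnerabilityCreated, VulnerabilityUpdated, ProjectCreated) and the `vulnerability_*` / `project_*` field names come from these release notes, and the 7.0 CVSS threshold is an arbitrary choice. Transport, i.e. how events reach `handle()`, is out of scope.

```javascript
// Added example, not AttackForge's own client code: the dispatch logic an Events
// API consumer needs once events arrive. The envelope shape { event, data } and
// the sample events are constructed for this example; only the event names and
// the vulnerability_* / project_* field names are taken from the release notes.

const TICKET_FLOOR = 7.0; // assumption: raise a ticket for CVSS v3 base >= 7.0

class EventRouter {
  constructor() {
    this.ticketed = new Set(); // vulnerability ids already raised (idempotency)
    this.tickets = [];         // stand-in for ServiceNow / JIRA API calls
    this.emails = [];          // stand-in for outbound mail
  }

  handle(envelope) {
    switch (envelope.event) {
      case "VulnerabilityCreated":
      case "VulnerabilityUpdated":
        return this.onVulnerability(envelope.data);
      case "ProjectCreated":
        return this.onProject(envelope.data);
      default:
        return { action: "ignored", reason: `unhandled event ${envelope.event}` };
    }
  }

  onVulnerability(v) {
    const id = v.vulnerability_alternate_id;
    const score = Number(v.vulnerability_cvssv3_base_score);
    // Reject malformed payloads instead of creating half-filled tickets.
    if (typeof id !== "string" || id === "") {
      return { action: "rejected", reason: "missing vulnerability_alternate_id" };
    }
    if (!Number.isFinite(score) || score < 0 || score > 10) {
      return { action: "rejected", reason: "invalid vulnerability_cvssv3_base_score" };
    }
    if (score < TICKET_FLOOR) return { action: "skipped", id, score };
    // Created and Updated events for the same finding map to one ticket.
    if (this.ticketed.has(id)) return { action: "deduped", id };
    this.ticketed.add(id);
    this.tickets.push({
      id,
      project: v.vulnerability_project_code,
      score,
      vector: v.vulnerability_cvssv3_vector,
      evidenceCount: Array.isArray(v.vulnerability_evidence)
        ? v.vulnerability_evidence.length : 0,
    });
    this.emails.push({ to: "appsec-oncall", subject: `[${id}] new finding, CVSS ${score}` });
    return { action: "ticketed", id };
  }

  onProject(p) {
    return { action: "noted", organization: p.project_organization_code };
  }
}

// Constructed sample stream for a stand-alone run (not real AttackForge output).
const SAMPLE_EVENTS = [
  { event: "VulnerabilityCreated", data: {
      vulnerability_alternate_id: "SEC01-1", vulnerability_project_code: "PRJ-001",
      vulnerability_cvssv3_base_score: "9.1",
      vulnerability_cvssv3_vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      vulnerability_evidence: ["poc-1.png"] } },
  { event: "VulnerabilityCreated", data: {
      vulnerability_alternate_id: "SEC01-2", vulnerability_project_code: "PRJ-001",
      vulnerability_cvssv3_base_score: 4.3 } },
  { event: "VulnerabilityUpdated", data: {
      vulnerability_alternate_id: "SEC01-1", vulnerability_project_code: "PRJ-001",
      vulnerability_cvssv3_base_score: 9.1 } },
  { event: "VulnerabilityCreated", data: { vulnerability_cvssv3_base_score: 8.0 } },
  { event: "ProjectCreated", data: { project_organization_code: "ORG-7" } },
  { event: "UserLoggedIn", data: {} },
];

function runSample() {
  const router = new EventRouter();
  const results = SAMPLE_EVENTS.map((e) => router.handle(e));
  return { actions: results.map((r) => r.action), tickets: router.tickets };
}
```

Running `runSample()` yields the actions `ticketed, skipped, deduped, rejected, noted, ignored` and exactly one ticket: the update for SEC01-1 is recognised as the same finding, the low-scoring SEC01-2 is left alone, and the event with no identifier is refused rather than ticketed with blanks. Note that the score arrives as a string in one event and a number in another; coercing and range-checking it once, at the boundary, keeps the rest of the pipeline simple.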
If you’re interested in seeing a live demo of the Events API in action – reach out to us to schedule it in!
New Workflow – Review Notes
In this release, we have launched a new workflow to help make QA easy for your vulnerabilities. Introducing Review Notes!
Your pentest team can now create & reply to Review Notes for each of your vulnerabilities, as they perform QA.
Email notifications are enabled to ensure that people are made aware when they need to action changes for a vulnerability.
To perform efficient reviews & QA, you can select multiple vulnerabilities that you wish to review, and then add review notes to each vulnerability one-by-one. Best of all - you can do all of this from just one screen!
Once you have finished reviewing all vulnerabilities, you will see the Next option is no longer available - meaning you have reached the end of the review.
New ReportGen Template Library
AttackForge ReportGen is by far the easiest to use reporting tool available right now – and it’s made even easier with its “no code” design, allowing your teams to create new reporting templates quickly and with minimal knowledge/effort required.
In this release, we have launched a library of ReportGen templates that you can use to create powerful custom reports out-of-the-box.
Every template comes with an example end-result so you can see the finished product.
The templates included in this release are:
Asset Report
Auditor / 3rd Party Report
Critical & High Vulnerabilities Report
Executive Report
Internal & External Findings Report
Pentest Report
Retest Report
Technical Report
Testing Progress Report
Web App & Infrastructure Report
Templates are provided in DOCX format. You can adjust each template to your requirements, then upload it back into AttackForge when ready to use on your projects.
You can also access sample project data files (JSON) to test your own templates with.
New Functionality
[ALL] Delete multiple scope/assets on project at once & keep assets which are linked to vulnerabilities
You can now bulk select many or all assets to delete on a project.
AttackForge will prevent deleting any assets with existing vulnerabilities.
[ENT + CORE] Export/Sync screenshots & evidence with JIRA
Every time you export or sync a vulnerability with JIRA, the evidence/screenshots/files are now also exported/synced to JIRA.
This makes it easier for your engineering teams to access screenshots to help them reproduce & fix vulnerabilities fast!
[ALL] Upload Files to Executive Summary Section of Report
The Executive Summary now supports ability to upload files.
This reduces the manual effort required to insert screenshots into your reports for the executive summary.
[ALL] Captions Now Available for Images in Reports
You can now add captions to each of your images in the report.
Captions will be automatically applied in ReportGen and displayed under the images.
[ALL] Rename a retest round
You can now create custom names for each round of retesting.
[ENT] See all vulnerabilities for an asset in the Assets Module
Administrators can now see all vulnerabilities for a given asset in the Assets module.
This makes it fast & easy to identify all known vulnerabilities for an asset.
[ENT + CORE] Assign users to multiple test suites at project creation
You can now assign multiple test suites to users during project creation.
This eliminates the manual effort of assigning users to multiple test suites.
UX Improvements
This release is jam-packed with updates to the user experience, to make AttackForge experience even better for you and your customers.
[ALL] New project statuses: Overrun & Retest
Projects will now display a status of Overrun or Retest in the Projects module and the other relevant modules.
This helps to quickly identify projects which require immediate attention.
Overrun status applies when a project has exceeded the test window, and the test cases have not yet been completed.
Retest status applies when a project has all test cases completed, and at least one vulnerability is flagged as ready for retesting.
[ALL] Collapse vulnerabilities into unique vulnerabilities
You can now collapse vulnerabilities into unique vulnerabilities, and toggle back to individual vulnerabilities.
This helps to determine how many types of vulnerabilities have been discovered.
[ALL] Project column has been added to Global Dashboard vulnerability tables
You can now see the affected project when viewing vulnerabilities in the global dashboard.
[ENT] Admins can set/override daily/weekly notifications for users
To improve experience for your customers, Admins can now enable/update progress notifications on behalf of your users.
Progress notifications provide daily/weekly breakdowns of projects, vulnerabilities and testing progress – essential for your busy project managers and platform leads.
[ALL] Retesting rounds now show vulnerabilities which were not tested
You can now see which vulnerabilities were not retested for a new retest round, in addition to the vulnerabilities which were retested.
This can help to identify vulnerabilities which need further attention.
[ENT + CORE] View & restore deleted users
Admins can now view and restore users. All user data is preserved on restore.
[ENT + CORE] Access Control Matrix now available in support centre
We have published an Access Control Matrix on our support site to help your teams with setting up the right levels of access for your users and projects.
[ENT + CORE] Redesigned Reporting Module to make it easier to download custom reports
We have redesigned the Reporting Module interface to make it easier to select multiple projects and to download custom reports, as well as access new template library and uploaded/available templates.
New Configuration Options
In this release, we have introduced new global tenant configuration options, to help you personalize and improve your AttackForge experience even further.
You can start using these new options via the Configuration section in the Administration module.
Vulnerabilities – Add Placeholder Steps to Reproduce/Proof of Concept for all new vulnerabilities
Vulnerabilities – Add Placeholder Notes for all new vulnerabilities
Users – Enable/Disable Local Authentication
Users – Enable/Disable SSO Authentication
[ALL] Updates to ReportGen
This release includes updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates in this release include:
New Filter – FilterBy
New Metatags
For more information please visit Reporting.
New Filter – FilterBy
You can use this filter in order to extract filtered data for vulnerabilities using various conditions.
This filter is useful if you are creating custom sections in your reports, for example a section for ‘Web App Vulnerabilities’ or ‘Infrastructure Vulnerabilities’.
Currently the following conditions are supported:
filterBy:'AffectedAssetReportGenTags'
This filter can be used to retrieve a list of vulnerabilities which have affected assets that meet conditions in their ReportGen tags.
filterBy:'AffectedAssetReportGenTags-CountVulns'
This filter can be used to retrieve a count of vulnerabilities which have affected assets that meet conditions in their ReportGen tags.
New Metatags
We have introduced the following new tags & updates to existing tags:
{#retestingHistory} --> {retesting_custom_round_name} - custom round name (optional)
{#retestingHistory} --> {retesting_custom_status_name} - custom status name (optional)
{#retestingHistory} --> {#vulnerabilities} – Forty-seven (x47) new tags for vulnerabilities retested on the retesting round
{#retestingHistory} --> {#vulnerabilitiesNotTested} – Forty-seven (x47) new tags for vulnerabilities not retested on the retesting round
Updates to Self-Service RESTful API
In this release we have made updates to the Self-Service RESTful API to improve the data points available to you for vulnerabilities and test cases.
GetVulnerabilities, GetVulnerabilitiesByAssetName, GetVulnerabilitiesByGroup, GetVulnerabilityById & GetProjectVulnerabilitiesById received the following new fields:
vulnerability_alternate_id
vulnerability_cvssv3_vector
vulnerability_cvssv3_base_score
vulnerability_cvssv3_temporal_score
vulnerability_cvssv3_environmental_score
vulnerability_steps_to_reproduce_HTML
vulnerability_remediation_notes
vulnerability_project_code
vulnerability_project_groups
vulnerability_evidence
vulnerability_custom_fields
vulnerability_library_custom_fields
vulnerability_project_custom_fields
GetProjectTestcasesById received the following new fields:
locked
New Themes
Themes have been a popular feature for AttackForge, with fourteen (x14) themes now supported!
In this release we have introduced five new themes: Midnight Ocean, Predator, BumbleBee, Purple Panther & Nebula
Add Test Suites After Project Creation
In this release we have introduced the ability for AttackForge Pro users to add more test suites to a project after the project has been created.
Invite Team Members to Project at Project Creation
In this release we have introduced the ability for AttackForge Free & Pro users to invite their connected team members to their projects, at time of project creation.
2021-07-12
Major UX Uplift!
In this release we have a significant number of improvements we have made to AttackForge to enhance the experience for you and your users.
These improvements are a direct result of the feedback from our customers over the recent months, and includes the following:
1. Invite Project Team & Assign Test Suites at Project Creation or Approval
You can now invite your entire project team during the project creation or approval process, and assign their roles, test suites & manage their notifications – in one easy step!
You can define the following for each project team member:
Access Level
Set the access level for the user on the project. This can be View, Upload or Edit.
Project Role
Set the user's project role on the project e.g. pentester, customer, developer, etc.
Email Notifications
Set the emails which the user will receive on the project.
Assign to Test Suite
Assign the user to a test suite. The user will be assigned to each of the test cases loaded on the project for the nominated test suite.
2. User-Friendly Vulnerability ID
AttackForge now supports an alternative vulnerability code that is configurable and used to generate user-friendly unique vulnerability identifiers for all vulnerabilities on the project.
For example, if you set a vulnerability code as SEC01 - the first vulnerability created on the project will have an alternate user-friendly unique identifier of SEC01-1. The next vulnerability will be SEC01-2 and so on.
You can update the vulnerability code on a project at any time, so long as it's a unique value (has not been used on any other projects) and is between three (3) and eight (8) characters in length.
When you update a vulnerability code on a project - all of the existing IDs for any of the project's vulnerabilities will also be updated to match.
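The rules above (a code of 3 to 8 characters, unique across projects, IDs of the form CODE-n, and re-labelling of every existing ID when the code changes) are small enough to model end to end. The block below is an added example, not AttackForge code: the registry class, its method names and the per-project counter are invented for illustration. The page does not say whether a deleted vulnerability's sequence number is ever reused; this model assumes it is not, so an ID always refers to one finding even after re-labelling.

```javascript
// Added example, not AttackForge code: a model of the alternate vulnerability
// ID rules (code of 3 to 8 characters, unique across projects, IDs of the form
// CODE-n, existing IDs re-labelled when the code changes). The registry, method
// names and the never-reused per-project counter are assumptions for illustration.

class VulnerabilityIdRegistry {
  constructor() {
    this.projects = new Map(); // projectId -> { code, next, vulns }
  }

  // Returns null when the code is acceptable, otherwise the reason it is not.
  validateCode(projectId, code) {
    if (typeof code !== "string" || code.trim() !== code) {
      return "code must be a string without surrounding whitespace";
    }
    if (code.length < 3 || code.length > 8) {
      return "code must be between 3 and 8 characters";
    }
    for (const [pid, p] of this.projects) {
      if (pid !== projectId && p.code === code) {
        return `code ${code} is already used on project ${pid}`;
      }
    }
    return null;
  }

  createProject(projectId, code) {
    const problem = this.validateCode(projectId, code);
    if (problem) throw new Error(problem);
    this.projects.set(projectId, { code, next: 1, vulns: [] });
  }

  // Assigns the next sequence number. The counter is never reused after a
  // deletion (assumption), so an ID always refers to one finding.
  addVulnerability(projectId, title) {
    const p = this.projects.get(projectId);
    if (!p) throw new Error(`unknown project ${projectId}`);
    const seq = p.next++;
    const vuln = { seq, id: `${p.code}-${seq}`, title };
    p.vulns.push(vuln);
    return vuln.id;
  }

  // Changing the code re-labels every existing ID, keeping sequence numbers.
  setCode(projectId, newCode) {
    const p = this.projects.get(projectId);
    if (!p) throw new Error(`unknown project ${projectId}`);
    const problem = this.validateCode(projectId, newCode);
    if (problem) throw new Error(problem);
    p.code = newCode;
    for (const v of p.vulns) v.id = `${newCode}-${v.seq}`;
    return this.ids(projectId);
  }

  ids(projectId) {
    const p = this.projects.get(projectId);
    return p ? p.vulns.map((v) => v.id) : [];
  }
}
```

With a project created under SEC01 and two findings added, `ids()` returns `SEC01-1` and `SEC01-2`; `setCode("P1", "WEBAPP")` re-labels them to `WEBAPP-1` and `WEBAPP-2`, while `validateCode` refuses SEC01 for a second project and refuses any code shorter than three or longer than eight characters.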
3. Validate Project Code & Get Latest Project Code
You can now validate the project code to check whether an existing project exists using the same code.
You can also fetch the latest project code, to help with sequencing.
4. Manage Project Email Notifications
You can now set & control which email notifications a user will receive on a project.
Project Team Notifications are intended to help keep you informed throughout the lifecycle of a project. For example, you can choose to be notified when testing has commenced or stopped daily, when new vulnerabilities are discovered, or when a project is on-hold - plus more.
To receive these notifications, you must be a member on a project team. Your administrators and project coordinators will invite you to the relevant project teams. In addition, project-level notifications must be enabled on the project. Your administrators and project coordinators will configure this for you, per project.
The Project Team Notifications include the following:
No Emails - Under normal circumstances, you will not receive any email notifications for any projects of which you are a team member.
All Emails - You will receive all enabled emails for all projects of which you are a team member.
Daily Start/Stop Testing - You will receive notifications each time a team member starts or stops testing each day, where this option is enabled on the project.
New Critical Vulnerability - You will receive notifications each time a team member discovers a new critical vulnerability, where this option is enabled on the project.
New High Vulnerability - You will receive notifications each time a team member discovers a new high vulnerability, where this option is enabled on the project.
New Medium Vulnerability - You will receive notifications each time a team member discovers a new medium vulnerability, where this option is enabled on the project.
New Low Vulnerability - You will receive notifications each time a team member discovers a new low vulnerability, where this option is enabled on the project.
New Informational Vulnerability - You will receive notifications each time a team member discovers a new informational vulnerability, where this option is enabled on the project.
Project Role Updated - You will receive notifications each time your role on a project has been updated, where this option is enabled on the project.
Project On-Hold/Off-Hold - You will receive notifications each time the project is placed on-hold or off-hold, where this option is enabled on the project.
Retest Completed - You will receive notifications each time a round of retesting has been completed, where this option is enabled on the project.
A user can choose to opt out of project email notifications via the Notifications module.
If you decide to disable certain types of emails, even when they are enabled for you on the project - you will not receive them. You ultimately control the project notifications you will receive.
However, under certain circumstances - an administrator or project coordinator may decide to force an email to be sent, for example new critical vulnerability that you should be aware of. Your administrators and project coordinators will configure any forced emails, per project.
We have also introduced new email notifications when a user's role on a project is changed, and we now include their role on the project invitation email.
5. Friendly Links Now Included In All Email Notifications
We have introduced links in all emails which provide a friendly URL that will redirect the user to the relevant page on AttackForge, even if they are not yet logged in.
This helps to improve user experience by allowing the user to access a project, vulnerability, or event - with a single click!
This feature is also fully compatible with Single-Sign-On.
6. Configurable Welcome Invitation
When creating a new user via the Users module, the user will now receive a welcome email that can be configured via the Administration module.
You can configure this email to contain a warm welcome message, or instructions on how to access the portal.
The email supports full HTML.
7. Project Team Displayed on All Projects
We have added an extra column to the Projects table showing the project team.
This helps to easily find & search who is on which projects.
8. View Project Team and Group Access
We have included a new table which helps to separate which users are on a project team, and which users have access to the project via their group memberships.
This makes it easier to know who is actively involved with the project.
9. Resolution field for project vulns
We have included an additional column with the Resolution status when viewing project vulnerabilities.
This helps to quickly determine whether a vulnerability has been resolved, and also the reason it was resolved – for example fixed, risk accepted, etc.
10. Ready for Retest now prompts for note
When setting a vulnerability as Ready for Retesting, you can now add a remediation note at the same time – to help pentesters understand what fixes were put in place.
11. Other UX Improvements
We have also included the following UX improvements in this release:
Admins can now Personalize Analytics for Other Users
Performance Enhancements on downloading JSON Exports & Using ReportGen
Major Bug Fixes in Various Parts of the Application, including when Creating/Editing Vulnerabilities in Projects & Library
Upgraded Library to Handle Conversion of HTML-to-Text, addressing a number of Issues in Reports
Pop-Up Warning Alert Now Included When Attempting Bulk Updates
Improvements in Filtering & Comparison in Analytics
In-App Customizations For Your AttackForge Experience
AttackForge provides a rich set of global tenant configuration options - allowing you to customize your workflows, features & user experience.
In this release, we have made these options available to you via the Administration module – allowing you to customize your tenant on-demand!
You can personalize your email templates, change workflows, introduce or remove fields, set default values, configure your security settings – and much more!
The list of supported configuration options is regularly updated and can be found on our support site: https://support.attackforge.com/attackforge-enterprise/configuration-options
You can access the following Configuration modules from the Administration module in your AttackForge tenant:
Emails
Vulnerabilities
Projects
Reporting
Modules
Integrations
Users
Security
Miscellaneous
New Progress Notifications
In our previous May release, we introduced a new Notifications module to provide centralized & dashboard-style email notifications to keep your teams informed even whilst on the go.
In this release, we have extended this module to include Daily & Weekly Project Updates, as well as Daily & Weekly Admin Updates.
We have also included more information in these emails such as Projects Overrun, Projects Completed, and more detailed information for each project.
Every email notification is designed to provide important information relating to projects, vulnerabilities & user activity.
You can access Notifications via the global menu.
New Configuration Options
In this release, we have introduced new global tenant configuration options, to help you personalize and improve your AttackForge experience even further.
You can start using these new options via the Configuration section in the Administration module.
Projects – New Organization Code field for Projects
Emails – Create Custom Email Subject & Body for Invited Users
Vulnerabilities – Enable/Disable Severity Field in Vulnerability Library
Vulnerabilities – Enable/Disable Likelihood of Exploitation Field in Vulnerability Library
Vulnerabilities – Enable/Disable CVSS Scoring Fields in Vulnerability Library
Modules – Enable/Disable Project Request Workflow
Updates to ReportGen
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates in this release include:
New Filter – Store
New Filter – FindVuln
New Reporting Option - Remove Duplicate Proof-of-Concepts/Steps to Reproduce
New Reporting Option - Remove Duplicate Evidence
New Metatags
For more information please visit https://support.attackforge.com/attackforge-enterprise/modules/reporting
New Filter – Store
You can store custom data in arbitrarily defined tags using this filter.
For example we can create a new custom tag called 'AllVulns' and reference it, along with its data, later in the template.
This is useful if you are dynamically creating custom subsections/tables to reference in your report.
New Filter – FindVuln
You can use this filter to find a vulnerability based on a Title & Priority.
New Reporting Option - Remove Duplicate Proof-of-Concepts/Steps to Reproduce
This option can be set at the beginning of your template in order to remove duplicate Proof-of-Concepts/Steps to Reproduce for vulnerabilities which have multiple affected assets and each affected asset has the same POC & Notes.
This option is useful to reduce duplicate entries where the POCs/Notes are the same, significantly reducing report size and making content more useful to the reader.
New Reporting Option - Remove Duplicate Evidence
This option can be set at the beginning of your template in order to remove duplicate Evidence for vulnerabilities where the evidence has already been used/included within the Proof-of-Concept or Notes for any of the affected assets – for example, where the screenshots have already appeared in-line within the Proof-of-Concept or Notes.
This option is useful to reduce duplicate evidence displaying, significantly reducing report size and making content more useful to the reader.
New Metatags
We have introduced the following new tags & updates to existing tags:
{#affected_asset} --> {alternate_id} - user-friendly id associated with the vulnerability, set via project settings
{#assetVulnerabilityMapping} - list of all assets on the project mapped to their vulnerabilities
{asset} - asset name
{#vulnerabilities} - list of all vulnerabilities the asset is affected by
{vulnerability} - vulnerability title
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{status} - remediation status e.g. Fixed / Not Fixed
{#vulnerabilityDetails}
{#vulnerabilityCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within ReportGen Reports
{title} - title of the vulnerability
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{description} - description of the vulnerability
{attack_scenario} - attack scenario for the vulnerability
{remediation_recommendation} - remediation recommendation for the vulnerability
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{testcases} - list of all the linked test cases to the vulnerability
{#tags} - list of all tags
{.} - tag
{#affected_asset} - details for the affected asset - see {#assetVulnerabilityMapping} - {asset}
{#assetCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports
{alternate_id} - user-friendly id associated with the vulnerability, set via project settings
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> / Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the proof of concept
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#affected_assets} - list of all affected assets for this vulnerability
{#assetCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> / Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the proof of concept
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#evidence} - list of all evidence files uploaded to the vulnerabilities for each affected asset. De-duplication is performed to remove images which have already been displayed in the in-line screenshots
{%fileBase64} - display image (if evidence type is of image format)
{fileName} - name of the file uploaded
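To make the three rules the tags above depend on concrete, here is an added Python model of them. It is an illustration written for this page, not AttackForge or ReportGen code: the vulnerability-level {remediation_status} roll-up (Closed only when every affected asset is Closed), the "assets equally affected" collapse for assets whose POC and notes are identical, and evidence de-duplication against screenshots already shown inline. The record layout, the `<img src="...">` convention for inline images, the file-name matching and the sample hosts are all constructed assumptions.

```python
"""Model of the ReportGen de-duplication rules described on this page.

Added illustration, not AttackForge code. The data shapes, field names,
inline-image convention and sample data below are assumptions chosen to
mirror the tag names on the page ({#affected_assets},
{#assets_equally_affected}, {#evidence}, {remediation_status}).
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AffectedAsset:
    asset: str
    remediation_status: str      # "Open", "Ready for Retest" or "Closed"
    notes: List[str]
    proof_of_concept: str        # HTML; inline images appear as <img src="...">
    evidence: List[str]          # names of files uploaded as evidence


# Assumed convention: an inline screenshot is an <img> tag whose src ends
# with the uploaded file name.
IMG_SRC = re.compile(r'<img[^>]+src="([^"]+)"', re.IGNORECASE)


def vulnerability_remediation_status(assets: List[AffectedAsset]) -> str:
    """Vulnerability-level {remediation_status}: Closed only if every affected
    asset is Closed; anything else (including no assets) stays Open."""
    if assets and all(a.remediation_status == "Closed" for a in assets):
        return "Closed"
    return "Open"


def _poc_key(asset: AffectedAsset):
    # Two assets are "equally affected" only when POC and notes match exactly.
    return (asset.proof_of_concept.strip(), tuple(n.strip() for n in asset.notes))


def dedupe_affected_assets(assets: List[AffectedAsset]) -> List[Dict]:
    """Collapse assets with identical POC & notes into the first-seen asset plus
    an 'assets_equally_affected' list of the others, preserving order."""
    groups: Dict = {}
    order = []
    for a in assets:
        key = _poc_key(a)
        if key not in groups:
            groups[key] = {"primary": a, "equally_affected": []}
            order.append(key)
        else:
            groups[key]["equally_affected"].append(a.asset)
    out = []
    for key in order:
        p = groups[key]["primary"]
        out.append({
            "asset": p.asset,
            "remediation_status": p.remediation_status,
            "notes": list(p.notes),
            "proof_of_concept": p.proof_of_concept,
            "assets_equally_affected": groups[key]["equally_affected"],
        })
    return out


def dedupe_evidence(assets: List[AffectedAsset]) -> List[str]:
    """{#evidence}: every uploaded file across all affected assets, minus any
    file already shown inline in a POC or note, and minus repeats."""
    inline = set()
    for a in assets:
        for text in [a.proof_of_concept, *a.notes]:
            for src in IMG_SRC.findall(text):
                inline.add(src.rsplit("/", 1)[-1])
    seen, out = set(), []
    for a in assets:
        for f in a.evidence:
            if f in inline or f in seen:
                continue
            seen.add(f)
            out.append(f)
    return out


def render_vulnerability(title: str, assets: List[AffectedAsset]) -> Dict:
    """Shape one vulnerability the way the tags above would see it."""
    return {
        "title": title,
        "remediation_status": vulnerability_remediation_status(assets),
        "affected_assets": dedupe_affected_assets(assets),
        "evidence": dedupe_evidence(assets),
    }


# Constructed sample: two hosts share the same POC and notes, a third does not.
SAMPLE_ASSETS = [
    AffectedAsset("web01.example.test", "Closed", ["Patched on 2021-06-01"],
                  'GET / with header X ... <img src="/files/web01.png">',
                  ["web01.png", "burp-log.txt"]),
    AffectedAsset("web02.example.test", "Closed", ["Patched on 2021-06-01"],
                  'GET / with header X ... <img src="/files/web01.png">',
                  ["web01.png"]),
    AffectedAsset("api01.example.test", "Open", [],
                  "POST /login with ...", ["api01-response.png"]),
]

if __name__ == "__main__":
    print(json.dumps(render_vulnerability("Example finding", SAMPLE_ASSETS), indent=2))
```

Running the block prints one record in which web02 is folded into web01's "assets equally affected" list, the duplicate web01.png screenshot is dropped from the evidence list because it already appears inline, and the vulnerability stays Open because api01 is still Open.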
2021-05-03
Trend Analysis & Comparison Now Available in Analytics
You can now easily perform trend analysis by comparing key data such as projects, vulnerabilities, SLAs, etc. across periods of time & groups.
This can help you to discover if you are getting better or worse. You can compare business units or customers over time.
You can easily compare last year/month/quarter against this year/month/quarter using pre-defined filters.
Or you can select a custom date range for the time periods you want to compare.
You can also include Groups to track & compare how a business unit, supplier or team are performing over a given time period.
To compare Analytics, click on the Compare button in the top-right of your Analytics dashboard.
New Global Dashboard Notifications Module
You can now access global dashboard email notifications to keep you & your teams informed, even whilst on the go.
Every email notification is designed to provide a dashboard summary of key information – for example projects, vulnerabilities, SLAs, group activity, user activity etc.
The first notification we have included in this release is the Daily Admin Update.
This email dashboard is intended to provide an overview of activities happening in AttackForge over the past 24 hours, and also to provide key information to help plan & prepare for the upcoming week.
The Daily Admin Update Email includes the following:
Total number of Vulnerabilities discovered in past 24 hours, including Critical, High, Medium, Low & Info
Total number of Vulnerabilities Closed in past 24 hours
Total number of Vulnerabilities Ready for Retest in past 24 hours
Total number of Projects Requested in past 24 hours, including project name & desired test window
Total number of Projects In-Progress, including name, test window & total number of vulnerabilities
Total number of Projects Waiting to Start in next 7-days, including project name & test window
Total number of New Users in past 24 hours, including first & last names
Daily Admin Update Email supports following options:
Enable/Disable - depending on whether you would like to use the feature or not. Default is Disabled.
Selection of users to send the email to - you can individually add users to receive the email.
Time each day the email will be sent - this is based on the geographical region assigned to your tenant. The emails will be sent at any given point during the selected hour.
You can access Notifications via the global menu. It is currently restricted to admin users only.
Automating Access to Groups/Projects via Active Directory
Administrators can link Identity Provider (IDP) or Active Directory (AD) groups to AttackForge Groups.
This feature is available for Single-Sign-On (SSO) enabled tenants to help automate provisioning and removal of users to AttackForge Groups and their related projects, based on the users' IDP/AD groups.
This feature can help to ensure that users accessing AttackForge receive the appropriate access to projects based on the enterprise's own access control groups, and lose access to projects they should no longer have access to.
This option is Disabled by default. It is only enabled, on an AttackForge Group-by-Group basis, when an IDP/AD group is linked to the AttackForge Group.
For more information on how this feature works, please visit https://support.attackforge.com/attackforge-enterprise/modules/groups#linking-identity-provider-active-directory-groups
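The security-relevant part of this feature is the removal side: access granted through a linked group has to be withdrawn when the IDP/AD membership goes away, while groups that are not linked keep their manually managed members. The following added Python example models that reconciliation for one user at SSO login. It is an illustration written for this page, not AttackForge's implementation; the link table, group names, AD distinguished names and the decision to leave memberships untouched when the IDP sends no groups claim at all are assumptions made here.

```python
"""Reconcile one user's app group membership from their IDP/AD groups.

Added illustration of the provisioning model described on this page; it is
not AttackForge code. The mapping, names and fail-safe behaviour are assumed.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed link table: app group -> IDP/AD group it is linked to.
# App groups absent from this table are unlinked and never touched.
LINKS: Dict[str, str] = {
    "Pentest Team": "CN=sec-pentest,OU=Groups,DC=corp,DC=example",
    "Acme Client Portal": "CN=vendor-acme,OU=Groups,DC=corp,DC=example",
}

# Assumed group -> projects mapping, used to show the downstream effect.
GROUP_PROJECTS: Dict[str, Set[str]] = {
    "Pentest Team": {"PRJ-101", "PRJ-102"},
    "Acme Client Portal": {"PRJ-200"},
    "Manual QA Group": {"PRJ-300"},
}


def reconcile(idp_groups: Optional[Iterable[str]],
              current_app_groups: Iterable[str],
              links: Dict[str, str] = LINKS) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for a user's app groups at SSO login.

    - to_add: linked app groups whose IDP group the user now holds
    - to_remove: linked app groups whose IDP group the user no longer holds
    Unlinked app groups are left alone in both directions.

    Fail-safe (an assumption of this example, not a documented behaviour):
    if the IDP sent no groups claim at all, change nothing, so a broken
    claim mapping does not deprovision every user on their next login.
    """
    current = set(current_app_groups)
    if idp_groups is None:
        return set(), set()
    # AD distinguished names compare case-insensitively.
    held = {g.lower() for g in idp_groups}
    entitled = {app for app, dn in links.items() if dn.lower() in held}
    to_add = entitled - current
    to_remove = {g for g in current if g in links and g not in entitled}
    return to_add, to_remove


def apply(current_app_groups: Iterable[str],
          to_add: Set[str], to_remove: Set[str]) -> Set[str]:
    """Membership after the reconciliation is applied."""
    return (set(current_app_groups) | to_add) - to_remove


def effective_projects(app_groups: Iterable[str],
                       group_projects: Dict[str, Set[str]] = GROUP_PROJECTS) -> Set[str]:
    """Projects reachable through group membership (manual project-team
    access is outside this example)."""
    out: Set[str] = set()
    for g in app_groups:
        out |= group_projects.get(g, set())
    return out


if __name__ == "__main__":
    # Constructed case: user moved from the vendor group into the pentest
    # group in AD, and is also in an unlinked, manually managed app group.
    before = {"Acme Client Portal", "Manual QA Group"}
    add, remove = reconcile(["cn=sec-pentest,ou=groups,dc=corp,dc=example"], before)
    after = apply(before, add, remove)
    print("add:", add, "remove:", remove)
    print("projects before:", sorted(effective_projects(before)))
    print("projects after:", sorted(effective_projects(after)))
```

The unlinked "Manual QA Group" survives the login because it has no IDP group behind it, which is exactly the Group-by-Group opt-in the release notes describe: linking a group is what hands its membership over to the IDP.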
Revision History Now Available on Vulnerabilities
You can now access revision history for every change made to a vulnerability on a project or in the library.
This feature can help with tracking changes, for quality assurance or auditing.
The revision history includes:
Field that was changed
Datestamp when the change happened
The user who performed the change
The data before the change
The data after the change
When viewing a vulnerability on a project or in the library you can click on the Revision History tab to see the changes.
Set Custom Default Landing Page
The landing page is the first page a user sees when they log into AttackForge.
The default login landing page is the Global Dashboard; however you can now configure your own landing page to another area within AttackForge – for example Analytics, Vulnerabilities, Projects, Users, etc.
Admins can also update the login landing page on behalf of another user. This is useful to ensure smooth user experience for your customers.
Users can update their own landing page via Profile section. Admins can update landing page for another user via Users module.
Access Project Logs On-Demand
You can now access project logs on-demand, to help with troubleshooting or auditing.
Admins can access project logs from the project dashboard page menu.
New Administration Module
The new administration module helps you to:
Track & manage your AttackForge licensing
Configure & customize your tenant
Access Ticketing System (Backlog) and monitor support credits
The Licence tab provides overview of your AttackForge licence, including:
Licence Type
Licence Plan
SKU
Licence Start Date
Licence End Date
Project Credits Used
Project Credits Remaining/Available
You can also top-up your project credits via credit-card to avoid any disruption to your customers or business.
This is available for tenants on the Cloud or Core licence (with exception of Unlimited plan).
The Configuration tab provides tenant configuration options to customize your AttackForge experience. For a detailed list of all supported configuration options, please visit https://support.attackforge.com/attackforge-enterprise/configuration-options
NOTE: This section is new and still in progress. More configuration options will be included over the coming releases.
The Support tab provides a link and information on how to access Backlog - the AttackForge ticketing system for Core & Enterprise customers.
If your SLA includes Support Credits - they will also be listed on this page, including total number of support credits used and support credits remaining.
Updates to ReportGen
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates include:
New Filter – Includes
New Filter – Excludes
New Filter – Count
New Filter – Find
New Metatags
For more information please visit https://support.attackforge.com/attackforge-enterprise/modules/reporting
New Filter – Includes
You can now check to see if a tag contains a specified value, or array of values, and continue if true/exists.
New Filter – Excludes
You can now check to see if a tag does not contain a specified value, or array of values, and continue if true/doesn't exist.
New Filter – Count
You can now use a 'count' filter to set an arbitrary counter for a condition, then reference that counter later on.
New Filter – Find
You can now search a tag which contains an array of objects to return an object which meets a specific condition.
New Metatags
We have introduced the following new tags & updates to existing tags:
{#statusUpdates} - details for each project status update e.g. when project goes on-hold or off-hold
{status} - e.g. 'On-Hold' or 'Off-Hold'
{note} - reason why project was on-hold or off-hold
{created} - timestamp when project went on-hold or off-hold
{asset_library_created} - timestamp when asset was added to Assets module library. NOTE: requires tenant configuration with Assets module enabled.
{asset_library_id} - Assets module library id. NOTE: requires tenant configuration with Assets module enabled.
{asset_external_id} - user-defined external id for the asset. NOTE: requires tenant configuration with Assets module enabled.
{asset_type} - asset type e.g. Web App, API, Network, etc. NOTE: requires tenant configuration with Assets module enabled.
{asset_details} - asset details. NOTE: requires tenant configuration with Assets module enabled.
{projectGroups} - details for each linked Group
{name} - name of the group
{#retestingHistory} --> {retesting_round} - e.g. 1, 2, 3, etc.
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> [NEW] / Closed on <DATE>
New Global Config Options Available
We have added new configuration options in this release which can be enabled on your tenant:
Custom Email Template Header
Custom Email Template Body Style
Custom Email Template Footer
Replace Likelihood of Exploitation with CVSS Score in Project Vulnerabilities pages/tables (default Disabled)
Default ReportGen Project Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Project Custom Tags on a project (default None)
Default ReportGen Vulnerability Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Vulnerability Custom Tags in the library (default None)
Default ReportGen Affected Assets Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Affected Asset Custom Tags on a project (default None)
Enable Password-Protection for all PDF Reports. Prior to download, the user will be prompted to enter a strong password (default Disabled)
UX Enhancements
This release is action-packed with user experience improvements.
UX has been improved by:
Alternate flow for approving a Project Request that allows changes to the Project before approving it
Improved report generation & download speed by up to 20% using new optimized compression algorithms
Better feedback when importing vulnerabilities and file is being parsed
Option to use Affected Domain or Affected URL when importing from Netsparker
Button to create an asset when creating a new vulnerability on a project
Performance improvements by up to 15% on page load times when accessing Global Dashboard Vulnerabilities & Global Search
New layout for Analytics Personalization to make it easier to build your personal dashboard
Option to add a Remediation note at same time when Re-Opening or Closing a vulnerability
Option to download project reports via page menu when viewing the project vulnerabilities
Automated email to user when they are added as a group member to a project
Improved consistency in project breadcrumbs
2021-03-08
ReportGen Gets A Power-Up!
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates include:
Support for Conditions, Loops, Filters, Data Aggregation, Data Formatting & Assignments
Support for Custom Tags
New Tags Available
Support for Conditions, Loops, Filters, Data Aggregation, Data Formatting & Assignments
You can now add logic conditions to your ReportGen templates. These logic conditions can help make decisions on how your report should render, providing you with greater precision in your reports.
For example, if you want to create a section within a report which just contains the details for all PCI-DSS or SSL/TLS vulnerabilities, or results from the Internal/External vulnerability scanning – you can now do this!
Combining this new functionality with Custom Tags (also included in this release) provides you with full-control over custom sections within your reports.
For more information on how to use the new logic conditions in your report template, check out following support page for more details: https://support.attackforge.com/attackforge-enterprise/modules/reporting#general-syntax-rules
Support for Custom Tags
AttackForge ReportGen now lets you define your own custom fields/tags which can be referenced anywhere within your report templates.
Custom fields can be used to capture additional information for projects, vulnerabilities and affected assets. This could include metadata, scoring, client information, or simply used for logically separating data within your reports - for example you can create a template to show just PCI-DSS vulnerabilities, or External vulnerabilities, etc.
Custom fields/tags are arbitrarily defined – this means you can control the name & value of each field, to then reference in your ReportGen templates.
Custom fields/tags can be set at three (3) different levels:
Project-Level
You can now define custom project-level fields which could be used to capture and include information relating to the overall project, for example client details, report classifications, test-related information, etc.
Vulnerability-Level (in library)
You can now define custom vulnerability-level fields which could be used to provide supporting details for a vulnerability in the library, for example technical risk score, industry classifications, type classifications, references to internal sources/mappings, etc.
Affected Asset-level (vulnerability on project)
You can now define custom affected asset-level fields which could be used to provide supporting details for a vulnerability on a project, for example whether it's derived from internal or external scanning, whether it's a PCI-related finding, etc.
You can also perform bulk-add/update to apply custom fields/tags across a selection of vulnerabilities on a project at one time (see following link for more details: https://support.attackforge.com/attackforge-enterprise/getting-started/updating-vulnerabilities#bulk-add-reportgen-fields-tags)
Project-Level Example:
To start creating Custom Tags at Project-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#project-level-custom-fields
Vulnerability-Level Example:
To start creating Custom Tags at Vulnerability-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#vulnerability-level-library-custom-fields
Affected-Asset Level Example:
To start creating Custom Tags at Affected Asset-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#affected-asset-level-project-custom-fields
New Tags Available
We have added new ReportGen tags which can be used in your report templates.
The new tags include:
{#criticalVulnerabilities} – details for just the Critical vulnerabilities on the project. Includes details for affected assets.
{#highVulnerabilities} – details for just the High vulnerabilities on the project. Includes details for affected assets.
{#mediumVulnerabilities} – details for just the Medium vulnerabilities on the project. Includes details for affected assets.
{#lowVulnerabilities} – details for just the Low vulnerabilities on the project. Includes details for affected assets.
{#infoVulnerabilities} – details for just the Info vulnerabilities on the project. Includes details for affected assets.
{testcases} – list of all the test cases linked to the vulnerability
{#passedTestcases} – details for all the Passed test cases on the project.
{#failedTestcases} – details for all the Failed test cases on the project. Includes details for the linked vulnerabilities which led to the test case being failed.
{#remediatedTestcases} – details for all the Remediated test cases on the project. Includes details for the linked vulnerabilities which led to the test case being failed and then remediated.
For more information on new tags and the data available for each tag, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#available-tags-for-individual-reports
Tracking Passed, Failed & Remediated Test Cases
In this update we have included the ability to track Passed, Failed & Remediated test cases for every project.
Failed test cases can help to identify tests which need to be re-performed as part of remediation testing.
Remediated test cases help to identify which failed test cases have had all vulnerabilities fixed/closed.
You can fail a test case automatically by linking a vulnerability to a test case.
When creating or updating a vulnerability on a project, select the failed test case(s) to link them.
You can also add a vulnerability directly from the test cases page, to quickly link the test case to the new vulnerability.
We have also included the ability to filter test cases by Passed, Failed & Remediated when viewing the test cases on the project.
You can also access the data for Passed, Failed & Remediated test cases in ReportGen (see above).
See example below for Failed Test Case:
See example below for Remediated Test Case:
Personalize Your Analytics
You can personalize analytics based on the data you want to see on your Analytics dashboard. Fine tune your SLAs based on how your organization tracks and measures them.
To personalize Analytics, click on Personalize Analytics button in the top-right of your Analytics page.
In this release we have also added additional analytics widgets for the items below.
Each widget can also be filtered based on time/date and groups.
Zero(0)-Day Vulnerabilities
Easily Exploitable Vulnerabilities
OWASP Top 10 Vulnerabilities
CWE Top 25 Vulnerabilities
Critical Vulnerabilities
High Vulnerabilities
Medium Vulnerabilities
Low Vulnerabilities
Total Vulnerabilities
Closed Vulnerabilities
Open Vulnerabilities
Ready for Retest Vulnerabilities
You can select the analytics you want to display on your own Analytics dashboard.
New Global Config Options Available
We have added new configuration options in this release which can be enabled on your tenant:
Disable default reports (PDF/DOCX/HTML) for all users or just client users – to force use of ReportGen custom reports (default Enabled)
Default option for whether a new vulnerability is Visible or Pending – depending on your QA workflow (default Visible)
Support for US date format e.g. MM/dd/YYYY (default Disabled)
Default value for Project Name field when creating a new project (default None)
Default value for Project Code field when creating a new project (default None)
Default value for Scoring System field when creating a new project (default CVSSv3.1 Baseline)
Default Project Groups when creating a new project (default None)
Default Project Team Notifications (e.g. New Critical Vuln, New High Vuln, etc.) when creating a new project (default None)
Default Project Admin Notifications (e.g. Vulnerability Ready for Retesting, Vulnerability Closed, etc.) when creating a new project (default None)
Support for Middle-East work week e.g. Sunday to Thursday when requesting a new project (default Disabled)
Auto-redirect to SSO login on visiting application login page (recommended for SSO-integration tenants with no self-registration workflow) (default Disabled)
As a reminder we also have the following configuration options already available:
Custom domain for accessing the application
Enable/Disable emails (default Enabled)
Custom domain for all emails (default discover@attackforge.com)
Whitelisted domains for self-registration (default None)
Session length (default 30 minutes)
Assets Library Module (default Disabled)
Give project coordinators access to all new created projects (default Disabled)
Email on change of IP address from last login (default Enabled)
Local account self-registration (default Enabled)
Admins require AF MFA on login via SSO (default Disabled)
Simultaneous user sessions allowed (default Disabled)
Custom email body for new registrations
Custom blacklist for file upload extensions
Self-password reset from login page (default Enabled)
Custom value for Project Code in the UI (default Project Code)
CIA ratings in the Vulnerability Library (default Enabled)
Enable Slack (default Disabled)
Enable Teams (default Disabled)
Enable Discord (default Disabled)
Custom default email body for daily start/stop testing email notifications
Custom default additional email addresses for daily start/stop testing email notifications
Custom default email body for project team email notifications e.g. new critical vulnerability
Custom default additional email addresses for project team email notifications
Rich-Text Editor or Text Area for Steps to Reproduce (POC) for project vulnerabilities (default Rich-Text Editor)
Text area will disable HTML conversion in reports & exports – to allow for verbatim POCs
Updates to Self-Service API
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AttackForge Enterprise (AFE).
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
Updates to getVulnerabilities, getVulnerabilitiesByAssetName, getVulnerabilitiesByGroup, getVulnerabilityById, getProjectVulnerabilitiesById
Added new fields to return date stamp when status of vulnerability was last updated
Added new fields to return the Asset Library id & external Id values
createAssetInLibrary
this new method allows authorized users to create new assets in the Assets Library
updateAssetInLibrary
this new method allows authorized users to update assets in the Assets Library
getAssetInLibrary
this new method allows authorized users to get an asset in the Assets Library by its Id
getAssetsInLibrary
this new method allows authorized users to get assets in the Assets Library by filters
UX Enhancements
This release is action-packed with user experience improvements.
UX has been improved by:
Allowing users to inspect & override vulnerability data before it gets imported on a project
Project tracking page and tooltips (when hovering over project) now includes dates for each test suite, to help track when rounds of testing were performed on the project.
Attack Chains now link to MITRE ATT&CK® framework website – to help provide more detailed information on tactics used by adversaries in the attack chains
Better error handling for all tools when importing vulnerabilities on a project, including guides for the CSV imports to indicate required fields
Better mapping for CVSS scores, including to Likelihood of Exploitation, from tools when importing vulnerabilities on a project
Better support for importing vulnerabilities from Netsparker
Updates to editing multiple vulnerabilities on a project, to include:
Select All Vulnerabilities (currently filtered in the table)
De-select All Vulnerabilities
Select Critical Vulnerabilities (currently filtered in the table)
De-Select Critical Vulnerabilities (currently filtered in the table)
Select High Vulnerabilities (currently filtered in the table)
De-Select High Vulnerabilities (currently filtered in the table)
Select Medium Vulnerabilities (currently filtered in the table)
De-Select Medium Vulnerabilities (currently filtered in the table)
Select Low Vulnerabilities (currently filtered in the table)
De-Select Low Vulnerabilities (currently filtered in the table)
Select Info Vulnerabilities (currently filtered in the table)
De-Select Info Vulnerabilities (currently filtered in the table)
Bulk Add Tags
Bulk Add ReportGen Custom Tags
Stop Editing Multiple Vulnerabilities
2021-01-12
Updates to Scheduling & Planning Projects
Scheduling & planning projects is now even easier with the following updates in this release:
Availability checker now available when granting user access to a project – making it easier to see which consultants are available (or not available) for the project & to help you with effective planning of resources.
Calendar now available when granting user access to a project – making it easier to see which projects are currently scheduled or planned. You can also filter this calendar by user or time period.
All calendars now have On-Hover feature which allows you to access key project status/progress information without having to leave the page.
You can also now filter the schedule by user role, for example to see all projects for Consultants.
Custom Email Notifications on New Vulnerabilities Discovered
When creating or updating a project, you can now set a custom email body for the new vulnerability notifications which are sent to the project team.
You can also send the emails to additional recipients which are not already on the project team, for example SOC teams.
When creating a custom email body, ensure you include all HTML tags as the emails will be sent in HTML format.
You can adjust the standard template which is already pre-loaded in the form for you; please contact us for more details on how to do this.
The following meta tags will map to the following details when the email is sent:
{{firstName}} - this will include the first name of the project team member. For additional email recipients who are not on the project team, this field will be skipped.
{{consultant}} - this is the first name & last name of the consultant who is sending the daily email.
{{projectName}} - this will be the name of the project.
{{priority}} - this is the priority of the vulnerability i.e. Critical, High, Medium, Low, Info.
{{title}} - this is the title of the vulnerability.
{{asset}} - this is the affected asset for the vulnerability.
{{likelihood_of_exploitation}} - this is the likelihood of exploitation for the vulnerability. It is a number between 1 and 10.
{{is_zeroday}} - this is either Yes or No depending on whether the vulnerability is a Zero-Day (0-day) or not.
{{description}} - this is the description of the vulnerability.
{{attack_scenario}} - this is the attack scenario of the vulnerability.
{{remediation_recommendation}} - this is the remediation recommendation for the vulnerability.
{{proof_of_concept}} - this is the proof of concept / steps to reproduce the vulnerability. This is rendered in full HTML.
{{notes}} - these are the notes for the vulnerability.
{{tags}} - these are the tags for the vulnerability. They are presented as an unordered list.
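As an added example, not AttackForge's own code, here is a small JavaScript renderer for the {{tag}} scheme above, using constructed sample data. The escaping rules are this example's assumption: every field is HTML-escaped except {{proof_of_concept}}, which the note says is rendered as full HTML, and {{firstName}} is left empty for recipients outside the project team.

```javascript
// Added example, not AttackForge code: a renderer for the {{tag}} scheme above.
// Escaping choices are assumptions: every field is HTML-escaped except
// proof_of_concept, which the release note says is rendered as full HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

function renderNotification(template, vuln, recipient) {
  const fields = {
    // Skipped (empty) for additional recipients who are not on the project team.
    firstName: recipient.onProjectTeam ? recipient.firstName : "",
    consultant: `${vuln.consultant.firstName} ${vuln.consultant.lastName}`,
    projectName: vuln.projectName,
    priority: vuln.priority,
    title: vuln.title,
    asset: vuln.asset,
    likelihood_of_exploitation: String(vuln.likelihoodOfExploitation),
    is_zeroday: vuln.isZeroDay ? "Yes" : "No",
    description: vuln.description,
    attack_scenario: vuln.attackScenario,
    remediation_recommendation: vuln.remediationRecommendation,
    notes: vuln.notes,
  };
  const values = Object.fromEntries(Object.entries(fields).map(([k, v]) => [k, escapeHtml(v)]));
  values.proof_of_concept = vuln.proofOfConcept; // full HTML, inserted verbatim
  values.tags = "<ul>" + vuln.tags.map((t) => `<li>${escapeHtml(t)}</li>`).join("") + "</ul>";
  // Unknown {{tags}} are left as-is so a typo in the template is visible in the mail.
  return template.replace(/\{\{(\w+)\}\}/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(values, name) ? values[name] : whole);
}

// Constructed sample data so the block runs stand-alone.
const SAMPLE_VULN = {
  consultant: { firstName: "Alex", lastName: "Rivera" },
  projectName: "Customer Portal Q1",
  priority: "High",
  title: "Search term echoed into <title> without encoding",
  asset: "portal.example",
  likelihoodOfExploitation: 7,
  isZeroDay: false,
  description: "User input is reflected into the page title unencoded.",
  attackScenario: "A crafted link alters page content for the victim.",
  remediationRecommendation: "Encode output for the HTML context.",
  notes: "",
  proofOfConcept: "<ol><li>Open the search page.</li></ol>",
  tags: ["xss", "web"],
};
const SAMPLE_TEMPLATE =
  "<p>Hi {{firstName}},</p><p>{{consultant}} logged a {{priority}} finding on {{projectName}}: " +
  "<b>{{title}}</b> on {{asset}}. Zero-day: {{is_zeroday}}; likelihood {{likelihood_of_exploitation}}/10.</p>" +
  "{{tags}}{{proof_of_concept}}";
```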
Project Roles Now Available
Project Roles can be assigned to any user on the project. The roles include common stakeholders involved in the pentest project lifecycle, including Red Teams, Blue Teams, Security Teams and Customers.
Project Roles are displayed in the Calendars & Project Tracking / Overview page, so that other team members can see who is on their project and also their role on the project - to help with collaboration and contacting the right person.
Project Roles are also included in the reports, alongside the project team member's name.
Project Roles do not provide the user with any additional access rights. Privileges on the project are controlled via the Access Roles.
Login Redirects Now Available
AttackForge Enterprise now supports login redirects to help your users & customers access the data they need, quickly and efficiently.
You can append any of the following redirects to the login URL, which can be shared with customers:
?redirectTo=sso
This will automatically redirect the user to sign in with Single Sign-On (if available)
?redirectTo=register
This will automatically redirect the user to the registration page (if available)
?redirectTo=resetPassword
This will automatically redirect the user to the password reset page (if available)
?redirectTo=/#!/app/…
This will automatically redirect the user to a page within AFE, after the user has logged in.
!IMPORTANT - this is only supported with Local Accounts (Non-SSO)
Examples are provided below for reference:
https://<AFE_TENANT>/#!/login?redirectTo=sso
Redirect to SSO login
https://<AFE_TENANT>/#!/login?redirectTo=register
Redirect to registration page
https://<AFE_TENANT>/#!/login?redirectTo=resetPassword
Redirect to password reset
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects
Redirect to list of all projects after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects/5bdd20d8128aa82e0040a75d/dashboard
Redirect to Project Dashboard for a specified project, after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects/5bdd20d8128aa82e0040a75d/overview
Redirect to Project Overview for a specified project, after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/schedule
Redirect to Schedule / Calendar after login
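As an added example, not AttackForge's own code, the JavaScript below builds these shareable links and, on the receiving side, accepts only the documented redirectTo forms (the three named targets and routes under /#!/app/). The tenant hostname tenant.example and the reject-everything-else policy are assumptions of the example, not behaviour the release note describes.

```javascript
// Added example, not AttackForge code: parse and allow-list the redirectTo
// parameter from a login URL of the form shown above. The accepted forms come
// from the release note; rejecting everything else is this example's policy.
const NAMED_REDIRECTS = new Set(["sso", "register", "resetPassword"]);
const APP_ROUTE_PREFIX = "/#!/app/";

// Returns the redirect value when it is one of the documented forms, else null.
// A value carrying a scheme, host, protocol-relative prefix, traversal or
// whitespace never matches, so the parameter cannot send a user off the tenant.
function validateRedirectTo(value) {
  if (typeof value !== "string" || value === "") return null;
  if (NAMED_REDIRECTS.has(value)) return value;
  if (!value.startsWith(APP_ROUTE_PREFIX)) return null;
  const route = value.slice(APP_ROUTE_PREFIX.length);
  if (route === "" || /[\s\\]|\/\/|\.\.|[?#]/.test(route)) return null;
  return value;
}

// Pulls redirectTo out of the hash route "#!/login?redirectTo=..." and validates it.
function parseLoginRedirect(loginUrl) {
  const hash = new URL(loginUrl).hash; // "#!/login?redirectTo=..."
  const q = hash.indexOf("?");
  if (!hash.startsWith("#!/login") || q < 0) return null;
  const params = new URLSearchParams(hash.slice(q + 1));
  return validateRedirectTo(params.get("redirectTo"));
}

// Builds the shareable link exactly as the examples above format it;
// tenant.example is a constructed placeholder for the real tenant host.
function buildLoginUrl(tenant, redirectTo) {
  const safe = validateRedirectTo(redirectTo);
  if (safe === null) throw new Error("redirectTo is not an allowed target");
  return `https://${tenant}/#!/login?redirectTo=${safe}`;
}
```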
Projects OnHover Feature
You can now view quick project status/update by hovering over the project name, status or completed test cases in the Projects page.
This will provide an update on the project team and also the progress for each of the test suites/methodologies assigned to the project.
Order Test Suites & Test Cases
Every test suite & test case now allows you to add a ‘Code’ which can be used for sorting & ordering test cases when displayed in projects & reports.
Code will appear before the details of the test case. For example: WEB-APP-001 Test for X, Y & Z; WEB-APP-002 Test for A, B & C; etc.
Updates to Global Dashboard for Admins
Admins can now see the status for each of their project requests, including total requested; total pending; total approved; and total rejected.
Clicking on any of the dashboard boxes will drill-down to view the data.
Updates to Test Case Notes & Evidence
Adding test case notes & evidence will no longer refresh the page. You can apply a custom filter or sort to the test cases, and then create notes or upload evidence, without losing your custom filter or sort.
Group Members Shortcut
You can now easily view users assigned to a group (group members) from the main Groups page, by using the Actions menu for a selected Group.
This will redirect you to the Group Membership page without having to drill-down into each group.
Group Members Full Details
When viewing the group members page, it now includes their emails and usernames – to help with search, particularly if using SSO/AD integration.
Better Error Handling for File Uploads
We have made changes to the error handling for file uploads so that it now provides you with the exact details of why the file was rejected in the alert box.
We have also removed the automated logout on failed upload, to help improve user experience.
Delete Users & Project Requests
You can now delete a user or project request from AFE. When a user is deleted, any data they have created in the application will remain for integrity & auditing purposes.
Updates to Project Request Form
We have now included an optional text field for users when submitting a project request. The field is Reason Testing Is Required (Justification).
This field can be used to gather details of why the user is submitting the request for testing, for example it's a new application; annual pentest; compliance exercise; etc.
Scope Meta-tag Now Supported on Project Daily Start/Stop Emails
You can now include the project scope in the daily start/stop testing email notifications. This is useful if you need to inform SOC teams of the assets which are being tested.
Vulnerability Search Now Supports Tags
When searching for a vulnerability in the library when adding/updating vulnerability on a project, the keyword search field now includes searching the associated tags assigned to the vulnerabilities, in addition to the vulnerability titles.
This makes it easier to search for a group or type of vulnerability, without having to know keywords in its title.
Updates to User Search Fields
When searching a user in the application, the search field will now display the First Name, Last Name & Email address for the users – making it easier to find the user(s) you need.
Updates to ReportGen
We have included additional tags which can now be used in your ReportGen templates:
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{#abuseCases} - list of all abuse cases on the project
{proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{testcase_code} - code assigned to the test case.
{testsuite_name} - name of the associated test suite.
{testsuite_code} - code of the associated test suite.
When downloading a report via ReportGen, the filename will now include the project’s name – making it easier to identify the report you need.
You can also now access the Offline ReportGen Diagnostic Tool to help with building your own custom ReportGen templates for AFE.
The tool can be accessed from the ReportGen page menu.
Updates to Analytics Filter
We have now removed the placeholder Start & End dates when accessing the filter in Analytics – making it easier to add your own dates.
Updates to Self-Service API
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has a detailed documentation page which includes information & examples for all parameters (optional & mandatory); the URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on the Self-Service API module.
The updates in this release include:
GetProjectWorkspace
this new method allows authorized users to view project workspace notes & metadata for uploaded files.
CreateProjectWorkspaceNote
this new method allows authorized users to create new project workspace notes.
UpdateProjectWorkspaceNote
this new method allows authorized users to update an existing project workspace note.
GetProjectNotes
this new method allows authorized users to view project notes, including private notes (where applicable).
CreateProjectNote
this new method allows authorized users to create new project notes.
UpdateProjectNote
this new method allows authorized users to update an existing project note.
Support for Acunetix
We have now included support for Acunetix when importing vulnerabilities on your projects.