2024

21 May 2024

Secure Code Learning with SecDim

We're excited to be the first Pentest Management Platform to release a Secure Code Learning collaboration with SecDim - Dev-Native Attack & Defence Wargames.

With the power 💪 of SecDim and AttackForge, you can:

  • Explore a real vulnerability in a cloud native app. Debug and verify if your security patch can remediate the vulnerability

  • Train developers on how to fix vulnerabilities identified in their applications, during a pentest

  • Collaborate between engineers and security teams on how to best remediate vulnerabilities

  • Improve retesting pass rates for discovered vulnerabilities

  • Test your knowledge on how to fix common vulnerabilities and measure your effectiveness

Every Sandbox comes with a security test suite to simulate the exploitation of the vulnerability.

Sandboxes are integrated with git so you can save your progress and pick it up again where you left off.

SecDim's catalogue is extensive, covering everything from AI, GraphQL, React, Kubernetes, to Web3. You can test your skills against modern security vulnerabilities inspired by real-world issues.

Each sandbox is deployed in a secure isolated Cloud Development Environment directly in your browser. You can debug, patch and test your code as if you were building an app.

Start by learning more about this integration, and when ready - switch the integration on.

Search SecDim's catalogue of vulnerable sandboxes which you can link to your Writeups.

When you create a vulnerability on a project, users will be able to see the linked SecDim sandboxes and launch a sandbox to get started.

Auto-Add Groups to Project Requests

You can now automatically assign Groups to Project Requests when they get created by group members.

This means any custom access controls you have created on the group will take effect immediately.

This makes it easy to have dedicated teams of people who can work together to view, edit and approve project requests - without the involvement of Administrators or Project Coordinators.

UX Improvements

Now when you open and close the Info panels on Vulnerabilities, Project Test Cases and Reporting, this action will be remembered for the duration of your session. This means you can switch between pages and see the information you want more easily and with fewer clicks.

We added new Core Fields for Hide Expressions to provide more flexibility when it comes to controlling your forms.

We also improved the behaviour of how CVSSv3.1 scoring is used on vulnerabilities, including better support for Nessus.

SSAPI Enhancements

We have made the following enhancements to the Self-Service APIs:

  • Get Assets In Library now supports the Advanced Query filter

  • Create Vulnerability and Create Vulnerability With Library now support passing in Asset Library Ids.

  • Update Vulnerability and Update Vulnerability With Library now support updating the Affected Asset(s).

  • Get Project Report Data endpoint was created to allow programmatic creation of reports for selected vulnerabilities only.

ReportGen Improvements

We have improved ReportGen to make your reports even better!

  • $declare, $push and $assign Functions now support 'this' and 'this[number]'

  • $includes now supports Dictionaries

3 May 2024

New Project Request Access Controls

You can now configure custom access controls on Project Requests.

This means you can now:

  • Create multi-stage review and approval workflows for Project Requests, particularly when combined with custom field access controls.

  • Delegate additional persons or group members to View, Edit or Action selective Project Requests.

  • Improve efficiency when it comes to project scoping workflows.

To get started, as an Administrator or Project Coordinator - access the Settings on the Project Request:

You can assign access to application user Roles, Groups or individual Users.

Each access control can be assigned with View, Edit or Action:

  • View means the user will be able to view the Project Request, but not make any changes.

  • Edit means the user will be able to view and edit the Project Request, and upload any supporting files.

  • Action means the user will be able to view and edit the Project Request, upload any files, request more information, and reject and approve the Project Request. Approving the Project Request will result in creation of a new Project.

When assigning Group access to the Project Request, the group members can be assigned with View, Edit and Action. This will apply to the Project Requests linked to the Group.

Project Coordinators and Administrators will continue to have access to all Project Requests, along with any additional Roles or Users who have been delegated global privileges to Action all Project Requests.

Vulnerability Imports Now Support Multiple Files

You can now import multiple scan files in one import. This means you can now take advantage of Grouped Assets on vulnerabilities across multiple scans - making it easier to identify and track unique vulnerabilities on the project, and associate affected assets more easily.

Simply select multiple scan files when prompted to select a file.

We also made improvements to user feedback during parsing of vulnerabilities.

Bulk Action Retest Vulnerabilities

We have now made it easier to see all vulnerabilities associated with a retest, and perform bulk actions.

Create Reports on Pending Vulnerabilities

You can now create reports on pending vulnerabilities. This makes it easier to review vulnerabilities in your custom reports, before releasing them to customers.

Filterable Project Team Details

You can now view the entire project team and filter on team members more easily:

Email Updates

Vulnerability-related events on projects, for example the New Vulnerability Discovered email, now support {vulnerability.<tag>} Custom Email Meta Tags.

Daily Start/Stop Testing Notifications on projects now support {project.<tag>} Custom Email Meta Tags.

All emails which support the {link} tag now also support {link.url}, which returns only the URL. This means you can use {link.url} inside custom buttons and anchors in your emails.

Updates to ReportGen

We have added a new function $percentage that can be used to calculate the percentage of two values.

We also updated $keys to support $keys[this] which can be used to iterate on any object and return each key/value pair in the object as an array.

15 April 2024

Project Test Case custom fields

Project test cases now support custom fields.

This opens up many possibilities, for example:

  • Capturing Red-Team and Blue-Team information on Purple-Team assessments

  • Filtering on additional test case sub-status

  • Persisting additional testing details

You can also now re-order your project test case view to personalize how you want your test cases to appear on different projects.

Soon you will be able to use the Self-Service APIs to import custom project test cases for dynamic and reactive testing, for example importing scanner policies for scans performed.

Defining a Purple-Team project

Start by adding a custom field to your project which will be referenced by your test cases and vulnerabilities.

This will show purple-team fields on test cases and vulnerabilities for only purple-team projects, without creating additional overheads for other assessments.

Defining your Red-Team custom fields on Test Cases

Define your red-team project test case custom fields in Administration → Projects → Test Cases → Form

  1. Create a Section for your red-team fields; this makes it easier to group your fields.

  2. Add a Hide Expression to ensure your red-team section and its related fields only show on project test cases for purple-team projects.

  3. Add Custom Field Access Controls to ensure that:

    • Red Teamers can View and Edit red-team fields;

    • Blue Teamers can only View red-team fields;

    • All others have no access to these fields.

Defining your Blue-Team custom fields on Test Cases

Define your blue-team project test case custom fields in Administration → Projects → Test Cases → Form

  1. Create a Section for your blue-team fields; this makes it easier to group your fields.

  2. Add a Hide Expression to ensure your blue-team section and its related fields only show on project test cases for purple-team projects.

  3. Add Custom Field Access Controls to ensure that:

    • Blue Teamers can View and Edit blue-team fields;

    • Red Teamers can only View blue-team fields;

    • All others have no access to these fields.

Defining your Red-Team custom fields on Vulnerabilities

Define your red-team vulnerability custom fields in Administration → Projects → Vulnerabilities → Form

Create a Section for your red-team fields; this makes it easier to group your fields.

Add a Hide Expression to ensure your red-team section and its related fields only show on vulnerabilities for purple-team projects.

Set your project as a Purple-Team project

When creating or editing a project, select Purple Team from the Testing Types custom field.

Complete Purple-Team project test case fields on purple-team projects

When working on a purple team assessment, you can now complete the purple-team fields on the project test cases.

Complete Purple-Team vulnerability fields on purple-team projects

When working on a purple team assessment, you can now complete the purple-team fields on the vulnerabilities.

Configuring sub-status on project test cases

Defining a sub-status on project test cases

Start by adding a custom field to your project test cases which will be used to capture the sub-status of a test case.

Track and manage sub-status on project test cases

When working on a project, you can now complete the relevant sub-status on project test cases.

You can also filter and sort your project test cases on sub-status.

Capturing additional information on project test cases

Defining additional information on project test cases

Start by adding custom fields to your project test cases which will be used to capture additional information relevant for your test cases.

Entering additional information on project test cases

When working on a project, you can now complete the relevant fields when working on project test cases.

New time-based custom email options

You can now configure custom time-based emails for Projects, Project Requests and Users - in addition to previously supported Vulnerabilities.

Some examples of custom time-based emails could include:

  • Notify vulnerability owners when vulnerabilities are 7-days from breaching SLAs

  • Notify remediation teams when vulnerabilities are 10-days from reaching Target Remediation Date

  • Notify security teams when vulnerabilities exceed SLAs

  • Notify project teams when projects have overrun

  • Notify project coordinators when project requests have not been actioned for some time

  • Notify users when their account will be locked out due to inactivity

Check Custom Time-Based Emails for more details.

Import vulnerabilities via JSON file

You can now import vulnerabilities directly from a JSON file.

This makes it easy to import vulnerabilities from any source, where the data can be formatted into JSON format.

A template is provided to help make this process easy, as well as details for required fields.

Rich-text custom fields now support images

The following rich-text custom fields now support display of images in-app and in-reports:

  • Project Requests

  • Vulnerabilities

  • Writeups

  • Project Test Cases

  • Test Suite Test Cases

Config change detection

Changes to configuration will now trigger all users to reload their app to retrieve the new configuration, at a time suitable for the user.

Custom field dates now support time picker

You can now enable capturing and display of time for your Datepicker custom fields.

This can be useful if you need to capture time, for example Execution Start Time and Execution End Time for Red-Team activities or for captured logs.

This option is configured using the Display Time setting on the Datepicker custom field.

Project Request information now available in reports

You can now add information from your linked Project Request into your reports.

First, start by enabling this option in Administration → Projects → Export Project as JSON → Project Request

Now in your reports, you can access the Project Request information using {projectRequest} for example:

{projectRequest.name} - {projectRequest.created}

Vulnerability imports now support Qualys Guard

You can now import vulnerabilities from Qualys Guard.

Reports now support email addresses for project team

You can now include email addresses for your project team members in your reports.

Start by enabling this option in Administration → Projects → Export Project as JSON → Team Member Email

You can print the emails of the team members in your report as follows:

{#data.testing_summary.project_team_details}
{first_name} {last_name} - {email}
{/}

ReportGen - $help now supports [scope] and [var]

You can now use {$help[scope]} and {$help[var]} in your report templates to show debugging and help information in your ReportGen browser console.

31 January 2024

Asset Libraries

You can now use Asset Libraries to manage your assets better!

Asset libraries will help you to:

  • Group and manage assets across different teams, technologies, products, customers, business units, networks or compliance;

  • Control who can see assets, and which assets they can see;

  • Manage who can create and modify assets;

  • Assign assets to many groups for better tracking and de-duplication;

You can view your asset libraries directly from the Assets module:

Take advantage of libraries when adding scope to a project:

Control which libraries get used when importing vulnerabilities:

Assign libraries when importing assets:

Asset libraries can be configured from the Administration module.

Assets can belong to one or more libraries, allowing access to or ownership of assets to be shared and reducing asset duplication.

Assets are unique to each library.

Asset libraries can have access controls to manage who can view or edit the assets.

Access controls can be applied to:

  • Application Roles

  • Groups

  • Users

Access to libraries can be assigned with either View or Edit privileges.

Users with View access to an asset library will be able to see the asset and any vulnerabilities to which that user has access via their projects.

Users with Edit access to an asset library will be able to create assets in that library and make changes to any asset in that library, including the ability to archive the asset or link additional asset libraries.

Bulk actions can be used to bulk (re)assign assets to libraries.

You can now also import assets from CSV and JSON formats – making it even easier to bring existing assets into AttackForge!

For more details, please visit https://support.attackforge.com/attackforge-enterprise/modules/assets

Portfolios Enhancements

You can now provide access to Portfolios and Streams for:

  • Your customers;

  • Your engineering teams and product owners;

  • Your security, risk and compliance teams;

  • Your business management and senior leadership;

  • Your external auditors and 3rd parties;

This makes it possible to have custom dashboards which are relevant and tailored to your stakeholders, which they can now access.

Access can be granted to the entire Portfolio, or to individual Streams. This enforces need-to-know.

Users will only see project, vulnerability and asset related data which is relevant to their existing projects.

Users will not be able to see project, vulnerability and asset data for which they do not already have access.

We have also enriched the data available for projects, vulnerabilities and assets.

Users can also configure their own table preferences to consume the data the way they prefer.

ReportGen v2.9

We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!

This release includes three (3) new functions; one (1) new style; and access to user profile data in reports!

You can use this new function to construct hyperlinks in your reports.

Hyperlinks can be built using data from your project (scope), manual creation or based on values from other variables.

For more information on how to use this function, visit this link.

This release introduces support for hyperlinks for rich-text fields. We have also released a new style which allows you to independently set the style for hyperlinks contained within the styled tags. You can apply this style to any of the {@..._styled} fields.

For more information on how to use this style, visit this link.

New Function: $comment

You can use this new function to include comments in your template which do not get shown in the report.

This can be useful to help with adding explanations and also debugging.

For more information on how to use this function, visit this link.

New Function: $multiply

You can use this new function to multiply a variable which has a numeric value.

For more information on how to use this function, visit this link.

User Profiles Now Available

You can now include user profile information in your reports for each team member on the project.

For examples how to include this information in your reports, visit this link.

Updated Testing Methodologies and Vulnerability Libraries

We have updated to the latest version of MITRE ATT&CK framework, which you can now easily import into your Test Suites.

  • MITRE ATT&CK Enterprise Version 14.1

  • MITRE ATT&CK Mobile Version 14.1

  • MITRE ATT&CK ICS Version 14.1

To get started, head over to https://github.com/AttackForge/TestSuites

Download the relevant methodologies and follow the guide to import them into your Test Suites.

We have also updated to the latest version of MITRE CWE and MITRE CAPEC, which you can now easily import into your Writeups.

  • MITRE CWE Version 4.13

  • MITRE CAPEC Version 3.9

To get started, head over to https://github.com/AttackForge/Writeups

Download the relevant vulnerability libraries and follow the guide to import them into your Writeups.

Report Locking

You can now control when reports are available for download on any given project.

This is particularly useful if you want to restrict your customers from generating reports until a point in time on the project, for example when testing is completed or when QA has finished.

When creating or updating a project, you can now configure the minimum Access Level required on the project in order to generate reports.

Custom Project Roles

You can now configure custom project roles which can be assigned to any project team member.

This is particularly useful if you want to create roles which align with your internal operating processes.

These roles can be reflected in emails, reports and in automations and integrations.

These roles are not used for access control.

You can manage the project roles from Administration -> Projects -> Fields -> Team Members.

Custom System Email Notifications

You can now configure and personalize every system email!

You can independently for each system email notification:

  • Enable or Disable the email notification;

  • Configure a custom Subject with HTML and {metatags} support

  • Configure a custom Body with HTML and {metatags} support

You can manage the email notifications from Administration -> Notifications.

For a full list of {metatags} supported – please visit this link.

Custom Report Names

You can now configure the custom report name for all of your downloaded reports.

This configuration option also supports {metatags}.

You can update your report name from Administration -> Reporting -> Report Name.

Manage User Roles via SSO Groups

For SSO users – you can now opt into managing application user roles via SSO groups.

This ensures that every time an SSO user logs in, their application user role will be automatically updated to match their expected role via the mappings.

This makes it easier for AttackForge Administrators managing tenants with hundreds or thousands of users.

It also helps to comply with internal policies for privileged access management.

You can opt into this setting from Administration -> Users -> Manage Application User Roles via SSO Groups.

UX Enhancements

Inline vulnerability view on tables

When viewing vulnerabilities in a table, you can now preview the vulnerability without having to navigate away.

To do so, click on the eye icon next to the vulnerability name.

Retest rounds now show on schedules

Retest rounds now have an optional end date and will now also show on your global and project schedules.

Rich-text fields now support an option to include hyperlinks. These hyperlinks will also automatically show in reports for any '_styled' fields.

Warnings to help prevent data loss

We have added warnings when you have data entered into a form and try navigating away, or when you try to close a popup window with data.

This UX improvement will help to prevent any accidental data loss on common user actions.

Wider, taller and draggable form fields

We have reviewed all forms within AttackForge and where needed we have made fields wider and taller.

We have also enabled rich-text fields to have a draggable, adjustable height.

Set custom error message for blocked accounts

You can now configure a custom error message for blocked accounts.

This is useful if you have company-specific instructions on the account reactivation process that you want to show blocked users.

Bulk add tags on grouped assets

You can now bulk add tags to grouped assets when working on vulnerabilities.

Bulk overwrite on vulnerabilities now supports mixed asset selections

You can now perform bulk overwrite actions on vulnerability selections with mixed asset types i.e. individual or grouped assets.

Hovering on project name shows full name

We made adjustments to show more information when hovering on data, including on the project name.

Linking Vulnerabilities to Test Cases

You can now link vulnerabilities to test cases directly from the test cases.

This makes it easier to fail test cases in bulk, and to show direct correlation between testing and findings.

Importing Vulnerabilities

We added support for Nuclei Scanner and Acunetix 360 when importing vulnerabilities on a project.

Updates to Self-Service API

We made updates to the Invite User To Project and Invite Users To Project Team RESTful API endpoints to include additional fields.

We also added support for Asset Libraries for all of the relevant RESTful APIs.

Video Tutorials

Introduction to AttackForge and On-Demand Trial Environments

We recently released a new trial service for AttackForge – https://try.attackforge.io – which allows people to deploy a dedicated, on-demand private tenant of AttackForge with just their email address. The entire process takes less than two minutes from signup to deployment!

We created a short video to demonstrate this process for deploying new trial environments, as well as a brief introduction to AttackForge.

This video might be useful to you if:

  • You need access to on-demand non-production AttackForge tenants for testing configuration, integrations or scripts;

  • You want to access the newest features in an environment that is already configured with optimal settings for the latest features;

  • You want your customers or users to get a preview for what the AttackForge application is about and key workflows, prior to interacting with your own AttackForge.

The video is available on YouTube:

Pentest Report Automation with AttackForge

We created a short video to demonstrate how to set up an automation for PDF report generation and delivery to customers.

This video might be useful to you if:

  • You need to send encrypted PDF reports to your customers via email and programmatically;

  • You are interested in exploring automations in AttackForge;

  • You are interested in how custom fields can be used to enforce custom workflows.

The video is available on YouTube:

Red Teaming with AttackForge

We created a short video to demonstrate how to do Red Teaming in AttackForge.

This video might be useful to you if:

  • You are considering starting to perform Red Team assessments in AttackForge;

  • You are already performing Red Teaming in AttackForge.

The video is available on YouTube:

Check YouTube for more tutorials: https://youtube.com/@attackforge