2024

5 July 2024

New Feature: Project Pages

We've introduced a new feature on projects - Pages - which can be used to create, group and manage custom content on your projects.

Pages are a dynamic way to interact with your project teams. Their content can also be used in reports and in the Self-Service APIs.

Here are some examples of how you can use Pages:

  • Create dedicated places for project teams to enter and track information

  • Provide additional options for teams to collaborate

  • Group content into topics

Each page comes with its own access controls to manage who can View, Upload or Edit content on the page.

For this first release, we have made a Summary page available. You can control which sections and fields can be created on this page. Some examples might include:

  • Customer Goals for the testing team, and Testing Team goals for the customer

  • Assumptions, Constraints and Limitations

  • Scope-related notes such as Out-of-Scope

We will be adding more pages in the future to provide even more flexibility on how you can use your projects.

Reporting Enhancements

We have extended the capabilities of the Reporting section on your project.

You can now create custom sections and custom fields to personalize your Reporting data to the project.

Some ideas for sections and fields you can now create:

  • Project Summary - including Executive Summary, Summary of Recommendations and Positive Security Observations

  • Testing Overview - including Background, Approach and Methodology

  • Document Control - including Author(s), Reviewer, Approver and Version History

Don't forget to try Hide Expressions on Custom Fields to tailor your Reporting to your project.

Check out the AttackForge ReportGen site on GitHub for details on how to add these fields to your reports.

Project Features

You can now personalize your project experience even further with Project Features.

Project Features are a new way to help you:

  • Control when Test Cases are viewable on a project, and by whom.

  • Determine if Retesting is needed, and who can have access.

  • Determine if Attack Chains are relevant, and who can have access.

  • Determine if Reporting is needed, and when Reporting section and downloadable reports are made available.

Every feature comes with access controls for better management of information and workflows.

Self-Service API Improvements

We made a number of improvements to our Self-Service APIs, namely:

  • New REST endpoint: Create Project Test Case

    • This endpoint can be used to create dynamic test cases on the project. For example, you could import all of the checks that your scanner performed to provide better, programmatic testing coverage.

  • Major updates to REST endpoints:

    • Update Test Case - we updated this API to provide the full suite of options when it comes to managing your project test cases. You can even insert custom fields on your test cases via the API!

    • Get Project Test Cases - we updated this API to provide more comprehensive information about the test cases, such as linked vulnerabilities, assignment to project scope, and assignment to tester.

  • Minor updates to REST endpoints:

    • Get Project, Get Projects, Get Projects and Vulnerabilities & Get Projects by Group - now supports project_scope_details

    • Create Vulnerability, Create Vulnerability Bulk, Create Vulnerability With Library - now supports linked_testcases

    • Update Vulnerability & Update Vulnerability With Library - now supports project_id and linked_testcases

    • Get Vulnerability, Get Vulnerabilities, Get Vulnerabilities by Group, Get Vulnerabilities by Asset, Get Project Vulnerabilities & Get Projects and Vulnerabilities - now supports vulnerability_testcases

Have you tried our Events API yet? It's perfect for real-time integrations with your scanners, ticketing tools, analytics and data lakes.

UX Improvements

We've added new email notification settings which can be configured to determine who gets notified when Project Requests are either created or updated. You can configure this from Administration -> Notifications -> Project Requests.

We've improved the experience after creating a Vulnerability or a Writeup. You now have options to create another, create and view or go straight to evidence upload.

We also improved the Administration module navigation experience to make it easier to find the configuration settings you need.

18 June 2024

Customize Vulnerability and Project Colors

You can now customize your vulnerability and project colors!

Personalize your AttackForge and make it your own. Tailor your color scheme to match your identity and messaging.

You can now change the following color options in the Administration module:

  • Vulnerability priorities

  • Vulnerability statuses

  • Project statuses

  • Project Request statuses

We've also lightened the status colors to blend in better with the rest of the application, and to keep the eyes focused on the most important messages on the page.

Assign Users and Groups to Manage Project Teams

You can now assign users and groups to be responsible for managing access to individual projects.

This can help you to:

  • Empower customers and engineering teams to provide access to the project and vulnerabilities on a needs basis.

  • Delegate project team management to persons better suited for the role.

  • Save time and effort on project team management.

When assigning a user or a group to manage access to the project, you can configure the following:

  • Access Level Limit: Set the highest level of access the user or group is allowed to assign to project team members.

  • Add User Method: Configure how project team members can be added - either by selecting an existing user from a drop-down list, or by entering in an email address.

  • Allow User Invite: Allow user to invite new persons to your AttackForge tenant.

Delegate User Management of Groups

You can now delegate management of your groups to other users and groups.

This can help you to:

  • Empower customers and engineering teams to manage stakeholder access to relevant projects and project requests.

  • Delegate security teams to manage groups on a needs basis.

  • Reduce the burden on application administrators.

When assigning a user or a group to manage access to the group, you can configure the following:

  • Project Access Level Limit: Set the highest level of access the user or group is allowed to assign for access to the group's projects.

  • Project Request Access Level Limit: Set the highest level of access the user or group is allowed to assign for access to the group's project requests.

  • Add User Method: Configure how group members can be added - either by selecting an existing user from a drop-down list, or by entering in an email address.

  • Allow User Invite: Allow user to invite new persons to your AttackForge tenant.

You can now also set None for group members' access to Projects and Project Requests.

Invite Users to Projects, Groups and AttackForge

You can now allow specific users or groups to invite other users to your AttackForge.

This makes it convenient to get access to the right people, quickly and without the need to involve application administrators.

This can help you to:

  • Empower customers to invite their engineering teams directly to the relevant projects or groups.

  • Delegate account managers to better manage their customer accounts.

  • Share vulnerability information faster, to help remediate vulnerabilities sooner.

When combined with the new project team and group membership administration options (above) - this feature provides full autonomy for user management!

SSO Improvements

We have now enabled support for two (2) independent identity providers (IdPs), each with its own unique configuration, including SSO User Role Mappings.

We have also added the option to disable Just-In-Time SSO user creation, helping to restrict access to AttackForge via SSO to only those users who have been invited.

ReportGen Enhancements

We have added support for additional project team member data in reports, namely About Me. See example below:

{#data.testing_summary.project_team_details}
{first_name} {last_name} ({role}) – {about_me}
{/}

We also added an extra option for Charts which can be configured to increase the y-axis on vertical bar charts. This can help to add some padding above the bars to improve the aesthetic of the chart.

21 May 2024

Secure Code Learning with SecDim

We're excited to be the first Pentest Management Platform to release a Secure Code Learning collaboration with SecDim - Dev-Native Attack & Defence Wargames.

With the power 💪 of SecDim and AttackForge, you can:

  • Explore a real vulnerability in a cloud native app. Debug and verify if your security patch can remediate the vulnerability

  • Train developers on how to fix vulnerabilities identified in their applications, during a pentest

  • Collaborate between engineers and security teams on how to best remediate vulnerabilities

  • Improve retesting pass rates for discovered vulnerabilities

  • Test your knowledge on how to fix common vulnerabilities and measure your effectiveness

Every Sandbox comes with a security test suite to simulate the exploitation of the vulnerability.

Sandboxes are integrated with git so you can save your progress and pick it up again where you left off.

SecDim's catalogue is extensive, covering everything from AI, GraphQL, React, Kubernetes, to Web3. You can test your skills against modern security vulnerabilities inspired by real-world issues.

Each sandbox is deployed in a secure isolated Cloud Development Environment directly in your browser. You can debug, patch and test your code as if you were building an app.

Start by learning more about this integration, and when ready - switch the integration on.

Search SecDim's catalogue of vulnerable sandboxes which you can link to your Writeups.

When you create a vulnerability on a project, users will be able to see the linked SecDim sandboxes and launch a sandbox to get started.

Auto-Add Groups to Project Requests

You can now automatically assign Groups to Project Requests when they get created by group members.

This means any custom access controls you have created on the group will take effect immediately.

This makes it easy to have dedicated teams of people who can work together to view, edit and approve project requests - without the involvement of Administrators or Project Coordinators.

UX Improvements

Now when you open and close the Info panels on Vulnerabilities, Project Test Cases and Reporting, this action will be remembered for the duration of your session. This means you can easily switch between pages and see the information you want with fewer clicks.

We added new Core Fields for Hide Expressions to provide more flexibility when it comes to controlling your forms.

We also improved the behaviour of how CVSSv3.1 scoring is used on vulnerabilities, including better support for Nessus.

SSAPI Enhancements

We have made the following enhancements to the Self-Service APIs:

  • Get Assets In Library now supports the Advanced Query filter

  • Create Vulnerability and Create Vulnerability With Library now support passing in Asset Library Ids.

  • Update Vulnerability and Update Vulnerability With Library now support updating the Affected Asset(s).

  • Get Project Report Data endpoint was created to allow programmatic creation of reports for selected vulnerabilities only.

ReportGen Improvements

We have improved ReportGen to make your reports even better!

  • $declare, $push and $assign Functions now support 'this' and 'this[number]'

  • $includes now supports Dictionaries

3 May 2024

New Project Request Access Controls

You can now configure custom access controls on Project Requests.

This means you can now:

  • Create multi-stage review and approval workflows for Project Requests, particularly when combined with custom field access controls.

  • Delegate additional persons or group members to View, Edit or Action selective Project Requests.

  • Improve efficiency when it comes to project scoping workflows.

To get started, as an Administrator or Project Coordinator - access the Settings on the Project Request:

You can assign access to application user Roles, Groups or individual Users.

Each access control can be assigned with View, Edit or Action:

  • View means the user will be able to view the Project Request, but not make any changes.

  • Edit means the user will be able to view and edit the Project Request, and upload any supporting files.

  • Action means the user will be able to view and edit the Project Request, upload any files, request more information, and reject and approve the Project Request. Approving the Project Request will result in creation of a new Project.

When assigning Group access to the Project Request, the group members can be assigned with View, Edit and Action. This will apply to the Project Requests linked to the Group.

Project Coordinators and Administrators will continue to have access to all Project Requests, along with any additional Roles or Users who have been delegated global privileges to Action all Project Requests.

Vulnerability Imports Now Support Multiple Files

You can now import multiple scan files in one import. This means you can now take advantage of Grouped Assets on vulnerabilities across multiple scans - making it easier to identify and track unique vulnerabilities on the project, and associate affected assets more easily.

Simply select multiple scan files when prompted to select a file.

We also made improvements to user feedback during parsing of vulnerabilities.

Bulk Action Retest Vulnerabilities

We have now made it easier to see all vulnerabilities associated with a retest, and perform bulk actions.

Create Reports on Pending Vulnerabilities

You can now create reports on pending vulnerabilities. This makes it easier to review vulnerabilities in your custom reports, before releasing them to customers.

Filterable Project Team Details

You can now view the entire project team and filter on team members more easily:

Email Updates

Vulnerability-related events on projects, for example New Vulnerability Discovered email, now support {vulnerability.<tag>} Custom Email Meta Tags

Daily Start/Stop Testing Notifications on projects now support {project.<tag>} Custom Email Meta Tags

All emails which support the {link} tag now also support {link.url}, which returns only the URL. This means you can use {link.url} inside custom buttons and anchors in your emails.

Updates to ReportGen

We have added a new function $percentage that can be used to calculate the percentage of two values.

We also updated $keys to support $keys[this] which can be used to iterate on any object and return each key/value pair in the object as an array.

15 April 2024

Project Test Case custom fields

Project test cases now support custom fields.

This opens up many possibilities, for example:

  • Capturing Red-Team and Blue-Team information on Purple-Team assessments

  • Filtering on additional test case sub-status

  • Persisting additional testing details

You can also now re-order your project test case view to personalize how you want your test cases to appear on different projects.

Soon you will be able to use the Self-Service APIs to import custom project test cases for dynamic and reactive testing, for example importing scanner policies for scans performed.

Defining a Purple-Team project

Start by adding a custom field to your project which will be referenced by your test cases and vulnerabilities.

This will show purple-team fields on test cases and vulnerabilities for only purple-team projects, without creating additional overheads for other assessments.

Defining your Red-Team custom fields on Test Cases

Define your red-team project test case custom fields in Administration → Projects → Test Cases → Form

  1. Create a Section for your red-team fields; this makes it easier to group your fields.

  2. Add a Hide Expression to ensure your red-team section and its related fields only show on project test cases for purple-team projects.

  3. Add Custom Field Access Controls to ensure that:

    • Red Teamers can View and Edit red-team fields;

    • Blue Teamers can only View red-team fields;

    • All others have no access to these fields.

Defining your Blue-Team custom fields on Test Cases

Define your blue-team project test case custom fields in Administration → Projects → Test Cases → Form

  1. Create a Section for your blue-team fields; this makes it easier to group your fields.

  2. Add a Hide Expression to ensure your blue-team section and its related fields only show on project test cases for purple-team projects.

  3. Add Custom Field Access Controls to ensure that:

    • Blue Teamers can View and Edit blue-team fields;

    • Red Teamers can only View blue-team fields;

    • All others have no access to these fields.

Defining your Red-Team custom fields on Vulnerabilities

Define your red-team vulnerability custom fields in Administration → Projects → Vulnerabilities → Form

Create a Section for your red-team fields; this makes it easier to group your fields.

Add a Hide Expression to ensure your red-team section and its related fields only show on vulnerabilities for purple-team projects.

Set your project as a Purple-Team project

When creating or editing a project, select Purple Team from the Testing Types custom field.

Complete Purple-Team project test case fields on purple-team projects

When working on a purple team assessment, you can now complete the purple-team fields on the project test cases.

Complete Purple-Team vulnerability fields on purple-team projects

When working on a purple team assessment, you can now complete the purple-team fields on the vulnerabilities.

Configuring sub-status on project test cases

Defining a sub-status on project test cases

Start by adding a custom field to your project test cases which will be used to capture the sub-status of a test case.

Track and manage sub-status on project test cases

When working on a project, you can now complete the relevant sub-status on project test cases.

You can also filter and sort your project test cases on sub-status.

Capturing additional information on project test cases

Defining additional information on project test cases

Start by adding custom fields to your project test cases which will be used to capture additional information relevant for your test cases.

Entering additional information on project test cases

When working on a project, you can now complete the relevant fields when working on project test cases.

New time-based custom email options

You can now configure custom time-based emails for Projects, Project Requests and Users - in addition to previously supported Vulnerabilities.

Some examples of custom time-based emails could include:

  • Notify vulnerability owners when vulnerabilities are 7-days from breaching SLAs

  • Notify remediation teams when vulnerabilities are 10-days from reaching Target Remediation Date

  • Notify security teams when vulnerabilities exceed SLAs

  • Notify project teams when projects have overrun

  • Notify project coordinators when project requests have not been actioned for some time

  • Notify users when their account will be locked out due to inactivity

Check Custom Time-Based Emails for more details.

Import vulnerabilities via JSON file

You can now import vulnerabilities directly from a JSON file.

This makes it easy to import vulnerabilities from any source, as long as the data can be formatted as JSON.

A template is provided to help make this process easy, as well as details for required fields.

Rich-text custom fields now support images

The following rich-text custom fields now support display of images in-app and in-reports:

  • Project Requests

  • Vulnerabilities

  • Writeups

  • Project Test Cases

  • Test Suite Test Cases

Config change detection

Changes to configuration will now trigger all users to reload their app to retrieve the new configuration, at a time suitable for the user.

Custom field dates now support time picker

You can now enable capturing and display of time for your Datepicker custom fields.

This can be useful if you need to capture time, for example Execution Start Time and Execution End Time for Red-Team activities or for captured logs.

This option can be configured using the Display Time option on the Datepicker custom field.

Project Request information now available in reports

You can now add information from your linked Project Request into your reports.

First, start by enabling this option in Administration → Projects → Export Project as JSON → Project Request

Now in your reports, you can access the Project Request information using {projectRequest} for example:

{projectRequest.name} - {projectRequest.created}

Vulnerability imports now support Qualys Guard

You can now import vulnerabilities from Qualys Guard.

Reports now support email addresses for project team

You can now include email addresses for your project team members in your reports.

Start by enabling this option in Administration → Projects → Export Project as JSON → Team Member Email

You can print the emails of the team members in your report as follows:

{#data.testing_summary.project_team_details}
{first_name} {last_name} - {email}
{/}

ReportGen - $help now supports [scope] and [var]

You can now use {$help[scope]} and {$help[var]} in your report templates to show debugging and help information in your ReportGen browser console.

31 January 2024

Asset Libraries

You can now use Asset Libraries to manage your assets better!

Asset libraries will help you to:

  • Group and manage assets across different teams, technologies, products, customers, business units, networks or compliance;

  • Control who can see assets, and which assets they can see;

  • Manage who can create and modify assets;

  • Assign assets to many groups for better tracking and de-duplication;

You can view your asset libraries directly from the Assets module:

Take advantage of libraries when adding scope to a project:

Control which libraries get used when importing vulnerabilities:

Assign libraries when importing assets:

Asset libraries can be configured from the Administration module.

Assets can belong to one or more libraries, allowing access to or ownership of assets to be shared and reducing asset duplication.

Assets are unique to each library.

Asset libraries can have access controls to manage who can view or edit the assets.

Access controls can be applied to:

  • Application Roles

  • Groups

  • Users

Access to libraries can be assigned with either View or Edit privileges.

Users with View access to an asset library will be able to see the asset and any vulnerabilities to which that user has access via their projects.

Users with Edit access to an asset library will be able to create assets in that library, and make changes to any asset in that library, including the ability to archive the asset or link additional asset libraries.

Bulk actions can be used to bulk (re)assign assets to libraries.

You can now also import assets from CSV and JSON formats – making it even easier to bring existing assets into AttackForge!

For more details, please visit https://support.attackforge.com/attackforge-enterprise/modules/assets

Portfolios Enhancements

You can now provide access to Portfolios and Streams for:

  • Your customers;

  • Your engineering teams and product owners;

  • Your security, risk and compliance teams;

  • Your business management and senior leadership;

  • Your external auditors and 3rd parties;

This makes it possible to have custom dashboards which are relevant and tailored to your stakeholders, which they can now access.

Access can be granted to the entire Portfolio, or to individual Streams. This enforces need-to-know.

Users will only see project, vulnerability and asset related data which is relevant to their existing projects.

Users will not be able to see project, vulnerability and asset data for which they do not already have access.

We have also enriched the data available for projects, vulnerabilities and assets.

Users can also configure their own table preferences to consume the data the way they prefer.

ReportGen v2.9

We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!

This release includes three (3) new functions; one (1) new style; and access to user profile data in reports!

You can use this new function to construct hyperlinks in your reports.

Hyperlinks can be built using data from your project (scope), manual creation or based on values from other variables.

For more information on how to use this function, visit this link.

This release introduces support for hyperlinks for rich-text fields. We have also released a new style which allows you to independently set the style for hyperlinks contained within the styled tags. You can apply this style to any of the {@..._styled} fields.

For more information on how to use this style, visit this link.

New Function: $comment

You can use this new function to include comments in your template which do not get shown in the report.

This can be useful to help with adding explanations and also debugging.

For more information on how to use this function, visit this link.

New Function: $multiply

You can use this new function to multiply a variable which has a numeric value.

For more information on how to use this function, visit this link.

User Profiles Now Available

You can now include user profile information in your reports for each team member on the project.

For examples how to include this information in your reports, visit this link.

Updated Testing Methodologies and Vulnerability Libraries

We have updated to the latest version of MITRE ATT&CK framework, which you can now easily import into your Test Suites.

  • MITRE ATT&CK Enterprise Version 14.1

  • MITRE ATT&CK Mobile Version 14.1

  • MITRE ATT&CK ICS Version 14.1

To get started, head over to https://github.com/AttackForge/TestSuites

Download the relevant methodologies and follow the guide to import them into your Test Suites.

We have also updated to the latest version of MITRE CWE and MITRE CAPEC, which you can now easily import into your Writeups.

  • MITRE CWE Version 4.13

  • MITRE CAPEC Version 3.9

To get started, head over to https://github.com/AttackForge/Writeups

Download the relevant vulnerability libraries and follow the guide to import them into your Writeups.

Report Locking

You can now control when reports are available for download on any given project.

This is particularly useful if you want to restrict your customers from generating reports until a point in time on the project, for example when testing is completed or when QA has finished.

When creating or updating a project, you can now configure the minimum Access Level required on the project in order to generate reports.

Custom Project Roles

You can now configure custom project roles which can be assigned to any project team member.

This is particularly useful if you want to create roles which align with your internal operating processes.

These roles can be reflected in emails, reports and in automations and integrations.

These roles are not used for access control.

You can manage the project roles from Administration -> Projects -> Fields -> Team Members.

Custom System Email Notifications

You can now configure and personalize every system email!

You can independently for each system email notification:

  • Enable or Disable the email notification;

  • Configure a custom Subject with HTML and {metatags} support

  • Configure a custom Body with HTML and {metatags} support

You can manage the email notifications from Administration -> Notifications.

For a full list of {metatags} supported – please visit this link.

Custom Report Names

You can now configure the custom report name for all of your downloaded reports.

This configuration option also supports {metatags}.

You can update your report name from Administration -> Reporting -> Report Name.

Manage User Roles via SSO Groups

For SSO users – you can now opt into managing application user roles via SSO groups.

This ensures that every time an SSO user logs in, their application user role will be automatically updated to match their expected role via the mappings.

This makes it easier for AttackForge Administrators managing tenants with hundreds or thousands of users.

It also helps to comply with internal policies for privileged access management.

You can opt into this setting from Administration -> Users -> Manage Application User Roles via SSO Groups.

UX Enhancements

Inline vulnerability view on tables

When viewing vulnerabilities in a table, you can now preview the vulnerability without having to navigate away.

To do so, click on the eye icon next to the vulnerability name.

Retest rounds now show on schedules

Retest rounds now have an optional end date and will now also show on your global and project schedules.

Rich-text fields now support an option to include hyperlinks. These hyperlinks will also automatically show in reports for any ‘_styled’ fields.

Warnings to help prevent data loss

We have added warnings when you have data entered into a form and try navigating away, or when you try to close a popup window with data.

This UX improvement will help to prevent any accidental data loss on common user actions.

Wider, taller and draggable form fields

We have reviewed all forms within AttackForge and where needed we have made fields wider and taller.

We have also enabled the ability for rich-text fields to have a draggable, adjustable height.

Set custom error message for blocked accounts

You can now configure a custom error message for blocked accounts.

This is useful if you have company-specific instructions on the account reactivation process that you want to show to blocked users.

Bulk add tags on grouped assets

You can now bulk add tags to grouped assets when working on vulnerabilities.

Bulk overwrite on vulnerabilities now supports mixed asset selections

You can now perform bulk overwrite actions on vulnerability selections with mixed asset types i.e. individual or grouped assets.

Hovering on project name shows full name

We made adjustments to show more information when hovering on data, including on the project name.

Linking Vulnerabilities to Test Cases

You can now link vulnerabilities to test cases directly from the test cases.

This makes it easier to fail test cases in bulk, and to show a direct correlation between testing and findings.

Importing Vulnerabilities

We added support for Nuclei Scanner and Acunetix 360 when importing vulnerabilities on a project.

Updates to Self-Service API

We made updates to the Invite User To Project and Invite Users To Project Team RESTful API endpoints to include additional fields.

We also added support for Asset Libraries for all of the relevant RESTful APIs.

Video Tutorials

Introduction to AttackForge and On-Demand Trial Environments

We recently released a new trial service for AttackForge – https://try.attackforge.io – which allows people to deploy a dedicated, on-demand private tenant of AttackForge with just their email address. The entire process takes less than two minutes from signup to deployment!

We created a short video to demonstrate this process for deploying new trial environments, as well as a brief introduction to AttackForge.

This video might be useful to you if:

  • You need access to on-demand non-production AttackForge tenants for testing configuration, integrations or scripts;

  • You want to access the newest features in an environment that is already configured with optimal settings for the latest features;

  • You want your customers or users to get a preview for what the AttackForge application is about and key workflows, prior to interacting with your own AttackForge.

The video is available on YouTube:

Pentest Report Automation with AttackForge

We created a short video to demonstrate how to set up an automation for PDF report generation and delivery to customers.

This video might be useful to you if:

  • You need to send encrypted PDF reports to your customers via email and programmatically;

  • You are interested in exploring automations in AttackForge;

  • You are interested in how custom fields can be used to enforce custom workflows.

The video is available on YouTube:

Red Teaming with AttackForge

We created a short video to demonstrate how to do Red Teaming in AttackForge.

This video might be useful to you if:

  • You are considering starting to perform Red Team assessments in AttackForge;

  • You are already performing Red Teaming in AttackForge.

The video is available on YouTube:

Check YouTube for more tutorials: https://youtube.com/@attackforge