April 2023 Release is out!
This is the first release since AttackForge V2 launched in January. Did our engineers slow down after V2?
No! This is another huge release, filled to the brim with features!
Here are some of them:
Significant extension of Custom Fields capabilities
Custom fields added to Test Cases.
Ability to restrict access to custom fields: administrators can now choose which users have access to which custom fields.
New types of custom fields – Table, Rich-Text, User and Group.
Rich-text information messages for custom fields.
Improved re-ordering for custom fields.
Ability to restrict access to reporting templates: administrators can now set who can access which reporting templates.
Preset mapping rules for imported vulnerabilities.
Vulnerabilities could be linked between different projects.
Reports can be created against a hand-picked subset of vulnerabilities.
Update to Qualys parser – to support the new format.
ReportGen updated to v2.6.
New Configuration settings.
Updates to Self-Service API.
Multiple User Experience improvements.
Extension of Custom Fields capabilities
We have observed that our customers, especially Enterprise customers, have very specific requirements for the information they collect. AttackForge lets them configure their tenants to satisfy those requirements, and the Custom Fields capability is one of the most important parts of achieving that.
This April Release introduces Custom Fields to Test Cases.
This was the last major component without custom fields. Customers can now configure Test Cases to reflect the structure of their own pentesting methodologies, and may also find uses for test suites and test cases beyond security testing.
Ability to restrict access to custom fields.
Administrators can now restrict access to custom fields based on user roles, user ids and groups, so a field can be visible only to users with a specific role, id or group membership and hidden from everyone else.
Just think about it!
Now you can:
Create custom project request forms for different business units, customers, teams and even individual users.
Set up tailored forms for your pentest-as-a-service (PTaaS) to match your customers’ needs or subscription-levels.
Set up custom project fields visible for admins only, or for pentesters only – without your customers seeing them.
These could be project budgets, administrators' notes or fields that manage external integrations, where confidentiality and access control matter. They could also be project-level information that only your project coordinators or pentesters need to know.
Define custom vulnerability and writeup fields for different pentest teams.
Create personalized vulnerability and writeup forms for infrastructure teams, application teams, remediation teams, etc.
Configure custom vulnerability and writeup fields for different business units, engineering teams or customers (if your organisation is a consultancy).
You can control what vulnerability information is shared with which customers or teams.
Assign custom asset and portfolio fields for different customers.
That allows administrators to configure information that is only relevant to specific customers' assets or portfolios.
And of course, access control on custom fields is also enforced when the Self-Service API is used, so a field hidden in the portal is not exposed through the API either.
Because configuring custom field access can get complex, our engineers added the ability to preview exactly what a given user can see using the 'view-as' feature.
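The following is an added example, not AttackForge code, of the access control model this section describes: a field is restricted by role, user id and/or group, a viewer passes if any criterion matches, and one decision function serves the portal, the API serialiser and the 'view-as' preview so the three can never disagree. The roles, the sample project and its policies are constructed for illustration.

```python
"""Field-level access control for custom fields.

Added illustration of restricting a field by role, user id or group, with
one enforcement path shared by the portal UI, the API and the 'view-as'
preview. This is not AttackForge code; the data structures, roles and the
sample project below are assumptions.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Viewer:
    user_id: str
    role: str                                  # assumed roles: admin, pentester, customer
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class FieldPolicy:
    """Who may see one custom field. A viewer passes if ANY criterion
    matches; a policy with no criteria at all means the field is public."""
    roles: frozenset = frozenset()
    user_ids: frozenset = frozenset()
    groups: frozenset = frozenset()

    def is_restricted(self) -> bool:
        return bool(self.roles or self.user_ids or self.groups)

    def allows(self, viewer: Viewer) -> bool:
        if not self.is_restricted():
            return True
        return (viewer.role in self.roles
                or viewer.user_id in self.user_ids
                or not viewer.groups.isdisjoint(self.groups))


def visible_fields(record: dict, policies: dict, viewer: Viewer) -> dict:
    """Single policy decision point: every consumer (UI, API, report export)
    serialises through here, so a field hidden in the portal cannot leak
    through the API. Fields without a policy entry are unrestricted."""
    return {name: value for name, value in record.items()
            if policies.get(name, FieldPolicy()).allows(viewer)}


def api_serialize(record: dict, policies: dict, viewer: Viewer) -> str:
    """What a (hypothetical) API endpoint would return to this viewer."""
    return json.dumps(visible_fields(record, policies, viewer), sort_keys=True)


def preview_as(admin: Viewer, target: Viewer, record: dict, policies: dict) -> dict:
    """'View-as': an administrator previews the target's view. Reusing the
    same decision function guarantees the preview matches reality."""
    if admin.role != "admin":
        raise PermissionError("only administrators may preview as another user")
    return visible_fields(record, policies, target)


# Constructed sample project with custom fields (not real data).
PROJECT = {
    "name": "Acme web app pentest",
    "budget_usd": 42000,
    "admin_notes": "contract renewal due Q3",
    "pentester_notes": "staging credentials are held in the team vault",
    "customer_contact": "ciso@acme.example",
}

POLICIES = {
    "budget_usd": FieldPolicy(roles=frozenset({"admin"})),
    "admin_notes": FieldPolicy(roles=frozenset({"admin"})),
    "pentester_notes": FieldPolicy(roles=frozenset({"admin", "pentester"})),
    "customer_contact": FieldPolicy(roles=frozenset({"admin"}),
                                    groups=frozenset({"acme-customers"})),
    # "name" has no entry, so it is visible to everyone.
}

ADMIN = Viewer("u-admin", "admin")
TESTER = Viewer("u-tester", "pentester")
ACME_CUSTOMER = Viewer("u-acme", "customer", frozenset({"acme-customers"}))
GLOBEX_CUSTOMER = Viewer("u-globex", "customer", frozenset({"globex-customers"}))

if __name__ == "__main__":
    for who in (ADMIN, TESTER, ACME_CUSTOMER, GLOBEX_CUSTOMER):
        print(who.user_id, "->", sorted(visible_fields(PROJECT, POLICIES, who)))
    print("preview as acme:", preview_as(ADMIN, ACME_CUSTOMER, PROJECT, POLICIES))
```

The point to check in any such configuration is the one the 'view-as' preview exists for: the Globex customer must end up seeing only the unrestricted field, and the budget must be absent from the API response for any non-admin, not merely hidden in the page.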
New custom field types
New types of custom fields are now available:
Table
Rich-text
User(s)
Group(s)
Many customers asked for table and rich-text custom fields, as well as the ability to record specific users and groups in custom fields. Now you can capture this information on projects, vulnerabilities, assets, writeups, portfolios and test cases in ways never seen before in AttackForge.
Imagine: you can now create rich-text custom fields to capture more information on your vulnerabilities and render them beautifully in your reports. Or say you're doing a configuration review and need to import tabular data into AttackForge to present in the portal and in your reports; now you can do that!
Combine these new custom field types with access controls on custom fields, and this information is available only to people with a need to know.
Custom workflow using Custom fields
This new functionality enables our customers to build new workflows.
For example, custom fields with access control allow you to create Peer Review and Tech Review fields on your vulnerabilities, assign users accordingly, and so introduce a custom review workflow. Another workflow could be built around vulnerability ownership and its associated activities. All of this is now possible.
User custom fields support single-select and multi-select, for cases when either one or many users can be assigned.
For example, you may want to associate a particular group with a vulnerability, if this group is tasked with responsibility to fix it.
Re-Ordering of Custom Fields
Re-ordering custom fields used to be a pain. This release, building on the V2 UI, lets administrators reorder custom fields using drag-and-drop or the up and down buttons. This makes it easy and efficient to set up your forms the way you need them to look!
Access controls on reporting templates
AttackForge encourages organisations to let end users generate reports themselves from the templates the organisation provides. Still, our customers want to restrict access to templates based on a user's role, group membership and user id, and this is completely justified:
Separate reports may be needed for executive team, security team, or for engineering teams.
Different business units may not want to have their templates shared with other units.
MSSP and consulting customers require different templates for different clients.
Configure presets for custom import mapping rules
You can now configure custom rules for your pentesters to use when importing vulnerabilities.
These rules act as dynamic custom parser actions, telling AttackForge how to map an imported vulnerability to the correct entry in the writeups library.
It's a great timesaver, and even more efficient now that you can save predefined rules and let your pentesters choose the relevant rule (and extend upon it) when importing.
Custom rules are configured by administrators in the Vulnerabilities section of the Administration module.
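As an added example (not AttackForge code, and not its rule syntax), here is how a preset of mapping rules can be evaluated against scanner findings: an administrator-defined preset is tried after any per-import rules the pentester adds, the first matching rule wins, and findings that nothing matches are handed back for manual triage rather than silently given a default writeup. Tool names, plugin ids, titles and writeup identifiers are all constructed.

```python
"""Preset mapping rules for vulnerability import.

Added illustration of rule-based mapping from scanner findings to
writeup-library entries, with an administrator preset that a pentester
extends per import. Not AttackForge code: the rule shape, tool names,
plugin ids, titles and writeup identifiers are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MappingRule:
    writeup: str                          # target entry in the writeups library
    tool: Optional[str] = None            # restrict to findings from one tool
    plugin_id: Optional[str] = None       # exact scanner plugin / QID match
    title_pattern: Optional[str] = None   # case-insensitive regex over the title

    def __post_init__(self):
        # A rule with no criteria would match every finding and silently
        # mislabel the whole import, so reject it at configuration time.
        if not (self.tool or self.plugin_id or self.title_pattern):
            raise ValueError(f"rule for {self.writeup!r} has no match criteria")

    def matches(self, finding: dict) -> bool:
        if self.tool and finding.get("tool") != self.tool:
            return False
        if self.plugin_id and finding.get("plugin_id") != self.plugin_id:
            return False
        if self.title_pattern and not re.search(
                self.title_pattern, finding.get("title", ""), re.IGNORECASE):
            return False
        return True


def map_findings(findings, preset, overrides=()):
    """Per-import overrides are tried before the preset; first match wins.
    Findings no rule matches are returned separately for manual triage
    instead of being dropped or given a default writeup."""
    rules = list(overrides) + list(preset)
    mapped, unmapped = [], []
    for finding in findings:
        for rule in rules:
            if rule.matches(finding):
                mapped.append((finding, rule.writeup))
                break
        else:
            unmapped.append(finding)
    return mapped, unmapped


# Administrator-defined preset (constructed).
PRESET = (
    MappingRule("WRITEUP-TLS-LEGACY", tool="Qualys", plugin_id="Q-1001"),
    MappingRule("WRITEUP-TLS-LEGACY", title_pattern=r"\bTLS ?1\.[01]\b"),
    MappingRule("WRITEUP-COOKIE-FLAGS", title_pattern=r"cookie.*(secure|httponly)"),
)

# Rule the pentester adds for this one import (constructed).
IMPORT_OVERRIDES = (
    MappingRule("WRITEUP-VERSION-DISCLOSURE", title_pattern=r"version disclosure"),
)

# Constructed scanner output; the plugin ids are not real.
FINDINGS = [
    {"tool": "Qualys", "plugin_id": "Q-1001", "title": "Deprecated TLS protocol versions enabled"},
    {"tool": "Nessus", "plugin_id": "N-2002", "title": "TLS 1.0 Protocol Detection"},
    {"tool": "Burp", "plugin_id": "B-3003", "title": "Cookie without Secure flag set"},
    {"tool": "Nessus", "plugin_id": "N-2004", "title": "Apache HTTP Server version disclosure"},
    {"tool": "Nessus", "plugin_id": "N-2005", "title": "Unsupported Web Server Detection"},
]

if __name__ == "__main__":
    mapped, unmapped = map_findings(FINDINGS, PRESET, IMPORT_OVERRIDES)
    for finding, writeup in mapped:
        print(f"{finding['plugin_id']:7} -> {writeup}")
    print("needs manual triage:", [f["plugin_id"] for f in unmapped])
```

Two design choices matter here for a practitioner: rule order is the precedence, so the pentester's per-import rules must be evaluated before the preset or they can never override it; and a catch-all rule is rejected at creation, because a rule that matches everything turns a timesaver into a batch of wrongly classified findings.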
ReportGen v2.6
A lot of new features in our free reporting tool! If it wasn't already the best reporting tool out there, this release has just sent it to the top spot!
New Pentest Report Template v3.
You now have another example of how to use AttackForge ReportGen to get the most out of it. This template is a showcase for the capabilities added in recent months.
The new Pentest Report Template v3 includes:
Logic for a multi-phase project such as Web App Pentest + Infrastructure.
Redesigned Executive Summary, using custom Charts.
Redesigned Summary Findings.
Redesigned Vulnerability Details with more information and enhancements.
Redesigned Test Cases Details.
Introducing Charts
The most visually exciting addition is support for charts. You can add different types of charts to your reports:
Vertical Bar Charts
Horizontal Bar Charts
Pie Charts
Donut Charts
Charts work with any data. You can create charts for your vulnerabilities, exec summary, test cases, attack chains or even categorize your data. Charts also support Scope and Variables.
Every chart comes with configuration options (e.g. colors, font sizes, spacing, etc.) so you can configure and style the chart to your preferences.
Four new functions, three new filters, new options, new styles, new variables and updates to existing filters and functions add even more power to your reports!
Link vulnerabilities between projects
You can now link vulnerabilities from one project to another.
This is useful when one vulnerability (or a set of vulnerabilities) genuinely affects multiple projects, and you want analytics to reflect that and updates to be applied automatically across those projects.
Linking vulnerabilities does not duplicate/clone the vulnerability, therefore your dashboards and analytics will be preserved.
Any change to a linked vulnerability, for example setting it to Closed, is applied to every project it is linked to.
This makes it easy to fix it in one place and have the result propagate everywhere.
However, if you have multiple distinct vulnerabilities of the same nature, AttackForge advises creating a clone of the vulnerability using the duplicate vulnerability feature instead.
Updates to Self-Service API
Endpoints have been updated (while maintaining backward compatibility!) to reflect the changes to custom fields, so the new types of custom fields are supported by the relevant endpoints.
The Self-Service API has also been updated:
To improve the ability to import historical vulnerabilities when migrating to AttackForge from other systems 😉 (we have had quite a few customers with that requirement recently).
To support advanced queries on the GetVulnerabilityLibraryWriteups REST endpoint.
The GetGroups and GetProjectReport endpoints are also updated.
Other Functionality
There are now so many Self-Service API endpoints that our engineers grouped them and added the ability to search them.
Pentesters can filter vulnerabilities by tags when importing from external tools.
Improved error handling for JIRA exports.
New parser for new Qualys format.
User Experience improvements across the entire product. A big Thank You goes to our customers for their feedback!
And many more – check the Release notes for the full list!