January 2024 Release – starting the year with a BANG!
Hope everyone had a great break over the holiday season! The season continues with our engineers releasing a whole bunch of excellent new features!
This release is focused on Enterprise capabilities and includes updated industry best-practice methodologies and vulnerability writeups. Plus, the usual updates to AttackForge ReportGen.
So – here we go:
Asset Libraries
Group and Manage your assets using Asset libraries;
Access controls for your assets in Asset libraries;
Import assets using JSON and CSV formats;
Portfolios Enhancements
Portfolio module and analytics are now available for all users – with proper access controls;
Enriched data and personalization for vulnerabilities, projects and assets within Portfolios
Current MITRE ATT&CK Testing Methodologies and MITRE CWE and MITRE CAPEC Vulnerability Libraries are included in AttackForge
Improved report regeneration workflow – enforcing when reports can be generated on any given project
Manage AttackForge User Roles via SSO Groups
Updated ReportGen v2.9 – new functions and User profiles
Custom Project Roles
Custom System Email Notifications - configure and personalize every AttackForge email
Support for Nuclei Scanner and Acunetix 360 when importing vulnerabilities on a project.
UX Enhancements
Configurable report names for all of your downloaded reports.
Rich-text fields now support hyperlinks
Wider, taller and draggable form fields
Inline vulnerability view in tables
Retest rounds now show on schedules
System Warnings to help prevent data loss
Configure custom error message for blocked accounts
Bulk add tags on grouped assets
Bulk overwrite on vulnerabilities now supports mixed asset selections
Hovering on project name shows full name
New scanners supported - Nuclei Scanner and Acunetix 360
Updates to Self-Service API
And of course - AttackForge YouTube Channel has new Video Tutorials:
Introduction to AttackForge and On-Demand Trial Environments (more about it in the next blog post)
Pentest Report Automation with AttackForge
Red Teaming with AttackForge
Asset Libraries
Here, at AttackForge, we believe in listening to our customers. This is why we have so many great customers across every continent (except Antarctica).
We introduced the Assets module years ago – because customers needed it.
Now we have improved on that distinctive feature!
Enterprises are tracking and managing their Penetration Testing programs by tracking their digital Assets. And the best way of doing that efficiently is to have Assets grouped in Asset Libraries!
Asset libraries help to:
Group and manage assets across different teams, technologies, products, customers, business units, networks and compliance regimes;
Control who can see assets, and which assets they can see;
Manage who can create and modify assets - and in which library.
This release gives you access to your asset libraries directly from the Assets module:
You can take advantage of asset libraries when:
Adding scope to a project;
Controlling which libraries get used when importing vulnerabilities;
Assigning libraries when importing assets.
Each asset is unique but can belong to one or more libraries, allowing you to share access to, or ownership of, assets and reducing asset duplication.
Asset libraries are access controlled - to manage who can view, create or edit the assets.
Administrators can configure Asset libraries from the Administration module.
Portfolios Module Enhancements
Portfolios is one of the unique AttackForge features. If you have ever managed a big Enterprise pentesting program – and reported on it upstairs – you know how difficult it is to compare the security performance of different business units, teams or geographies. I remember the day when one of the poor souls in my team was assigned to analyse a few hundred pentesting reports to compare common vulnerabilities across divisions, so we would know where training needed to be targeted. The Portfolios module was created to make that (and many other tasks) easier!
And now – AttackForge extended access to this module to non-administrative users. And yes – admins can set up access control to make sure that only authorized users can get there.
Who can benefit from Portfolio module?
The answer is – quite a few different roles, depending on whether your organisation is an Enterprise, MSSP, or Consultancy:
Your customers. You can give access to Portfolios to your customers (internal or external) so they would be able to see how their businesses (or business units) are performing. As a reminder – AttackForge Enterprise comes with unlimited users.
Your engineering teams and product owners. They would also be able to analyse their own performance.
Your security, risk and compliance teams. Security teams do appreciate when their job is made easier.
Your business management and senior leadership.
Your external auditors and regulators.
The Portfolios module makes it possible to build custom dashboards that are relevant and tailored to your stakeholders, and which they can now access directly.
Access can be granted on a Need-To-Know basis – either to the entire Portfolio, or to individual Streams. Users will only see project, vulnerability and asset-related data which is relevant to their existing projects. Users will not be able to see project, vulnerability, and asset data for which they do not already have access.
And as usual - users can configure their own table preferences to consume the data the way they prefer.
Recent Testing Methodologies and Vulnerability Libraries
AttackForge comes with a comprehensive set of pre-loaded testing methodologies and writeup libraries – so our customers can start using it immediately.
This release updates these great libraries with the most recent versions from MITRE.
You can get these methodologies from AttackForge GitHub and import them into your AttackForge tenant:
MITRE ATT&CK Enterprise Version 14.1
MITRE ATT&CK Mobile Version 14.1
MITRE ATT&CK ICS Version 14.1
The same applies to writeups – update to the latest versions, MITRE CWE Version 4.13 and MITRE CAPEC Version 3.9, from https://github.com/AttackForge/Writeups.
You will find the guide on AttackForge GitHub – follow the guide and you shall have it!
Report Locking
AttackForge is built to be an interactive platform – to facilitate collaboration between security teams, engineers and business. Reporting is part of that.
This release improves the QA workflow by introducing the ability to control when reports are available for download on any given project. This is particularly useful if you want to restrict your customers from generating reports until a point in time on the project, for example when testing is completed or when QA has finished.
Also - you can now configure the minimum Access Level to the project required to generate reports.
Manage User Roles via SSO Groups
Single Sign-On is a must for Enterprises. AttackForge has extended SSO support by enabling comprehensive authorisation management using the Enterprise's own Identity and Access Management groups.
This ensures that every time an SSO user logs in, their application user role is automatically updated to match the role expected from the configured group mappings.
This feature further integrates AttackForge Enterprise into the Enterprise security ecosystem and reduces the load on AttackForge administrators!
It also helps to comply with internal access management policies.
You can opt into this setting from Administration->Users->Management Application User Roles via SSO Groups.
ReportGen v2.9
Another massive update for AttackForge ReportGen - the ultimate pentest reporting tool!
User Profiles Now Available
You can now include user profile information in your reports for each team member on the project.
For examples of how to include this information in your reports, visit this link.
New Function: $hyperlink
You can use this new function to construct hyperlinks in your reports.
Hyperlinks can be built from project data (for example, scope), created manually, or based on values from other variables.
For more information on how to use this function, visit this link.
New Style: hyperlink_style
This release introduces support for hyperlinks for rich-text fields. We have also released a new style which allows you to independently set the style for hyperlinks contained within the styled tags. You can apply this style to any of the {@..._styled} fields.
For more information on how to use this style, visit this link.
New Function: $comment
You can use this new function to include comments in your template which do not get shown in the report. This can be useful to help with adding explanations and also debugging.
For more information on how to use this function, visit this link.
New Function: $multiply
You can use this new function to multiply a variable which has a numeric value.
For more information on how to use this function, visit this link.
Custom Project Roles
Say goodbye to pre-set user roles! You can now configure custom project roles which can be assigned to any project team member.
This is particularly useful when you need to align project roles with your organisation's internal operating processes. These roles can be reflected in AttackForge emails and reports – as well as in automations and integrations with other parts of your Enterprise ecosystem.
You can manage the project roles from Administration->Projects->Fields->Team Members.
Please note - these roles are not used for access control.
Custom System Email Notifications
AttackForge introduced custom email notifications years ago – now this functionality is available for AttackForge system emails!
For each system email notification, you can independently:
Enable or Disable the email notification;
Configure a custom Subject with HTML and {metatags} support
Configure a custom Body with HTML and {metatags} support
For a full list of {metatags} supported – please visit this link.
You can manage the email notifications from Administration->Notifications.
This blog post is getting too long! UX Enhancements alone would take a few pages… But they are great – so keep reading!
UX Enhancements
Inline vulnerability view on tables
When viewing vulnerabilities in a table, you can now preview the vulnerability without having to navigate away. To do so, click on the eye icon next to the vulnerability name.
Retest rounds now shown on schedules
Retest rounds now have an optional end date and will be shown on your schedules.
Rich-text fields now support hyperlinks
Rich-text fields now support the option to include hyperlinks. These hyperlinks will also automatically show in reports for any ‘_styled’ fields.
Warnings to help prevent data loss
We have added warnings when you have data entered into a form and try navigating away, or when you try to close a popup window with data.
Wider, taller and draggable form fields
We have reviewed all forms within AttackForge and, where needed, we have made fields wider and taller. We have also enabled rich-text fields to have a draggable, adjustable height.
Set custom error message for blocked accounts
You can now configure a custom error message for blocked accounts. This is useful if you have company-specific instructions on the account reactivation process that you want to show blocked users.
Bulk add tags on grouped assets
You can now bulk add tags to grouped assets when working on vulnerabilities.
Bulk overwrite on vulnerabilities now supports mixed asset selections
You can now perform bulk overwrite actions on vulnerability selections with mixed asset types, i.e. individual or grouped assets.
Hovering on project name shows full name
We made adjustments to show more information when hovering on data, including on the project name.
Linking Vulnerabilities to Test Cases
You can now link vulnerabilities to test cases directly from the test cases.
This makes it easier to fail test cases in bulk, and to show a direct correlation between testing and findings.
Full details on this release can be found in our Release Notes.