New Release: July 2021
The last couple of months have been busy for us.
The biggest news is that we have welcomed our new UX/UI specialist – Varun Ramani!
So, it should not be surprising that our latest release has been focused on User Experience!
These UX improvements are direct results of our ongoing conversations with our users, and their feedback. We listen to you! This is how we improve AttackForge.
Simplified Project Creation workflow
A new project can be created in AttackForge either through Create Project or Request Project->Approve Request workflows. These two important workflows have been extended to allow seamless creation of the team that would work on that project. Now you can invite the entire team to the project, assign their roles, set up their notifications, as well as assign test suites to the relevant team members.
For each project team member, you can specify the following:
Access Level: Set the access level for the user on the project. This can be View, Upload or Edit.
Project Role: Set the user's project role on the project, such as pentester, customer, developer, etc.
Email Notifications: Set the email notifications that each user will receive on the project.
Assign to Test Suite: Assign the user to a test suite. The user will be assigned to each of the test cases loaded on the project for the nominated test suite.
This improvement streamlines the process of project creation and reduces the workload on project coordinators and administrators.
Introduction of User-Friendly Vulnerability IDs
Each vulnerability in AttackForge has its own ID. Previously these IDs were not exactly user friendly. Asking someone to remember a GUID is hardly a user-friendly task.
In this release, and indeed - by popular demand - our engineers introduced an alternative vulnerability code that is configurable and used to generate user-friendly unique vulnerability identifiers for all vulnerabilities on the project.
For example, if you choose to set the vulnerability code for a project as PRJ01, the first vulnerability created on the project will have a user-friendly unique identifier of PRJ01-1. The next vulnerability will be PRJ01-2, and so on.
You can update the vulnerability code on a project at any time, so long as it's a unique value (has not been used on any other projects) and is between three (3) to eight (8) characters in length.
When you update the vulnerability code on a project, all of the existing IDs for the project's vulnerabilities will also be updated to match.
This means that when engineers and pentesters are discussing a particular persistent vulnerability they can reference it by using something that can be pronounced on the phone and typed into an email (instead of cutting & pasting a guid).
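The rules above (a code of three to eight characters, unique across the tenant, with every existing ID following a code change) are small enough to model end to end. The following is an added example written for this post, not AttackForge code; it assumes an alphanumeric character set, case-insensitive uniqueness, and sequence numbers that are never reused, none of which the release notes specify.

```python
import re
import uuid

# Assumption: alphanumeric codes only; the release notes only fix the length (3 to 8 characters).
CODE_RE = re.compile(r"^[A-Z0-9]{3,8}$")


class VulnerabilityCodeError(ValueError):
    """Raised when a vulnerability code violates the length or uniqueness rules."""


class Tenant:
    """Holds every project so a code can be checked for tenant-wide uniqueness."""

    def __init__(self):
        self.projects = {}  # project name -> Project

    def create_project(self, name, code):
        project = Project(name, self)
        project.set_code(code)          # validated before the project is registered
        self.projects[name] = project
        return project

    def code_in_use(self, code, exclude=None):
        return any(p.code == code for p in self.projects.values() if p is not exclude)


class Project:
    def __init__(self, name, tenant):
        self.name = name
        self.tenant = tenant
        self.code = None
        self.sequence = {}   # internal GUID -> sequence number, assigned in creation order
        self.next_seq = 1    # assumption: never reused, so an ID always points at one vulnerability

    def set_code(self, code):
        code = code.strip().upper()  # assumption: codes are compared case-insensitively
        if not CODE_RE.match(code):
            raise VulnerabilityCodeError(f"code {code!r} must be 3 to 8 alphanumeric characters")
        if self.tenant.code_in_use(code, exclude=self):
            raise VulnerabilityCodeError(f"code {code!r} is already used by another project")
        # IDs are derived at read time, so every existing ID follows the new code automatically.
        self.code = code

    def add_vulnerability(self):
        guid = str(uuid.uuid4())     # the internal, non-friendly identifier
        self.sequence[guid] = self.next_seq
        self.next_seq += 1
        return guid, self.friendly_id(guid)

    def friendly_id(self, guid):
        return f"{self.code}-{self.sequence[guid]}"

    def friendly_ids(self):
        return [self.friendly_id(g) for g in sorted(self.sequence, key=self.sequence.get)]


def try_code(tenant, name, code):
    """Return None if the code is accepted, otherwise the validation message."""
    try:
        tenant.create_project(name, code)
        return None
    except VulnerabilityCodeError as exc:
        return str(exc)


if __name__ == "__main__":
    tenant = Tenant()
    web = tenant.create_project("web", "PRJ01")
    for _ in range(2):
        print(web.add_vulnerability()[1])   # PRJ01-1, PRJ01-2
    web.set_code("WEBAPP")
    print(web.friendly_ids())               # ['WEBAPP-1', 'WEBAPP-2']
    print(try_code(tenant, "api", "webapp"))  # rejected: already in use
```

Because the friendly ID is computed from the code and the stored sequence number rather than persisted, renaming the code needs no migration of existing records, and the GUID remains the stable key that references between systems should use.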
Email notifications are now configurable
AttackForge has extensive Project Team Notifications capabilities that are intended to keep the project team informed throughout the lifecycle of a project. For example, you can choose to be notified when testing has commenced or stopped daily, when new vulnerabilities are discovered, or when a project is put on-hold - plus much more.
The Project Team Notifications include the following:
No Emails - Under normal circumstances, you will not receive any email notifications for any project of which you are a team member.
All Emails - You will receive all enabled emails for all projects of which you are a team member.
Daily Start/Stop Testing - You will receive notifications each time a team member starts or stops testing each day, where this option is enabled on the project.
New Critical Vulnerability - You will receive notifications each time a team member discovers a new critical vulnerability, where this option is enabled on the project.
New High Vulnerability - You will receive notifications each time a team member discovers a new high vulnerability, where this option is enabled on the project.
New Medium Vulnerability - You will receive notifications each time a team member discovers a new medium vulnerability, where this option is enabled on the project.
New Low Vulnerability - You will receive notifications each time a team member discovers a new low vulnerability, where this option is enabled on the project.
New Informational Vulnerability - You will receive notifications each time a team member discovers a new informational vulnerability, where this option is enabled on the project.
Project Role Updated - You will receive notifications each time your role on a project has been updated, where this option is enabled on the project.
Project On-Hold/Off-Hold - You will receive notifications each time the project is placed on-hold or off-hold, where this option is enabled on the project.
Retest Completed - You will receive notifications each time a round of retesting has been completed, where this option is enabled on the project.
Change of Role - We have also introduced new email notifications when a user's role on a project is changed, and we now include their role on the project invitation email.
To receive these notifications, a user must be a member on a project team. In addition, project-level notifications must be enabled on the project. AttackForge administrators and project coordinators would configure this per user, per project.
Now a user can choose to opt out of project email notifications via the Notifications module. If you decide to disable certain types of email notifications, you will not receive them even when they are enabled for you on the project. You can (to a degree) control the project notifications you will receive. However, an administrator or project coordinator may decide to enforce some email notifications, for example when a new critical vulnerability is found and you should be made aware of it.
Email notifications now contain links. For example, the notification for a new vulnerability now contains a direct link to the actual vulnerability in AttackForge. If you have an active AttackForge session, clicking the link takes you directly to that vulnerability. If you do not have a session but your AttackForge tenant is configured for Single Sign-On, the link will also take you to the relevant page.
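The three layers described above (what the project enables for a user, what the user opts out of, and what an administrator enforces) combine into one effective set per user per project. The following is an added illustration of that precedence, written for this post rather than taken from AttackForge; it assumes that enforcement only overrides a user's opt-out and never turns on a type the project has not enabled.

```python
# The Project Team Notification types listed in the release notes.
ALL_TYPES = frozenset({
    "Daily Start/Stop Testing",
    "New Critical Vulnerability",
    "New High Vulnerability",
    "New Medium Vulnerability",
    "New Low Vulnerability",
    "New Informational Vulnerability",
    "Project Role Updated",
    "Project On-Hold/Off-Hold",
    "Retest Completed",
})

# Priority of a newly created vulnerability -> notification type it triggers.
NEW_VULN_EVENT = {
    "critical": "New Critical Vulnerability",
    "high": "New High Vulnerability",
    "medium": "New Medium Vulnerability",
    "low": "New Low Vulnerability",
    "informational": "New Informational Vulnerability",
}


def project_enabled(setting):
    """Translate the per-user project setting into the set of enabled types.

    `setting` is "No Emails", "All Emails", or an iterable of specific types.
    """
    if setting == "No Emails":
        return frozenset()
    if setting == "All Emails":
        return ALL_TYPES
    unknown = frozenset(setting) - ALL_TYPES
    if unknown:
        raise ValueError(f"unknown notification types: {sorted(unknown)}")
    return frozenset(setting)


def effective_notifications(setting, user_opt_out=(), enforced=()):
    """Types the user will actually receive for one project.

    Assumption: an enforced type cancels the user's opt-out but does not add a
    type the project never enabled for that user.
    """
    enabled = project_enabled(setting)
    suppressed = frozenset(user_opt_out) - frozenset(enforced)
    return enabled - suppressed


def should_notify_new_vulnerability(priority, setting, user_opt_out=(), enforced=()):
    """Decide whether a new vulnerability of the given priority emails this user."""
    event = NEW_VULN_EVENT[priority.lower()]
    return event in effective_notifications(setting, user_opt_out, enforced)


if __name__ == "__main__":
    opt_out = {"New Low Vulnerability", "New Critical Vulnerability"}
    enforced = {"New Critical Vulnerability"}
    print(should_notify_new_vulnerability("critical", "All Emails", opt_out, enforced))  # True
    print(should_notify_new_vulnerability("low", "All Emails", opt_out, enforced))       # False
```

Keeping the enforced set separate from the enabled set makes it easy to report, per user, exactly which notifications they cannot silence, which is what a coordinator needs when a team member asks why a critical-vulnerability email still arrived.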
New tenant configuration and customization options
AttackForge has a rich set of global tenant configuration options - allowing you to customize your workflows, access to features & user experience in general.
In this release, our engineering team have made these options available to AttackForge administrators in the interface - via the Administration module! That allows you to customize your tenant on-demand, when previously it would require raising a support request!
You can personalize your email templates, change workflows, introduce or remove fields in some forms, set default values, configure your security settings – and much more!
The list of supported configuration options is growing. You can see the current list on our support site: https://support.attackforge.com/attackforge-enterprise/configuration-options
At this point in time the following Configuration components are available from the Administration module in your AttackForge tenant:
Emails
Vulnerabilities
Projects
Reporting
Modules
Integrations
Users
Security
Miscellaneous
Progress Update Notifications
In the May 2021 release, we introduced a new Notifications module to provide dashboard-style email notifications to keep your teams informed. Every email notification is designed to provide important information relating to projects, vulnerabilities & user activity.
In this release, we have extended this feature to include Daily & Weekly Project Updates for project team members, as well as Daily & Weekly Admin Updates for administrators.
New information has been added to these emails such as Projects Overrun, Projects Completed, and more detailed information for each project. You can access Notifications via the global menu.
ReportGen Updates
Have we ever had a release without new capabilities added to the ReportGen? I don’t remember any. This release is no exception.
Here are the new capabilities added this time:
New Filter – Store
You can store custom data in arbitrarily defined tags using this filter. For example, we can create a new custom tag called 'AllVulns' and reference it, along with its data, later in the template.
This is useful if you are dynamically creating custom subsections/tables to reference in your report.
New Filter – FindVulns
You can use this filter to find a vulnerability based on a Title and Priority.
New Reporting Option - Remove Duplicate Proof-of-Concepts/Steps to Reproduce
This option can be set at the beginning of your template to remove duplicate Proof-of-Concepts/Steps to Reproduce for vulnerabilities which affected multiple assets, but with the same POC & Notes.
This option is useful to reduce duplicate entries where the POCs/Notes are the same, reducing report size and making it more useful to the reader.
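To make the effect of this option concrete, here is an added example (not ReportGen's implementation) that groups the affected assets of one vulnerability by identical Proof-of-Concept and Notes so that each distinct POC is written once with the list of assets it applies to. The sample vulnerability is constructed for the example, and the whitespace normalisation before comparison is an assumption about what "the same" means.

```python
from collections import OrderedDict


def _normalise(text):
    """Assumption: trailing whitespace and line-ending differences do not make a POC distinct."""
    return "\n".join(line.rstrip() for line in text.replace("\r\n", "\n").strip().splitlines())


def dedupe_proofs(affected_assets):
    """Collapse affected assets that share the same POC and Notes into one entry.

    Input: list of {"asset": name, "poc": str, "notes": str}, in report order.
    Output: list of {"poc", "notes", "assets"} with the first occurrence's text kept.
    """
    groups = OrderedDict()
    for entry in affected_assets:
        key = (_normalise(entry["poc"]), _normalise(entry["notes"]))
        group = groups.setdefault(key, {"poc": entry["poc"], "notes": entry["notes"], "assets": []})
        group["assets"].append(entry["asset"])
    return list(groups.values())


# Constructed sample: one vulnerability affecting three assets, two with identical POC and Notes.
SAMPLE_ASSETS = [
    {"asset": "web01.example.test", "poc": "GET /status HTTP/1.1\r\nHost: target\r\n",
     "notes": "Version banner disclosed in response headers."},
    {"asset": "web02.example.test", "poc": "GET /status HTTP/1.1\nHost: target\n",
     "notes": "Version banner disclosed in response headers.  "},
    {"asset": "api01.example.test", "poc": "GET /v1/health HTTP/1.1\nHost: target\n",
     "notes": "Different endpoint, same underlying issue."},
]


def render_sections(affected_assets):
    """Produce the report lines a template would emit after de-duplication."""
    lines = []
    for group in dedupe_proofs(affected_assets):
        lines.append("Affected assets: " + ", ".join(group["assets"]))
        lines.append("Proof of Concept:")
        lines.append(group["poc"].strip())
        lines.append("Notes: " + group["notes"].strip())
        lines.append("")
    return lines


if __name__ == "__main__":
    print("\n".join(render_sections(SAMPLE_ASSETS)))
```

The same grouping idea applies to the Remove Duplicate Evidence option: key the evidence items on a content hash instead of on the POC text, and keep the asset list per unique item.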
New Reporting Option - Remove Duplicate Evidence
Similar to the previous option, but for the removal of duplicate evidence.
New Metatags for #assetVulnerabilityMapping
There are quite a few of them, helping to build more flexible mapping between assets and vulnerabilities in ReportGen reports. Check the support site for the full list: https://support.attackforge.com/attackforge-enterprise/modules/reporting
Full release notes are here: https://support.attackforge.com/release-notes#2021-07-12
For those who managed to read this long post to the end – We are working on an exciting new project – AttackForge Citadel! Check this space soon…