Presenting AttackForge July 2022 Release!
Oh! Before I get carried away with what our engineers did – we launched a new product last week – AttackForge Core: Action Pack – the first (and the best) on-demand, dedicated-tenant pentest management platform. Core capabilities of AttackForge with minimal upfront commitment. Check it out here: https://attackforge.com/core.html. I will write a separate blog post about it!
Back to this release - we have delivered a lot over the past two months! Probably the longest post ever published on the AttackForge blog!
The focus has been on enhancing the features that made AttackForge so valuable for our customers.
We listen – and we deliver:
Advanced Email notification – extending the email notifications engine to support customisable content and sophisticated logic for remediation SLAs and regular status updates. These features save time for pentesting managers and remediation teams.
Enhancing the Test Suite module with the ability to set up a workspace for each test case – with execution flows, notes, and associated evidence. This makes bringing junior pentesters up to speed easier and less time consuming. It also helps when auditors ask for evidence of how security testing was performed.
New version of ReportGen – the best free penetration testing reporting engine – now with the ability to use your custom data to generate reports and more sophisticated reporting templates. BTW – we are going to present it at BlackHat in a few weeks.
Portfolios have custom fields now, just like Projects, Project Requests, Vulnerabilities, Libraries, etc.
Remediation SLAs can be manually re-applied
Asset vulnerabilities are now visible from Asset module
More data columns in tables and more customization for tables – projects, assets, vulnerabilities & library
More Self-Service API endpoints
And numerous user experience improvements across the entire product
Advanced Email notification
Timely discovery and remediation of vulnerabilities is one of the main reasons why businesses pay for pentesting. Another is compliance 😉
This release makes timely remediation simpler. We introduced time-based custom email notifications – extending the already robust notifications that come standard with AttackForge workflows.
Now you can generate custom notification emails based on our new rules-based engine, and schedule those emails on a daily or weekly recurring cycle.
Custom emails allow you to create your own workflows for reminders, escalations, or just regular reporting:
Automated reminders for vulnerabilities which are nearing or overdue on their SLAs or Remediation Plans – just in case people responsible for remediation need a little bit of a nudge 😉
Automated summary emails of vulnerabilities over defined periods, for example Critical Vulnerabilities in Past 72 Hours – so the relevant stakeholders are aware what is going on, and can plan accordingly
Automated notifications for vulnerabilities based on their custom tags or custom fields, for example Vulnerabilities Ready for QA in Past 24 Hours, or newly discovered vulnerabilities in Cardholder Data Environment
And many other use cases – the engine is highly configurable!
AttackForge supports twelve filters & functions you can use to filter the data set that is relevant to your custom email.
AttackForge also supports sixteen fields for vulnerabilities – helping you filter to the right data set that is relevant to your custom email.
The recipients of your custom emails can include twenty different audiences – helping to ensure the right people are informed, every time.
Every recipient will receive a personalized vulnerability list based on the vulnerabilities and projects to which they have access.
The data which can be inserted into your custom emails is extensive, with over sixty (60) metatags currently supported.
And emails can be sent at a particular time of the day 😊
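As an added illustration (not AttackForge's own code), the following Python models the SLA reminder rule described above: flag open vulnerabilities that are overdue or within a warning window of their SLA, then scope each recipient's list to the projects they can access. Project names, recipients, dates and the `access` mapping are constructed for the example.

```python
# Illustration (not AttackForge code) of a custom email rule: select
# vulnerabilities whose remediation SLA is nearing or overdue, then give each
# recipient only the items from projects they are permitted to see.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Vuln:
    vid: str
    project: str
    severity: str
    status: str
    sla_due: date          # remediation SLA deadline

def sla_bucket(v: Vuln, today: date, warn_days: int = 3) -> Optional[str]:
    """Classify an open vulnerability as 'overdue', 'nearing' or None."""
    if v.status == "Closed":
        return None                      # closed findings never trigger a reminder
    if v.sla_due < today:
        return "overdue"
    if v.sla_due <= today + timedelta(days=warn_days):
        return "nearing"
    return None

def build_digest(vulns: List[Vuln], access: Dict[str, Set[str]],
                 today: date, warn_days: int = 3) -> Dict[str, List[Tuple[str, Vuln]]]:
    """Return {recipient: [(bucket, vuln), ...]} limited to each recipient's projects.

    `access` maps a recipient to the set of project names they can see (constructed)."""
    flagged = [(b, v) for v in vulns if (b := sla_bucket(v, today, warn_days))]
    digest: Dict[str, List[Tuple[str, Vuln]]] = {}
    for who, projects in access.items():
        items = [(b, v) for b, v in flagged if v.project in projects]
        if items:  # recipients with nothing relevant get no email at all
            digest[who] = sorted(items, key=lambda bv: (bv[1].sla_due, bv[1].vid))
    return digest

# Constructed sample data: one run of the rule on 2022-07-15
TODAY = date(2022, 7, 15)
VULNS = [
    Vuln("V-1", "WebApp", "Critical", "Open", date(2022, 7, 10)),   # overdue
    Vuln("V-2", "WebApp", "High", "Open", date(2022, 7, 17)),       # nearing
    Vuln("V-3", "WebApp", "Medium", "Closed", date(2022, 7, 12)),   # closed, ignored
    Vuln("V-4", "Payments", "High", "Open", date(2022, 7, 16)),     # nearing
    Vuln("V-5", "Payments", "Low", "Open", date(2022, 8, 30)),      # outside window
]
ACCESS = {"webapp-team": {"WebApp"}, "ciso": {"WebApp", "Payments"}, "hr": {"HR"}}
```

Running `build_digest(VULNS, ACCESS, TODAY)` yields one list for webapp-team (V-1, V-2) and a wider one for the ciso (V-1, V-4, V-2), while hr receives nothing.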
Administrators can design custom emails from the Administration → Configuration → Custom Emails tab.
Please check our Support site for the full list of options and capabilities here:
https://support.attackforge.com/attackforge-enterprise/getting-started/custom-emails
Test Case Workspaces & Execution Flows
The ability to set up your methodologies using Test Suites and Test Cases was one of the first features that set AttackForge apart from mere reporting engines.
Now we are extending this module - Test Cases now have their own page with:
a dedicated test case workspace to capture notes and evidence; and
execution flows and steps to guide a tester through how to perform the test case.
This makes bringing new pentesters up to speed with your methodologies faster. It also helps keep those pesky auditors off your back.
Dedicated Workspaces
Every test case has its own dedicated workspace, where testers can document information and upload supporting files relating to the testing process.
Workspace notes are a great way to:
store evidence for how the test case was performed.
capture notes and observations during testing.
record information relating to the tested assets.
document conversations and events relevant to the test case; and
maintain relevant knowledge base for the team.
Every workspace note supports uploading supporting files.
There is one particular fact that should make pentesters like this feature - Test Case Workspace notes are only visible to other testers on the project 😉
Other Notes and Evidence components of AttackForge remain visible to non-pentesters and customers, and can be used for reporting.
Execution Flows
Each test case can have defined Execution Flows. These come in handy in many cases, such as:
Document steps and procedures guiding a person in how to perform the test case.
Document which tools should be used to perform the test case.
Document internal processes and procedures required by the test case; and
Provide links to external resources.
ReportGen v2.3 Released
We have just released version 2.3 for AttackForge ReportGen!
Pentest Report Template v2
We have introduced Pentest Report Template v2. As you may be aware, AttackForge ReportGen already comes with multiple templates. In this release we have added a new template for you to use.
It shows the next level of sophistication and power we have been building into ReportGen over the past 18 months, highlighting the possibilities available in ReportGen v2+.
This template contains the following capabilities you can also use in your reports:
Redesigned Executive Summary - new dual-column layout + extra tags + styled executive summary notes
Redesigned Testing Summary - new layout + extra tags for overview of testing progress
New Section 'Summary Findings' - color-coded tables with overview of all vulnerabilities
Custom AttackChain Images - use your own images in your attack chains. New placeholders are included
Redesigned Vulnerability Details - new dual-column layout + color-coded vulnerability headings + styled POCs with center-aligned images and italicized captions
Whitespace Reductions - reduced whitespace to make reports more practical and concise
Redesigned Test Cases - new dual-column layout + color-coded section headings
New Section 'OWASP Top 10 Mapping' - demonstrates power of Functions to create custom dynamic sections within your reports
Updated Vulnerability-to-Asset & Asset-to-Vulnerability Mappings - color-coded for easy consumption of data
Updated Table of Contents
{#projectCustomTags} & {#assetCustomTags} - utilize custom tagging to display new data in the report
New fonts & headings
DateFormat() filter - the filter has been applied to dates & times
You can download this new template from Templates section inside ReportGen.
We have also released an updated example JSON test data which can be used for creating templates.
Custom JSON Data Now Supported
This is our giving back to the community - you can now use ReportGen with custom JSON data and files! Yes – you do not need AttackForge anymore to use ReportGen to generate your reports.
In more technical terms from our brilliant engineering team - ReportGen now supports the {data} tag which provides access to the top-level array or object in your JSON file.
This tag provides direct access to the entire JSON file - providing support for custom data which is not included in a standard AF JSON project export file.
More information on our support site here: https://support.attackforge.com/release-notes/2022#all-reportgen-v2.3-released
New Style: AF Images
We have added support for a new style AF Images which can be used to create a custom style for images and their captions inserted via the {..._styled} tags.
This new style provides the ability to customise how your images and captions are displayed in your reports, for example in your executive summary or steps to reproduce.
To use this feature - create a new style inside Word with the name 'AF Images'. Then apply a format to this style.
When ReportGen builds your report, it will automatically use this style for your images and captions.
Project Vulnerability Links
You can now generate reports with links to your projects and vulnerabilities in AttackForge.
This helps the recipients of reports find the relevant items directly on your AttackForge tenant.
Other New Interesting Functionality
Portfolio custom fields
Custom fields are now available for Portfolios as well. You can configure portfolios the same way you already do for Project Requests, Projects, Vulnerabilities, Libraries, etc. You can also enable and disable the standard portfolio fields.
Administrators can modify the portfolio field settings from Administration → Configuration → Custom Fields – Portfolios.
Active Directory integration – options for Upload and Edit groups, and allowing group members to receive project notifications
When linking Active Directory groups to AttackForge groups, you can now specify which level of privileges will be assigned to the group member. Engineering or security teams could be automatically assigned the relevant permissions to the related AttackForge group’s projects.
Groups can also now receive project email communications. This can be configured when creating or editing the group settings.
Manually re-apply and delete vulnerability SLAs
Vulnerability SLAs can now be automatically or manually enabled per project.
Usually, SLAs will be automatically applied to any new vulnerabilities created or imported on your projects. However, you can opt out of applying SLAs automatically and instead apply them manually on selected vulnerabilities. This is useful if you want SLAs to be applied only under certain conditions, for example:
Apply SLAs only at the end of the project.
Apply SLAs only when the application team acknowledges the findings.
Apply SLAs only on certain projects, for example compliance/regulatory projects.
Apply SLAs only on certain vulnerabilities that require an SLA.
There is also the ability to bulk re-apply SLAs on vulnerabilities. This will remove the existing SLA on the vulnerability and replace it with a new SLA from the SLA ruleset. This can also be performed on an individual vulnerability.
View asset vulnerabilities in Assets module
Users can now view vulnerabilities for the assets they have access to from within the Assets module, by clicking on the name of the asset.
UX Improvements
As always – our customers send us feedback on the user experience with AttackForge. And we always listen. This release is no exception:
More data columns are available in data tables
More customization for Data Tables – projects, assets, vulnerabilities, and libraries.
We have enhanced the number of columns which are now available in the data tables, particularly relating to vulnerabilities.
This provides access to more data which can be used for filtering vulnerabilities, or as part of the CSV table export.
We have also combined this with new options to configure your tables and set your preferences for:
Default page size
Default Column to Sort On
Default Column Sort Order
Toggle columns which are displayed
Toggle column position/order in which they are displayed
Updates to Self-Service API – with every Release!
Integration with Enterprise ecosystem is the key to the success of our customers! In this release, we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.
New APIs:
New REST methods: GetPortfolio and GetPortfolios
New REST method: GetPortfolioStream
New REST method: GetVulnerabilityRevisionHistory
And even more new features… but this post is already well outside the usual size. Check our Release Notes for the full details.