May 2024 Release – Another Release – yet another set of excellent features – and no hyped BS!

As seasons change – AttackForge’s brilliant engineering team continues to release new great capabilities!

 

This release has two great parts.

 

Part I – a groundbreaking integration and a new set of features.

What is groundbreaking in another integration? Actually – this is the first ever integration between a Pentesting Management Platform and a Security Learning platform. I will have a separate blog post about it later this week.

 

Part II – the usual extensive list of new features.

Here we go in no particular order:

  • Project Test Case Custom Fields – enabling true Purple-Teaming

    • Capturing Red-Team and Blue-Team specific information on Purple-Team assessments.

    • Filtering on additional test case sub-status.

    • Persisting additional testing details.

  • Project Request workflow great improvements

    • New features allow for multi-staged QA and approval for project requests – making sure you can implement your enterprise approval process within AttackForge.

    • You can now automatically assign project requests to access control groups (means less work for you).

    • Improve efficiency when it comes to project scoping workflows.

  • New Time-Based custom email notification options

    • New triggers for notification emails to vulnerability owners, remediation teams, security teams

  • Import Vulnerabilities now supports

    • JSON format

    • Qualys Guard

    • Multiple files support.

  • UX Enhancements

    • Easy filtering in Project Team Details

    • Time-picker type is available as a Custom Field

  • Reporting

    • Pending vulnerabilities can now be part of reports as well.

    • New functions added to ReportGen.

  • Updates to Self-Service API

  • ReportGen update – new functions and other capabilities.

Secure Code Learning with SecDim

AttackForge introduces the first ever Pentest Management Platform to include a Secure Code Learning collaboration. AttackForge now integrates with SecDim - Dev-Native Attack & Defence Wargames.

Secure coding training for developers is a given these days. And it is great! SecDim integration brings learning right into the context of real vulnerabilities. Not an annual training, not a generic course – “Engineer sees the vulnerability found by pentesters – and learns what it is and how to fix it right there – without losing the context.” As I mentioned – there will be another blog post about it later. If you want more details – check out our Press Release:

Or – deploy an AttackForge trial on demand (https://try.attackforge.io/) and see it for yourself.

Project Test Case Great Improvements

Project test cases now support custom fields. Sounds simple, doesn’t it?

This opens huge possibilities:

Purple Team assessments

Custom fields enable you to fully plan and run Purple Team assessments.

  • Capturing your Red-Team and Blue-Team specific flows and information on Purple Team assessments

  • Filtering on additional test case sub-status

  • Persisting additional testing details

You can also now re-order your project test case view to personalize how you want your test cases to appear on different projects. 

Soon you will be able to use the Self-Service APIs to import custom project test cases for dynamic and reactive testing, for example importing scanner policies for scans performed.

Please check the following videos to see how this feature works:

Also check this link for more information: https://support.attackforge.com/release-notes/2024#project-test-case-custom-fields

New Project Request Access Controls

Again – sounds simple. The result is that AttackForge users can now:

  • Build a multi-staged QA and approval process for project requests.

  • Delegate specific users View, Edit or Action rights to specific Project Requests.

  • Improve efficiency when it comes to project scoping workflows.

To get started, as an Administrator or Project Coordinator you access the Settings on the Project Request. You can assign access to application user Roles, Groups, or individual Users.

Each access control can be assigned with View, Edit or Action.

You can also assign access to Project Requests at the Group level: group members can be assigned View, Edit and Action. This applies to the Project Requests linked to the Group.

Project Coordinators and Administrators will continue to have access to all Project Requests, along with any additional Roles or Users who have been delegated global privileges to Action all Project Requests.

Please check the following videos to see how this feature works:

New Time-Based Custom Email Options

You can now configure custom time-based notification emails for Projects, Project Requests and Users - in addition to previously supported Vulnerabilities.

Some examples of custom time-based emails could include:

  • Notify vulnerability owners when vulnerabilities are 7-days from breaching SLAs

  • Notify remediation teams when vulnerabilities are 10-days from reaching Target Remediation Date

  • Notify security teams when vulnerabilities exceed SLAs

  • Notify project teams when projects have overrun

  • Notify project coordinators when project requests have not been actioned for some time

  • Notify users when their account will be locked out due to inactivity

Check Custom Time-Based Emails for more details.

Also check this link for more information: https://support.attackforge.com/release-notes/2024#new-time-based-custom-email-options

New Import Vulnerabilities options

  • Import Vulnerabilities via JSON File

You can now import vulnerabilities directly from a JSON file.

This makes it easy to import vulnerabilities from any source where the data can be formatted as JSON. A template is provided to help make this process easy, as well as details for required fields.

  • Qualys Guard is now supported

  • Vulnerabilities can be imported from multiple files simultaneously.

You can now import multiple scan files in one import. This means you can now take advantage of Grouped Assets on vulnerabilities across multiple scans - making it easier to identify and track unique vulnerabilities on the project, and associate affected assets more easily.

Simply select multiple scan files when prompted to select a file.

We also made improvements to user feedback during parsing of vulnerabilities.

Please check this video to see how it works: https://www.youtube.com/watch?v=oY-US-h0mlw

UX Enhancements

Multiple UX updates:

  • Easy filtering in Project Team Details

  • Time-picker type is now available as a Custom Field

  • Bulk Action Retest Vulnerabilities

We have now made it easier to see all vulnerabilities associated with a retest and perform bulk actions. Please check this video to see how it works: https://www.youtube.com/watch?v=LlHVVBrECmY

  • Now when you open and close the Info panels on Vulnerabilities, Project Test Cases and Reporting - this action will be remembered for the duration of your session.

  • You can now also view the entire project team and filter on team members more easily.

ReportGen Updates

  • Pending vulnerabilities can now be part of reports as well.

You can now create reports on pending vulnerabilities. This makes it easier to review vulnerabilities in your custom reports, before releasing them to customers. Please check this link for more information: https://support.attackforge.com/release-notes/2024#create-reports-on-pending-vulnerabilities

  • You can now add information from your linked Project Request into your reports.

  • $declare, $push and $assign Functions now support 'this' and 'this[number]'.

  • $includes now supports Dictionaries.

  • We have added a new function $percentage that can be used to calculate the percentage of two values.

  • We updated $keys to support $keys[this] which can be used to iterate on any object and return each key/value pair in the object as an array.

  • You can now include email addresses for your project team members in your reports.

  • $help now supports [scope] and [var] to show debugging and help information in your ReportGen browser console.

New extensions for SSAPI
