AttackForge May 2022 Release is out!
Exciting release this month. Features that we promised and delivered for our customers!
Project Clone capabilities – how many times did we want to simplify running recurring rounds of pentesting? Reduce the manual efforts, track vulnerabilities across many rounds, and focus retests on specific vulnerabilities?
ReportGen v2.2 - with updated filtering capabilities, the concept of a Parent object, and style support for the Executive Summary (more about it below)
Executive Summary has Rich Text support now with WYSIWYG in UI, and Review Notes for better QA!
More control of user accounts – we introduced Inactivity Lockout and Account Expiration policies for internal users.
UX Improvements
New configuration options
And – as always - updates to Self-Service API
Project Cloning
These days a significant part of pentesting activity is recurring pentesting of the same applications and infrastructure – a sort of Business As Usual pentesting. Same assets, similar methodologies, same preparations. And – more often than we like – the same vulnerabilities.
Project Clone is the workflow that helps simplify this process – cloning the data from the last quarter's (or year's) pentest into the next one.
Here is what you get:
Less manual copying when preparing for the next round of BAU testing
Track unique vulnerabilities across many rounds, making sure that you do not double count the same issues. After all, there are usually plenty of vulnerabilities without counting the same issues many times.
And the ability to focus a specific round of pentesting on specific vulnerabilities – sometimes new features, sometimes a specific high-risk area.
A cloned project gets access to the usual recurring data:
Project settings (can be adjusted for the new project - including name, codes, test suites, scope, email templates, portfolios, custom fields, and project team)
Project workspace, including previously uploaded or created notes and files
Executive summary
Specific vulnerabilities (if any) you would choose to carry forward into the new project
An interesting and very important point: when carrying vulnerabilities into the cloned project, they are exactly the same objects – vulnerability status, remediation notes, revision history, and any changes to the vulnerability all remain intact.
Vulnerabilities are not transferred. These vulnerabilities will become available in the new project and will also remain available in the source project.
Vulnerabilities are not copied. This means there will be no duplication of vulnerabilities.
Vulnerabilities are universal. Any changes to these vulnerabilities in the source project will also apply to the new project, and vice-versa.
This important feature ensures that your vulnerability dashboards, analytics, and vulnerability management activities remain true, no matter how many projects are cloned.
More details on our Support site: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#cloning-projects
Set max date option for SLAs
In the last release we introduced vulnerability SLAs to help improve vulnerability management and reduce risks.
In this release we have added the ability to set a max date option for each SLA.
For example, you may have a specific SLA rule for Critical Vulnerabilities in Cardholder Data Environment.
You may also have an internal company policy that all critical vulnerabilities in CDE must be fixed within 10 days or no later than Q1 of the year.
Now you can define that policy when setting or modifying your SLAs.
ReportGen v2.2
Another update to our brilliant AttackForge ReportGen!
This time we have introduced Parent objects. ReportGen now automatically includes the parent for each object in your project(s) JSON file, so you can access the right data within the JSON file by traversing up or down through the parent objects. More flexibility, more options.
For example, when you are looping through each vulnerability and you want to print the project name as well as the vulnerability title, you can do just the following:
{#vulnerabilities}
{parent.projectName} – {title}
{/}
Or if you are looping through affected assets and you want to print the project name + vulnerability title + affected asset name, you can do just the following:
{#vulnerabilities}
{#affected_assets}
{parent.parent.projectName} – {parent.title} – {asset}
{/}{/}
If you are unsure of what data or parents are available to you anywhere in your report, you can use the help function:
{#vulnerabilities}
{#affected_assets}
{$help["%()"]}
{/}{/}
This will print a help section in your browser console when you try to run the report, which will detail all data you can access, including any parents, at that time and section within your template.
This release also introduces a new universal filter called (Surprise!) 'filter'.
You can use this filter to select objects within a list that match a particular condition.
For example, if you wanted to filter your vulnerabilities to those that are Critical AND easily exploitable, you could use the following:
{#vulnerabilities | filter:'easily_exploitable === true AND priority === "Critical"'}
{title}
{/}
Another example is filtering affected assets based on remediation status AND priority. Note this example applies the filter to the {#affected_assets} and utilises "parent" to access the priority from the vulnerability.
{#vulnerabilities}
{#affected_assets | filter:'remediation_status === "Open" AND parent.priority === "Critical"'}
{title}
{/}{/}
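As an added illustration (not ReportGen's own code), here is a small JavaScript model of the two mechanisms above: attaching parent links to a project JSON so that parent.parent.projectName resolves inside a nested loop, and applying the filter:'... AND ...' condition to a list. The sample project data, and the assumption that the filter grammar is just === clauses joined by AND, are constructed for the example.

```javascript
// Constructed sample data shaped like the fields the templates above use.
const project = { projectName: "Q2 CDE Pentest", vulnerabilities: [
  { title: "SQL injection in login", priority: "Critical", easily_exploitable: true, affected_assets: [
    { asset: "app.example.internal", remediation_status: "Open" }, { asset: "api.example.internal", remediation_status: "Closed" }] },
  { title: "Verbose error pages", priority: "Low", easily_exploitable: true, affected_assets: [
    { asset: "app.example.internal", remediation_status: "Open" }] },
  { title: "Weak TLS configuration", priority: "Critical", easily_exploitable: false, affected_assets: [
    { asset: "vpn.example.internal", remediation_status: "Open" }] } ] };
// Give every nested object a non-enumerable `parent` link (array elements point at the object
// that owns the array), so a template can walk upwards: parent.parent.projectName.
function attachParents(node, parent = null) {
  if (Array.isArray(node)) { node.forEach((n) => attachParents(n, parent)); return node; }
  if (node && typeof node === "object") {
    Object.defineProperty(node, "parent", { value: parent, enumerable: false });
    Object.values(node).forEach((v) => attachParents(v, node));
  }
  return node;
}
// Resolve a dotted path such as "parent.priority" against one object.
const lookup = (obj, path) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
// Turn the right-hand side of a clause into a JS value: a "quoted" string or true/false.
function parseLiteral(raw) {
  const s = raw.trim();
  if (/^".*"$/.test(s)) return s.slice(1, -1);
  if (s === "true" || s === "false") return s === "true";
  throw new Error(`unsupported literal: ${s}`);
}
// Model of the page's filter:'a === x AND b === y' (assumed grammar): every clause must hold.
function filter(items, condition) {
  const clauses = condition.split(/\s+AND\s+/).map((c) => {
    const m = c.match(/^\s*([A-Za-z_][\w.]*)\s*===\s*(.+?)\s*$/);
    if (!m) throw new Error(`cannot parse clause: ${c}`);
    return { path: m[1], value: parseLiteral(m[2]) };
  });
  return items.filter((item) => clauses.every(({ path, value }) => lookup(item, path) === value));
}
attachParents(project);
// Equivalent of {#vulnerabilities}{parent.projectName} - {title}{/}
const vulnLines = (p) => p.vulnerabilities.map((v) => `${v.parent.projectName} - ${v.title}`);
// Equivalent of {#vulnerabilities | filter:'easily_exploitable === true AND priority === "Critical"'}{title}{/}
const criticalExploitable = (p) =>
  filter(p.vulnerabilities, 'easily_exploitable === true AND priority === "Critical"').map((v) => v.title);
// Nested loop: Open assets under Critical vulnerabilities, reading the priority through parent.
const openCriticalAssets = (p) => p.vulnerabilities.flatMap((v) =>
  filter(v.affected_assets, 'remediation_status === "Open" AND parent.priority === "Critical"')
    .map((a) => `${a.parent.parent.projectName} - ${a.parent.title} - ${a.asset}`));
```

Because the parent links are non-enumerable, JSON.stringify(project) still produces the plain project JSON with no cycles.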
For more information, please visit https://support.attackforge.com/attackforge-enterprise/modules/reporting/template-filters
And, to match the new capabilities in the UI, our engineers introduced support for a new tag {@execSummaryNotesStyled}, which can be used to display a styled executive summary with images. More here: https://support.attackforge.com/attackforge-enterprise/modules/reporting/template-tags
Executive Summary – with QA and WYSIWYG
The Executive Summary is quite often the only thing that executives read out of the entire pentesting results – at least in some places. So our customers asked us to make the Executive Summary better: better UX, rich-text support, images, and the ability to QA it. And, as usual, we listened.
From this release the Executive Summary supports rich text, which means you can style your executive summary and render it styled in your custom reports.
Project team members can view the executive summary within the UI, without having to download the reports. And Review Notes have also been added to the executive summary, making QA faster and easier!
Inactivity account lockout policy
Admins can now configure a global inactivity account lockout policy for non-admin accounts.
This policy can be used to prevent users from signing in once they have exceeded the policy, for example if they have not logged into the application for at least 6 months. When a user is blocked due to inactivity, the Users module will indicate this in the Status column. And of course, Admins can re-activate the affected user if necessary.
User account expiration
Admins can now set expiration dates for users. Once a user is expired, they will no longer be able to log into the application or use the Self-Service API.
This feature is especially useful to control access to AttackForge by contractors, external partners, or temporary service accounts used for integrations.
UX Improvements
Multiple UX improvements:
Project team notifications now include vulnerability ready for retest, re-opened & closed events
Import vulnerabilities as pending or visible
Custom tags can be added prior to importing vulnerabilities
Asset fields now available in daily start/stop testing emails
Redesigned vulnerability page, including rendering images
And many more across the AttackForge modules
New configuration options
AttackForge administrators (you) can:
Pick new UI theme colours for the default standard theme for all users, as well as adjust the logos used for the login page, in-app, and on reports.
Upload new logos for UI and reports
These settings can be configured from Administration -> Configuration -> Miscellaneous
Also – a new custom field type – Table
This field type can be used to capture complex data, such as multiple records with different types of fields per record.
The table field lets you define columns, against which users can then create rows of data.
Disable new user admin emails + welcome email
Admins can now disable the email which is sent to admins when a new user is registered, invited, or created.
This option can be toggled from Administration -> Configuration -> Emails
Disable CSV / JSON / ReportGen custom reports
Admins can now disable the ability to download CSV, JSON or ReportGen custom reports for either client users or all users.
And – as always - updates to Self-Service API
CreateUsers
This can be used to create users in bulk. It is useful when pre-registering users in AttackForge.
UploadWorkspaceFile
InviteUsersToProjectTeam
RemoveProjectTeamMembers
And much more functionality that would take this blog post well outside its usual size. Check our Release Notes for the full details.