New Release: November 2020


Another release – another big set of features! It is so big it does not fit in my usual format, so I might write about some of the features in next month’s post!

Big update to Analytics module

Vulnerability data, and especially pentesting results, have always been hard to aggregate and analyse. In a past life working for a Tier 1 bank, the department I was working in was asked by one of the very big bosses to report which vulnerabilities were the most prevalent in our multi-million dollar pentesting program. A reasonable question, I have to say. But how would you aggregate a few hundred PDF files into a coherent data set to analyse it… A couple of weeks later, and one burnt-out intern, it was all in one spreadsheet.

From the very beginning, providing analytics has been one of the key features of AttackForge.

AttackForge ensures that data is consistent, accurate, and collected in one database where it can be used for analysis. Measuring and tracking the performance of a security and pentesting program is crucial to understanding how individual business units, or the entire organisation, are performing over time. It enables leaders to identify systemic issues and to make informed decisions on remediation and the placement of resources to improve security.

In this release we added several big capabilities to the Analytics module: new SLAs, Mean-Time-To-Remediate (MTTR), and the ability to track Assets with Open Vulnerabilities.

Introducing Abuse Cases

Every good pentest has a creative component – considering those elusive, solution-specific ways to bypass security and business logic. Those are the most interesting (for me at least) and usually the most dangerous vulnerabilities, the ones that cannot be picked up by any automated scan, application firewall, or intrusion detection tool.

These vulnerabilities are unique. Recording the method allows teams to share the knowledge and expand the expertise across the team, and re-using it makes pentesting more efficient. How can we capture the approach a pentester took to find them?

AttackForge now brings you Abuse Cases. Abuse Cases are assessment-specific test cases: unique test cases which apply to the assets on the project or relate to the objective of the assessment.

For example, consider a web application pentest for a reverse auction website. Typically, the pentest may cover the standard OWASP ASVS test cases; however, a quality assessment also requires testing the business logic, for example examining whether the bidding functionality can be cheated. Abuse Cases can be created to test this functionality specifically. This provides a higher level of assurance beyond the standard test cases.

Project progress tracking and the extension of Schedule

We are grateful to our clients for their feedback on the Scheduling module. We listened and extended the module. From this release you will see the following:

  • Percentage completion for each project in the calendar

    • Every project now has a percentage completion value next to its name in the calendar. This helps to identify at a glance how far the project has progressed.

  • The daily tracker now includes detailed progress for each test suite assigned to the project, for example:

    • Planning & Preparations (100%)

    • Web Application Pentesting (60%)

    • Abuse Cases (10%)

    • Retesting (0%)

  • Filter by User now shows a list of all the user’s projects

    • This helps to see which projects the user is working on, and information relating to each of those projects such as status, vulnerabilities, test window, etc.

    • As this information is in a data table, it can be filtered or even exported to CSV for an offline copy of the schedule

Testing Notifications

For those on the receiving end of a pentest, it is often an unsettling experience to wait for someone to find a vulnerability in your application. Communication is key to keeping your engineers’ anxiety at bay. It is also often required to notify the SOC team that they might see strange events popping up in the logs. AttackForge has the capability to send notification emails when testing starts and stops. In this release our engineers added the ability to customise the email messages, and to include recipients who are not on the project team, such as SOC teams.

This helps to create personalised notifications which relate to the specific project, and also keeps other stakeholders informed of testing where they are not explicitly invited to the project in AFE.

Project Notes Gets A Rich Text Editor

We introduced Project Notes a few releases back. Since then it has been one of the most popular features, allowing pentesters on a project to create private notes, share notes across the team, and export reporting notes.

In this release we have included a Rich Text Editor for Notes. This allows pentesters to create detailed notes with sections, headings, tables, etc., which can be used by others as an example of how to capture observations, shared with the project team to help collaborate on a project, or just stored privately for personal use.

This release has many more features. Don’t forget to check out the new colour schemes: The Matrix, Lightning, Halloween and (a tribute to one of Australia’s famous deadly critters) Redback.
