New Release: November 2021

This release is all about User Experience and Customization!

AttackForge development is driven by customers. This release is no exception!

  • Introduction of distinct centralised Vulnerability Libraries:

o   Main Vulnerability Library

o   Imported Vulnerability Library

o   Project Specific Vulnerability Library

  • Custom forms, fields, and conditions

  • Group project access control management

  • Further improvements to global dashboard

  • Updates to ReportGen

  • Updates to Self-Service API

By the way, check this video tutorial to see why AttackForge report generation is regarded as the best and simplest in the industry: https://support.attackforge.com/attackforge-enterprise/modules/reporting#available-tags-for-individual-reports . There is no need to pay for additional professional services to build your report templates; just take your existing Word report and convert it.

Oh! Did you know that AttackForge is used by our customers to manage and track their Bug Bounty programs?

But let’s get back to this release and its features.

New Vulnerability Libraries

One of the biggest benefits of AttackForge is that it brings consistency to pentesting and helps everyone involved by using uniform terminology. This is done through a centralized vulnerability library.

This feature is one of the most important for our customers. It allows them to enforce consistent vulnerability definitions across multiple pentesting teams, internal and external.

After some time, vulnerability libraries can grow large. Tracking, managing and doing QA on vulnerability write-ups becomes difficult, particularly when you have thousands of them. So in this release we introduced three distinct vulnerability libraries:

Main Vulnerability Library

This is the primary source of your vulnerability write-ups. Most vulnerabilities for your projects should come from this library.

It contains the 1300+ pre-loaded vulnerabilities that ship with AttackForge. You can edit them, remove them if you want, and add your own.

This library is shared across your AttackForge tenant, which means any user on a project with permission to create vulnerabilities for that project will be able to see and use any of the vulnerabilities in this library.

Imported Vulnerabilities

This is the library where you can find all the vulnerabilities imported from various tools & scanners.

And again, this library is shared, which means any user on a project with permission to create vulnerabilities for that project will be able to see and use any of the vulnerabilities in this library.

Project Vulnerabilities

This is the library for vulnerability write-ups that are tied to specific projects.

Use this library when you have a project-specific vulnerability, or when a vulnerability write-up is so specific and sensitive that you want to restrict access to it to people with a need to know.

Note that Admins can still see all write-ups/templates in this library, so project scoping restricts visibility for non-admin users only.

Pentest teams now have the option to select which library they would like to use when creating or importing new vulnerabilities on a project.

More exciting improvements coming to libraries in the next release!

Custom Forms & Fields

From this release onwards, AttackForge has comprehensive support for creating custom fields, forms and tables in the user interface.

So your AttackForge tenant can capture information that is relevant to your organization, your customers and your vulnerabilities.

You can create custom fields and forms for:

  • Project requests

  • Project creation

  • Vulnerability Library write-ups

  • Vulnerabilities on a project

Your administrators set up custom fields, and the logic that controls them, from the Administration module.

Multiple types of custom fields are available, along with logic that controls when they are shown (or not) on the relevant part of the user interface.

For example, you can add logic to only display a field once a user has made a particular selection in a previous field. Or you can extend this logic to check for certain values which have been selected.

These logic conditions fully support JavaScript methods and Boolean logic, so you can create forms that are truly customized to your needs. Because the conditions are executable JavaScript, they are defined only by administrators, as described above.
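As an added illustration of the kind of logic described above, the following JavaScript models each custom field's display condition as a predicate over the values entered so far, and evaluates which fields are currently visible. This is example code written for this page, not AttackForge's own configuration syntax (which the page does not show); the field names, the `visibleWhen` property and the sample form states are assumptions made for the example.

```javascript
// Added example: conditional custom fields modelled as JavaScript predicates.
// Illustrative only; field names and the `visibleWhen` property are assumptions,
// not AttackForge's real condition format.

const customFields = [
  { name: "engagementType", type: "select",
    options: ["internal", "external", "bugbounty"] },
  { name: "severity", type: "select",
    options: ["Critical", "High", "Medium", "Low"] },
  { name: "summary", type: "textarea" },
  // Only relevant once the tester has said the engagement is external.
  { name: "thirdPartyVendor", type: "text",
    visibleWhen: (v) => v.engagementType === "external" },
  // Boolean logic over two earlier selections: external or bug-bounty work
  // AND a Critical/High rating.
  { name: "disclosureDeadline", type: "date",
    visibleWhen: (v) =>
      ["external", "bugbounty"].includes(v.engagementType) &&
      ["Critical", "High"].includes(v.severity) },
  // A JavaScript string method applied to a prior free-text value.
  { name: "credentialRotationTicket", type: "text",
    visibleWhen: (v) => (v.summary || "").toLowerCase().includes("credential") },
];

// Returns the names of the fields that should be rendered for the given form
// state. A condition that throws (for example a broken admin-authored
// expression) hides its field instead of breaking the whole form, and the
// error is handed to `onError` so an administrator can be told about it.
function visibleFields(fields, values, onError = () => {}) {
  return fields
    .filter((f) => {
      if (typeof f.visibleWhen !== "function") return true; // unconditional field
      try {
        return Boolean(f.visibleWhen(values));
      } catch (err) {
        onError(f.name, err);
        return false;
      }
    })
    .map((f) => f.name);
}

// Drops values for fields that are currently hidden, so data typed into a
// field before a later selection hid it is not silently persisted.
function submittableValues(fields, values) {
  const visible = new Set(visibleFields(fields, values));
  return Object.fromEntries(
    Object.entries(values).filter(([name]) => visible.has(name))
  );
}

// Constructed sample form state for demonstration.
const sampleState = {
  engagementType: "external",
  severity: "High",
  summary: "Hard-coded credentials in the deployment config",
};
console.log(visibleFields(customFields, sampleState));
console.log(submittableValues(customFields, { ...sampleState, thirdPartyVendor: "n/a" }));
```

The `submittableValues` step is the part worth copying into any form engine of this kind: a field that is hidden by a condition should not contribute data, otherwise a user can switch a selection, hide a field, and still submit whatever was typed into it.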

And as usual, once custom fields are set up they are supported throughout the application:

  • in the relevant user interface,

  • in JSON exports,

  • ReportGen reports, and

  • also, via the Self-Service APIs.

Check our support site for further information: https://support.attackforge.com/attackforge-enterprise/getting-started/custom-fields-and-forms

User Experience Improvements across multiple areas of the application

Manage access control for your groups’ projects in one place

Groups play a significant role in simplifying access control in AttackForge, especially when your tenant is integrated with your Identity and Access Management system.

You can now add and remove projects for a group on a single page in the Groups module. This saves Administrators a great deal of time on big pentesting programs.

Additional information on the Global Dashboard

Some of the user-interface changes come from years of operation. Our long-time customers asked us to adjust the global dashboard to reflect the years of information stored in their AttackForge tenant, so we added several components to make sure users see what they need on the first page they usually open. These are the new additions to the global dashboard:

  • Projects Overrun

  • Projects Ready for Retest

  • Open Critical Vulnerabilities

  • Open High Vulnerabilities

  • Open Medium Vulnerabilities

  • Open Low Vulnerabilities

Ability to Close/Risk Accept multiple vulnerabilities on a project

Another great benefit of AttackForge is the ability to track the status of vulnerabilities found as part of your pentesting program. So naturally, AttackForge lets you update vulnerability status throughout the life of a vulnerability: from Open, to Ready for Retest, to Closed, or (sometimes 😉) to Risk Accepted.

It is not unusual for the status of multiple vulnerabilities to need updating at the same time. After all, vulnerabilities are often remediated together, and it is even more common when the business chooses to accept the risks associated with multiple vulnerabilities as part of a single risk assessment.

This means the relevant information needs to be updated in AttackForge, often in bulk.

This release adds support for bulk updates of vulnerability status, with a reason recorded for each vulnerability, reducing time spent on mundane tasks and giving it back to something more exciting, like finding vulnerabilities.

Update to ReportGen

Reporting is still a big part of pentesting. AttackForge ReportGen is the best and simplest way to generate a report. In this release, our engineers added multiple new tags to make your report templates even more versatile and informative. New tags include:

  • Project Duration, and

  • Assets Equally Affected by a particular vulnerability (saves space in your report)

Update to Self-Service API

New REST method:

  • UploadVulnerabilityEvidence. Uploads evidence files for a vulnerability. This is useful when importing vulnerabilities from external systems, for example bug bounty platforms.

Two new Events notifications added:

  • ProjectCreated. This event is generated when a new project has been created.

  • ProjectUpdated. This event is generated when a project has been updated.

Multiple SSAPI RESTful endpoints have also been updated to expose the data now available in AttackForge. It is our strong belief that everything in AttackForge should be accessible from the Self-Service API so you can integrate it with your own systems.

As usual, if you need the full release notes, they can be found on our support site here:

https://support.attackforge.com/release-notes#2021-11-08
