UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
March 2024
Import and answer security questionnaires in minutes – for free

Annie Luu
March 13, 2024

We’re making it easier than ever to answer security questionnaires with UpGuard’s Trust Exchange. You can now import any security questionnaire in Excel format, along with past responses and other documentation, and use that information to populate the questionnaire with AI-driven suggestions. Save your responses for next time and export the questionnaire back to its original format.

The UpGuard Trust Exchange is free to use. BreachSight and Vendor Risk customers can invite colleagues to start using the Trust Exchange without affecting their plan’s user limits.

Other improvements

  • You can now request additional report types through the API. In addition to the Vendor detail, Vendor summary and Board reports, you can now request Custom vendor reports, as well as Risk profile, Vulnerability and Domain list exports. To learn more see How to request a report via the UpGuard API.
  • To give you more flexibility to customize your communications when sharing reports, we’ve added a new email template for Generated Reports. To learn more see How to set up templates in UpGuard.
  • You can now store longer notes against your Vendor records, with a new character limit of 1000 characters (increased from 500 characters).
February 2024
Ability to conduct concurrent risk assessments for a single vendor

Annie Luu
February 28, 2024

To give you more flexibility when conducting risk assessments, we’ve added the ability to create multiple concurrent risk assessments for a single vendor. You can now add custom names and scope for each risk assessment, to correspond to the specific purpose and scope of each assessment, such as product or region-based risk assessments.

To learn more about vendor risk assessments and these changes see How to complete a risk assessment.

Introducing the UpGuard Trust Exchange and Content Library

We’re consolidating our existing tools to answer security questionnaires, respond to requests for documentation and choose what to share in your Shared Profile under one banner: the UpGuard Trust Exchange. Plus, we’re introducing a content library, where you can manage and reuse previously uploaded documents. 

  • New: "Trust Exchange" menu item in your navigation
  • New: Content library feature to manage and reuse documents uploaded as part of security questionnaires
  • Move: "My Shared Profile" moves into Trust Exchange 

Improved visibility into your asset inventory with Detected Products

To extend the visibility into your asset inventory in BreachSight, we’ve added a new section called Detected Products that displays in-depth information about the software and other products used on your domains and IPs.

This information extends what is already available in Vulnerabilities (an inventory of software products with known vulnerabilities) to show products in use that may not yet have CVEs. Having this information allows you to audit for unapproved software and respond more quickly when a new vulnerability is discovered for one of the products you use.

Added link to registrar's abuse page to typosquatting 

When malicious domains impersonating your brand are detected by the Typosquatting module, the next step is to remediate the risk by contacting the domain registrar and reporting the abuse. You can now go straight to the page of the registrar or other relevant internet authority from Typosquatting to begin the takedown process.

Other improvements

  • We have begun the process of rolling out credentials stolen by infostealer malware as an enhancement to Identity Breaches for all customers on the Professional plan and above. 
  • We have added detection for CVE-2024-1709 and other vulnerabilities in ConnectWise ScreenConnect.
  • To make it quicker to download reports, we’ve added the ability for users to download multiple reports at the same time from the Generated reports page.
  • This release includes a number of bug fixes.
February 2024
What’s new in UpGuard | February 2024

UpGuard Team
February 1, 2024

Learn about new features, changes, and improvements to UpGuard this month.

  • To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Fortra GoAnywhere, Ivanti Connect Secure, Apache Superset, and GitLab.
  • We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or subsets of an organization rather than the entire vendor.
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires.
January 2024
Fortra GoAnywhere MFT CVE-2024-0204 detection added

Annie Luu
January 30, 2024

CVE-2024-0204, a critical authentication bypass vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, allows unauthorized users to create admin users and bypass authentication requirements.

While this vulnerability is not yet in the Known Exploited Vulnerabilities catalog, GoAnywhere was previously targeted by the Cl0p ransomware group in early 2023, making it crucial to patch now before it’s too late.

Other improvements

  • This release includes a number of bug fixes
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires
  • To help you easily get an overview of task statuses, we’ve added % complete and due date columns to remediation request pages, and % complete to questionnaire list pages
January 2024
Flexibility for domain inclusion in Risk Assessments

Annie Luu
January 18, 2024

We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or subsets of an organization rather than the entire vendor. This is one of a broader set of improvements, to be delivered over the coming weeks, that add more flexibility to the risk assessment workflow.

To learn more see How to complete a risk assessment.

Detections for Ivanti Connect Secure, Apache Superset, and GitLab

To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Ivanti Connect Secure, Apache Superset, and GitLab. For Superset, any vulnerabilities associated with the affected version will appear. There is currently no patch for the Connect Secure vulnerability, only mitigations, so any detected instances should be investigated to ensure those protections are in place.

Additional filtering for labels in Domains and IP Addresses

There are now more operators available when filtering the Domains and IPs pages based on labels. Similar to existing functionality in the Vendor Risk Portfolio, you can now choose to match any or all labels, exclude labels, and filter to assets with no labels. 

Other improvements

  • This release includes a number of bug fixes
December 2023
Adjust the severity of additional evidence risks

Annie Luu
December 20, 2023

Following on from our recent release that provided the ability to adjust the severity of a questionnaire risk, Vendor Risk customers can now reduce (or increase) the criticality of a risk that originates from additional evidence. This makes it easier for you to manage vendor risks within the platform, and provides you with a more nuanced view of the risks that incorporate compensating controls or other information provided by the vendor. 

Other improvements

  • This release also includes a number of bug fixes

December 2023
Ability to adjust severity of vendor risks

Annie Luu
December 7, 2023

We’ve added the ability for users to reduce the criticality of a risk based on compensating control/information provided by the vendor, making it easier for you to manage vendor risks within the platform. In this release we’ve made this available for risks raised from questionnaires, and we will extend this capability to scanning and additional evidence risks in future releases.

To learn more see How to adjust the severity of a risk.

Automation of tiers, labels, portfolios and custom attributes

Vendor Risk customers on our Professional, Corporate, and Enterprise plans can now say ‘goodbye’ to the time-consuming manual work of classifying vendors. Our automation feature allows you to set up rules that trigger when a relationship questionnaire is returned, automatically populating the vendor’s attributes with information gathered in the relationship questionnaire.

Not only does this save time and reduce manual repetitive tasks, it is useful in codifying your vendor classification processes, so you know that the information you’re storing is accurate and consistent. 

To learn more see How to use automation to apply tiers, labels, portfolios and custom attributes to your vendors.

Other improvements

  • We’ve made some improvements to risk assessments including making changes to ensure commentary edits are carried over between versions and on re-assessment
  • This release also includes a number of bug fixes

November 2023
Ability to shortlist key risks in risk assessments

Annie Luu
November 22, 2023

We’ve added the ability to create a shortlist of key risks as part of a risk assessment, allowing you to highlight important risks and those requiring follow-up. You can choose to include only key risks as part of your risk assessment report, in lieu of displaying the full list of risks. To learn more see How to complete a risk assessment.

API flexible permissions

We’ve revised API permissions to allow a finer-grained set of permissions and visibility:

  • Added a Read/Read&Write flag to allow a given API key to only access GET functions or to be able to access GET/PUT/POST and DELETE functions.
  • Expanded on the current Data Leaks permission to allow an API key to be defined by role.
  • To protect existing integrations all existing API Keys will be granted full access. The new model will only relate to keys generated after this release.

To learn more see UpGuard’s API documentation.

Vendor monitoring API changes

We’ve created specific API endpoints to start monitoring and stop monitoring a vendor. This allows us to follow more established and consistent API design practices as well as restrict the monitoring to only those API Keys that have Vendor Risk Read&Write permissions. In subsequent releases, we will deprecate the “start_monitoring” flag in the /vendor API endpoint and remove that feature:

  • Vendor ID or Primary Host Name) to the list of monitored vendors. This supports the same functionality as our existing /vendor API when start_monitoring = true, such as:

      - The ability to apply labels and tiers;
      - A wait for a scan feature that scans the vendor before returning the results;
      - Checks on UpGuard licenses maximum Vendor counts.

  • /vendor/unmonitor – A new endpoint that will remove the specific vendor (based on Vendor ID or Primary Host Name) from the list of monitored vendors.

To learn more see UpGuard’s API documentation.

SysAid vulnerability detection

We’ve added detection for the SysAid product, its version, and associated vulnerabilities, notably CVE-2023-47246, which is being exploited by the Clop group.

Other improvements

  • This release includes a number of bug fixes.
November 2023
Remediation available for Additional Evidence risks

Annie Luu
November 8, 2023

We’ve made it easier for you to manage risks you have raised for additional evidence documentation by adding the ability to request remediation from your vendors. To learn more see How to capture additional evidence.

Edit Lock-out for completed questionnaires

To give customers more control over their assessment process we’ve added a feature to be able to prevent vendors from updating completed questionnaires. The default behaviour will be to prevent vendor updates to completed questionnaires, but this can be easily controlled at an account level by the Allow changes to completed questionnaires toggle in Questionnaires settings.

Other improvements

  • New fields have been added to Vendor Details API including: risk assessment status, last assessment date, portfolios and notes
  • This release includes a number of bug fixes

October 2023
New SIG Lite questionnaire, plus big improvements to risk assessments

Annie Luu
October 25, 2023

SIG Lite questionnaire added to library

The Shared Assessments Standardized Information Gathering (SIG) Lite questionnaire has been added to our questionnaire library. SIG Lite is designed to provide a broad, high-level understanding of a third party's internal information security controls. Like our other questionnaires, SIG Lite incorporates cybersecurity ratings and automated risk detection, and is integrated with standard questionnaire workflows. To learn more, see Questionnaire Library.

Improved risk assessments 

We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:

  • The ability to add comments to individual risks in risk assessments, making it easier to capture all your risk management activity within the platform.
  • Improvements to the commentary section, with a more flexible template that is divided into sections, giving you more flexibility to present the risk assessment report according to your needs.
  • Addition of more merge tags to pre-fill vendor information including scores, tiers and attributes, so you can generate comprehensive pre-filled commentary for your risk assessment.

These improvements have been available in limited release, and are now generally available to all Vendor Risk customers. To learn more see Using the risk assessment framework in UpGuard.

Show date when domains/IPs are first detected

Maintaining control of your asset inventory requires knowing when new sites first become publicly accessible. To help with this we now show the date the domain was first scanned on the domain or IP address details panel.

New workflow to request additional evidence documents

To assist with vendor risk assessments, we have made the process of collecting additional evidence documents (such as certifications and other security documentation) easier by adding a workflow to request additional evidence documents directly from vendors. Vendors can load documents directly to the platform, avoiding having to request and upload those documents outside the platform. To learn more see How to capture additional evidence.

Other improvements

  • We’ve added an unverified vulnerability and compromise detection for Cisco IOS XE CVE-2023-20198.
  • We’ve added a column on the Typosquatting page to allow users to sort by creation date. When a permutation has been registered more recently, it can be an indicator that it is more likely a threat.
  • We’ve built more flexibility into the questionnaire builder, allowing you to add custom numbering to your questionnaire. To learn more see How to use the questionnaire builder.
  • This release also includes a number of bug fixes.
October 2023
Additional vulnerability detection

Annie Luu
October 10, 2023
  • We added detection for CVE-2023-22515, a vulnerability in Atlassian Confluence that has been actively exploited to add administrators to hosted Confluence instances. 
  • To add visibility into less highly publicized but still commonly exploited vulnerabilities, we’ve also added detections for over 200 WordPress plugins known to have vulnerabilities in some versions. 

Other improvements

  • This release includes a number of bug fixes
  • We’ve enhanced the Vendor Details API to add Score Breakdown, Score Trend, Risk Counts, Automated Scanning Counts, and Attributes
September 2023
What’s New in UpGuard | September 2023

UpGuard Team
September 30, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository.
  • You can now create and save custom report templates in the Reports Library, which can then be used by you and others in your organization to run custom reports. We have also enhanced our report Library display and navigation to make it quicker and easier to find and run the reports you need.
  • We’ve made some improvements to make it easier for you to track and manage Identity Breaches, such as improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date.