UpGuard Release Notes

We have enhanced the BreachSight risk profile to show the date that risks were discovered. This makes it easier for you to know when risks are introduced to your environment, and assess what changes could have caused them. 

We’ve also added Date Published for identity breaches to help you better understand the timeline for breach disclosures.  

Questionnaire changes view

Previously in beta, the questionnaire changes view is now available to all Vendor Risk customers. This feature makes it faster and easier to see how responses have changed between versions of a questionnaire, so that you can focus on the information that’s most relevant. To learn more see How to compare responses using the questionnaire changes view.

Other improvements

• We’ve added PDF export capability to the Data Leaks summary page
• We’ve increased the character limits for custom attribute and notes fields
• This release also includes a number of bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

We are rolling out ‘questionnaire changes view’ to our Beta program customers. This feature enables you to compare responses between two versions of a questionnaire side by side, making it significantly faster and easier for you to re-assess your vendors.

The questionnaire changes view allows you to focus in on the responses that have changed. It gives you a more accurate and up-to-date picture of the vendor’s security posture without the risk of having answers that have changed without your knowledge. To learn more about using the changes view, this article has more information.

We are initially releasing the questionnaire changes view to a group of Beta customers. If you would like to be part of the Beta, please reach out to your Customer Success representative or send a request on Intercom. 

Part of the Beta group and have feedback to leave? Share your thoughts here. 

Notifications for risk reassessment and due dates

We’ve added some new notifications to help keep track of and follow up on your activity within UpGuard including risk reassessment dates, remediation request and questionnaire due dates. 

You can configure these notifications to appear in-app on your home screen and/or via email in Settings. Email notifications will be switched off by default. To learn more check out Notifications in UpGuard.

Inviting a vendor to a free trial

We previously enabled UpGuard Vendor Risk customers to provide 14 days of free access to their vendors. We’ve improved this feature by making the invite button more visible in the platform—this can be found in any vendor’s header next to the vendor name.

Learn more about how you can proactively improve your third party security by providing your vendors access to the UpGuard platform here.

Addition of new HECVAT questionnaires

We’ve added two new questionnaires to the library—the Higher Education Community Vendor Assessment Tool (HECVAT) questionnaire, as well as a HECVAT Lite version—which will help institutions align their vendor risk posture to higher education-specific security controls.

Other improvements

• Added informational risks to identify unmaintained assets, like those serving default server pages and web directories.
• Added informational risks for sites without Certificate Authority Authorization records.
• Data leaks where the developer’s business email address is found in the event history will be broken out into a “Github User” source. Keyword matches that occur in the code contents will continue to be labeled with the “Github” source.
• Improvements to the performance of notifications. This includes batching a variety of notification types to reduce spam.
• Improvements to the vendor search experience when used in combination with filters and portfolios.
• This release includes a number of bug fixes.

You can now quickly identify which vulnerabilities on your assets are on CISA’s list of known exploited vulnerabilities (KEV), pointing you towards your highest areas of risk at a glance. 

At any given time, threat actors are only targeting a small number of vulnerabilities, and this feature will allow you to prioritize the remediation of those vulnerabilities that directly impact your business. As part of this feature, you can also set up notifications to be informed when a vulnerability you have is added to the KEV list.

New Data Leaks home page

The new Data Leaks Home page provides more reporting capabilities for understanding where those mentions of your brand keywords are occurring. UpGuard’s Data Leaks engine processes billions of files each day to identify the small number of sensitive data exposures affecting our customers. This information will help understand your risk profile for leaks and demonstrate your controls for the timely detection of data exposures. Over the coming weeks, this feature will be rolled out to accounts with Data Leaks enabled.

Additional risks for website security headers

We’ve added detection for more risks related to website security headers. These risks will be released in a “provisional state,” meaning they are visible but do not affect scoring. After a provisional period of one month, the risks will be updated to include scoring penalties. 

Improvements to remediation exports

We’ve added new capabilities to the remediation export to assist with tracking and auditing of remediation activity, including:

• Additional fields in the remediation summary exports
• Addition of export capability for individual remediation

To learn more about these improvements check out How to export your internal remediation requests and How to export your vendor remediation requests.

Other improvements

• Added detection for the OpenSSL 3.0 vulnerabilities CVE-2022-3786 and CVE-2022-3602
• You can now delete risk waivers in UpGuard BreachSight as opposed to archiving them
• This release includes some more performance improvements 
• This release includes a number of bug fixes

‍

Learn about new features, changes, and improvements to UpGuard this month.

We've added notifications that will alert you when new domains and IPs are detected as part of your organization's attack surface.

The appearance of new active domains or IPs can pose a risk in itself if the assets are not securely configured for production use, are applications intended only for internal use, or are unauthorized shadow IT. Notifications for new assets can help reduce the time to remediate when such incidents occur. 

These notifications will be enabled by default for the Home page in the Cyber Risk platform. You can also enable email notifications and modify in-app notifications any time in the Account Settings page. To learn more about configuring notifications in UpGuard see What are notifications in UpGuard.

Other improvements

• For customers that use webhook integrations: all webhook requests from UpGuard will now come from a small set of static source IP addresses. The list of IP addresses is available at https://cdn.cyber-risk.upguard.com/webhook-ips.json. If you have set up webhook integrations behind a firewall you will have to ensure the above IP addresses are allowed by the firewall rules.
• This release includes some performance improvements 
• This release includes a number of bug fixes

In this release we have streamlined the risk assessment process by incorporating risk waivers into the risk review section. The feature allows you to document justifications and approvals for waiving known risks, in addition to requesting remediation. This streamlines the risk assessment workflow so that you have all the relevant information when managing the risks presented. Learn all about using the risk assessment framework in UpGuard. 

HIPAA questionnaire with risk mapping

We have added a new risk-mapped security questionnaire to the questionnaire library: the Health Insurance Portability and Accountability Act (HIPAA) questionnaire. The HIPAA questionnaire allows organizations to determine if their vendors are compliant with the US Federal HIPAA standard, which relates to the secure handling of Protected Health Information (PHI). 

Simply send this security questionnaire to your vendor and UpGuard will automatically generate risks based on the responses. They can save time by using our new auto-fill functionality to complete the same questionnaire at the touch of a button: Learn more about using questionnaire autofill.

Other improvements

• We’ve added unverified checks for Microsoft Exchange ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
• We’ve made improvements to our detection of Windows Server versions.
• Creating a risk waiver will now close associated remediation request risks.
• Additional audit log events for shared profiles:

            - Revoking a user or organization access

            - Adding, editing or removing assets on the profile

            - Customizing the public info on the profile

• This release includes a number of bug fixes.

Learn about new features, changes, and improvements to UpGuard this month.

Shared profiles are a great way to proactively provide security information to cut down the time it takes for you to be assessed by another party. You might choose to publish a completed ISO27001 questionnaire or a SOC 2 type 2 report, and share that proactively with your customers instead of being sent another lengthy questionnaire that covers much of the same information. To ensure that these documents are accessed only by the customers you choose, you can set up access protection controls, add an NDA to be agreed to before documents can be downloaded, or a combination of both. Learn more about how to add an NDA to your shared profile here.

As part of this release we’ve made improvements to Shared Profiles. This is part of our commitment to making it easier and faster for you to assess vendors, and be assessed by vendors. The display of nested documents has been revamped, to make it easier to understand the relationship between questionnaires and their attached documents. Additionally, empty sections of your Shared Profile are no longer displayed to viewers, keeping the focus on the evidence you’ve made available.

For more information on Shared Profiles see this link.

Other improvements

• A tweak to the Vendor Summary Domains and IPs section, to make it easier to see domains and IPs separately
• This release includes a number of bug fixes

This release includes the ability to enable NDA Protection for your Shared Profile. 

NDA protection for your Shared Profile

To make it easier and faster for Shared Profile owners to ensure that the right users have access to their documents, Shared Profile owners can now upload an NDA (non-disclosure agreement) template. When enabled, visitors to the Shared Profile must accept the terms of the NDA before documents and questionnaires within the Shared Profile can be accessed. 

This feature sits alongside the existing Access Protection feature for Shared Profiles. Shared Profile owners can manage their NDA settings, see which organizations have agreed to the NDA, request an NDA from existing customers, or revoke access to the Shared Profile. 

Learn more about how to implement NDA protection for a Shared Profile.

Other improvements

• This release also includes a number of bug fixes.

This release includes some exciting enhancements to make it easier to manage and assess your vendors.

Vendor summary page redesign

We’ve redesigned the vendor summary page to make it easier to see all the information that’s critical to understanding and assessing the security posture of your vendors. This includes consolidating all risk assessment activities and evidence together under the risk assessment framework to help you quickly determine the assessment state of the vendor, manage your workflow, and follow up on any outstanding activities.

To learn more about this change and how to use the risk assessment framework check out using the risk assessment framework within the UpGuard platform.

Invite vendors to access their full security profile

UpGuard Vendor Risk customers can now provide their vendors with 14 days of access to the UpGuard Platform. This will give them free access to proactively review and improve their cyber security posture, and help you to build stronger and safer business partnerships with your vendors.

To learn more check out Inviting a vendor to access their full security profile in UpGuard

Other improvements

• When business email addresses are found in the analysis of documents leaked from ransomware blogs, they will now be published through the Identity Breaches module. Access to this information can help identify the impact of breaches of third or fourth parties. To learn more check out Identity breaches from ransomware leak blogs.
• This release includes UI improvements to Shared Profile settings and Shared Profile access pages. This includes a new status pill that indicates whether the existing Access Protection option is on or off, and an expanded Settings page replacing the old slide-out modal.
• We’ve added detection of CVE-2022-36804, a critical severity command injection vulnerability in Atlassian BitBucket Server and Data Center.
• This release also includes a number of bug fixes.

‍

Learn about new features, changes, and improvements to UpGuard this month.

‍