UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard this month.

One of the key reasons why many organizations look to UpGuard is to reduce the time it takes to perform and document a vendor risk assessment. With remediation requests within the risk assessment, you can now send remediation requests, track the progress of each item under remediation and have a record of the remediation request embedded directly in a point-in-time risk assessment. For help, please see  ‘How to complete a risk assessment’.

Other improvements

• This release includes a number of bug fixes

Stay up to date with your organization’s attack surface changes with the new Breach Risk email digest. You’ll receive a monthly email outlining any changes to your security rating, information about any risks added or resolved, updates to IPs and domains as well as a quick way to review and resolve any associated risks. You can enable/disable this feature in the Manage Notifications section on your home page or from the link within the email itself.

Other improvements

• Add and remove custom domains/IPs using the public API
• Add descriptions to files uploaded to questionnaires
• Bug fixes

Jira Cloud Integration

You can now send issues directly into your Jira Cloud project from UpGuard with our native Jira Cloud integration. Most Jira issue field types are supported and can be automated based on the content of a notification, providing robust customization options. For example, you could set up this integration to assign a Jira issue to a specific person whenever we detect a new vulnerability among your web assets. Check out this article to learn how to set up the Jira Cloud Integration. 

Essential Eight Questionnaire

The Australian Cyber Security Center (ACSC) developed the Essential Eight in 2017 to protect Microsoft Windows-based internet-connected networks. While the Essential Eight may be applied to cloud services, enterprise mobility, or other operating systems, it was not primarily designed for such purposes. Alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments. 

This iteration of the UpGuard Essential Eight Questionnaire will assess your vendors thoroughly across all eight mitigation strategies and provide the risks identified and scoring out of 950 (as our other questionnaires operate). We understand that the Essential Eight is typically based on maturity ratings which we may explore in future iterations of this questionnaire.

The Essential Eight Questionnaire can be used in conjunction with UpGuard's Anatomy of a Cloud questionnaire to analyze organizations’ cloud computing environments further.

Other improvements

• You can now amend/edit remediation requests.
• Bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

Send a questionnaire to multiple vendors at once

Sending a questionnaire to multiple vendors previously required you to repeat the questionnaire sending process for each vendor. Now we have streamlined this process, enabling you to easily send many questionnaires at once by selecting multiple vendors within the one workflow. This is particularly useful when a broad impact vulnerability such as Solarwinds or Log4j is discovered and you need to quickly assess your Tier 1 vendors to determine the risk exposure of your organization.

For more information on sending questionnaires, visit our knowledge base article ‘How to send security questionnaires in UpGuard’.

Other improvements

• Bug fixes

Until now, only automatically discovered fourth parties were able to be viewed in our Fourth Parties feature. Now corporate+ customers can map out fourth party vendors as you become aware of them, and optionally add corresponding information about the specific products being utilized. For more information, see the knowledge base article ‘How to add a fourth party vendor in UpGuard’

Other improvements

• Performance improvements for the vendor portfolio risk profile.
• Bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

Risk remediation requests now include both web and questionnaire risks

You can now send remediation requests that combine both automated web scanning and questionnaire-based risks, simplifying the process for you and your vendors. It’s also much easier to preview your vendor's projected score once the remediation request has been resolved, allowing you to consider your risk appetite for that vendor.

For help requesting remediation from a vendor, check out: ‘How to request remediation from a vendor’ 

Export Compliance reports into PDF and Excel

In October 2021 we released the compliance reporting feature which enables you to assess your vendor's risk profile against recognized security frameworks such as NIST CSF and ISO27001. You are now able to export these results into PDF or Excel formats for your auditors and other stakeholders.

Granular user permissions for Shared Profiles

You can now assign user specific permissions for your Shared Profile:

• Read access to the organization's Shared Profile
• Respond to Shared Profile access requests and invite people to view your Shared Profile
• Update Shared Profile questionnaires and documents, and set the Shared Profile to published

Check out the ‘Managing user permission for your Shared Profile’  for more information.

Other improvements

• Vendor comparison selection functionality has been restored and improved
• Control/Command clicking View questionnaires buttons will now open a new tab
• Various bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

New and improved risk assessments

Over 60% of cyber security incidents come from trusted vendors. Secure your data and prevent this from happening to your business with our new and improved risk assessments. You can now send questionnaires, request or use shared questionnaires and add additional evidence from inside a risk assessment. When the assessment is completed, set a reassessment date to make sure that you stay up to date with your vendor's risk profiles. Check out ‘How to complete a risk assessment’ for assistance in completing a risk assessment.

Apache Log4J - Critical Vulnerability Questionnaire and automated scanning

Control your Log4J critical vulnerability risk by sending your vendors our new Log4J questionnaire. We've also added an automated scan and verified vulnerability for Log4j CVE-2021-44228. This uses a basic detection mechanism as part of a GET request to a scanned domain, in order to keep our scanning as non-invasive as possible. It is important to note that the absence of this verified vulnerability does not mean that you or your vendors are 100% safe from this vulnerability, but the presence of the vulnerability means that you are likely exposed. Please see our blog post for more information on CVE-2021-44228 (Log4Shell) and how you can minimize your exposure.

Custom Domain for outbound emails

Tailor your workflow notifications to best represent your business, improving your vendors confidence and diligence at opening/fulfilling your requests. By default, notifications and invites to outside parties come from an UpGuard email address. Now customers with co-branding can set up a customized mailing address such as UpGuard@yourbusiness.com or set notifications to come directly from their own email address wherever possible. For help setting this up, check out the knowledge base article ‘Sending outbound emails from a custom address’.

Slack Integration

Get more value from UpGuard with the new Slack integration. You can create a Slack integration directly within UpGuard, enabling you to securely get the information you need from UpGuard, direct to Slack. You’ll be able to set up notifications to trigger directly into Slack, with the flexibility to display the information you need to act promptly.

Check out our ‘Setting up a Slack integration’ knowledge base article for help getting started.

VIP Identity breach list

The first question we hear our customers ask when an identity breach is reported is ‘are any of our executives exposed’? Now you’ll be able to get peace of mind by adding them to a VIP list within the identity breaches module. You can then set up a VIP identity breach notification to let you know when your VIPs are exposed in an identity breach. It might even be worth setting up a separate Slack channel for VIP identity breach notifications! For more information about the Identity Breaches module - check out this article. 

Other improvements

• Domains marked as belonging to you on the Domains screen will now be automatically set to “Owned by us” in Typosquatting
• A number of bug fixes