UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard this month:

We've added support for viewing a vendor and its subsidiaries in its Risk Profile.

This view lets you see all the risks present across the vendor and its subsidiaries. Each of the identified risks has a severity, name, risk type, category, and a number of organizations impacted. By default, findings are sorted by severity, with critical severity items at the top.

You can drill down into each identified risk to see the impacted organizations and their associated domains. However, you will need to be monitoring the subsidiary as a vendor to request remediation or to waive the risk. You can do this by clicking Monitor vendor.

Additional SSL-based checks

We've added support for three new SSL-based checks:

1. Untrusted SSL certificate (informational severity): The certificate presented by this domain was not issued by a trusted certificate authority and therefore cannot be verified by browsers.
2. SSL certificate chain missing from server response (medium severity): There is an invalid or missing intermediate certificate. This can cause some browsers to break the padlock. An intermediate/chain certificate may need to be installed to link it to a trusted root certificate.
3. SSL expiration period longer than 398 days (medium severity): Certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days. The certificate will need to be reissued with a maximum validity of 397 days.

Other fixes and improvements

• Creating vendors with no web presence is now available for all customers with vendors
• Added notification for news articles in Incidents & News
• Increased upload limit from 10MB to 50MB
• Added highlight for news articles tagged as Advisory in Incidents & News
• Improved handling of WAFs and CAPTCHA for our automated scanning engine
• Fixed issue causing inactive subdomains to not be scanned in some situations

Now when you send a vendor a questionnaire through UpGuard, they'll be prompted to create a free Shared Profile that lets them proactively share their security rating, completed questionnaires, and other security documentation.

If a vendor chooses to create one, it will drastically cut down the time it takes for you and other UpGuard customers to assess them in the future. It also benefits the vendor as they'll spend less time filling out the same questionnaire while ensuring their customers have an accurate and up-to-date view of their security posture.

Vendors will be able to publish the following information on their Shared Profile:

• Security ratings: Toggle the inclusion of their own and their industry average security rating. Learn more about security ratings here.
• Security contact: Share contact information for the team or key employee who is responsible for security.
• Company description: Help users quickly understand what the vendor does.
• Security questionnaires: Proactively share complete security questionnaires to reduce time spent on answering similiar assessments.
• Supporting documentation: Share security-related documentation or compliance certifications such as PCI DSS, SOC 2, ISO 27001, FedRAMP, etc.

Learn more about Vendor Shared Profiles.

You can now add and assess vendors with no web presence. Prior to this release, vendors needed a website to be added to UpGuard. Now you can add any vendor you like, even if they don't have a website.

This is great for situations where you need to assess an independent contractor who doesn't have a web presence but will handle your organization's sensitive information. Once you've added them as a vendor with no web presence, you'll be able to send them a questionnaire and assess them based on their responses. You'll also be able to add contacts, upload additional evidence, and perform a risk assessment inside UpGuard.

This feature is currently in closed beta. If you would like to beta test the feature, please contact us.

Learn how to create a vendor with no web presence.

Improvements to the questionnaire process for customers

In May, we rolled out an improved questionnaire experience for vendors that was designed to reduce the time it takes for you to get a complete and accurate questionnaire.

In this release, we're taking what we've learned from that process and applying it to the customer-facing experience. The new page replaces, improves, and streamlines our previous questionnaire details page.

You can now quickly see the progress of the questionnaire, view unanswered questions, and view any associated remediation requests you have created. Messages now appear in the top-right corner of your screen which makes it simple to respond to any vendor queries.

The page has been split into three separate tabs:

1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
2. Documents: Any attached documents
3. Timeline: The version history and timeline of the questionnaire

Other fixes and improvements

• Any users that are invited to a questionnaire or remediation request will now appear in the timeline
• Added support for retrieving all risks for an organization via the API
• Added support for IP addresses in the risks diff API
• Fixed issue causing domains parked at Gandi to be marked as active rather than inactive
• Added questionnaire designed to determine exposure to the recent supply chain ransomware attack that impacted Kaseya VSA
• Fixed issue causing questionnaire reminders to not be sent if one or more emails associated with the reminder bounced
• Added modal to inform you when you've hit your vendor limit
• Fixed issue causing security ratings and labels to not appear in domain view from a risk assessment

Learn about new features, changes, and improvements to UpGuard this month:

We've significantly improved and simplified the management of your Shared Profile.

For background, a Shared Profile lets you proactively share security-related information with companies that need to assess you. This typically includes completed security questionnaires and compliance certifications like PCI DSS, SOC 2, ISO 27001, or FedRAMP.

By completing your Shared Profile, you'll build trust with your business partners and show that your organization is taking cybersecurity seriously. You'll also spend less time filling in manual assessments while ensuring customers have an accurate and current view of your security posture.

When you go to manage your Shared Profile, you'll now see a checklist of what you need to do to complete it. As you fill out more of your profile, we'll automatically check off the associated line item in the checklist. This makes it easy to see what you have added and what you may be missing.

As part of these improvements, we've also improved the design of your Shared Profile, added support for adding a security contact and company description, and added the ability to toggle the inclusion of your security rating.

Learn how to publish your shared profile.

Remediation workflow enhancements

We're making it even easier to create and manage remediation requests. Creating an internal remediation request is now just two steps down from four. Likewise, vendor remediation requests are now a maximum of four steps down from six. Each request will take you less time to create freeing you up to focus on other activities.

After creating a request, you'll also notice that we've significantly improved the information hierarchy of the remediation request details page. The page has been split into two tabs:

• Overview: Metadata about the request, detailed insights into the progress of the request, and the risks and assets that are under remediation
• Timeline: The important events that have happened in the request

Messages now appear in the top right corner of your screen which makes it easy to respond to any queries recipients may have.

Learn how to send an internal remediation request or a vendor remediation request.

Other fixes and improvements

• You can now export all your audit log events or export the last 30, 60, 90, 120, or 365 days
• Added support for pulling your own, your vendors', and your subsidiaries' domains, IPs, and IP ranges, as well as associated information like the asset's security rating via the API
• Domains, IP addresses, IP ranges, and vendors can now be labelled via the API
• Improved design of login, signup, and password reset screens.

Our Vendor Risk Reports are one of our most used features. In fact, many of you have gone as far as to monitor yourself as a vendor so you can get access to a similar report on yourself!

The good news is you no longer need to do this. You can now generate a Risk Report that outlines the security posture of your organization. This report can be configured to include automated scanning results, competitor analysis, geolocation data, and underlying risk details.

It provides context about identified risks, remediation recommendations, and information about how each risk category contributes to your overall security rating.

Like our Vendor Risk Report, the language in the Risk Report is simple, easy to understand, and suitable for non-technical audiences which makes it a great tool to drive decision-making, speed up remediation, and highlight areas that could use additional resources.

Learn how to generate a risk report.

Improvements to BreachSight Executive Summary

The improved BreachSight Executive Summary is designed to make it even easier for you to communicate your security posture to stakeholders. The page and associated PDF export now outline the average security rating for your industry and provide a description and weighting for each risk category. This makes it simple for new users and internal stakeholders to understand what UpGuard measures, how you're tracking against your industry, and your strengths and weaknesses.

To see a breakdown of how each category contributes to your security rating, click How does each risk category attribute to this score? in the BreachSight overview section or click on the weighting in any of the risk categories.

We've also invested in improving the add competitors modal in the Competitor Analysis. The new design makes it easy to find and add competitors, just type in the name or URL then click Add competitor.

Learn more about the BreachSight Executive Summary and how to add a competitor.

Other fixes and improvements

• Added support for pulling Typosquatting information via the API
• Added Last Assessed to PDF export of Vendors
• Added letter grade to XLS export of Vendors
• Fixed issue causing Status and Risks detected columns to not match across the app and PDF export of Questionnaires
• Improved error and alert feedback design
• Email addresses that hard bounce are now automatically ignored in Identity Breaches

Learn about new features, changes, and improvements to UpGuard this month:

Current UpGuard customers rely on Identity Breaches to identify and notify employees who have had their credentials exposed in a third-party data breach. But not every breach impacts your organization nor do we have access to the details of every breach. 

Prior to this release, these breaches that fall under this definition weren’t visible inside UpGuard nor were other important security-related events such as ransomware attacks or M&A activity. Even if these incidents don’t impact your organization, they provide important context that can feed into your risk assessment on a vendor. 

Incidents & News is designed to provide you with a searchable, chronological feed of publicly disclosed data breaches and other security-related information such as cyber attacks, ransomware, malware, acquisitions, spin-offs, mergers, and more. 

The feed is broken down into individual items that have a date, severity, type, impacted company, summary, and where applicable other related companies. At the top of Incidents & News, you’ll see three tabs that filter down results:

1. Incidents: Think data breaches, cyber attacks, ransomware, malware, etc.
2. News: Mergers, acquisitions, spin-offs, and other security-related news. 
3. You and your vendors: Incidents and news related to you or your vendors. 
   

By default, results that are shown are limited to the last twelve months but you can adjust this timeframe as you like.

Incidents & News is currently in closed beta and will be rolled out to all customers soon. 

Learn more about Incidents & News here.

Improved questionnaire process for vendors

We’re rolling out an improved questionnaire experience for vendors to reduce the time it takes for you to get a complete and accurate questionnaire. The new page replaces, improves, and streamlines our previous questionnaire details page which vendors told us was confusing. 

Vendors can now quickly start answering the questionnaire, track their progress, discover unanswered questionnaires, and see any associated remediation requests. Messages sent to vendors will now appear in the top right corner of their screen which makes it simple to respond to your queries. 

The page has been split into three separate tabs: 

1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
2. Documents: Any attached documents 
3. Timeline: The version history and timeline of the questionnaire
   

Learn more about UpGuard makes it easy for vendors answer questionnaires.

Better remediation reporting

Managing and reporting on your remediation activity gets harder as you scale. That’s why we’re excited to be improving the reporting functionality for Remediation Requests. 

Remediation request tables now show the total number of active requests as well as a breakdown of the number of requests at each stage (in progress, awaiting review, completed, archived). 

This makes it simple to keep track of your overall progress and to dive deeper into the requests that need your attention.  We’ve also added support for exporting remediation requests to PDF or Excel, making it easy to share progress to internal stakeholders, auditors, and regulators. 

Learn how to export your internal or vendor remediation activity here.

Other fixes and improvements

• Added Date Published field to Identity Breaches API
• Added Last Assessed field to Vendors API
• Improved Typosquatting results by adding support for commonly used prefixes and suffixes
• Improved performance of Domains in tree view
• There is now a task for when a questionnaire needs to be resent

You likely already restrict access to a portion of your UpGuard account to specific users. For example, not every user on your account should have administrative access. But what we’ve heard from you is that as you onboard more users, it gets harder and harder to manage, keep track of, and update the permissions of each user. 

That’s why we’re introducing role-based access control. Administrators can now create and manage custom roles, making it easy to ensure each teammate has the right permissions and that your organization is following the principle of least privilege. You can learn more about RBAC and the principle of least privilege on our blog. 

Managing roles is as simple as creating a role, configuring your desired permissions, and assigning it to users. If you need to update a role later, any changes will cascade down to the assigned users too. 

We also heard that you wanted more granular permissions. That’s why you can now decide whether a user has access to BreachSight, Vendor Risk, or CyberResearch. This is great for situations where one team manages your attack surface and another separate team manages your vendors. 

In addition to these improvements, you can now decide whether a user has read-only or full access to BreachSight’s or Vendor Risk’s core features, as well as whether a user has access to Identity Breaches and Typosquatting. 

Role-based access control is currently in closed beta and only available for certain plans. Please reach out to us if you would like to learn more. 

Learn how to create and manage roles.

Label vendor and subsidiary domains, IP addresses, and IP ranges plus support for labelling in tree-view

Another frequent bit of feedback we receive is that you want to be able to label your vendor’s or your subsidiary’s domains, IP addresses, and IP ranges so you can drill down into the specific assets that mean something to you. Now you can. 

Next time you’re on a vendor’s or subsidiary’s Domains or IP Addresses page, you’ll see an Add label on the far right of the table. Clicking Add label will allow you to add an existing or create a new label. For context, labels in UpGuard are broken down into vendor and assets labels. This means that domain and IP address labels are shared across BreachSight and Vendor Risk. 

As part of these improvements, we’ve refreshed the design of the labels modal, moved the management of labels to Settings under the Labels tab, and added support for labelling domains in tree view across BreachSight and Vendor Risk. 

These improvements make it easier than ever to track your and your vendors’ assets and to keep your team’s labels under control. 

Learn how to label your vendor domains, IP addresses, and IP ranges and your subsidiary’s domains, IP addresses and IP ranges as well as how to manage your labels. 

Trigger webhook calls from audit log events

Administrators can now push Audit Log events into other platforms using our Integrations feature. For background, Integrations uses webhooks to notify your other applications when an event happens in your account. Examples of these events include when an identity breach or data leak is detected, the score of a watched vendor drops below a threshold, and now any Audit Log event of your choosing.

Learn how to integrate UpGuard with other services.

Other fixes and improvements

• Added an exception for Kubernetes clusters that sit behind AWS Elastic Load Balancing. This means that scores won’t change unexpectedly when Kubernetes stops and starts.
• Fixed bug causing Excel report generation to break for large exports
• Vulnerabilities that have been waived will no longer produce notifications
• Improved design of domain side panel to indicate when a risk is coming from www or the root domain

Learn about new features, changes, and improvements to UpGuard this month:

Geolocation Risk lets you discover and drill down into the geographies that your infrastructure and your vendors’ infrastructure is operating in. It’s similar to Fourth Parties but focused on geographies instead of fourth-parties. 

Monitoring Geolocation Risk is a great way to understand whether data is being hosted in different countries and what data and privacy laws may be in place to protect it.

It’s also a great way to keep track of what countries your data may be stored in. This is particularly important for organizations in regulated industries like financial services or healthcare who may have regulatory requirements that dictate what countries data can be stored in. 

Geolocation Risk information is available in the BreachSight Executive Summary, Vendor Risk Executive Summary, Vendor Summary, and the Vendor Risk Report.

Geolocation Risk is currently in beta, if you would like us to enable it on your account please contact us.

Other fixes and improvements

• Changed names of Concentration Risk and Supply Chain to Fourth Parties to improve consistency across the product and to better reflect what the feature does
• Improved the subject line of invitation emails making it even easier for new users to get started
• Removed the register a domain button from Typosquatting 
• Owned IP ranges with no active IP addresses are now shown in your or your vendors’ IP Addresses
• IP addresses that are part of an owned IP range and are discovered through a DNS record will now be labelled as Owned and DNS rather than only one