UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
April 2024
New ServiceNow integration

Toby Roger
April 29, 2024

The new version of our ServiceNow Vendor Risk integration is now available. You can add UpGuard as a Third Party Risk Score provider, and sync your monitored vendors within UpGuard with the vendors listed in ServiceNow.

The integration also allows you to view UpGuard vendor information in ServiceNow, including tiers, labels, domain counts, score and risk count by severity, as well as industry average score and score trend information. To learn more see How to set up ServiceNow Vendor Risk integration with UpGuard or access the integration from the ServiceNow Store.

Predictive scoring for vulnerability exploitation

To help improve the prioritization of vulnerabilities, we’ve integrated the Exploit Prediction Scoring System (EPSS) into UpGuard’s Vulnerabilities module. EPSS uses a machine learning model trained to determine the likelihood that a CVE will be exploited in the next 30 days. Comparisons with CVSS show that EPSS is about 10x more efficient at identifying which vulnerabilities will and will not be exploited, making the most of your security and IT teams’ finite resources. Learn more about EPSS and how to use it in UpGuard.

Other improvements

  • Trust Exchange users can now save requested documents into their content library for re-use.
  • Collaborating on imported questionnaires is now easier as you can add collaborators via the questionnaire details view.
  • Imported questionnaires can now be published to the shared profile.
  • This release also includes a number of bug fixes.
April 2024
Answer questionnaires faster with import improvements

Annie Luu
April 9, 2024

Your imported questionnaires can now be used as a source for AI Autofill, so each questionnaire you answer in UpGuard Trust Exchange makes your subsequent questionnaires more accurate, faster, and easier. We’ve also added the ability to archive and delete imported questionnaires, as well as see suggested documents from your content library in the questionnaire viewer. Try these features out for yourself by importing a questionnaire.

Improvement to Vendor Risk Executive Summary 

We’ve enhanced the monthly distribution of vendor risk ratings on the Executive Summary page, updating the graph to show 13 months of data (allowing for a full 12-month comparison period) and changing it to a stacked bar graph to improve readability. These changes also extend to the Vendor Risk Executive Summary export and the Board report. To learn more, see What is in the UpGuard Vendor Risk Executive Summary Report?

Other improvements

  • Added vulnerability detection for Openfire administration consoles.
  • Added detections for potential subdomain takeovers for Heroku, Netlify, Vercel, and GitHub Pages.
  • This release also includes a number of bug fixes.
March 2024
Introducing the Vendor Risk digest

Annie Luu
March 27, 2024

To help you keep on top of your vendor risk management, we’ve introduced the Vendor Risk digest, a monthly email highlighting key information related to your vendor portfolio in UpGuard. The email includes team activity such as risk assessments, remediations and questionnaires, and changes to vendor risk profile, highlighting key risk areas. 

All full-access users will receive the digest monthly by default. This can be configured in Manage Notifications.

New vulnerability detections added

We’ve added detections for Jenkins and TeamCity instances, along with any vulnerabilities associated with their respective product versions, to help protect against ongoing campaigns targeting CI/CD infrastructure.

Added IP reputation data to Typosquatting

To help identify malicious domains impersonating your brand, we have enhanced the Typosquatting module to show whether those domains or IP addresses have been flagged by DNS blocklists. This information provides a strong signal that these similar domains are used by malicious actors. 

Infostealer malware alerts added to Identity Breaches

Employee credentials can be stolen when their devices are infected with malware. We’ve added the option for alerts for this kind of event to Identity Breaches, included with Professional, Corporate, and Enterprise plans. 

Other improvements

  • We’ve added an Export to the Detected Products pages in BreachSight.
  • To make it easier for you to tag and identify historical reports, we’ve added the ability to rename generated reports. To learn more, see Reporting in UpGuard.
  • We’ve added more flexibility to user permissions by adding the option for portfolio-restricted users to have access to the questionnaire builder. This is controlled by setting permissions in the user settings and is set to off by default.
  • AI Autofill is now available on more questionnaire types. 
  • Duplicate document detection has been added to the Content Library, to make it easier to manage your security documentation. 
  • Shared Profile users can now add an “Other” category for their Trust & Security Pages. 
  • We have updated our Platform Terms & Conditions and Subprocessors to better reflect the services we provide.
  • This release also includes a number of bug fixes
March 2024
Import and answer security questionnaires in minutes – for free

Annie Luu
March 13, 2024

We’re making it easier than ever to answer security questionnaires with UpGuard’s Trust Exchange. You can now import any security questionnaire in Excel format, along with past responses and other documentation, and use that information to populate the questionnaire with AI-driven suggestions. Save your responses for next time and export the questionnaire back to its original format.

The UpGuard Trust Exchange is free to use. BreachSight and Vendor Risk customers can invite colleagues to start using the Trust Exchange without affecting their plan’s user limits.

Other improvements

  • You can now request additional report types through the API. In addition to the Vendor detail, Vendor summary and Board reports, you can now request Custom vendor reports, as well as Risk profile, Vulnerability and Domain list exports. To learn more, see How to request a report via the UpGuard API.
  • To give you more flexibility to customize your communications when sharing reports, we’ve added a new email template for Generated Reports. To learn more, see How to set up templates in UpGuard.
  • You can now store longer notes against your Vendor records, with a new character limit of 1000 characters (increased from 500 characters).
February 2024
Ability to conduct concurrent risk assessments for a single vendor

Annie Luu
February 28, 2024

To give you more flexibility when conducting risk assessments, we’ve added the ability to create multiple concurrent risk assessments for a single vendor. You can now add custom names and scope for each risk assessment, to correspond to the specific purpose and scope of each assessment, such as product or region-based risk assessments.

To learn more about vendor risk assessments and these changes see How to complete a risk assessment.

Introducing the UpGuard Trust Exchange and Content Library

We’re consolidating our existing tools to answer security questionnaires, respond to requests for documentation and choose what to share in your Shared Profile under one banner: the UpGuard Trust Exchange. Plus, we’re introducing a content library, where you can manage and reuse previously uploaded documents. 

  • New: "Trust Exchange" menu item in your navigation
  • New: Content library feature to manage and reuse documents uploaded as part of security questionnaires
  • Move: "My Shared Profile" moves into Trust Exchange 

Improved visibility into your asset inventory with Detected Products

To extend the visibility into your asset inventory in BreachSight, we’ve added a new section called Detected Products that displays in-depth information about the software and other products used on your domains and IPs.

This information extends what is already available in Vulnerabilities (an inventory of software products with known vulnerabilities) to show products in use that may not yet have CVEs. Having this information allows you to audit for unapproved software and respond more quickly when a new vulnerability is discovered for one of the products you use.

Added link to registrar's abuse page to typosquatting 

When malicious domains impersonating your brand are detected by the Typosquatting module, the next step is to remediate the risk by contacting the domain registrar and reporting the abuse. You can now go straight to the page of the registrar or other relevant internet authority from Typosquatting to begin the takedown process.

Other improvements

  • We have begun the process of rolling out credentials stolen by infostealer malware as an enhancement to Identity Breaches for all customers on the Professional plan and above. 
  • We have added detection for CVE-2024-1709 and other vulnerabilities in ConnectWise ScreenConnect.
  • To make it quicker to download reports, we’ve added the ability for users to download multiple reports at the same time from the Generated reports page.
  • This release includes a number of bug fixes.
February 2024
What’s new in UpGuard | February 2024

UpGuard Team
February 1, 2024

Learn about new features, changes, and improvements to UpGuard this month.

  • To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Fortra GoAnywhere, Ivanti Connect Secure, Apache Superset, and GitLab.
  • We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or subsets of an organization rather than the entire vendor.
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires.
January 2024
Fortra GoAnywhere MFT CVE-2024-0204 detection added

Annie Luu
January 30, 2024

CVE-2024-0204, a critical authentication bypass vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, allows unauthorized users to create admin users and bypass authentication requirements.

While this vulnerability is not yet in the Known Exploited Vulnerabilities catalog, GoAnywhere was previously targeted by the Cl0p ransomware group in early 2023, making it crucial to patch now before it’s too late.

Other improvements

  • This release includes a number of bug fixes
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires
  • To help you easily get an overview of task statuses, we’ve added % complete and due date columns to remediation request pages, and % complete to questionnaire list pages
January 2024
Flexibility for domain inclusion in Risk Assessments

Annie Luu
January 18, 2024

We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or subsets of an organization rather than the entire vendor. This is one of a broader set of improvements, to be delivered over the coming weeks, that add more flexibility to the risk assessment workflow.

To learn more see How to complete a risk assessment.

Detections for Ivanti Connect Secure, Apache Superset, and GitLab

To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Ivanti Connect Secure, Apache Superset, and GitLab. For Superset, any vulnerabilities associated with the affected version will appear. There is currently no patch for the Connect Secure vulnerability, only mitigations, so any detected instances should be investigated to ensure those protections are in place.

Additional filtering for labels in Domains and IP Addresses

There are now more operators available when filtering the Domains and IPs pages based on labels. Similar to existing functionality in the Vendor Risk Portfolio, you can now choose to match any or all labels, exclude labels, and filter to assets with no labels. 

Other improvements

  • This release includes a number of bug fixes
December 2023
Adjust the severity of additional evidence risks

Annie Luu
December 20, 2023

Following on from our recent release that provided the ability to adjust the severity of a questionnaire risk, Vendor Risk customers can now reduce (or increase) the criticality of a risk that originates from additional evidence. This makes it easier for you to manage vendor risks within the platform, and provides you with a more nuanced view of the risks that incorporate compensating controls or other information provided by the vendor. 

Other improvements

  • This release also includes a number of bug fixes

December 2023
Ability to adjust severity of vendor risks

Annie Luu
December 7, 2023

We’ve added the ability for users to reduce the criticality of a risk based on compensating controls or information provided by the vendor, making it easier for you to manage vendor risks within the platform. In this release we’ve made this available for risks raised from questionnaires, and we will extend this capability to scanning and additional evidence risks in future releases.

To learn more see How to adjust the severity of a risk.

Automation of tiers, labels, portfolios and custom attributes

Vendor Risk customers on our Professional, Corporate, and Enterprise plans can now say ‘goodbye’ to the time-consuming manual work of classifying vendors. Our automation feature allows you to set up rules that trigger when a relationship questionnaire is returned, automatically populating the vendor’s attributes with information gathered in the relationship questionnaire.

Not only does this save time and reduce manual repetitive tasks, it is useful in codifying your vendor classification processes, so you know that the information you’re storing is accurate and consistent. 

To learn more see How to use automation to apply tiers, labels, portfolios and custom attributes to your vendors.

Other improvements

  • We’ve made some improvements to risk assessments including making changes to ensure commentary edits are carried over between versions and on re-assessment
  • This release also includes a number of bug fixes

November 2023
Ability to shortlist key risks in risk assessments

Annie Luu
November 22, 2023

We’ve added the ability to create a shortlist of key risks as part of a risk assessment, allowing you to highlight important risks and those requiring follow-up. You can choose to include only key risks as part of your risk assessment report, in lieu of displaying the full list of risks. To learn more, see How to complete a risk assessment.

API flexible permissions

We’ve revised API permissions to allow a finer-grained set of permissions and visibility:

  • Added a Read/Read&Write flag so that a given API key can either access only GET functions or access GET, PUT, POST and DELETE functions.
  • Expanded on the current Data Leaks permission to allow an API key to be defined by role.
  • To protect existing integrations, all existing API Keys will be granted full access. The new model will only apply to keys generated after this release.

To learn more see UpGuard’s API documentation.

Vendor monitoring API changes

We’ve created specific API endpoints to start monitoring and stop monitoring a vendor. This allows us to follow more established and consistent API design practices as well as restrict the monitoring to only those API Keys that have Vendor Risk Read&Write permissions. In subsequent releases, we will deprecate the “start_monitoring” flag in the /vendor API endpoint and remove that feature:

  • Vendor ID or Primary Host Name) to the list of monitored vendors. This supports the same functionality as our existing /vendor API when start_monitoring = true, such as:

      - The ability to apply labels and tiers;
      - A wait for a scan feature that scans the vendor before returning the results;
      - Checks on UpGuard licenses maximum Vendor counts.

  • /vendor/unmonitor – A new endpoint that will remove the specific vendor (based on Vendor ID or Primary Host Name) from the list of monitored vendors.

To learn more see UpGuard’s API documentation.

SysAid vulnerability detection

We’ve added detection for the SysAid product, its version, and associated vulnerabilities, notably CVE-2023-47246, which is being exploited by the Clop group.

Other improvements

  • This release includes a number of bug fixes.
November 2023
Remediation available for Additional Evidence risks

Annie Luu
November 8, 2023

We’ve made it easier for you to manage risks you have raised for additional evidence documentation by adding the ability to request remediation from your vendors. To learn more see How to capture additional evidence.

Edit Lock-out for completed questionnaires

To give customers more control over their assessment process, we’ve added a feature that prevents vendors from updating completed questionnaires. The default behaviour is to prevent vendor updates to completed questionnaires, but this can be easily controlled at an account level with the Allow changes to completed questionnaires toggle in Questionnaires settings.

Other improvements

  • New fields have been added to Vendor Details API including: risk assessment status, last assessment date, portfolios and notes
  • This release includes a number of bug fixes
