
Your vendor security pages, in one place
In this release we have added a new feature to store Trust and Security page links against each vendor organization, making it easier to source and access publicly available security information to perform risk assessments.
- We have added more than 4,000 links for relevant trust and security pages to the profiles of our most highly-monitored vendors.
- Any organization that has a Shared Profile in UpGuard can add additional relevant links to their own profile, making them available to other organizations assessing them in the UpGuard platform.
- Vendor Risk users can also add links to the profile of any organization they are monitoring to use in their own vendor assessments.
To learn more see How to use Trust and Security pages in UpGuard.
Score change for public headers
The risks for security headers introduced in November 2022 have now been updated from unscored provisional risks to risks with score penalties applied. The penalties for these risks are averaged into the scoring algorithm, so the number of domains that incur a score decrease will equal the number that see a score increase, depending on whether they have implemented these controls at a lower or higher rate than average. You will see an indicator on the Risk Profile timeline so that changes in scores can be attributed to the introduction of penalties for these risks.
Portfolios view for your domains in BreachSight, now in beta
Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. This feature is now in a limited beta test. If you’d like to try it out, get in touch with your Technical Account Manager or contact us via support@upguard.com.
Other improvements
- It’s now easier to find and use Shared Profile documents your vendor has uploaded. These can be found in the Questionnaires, Additional Evidence and Risk Assessments views.
- We’ve added a warning if vendors try to submit questionnaire updates without making changes, to cut back on unnecessary steps.
- We’ve made some changes to the risk profile pages, adding a status column to improve visibility of risk waivers as well as remediation requests. We’ve also made it easier for you to edit your risk waivers if the scope changes.
- This release includes a number of bug fixes.

Two major questionnaire updates
This release includes two updates to questionnaires that we think you’re going to want to know about. Firstly, we’ve introduced a new version of our ISO 27001 questionnaire. This new version is in line with the ISO/IEC 27001:2022 standard which was published in late 2022. Secondly, we’ve added the ability for vendors to export the questionnaires from UpGuard, complete them, and import them back into the platform. Read on to learn more.
ISO 27001:2022 Questionnaire update
Now available in the Vendor Risk Questionnaire Library, this update brings our ISO 27001 questionnaire up to date with the latest standard. You will be able to continue to access both the previous version as well as the new one via the Questionnaire Library.
Questionnaire answer import tool – now in beta
Vendors can make use of this new feature to export questionnaires as .XLSX workbooks, add their responses offline, and then import them back to UpGuard to complete the process. This gives vendors the flexibility to complete questionnaires faster and more easily, in the tools of their choosing. This feature is now in beta, with feedback welcome. Learn more about it here.
Other improvements
- We’ve made some layout and sorting improvements to the competitors table for subsidiary-type accounts.
- This release includes a number of bug fixes.

What’s New in UpGuard | February 2023
Learn about new features, changes, and improvements to UpGuard this month.
- We’ve updated our ISO 27001 Questionnaire in line with the latest standard. You can access both the latest version and the previous one via the Questionnaire Library in Vendor Risk.
- Vendors can now complete questionnaires faster and easier in the tool of their choice via the Questionnaire Answer import tool. This new feature allows vendors to export Questionnaires as an Excel document, add their responses, and import back into the UpGuard Platform to complete the questionnaire.
- We’ve added a new Risk Assessment Summary report showing the risk assessment status across your vendors.
- We have added additional risks for domains at risk of hijacking. You can now receive notifications of new active domains and IPs, and reduce the time to remediate associated risks.

Additional risks for domain hijacking
We have added additional risks for domains at risk of hijacking. In addition to existing checks for websites that can be taken over, we have now added detection for expired domains in MX records, which could be registered to compromise email security.
To learn more see How does UpGuard detect sites at risk of subdomain takeover?
Add sorting to competitor analysis in BreachSight
In the BreachSight Executive Summary, you can now sort the Competitor Analysis panel by name or score to more easily understand how your organization compares to peers.
Improved risk detection for primary domains
When the example.com and www.example.com versions of a site are different, the risks associated with each version of the site are more accurately reported.
Other improvements
- Risk detection for Microsoft Exchange now uses the full build version for more accurate detection and resolution of vulnerabilities.
- Risks are now raised for domains that serve publicly listable cloud storage buckets. Buckets should be configured not to allow public file listing to prevent potential data leaks.
- We have exempted more risks specific to Microsoft domains. Generally these risks pertain to SSL/TLS issues that do not appear exploitable and that the domain owners are not able to resolve.
- Account administrators can now enforce MFA logins for all users in the account, without having to contact UpGuard support. This feature is available through the User Settings page, and only applies to users that are not using SSO authentication.
- We’ve streamlined the process for when you stop monitoring a vendor – now your open questionnaires and remediation requests will be automatically archived.
- This release includes a number of bug fixes.

New Risk Assessment Summary Report
Following on from the addition of risk assessment summary information to the Vendors page, we’ve added a new report showing risk assessment status across your vendors.
The report will give you a useful snapshot to help you:
- Track and follow up on the status of your in-progress risk assessments
- See which vendors are due for re-assessment, to help you plan for and schedule assessment activity
- See which vendors have not been assessed, so you can plan for future assessments
To learn more see How to generate a vendor risk assessment summary report
Additional risks for domain hijacking
We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following additional services:
- Shopify
- Campaign Monitor
- Kajabi
- SmartJobBoard
- HatenaBlog
- Worksites
- Uptimerobot
- Help Juice
To learn more see How does UpGuard detect sites at risk of subdomain takeover?
Incorporating Managed Vendors into Vendor Risk, and Data Leaks into BreachSight
In order to simplify our navigation and product offering, we have removed the Cyber Research section in UpGuard. Existing customers will now find Data Leaks included in the BreachSight section, and Managed Vendors included in the Vendor Risk section of the application. There are no changes to entitlements, plans, or the service levels of these products.
Other improvements
- We’ve made a few more improvements to the Notifications page, to re-order sections and add clearer description text for some notifications.
- This release includes a number of bug fixes.

Helping you manage in-app and email notifications
UpGuard’s granular notification system supports many customisable settings that can be overwhelming at first glance. To ensure more effective use of this powerful system, we’ve overhauled the grouping, naming and descriptions of each type of notification. Now, setting up your email and in-app notifications on the Manage Notifications screen is easier to keep track of and understand.
Read more about notifications here: What are notifications in UpGuard?
Additional risks for domain hijacking
We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following services: Agile CRM, Strikingly, Anima, Surge.sh.
To learn more see How does UpGuard detect sites at risk of subdomain takeover?
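As an added illustration (not UpGuard's code or its detection method), the following Python example audits a zone export for MX, CNAME and NS records whose target sits under a domain that is no longer registered, which is the condition described in this note and in the earlier note on expired domains in MX records. The zone contents, the registration table standing in for an RDAP/WHOIS lookup, and the two-label registrable-domain shortcut are constructed assumptions.

```python
"""Flag DNS records in your own zone that point at unregistered domains."""
from typing import NamedTuple

POINTER_TYPES = {"CNAME", "MX", "NS"}  # record types whose data names another host

# Constructed zone export for the placeholder organisation example.com.
ZONE = """\
example.com.       3600 IN MX    10 mail.example-mailhost.test.
example.com.       3600 IN MX    20 mx.oldprovider-example.test.
shop.example.com.  300  IN CNAME shops.hosted-example.test.
blog.example.com.  300  IN CNAME sites.lapsed-example.test.
docs.example.com.  300  IN CNAME docs.unchecked-example.test.
mail.example.com.  300  IN CNAME mx1.example.com.
www.example.com.   300  IN A     192.0.2.10
"""

# Constructed registration status; a real audit would query RDAP/WHOIS instead.
REGISTERED = {
    "example-mailhost.test": True,
    "oldprovider-example.test": False,
    "hosted-example.test": True,
    "lapsed-example.test": False,
}

class Record(NamedTuple):
    owner: str
    rtype: str
    target: str

def normalise(name):
    return name.rstrip(".").lower()

def parse_zone(text):
    """Return the pointer-type records from a simple 'owner ttl IN type data' export."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype not in POINTER_TYPES:
            continue
        if rtype == "MX":  # MX data is "<preference> <exchange>"
            if len(rdata) < 2:
                continue
            rdata = rdata[1:]
        target = normalise(rdata[0])
        if target:  # a null MX (".") has no target to check
            records.append(Record(normalise(fields[0]), rtype, target))
    return records

def registrable_domain(host):
    # Assumption: the last two labels; real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def find_dangling(records, own_domain, lookup):
    """lookup(domain) returns True (registered), False (not), or None (unknown)."""
    findings = []
    for rec in records:
        base = registrable_domain(rec.target)
        if base == own_domain:
            continue  # target is inside the zone being audited
        status = lookup(base)
        if status is not True:  # unknown status is reported, never assumed safe
            state = "unregistered" if status is False else "unknown"
            findings.append((rec.owner, rec.rtype, base, state))
    return findings

if __name__ == "__main__":
    for finding in find_dangling(parse_zone(ZONE), "example.com", REGISTERED.get):
        print(*finding)
```

Records flagged as unregistered should be removed or repointed; those flagged as unknown need a manual registration check before they are treated as safe.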
Ability to bulk-update custom vendor attributes
If you’ve been using custom vendor attributes to store important information such as contract expiry date, you will now be able to bulk-edit attributes from the vendors screen. Similar to how you manage tiers, labels and portfolios, this functionality will help you update and assign attributes more quickly and efficiently.
To learn more see How to use custom vendor attributes.
Other improvements
- In this release we’ve improved the speed of resolving risks relating to closed ports - risks are now resolved immediately when you request a rescan of a domain or IP.
- This release includes a number of bug fixes.

What’s New in UpGuard | December 2022
Learn about new features, changes, and improvements to UpGuard this month.
- BreachSight users can now see the date that risks were discovered in their risk profile. This new enhancement makes it easier for you to know when risks are introduced to your environment, and assess what changes could have caused them. We’ve also added Date Published for identity breaches to help you better understand the timeline for breach disclosures.
- If you’ve been using custom vendor attributes to store important dates, such as a contract expiry date, you will now be able to create custom notifications for these attributes. These notifications will help you keep track of these important dates, and can be added as in-app messages in your activity stream, or as email notifications.
- To make it faster and easier for you to keep track of risk assessment statuses across all of your vendors, we’ve added an Assessment summary section to the Vendors page. This lets you quickly filter your view based on risk assessment status, so you can choose which actions to take next. We’ve also added Assessment author and Reassessment date as columns on the vendors table, and made it easier for you to tailor your vendors page to see the information that’s most important to you.

New ways to keep track of risk assessment status across vendors
To make it faster and easier for you to keep track of risk assessment statuses across all your vendors, we’ve added an Assessment summary section to the Vendors page. This lets you quickly filter your view based on risk assessment status, so you can choose which actions to take next.
We’ve also added Assessment author and Reassessment date as columns on the vendors table, and made it easier for you to tailor your vendors page to see the information that’s most important to you. To learn more see What is the Vendors section?
Amazon S3 subdomain takeover detection
To detect sites at risk of subdomain takeover, UpGuard now checks domains for DNS records that point to resources that are not in use and thereby available for others to register. We are rolling this out initially to provide checks on Amazon S3 buckets, with more information available here.
Notifications for date-type vendor attributes
If you’ve been using custom vendor attributes to store important dates such as contract expiry date, you will now be able to create custom notifications for these date-type attributes. These notifications will help you keep track of these important dates and can be added as in-app messages in your activity stream or email notifications (email notifications are turned off by default).
To learn more see How to use custom vendor attributes.
Other improvements
- Risk Profile xlsx exports now include columns for Domain and IP Labels.
- When viewing the Domains page for your organization or for a vendor, you can now filter the list of domains by their associated risks.
- We have made some improvements to the questionnaire autofill feature to more accurately detect non-exact matches.
- This release includes a number of bug fixes.

Enhancements to risk profile to show the date a risk was found
We have enhanced the BreachSight risk profile to show the date that risks were discovered. This makes it easier for you to know when risks are introduced to your environment, and assess what changes could have caused them.
We’ve also added Date Published for identity breaches to help you better understand the timeline for breach disclosures.
Questionnaire changes view
Previously in beta, the questionnaire changes view is now available to all Vendor Risk customers. This feature makes it faster and easier to see how responses have changed between versions of a questionnaire, so that you can focus on the information that’s most relevant. To learn more see How to compare responses using the questionnaire changes view.
Other improvements
- We’ve added PDF export capability to the Data Leaks summary page
- We’ve increased the character limits for custom attribute and notes fields
- This release also includes a number of bug fixes

What’s New in UpGuard | November 2022
Learn about new features, changes, and improvements to UpGuard this month.
- Beta customers can compare responses between two versions of a questionnaire with our Questionnaire Changes View. This new feature will make it faster and easier for you to reassess your vendors, by allowing you to focus on questionnaire responses that have changed, giving you a more accurate and up-to-date picture of the vendor’s security posture. Talk to your Technical Account Manager or reach out to support@upguard.com to learn more.
- To help drive the risk assessment process and ensure your vendors respond to you, we’ve added some new notifications to keep track of and follow up on your activity within UpGuard. These include risk reassessment dates, and questionnaire and remediation request due dates. You can configure these notifications to appear in-app on your home screen, as well as via email in your Settings.
- We’ve added two new questionnaires to the library—the Higher Education Community Vendor Assessment Tool (HECVAT) questionnaire, as well as a HECVAT Lite version—which will help institutions align their vendor risk posture to higher education-specific security controls.
- You can now quickly and easily identify your organization's highest areas of risk with our CISA Known Exploited Vulnerabilities (KEV) feature. This feature will allow you to prioritize the remediation of vulnerabilities that directly impact your business, and allow you to set up notifications to be informed when a vulnerability you have is added to the KEV list.

Questionnaire changes view
We are rolling out ‘questionnaire changes view’ to our Beta program customers. This feature enables you to compare responses between two versions of a questionnaire side by side, making it significantly faster and easier for you to re-assess your vendors.
The questionnaire changes view allows you to focus in on the responses that have changed. It gives you a more accurate and up-to-date picture of the vendor’s security posture without the risk of having answers that have changed without your knowledge. To learn more about using the changes view, this article has more information.
We are initially releasing the questionnaire changes view to a group of Beta customers. If you would like to be part of the Beta, please reach out to your Customer Success representative or send a request on Intercom.
Part of the Beta group and have feedback to leave? Share your thoughts here.
Notifications for risk reassessment and due dates
We’ve added some new notifications to help keep track of and follow up on your activity within UpGuard including risk reassessment dates, remediation request and questionnaire due dates.
You can configure these notifications to appear in-app on your home screen and/or via email in Settings. Email notifications will be switched off by default. To learn more check out Notifications in UpGuard.
Inviting a vendor to a free trial
We previously enabled UpGuard Vendor Risk customers to provide 14 days of free access to their vendors. We’ve improved this feature by making the invite button more visible in the platform—this can be found in any vendor’s header next to the vendor name.
Learn more about how you can proactively improve your third party security by providing your vendors access to the UpGuard platform here.
Addition of new HECVAT questionnaires
We’ve added two new questionnaires to the library—the Higher Education Community Vendor Assessment Tool (HECVAT) questionnaire, as well as a HECVAT Lite version—which will help institutions align their vendor risk posture to higher education-specific security controls.
Other improvements
- Added informational risks to identify unmaintained assets, like those serving default server pages and web directories.
- Added informational risks for sites without Certificate Authority Authorization records.
- Data leaks where the developer’s business email address is found in the event history will be broken out into a “Github User” source. Keyword matches that occur in the code contents will continue to be labeled with the “Github” source.
- Improvements to the performance of notifications. This includes batching a variety of notification types to reduce spam.
- Improvements to the vendor search experience when used in combination with filters and portfolios.
- This release includes a number of bug fixes.

CISA known exploited vulnerabilities tags and notifications
You can now quickly identify which vulnerabilities on your assets are on CISA’s list of known exploited vulnerabilities (KEV), pointing you towards your highest areas of risk at a glance.
At any given time, threat actors are only targeting a small number of vulnerabilities, and this feature will allow you to prioritize the remediation of those vulnerabilities that directly impact your business. As part of this feature, you can also set up notifications to be informed when a vulnerability you have is added to the KEV list.
New Data Leaks home page
The new Data Leaks Home page provides more reporting capabilities for understanding where those mentions of your brand keywords are occurring. UpGuard’s Data Leaks engine processes billions of files each day to identify the small number of sensitive data exposures affecting our customers. This information will help understand your risk profile for leaks and demonstrate your controls for the timely detection of data exposures. Over the coming weeks, this feature will be rolled out to accounts with Data Leaks enabled.
Additional risks for website security headers
We’ve added detection for more risks related to website security headers. These risks will be released in a “provisional state,” meaning they are visible but do not affect scoring. After a provisional period of one month, the risks will be updated to include scoring penalties.
Improvements to remediation exports
We’ve added new capabilities to the remediation export to assist with tracking and auditing of remediation activity, including:
- Additional fields in the remediation summary exports
- Addition of export capability for individual remediation
To learn more about these improvements check out How to export your internal remediation requests and How to export your vendor remediation requests.
Other improvements
- Added detection for the OpenSSL 3.0 vulnerabilities CVE-2022-3786 and CVE-2022-3602
- You can now delete risk waivers in UpGuard BreachSight as opposed to archiving them
- This release includes some more performance improvements
- This release includes a number of bug fixes