The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release is full of key additions and progress across multiple areas of the platform.
We are sure that you’ll find these quite interesting!
- Application Security Posture Management
  - Teams Dashboard
  - Filter Assets and Vulnerabilities by Team
  - Link Teams to Components and Services
  - Triage Findings by Deployment Environment
  - Improved Threat Intelligence with Ransomware Alerts
- Asset and Vulnerability Management
  - New “Delta” Import Strategy
  - Auto-populate “location” for CSV Imports
  - Easy Triage of Duplicate Findings
  - Improved Tagging Capabilities
  - Set Criticality for Components and Services
  - Manual Closing of Vulnerabilities
- Integrations
  - Support for Custom Fields in ADO Tickets
  - Improved Asset Aggregation for Qualys Infra
  - Expanded Phoenix REST API
- Other Improvements
  - Remember User Choices
  - Additional Filtering in the Navigation Graph
  - Table Column Resizing
  - Improve the Risk Breakdown column
  - Remove Limits for Multi-selection in Lists
Application Security Posture Management
Teams Dashboard
With Phoenix, it has always been easy to track the progress of individual teams with our Team dashboards. Now, you can have an overall view of your teams’ performance using the aggregated Teams dashboard.
What is Risk Magnitude? Why Risk Magnitude?
- The risk magnitude is an aggregate value that measures the vulnerability risk score in the context where the vulnerability manifests and is based on the current state of the probability of exploitation.
- The relative risk magnitude is a fairer score that takes into account the number of applications and assets that a team maintains.
Here, you can see at a glance which teams carry the highest (or lowest) risk magnitude, which ones have more open vulnerabilities, or which have had the best performance regarding vulnerabilities or risk reduction.
Filter Assets and Vulnerabilities by Team
As part of our team tracking improvements, we have added team filtering capabilities to our Findings and Asset screens. Users can apply those filters directly on the lists, and the team’s dashboards now link straight to that team’s vulnerabilities and assets.
Link Teams to Components and Services
Continuing with the team-related improvements, we are increasing the granularity of teams’ association to Applications and Environments.
Users can now link teams directly to Components (Apps) and Services (Envs) by selecting them directly or dynamically through tags.
To provide a complete picture of a team’s scope, the edit team screen now displays all Applications, Environments, Components and Services, regardless of how they are linked to the team.
Get in control of your Application Security posture and Vulnerability management
Triage Findings by Deployment Environment
Phoenix aims to provide users with a clear picture of what is running, especially for vulnerable software and applications. Our Deployed Applications concept underpins this feature.
We have now made the triaging of deployed applications even more powerful by providing a means to quickly select the findings that affect applications deployed in a particular environment directly from the list of findings. Users can also refine their selection by choosing specific applications and/or teams to focus on.
Improved Threat Intelligence with Ransomware Alerts
The number of organizations that became victims of ransomware attacks surged 143% between the first quarter of 2022 and first quarter of this year, as attackers increasingly leveraged zero-day vulnerabilities and one-day flaws to break into target networks – Dark Reading Report
We are continuously bringing additional threat intelligence information to the platform and making sure it’s available to our users where they need it the most.
This time, we have added ransomware alert tags to vulnerabilities and assets whenever there is evidence that a vulnerability is being used in ransomware activities.
Asset and Vulnerability Management
New “Delta” Import Strategy
Up until now, one of the key premises of assessment import functionality was the uploading of “full” reports, i.e. reports that always include the full list of vulnerabilities found in the scope of the assessment (list of assets) at a given time. This allowed users to get the latest report from a given tool or testing exercise, upload it, and let the platform figure out “what has changed” between this and the previous report.
This is a very powerful and practical approach, but it didn’t cover all the use cases.
With the “delta” import, we are now able to support those use cases where the user has a subset of vulnerabilities that they know exist in certain assets (e.g. repository, website, etc.), but they don’t have a full report of a particular set of assets (assessment scope).
The delta import will create new or update existing vulnerabilities, but it will not try to detect which vulnerabilities have been resolved and, hence, have disappeared from the report.
The delta strategy will also be added to the API vulnerability import. Refer to the Integration or API integration lists for the full list.
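The difference between the two strategies matters most when a partial report is uploaded as if it were a full one. The following sketch is an added illustration, not Phoenix code: the `Finding` fields, the status values, the `apply_import()` function and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass

# Illustrative model only: the field names, statuses and apply_import() are
# assumptions made for this example, not Phoenix's schema or API.
@dataclass(frozen=True)
class Finding:
    asset: str      # e.g. a repository or website
    vuln_id: str    # constructed identifier
    severity: str

def apply_import(state, report, scope, strategy):
    """Reconcile `report` into `state`, a dict {(asset, vuln_id): record}.
    "full":  report is the complete list for the assets in `scope`, so open
             findings in scope that are absent from it are closed.
    "delta": report is a known subset; create or update only, never close.
    """
    if strategy not in ("full", "delta"):
        raise ValueError(f"unknown strategy: {strategy}")
    summary = {"created": [], "updated": [], "closed": [], "rejected": []}
    seen = set()
    for f in report:
        key = (f.asset, f.vuln_id)
        if f.asset not in scope:
            # Rows for assets outside the assessment scope are not applied.
            summary["rejected"].append(key)
            continue
        seen.add(key)
        summary["updated" if key in state else "created"].append(key)
        # Assumption: a finding that is reported again is (re)opened.
        state[key] = {"severity": f.severity, "status": "open"}
    if strategy == "full":
        for key, rec in state.items():
            if key[0] in scope and key not in seen and rec["status"] == "open":
                rec["status"] = "closed"
                summary["closed"].append(key)
    return summary

def demo():
    """Apply the same one-row report (constructed data) with each strategy."""
    def baseline():
        return {("repo-a", "VULN-001"): {"severity": "high", "status": "open"},
                ("repo-a", "VULN-002"): {"severity": "low", "status": "open"}}
    partial = [Finding("repo-a", "VULN-003", "critical")]
    full_state, delta_state = baseline(), baseline()
    full = apply_import(full_state, partial, {"repo-a"}, "full")
    delta = apply_import(delta_state, partial, {"repo-a"}, "delta")
    return full, delta, full_state, delta_state
```

In `demo()`, the one-row report closes both existing findings under the full strategy, while the delta strategy only adds the new finding and leaves the existing two open.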
Auto-populate “location” for CSV Imports
If a “location” is not provided as part of a CSV import file, the platform will calculate one based on the other data available for each finding.
Easy Triage of Duplicate Findings
Vulnerability triaging has been improved by allowing users to easily see which findings are potential duplicates. This can be done in the findings list and the details page.
Working with duplicates is now even easier using the Duplicate Status filter on the vulnerability list page.
Improved Tagging Capabilities
Tagging is a key feature that allows users to easily mark and keep track of findings, assets and other entities in the Phoenix platform. In many scenarios, those tags come from the vulnerability and assets sources, but sometimes users need or prefer to tag elements directly in Phoenix.
We have expanded our tagging capabilities by allowing users to tag assets directly.
Furthermore, tagging across findings and assets can now be done in bulk, which makes this feature even more useful for manual tagging.
This can be done even for a whole group of findings.
Set Criticality for Components and Services
One of the main strengths of the Phoenix platform is that it provides context to each vulnerability, adapting the impact that each one has on the risk posture to the scope affected by it. One of the key elements of contextualisation is the application or environment criticality level, i.e., how critical the app/environment is to the organisation’s business.
With this release, we have added an extra level of granularity to our criticality configuration, and now users can define specific criticality levels for each Component and Service, overriding that of their parent Application or Environment.
Manual Closing of Vulnerabilities
The Phoenix platform can automatically manage the status of individual findings by analysing each report (from scanners or imported) and calculating the changes compared with previous reports. This means that users can connect Phoenix to their scanners and let the platform do the heavy lifting of tracking individual vulnerabilities.
However, there are situations where the user knows that a finding is not present anymore, but the vulnerability source might not provide the correct update for it (e.g., a previous import without an update). For these cases, users can now manually request the closure of individual findings, with a built-in approval flow to ensure that the right roles vet these changes.
Integrations
Support for Custom Fields in ADO Tickets
Continuing with our work to make using ticketing platforms as seamless as possible, users can now populate the custom fields in Azure DevOps tickets that they have defined for their ticket type. This is particularly useful when those fields are mandatory, but it can also help teams support their internal workflows when creating tickets from Phoenix. This functionality is available on request.
Improved Asset Aggregation for Qualys Infra
The Qualys scanner has multiple modes of asset aggregation, depending on the setting chosen by the user. In the least aggregated mode, assets can be reported multiple times if they have more than one “tracking method”. In these situations, each asset/method combination is reported separately, with its asset ID and details.
Phoenix supports these scenarios by identifying when the same asset has multiple entries in the Qualys report and merging its vulnerabilities to create a single asset and set of findings in the platform.
Expanded Phoenix REST API
We are continuously expanding the entities and operations available through our REST API. Please get in touch with us for further details or if you have a use case that you’d like to see supported.
Other Improvements
Remember User Choices
We are enhancing how the platform remembers which options the user has selected on each screen. This means that users don’t have to re-enter their selections like sorting columns, list sizes, or filters every time they navigate back to a particular screen.
In this release, we started with the Vulnerability list screens, which are among the most frequently used parts of the interface and have many options!
Additional Filtering in the Navigation Graph
We have made the Navigation Graph even more useful by allowing users to filter the visible/highlighted nodes using the legend. This, combined with the name search at the top, provides a great tool to bring out the node(s) of particular interest at any time.
Table Column Resizing
Now, most of the lists in the user interface allow users to resize the columns to display more of their content.
Even though any information that doesn’t fit in the column is normally available as a mouse-over tooltip, sometimes it makes sense to expand a certain column to see the whole content across multiple items.
Improve the Risk Breakdown column
Our users have spoken, and, as always, we have listened.
The Risk Breakdown column displays a breakdown of vulnerabilities by their risk level for whatever element is displayed in each row. This is quite useful and provides a visual indication of the proportion of vulnerabilities of each risk level.
However, we have been getting feedback that seeing the actual count of vulnerabilities directly on the column is more important than the relative proportion. Now, this column displays a numerical breakdown of vulnerabilities by risk level.
Remove Limits for Multi-selection in Lists
So far, most of our “select all” options in item lists had a limit on the number of items that would be selected. This was mostly to prevent situations where the user selects too many items inadvertently and triggers an action on all of them.
It’s become clear that this can be too limiting in some scenarios, so we are removing those limits, starting with the Vulnerabilities screen and the Security > Risk Exceptions page.