dmaciejak

FortiPenTest, Fortinet's cloud-based pentest-as-a-service offering, has just been updated to version 21.2.
This new version brings improvements to the portal as well as exciting new features, which we discuss below.

Enhancements to asset scans

The general scan process has been updated to allow a more fine-grained setup for power users. For example, HTTP authentication schemes have been enhanced and now support the Digest and NTLM methods.
Moreover, the UI now lets you configure which vulnerability categories and subcategories you want to enable or disable for the scan.


If you have specific paths you want to exclude, or hidden paths you absolutely want the scan to cover, you can now specify them via the Inclusion/Exclusion lists.


You will typically want to exclude all paths that could prevent the automatic scan from completing properly or could harm the integrity of your web application. For example, you should set exceptions for all /logout endpoints and for endpoints that interact with your service accounts or credentials. The inclusion list is usually used when a path is hidden from the crawler, i.e. there is no direct reference to that URL anywhere in the crawled web application; /admin portals are a typical example.
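To make the two effects described above concrete, here is an added example (not FortiPenTest code) of a toy crawler with an exclusion list and an inclusion list. It runs against a constructed in-memory site where visiting /logout invalidates the scanner's session and /admin is not linked from any page, so you can see why the first must be excluded and the second must be seeded explicitly. All paths, the `SITE` map and the `Session` class are constructed for this illustration.

```python
"""Toy crawler showing the effect of scan-scope Inclusion/Exclusion lists.

Added example; constructed site, not the FortiPenTest engine.
"""
import re
from collections import deque

# Constructed in-memory application: path -> (requires_auth, outgoing links).
SITE = {
    "/": (False, ["/docs", "/account", "/logout"]),
    "/docs": (False, []),
    "/account": (True, ["/account/settings", "/logout"]),
    "/account/settings": (True, []),
    "/logout": (False, []),            # visiting this kills the session
    "/admin": (True, ["/admin/users"]),  # hidden: no page links to it
    "/admin/users": (True, []),
}


class Session:
    """Simulated authenticated HTTP session of the scanner."""

    def __init__(self):
        self.authenticated = True

    def get(self, path):
        requires_auth, links = SITE[path]
        if path == "/logout":
            # The application invalidates the session; every later
            # request to a protected page is redirected to the login form.
            self.authenticated = False
        if requires_auth and not self.authenticated:
            return 302, []  # redirect to login, no links to follow
        return 200, links


def in_scope(path, exclude_patterns):
    """A path is in scope unless it matches any exclusion regex."""
    return not any(re.search(pattern, path) for pattern in exclude_patterns)


def crawl(seed="/", include=(), exclude=()):
    """Breadth-first crawl; returns {path: status} for every page requested.

    include: extra seed paths the crawler would never discover by itself.
    exclude: regexes for paths the crawler must never request.
    """
    session = Session()
    queue = deque([seed, *include])
    seen = set()
    reached = {}
    while queue:
        path = queue.popleft()
        if path in seen or not in_scope(path, exclude):
            continue
        seen.add(path)
        status, links = session.get(path)
        reached[path] = status
        queue.extend(links)
    return reached


if __name__ == "__main__":
    # Default scope: /logout is followed, so /account/settings is never
    # scanned while authenticated, and /admin is never found at all.
    print("no scope rules :", crawl())
    # Tuned scope: /logout excluded, /admin seeded via the inclusion list.
    print("with scope rules:", crawl(include=["/admin"], exclude=[r"^/logout$"]))
```

Without scope rules, the crawler hits /logout before /account/settings and then only sees the login redirect (302) for the protected page; with the exclusion pattern the protected page is scanned with a live session (200), and the inclusion seed brings the unlinked /admin tree into the scan.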

In this new version, we also introduced a remediation scan feature that lets you run a partial rescan to validate whether a previously reported vulnerability has been successfully fixed.

Add-ons to UI

The UI also comes with a graphical visualisation that depicts the threat mitigation trend as the evolution of the threat level score over time. At a glance, it shows whether the risk associated with an asset is increasing or decreasing.



Enhanced Detailed Report

The report feature has been enhanced to add new external references like those from OWASP 2013, OWASP 2017, CWE, WASC, CAPEC, HIPAA, ISO27001, and PCI v3.2.

The technical description has been templated to present relevant and precise information, such as the payload used in the test request and the response obtained, allowing you to manually replay the attack scenario if needed.


Please watch the short video below showcasing the main new UI features.



FortiPenTest Scripting Engine (FSE)

Last but not least, FortiPenTest now embeds its own proprietary exploit engine to detect and determine the exploitability of specific vulnerabilities using pre-defined scripts. These scripts exploit the vulnerabilities, thus providing a high-confidence breachability result.

Currently, they cover critical and high-severity vulnerabilities identified in SAP and WordPress systems.


Summary

We've covered just a few of the new features of the 21.2 release.
Please log on to https://fortipentest.com/ to check out these exciting new features and much more.

You can contact your Fortinet sales representative to get a free evaluation license.

You can also check the release notes at https://docs.fortinet.com/document/fortipentest/21.2.0/fortipentest-release-notes/ for more details.