Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.



February 2018

Release Date:  2018-02-27

Features

Scale Internal (64-Bit Only)

With this release we are announcing the availability of Appsec Scale for the scanning of internal Web applications. Appsec Scale can now be installed as part of the latest 4.1.148 upgrade to HIABs. Customers who already have Appsec Scale can take advantage of this by installing HIABs internally, following the installation information found in Outscan Portal - Support - Deployment guide for HIAB.

Customers wishing to utilize Appsec Scale for application security testing should contact their Outpost24 sales rep for information on how they can obtain the relevant licenses and software.

Application Security UI (Beta) refresh

As we continue to improve our Application security offerings, a new consolidated UI is being released as a public beta for all existing SWAT and Scale customers. This will appear in the Outscan portal as a new menu option. Note that this will not replace or impact your current usage of the existing SWAT or Scale UIs.

The UI follows a similar look and feel to the recently released AppSec Scale product and combines SWAT into the UI alongside Scale. Customers are encouraged to review the UI and report bugs, feature requests or general feedback through the Outpost24 support portal (https://outpost24.com/support). Pending feedback from customers, the GA for the new AppSec UI will be mid Q2 2018, after which we will continue to run the existing UIs for a further 3 months as customers adjust to the transition. We anticipate the existing SWAT and Scale UIs to be removed in mid Q3 2018.

RESTful API for AppSec

A new RESTful API has been released as part of the AppSec UI refresh. The API supports the usual REST methods such as GET, PUT, POST and DELETE. Additional documentation will be provided for customers wishing to understand how they can use the API within their security ecosystem. This can be located in the Support section of the Outscan portal.

As this API is part of the Application Security UI refresh, it should be considered to be in Beta test. A further notification will be issued once the beta test phase concludes and the API is deemed generally available (GA), currently scheduled for mid Q2 2018.

ServiceNow integration

As well as the existing ServiceNow integration, we have now released an application into the ServiceNow App store. The Outpost24 Vulnerability Management app integrates into the ServiceNow Vulnerability Response and CMDB modules. Using the ServiceNow application allows integration into the CMDB, the ability to run vulnerability scans from within the ServiceNow Security Operations module, raise security incidents based on vulnerabilities and a unique way of using ScanningLess Scanning (SLS) against the ServiceNow CMDB from the Outpost24 engine. The ServiceNow app is available from the ServiceNow App store at https://store.servicenow.com by searching for Outpost24.

API Changes

  • UPDATECOMPLIANCEQUESTION Parameter: APPROVED Changed from Boolean to Integer.
  • SETSCANNERTYPE Parameter: XID XID of scanner entry.
  • SETSCANNERTYPE Parameter: APPSECSCALE Boolean (Default False).
  • UPDATEACCOUNTDATA Parameter: EMAILENCRYPTIONKEY String. Encryption key data.
  • UPDATETEMPLATEDATA Parameter: snmp_hashalg Acceptable values: sha, md5.
  • UPDATETEMPLATEDATA Parameter: snmp_version Acceptable values: v1, v2c, v3.
  • UPDATETEMPLATEDATA Parameter: snmp_encryptalg Acceptable values: aes, des, none. For v3 only.
  • UPDATETEMPLATEDATA Parameter: snmp_password String. For v3 only.
  • UPDATETEMPLATEDATA Parameter: snmp_encryptionkey String. For v3 only.

Announcements

End of Life Announcement

A reminder that we announced the End Of Life of the 32-bit HIAB platform in Q4 2017. As such, no new development is being undertaken on 32-bit versions. We continue to encourage customers running 32-bit versions of HIAB to contact us at https://outpost24.com/support, where we will be able to assist with migration documentation.

Improvements

Bug fixes & minor improvements

  • Improvements to the XMLAPI.
  • Can now select HTTP and HTTPS as proxies.
  • Improvements to event handling.
  • Improved the handling of scanners removed from scanner groups.
  • Extended SNMP configuration options.
  • Improved handling of scans where unrealistically large numbers of open ports are found.
  • Internal encryption libraries have been improved.
  • Improved offline update functionality.
  • Changed out of license HIAB functionality.
  • Changed the way soft compliance questions are configured by adding a required answer.
  • Added the ability to now encrypt ticket emails.
  • Improved file clean up after an update.
  • Fixed an issue where saving network settings may fail if no proxy is set.
  • General improvement to database performance.
  • General improvements to PCI reporting.
  • Fixed an issue with receiving scheduled Outscan reports.
  • Fixed an issue with compliance scans sending incomplete settings to a scanner.
  • Improved trend report performance.
  • Fixed the hierarchy of Compliance Requirements when exporting a Compliance Report.
  • Fixed an issue where copying a Scan Schedule with an ARN set did not copy the ARN.
  • Fixed an issue where, on rare occasions, deleting a Target Group would result in an error.
  • Fixed an issue with filtering on Platform in Reporting Tools.
  • Fixed an issue where sorting in Manage Targets would not sort blank fields correctly.
  • Improved file clean-up for Temp and Blueprint files.
  • Fixed a display issue with some windows appearing larger than the browser window.
  • Fixed some spelling issues.
  • Updated SAML integration to include cache Duration.
  • Fixed issue with Backups when audit log contains more than 1.3 entries.
  • SWAT reports now contain standard Penetration testing report information.
  • Update Soft Compliance answers to include required and optional operators.
  • Made it possible to reject an answer within Soft Compliance.
  • Fixed an issue with enrolling a HIAB from the console due to improper initialization.
  • Fixed an issue with HIAB sometimes not sending out a notification upon update completion.
  • Removed obsolete libraries which are no longer in use.
  • General scan engine improvements.
  • General account handling improvements.


March 2018

Release Date: 2018-03-27

Features

ServiceNow Integration

We continue to improve the ServiceNow integration; this release adds support for both Jakarta and Kingston.

Other new features

This release focuses on small, incremental enhancements to the product portfolio and as such there are no additional new features added to Outscan in this release.

Improvements

Bug fixes & minor improvements

  • Added the possibility to set the IP address of the Outscan instance during appliance enrollment.
  • Added the ability to perform offline enrollment with a HIAB appliance.
  • Added additional functionality to support Outpost24's growing MSSP community.
  • Added the ability for customers to optionally use Reverse lookup information during a scan.
  • Removed the option to store large reports.
  • Removed the ability to use shared comments.
  • Improved offline update functionality.
  • Renamed Server not responding message to Request timed out.
  • Improved Regex support for use in scanning.
  • Target Scan: Failed event notification now provides a cause of the error.
  • Renamed Scan time to Scan Duration.
  • Improved the information provided when adding a VLAN on an appliance.
  • Removed support for Axis as it is no longer supported by IBM Q1Radar and does not work on 64-bit.
  • Added incremental improvements to the API.


April 2018

Release Date: 2018-04-24

Features

OWASP 2017 Top 10

We have added support for the 2017 OWASP top 10 in the Appsec UI. When scanning web applications, you can now see the 2017 impact of a finding.

Web application Authentication improvements

Added a new Form based Authentication option for web application scanning using Appsec Scale. This feature is currently in beta and available from the Beta Appsec UI.

The ability to use SSL certificates as part of the web application authentication process has also been added to the (Beta) Appsec UI.

As always we encourage our customers to try out the new Appsec UI - currently marked as in Beta - to help test and review the new features.

Improvements

Bug fixes & minor improvements

  • Added possibility to set the address of the Outscan instance for the appliance enrollment.
  • Added the ability to automatically close remote support based on idle time.
  • Added support for the OWASP 2017 top ten in Application security.
  • Added the ability to use encrypted SSH keys for backup over SCP.
  • Added new authentication methods in Appsec Scale to better support web form authentication.
  • Added support for SSH non-authenticated scanning.
  • Added support for HIAB version restrictions to limit installation of older packages.
  • Added support for CVSSv3 severity attribute to findings.
  • Added support for SSL certificate authentication in Appsec Scale.
  • Added an option to include an executive summary in SWAT reports.
  • Added new options in the brute force password list in Outscan.
  • Changed the default URL prefix for Appsec Scale to HTTPS unless specified.
  • General enhancements and bug fixes to the Outscan platform to improve security and performance.
  • Added incremental improvements to the API.


May 2018

Release Date: 2018-05-29

Features

Appsec Scale improvements

We continue to improve Appsec Scale and the new Appsec UI (currently in beta) with new features to help support our Enterprise and Managed service customers. In this release we have added the following new features.

  • Apply scan schedules to many applications.
    When adding applications into Appsec Scale, users can now apply the same schedule to multiple applications by selecting the applications to be updated, adding the new schedule and committing the changes.
  • Findings can be filtered, and risk priority changed.
    We are releasing the ability for customers to interact with findings in Appsec Scale. Initially customers can apply filters and change risk levels. In future releases we will improve on this to add more granular filtering, as well as handling false positives.
  • Grouping of Assets.
    To support the ability to apply a single scan schedule to many applications, the ability to group applications has been added.

Updated CIS policies

We are pleased to have joined CIS and be able to work with them to improve our Compliance scanning by having policies certified by CIS. As the first step towards this, and to avoid any confusion, the existing policies will be renamed Hardening, and only certified policies will appear in the CIS compliance folder.

This will not have any effect on any compliance scanning taking place using the existing policies, as these will still be linked to existing scans.

We will begin to have the policies certified by CIS in the coming weeks, and these will be released as soon as they are available and further notifications will be made.

Announcements

End of Life Announcement

With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web Application Scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Improvements

Bug fixes & minor improvements

  • Improved PCI ASV scanning for PCI DSS v3 in Outscan.
  • Removed the ability to turn off 2FA on a password reset in Outscan.
  • Added support for encryption keys to encrypt email notifications from Outscan.
  • Improved support for updating appliances when using Outscan internal in an MSSP configuration.
  • Added payload randomization support for future time-based SQLi enhancements.
  • Added support for AWS ELB API v2 on Outscan.
  • Added the ability to upload CA certs for SSL/TLS certificate validation in Outscan.
  • Improved the contextual information regarding where the vulnerability was detected in Appsec Scale.
  • Improved the web application scanning options in the ServiceNow application.
  • General enhancements and bug fixes to the Outscan platform to improve security and performance.


June 2018

Release Date: 2018-06-26

This release focuses on small, incremental enhancements to the product portfolio, with a focus on Appsec Scale.

Outscan & HIAB

Focus has been on improving the architecture available to Outscan/HIAB users, and includes the following:

  • Increased the scan window time on Outscan Internal schedules.
  • Added Third-party licenses as a tab in Main Menu > APPSEC (Beta) > Account.

Appsec Scale

This release includes a number of detection improvements in the Scale product, including:

  • Improved Frameable Response Due on the X-Frame-Options check.
  • Added the possibility to create event notifications for Scale applications.
  • Added detection for HSTS.
  • Added a Recommendation tag in Risk Level.
  • Extended the git payloads.
  • Added support for a custom user agent in Scale.
  • Added the ability to export reports in the portal.
  • Added an X-XSS-Protection Disabled check.
  • Added Missing X-XSS-Protection HTTP Response Header check.
  • Added the possibility to change risk level of Scale findings.
  • Added the possibility to mark Scale findings as false positives.

EWP & ED

As well as improving architecture availability, a focus has been on bringing EWP into the Outpost24 platform, including:

  • Improved scanner performance by implementing functionality from the Outpost24 scanner.
  • Added Workload Analytics into the Global Report.
  • Added Regions Support to Microsoft Azure.
  • Rebranded the portal to Outpost24.
  • Created an AWS image for EWP.
  • Added Hardening Benchmark for Microsoft Azure.
  • Added Hardening Benchmark for Kubernetes and Federated deployment.
  • Improvement of Workload Analytics & Auto-Checks API.
  • Improvement of filters in Graphical User Interface.
  • Improvement of FR language in Graphical User Interface.

Announcements

End of Life Announcement

With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web Application Scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Improvements

Bug fixes & minor improvements

Outscan & HIAB

  • Improved logging efficiency and retention.
  • Removed DNS lookup for SLS for improved performance.
  • Improved database storage and efficiency.
  • Improved reliability by introducing service based modules.
  • Improved the way reports link to Bugtraq.
  • Removed old compliance policies which were incomplete.
  • Changed the behavior when restarting a paused scan.
  • Improved reporting performance to eliminate unrequired fields in a database query.
  • Minor spelling and grammar changes.
  • Fixed an issue where under certain circumstances filters were not taken into account when exporting a Solution Summary report.
  • Changed an error message when exporting excessively large excel reports.
  • Improved handling of End Of Life products.
  • Improved the way uploaded files are handled.
  • Changed the handling of data when uploading lists of hosts from a file.
  • Fixed an issue when sending SWAT findings to Jira.
  • Improved onscreen visuals to avoid occasional truncated input fields.
  • Improved session token handling for GUI.
  • Fixed an issue where, under specific circumstances, scan policies with Webapp enabled will cause the scan engine to stop responding.
  • Fixed an issue where filtering for a hostname may cause exported reports to not include vulnerability details.

ED & EWP

  • SMTP Auto-Check supports starttls.
  • Hardening Benchmark for Kubernetes.
  • Clone&Scan for AWS scans Windows instance (using unauthenticated mode).
  • Clone&Scan for VMware supports French operating system.
  • Improvement of Cross-Site Request Forgery for Web Application Scanning.
  • CSV import in Auditor mode does not consume a token on error.
  • HSTS detection has been fixed.
  • Worker information such as version and Knowledge Base are accurate.
  • Monitoring and Un-monitoring an instance has been reworked to avoid loss of token.
  • Language settings have been improved to avoid issues between Account and User settings.
  • Risk export in PDF is now properly exporting all Key Risk Indicators (including PCI).
  • VMware vCenter Connector releases the VMware session to avoid connection issues to VMware vCenter.
  • Internal Polling System has been reworked to avoid excessive memory and CPU consumption for all Infrastructure.


July 2018

Release Date: 2018-07-24

Features

This release focuses on small, incremental enhancements to the product portfolio, with a focus on Scale.

Outscan & HIAB

Focus has been on improving the architecture available to Outscan/HIAB users, and includes the following:

  • Add detection for FortiOS.
  • Deprecate detection of Apple Airport.

Appsec Scale & SWAT

This release includes a number of detection improvements in the Scale product, including:

  • Synchronize datasets between SWAT and Scale.
  • Add passive plugin check for NetScaler cookie IPv4 disclosure.
  • Start doing backup-files fuzzing in Scale and SWAT.
  • Add OWASP 3 recommendation on SameSite cookies.
  • Add REST API based login and logout functionality.
  • Add detection for multiple WAFs.

EWP & ED

As well as improving architecture availability, a focus has been on bringing EWP into the Outpost24 platform, including:

  • Enhance LDAP Authentication module to support 'sAMAccountName' attribute for authentication.
  • Enhance Key Risk Indicators scoring.
  • Improve performance in web view, notably the Vulnerabilities Report View.
  • Create EWP image for Azure.

Announcements

End of Life Announcement


Web Application Scanner (WAS)
With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web application scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Elastic Detector (ED)
Elastic Detector assessment features will be merged into Outscan and HIAB products. We are now formally announcing both the end of life and end of support dates for Elastic Detector.

  • Official End of Life date: 31st December 2018.
  • Official End of Support date: 30th June 2019.

We recommend all remaining Elastic Detector customers to contact their account managers to discuss upgrading to Outscan and HIAB as soon as possible and no later than the formal end of life date.

Improvements

Bug fixes & minor improvements

Outscan & HIAB

  • Add support for vacuuming logs.
  • Deploy event microservice for better scalability.
  • Improve detection of HP iLO.
  • Improve detection of OpenConnect.
  • Improve registry crawling.
  • Apply global settings on the SLS scans like filtering fallback kernels.
  • Improve verbosity of multiple error messages.
  • Add additional guidelines to the Authentication view.
  • Improve performance of offline updates.

Appsec Scale & SWAT

  • Add headers to the output from the web application scanner.
  • Restrict the seed URLs in Applications to one and the same scheme://hostname:port.
  • Replace Explanation with Impact.
  • Synchronize patterns between SWAT and Scale.
  • Synchronize URL suffixes between SWAT and Scale.
  • Synchronize payloads between SWAT and Scale.
  • Rename virtualHost to hostname.

ED & EWP

  • Enhance translation in several Views and Reports.
  • Fix filtering issue in Scanning Report View for Audit mode.
  • Fix UI problems under some IE versions on Windows 10.
  • Improve Workload Analytics filtering.
  • Enhance Auto-Discovery for Network Connector (start discovery after saving Connector configuration).
  • Update initialization to automatically handle manual update of network configuration.


August 2018

Release Date: 2018-08-21

Features

This release focuses on small, incremental enhancements to the product portfolio.

Outscan & HIAB

  • Outscan and HIAB now support Critical as a Risk Level when using CVSSv3.

Appsec Scale & SWAT

  • Scale reports will now include additional findings based on infrastructure scans which are included in the testing.

EWP

  • Hardening Amazon Web Services Foundations Benchmark for AWS v1.2.0.

Announcements

End of Life Announcement

Web Application Scanner (WAS)

With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web application scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Elastic Detector (ED)
Elastic Detector assessment features will be merged into Outscan and HIAB products. We are now formally announcing both the end of life and end of support dates for Elastic Detector.

  • Official End of Life date: 31st December 2018.
  • Official End of Support date: 30th June 2019.

We recommend all remaining Elastic Detector customers to contact their account managers to discuss upgrading to Outscan and HIAB as soon as possible and no later than the formal end of life date.

Improvements

Bug fixes & minor improvements

  • Improved the Appsec REST API functionality.
  • Changed the way authentication credentials are used during the scan.
  • Improve the underlying Bruteforce functionality for better performance.
  • Fixed occasional error when sorting dates within Scan History.
  • Fixed an issue with displaying crawled URIs during a 'Normal + Webapp' scan.
  • Removed password reset popup when using 3rd party authentication methods.
  • Added a link to the Support module for requesting support portal access.
  • Removed redundant code to improve HIAB efficiency.
  • Added the ability to 'Stop All Scans' when using the Outscan Internal deployment method.
  • Improved performance in Administration UI of EWP.
  • Fixed FR translation issues in Administration UI of EWP.
  • Improved EWP API for Workload Analytics (filtering and pagination).


September 2018

Release Date: 2018-09-25

Features

This release focuses on small, incremental enhancements to the product portfolio.

Outscan & HIAB

  • Implement support for HIAB console over serial within Azure.
  • Standardise syslog to RFC standards.

Appsec Scale & SWAT & Snapshot

  • Snapshot customers can now see the duration of their Snapshot engagement within the user interface.
  • Scale customers will now be able to easily view the subscription details of their account.


Announcements

End of Life Announcements

Web Application Scanner (WAS)

With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web Application Scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Elastic Detector (ED)

Elastic Detector assessment features will be merged into Outscan and HIAB products. We are now formally announcing both the end of life and end of support dates for Elastic Detector.

  • Official End of Life date: 31st December 2018.
  • Official End of Support date: 30th June 2019.

We recommend all remaining Elastic Detector customers to contact their account managers to discuss upgrading to Outscan and HIAB as soon as possible and no later than the formal end of life date.

Legacy syslog Implementation

The current syslog implementation is undergoing a number of changes to correctly follow the necessary RFCs (RFC 5424 & RFC 3164). We are formally announcing the end of life of the current syslog implementation. The current implementation will still be active until this time.

  • Official End of Life date: 25th September 2018.
  • Official End of Support date: 26th February 2019.

Appsec Scale UI & Swat UI

Outpost24 is pleased to announce that the Appsec User Interface (UI) has today been released to General Availability and is no longer considered to be Beta. Over the last 9 months Outpost24 has added new features and functionality to enhance the Appsec solution family, all of which have been exclusively developed for this UI. We encourage all of our customers to start using the new UI. However, the old Appsec Scale and SWAT UIs will remain available for customers to use until January 22nd 2019, after which we will remove these from the menu.

Additionally, Appsec functionality is addressable through a new RESTful API. This API can be used to automate setup, operation, and reporting functions to any extent. Swagger specs for the API can be obtained from the following location: https://outscan.outpost24.com/opi/rest/openapi.json.

Improvements

Bug fixes & minor improvements

  • Now possible to disable the Web App element of scanning when overriding a scan policy.
  • Improved the layout for registry key functions in the Compliance module.
  • Improved handling of registry keys for compliance scanning.
  • Improved database scanning.
  • Improved offline update functionality to improve efficiency.
  • Improve Hardening AWS Benchmark v1.2.0.
  • Fixed an issue where the database would show different numbers than the solution report.
  • Made changes to the Reporting module to improve performance.
  • Added the ability to disable Web App scanning when overriding a scan policy.
  • Fixed an issue where syslog priority was not displayed in the Event Notification module.
  • Resolved several issues within the Compliance module when parsing results.
  • Fixed a rare issue when exporting Excel reports which could result in corrupted columns.
  • Fixed validation of PGP keys when uploading for use when sending encrypted reports.
  • Improved performance when generating PDF reports.
  • Fixed an issue where it was not possible to select the Notify on Failing checkbox for updates.
  • Improved performance when accepting a large number of risks.


October 2018

Release Date: 2018-10-30

Features

This release focuses on small, incremental enhancements to the product portfolio.

Outscan & HIAB

  • PCI Special notes now include port and protocol information.
  • We have now increased SSH authentication timeouts to account for missing reverse DNS lookup.
  • Outscan PCI will now provide port and product information in the Vulnerabilities Noted section for Product End Of Life software.
  • Using HIABs with Outscan Internal now uses a more random timing for backing off.

Scale & SWAT & Snapshot

  • Added the ability to view the scan log in the Appsec UI when running Scale scans.
  • Added the ability to download URLs in Appsec UI.

EWP

  • First integration with Outscan, making it possible to configure EWP from Outscan and retrieve the results to Outscan.
  • Increase coverage and error handling for hardening MS Azure Foundations Benchmark v1.0.0.
  • Add possibility to export workload analytics report via public API.
  • Strengthen EWP API security.

Compliance

  • Approved CIS policy for Windows 10 is now available in the CIS policy folder.
  • Approved CIS policy for CentOS 7 is now available in the CIS policy folder.

Announcements

Important Notice

As our business grows, and with more customers joining us, it has been necessary to grow our infrastructure accordingly to ensure we can continue to offer an ever-improving level of service to our customers.

To meet these needs, it has been necessary to extend the IP range from which scanning may originate.

The additional IPv4 range from which scans may originate is:

80.254.228.0/22

This is in addition to our existing network range of:

IPv4: 91.216.32.0/24

IPv6: 2001:67c:1084::/48

These IP ranges are exclusive to Outpost24, and any IPS whitelisting for PCI ASV scans should include these new ranges.

This information will also be available in the Support > Guides > Outpost24 network scanning range area of Outscan.
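
An added example, not part of the Outpost24 release notes: a Python check that audits an IPS allowlist against the three scanning ranges listed above, reporting announced ranges that are only partly covered or missing, entries that are broader than what was announced, and malformed entries. The allowlist entries in `SAMPLE_ALLOWLIST` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Scanning ranges exactly as announced in the notice above.
ANNOUNCED_RANGES = ("80.254.228.0/22", "91.216.32.0/24", "2001:67c:1084::/48")

# Constructed sample allowlist, as it might be exported from an IPS.
SAMPLE_ALLOWLIST = [
    "80.254.228.0/24",   # only part of the new /22
    "80.254.229.0/24",   # only part of the new /22
    "91.216.32.0/24",    # exact match
    "2001:67c::/32",     # covers the /48 but is far wider than announced
    "91.216.32.7/24",    # host bits set: a typo that should be rejected
    "10.0.0.0/8",        # unrelated internal entry
]


def audit_allowlist(entries, announced=ANNOUNCED_RANGES):
    """Compare allowlist CIDRs with the announced scanner ranges.

    Returns a dict with:
      coverage  - announced range -> "covered" | "partial" | "missing"
      too_broad - (allowlist entry, announced range) pairs where the entry
                  is a strict supernet, i.e. it also admits other hosts
      invalid   - entries that are not valid CIDR networks
    """
    parsed, invalid = [], []
    for raw in entries:
        try:
            # strict=True rejects entries with host bits set.
            parsed.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            invalid.append(raw)

    coverage, too_broad = {}, []
    for cidr in announced:
        target = ipaddress.ip_network(cidr)
        same_family = [n for n in parsed if n.version == target.version]
        # Merge adjacent entries so that, for example, four consecutive /24s
        # are recognised as covering the /22.
        merged = list(ipaddress.collapse_addresses(same_family))
        if any(target.subnet_of(m) for m in merged):
            coverage[cidr] = "covered"
        elif any(m.subnet_of(target) for m in merged):
            coverage[cidr] = "partial"
        else:
            coverage[cidr] = "missing"
        for n in same_family:
            if n != target and target.subnet_of(n):
                too_broad.append((str(n), cidr))

    return {"coverage": coverage, "too_broad": too_broad, "invalid": invalid}


def is_scanner_source(addr, announced=ANNOUNCED_RANGES):
    """True if addr (string) lies inside one of the announced ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in announced)


if __name__ == "__main__":
    report = audit_allowlist(SAMPLE_ALLOWLIST)
    for cidr, state in report["coverage"].items():
        print(f"{cidr:22} {state}")
    for entry, cidr in report["too_broad"]:
        print(f"over-permissive: {entry} is wider than {cidr}")
    for entry in report["invalid"]:
        print(f"invalid entry: {entry}")
```
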


End of Life Announcements

Web Application Scanner (WAS)

With the release of Appsec Scale, the standalone web application scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend all remaining Web application scanner customers to contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Elastic Detector (ED)

Elastic Detector assessment features will be merged into Outscan and HIAB products. We are now formally announcing both the end of life and end of support dates for Elastic Detector.

  • Official End of Life date: 31st December 2018.
  • Official End of Support date: 30th June 2019.

We recommend all remaining Elastic Detector customers to contact their account managers to discuss upgrading to Outscan and HIAB as soon as possible and no later than the formal end of life date.

Legacy syslog Implementation

The current syslog implementation is undergoing a number of changes to correctly follow the necessary RFCs (RFC 5424 & RFC 3164). We are formally announcing the end of life of the current syslog implementation. The current implementation will still be active until this time.

  • Official End of Life date: 25th September 2018.
  • Official End of Support date: 26th February 2019.

Appsec Scale UI & Swat UI

Outpost24 is pleased to announce that the Appsec user interface (UI) has today been released to General Availability and is no longer considered to be Beta. Over the last 9 months Outpost24 has added new features and functionality to enhance the Appsec solution family, all of which have been exclusively developed for this UI. We encourage all of our customers to start using the new UI. However, the old Appsec Scale and SWAT UIs will remain available for customers to use until January 22nd 2019, after which we will remove these from the menu.

Additionally, Appsec functionality is addressable through a new RESTful API. This API can be used to automate setup, operation, and reporting functions to any extent. Swagger specs for the API can be obtained from the following location: https://outscan.outpost24.com/opi/rest/openapi.json.

Improvements

Vulnerability Detection

  • Added support for applications installed via the Microsoft Store.
  • Improvements to the MySQL banner detection.
  • Improvements in the handling of X-Frame-Options header for Appsec.
  • Fixed a rare issue with Telnet detection.
  • Improved detection for .Net Framework to reduce False Positives.
  • Added detection for system.runtime.remoting.dll.
  • Added detection for Microsoft.vsa.vb.codedomprocessor.dll.
  • Increased the number of paths used for potential .net file locations.
  • Added detection for system.security.dll.
  • Added detection for system.web.extensions.dll.
  • Added detection for system.configuration.dll.
  • Added detection for system.data.linq.dll.
  • Added detection for mscorlib.dll.
  • Windows systems will not report if they are Pending Reboot.
  • Improved RFI detection for Scale.
  • Improved Regex compatibility in Compliance scanning.
  • Added support for Private Key detection in Scale.
  • Improved Citrix detection to eliminate False Positives.
  • Added the ability to fingerprint exec.
  • Updated detection for EMET.
  • Implemented Moodle detection for Scale.

Bug fixes & minor improvements

  • Upgraded the database version to provide better performance & scalability.
  • Performance improvements to both the SSH and SMB scanners.
  • Improvements to supported translations.
  • Changed the handling of quick portscans.
  • Improvements to AWS Hardening guide for EWP.
  • Improvements on Cloudwatch support for EWP.
  • Added improvements to patching scripts for EWP.
  • Fixed an issue in the Linux Distribution Independent v1.1.0 hardening policy.
  • Fixed an issue in the Windows 7 v3.1.0 hardening policy.
  • Improvements to the Windows 2008 Server r2 v3.1.0 hardening policy.
  • Improvements to the Ubuntu 16.04 v1.1.0 hardening policy.
  • Fixed a bug which could mean that Event Notifications would only be sent by email.
  • Improved performance for trending graphs.
  • Upgraded Swagger for improved RestAPI documentation.
  • Added a number of new Outscan specific endpoints to the RestAPI.
  • Improved LDAP & Active Directory search queries.
  • Multiple performance improvements in the reporting module.
  • Improved view of Server Status to improve readability.
  • Improved functionality of email alerts for Managed Reports.
  • Updates to functionality of ServiceNow app to meet requirements for London release.
  • Added update information to log files when used for logfile downloads.
  • Improved scheduling for Scale.
  • Fixed an issue which would occasionally stop offline updates receiving full vulnerability information.
  • Clarified wording when accepting risks across multiple scan schedules.
  • Improved handling of MySQL default credential checks.
  • Fixed an error when looking at subscription information in Outscan for HIAB only customers.
  • Improved packaging for offline updates.
  • Fixed error handling for SAML integration.
  • Added support for CHACHA20-POLY1305 TLS.


November 2018


Release Date: 2018-12-04

Features

Appsec Scale / SWAT / Snapshot

  • Appsec Scale now shows exploit information.
  • Appsec Scale scan configurations can now display a name rather than a configuration ID in Scans.

Outscan & HIAB

Outscan and HIAB now have basic scan functionality as a REST API. This functionality will be extended and improved over the coming months. Currently available configuration includes:

  • Target Management
  • Scan Configuration
  • Reporting

Documentation can be found at https://outscan.outpost24.com/opi/rest/openapi.json. It should be noted that this is the first version of the Outscan and HIAB REST API, and may be subject to change without warning.

EWP

  • Now includes VMWare ESX 5.5 Hardening Benchmark v1.2.0.

Compliance

  • Now includes Windows 1709 Hardening Benchmark v1.4.0.

Announcements

Important Notice

As our business grows, and with more customers joining us, it has been necessary to grow our infrastructure accordingly to ensure we can continue to offer an ever-improving level of service to our customers.

To meet these needs, it has been necessary to extend the IP range from which scanning may originate.

The additional IPv4 range from which scans may originate is:

80.254.228.0/22

This is in addition to our existing network range of:

IPv4: 91.216.32.0/24

IPv6: 2001:67c:1084::/48

These IP ranges are exclusive to Outpost24, and any IPS whitelisting for PCI ASV scans should include these new ranges.

This information will also be available in the 'Support > Guides > Outpost24 network scanning range' area of Outscan.
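The following is an added example, not Outpost24 code: a small Python audit that reports which parts of the scanner ranges listed above are not yet covered by an existing IPS or firewall allowlist. The function names and the sample allowlist are constructed for illustration.

```python
import ipaddress

# Scanner source ranges exactly as published in the notice above.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in
                  ("80.254.228.0/22", "91.216.32.0/24", "2001:67c:1084::/48")]

def is_scanner(ip):
    """True if the address falls inside one of the published scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == r.version and addr in r for r in SCANNER_RANGES)

def uncovered(allowlist):
    """Return the sub-networks of SCANNER_RANGES that no allowlist entry covers."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    gaps = []
    for rng in SCANNER_RANGES:
        remaining = [rng]
        for entry in allowed:
            if entry.version != rng.version:
                continue
            nxt = []
            for piece in remaining:
                if piece.subnet_of(entry):
                    continue                      # piece is fully allowed
                if entry.subnet_of(piece):
                    # entry allows only part of piece: keep the rest as a gap
                    nxt.extend(piece.address_exclude(entry))
                else:
                    nxt.append(piece)             # disjoint, still uncovered
            remaining = nxt
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return gaps

if __name__ == "__main__":
    # Constructed allowlist: the original ranges plus only the first /24
    # of the new range, a typical partial update.
    current = ["91.216.32.0/24", "2001:67c:1084::/48", "80.254.228.0/24"]
    for gap in uncovered(current):
        print("not allowlisted:", gap)
    print(is_scanner("80.254.231.255"), is_scanner("80.254.232.1"))
```

An empty result from uncovered() means every published range is covered; entries broader than the published ranges also pass this check and should be reviewed separately.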



End of Life Announcements

Web Application Scanner (WAS)

With the release of Appsec Scale, the standalone Web Application Scanner (WAS) has been superseded. We are now formally announcing both the end of life and end of support dates for this product.

  • Official End of Life date: 30th September 2018.
  • Official End of Support date: 31st December 2018.

We recommend that all remaining Web Application Scanner customers contact their account managers to discuss upgrading to the Appsec Scale platform before the formal end of support date.

Elastic Detector (ED)

Elastic Detector assessment features will be merged into Outscan and HIAB products. We are now formally announcing both the end of life and end of support dates for Elastic Detector.

  • Official End of Life date: 31st December 2018.
  • Official End of Support date: 30th June 2019.

We recommend that all remaining Elastic Detector customers contact their account managers to discuss upgrading to Outscan and HIAB as soon as possible and no later than the formal end of life date.

Legacy syslog Implementation

The current syslog implementation is undergoing a number of changes to correctly follow the relevant RFCs (RFC5424 & RFC3164). We are formally announcing the end of life of the current syslog implementation. The current implementation will still be active until this time.

  • Official End of Life date: 25th September 2018.
  • Official End of Support date: 26th February 2019.

Appsec Scale UI & SWAT UI

Outpost24 is pleased to announce that the Appsec User Interface (UI) has today been released to General Availability and is no longer considered to be Beta. Over the last 9 months Outpost24 has added new features and functionality to enhance the Appsec solution family, all of which have been developed exclusively for this UI. We encourage all of our customers to start using the new UI. However, the old Appsec Scale and SWAT UIs will remain available for customers to use until January 22nd 2019, after which we will remove these from the menu.

Additionally, Appsec functionality is addressable through a new RESTful API. This API can be used to automate setup, operation, and reporting functions to any extent. Specifications for the API can be found at https://outscan.outpost24.com/opi/rest/openapi.json
This API is the first version of the Appsec REST API and may be subject to change without warning.

Mobile Applications removal from App Stores

From December 2018, the Outpost24 app will no longer be available from either the Apple App Store or Google App Store.

Improvements

Vulnerability Detection

Vulnerability Management

  • Added detection for SMT (PortSmash).
  • Added detection for the Yammer desktop client.
  • Improved fingerprinting of Kerberos on Windows.
  • Will no longer report SSL/TLS Certificate Validation Failure if no Virtual Hosts are set.
  • Resolved issue where HP-UX was being mis-detected.
  • Resolved issue causing scan timeouts.
  • Minor improvements and bugfixes in certain Windows checks.

Appsec Scale

  • Resolved issue causing false positives on certain JavaScript files.
  • Improved JIRA detection.

Bug fixes & minor improvements

  • Improved timeout settings for detection scripts.
  • Improved SMTP connection test.
  • Improved HIAB Console performance.
  • Added a limit to retrieved banner sizes.
  • Fixed a bug where Scale webforms may use the wrong encoding.
  • Fixed a rare bug where HIAB console may crash if no serial console is present.
  • Upgraded to the latest database software.
  • Fixed an issue where Appsec Scale reports sent via Event Notifications were not named correctly.
  • SMS 2FA options are now removed if SMS is disabled as an option.
  • Fixed an issue when exporting solution reports.
  • Improved the information included in an exported Appsec Scale report.
  • Fixed an error which occasionally occurred when importing a HIAB backup.
  • Improved error messaging in Appsec Scale.
  • Fixed an issue which could cause scheduled Dashboard reports to fail.
  • Increased the level of information provided in Outscan PCI reports for Web Application components.
  • Fixed an issue where changing an event notification that included an attached report would clear out the details for the attached report.
  • Improved visuals for Cloudsec UI.
  • Improved readability of Cloudsec UI.