Some features mentioned in this article may only be available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
Learn about the latest product updates, features, early release features, and improvements in the SecurityScorecard platform.
For scoring recalibrations and other changes that affect Scorecard scores, see scoring update release notes.
Questionnaire reports and custom templates, plus added CIS and ISO templates
You can easily set up custom templates and create questionnaire reports using the Questionnaires tool. This helps you automate and accelerate the vendor assessment process.
Additionally, we added two questionnaire templates:
- CIS (Critical Security Controls) - V8
- ISO 27001 - 2022
To see templates, select Questionnaires from the Core Tools drop-down in the top navigation bar. Then, in Questionnaires, select All templates.
Ability to view evidence for findings in subsidiary Scorecards
If you are an administrator for a Scorecard for a parent organization, you can view all evidence for issue findings for subsidiary Scorecards in your hierarchy.
This enhances your ability to manage risk for organizations that have a close corporate relationship with yours, such as those with a shared IT infrastructure.
ESG risk data in API
You can monitor the environmental, social and governance (ESG) risk of your IT vendors. Using the Ratings platform API, you can view ESG risk data for any Scorecard or Portfolio.
BreachDetails: In-house breach detection and collection tool
We have made breach notifications more timely and accurate with BreachDetails. Our in-house data crawlers continuously collect news articles, ransomware articles, Dark Web postings, government advisories, and other sources of breach intelligence around the world. This wide coverage and direct sourcing of key information enables us to detect breaches and report them to you faster. Our AI-powered translation and analysis tools ensure that the notifications are accurate.
To see breach notifications, select the Incidents tab in your Scorecard.
You can now integrate SecurityScorecard data with your Coupa business spend management (BSM) platform to quickly assess the security posture of any of your suppliers.
With the integration, you can view a supplier's overall score, factor scores, five most critical issues, a graph showing the overall score over the past six months, and a link to view the supplier's Scorecard.
Improved display of attribution evidence in Digital Footprint
You can now see an asset's attribution source and underlying evidence in one click, in the Digital Footprint.
Ability to generate Compliance tool reports
You can now generate a report in .csv format to show the current state of compliance for any Scorecard that you monitor, including your own.
To generate the report, go to the Compliance tab for a Scorecard, select any framework, and then click Export to CSV...
To access the report, select Reporting Center from Core Tools in the top navigation menu. Then, in Reporting Center, select Generated Reports.
Questionnaires added as evidence in Compliance tool
You can now view relevant questionnaire responses when assessing the compliance evidence for an organization.
When an answer given in a questionnaire maps to a specific compliance control, that evidence appears under that control in the Compliance tab of the relevant Scorecard. You can then link to the relevant questionnaire.
Improved process for inviting vendors and requesting Evidence Locker documents
When requesting security documents in Evidence Locker, you can automatically engage vendors already in your Contact Manager without having to reenter their contact details. You can also add additional contacts in your request for evidence.
Improved visual platform accessibility
Button and letter grade colors have been changed for better visual accessibility.
Visual Query Builder in Attack Surface Intelligence
You can now use simple visual search filters in Attack Surface Intelligence to find and correlate IPs, domains, vulnerabilities, threat actors, malware, and other data points to analyze risks to a region, organization, or individual assets.
Desktop Analytics dashboard for browsers
You can monitor browser health at a glance to help you quickly address out-of-date versions. The Desktop Analytics dashboard, accessible from your Scorecard, visualizes relevant browser data collected. Learn about using this dashboard.
Ability to import Salesforce vendors into a Portfolio
If you have integrated Salesforce with SecurityScorecard, you can import multiple Salesforce accounts into SecurityScorecard to create Scorecards and Portfolios with one click. This enables you to monitor your Salesforce vendor accounts more easily.
When you start to create a new Portfolio, select the option to import Salesforce vendors. Learn more about the Salesforce integration.
User activity logs
If you are a SecurityScorecard administrator, you can easily track who is accessing your Scorecard data, what data is being accessed, and where it is being accessed from. This enables you to improve your internal controls and data security, and to meet compliance and regulatory requirements. Learn more about using activity logs.
Custom Compliance frameworks
You can check your compliance against any framework, including your own. You can add industry frameworks not currently defined in the Ratings platform. And, if you have your own security controls, you can monitor your compliance status against them, using the Compliance tool. Learn about using Compliance Frameworks.
Issue type for potential vulnerabilities
You can investigate your internet-facing assets that have potential vulnerabilities. We flag these for products that have associated vulnerabilities but do not have applicable version numbers. The Potential Vulnerability Detected issue type is in the Application Security factor. It is informational and does not affect your score. Learn about using this issue type.
Tags filter for Custom Scorecards
You can use your tags to filter which assets to include in Custom Scorecards, leveraging the important business or security context that your tags provide. When you filter based on a given tag, any new assets to which you assign that tag are automatically included in the Custom Scorecard. This accelerates our ability to allocate assets to key stakeholders, such as regional teams. Learn more about using Custom Scorecards.
Asset categories in Digital Footprints
When you view your Digital Footprint, you can check asset categories for immediate context to help you understand how assets are connected to your organization. By checking the Asset Category column in your Digital Footprint, you can see, for example, that an asset is in a vendor's cloud or content delivery network, which means any issue findings do not affect your score. Learn more about asset categories.
Automatic issue resolution
When you resolve an issue finding and select I have fixed this as a reason, we automatically resolve the issue if we can verify your fix. This speeds up the resolution process so that your Scorecard reflects your current security posture sooner. Learn more about issue resolution.
Reviewing questionnaires in Assessments
You can now use the Assessments tool in the Ratings platform to review questionnaires that your vendors respond to. We are gradually building all questionnaire-related operations into Assessments, enabling you to integrate platform capabilities more directly with your questionnaire management so that you can get more done faster. Atlas is currently also available while we complete this transition.
Control of Custom Scorecard editing permissions
You can now select specific people in your organization to edit Custom Scorecards. Learn more about Custom Scorecards.
Sending questionnaires in Assessments
You can now send questionnaires to vendors using the Assessments tool in the SecurityScorecard platform. We are gradually building all questionnaire-related operations into Assessments, enabling you to integrate platform capabilities more directly with your questionnaire management so that you can get more done faster. Atlas is currently also available while we complete this transition.
Public Tags for Scorecards
You can now use public tags to help you consider your monitored Scorecards through different external lenses. Public Tags identify Scorecards as belonging to commercial, financial, industrial, or other categories based on published information about their related organizations. SecurityScorecard uses public data sources, such as the Fortune 100 index, to generate these tags. Learn more about Public Tags.
More accurate detection of parked domains
We now detect and classify parked domains more accurately, so that issue findings on those assets do not impact your score. Learn about issue resolution and parked domains.
Compliance tool integration with Google Cloud Platform
You can now integrate the Compliance tool with Google Cloud Platform (GCP) and pull in configuration data from your GCP account to analyze against industry frameworks. This expands the number of available integrations, which also include:
- Amazon Web Services
- Microsoft Azure
Learn more about the Compliance tool.
API support for custom IP and domain tags
You can now use the platform API to get, create, edit, and delete tags for IPs and domains in your Digital Footprint. This enables you to integrate tag data into your internal automated systems for easier tracking. See the ip-domain-tags section of the API reference guide, starting with the call for getting IP and domain tags.
You can now integrate SecurityScorecard with ThreatQuotient's ThreatQ security operations platform, which enables you to:
- Automatically monitor your ecosystem for vulnerable third parties by ingesting Scorecard reports for registered domains into ThreatQ.
- Import your organization’s Scorecard data on 10 key risk factors into ThreatQ.
- Prioritize investigation and remediation based on events identified by SecurityScorecard.
To install and use the integration, go to the SecurityScorecard listing in ThreatQuotient's Marketplace.
Natural Language Search
Using AI-powered search, you can ask about scores, issues, vulnerabilities, and breach history for a Portfolio. Enter your queries in the global search bar that appears at the top of every page in the platform.
CVE-triggered loss control workflows
You can now use Common Vulnerabilities and Exposures (CVEs) to trigger workflows in your Risk Control campaigns, expanding your vendors' and partners' awareness of security issues. Learn more about Risk Control.
Web link for invitations
You can now invite vendors, partners, or teammates to join the platform by copying and sharing a web link URL. This frees you to extend invitations in chats, emails, and other communication channels that you have established outside of SecurityScorecard. Learn more about sending invitations.
Attack surface summary views in Portfolios
You can get a quick view of important attack surface data for your monitored vendors and partners. When you click the Attack Surface Intelligence tab in a Portfolio, you can see summary views of more than average open ports, organizations affected by ransomware attacks, and more. You can then click these views for more details. Learn more about Attack Surface Intelligence.
Ability to export .json files of attack surface data
You can now download and export .json files of your search results in Attack Surface Intelligence, so that you can share this information with your teams and consume the information in your internal systems.
Ability to export report widget content
You can now export the information in Reporting Center widgets to .csv files. This makes it more flexible to share report data with your teams. Click the three dots in the upper-right corner of a widget to use the export option. Learn more about using widgets in Reporting Center.
Custom report tags
You can now apply tags to custom reports, enabling your team to find, organize, and use these reports more easily.
Ability to control more of your Scorecard's appearance
If you are a SecurityScorecard administrator, you can now manage certain aspects of your Scorecard's appearance, without having to ask our Support team to do it for you:
- Change your industry name in your company profile.
- Change your Scorecard display name.
- Change your organization's logo on your Scorecard.
Also, users in your organization can now see who their SecurityScorecard account administrator is by going to their platform settings.
Breadcrumbs for easier navigation
You can now use breadcrumbs to see how pages are related in the platform and to help you find what you are looking for in the platform more easily.
Faster loading of Portfolio overview pages
The overview pages for your Portfolios load faster, even with large Portfolios, so you can start working faster with the Scorecards you monitor.
Ability to remind invitees to join
When inviting organizations to join SecurityScorecard, you can now set reminders for non-responding invitees.
Better tracking of contacts
You can use your Contact Manager to see all the contacts you have invited and set score expectations with, including useful information such as engagement dates and current scores.
Learn more about Contact Manager.
New capabilities for Issue Types report
With the updated Issue Types report, you can take advantage of more capabilities:
- Get German, French, Spanish, Japanese, Chinese (CN or TW), and Korean translations.
- Add your own logo.
- See new issue findings, which are automatically added without any manual effort.
Compliance module with cloud support
The Compliance module provides a more efficient audit of requirements by expanding evidence collection and simplifying visibility. You can now add cloud service provider account data for AWS and GitHub to the compliance assessment.
MITRE and breach filters added to Attack Surface Intelligence
You can enrich your Attack Surface Intelligence searches with breach information and MITRE ATT&CK adversary tactics, techniques, and procedures (TTPs).
Learn more about facets in Attack Surface Intelligence.
Improved Portfolio performance
When you open Portfolios that contain thousands of Scorecards, you can instantly view and filter Scorecards.
Faster attribution updates
With faster and more frequent attribution updates, you see more accurate and current asset information in your Digital Footprint.
Digital Footprint domain details and workflow
When managing your Digital Footprint assets, see right away how we attributed IP addresses and domains to your organization. The page details attribution sources and methods for each domain.
After reviewing this evidence, you can categorize certain assets so that they have appropriate score impact. For example, for a tenant domain, all related issue findings do not impact the score. You also can still refute assets if you can demonstrate that they do not belong to your organization.
WHOIS added for attribution data collection
SecurityScorecard now includes the WHOIS public database as a source for collecting attribution data. This improves attribution accuracy, enables identification of more related domains, and speeds detection of domain additions. Digital Footprints update faster, with more precise enumeration of domains.
Custom Scorecard Version 3
You can precisely filter and control which assets appear on your Custom Scorecard, select multiple source scorecards, aggregate multiple scorecards entirely, apply new issue type filters, and have control over the migration and updates applied to your existing Custom Scorecard.
Active resolution of findings for SPF-related issue types
We now resolve findings for the following issue types if we no longer detect them in subsequent scans:
- SPF Record Missing
- Malformed SPF Record
- SPF Record Found Ineffective
- SPF Record Contains a Softfail without DMARC
We remove such findings from the Scorecard as soon as we assert that they are no longer present in a weekly, recurring scan. This means you do not need to manually submit resolution requests in the platform after you address findings, so that you can focus on more impactful issues.
Netskope CCI integration
With their partnership, SecurityScorecard and Netskope enrich each other’s security and risk posture data, so you can make more informed policy access decisions about the risk associated with cloud applications. With the new Marketplace integration, Netskope’s Cloud Confidence Index (CCI) provides SecurityScorecard with public and private signals for over 55,000 SaaS applications.
Netskope's installation page in Marketplace
After you install the integration and SecurityScorecard starts collecting the data, the findings appear in the Application Security factor of your Scorecard.
Netskope issue type details page and findings
Simpler, clearer, smarter menus help you get where you need to go and get more done faster. Dedicated menus consolidate all your Scorecards, Portfolios, toolsets, and services.
Additional search facets in Attack Surface Intelligence
You can refine searches based on additional facets related to location, SSL certificates, information returned by HTTP headers, and attributed domain counts. New boolean (yes/no) facets expand search options, too.
Automatic Vendor Detection enhancements for Portfolios
You can now assess and understand the supply chain risk for Portfolios. Search for potential issues across Portfolios. For example, see all the organizations in your Portfolios that use Atlassian.
Get a quick view of important Scorecard updates and actions that help you monitor your organization's security posture and respond to critical events.
Access your launchpads from the Dashboard menu in the top navigation bar.
Report branding and legal disclaimer
You can brand your exported reports with your corporate logo and apply disclaimers for protection against legal claims.
Invited vendor landing page
When partners and other third parties accept invitations to join SecurityScorecard, they are directed to a personalized landing page, where they are welcomed and can set their account passwords before starting their free account onboarding process.