Below are the Faction Setup Instructions required to get you all set up and ready to start collaborating on assessments in just a few minutes.
CREATE AN ACCOUNT:
Every company or user that creates an account will get their own single tenant instance. To create a new instance go to https://portal.factionsecurity.com and create an account.
This will begin creating your instance of Faction. Wait until the spinner shows a green checkbox before you attempt access your site. You can then click the URL in site list to take you to your new Faction Instance.
SETTING UP FACTION FOR THE FIRST TIME:
The first time you access faction you will be presented with a page to create your admin account. Here you need to enter basic information about the user and the option to create a team. Hacking Team is the default.
ADDING THE DEFAULT VULNERABILITIES:
The Faction Default vulnerability database is what makes generating reports quick and painless for pen-testing teams. You can can upload your own templates or start with an open source list from https://github.com/vulndb/data.
To add the VulnDB data into Faction just navigate to Admin-> Default Vulnerabilities and click Update from VulnDB. This will import all of their vulnerabilities and set default Categories for the vulnerabilities.
Note this can call be edited or deleted later.
SETTING CUSTOM RISK LEVELS:
By default Faction adds Critical, High, Medium, Low, Recommended, and Informational risk levels but you have up to 9 that can be set and the defaults can be changed to anything that works for your environment. For instance Critical can be changed to Priority 1.
VULNERABILITY TRACKING AND REMEDIATION ALERTS:
Different Tiers allow enhanced features within Faction. The Teams Tier and above have verification and vulnerability tracking enabled. In Admin Settings you can set custom times to alert when the vulnerability needs to be remediated based on its risk setting. For instance you can set a reminder that a Critical vulnerability needs to be remediated 30 days after its reported and set a past due date of 60 days. This will trigger faction to alert the correct teams that important issues are close to being past due to ensure issues get closed on time and are never forgotten.
Notice the the following screenshot that we have Criticals and Highs set to warn at 30 and 60 days respectfully. These become paste due on 60 and 120 days respectfully.
Anything that is missing a date will not be tracked by Faction.
For some assessments you will want to add checklists to ensure all critical issues are tested. Below is an example of some potential checks that might need to happen on every assessment to ensure applications are tested consistently.
Once the above is created it will be available in assessments where the assessor can pass/fail the checklist item and even add notes related to why it failed or why it’s not necessary for the application being tested.
All assessments start with Assessment Scheduling. Faction keeps track of all projects your assessors are working on to prevent over-booking pen-tests or other consulting engagements. It keeps track of notes and other information relevant to the assessment so it’s easy to organize and share with the right people on the assessment.
You can add assessments manually or upload many from a CSV file.