✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

👌🏼 Centralized report download: Say goodbye to download chaos! We've created a dedicated space for all your important files. Simply click the new "Downloads" button on the right side of the platform's top bar to access your download history from the last 24 hours. This organized menu allows you to track download progress and effortlessly re-download any files you might need. For now, you'll find your vulnerability reports (executive and technical) ready and waiting. Stay tuned as we expand this feature to include SBOMs and other essential platform resources in the near future!

☁️ Status validation for all cloud environments: Stay ahead of potential problems in your cloud environments! The Environments table in the Scope section now features a dynamic Status column designed to keep you informed. This column proactively shows "Open events" —issues that can disrupt evaluations— across all your AWS, Azure, or GCP environments. Clearly flagging broken or misconfigured settings allows you to address them promptly, ensuring smooth operations and reliable results.

🔄 From Issues Identified to Vulnerable: Until recently, the components at security risk in the inventory of dependencies we offer you in the Supply chain section had the label "Issues Identified." Now, it has changed to "Vulnerable," making it more explicit that vulnerabilities are present. Nonetheless, remember that when we're sure they are exploitable, we add the label "Reachable."

Upcoming

💥 Reachability as a prioritization criterion: Although the "Reachable" tag is currently visible in the Supply chain section for vulnerabilities known to be exploitable, it doesn't yet influence their remediation priority. Given how important reachability is to this process, we'll soon add it as a selectable prioritization factor within the Priority section of your organization's Policies in the platform.

📊 EPSS percentage column: We'll add a column to the Supply chain section's main table that displays the EPSS percentage (Exploit Prediction Scoring System). This value indicates how likely it is that a vulnerability in any of your direct dependencies will be exploited. A higher percentage means a greater likelihood of exploitation. The EPSS score is designed to help you prioritize vulnerability remediation.

Implemented

📡 Reachability analysis: To better understand the impact of vulnerabilities in your software supply chain, we've added a new reachability analysis feature to our automated tool. This module examines the direct dependencies listed in the Supply chain section to determine if any reported security issue is actually exploitable in your applications. This analysis will help you prioritize vulnerabilities that need immediate attention. For more details, read our post Prioritize vulnerability remediation with Reachability!

📈 Custom vulnerability prioritization: Within the platform's Policies section, you'll find the Priority feature. This allows you to select various factors for ranking vulnerabilities. These factors include how a vulnerability might be exploited, how easily it can be attacked, and the potential consequences for your systems in the event of a cyberattack. You can assign weights to each factor based on your organization's specific needs. These weights will then determine the values displayed in the Priority column for each identified vulnerability. This empowers your teams to swiftly tackle the most critical threats. For more information, read Manage fix prioritization policies.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent feature is that you can now see information about all your registered Docker images in the Environments table.

Upcoming

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

👌🏼 Centralized report download: We have already implemented the "Downloads" button on the right side of the platform's top bar. This button will soon open a menu where you will see the download history of the last 24 hours. From this site, you will also be able to know the status of your downloads or redo them if necessary.

🔄 From Issues Identified to Vulnerable: Currently, within the inventory of dependencies that we offer you in the Supply chain section, those components at security risk have the label "Issues Identified." Soon, this will be changed to "Vulnerable," making it clearer that there are vulnerabilities there. However, remember that when we are certain that these are exploitable, we add the label "Reachable."

📊 EPSS percentage column: In the main table of the Supply chain section, we will implement a column with the EPSS (Exploit Prediction Scoring System) percentage. As its name suggests, this value gives you the probability of exploitation for the vulnerabilities present in your direct dependencies. The higher the percentage, the higher the probability. The EPSS is intended to contribute to vulnerability remediation prioritization.

💥 Reachability as a prioritization criterion: While the "Reachable" tag is already displayed in the Supply chain section for the vulnerabilities we have confirmed are exploitable, it is not currently a factor in their prioritization for remediation. Considering the relevance of reachability for this process, we will soon include it as a prioritization criterion to be chosen in the Priority section of your organization's policies in the platform.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📡 Reachability analysis: We've added a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module analyzes the dependencies listed in the Supply chain section and determines if any reported security issue is actually a vulnerability that could be exploited in your apps. This analysis will help you prioritize which issues need immediate attention. For more information, see our previous announcement.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tool reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent implementation is a pop-up window that allows you to view and manage your environments' secrets when clicking on the corresponding link in the Secrets column.

📃 Improved SBOMs: As part of a continuous improvement of our SBOMs to be reported in the Supply chain section, we recently introduced to our tool the ability to discover dependencies on Go, specifically go.mod.

✅ Expanded permissions for Events tab: We have granted User Managers and Vulnerability Managers access to the Events tab on our platform's To-do list. This will give them a holistic view, allowing them to manage and respond to events effectively, especially when supervising multiple groups.

🫱🏻‍🫲🏼 From MPT to PTaaS: Everything corresponding to the MPT (manual pentesting) evaluation technique is now labeled PTaaS (pentesting as a service) on the platform.

We're pleased to announce a powerful new feature of our automated tool that becomes tangible in our platform's Supply chain section: Reachability.

The Supply chain section shows your application's affected and unaffected third-party dependencies. Now, you can more efficiently prioritize and address dependencies with security issues by knowing which ones have exploitable vulnerabilities.

Here's how it works:

• Focused analysis: Reachability, a feature working with SAST, analyzes your application's direct dependencies reported by our SCA to determine whether their known vulnerabilities are actually exploitable in your specific case.
• Clear prioritization: In the Supply Chain section, look for the "Reachable" tag in the Status column. If it's there, prioritize remediation efforts for those tagged dependencies.
• Detailed vulnerability insights: For each reachable security issue, you'll see the location of the vulnerability within your code and a link to the vulnerability table of the corresponding type. This will help you thoroughly understand the vulnerability and prioritize it effectively in relation to the other reported issues.
• Reduced noise: No more guessing games! Reachability cuts through the noise of potential vulnerabilities and highlights the ones that need immediate attention.

Currently supported languages:

• Javascript
• Typescript
• Python

Coming soon:

• Java
• C#

Start prioritizing your vulnerability remediation today!

Log in to our platform and explore the new Reachability feature in the Supply Chain section.

Implemented

⚠️ Date limit on calendar for vulnerability acceptance: Whenever you enter a date earlier than the current day or that exceeds the number of days allowed by your organization's temporary vulnerability acceptance policy, you will see a message reminding you of the permitted range.

📃 Improved downloadable SBOMs: The SBOMs you can export from our platform in CycloneDX and SPDX formats now have new information. Beyond the default fields, you can now see, for each third-party component: its location, the latest version, and the time since that release. In case of associated security issues, you can see: the affected version, CVEs, their severity, and EPSS.

✅ New webhooks: We have added a couple of webhooks that will notify you when an event or a vulnerability has been closed within one of your groups.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events.

Upcoming

📡 Reachability analysis: We'll add a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module will analyze the components and dependencies listed in the Supply chain section and determine if any reported vulnerabilities actually pose a risk to your application. Since vulnerabilities often only become a threat when specific functionalities are used in your code, this analysis will help you prioritize which issues need immediate attention.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in a cyberattack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain section: This section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

☁️ CSPM environment role status: We recently implemented alerts for those cases where users revoke or delete access roles in the cloud (e.g., STS in AWS), roles that allow us to request tokens to scan their infrastructure resources with CSPM. Not having these alerts could mean mostly incomplete or delayed vulnerability scans. Now, for each CSPM environment within the Scope section that presents this problem, you will see the message “Role status: Error”.

Upcoming

📡 Reachability analysis: We'll soon implement a reachability module in our automated tool. It will analyze the components and dependencies we currently report to you in the Supply chain section to confirm whether their vulnerabilities are putting your application at risk. This is because many times vulnerabilities only pose risks when specific functions of such components or dependencies are used in your code. Therefore, this feature will significantly contribute to your prioritization of vulnerability remediation in third-party software.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Implemented

🤖 PHP security scanning: Our SAST tool has leveled up! It can now scan codebases containing PHP to identify vulnerabilities specific to this language. This enhancement expands our testing scope to help you deploy even more secure applications.

🔬 Docker image scanning and SBOM: Now, our automated tool can scan your Docker images, which you can import from any registry that supports username and password authentication with no specific registry restrictions. You only need to provide the registry URL and credentials. Then, you can see in the Supply chain section of our platform a detailed listing (SBOM) of each package contained in the Docker image, including security issues associated with them.

⛓️ Supply chain section: You can see your application's affected and unaffected third-party components and dependencies in this section. We separated these elements and security issues from the rest of the findings because some may pose a risk to your company while others may not, making it easier to prioritize them for treatment. Nowadays, you can view such components and dependencies as a complete list or filter them by repository under assessment.

Upcoming

🧩 Enhanced IntelliJ plugin: We recently implemented our IntelliJ IDEA extension and are improving some of its features. Currently, we are establishing links so your development team can go from the IDE to the platform to see specific findings or receive descriptions of vulnerabilities and suggestions for fixing them in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Implemented

🔄 Legacy filters: We are currently adding legacy filters in the Vulnerabilities section to align with attributes from the Locations section. The filters already implemented correspond to vulnerability locations and techniques with which we detect them. So, for example, from the first section, if you select the DAST option in the Technique filter, you will see all types of vulnerabilities that have at least one case identified using DAST. Consequently, when you access one of these types, the Locations section will display only those vulnerabilities detected with DAST.

🚯 Prevent file deletion: We have implemented a restriction to prevent the deletion of application files linked to specific environments. This allows us to avoid these environments from running out of valid files and becoming unmanageable. In cases where you want to delete files, you must delete the entire environment.

⛓️ Supply chain section: This new section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

Upcoming

🔬 Docker image scanning: Very soon, our automated tool will be able to scan your Docker images. It will not only list the dependencies within the images but also notify the existing security issues, all in our new Supply chain section.

🧩 Enhanced IntelliJ extension: We recently implemented our IntelliJ IDEA plugin and are improving some of its features. Now, we are establishing links so developers can go from the IDE to the platform to view certain findings or receive descriptions of and remediation suggestions for vulnerabilities in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Implemented

🧩 IntelliJ IDEA extension: Our IntelliJ IDEA plugin is now available for your developers. Thanks to it, they will be able to identify affected lines of code or vulnerabilities we report to them without leaving their IDE.

📈 Priority option in the Policies section: This option allows you to select diverse criteria for ranking vulnerabilities on their potential impact on your company. You can customize the values of several variables, which will be reflected (along with estimates such as EPSS) in the figures displayed in the new "Priority" column for each identified vulnerability. This feature helps your teams quickly recognize and address the most critical risks.

⛓️ Supply chain section: This new section highlights security issues related to your applications' third-party components. Separating these problems from other vulnerabilities reduces noise in reports, allowing easier prioritization. There, you can view affected and unaffected components in two ways: as a full list or filtered by root or repository under assessment.

Upcoming

🔬 Docker image scanning: Soon, our automated tool will be able to analyze your Docker images (.tar files). It will not only list the dependencies within the image but also report the existing security vulnerabilities.

⏩ From CVSS 3.1 to CVSS 4.0: The toggle switch we have enabled to view your vulnerabilities based on CVSS v3.1 and CVSS 4.0 will soon disappear. Please keep in mind that we intend to complete this version transition across all of our platform resources in the near future.