Fluid Attacks News
Fix
4 years ago

About Integrates Login Error on 2020-08-20

What happened

  • We were looking to improve Integrates’ session management to allow concurrency between our mobile app and web. After introducing this change, new sessions were not handled properly due to a missing attribute.

What we’ve done

  • After identifying the problem with our error tracking tools and some reports from our users, we’ve committed the fix.

What the impact was

  • There were approximately 70 unsuccessful login attempts from 9:00 A.M. to 9:30 A.M. (30 minutes in total).

What we are doing to help

  • We created an issue to review and work towards removing production-only behaviors to avoid this kind of problem.
Juan
Fix
4 years ago

About Integrates Evidence Issue on 2020-08-05

What happened

  • We are currently renaming some of Integrates' URLs.
  • After introducing this change, evidence stopped loading.

What we’ve done

  • We noticed the issue today, Aug 5, at 14:49, and committed the fix at 15:20.

What the impact was

  • Evidence was not loading due to the /organizations URL name change.

What we are doing to help

  • We are improving our tests in order to cover all the scenarios related to the URL path (open issue).
Juan
new
4 years ago

New Analytical Dashboard

Integrates provides you with information about the current security status of all your company’s applications, and we have now updated its charts. These new analytics show you the security status and trends of your systems.

Also, if Forces is active, you get access to a Docker container built to specifically verify the status of security findings discovered in your system.

All these features are the product of a team effort. You can be part of it and create new elements by joining the Fluid Attacks Community or sending your comments to help@fluidattacks.com.

Juan
Improvement
4 years ago

Email Report and PNG Download

In recent days, we released a brand-new chart view, leaving behind performance issues and putting new charts and a universe of possibilities on the table.

I hope that you enjoy it!

Now we are releasing new functionality: starting today, you can schedule an email report or download a chart report (daily, weekly or monthly).

This functionality is available both in groups and organizations. You can get a report for a specific group or your entire organization.

You will find these buttons at the bottom of the charts tab.

I almost forgot to mention it. The email will be sent

  • daily at 11 AM GMT,
  • weekly on Mondays at 11 AM GMT, or
  • monthly on the first day of the month at 11 AM GMT.

Please feel free to use it!

Juan
Improvement
4 years ago

Change of Technical XLS Report Style on Integrates

The format of the technical XLS report has changed on Integrates. You can request this report the same way as before, by going to Project -> Findings -> Reports.

Now, this XLS report includes all the project’s vulnerabilities instead of just the findings.
Each row represents a vulnerability, including all the data listed below:

  • Where
  • Related finding
  • Status
  • Severity
  • CVSS v3 Metrics vector
  • Pending Reattack
  • Is Exploitable
  • Report Date
  • Close Date
  • Age in days
  • Treatment
  • Treatment date
  • Treatment justification
  • Treatment expiration date
  • Treatment manager

As usual, this report is delivered to your inbox along with its passphrase. The Export to CSV option from the Findings table has been removed in favor of this change.

Juan
Improvement
4 years ago

Changes in Integrates Indicators

Yesterday, we made some changes to Integrates, including the replacement of the Indicators view with the Charts view.

As part of these changes, new information was added for you to have a graphical analysis of the group's state, and the appearance of all the charts is now different.

Moreover, something may happen when you click, drag or hover over them.
I’m not going to spoil it. 😉

Juan
Fix
4 years ago

About Integrates permissions error

What happened

  • In recent months we’ve been working to improve our authorization system so it becomes more flexible, allowing us to have granular control over each action a user can perform (ABAC).
  • After this change was introduced, permissions within a group didn’t match if the group name wasn’t in lowercase. Lowercasing the group name has always been a backend transformation, totally transparent to the user.

What we’ve done

  • We first received reports on May 19 and committed the fix on July 1 at 08:16 AM after investigating it for the past 3 weeks.
  • We implemented a new tracking tool: LogRocket. With it, we were able to monitor our API’s responses to the affected users, which helped us identify and reproduce the problem.

What’s the impact

  • Some users have reported that they sometimes weren’t able to view some buttons even if they had access to a group.

What we are doing to help

  • We are improving our tests and error reporting to better spot and avoid this kind of problem.
Juan
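As an added illustration of the bug described in the post above (example code, not Integrates' own): a permission check keyed on the raw group name denies a user whose request carries the name in mixed case, while canonicalising the name before the lookup restores the expected decision. The policy store, users, roles and actions are constructed; the `triage_denial` helper is a hypothetical aid for telling a real policy denial apart from a case-mismatch denial during investigation.

```python
# Added example (not Integrates' own code): an ABAC-style permission check
# that silently denies access when the group name in the request is not
# lowercased, beside the canonicalised version that fixes it.

# Constructed policy store. Assumption: the backend stores group names
# lowercased, as the post describes, so "UnitTesting" never matches a key.
GROUP_ROLES = {
    "unittesting": {"alice@example.com": "group_manager",
                    "bob@example.com": "reviewer"},
}
ROLE_ACTIONS = {
    "group_manager": {"view_findings", "request_reattack", "edit_treatment"},
    "reviewer": {"view_findings"},
}


def enforce_broken(user: str, group: str, action: str) -> bool:
    """Bug: uses the request's group name as-is for the lookup."""
    role = GROUP_ROLES.get(group, {}).get(user)
    return action in ROLE_ACTIONS.get(role, set())


def canonical_group(group: str) -> str:
    """Apply the same normalisation the policy store uses before any check."""
    return group.strip().lower()


def enforce_fixed(user: str, group: str, action: str) -> bool:
    """Canonicalise first so authorization and storage agree on the key."""
    role = GROUP_ROLES.get(canonical_group(group), {}).get(user)
    return action in ROLE_ACTIONS.get(role, set())


def triage_denial(user: str, group: str, action: str) -> str:
    """Hypothetical triage helper: distinguish 'the user really lacks the
    role' from 'only the casing of the group name differed', which is the
    symptom users reported (buttons missing despite having group access)."""
    if enforce_broken(user, group, action):
        return "allowed"
    if enforce_fixed(user, group, action):
        return "denied-by-case-mismatch"
    return "denied-by-policy"
```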
Fix
4 years ago

About API queries error on 2020-06-23

What happened

  • We are currently improving our security by tightening the validation of session user tokens.
  • After this change was introduced, API tokens were accidentally validated when they shouldn’t have been.

What we’ve done

  • We noticed the issue today, Jun 23, at 14:37, and committed the fix at 15:40.

What’s the impact

  • Today, Jun 23, we introduced the token validation change at 13:40, and some users weren’t able to successfully query our API.

What we are doing to help

  • We are improving our tests in order to cover all the scenarios related to that token functionality.
Juan
Fix
4 years ago

About performance issues on 2020-06-03

What happened

On June 3rd, from 6:30 PM to 7:00 PM, users experienced a performance degradation in the platform, making browsing very slow. This occurred because one of our analysts was performing a DDoS attack on the site. At the same time, there was a failed deployment in production that halved the number of machines processing requests: half of them had the previous version of the app and were responding correctly, while the other half were stuck in a loop trying to deploy the new version, which had issues. This attenuated the effect of the DDoS.

What we’ve done

After we detected the error, we immediately reverted that change, deploying a new version of Integrates without the bug, so the whole fleet was available.

What’s the impact

The incident occurred outside of working hours, so only 3 users were affected, and they experienced a really slow platform, with group information taking too long to load or not loading at all.

What we are doing to help

We are constantly performing security tests on our own platform to discover these kinds of flaws. Right now, we are working on concurrency improvements to achieve better performance. Also, this vulnerability was reported to our developer team and will be addressed shortly.

Juan
Fix
5 years ago

About portfolios’ performance

What happened

  • We detected a performance degradation on large portfolios, which caused pages to have high response times and, in some cases, not to load at all.

What we’ve done

  • On 2020-05-14, we decided to temporarily revoke access to these resources.

What’s the impact

  • 6 users no longer have access to this resource.

What we are doing to help

  • We started to add mock data to simulate scenarios with large portfolios, so that we can better understand their behavior and find solutions to improve their performance.
  • We are experimenting with various design patterns that allow us to get the necessary data without degrading the performance.
  • We will make the appropriate announcement once we enable these features again.
Juan