Improvement (new)
6 months ago

See what's new at Fluid Attacks! 🎉

Implemented

⚠️ Date limit on calendar for vulnerability acceptance: Whenever you enter a date earlier than the current day or that exceeds the number of days allowed by your organization's temporary vulnerability acceptance policy, you will see a message reminding you of the permitted range.

📃 Improved downloadable SBOMs: The SBOMs you can export from our platform in CycloneDX and SPDX formats now have new information. Beyond the default fields, you can now see, for each third-party component: its location, the latest version, and the time since that release. In case of associated security issues, you can see: the affected version, CVEs, their severity, and EPSS.
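As an added example (not Fluid Attacks' code), a small Python triage script for a CycloneDX JSON export of the kind described above: it lists each third-party component with its locations, the CVEs that affect it, the highest CVSS severity and the EPSS score, and orders the rows so the most likely-exploited components come first. It assumes EPSS is carried as a rating with method "other" from a source named "EPSS" (exporters vary); the sample SBOM and its CVE ids are constructed placeholders.

```python
"""Triage a CycloneDX 1.5 JSON SBOM by exploit likelihood and severity."""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                 "info": 0, "none": 0, "unknown": 0}

# Constructed sample (not a real export); shape follows the CycloneDX 1.5 JSON schema.
# CVE ids below are placeholders, not real identifiers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.15", "type": "library", "name": "lodash",
         "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15",
         "evidence": {"occurrences": [{"location": "frontend/package-lock.json"}]}},
        {"bom-ref": "pkg:pypi/requests@2.32.3", "type": "library", "name": "requests",
         "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3",
         "evidence": {"occurrences": [{"location": "api/requirements.txt"},
                                      {"location": "worker/requirements.txt"}]}},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00001",
         "ratings": [{"source": {"name": "NVD"}, "score": 7.4, "severity": "high", "method": "CVSSv31"},
                     {"source": {"name": "EPSS"}, "score": 0.42, "method": "other"}],  # assumed EPSS encoding
         "affects": [{"ref": "pkg:npm/lodash@4.17.15",
                      "versions": [{"version": "4.17.15", "status": "affected"}]}]},
        {"id": "CVE-0000-00002",
         "ratings": [{"source": {"name": "NVD"}, "score": 5.3, "severity": "medium", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    ],
})


def _epss(ratings):
    """EPSS probability if present (assumption: method 'other', source name 'EPSS'), else 0."""
    for r in ratings:
        if r.get("method") == "other" and r.get("source", {}).get("name", "").upper() == "EPSS":
            return float(r["score"])
    return 0.0


def _cvss_severity(ratings):
    """Highest severity label among the CVSS-method ratings of one vulnerability."""
    best = "unknown"
    for r in ratings:
        if str(r.get("method", "")).startswith("CVSS"):
            sev = str(r.get("severity", "unknown")).lower()
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(best, 0):
                best = sev
    return best


def triage(sbom_json: str) -> list:
    """Return one row per component, most likely exploited and most severe first."""
    sbom = json.loads(sbom_json)
    rows = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        locs = [o["location"] for o in comp.get("evidence", {}).get("occurrences", []) if "location" in o]
        rows[ref] = {"name": comp["name"], "version": comp.get("version", ""), "locations": locs,
                     "cves": [], "severity": "none", "epss": 0.0}
    for vuln in sbom.get("vulnerabilities", []):
        sev, epss = _cvss_severity(vuln.get("ratings", [])), _epss(vuln.get("ratings", []))
        for target in vuln.get("affects", []):
            row = rows.get(target.get("ref"))
            if row is None:
                continue  # references a component not in this BOM; skip rather than guess
            if any(v.get("version") == row["version"] and v.get("status") == "unaffected"
                   for v in target.get("versions", [])):
                continue  # the BOM explicitly marks this exact version as unaffected
            row["cves"].append(vuln["id"])
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(row["severity"], 0):
                row["severity"] = sev
            row["epss"] = max(row["epss"], epss)
    return sorted(rows.values(),
                  key=lambda r: (r["epss"], SEVERITY_RANK.get(r["severity"], 0)), reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_SBOM):
        print(f'{row["name"]}@{row["version"]} epss={row["epss"]:.2f} '
              f'severity={row["severity"]} cves={row["cves"]} at {row["locations"]}')
```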

✅ New webhooks: We have added a couple of webhooks that will notify you when an event or a vulnerability has been closed within one of your groups.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events.

Upcoming

📡 Reachability analysis: We'll add a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module will analyze the components and dependencies listed in the Supply chain section and determine if any reported vulnerabilities actually pose a risk to your application. Since vulnerabilities often only become a threat when specific functionalities are used in your code, this analysis will help you prioritize which issues need immediate attention.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work solely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Author: development
Improvement (new)
7 months ago

See what's new at Fluid Attacks! 🥁


✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in a cyberattack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain section: This section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

☁️ CSPM environment role status: We recently implemented alerts for those cases where users revoke or delete access roles in the cloud (e.g., STS in AWS), roles that allow us to request tokens to scan their infrastructure resources with CSPM. Without these alerts, a revoked role could go unnoticed and result in incomplete or delayed vulnerability scans. Now, for each CSPM environment within the Scope section that presents this problem, you will see the message “Role status: Error”.

Upcoming

📡 Reachability analysis: We'll soon implement a reachability module in our automated tool. It will analyze the components and dependencies we currently report to you in the Supply chain section to confirm whether their vulnerabilities are putting your application at risk. This is because many times vulnerabilities only pose risks when specific functions of such components or dependencies are used in your code. Therefore, this feature will significantly contribute to your prioritization of vulnerability remediation in third-party software.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Author: development
Improvement (new)
7 months ago

See what's new at Fluid Attacks! 🎊

Implemented

🤖 PHP security scanning: Our SAST tool has leveled up! It can now scan codebases containing PHP to identify vulnerabilities specific to this language. This enhancement expands our testing scope to help you deploy even more secure applications.

🔬 Docker image scanning and SBOM: Now, our automated tool can scan your Docker images, which you can import from any registry that supports username and password authentication with no specific registry restrictions. You only need to provide the registry URL and credentials. Then, you can see in the Supply chain section of our platform a detailed listing (SBOM) of each package contained in the Docker image, including security issues associated with them.

⛓️ Supply chain section: You can see your application's affected and unaffected third-party components and dependencies in this section. We separated these elements and security issues from the rest of the findings because some may pose a risk to your company while others may not, making it easier to prioritize them for treatment. Nowadays, you can view such components and dependencies as a complete list or filter them by repository under assessment.

Upcoming

🧩 Enhanced IntelliJ plugin: We recently implemented our IntelliJ IDEA extension and are improving some of its features. Currently, we are establishing links so your development team can go from the IDE to the platform to see specific findings or receive descriptions of vulnerabilities and suggestions for fixing them in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work solely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Author: development
Improvement (new)
7 months ago

See what's new at Fluid Attacks! 💫

Implemented

🔄 Legacy filters: We are currently adding legacy filters in the Vulnerabilities section to align with attributes from the Locations section. The filters already implemented correspond to vulnerability locations and techniques with which we detect them. So, for example, from the first section, if you select the DAST option in the Technique filter, you will see all types of vulnerabilities that have at least one case identified using DAST. Consequently, when you access one of these types, the Locations section will display only those vulnerabilities detected with DAST.

🚯 Prevent file deletion: We have implemented a restriction to prevent the deletion of application files linked to specific environments. This keeps those environments from running out of valid files and becoming unmanageable. If you want to delete such files, you must delete the entire environment.

⛓️ Supply chain section: This new section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

Upcoming

🔬 Docker image scanning: Very soon, our automated tool will be able to scan your Docker images. It will not only list the dependencies within the images but also notify the existing security issues, all in our new Supply chain section.

🧩 Enhanced IntelliJ extension: We recently implemented our IntelliJ IDEA plugin and are improving some of its features. Now, we are establishing links so developers can go from the IDE to the platform to view certain findings or receive descriptions of and remediation suggestions for vulnerabilities in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Author: development
Improvement (new)
7 months ago

See what's new at Fluid Attacks! 🗞️

Implemented

🧩 IntelliJ IDEA extension: Our IntelliJ IDEA plugin is now available for your developers. Thanks to it, they will be able to identify affected lines of code or vulnerabilities we report to them without leaving their IDE.

📈 Priority option in the Policies section: This option allows you to select diverse criteria for ranking vulnerabilities on their potential impact on your company. You can customize the values of several variables, which will be reflected (along with estimates such as EPSS) in the figures displayed in the new "Priority" column for each identified vulnerability. This feature helps your teams quickly recognize and address the most critical risks.

⛓️ Supply chain section: This new section highlights security issues related to your applications' third-party components. Separating these problems from other vulnerabilities reduces noise in reports, allowing easier prioritization. There, you can view affected and unaffected components in two ways: as a full list or filtered by root or repository under assessment.

Upcoming

🔬 Docker image scanning: Soon, our automated tool will be able to analyze your Docker images (.tar files). It will not only list the dependencies within the image but also report the existing security vulnerabilities.

⏩ From CVSS 3.1 to CVSS 4.0: The toggle switch we have enabled to view your vulnerabilities based on CVSS v3.1 and CVSS 4.0 will soon disappear. Please keep in mind that we intend to complete this version transition across all of our platform resources in the near future.

Author: development
Announcement (new)
7 months ago

Review Fluid Attacks on Gartner Peer Insights and receive a $25 gift card

We greatly value your experience with our Continuous Hacking solution, and we would love for you to share a review on Gartner Peer Insights. It will take you just 10 to 15 minutes to complete.

Your feedback will be incredibly helpful to us and to other companies looking to develop and deploy secure software without delays.

To register, please use your business email address or LinkedIn account. Only reviews submitted from verified email addresses are accepted. Be sure to use the link provided in this email.

Once you enter the link, select USD from the available currencies.

Then, if you want the gift card, you can choose one of the available merchants; however, you also have the option to donate this money.

We encourage you to leave honest and transparent feedback without any obligation to give a 5-star rating. Reviews must be written in English, and you do not need to be a Gartner client to participate. You can also check the status of your review in the "My Reviews" section.

As a token of our appreciation for your time and support, you will receive a $25 gift card once your review is approved.

We look forward to your insights and to continuing to strengthen our support for your cybersecurity strategy.

Click here to submit your review.

Fluid Attacks

Author: development
Improvement (new)
8 months ago

Implemented and upcoming improvements on our platform! 🎉

Implemented improvements

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in an attack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain security section: In the Supply chain section, you can see all those security issues associated with third-party software components and dependencies in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it difficult to prioritize them. Currently, you have two ways to view these component listings: (a) the complete list and (b) the list where you can separate packages by root or repository under assessment.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is available for each of your groups within the platform (the latter is the default option). Remember that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in CVSS 4.0. We hope you become increasingly familiar with this transition, which we will try to finish soon.

Upcoming improvements

🧩 IntelliJ IDEA plugin: Very soon, we will enable our extension for IntelliJ IDEA, which will be available to all developers who use this IDE to manage vulnerabilities (including our GenAI support) reported by our tool and hacking team.

Author: development
Improvement (new)
8 months ago

Implemented and upcoming enhancements on our platform!✨

Implemented enhancements

🤖 Custom fix and Autofix support more and more languages: 100% of the programming languages that can be scanned with our SAST tool are currently supported by Custom fix and Autofix (our GenAI-based vulnerability remediation aids).

✅ Vulnerability filter by technique: In order to facilitate your vulnerability management, in the Locations section for each type of vulnerability, we have implemented a new option for you to filter the findings according to the detection techniques (e.g., SAST, SCA, SCR) that allowed us to report them to you.

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

Upcoming enhancements

📈 Improved vulnerability prioritization: The platform will soon enable you to set specific values for vulnerability prioritization criteria within the Policies section. This will result in more accurate figures for each vulnerability —which you will see in the "Priority" column— that better reflect your company's unique needs and principles than a standard CVSS score. This enhanced prioritization will help you make informed decisions on which security issues require immediate attention.

🧩 New IDE plugin: Thanks to our upcoming extension, IntelliJ IDEA users will soon be able to leverage the vulnerability management benefits we offer directly within their IDE, just like those currently enjoyed by VS Code users.

Author: development
Improvement (new)
8 months ago

New and upcoming enhancements on our platform for this month!✨

Implemented enhancements

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

In fact, you will soon see that the risk exposure charts in the Analytics sections reflect substantial decreases, because the vulnerability types we call "Use of software with known vulnerabilities" and "Use of software with known vulnerabilities in development" will be treated separately in the Supply chain section, which we hope you will get used to.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

📮 Mailmap management from the platform: Fluid Attacks' Git mailmap was a plain text file used to organize and unify the names and email accounts of contributing developers or "authors" in Continuous Hacking projects, and it was managed within GitLab for billing. Now, the information that was there is part of our platform's database, where there is already a Mailmap section for easier, faster, and more convenient management. Today, only Customer Managers can edit the mailmap, while User Managers can view it. However, the latter will soon be able to manage it on their own, which will also help avoid billing issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tools reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of the environments or roots where they were detected. From now on, you can see the closing reason, whichever it is, in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution of these reasons.

🚫 Free trial account creation is unavailable for clients: Users from current client organizations are not allowed to start our free trial. This will avoid confusion with reports, new group creations, and extra work for both Fluid Attacks and clients. Furthermore, any attempt to do so will be reported to the organization's administrators.

Upcoming enhancements

🤖 Custom fix and Autofix increasingly support more languages: Currently, the GenAI-based vulnerability remediation support channel we offer (Custom fix and Autofix) supports about 70% of the programming languages that can be scanned by our SAST tool. We strive to reach 100% soon and assist you to the utmost possible extent through this valuable means, which you can enjoy in any of our Continuous Hacking plans.

📈 Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform. We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

Author: development
Improvement (new)
8 months ago

Exciting update 📢 | Branch and URL management!

We've introduced a new feature that allows you to update branches or URLs of repositories under evaluation without affecting existing reports.

Now, you can make necessary updates while preserving all previous findings, as long as the code base remains consistent.

This enhancement ensures smoother processes and uninterrupted insights for your projects.

At Fluid Attacks, we're constantly improving our platform so our clients can benefit more and more.

Author: development