Implemented

🦠 Malware in dependencies: We are now shining a light on any malicious packages hiding within your dependencies. See these threats instantly thanks to the "Malware" tag in the Supply chain section, no need to go to the advisory to check if it's malware!

Squashed bug

✔ Filter bug in Members: You filtered by the 'User' role once, and it was fine, then you removed the filter and applied it again, and it wrongly showed the 'User Manager' role as well! That is no longer the case. Filter on with no bug in sight!

Promised but not yet implemented

⛳️ Prioritized vulnerabilities table: We're taking a little more time working on this feature to supercharge your vulnerability management. You'll have a dedicated section in each group showcasing the top 50 vulnerabilities ranked by Priority score. This will help you prioritize like a pro and tackle the most critical issues first. (Enjoy this New Year's treat starting January 15.)

🧩 Overhauled Jira integration: It's almost here! We're working so you can manage our reports from Jira Cloud more smoothly and efficiently, centralizing your security posture management. (Coming up on December 18.)

🔢 Vulnerabilities per dependency: Ready to dive deep into your dependencies? Go to the Supply chain section and see the number of vulnerabilities lurking in each one of them. (Coming up on December 18.)

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

👌🏼 Centralized report download: Say goodbye to download dilemmas! We've created a special section on our platform for all downloadable content. Simply click the new "Downloads" button in the top right corner to view everything you've downloaded in the past 12 hours. This handy menu lets you monitor download progress and quickly redownload any required files, such as vulnerability and compliance reports, SBOMs, analytics, and more.

💥 Reachability as a prioritization criterion: As you have noticed, the "Reachable" tag is visible in the Supply chain section for vulnerabilities in your direct dependencies that can be exploited. Now, recognizing the importance of this information for your vulnerability remediation prioritization, we've introduced reachability as a prioritization criterion you can select, among others, within the Priority section of your organization's Policies on the platform.

📊 EPSS percentage column: We've added a column to the main table in the Supply chain section that shows the EPSS percentage (Exploit Prediction Scoring System). This value estimates the probability of a vulnerability in your direct dependencies being exploited. A higher percentage signifies a greater risk of exploitation. The EPSS score is intended to aid your teams in prioritizing vulnerability remediation.

Upcoming

By December 10 at the latest

⛳ Prioritized vulnerabilities table: Enhance your vulnerability management with our forthcoming prioritization feature! Each group will soon have a dedicated section showcasing the top 50 vulnerabilities ranked by priority score. This section will include details such as location, assigned team members, treatment status, and reporting date. This streamlined overview will empower your team to rapidly identify and address the most critical issues, ensuring their remediation efforts align with your organization's policies.

🦠 Malware in dependencies: In the next few days, we will report in the Supply chain section which of your software's dependencies are malicious packages published in open-source package repositories.

🔢 Vulnerabilities per dependency: Soon, you will be able to see in the table of the Supply chain section the number of vulnerabilities that we have recognized in each of your security-affected dependencies.

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

Squashed bugs

✔️ Inconsistencies in root registration: First, a repository in a group could have several active branches when, in fact, it should only have one. Second, an active branch associated with a repository could appear in several groups of an organization when, in fact, this association should only appear in one group.

✔️ Issues with free trial accounts and groups: First, some user accounts and groups associated with the free trial were not deleted at the end of the trial when this should happen automatically unless an extension is requested. Second, if the account used remained active on our platform indefinitely, no other user of the same domain could start the free trial. Third, users who had already completed the free trial could re-access the auto-enrollment but not complete it when they really should not have access to it again.

✔️ Wrong status for reported findings: For a specific group on our platform, some identified vulnerabilities appeared in the reporting table of the Vulnerabilities section with the status “Draft” when, in fact, they should have been shown as “Vulnerable.”

Implemented

👌🏼 Centralized report download: No more download confusion! We've organized a dedicated area on our platform for all downloadable files. Just click the new "Downloads" button on the right side of the top bar to see everything you've downloaded in the last 12 hours. This convenient menu lets you check download progress and easily re-download any files you need. Currently, you'll find your vulnerability reports (executive and technical) there. We'll be adding SBOMs and other key platform resources to this download area soon!

📡 Reachability analysis: We've enhanced our automated tool to help you better understand the impact of vulnerabilities within your software supply chain. Our new "reachability module" examines the dependencies listed in the Supply chain section to determine if a reported security issue is an actual vulnerability that can be exploited in your applications. This analysis helps you prioritize and address the most critical issues first. With the latest upgrade, this module can assess Java components or dependencies.

Upcoming

⛳ Prioritized vulnerabilities table: Boost your vulnerability management efficiency with our upcoming prioritization feature! Each group will soon have a dedicated section listing the top 50 vulnerabilities by priority score, complete with location, assigned personnel, treatment status, and reporting date. This streamlined view will enable your team to quickly identify and address the most critical issues, ensuring their remediation efforts are aligned with your organization's policies.

📊 EPSS percentage column: To help you prioritize vulnerabilities, we'll add an EPSS percentage (Exploit Prediction Scoring System) column to the main table in the Supply chain section. This percentage shows how likely it is that a vulnerability in any of your direct dependencies will be exploited. A higher percentage means a higher likelihood of exploitation.

🧩 Overhauled Jira integration: We're enhancing our platform's integration with Jira to provide a smoother, more efficient way to manage our reports directly within your Jira environment. This improved compatibility with Jira will allow you to centralize your security posture management and streamline your workflows.

💥 Reachability as a prioritization criterion: Although the "Reachable" tag currently appears in the Supply chain section to identify confirmed exploitable vulnerabilities, it doesn't yet sufficiently influence their prioritization for remediation. Recognizing the importance of reachability, we will soon add it as a selectable prioritization criterion within the Priority section of your organization's policies in the platform.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

👌🏼 Centralized report download: Say goodbye to download chaos! We've created a dedicated space for all your important files. Simply click the new "Downloads" button on the right side of the platform's top bar to access your download history from the last 24 hours. This organized menu allows you to track download progress and effortlessly re-download any files you might need. For now, you'll find your vulnerability reports (executive and technical) ready and waiting. Stay tuned as we expand this feature to include SBOMs and other essential platform resources in the near future!

☁️ Status validation for all cloud environments: Stay ahead of potential problems in your cloud environments! The Environments table in the Scope section now features a dynamic Status column designed to keep you informed. This column proactively shows "Open events" —issues that can disrupt evaluations— across all your AWS, Azure, or GCP environments. Clearly flagging broken or misconfigured settings allows you to address them promptly, ensuring smooth operations and reliable results.

🔄 From Issues Identified to Vulnerable: Until recently, the components at security risk in the inventory of dependencies we offer you in the Supply chain section had the label "Issues Identified." Now, it has changed to "Vulnerable," making it more explicit that vulnerabilities are present. Nonetheless, remember that when we're sure they are exploitable, we add the label "Reachable."

Upcoming

💥 Reachability as a prioritization criterion: Although the "Reachable" tag is currently visible in the Supply chain section for vulnerabilities known to be exploitable, it doesn't yet influence their remediation priority. Given how important reachability is to this process, we'll soon add it as a selectable prioritization factor within the Priority section of your organization's Policies in the platform.

📊 EPSS percentage column: We'll add a column to the Supply chain section's main table that displays the EPSS percentage (Exploit Prediction Scoring System). This value indicates how likely it is that a vulnerability in any of your direct dependencies will be exploited. A higher percentage means a greater likelihood of exploitation. The EPSS score is designed to help you prioritize vulnerability remediation.

Implemented

📡 Reachability analysis: To better understand the impact of vulnerabilities in your software supply chain, we've added a new reachability analysis feature to our automated tool. This module examines the direct dependencies listed in the Supply chain section to determine if any reported security issue is actually exploitable in your applications. This analysis will help you prioritize vulnerabilities that need immediate attention. For more details, read our post Prioritize vulnerability remediation with Reachability!

📈 Custom vulnerability prioritization: Within the platform's Policies section, you'll find the Priority feature. This allows you to select various factors for ranking vulnerabilities. These factors include how a vulnerability might be exploited, how easily it can be attacked, and the potential consequences for your systems in the event of a cyberattack. You can assign weights to each factor based on your organization's specific needs. These weights will then determine the values displayed in the Priority column for each identified vulnerability. This empowers your teams to swiftly tackle the most critical threats. For more information, read Manage fix prioritization policies.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent feature is that you can now see information about all your registered Docker images in the Environments table.

Upcoming

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

👌🏼 Centralized report download: We have already implemented the "Downloads" button on the right side of the platform's top bar. This button will soon open a menu where you will see the download history of the last 24 hours. From this site, you will also be able to know the status of your downloads or redo them if necessary.

🔄 From Issues Identified to Vulnerable: Currently, within the inventory of dependencies that we offer you in the Supply chain section, those components at security risk have the label "Issues Identified." Soon, this will be changed to "Vulnerable," making it clearer that there are vulnerabilities there. However, remember that when we are certain that these are exploitable, we add the label "Reachable."

📊 EPSS percentage column: In the main table of the Supply chain section, we will implement a column with the EPSS (Exploit Prediction Scoring System) percentage. As its name suggests, this value gives you the probability of exploitation for the vulnerabilities present in your direct dependencies. The higher the percentage, the higher the probability. The EPSS is intended to contribute to vulnerability remediation prioritization.

💥 Reachability as a prioritization criterion: While the "Reachable" tag is already displayed in the Supply chain section for the vulnerabilities we have confirmed are exploitable, it is not currently a factor in their prioritization for remediation. Considering the relevance of reachability for this process, we will soon include it as a prioritization criterion to be chosen in the Priority section of your organization's policies in the platform.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📡 Reachability analysis: We've added a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module analyzes the dependencies listed in the Supply chain section and determines if any reported security issue is actually a vulnerability that could be exploited in your apps. This analysis will help you prioritize which issues need immediate attention. For more information, see our previous announcement.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tool reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent implementation is a pop-up window that allows you to view and manage your environments' secrets when clicking on the corresponding link in the Secrets column.

📃 Improved SBOMs: As part of a continuous improvement of our SBOMs to be reported in the Supply chain section, we recently introduced to our tool the ability to discover dependencies on Go, specifically go.mod.

✅ Expanded permissions for Events tab: We have granted User Managers and Vulnerability Managers access to the Events tab on our platform's To-do list. This will give them a holistic view, allowing them to manage and respond to events effectively, especially when supervising multiple groups.

🫱🏻‍🫲🏼 From MPT to PTaaS: Everything corresponding to the MPT (manual pentesting) evaluation technique is now labeled PTaaS (pentesting as a service) on the platform.

We're pleased to announce a powerful new feature of our automated tool that becomes tangible in our platform's Supply chain section: Reachability.

The Supply chain section shows your application's affected and unaffected third-party dependencies. Now, you can more efficiently prioritize and address dependencies with security issues by knowing which ones have exploitable vulnerabilities.

Here's how it works:

• Focused analysis: Reachability, a feature working with SAST, analyzes your application's direct dependencies reported by our SCA to determine whether their known vulnerabilities are actually exploitable in your specific case.
• Clear prioritization: In the Supply Chain section, look for the "Reachable" tag in the Status column. If it's there, prioritize remediation efforts for those tagged dependencies.
• Detailed vulnerability insights: For each reachable security issue, you'll see the location of the vulnerability within your code and a link to the vulnerability table of the corresponding type. This will help you thoroughly understand the vulnerability and prioritize it effectively in relation to the other reported issues.
• Reduced noise: No more guessing games! Reachability cuts through the noise of potential vulnerabilities and highlights the ones that need immediate attention.

Currently supported languages:

• Javascript
• Typescript
• Python

Coming soon:

• Java
• C#

Start prioritizing your vulnerability remediation today!

Log in to our platform and explore the new Reachability feature in the Supply Chain section.

Implemented

⚠️ Date limit on calendar for vulnerability acceptance: Whenever you enter a date earlier than the current day or that exceeds the number of days allowed by your organization's temporary vulnerability acceptance policy, you will see a message reminding you of the permitted range.

📃 Improved downloadable SBOMs: The SBOMs you can export from our platform in CycloneDX and SPDX formats now have new information. Beyond the default fields, you can now see, for each third-party component: its location, the latest version, and the time since that release. In case of associated security issues, you can see: the affected version, CVEs, their severity, and EPSS.

✅ New webhooks: We have added a couple of webhooks that will notify you when an event or a vulnerability has been closed within one of your groups.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events.

Upcoming

📡 Reachability analysis: We'll add a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module will analyze the components and dependencies listed in the Supply chain section and determine if any reported vulnerabilities actually pose a risk to your application. Since vulnerabilities often only become a threat when specific functionalities are used in your code, this analysis will help you prioritize which issues need immediate attention.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in a cyberattack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain section: This section shows your application's affected and unaffected third-party components and dependencies. Because some may pose a risk to your company while others may not, we decided to separate these elements and security issues from the rest of the findings to make it easier to prioritize them for treatment. Currently, you can view them as a complete list or filter them by repository under evaluation.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

☁️ CSPM environment role status: We recently implemented alerts for those cases where users revoke or delete access roles in the cloud (e.g., STS in AWS), roles that allow us to request tokens to scan their infrastructure resources with CSPM. Not having these alerts could mean mostly incomplete or delayed vulnerability scans. Now, for each CSPM environment within the Scope section that presents this problem, you will see the message “Role status: Error”.

Upcoming

📡 Reachability analysis: We'll soon implement a reachability module in our automated tool. It will analyze the components and dependencies we currently report to you in the Supply chain section to confirm whether their vulnerabilities are putting your application at risk. This is because many times vulnerabilities only pose risks when specific functions of such components or dependencies are used in your code. Therefore, this feature will significantly contribute to your prioritization of vulnerability remediation in third-party software.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll exclusively use CVSS v4.0 for all vulnerability reports in the platform. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work only according to this new CVSS version. The final stage of this transition will wrap up on October 4, 2025, when the API is fully updated.

Implemented

🤖 PHP security scanning: Our SAST tool has leveled up! It can now scan codebases containing PHP to identify vulnerabilities specific to this language. This enhancement expands our testing scope to help you deploy even more secure applications.

🔬 Docker image scanning and SBOM: Now, our automated tool can scan your Docker images, which you can import from any registry that supports username and password authentication with no specific registry restrictions. You only need to provide the registry URL and credentials. Then, you can see in the Supply chain section of our platform a detailed listing (SBOM) of each package contained in the Docker image, including security issues associated with them.

⛓️ Supply chain section: You can see your application's affected and unaffected third-party components and dependencies in this section. We separated these elements and security issues from the rest of the findings because some may pose a risk to your company while others may not, making it easier to prioritize them for treatment. Nowadays, you can view such components and dependencies as a complete list or filter them by repository under assessment.

Upcoming

🧩 Enhanced IntelliJ plugin: We recently implemented our IntelliJ IDEA extension and are improving some of its features. Currently, we are establishing links so your development team can go from the IDE to the platform to see specific findings or receive descriptions of vulnerabilities and suggestions for fixing them in IntelliJ.

⏩ From CVSS 3.1 to CVSS 4.0: Mark your calendars! From April 4, 2025, we'll only use CVSS v4.0 for all vulnerability reports. This change implies that the toggle switch for CVSS v3.1 will be removed, and all our platform's resources, including the CI Agent for breaking the build, will work merely according to the new CVSS version. The final step of this transition will be completed on October 4, 2025, when the API is fully updated.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!