Fluid Attacks News logo

News

Subscribe to Updates

Labels

  • All Posts
  • Fix
  • Announcement
  • Improvement
  • new

Jump to Month

  • April 2025
  • March 2025
  • February 2025
  • January 2025
  • December 2024
  • November 2024
  • October 2024
  • September 2024
  • August 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • July 2019
Product Roadmap
In Review
VEX Support
new
In Progress
Azure integration
new
Container images analysis
new
PHP SAST Suppport
new
Platform redesign
new
CVSS 4.0 in our platform
new
Improvementnew
7 months ago

See what's new at Fluid Attacks! 🗞️

Implemented

🧩 IntelliJ IDEA extension: Our IntelliJ IDEA plugin is now available for your developers. Thanks to it, they will be able to identify affected lines of code or vulnerabilities we report to them without leaving their IDE.

📈 Priority option in the Policies section: This option allows you to select diverse criteria for ranking vulnerabilities on their potential impact on your company. You can customize the values of several variables, which will be reflected (along with estimates such as EPSS) in the figures displayed in the new "Priority" column for each identified vulnerability. This feature helps your teams quickly recognize and address the most critical risks.

⛓️ Supply chain section: This new section highlights security issues related to your applications' third-party components. Separating these problems from other vulnerabilities reduces noise in reports, allowing easier prioritization. There, you can view affected and unaffected components in two ways: as a full list or filtered by root or repository under assessment.

Upcoming

🔬 Docker image scanning: Soon, our automated tool will be able to analyze your Docker images (.tar files). It will not only list the dependencies within the image but also report the existing security vulnerabilities.

⏩ From CVSS 3.1 to CVSS 4.0: The toggle switch we have enabled to view your vulnerabilities based on CVSS v3.1 and CVSS 4.0 will soon disappear. Please keep in mind that we intend to complete this version transition across all of our platform resources in the near future.

Avatar of authordevelopment
Announcementnew
7 months ago

Review Fluid Attacks on Gartner Peer Insights and receive a $25 gift card

We greatly value your experience with our Continuous Hacking solution, and we would love for you to share a review on Gartner Peer Insights. It will take you just 10 to 15 minutes to complete.

Your feedback will be incredibly helpful to us and to other companies looking to develop and deploy secure software without delays.

To register, please use your business email address or LinkedIn account. Only reviews submitted from verified email addresses are accepted. Be sure to use the link provided in this email.

Once you enter the link, select USD from the available currencies:

Then, if you want the gift card, you can choose one of the available merchants; however, you also have the option to donate this money:

We encourage you to leave honest and transparent feedback without any obligation to give a 5-star rating. Reviews must be written in English, and you do not need to be a Gartner client to participate. You can also check the status of your review in the "My Reviews" section.

As a token of our appreciation for your time and support, you will receive a $25 gift card once your review is approved.

We look forward to your insights and to continuing to strengthen our support for your cybersecurity strategy.

Click here to submit your review.

Fluid Attacks

Avatar of authordevelopment
Improvementnew
8 months ago

Implemented and upcoming improvements on our platform! 🎉

Implemented improvements

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in an attack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain security section: In the Supply chain section, you can see all those security issues associated with third-party software components and dependencies in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it difficult to prioritize them. Currently, you have two ways to view these component listings: (a) the complete list and (b) the list where you can separate packages by root or repository under assessment.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is available for each of your groups within the platform (the latter is the default option). Remember that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in CVSS 4.0. We hope you become increasingly familiar with this transition, which we will try to finish soon.

Upcoming improvements

🧩  IntelliJ IDEA plugin: Very soon, you will have enabled our extension for IntelliJ IDEA, which will be available to all developers who use this IDE to manage vulnerabilities (including our GenAI support) reported by our tool and hacking team.

Avatar of authordevelopment
Improvementnew
8 months ago

Implemented and upcoming enhancements on our platform!✨

Implemented enhancements

🤖 Custom fix and Autofix support more and more languages: 100% of the programming languages that can be scanned with our SAST tool are currently supported by Custom fix and Autofix (our GenAI-based vulnerability remediation aids).

✅ Vulnerability filter by technique: In order to facilitate your vulnerability management, in the Locations section for each type of vulnerability, we have implemented a new option for you to filter the findings according to the detection techniques (e.g., SAST, SCA, SCR) that allowed us to report them to you.

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

Upcoming enhancements

📈 Improved vulnerability prioritization: The platform will soon enable you to set specific values for vulnerability prioritization criteria within the Policies section. This will result in more accurate figures for each vulnerability —which you will see in the "Priority" column— that better reflect your company's unique needs and principles than a standard CVSS score. This enhanced prioritization will help you make informed decisions on which security issues require immediate attention.

🧩 New IDE plugin: Thanks to our upcoming extension, IntelliJ IDEA users will soon be able to leverage the vulnerability management benefits we offer directly within their IDE, just like those currently enjoyed by VS Code users.

Avatar of authordevelopment
Improvementnew
8 months ago

New and upcoming enhancements on our platform for this month!✨

Implemented enhancements

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

In fact, you will soon see that the risk exposure charts in the Analytics sections will reflect substantial decreases because these types of vulnerabilities, we call "Use of software with known vulnerabilities" and "Use of software with known vulnerabilities in development," will be treated separately in the Supply chain section, which we hope you will get used to.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

📮 Mailmap management from the platform: Fluid Attacks' Git mailmap was a plain text file used to organize and unify the names and email accounts of contributing developers or "authors" in Continuous Hacking projects, which was managed within GitLab for billing. Now, the information that was there is part of the database of our platform, where there is already a Mailmap section for easier, faster, and more comfortable management. Today, only Customer Managers can edit the mailmap, while User Managers can view it. However, the latter will soon have the opportunity to manage it on their own, which will also help avoid billing issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tools reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🚫 Free trial account creation is unavailable for clients: Users from current client organizations are not allowed to start our free trial. This will avoid confusion with reports, new group creations, and extra work for both Fluid Attacks and clients. Furthermore, any attempt to do so will be reported to the organization's administrators.

Upcoming enhancements

🤖 Custom fix and Autofix increasingly support more languages: Currently, the GenAI-based vulnerability remediation support channel we offer (Custom fix and Autofix) supports about 70% of the programming languages that can be scanned by our SAST tool. We strive to reach 100% soon and assist you to the utmost possible extent through this valuable means, which you can enjoy in any of our Continuous Hacking plans.

📈 Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform. We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

Avatar of authordevelopment
Improvementnew
8 months ago

Exciting update 📢 | Branch and URL management!

We've introduced a new feature that allows you to update branches or URLs of repositories under evaluation without affecting existing reports.

Now, you can make necessary updates while preserving all previous findings, as long as the code base remains consistent.

This enhancement ensures smoother processes and uninterrupted insights for your projects.

At Fluid Attacks, we're constantly improving our platform so our clients can benefit more and more.

Avatar of authordevelopment
Improvementnew
8 months ago

New feature 📢 | Custom fix inside the platform!

Custom fix, our AI-based feature for generating guides for vulnerability remediation, is now available within our platform, regardless of the code editor or IDE your development team uses. 

Bear in mind that this feature is only available for some vulnerabilities. 

At Fluid Attacks, we're continually upgrading our platform so our clients can enjoy more and more benefits.

Avatar of authordevelopment
Improvement
8 months ago

Retain findings in mobile environment updates 🧲

You can now update mobile environments (e.g., .aab, .ipa, and .apk files) without losing the record of reported vulnerabilities. When updating a mobile environment, you will be notified that dynamic findings from the old file will be retained in the newly added one, provided they successfully pass our consistency validations.

Keep in mind that to use this feature (only available for Users and User Managers), you do not have to delete the file you currently have on the platform's Scope section but replace it by selecting the "Add file" option:


Avatar of authordevelopment
Improvementnew
9 months ago

Unwrap new features and enhancements on our platform this August! 🎁

🛠️ Custom fix inside the platform: Currently, Custom fix, our AI-based feature for the generation of guides for vulnerability remediation, is available only in our VS Code extension. However, you will soon have it available from within the Fluid Attacks platform regardless of the code editor or IDE your development team uses.

🔄 Branch or URL update management: When you tried to update a branch or URL corresponding to a repository already under our evaluation, this could mean the alteration and loss of findings reported so far since it was more of a target replacement. Fortunately, you will soon have the option to make updates without deactivating the previous repository and, consequently, without altering the reports obtained, as long as the new root retains the same code base as the previous one.

⚠️ Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

📤 Continuous improvement of EaC: We are currently working on overcoming limitations and making it easier for you to configure and use our .fluidattacks file. This file allows you to exclude reports from our tool's SAST, SCA, and DAST scans with what's commonly known as exceptions as code (EaC).

Avatar of authordevelopment
new
9 months ago

🎉 Exciting news: Fluid Attacks is SOC 2 compliant! 🎉

We are beyond excited to announce that Fluid Attacks' information security practices have been recognized by independent external auditors as meeting the rigorous SOC 2 security trust principle.

SOC 2 is a widely regarded standard developed by the American Institute of Certified Public Accountants (AICPA). It ensures that service providers securely manage data to protect the privacy and interests of their clients.

This significant milestone reflects our ongoing dedication to maintaining the highest standards of security as well as your trust. We understand the critical importance of safeguarding your data and are proud to have our efforts validated by this rigorous standard.

Visit our Trust Center to learn more about our commitment to security.


Avatar of authordevelopment