Implemented

🧩 IntelliJ IDEA extension: Our IntelliJ IDEA plugin is now available for your developers. Thanks to it, they will be able to identify affected lines of code or vulnerabilities we report to them without leaving their IDE.

📈 Priority option in the Policies section: This option allows you to select diverse criteria for ranking vulnerabilities on their potential impact on your company. You can customize the values of several variables, which will be reflected (along with estimates such as EPSS) in the figures displayed in the new "Priority" column for each identified vulnerability. This feature helps your teams quickly recognize and address the most critical risks.

⛓️ Supply chain section: This new section highlights security issues related to your applications' third-party components. Separating these problems from other vulnerabilities reduces noise in reports, allowing easier prioritization. There, you can view affected and unaffected components in two ways: as a full list or filtered by root or repository under assessment.

Upcoming

🔬 Docker image scanning: Soon, our automated tool will be able to analyze your Docker images (.tar files). It will not only list the dependencies within the image but also report the existing security vulnerabilities.

⏩ From CVSS 3.1 to CVSS 4.0: The toggle switch we have enabled to view your vulnerabilities based on CVSS v3.1 and CVSS 4.0 will soon disappear. Please keep in mind that we intend to complete this version transition across all of our platform resources in the near future.

Implemented improvements

📈 Custom vulnerability prioritization: In the Policies section of the platform, you have the Priority option to choose different criteria for prioritizing vulnerabilities. These criteria range from attack vectors and vulnerability exploitability to the various impacts that your systems could receive in an attack. Each criterion can be rated according to its importance for your company, and this will be reflected in the values shown for each vulnerability reported in the new "Priority" column. This will allow your teams to promptly address the most significant risks.

⛓️ Supply chain security section: In the Supply chain section, you can see all those security issues associated with third-party software components and dependencies in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it difficult to prioritize them. Currently, you have two ways to view these component listings: (a) the complete list and (b) the list where you can separate packages by root or repository under assessment.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is available for each of your groups within the platform (the latter is the default option). Remember that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in CVSS 4.0. We hope you become increasingly familiar with this transition, which we will try to finish soon.

Upcoming improvements

🧩  IntelliJ IDEA plugin: Very soon, you will have enabled our extension for IntelliJ IDEA, which will be available to all developers who use this IDE to manage vulnerabilities (including our GenAI support) reported by our tool and hacking team.

Implemented enhancements

🤖 Custom fix and Autofix support more and more languages: 100% of the programming languages that can be scanned with our SAST tool are currently supported by Custom fix and Autofix (our GenAI-based vulnerability remediation aids).

✅ Vulnerability filter by technique: In order to facilitate your vulnerability management, in the Locations section for each type of vulnerability, we have implemented a new option for you to filter the findings according to the detection techniques (e.g., SAST, SCA, SCR) that allowed us to report them to you.

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

Upcoming enhancements

📈 Improved vulnerability prioritization: The platform will soon enable you to set specific values for vulnerability prioritization criteria within the Policies section. This will result in more accurate figures for each vulnerability —which you will see in the "Priority" column— that better reflect your company's unique needs and principles than a standard CVSS score. This enhanced prioritization will help you make informed decisions on which security issues require immediate attention.

🧩 New IDE plugin: Thanks to our upcoming extension, IntelliJ IDEA users will soon be able to leverage the vulnerability management benefits we offer directly within their IDE, just like those currently enjoyed by VS Code users.

Implemented enhancements

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

In fact, you will soon see that the risk exposure charts in the Analytics sections will reflect substantial decreases because these types of vulnerabilities, we call "Use of software with known vulnerabilities" and "Use of software with known vulnerabilities in development," will be treated separately in the Supply chain section, which we hope you will get used to.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

📮 Mailmap management from the platform: Fluid Attacks' Git mailmap was a plain text file used to organize and unify the names and email accounts of contributing developers or "authors" in Continuous Hacking projects, which was managed within GitLab for billing. Now, the information that was there is part of the database of our platform, where there is already a Mailmap section for easier, faster, and more comfortable management. Today, only Customer Managers can edit the mailmap, while User Managers can view it. However, the latter will soon have the opportunity to manage it on their own, which will also help avoid billing issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tools reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🚫 Free trial account creation is unavailable for clients: Users from current client organizations are not allowed to start our free trial. This will avoid confusion with reports, new group creations, and extra work for both Fluid Attacks and clients. Furthermore, any attempt to do so will be reported to the organization's administrators.

Upcoming enhancements

🤖 Custom fix and Autofix increasingly support more languages: Currently, the GenAI-based vulnerability remediation support channel we offer (Custom fix and Autofix) supports about 70% of the programming languages that can be scanned by our SAST tool. We strive to reach 100% soon and assist you to the utmost possible extent through this valuable means, which you can enjoy in any of our Continuous Hacking plans.

📈 Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform. We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

We've introduced a new feature that allows you to update branches or URLs of repositories under evaluation without affecting existing reports.

Now, you can make necessary updates while preserving all previous findings, as long as the code base remains consistent.

This enhancement ensures smoother processes and uninterrupted insights for your projects.

At Fluid Attacks, we're constantly improving our platform so our clients can benefit more and more.

Custom fix, our AI-based feature for generating guides for vulnerability remediation, is now available within our platform, regardless of the code editor or IDE your development team uses. 

Bear in mind that this feature is only available for some vulnerabilities. 

At Fluid Attacks, we're continually upgrading our platform so our clients can enjoy more and more benefits.

You can now update mobile environments (e.g., .aab, .ipa, and .apk files) without losing the record of reported vulnerabilities. When updating a mobile environment, you will be notified that dynamic findings from the old file will be retained in the newly added one, provided they successfully pass our consistency validations.

Keep in mind that to use this feature (only available for Users and User Managers), you do not have to delete the file you currently have on the platform's Scope section but replace it by selecting the "Add file" option:

🛠️ Custom fix inside the platform: Currently, Custom fix, our AI-based feature for the generation of guides for vulnerability remediation, is available only in our VS Code extension. However, you will soon have it available from within the Fluid Attacks platform regardless of the code editor or IDE your development team uses.

🔄 Branch or URL update management: When you tried to update a branch or URL corresponding to a repository already under our evaluation, this could mean the alteration and loss of findings reported so far since it was more of a target replacement. Fortunately, you will soon have the option to make updates without deactivating the previous repository and, consequently, without altering the reports obtained, as long as the new root retains the same code base as the previous one.

⚠️ Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.

📤 Continuous improvement of EaC: We are currently working on overcoming limitations and making it easier for you to configure and use our .fluidattacks file. This file allows you to exclude reports from our tool's SAST, SCA, and DAST scans with what's commonly known as exceptions as code (EaC).

We are beyond excited to announce that Fluid Attacks' information security practices have been recognized by independent external auditors as meeting the rigorous SOC 2 security trust principle.

SOC 2 is a widely regarded standard developed by the American Institute of Certified Public Accountants (AICPA). It ensures that service providers securely manage data to protect the privacy and interests of their clients.

This significant milestone reflects our ongoing dedication to maintaining the highest standards of security as well as your trust. We understand the critical importance of safeguarding your data and are proud to have our efforts validated by this rigorous standard.

Visit our Trust Center to learn more about our commitment to security.