Labels: Announcement, new
3 months ago

What's new with Fluid Attacks 🌙

Implemented

🪃 Easier report generation: Now, every time you go to download a certificate report, if you have not entered all the required information in the Information subsection of the Scope section, you will be prompted to complete that step before you can download the report. Also, when you click the Generate report button, the download options now appear in a drop-down menu.

🌿 A more flexible acceptance policy: The maximum number of days your team could temporarily accept a vulnerability was 90 days. After reviewing a customer request, you can now adjust this policy to a maximum of 999 days.

Squashed bugs

✔️ Issues with event registration: Sometimes, when an analyst wanted to add several events (circumstances preventing the regular application assessment) to the platform, only one of them was registered, so the duplication prevention mechanism had to be readjusted.

✔️ Duplicate vulnerabilities: Some types of vulnerabilities sometimes had duplicate specific cases among their corresponding lists, so several solutions were implemented to prevent them from appearing.

✔️ Unavailable Git root upload via CSV: When trying to add a Git root to the platform through a CSV file, an error message was generated as if the repository was already present when, in fact, it was not.

Implemented unexpectedly

🛠️ Injected and Inherited sections modified: We did well months ago in creating a section where you can see all your third-party components or dependencies, including those highlighted as vulnerable, reachable, or affected by malware. However, we realized we should change its name and location within the platform. Therefore, this section, which we used to call Inherited, is now called Packages and is part of the Surface section. Likewise, the Injected section got its previous name back, Vulnerabilities, where you will continue to find reports of all your security issues.

Promised but not implemented

❌ Prioritized vulnerabilities table: In the end, we decided that this table would not appear. While it was going to be useful when we had the Inherited and Injected sections (both with vulnerability reports), now that there is only one list of types of vulnerabilities detected, this table becomes unnecessary.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Posted by development
Labels: Announcement, new
3 months ago

What's new with Fluid Attacks 📰

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

We keep improving our information about your supply chain and the corresponding inherited vulnerabilities. When you open the details of one of your vulnerable third-party components, you can see the following:

🧭 Direct or transitive dependency: In the Type column, you can find out whether the listed vulnerable files of your software are directly or indirectly related to the third-party component in question. In other words, for every affected element we show whether it depends directly ("D") or transitively ("T," i.e., through at least one intermediate package) on the detailed third-party component. Where the type of dependency cannot be determined, you see a question mark ("?").

🚉 Development or production dependency: In the Environment column, we show you "Build" when your software’s vulnerable files depend on the third-party component only in the software development stage and "Run" when it is in the live production environment.
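One way to derive the Type (D/T/?) and Environment (Build/Run) labels described above from a project's dependency graph. This is an added illustration, not Fluid Attacks' code; it simplifies the platform's per-file view by classifying each package relative to the project root, and the lockfile structure and package names are constructed for the example.

```python
"""Classify resolved packages as direct/transitive and build/run dependencies.
Added example, not Fluid Attacks' implementation; the lockfile below is a
constructed, simplified format (root manifest + per-package 'requires')."""
from collections import deque

# Constructed sample: the root declares runtime and development dependencies,
# and every resolved package lists the packages it itself requires.
SAMPLE_LOCK = {
    "root": {
        "dependencies": {"web-framework", "http-client"},
        "devDependencies": {"test-runner"},
    },
    "packages": {
        "web-framework":   {"requires": {"template-engine"}},
        "http-client":     {"requires": {"url-parser"}},
        "template-engine": {"requires": set()},
        "url-parser":      {"requires": set()},
        "test-runner":     {"requires": {"assert-lib", "url-parser"}},
        "assert-lib":      {"requires": set()},
        "stale-leftover":  {"requires": set()},  # in the lock, but nothing pulls it in
    },
}


def reachable(lock, start):
    """Map every package reachable from the `start` set to the package that first
    pulled it in (None for members of `start`); breadth-first over `requires`."""
    parent = {}
    queue = deque((name, None) for name in sorted(start))
    while queue:
        name, via = queue.popleft()
        if name in parent or name not in lock["packages"]:
            continue
        parent[name] = via
        for child in sorted(lock["packages"][name]["requires"]):
            queue.append((child, name))
    return parent


def dependency_chain(parent, name):
    """Root-to-package chain, e.g. ['http-client', 'url-parser'] shows the
    intermediate package that makes 'url-parser' a transitive dependency."""
    chain = []
    while name is not None:
        chain.append(name)
        name = parent[name]
    return chain[::-1]


def classify(lock):
    """Return {package: (type, environment, chain)} with type in {"D", "T", "?"}
    and environment in {"Run", "Build", "?"}."""
    root = lock["root"]
    direct = root["dependencies"] | root["devDependencies"]
    run_parents = reachable(lock, root["dependencies"])
    build_parents = reachable(lock, root["devDependencies"])
    result = {}
    for name in lock["packages"]:
        if name in run_parents:          # shipped code needs it (tests may too)
            env, chain = "Run", dependency_chain(run_parents, name)
        elif name in build_parents:      # only the development toolchain needs it
            env, chain = "Build", dependency_chain(build_parents, name)
        else:                            # no path from the root: cannot determine
            env, chain = "?", []
        if env == "?":
            kind = "?"
        elif name in direct:
            kind = "D"
        else:
            kind = "T"
        result[name] = (kind, env, chain)
    return result


if __name__ == "__main__":
    for pkg, (kind, env, chain) in classify(SAMPLE_LOCK).items():
        print(f"{pkg:16} {kind} {env:5} {' -> '.join(chain)}")
```

A package reached both from runtime and from development dependencies is reported as Run, since the stricter environment is the one that matters for exposure.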

Squashed bugs

✔️ Reports of removed environments: In projects where users removed URLs from environments under assessment, vulnerability reports associated with those environments were sometimes still being delivered when they should not have been.

✔️ Failure to load/retrieve information in the VS Code plugin: Some users were experiencing difficulties when using our VS Code extension for the first time. The extension failed to load or retrieve any information, displaying no relevant errors.

Promised but not implemented yet / Upcoming

⛳️ Prioritized vulnerabilities table: The platform's section showing the top 50 vulnerabilities ranked by Priority score for each of your groups will appear on January 30, two weeks after the scheduled deadline. We apologize for the delay.

Posted by development
Labels: Announcement, new
3 months ago

What's new with Fluid Attacks 🎁

Implemented

📈 Enhanced accuracy SLA: We now measure accuracy with both the F2 score and the F0.5 score, offering exceptionally low rates of false negatives and false positives. This improvement was made to better address management's pain from critical, overlooked issues and the development team's pain from erroneous alerts. Read the accuracy SLA for detailed information.

Upcoming

⛳️ Prioritized vulnerabilities table: The feature that will supercharge your vulnerability management is almost ready. Each group will showcase the top 50 vulnerabilities ranked by Priority score, so you'll know which issues to tackle first. (Coming up on January 15.)

🔢 Vulnerabilities per dependency: We're planning the UI of the Inherited section with all the current and soon-to-come features, including the number of vulnerabilities lurking in each of the software dependencies in your projects.

✨New to Fluid Attacks or want to brush up on your vulnerability management with us?✨

Join our meetup on January 15, where we'll demo how to use Fluid Attacks' technology to identify vulnerabilities in your application, manage their remediation, and leverage AI to quickly obtain suggestions that can help strengthen your code's security. (The meetup will be in Spanish.)

Posted by development
Labels: Announcement, new
4 months ago

What's new in Fluid Attacks' platform 🥁

Implemented

🗄️ Injected and Inherited sections: The old names, "Vulnerabilities" and "Supply chain", have been changed to "Injected" and "Inherited," respectively. This way we make it clear that we report the vulnerabilities that your own team wrote and those your code may invoke from third-party code.

🔍 Zero risk column in Locations: No more time-consuming searches for vulnerabilities' zero risk request status. The Locations table shows you this information immediately in its new column.

🧳 Moving environments across Git roots: You can now move environments from a root to another within the same group. What's more, the reported vulnerabilities keep their current status.

🧩 Overhauled Jira integration: Install the updated Jira integration now; it lets you manage our reports from Jira Cloud more smoothly and efficiently, centralizing your security posture management.

Squashed bug

✔ Layout bug in Group settings: If you ever had a very long string of characters within your Group context field, you'd see it squish the accompanying Disambiguation field to the end of the screen. Say goodbye to that awkward layout: the information you need now fits, and it looks good.

Upcoming

⛳️ Prioritized vulnerabilities table: We're working on a group section showcasing the top 50 vulnerabilities ranked by Priority score. This will help you prioritize like a pro and tackle the most critical issues first. (Coming up on January 15.)

Promised but not yet implemented

🔢 Vulnerabilities per dependency: We're taking a little more time as we plan the UI of the Inherited section with all the current and soon-to-come features.

Posted by development
Labels: Announcement, new
4 months ago

What's new in Fluid Attacks' platform 🗞️

Implemented

🦠 Malware in dependencies: We are now shining a light on any malicious packages hiding within your dependencies. See these threats instantly thanks to the "Malware" tag in the Supply chain section; there's no need to go to the advisory to check whether a package is malware!

Squashed bug

✔ Filter bug in Members: You filtered by the 'User' role once, and it was fine, then you removed the filter and applied it again, and it wrongly showed the 'User Manager' role as well! That is no longer the case. Filter on with no bug in sight!

Promised but not yet implemented

⛳️ Prioritized vulnerabilities table: We're taking a little more time working on this feature to supercharge your vulnerability management. You'll have a dedicated section in each group showcasing the top 50 vulnerabilities ranked by Priority score. This will help you prioritize like a pro and tackle the most critical issues first. (Enjoy this New Year's treat starting January 15.)

🧩 Overhauled Jira integration: It's almost here! We're working so you can manage our reports from Jira Cloud more smoothly and efficiently, centralizing your security posture management. (Coming up on December 18.)

🔢 Vulnerabilities per dependency: Ready to dive deep into your dependencies? Go to the Supply chain section and see the number of vulnerabilities lurking in each one of them. (Coming up on December 18.)

Posted by development
Labels: Announcement, new
5 months ago

What's new at Fluid Attacks' platform 💫

Implemented

👌🏼 Centralized report download: Say goodbye to download dilemmas! We've created a special section on our platform for all downloadable content. Simply click the new "Downloads" button in the top right corner to view everything you've downloaded in the past 12 hours. This handy menu lets you monitor download progress and quickly redownload any required files, such as vulnerability and compliance reports, SBOMs, analytics, and more.

💥 Reachability as a prioritization criterion: As you have noticed, the "Reachable" tag is visible in the Supply chain section for vulnerabilities in your direct dependencies that can be exploited. Now, recognizing the importance of this information for your vulnerability remediation prioritization, we've introduced reachability as a prioritization criterion you can select, among others, within the Priority section of your organization's Policies on the platform.

📊 EPSS percentage column: We've added a column to the main table in the Supply chain section that shows the EPSS percentage (Exploit Prediction Scoring System). This value estimates the probability of a vulnerability in your direct dependencies being exploited. A higher percentage signifies a greater risk of exploitation. The EPSS score is intended to aid your teams in prioritizing vulnerability remediation.

Upcoming

By December 10 at the latest

⛳ Prioritized vulnerabilities table: Enhance your vulnerability management with our forthcoming prioritization feature! Each group will soon have a dedicated section showcasing the top 50 vulnerabilities ranked by priority score. This section will include details such as location, assigned team members, treatment status, and reporting date. This streamlined overview will empower your team to rapidly identify and address the most critical issues, ensuring their remediation efforts align with your organization's policies.

🦠 Malware in dependencies: In the next few days, we will report in the Supply chain section which of your software's dependencies are malicious packages published in open-source package repositories.

🔢 Vulnerabilities per dependency: Soon, you will be able to see in the table of the Supply chain section the number of vulnerabilities that we have recognized in each of your security-affected dependencies.

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

Squashed bugs

✔️ Inconsistencies in root registration: First, a repository in a group could have several active branches when, in fact, it should only have one. Second, an active branch associated with a repository could appear in several groups of an organization when, in fact, this association should only appear in one group.

✔️ Issues with free trial accounts and groups: First, some user accounts and groups associated with the free trial were not deleted at the end of the trial when this should happen automatically unless an extension is requested. Second, if the account used remained active on our platform indefinitely, no other user of the same domain could start the free trial. Third, users who had already completed the free trial could re-access the auto-enrollment but not complete it when they really should not have access to it again.

✔️ Wrong status for reported findings: For a specific group on our platform, some identified vulnerabilities appeared in the reporting table of the Vulnerabilities section with the status “Draft” when, in fact, they should have been shown as “Vulnerable.”

Posted by development
Labels: Announcement, new
5 months ago

See what's new at Fluid Attacks! 🌟

Implemented

👌🏼 Centralized report download: No more download confusion! We've organized a dedicated area on our platform for all downloadable files. Just click the new "Downloads" button on the right side of the top bar to see everything you've downloaded in the last 12 hours. This convenient menu lets you check download progress and easily re-download any files you need. Currently, you'll find your vulnerability reports (executive and technical) there. We'll be adding SBOMs and other key platform resources to this download area soon!

📡 Reachability analysis: We've enhanced our automated tool to help you better understand the impact of vulnerabilities within your software supply chain. Our new "reachability module" examines the dependencies listed in the Supply chain section to determine if a reported security issue is an actual vulnerability that can be exploited in your applications. This analysis helps you prioritize and address the most critical issues first. With the latest upgrade, this module can assess Java components or dependencies.

Upcoming

⛳ Prioritized vulnerabilities table: Boost your vulnerability management efficiency with our upcoming prioritization feature! Each group will soon have a dedicated section listing the top 50 vulnerabilities by priority score, complete with location, assigned personnel, treatment status, and reporting date. This streamlined view will enable your team to quickly identify and address the most critical issues, ensuring their remediation efforts are aligned with your organization's policies.

📊 EPSS percentage column: To help you prioritize vulnerabilities, we'll add an EPSS percentage (Exploit Prediction Scoring System) column to the main table in the Supply chain section. This percentage shows how likely it is that a vulnerability in any of your direct dependencies will be exploited. A higher percentage means a higher likelihood of exploitation.

🧩 Overhauled Jira integration: We're enhancing our platform's integration with Jira to provide a smoother, more efficient way to manage our reports directly within your Jira environment. This improved compatibility with Jira will allow you to centralize your security posture management and streamline your workflows.

💥 Reachability as a prioritization criterion: Although the "Reachable" tag currently appears in the Supply chain section to identify confirmed exploitable vulnerabilities, it doesn't yet sufficiently influence their prioritization for remediation. Recognizing the importance of reachability, we will soon add it as a selectable prioritization criterion within the Priority section of your organization's policies in the platform.

Posted by development
Labels: Announcement, new
5 months ago

See what's new at Fluid Attacks! 🎉

Implemented

👌🏼 Centralized report download: Say goodbye to download chaos! We've created a dedicated space for all your important files. Simply click the new "Downloads" button on the right side of the platform's top bar to access your download history from the last 24 hours. This organized menu allows you to track download progress and effortlessly re-download any files you might need. For now, you'll find your vulnerability reports (executive and technical) ready and waiting. Stay tuned as we expand this feature to include SBOMs and other essential platform resources in the near future!

☁️ Status validation for all cloud environments: Stay ahead of potential problems in your cloud environments! The Environments table in the Scope section now features a dynamic Status column designed to keep you informed. This column proactively shows "Open events" —issues that can disrupt evaluations— across all your AWS, Azure, or GCP environments. Clearly flagging broken or misconfigured settings allows you to address them promptly, ensuring smooth operations and reliable results.

🔄 From Issues Identified to Vulnerable: Until recently, the components at security risk in the inventory of dependencies we offer you in the Supply chain section had the label "Issues Identified." Now, it has changed to "Vulnerable," making it more explicit that vulnerabilities are present. Nonetheless, remember that when we're sure they are exploitable, we add the label "Reachable."

Upcoming

💥 Reachability as a prioritization criterion: Although the "Reachable" tag is currently visible in the Supply chain section for vulnerabilities known to be exploitable, it doesn't yet influence their remediation priority. Given how important reachability is to this process, we'll soon add it as a selectable prioritization factor within the Priority section of your organization's Policies in the platform.

📊 EPSS percentage column: We'll add a column to the Supply chain section's main table that displays the EPSS percentage (Exploit Prediction Scoring System). This value indicates how likely it is that a vulnerability in any of your direct dependencies will be exploited. A higher percentage means a greater likelihood of exploitation. The EPSS score is designed to help you prioritize vulnerability remediation.

Posted by development
Labels: Announcement, new
5 months ago

See what's new at Fluid Attacks! 🌟

Implemented

📡 Reachability analysis: To better understand the impact of vulnerabilities in your software supply chain, we've added a new reachability analysis feature to our automated tool. This module examines the direct dependencies listed in the Supply chain section to determine if any reported security issue is actually exploitable in your applications. This analysis will help you prioritize vulnerabilities that need immediate attention. For more details, read our post Prioritize vulnerability remediation with Reachability!

📈 Custom vulnerability prioritization: Within the platform's Policies section, you'll find the Priority feature. This allows you to select various factors for ranking vulnerabilities. These factors include how a vulnerability might be exploited, how easily it can be attacked, and the potential consequences for your systems in the event of a cyberattack. You can assign weights to each factor based on your organization's specific needs. These weights will then determine the values displayed in the Priority column for each identified vulnerability. This empowers your teams to swiftly tackle the most critical threats. For more information, read Manage fix prioritization policies.
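The weighted ranking the Priority policy describes, worked through in code. This is an added illustration, not Fluid Attacks' scoring formula; the factor names, their scales, the sample weights and the sample vulnerabilities are all assumptions constructed for the example, and the factors are the ones the announcements mention (reachability, EPSS, ease of attack, impact).

```python
"""Weighted vulnerability priority ranking with organization-chosen weights.
Added illustration, not Fluid Attacks' formula: factor names, scales, weights
and the sample findings below are constructed assumptions."""
from datetime import date

# Each factor is mapped onto a 0..1 scale so that weights are comparable.
FACTOR_SCALES = {
    "reachable":   lambda v: 1.0 if v else 0.0,        # confirmed exploitable here
    "epss":        lambda v: 0.0 if v is None else v,  # probability 0..1; unknown -> 0
    "attack_ease": lambda v: v / 10.0,                 # 0..10, how easily it can be attacked
    "impact":      lambda v: v / 10.0,                 # 0..10, consequences if exploited
}

# Constructed sample findings (not real data).
SAMPLE_VULNS = [
    {"location": "src/auth.py", "reachable": True, "epss": 0.02,
     "attack_ease": 6, "impact": 9, "reported": date(2024, 10, 1)},
    {"location": "vendor/lib.js", "reachable": False, "epss": 0.90,
     "attack_ease": 9, "impact": 5, "reported": date(2024, 9, 15)},
    {"location": "config.yaml", "reachable": False, "epss": None,
     "attack_ease": 3, "impact": 3, "reported": date(2024, 8, 1)},
]

# Constructed sample policy: relative importance of each factor.
SAMPLE_POLICY = {"reachable": 4, "epss": 3, "attack_ease": 2, "impact": 1}


def normalize_weights(weights):
    """Validate the policy and scale the weights so that they sum to 1.
    Factors left out of the policy simply carry weight 0."""
    unknown = set(weights) - set(FACTOR_SCALES)
    if unknown:
        raise ValueError(f"unknown prioritization factors: {sorted(unknown)}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if total == 0:
        raise ValueError("at least one factor needs a positive weight")
    return {factor: w / total for factor, w in weights.items()}


def priority_score(vuln, weights):
    """Priority value 0..100: weighted sum of the normalized factors."""
    norm = normalize_weights(weights)
    return round(100 * sum(norm[f] * FACTOR_SCALES[f](vuln[f]) for f in norm), 1)


def rank(vulns, weights, top_n=50):
    """Top-N table: highest Priority first; ties go to the oldest report."""
    scored = [(priority_score(v, weights), v) for v in vulns]
    scored.sort(key=lambda sv: (-sv[0], sv[1]["reported"], sv[1]["location"]))
    return [dict(v, priority=s) for s, v in scored[:top_n]]


if __name__ == "__main__":
    for row in rank(SAMPLE_VULNS, SAMPLE_POLICY):
        print(f"{row['priority']:5.1f}  {row['location']:14} reported {row['reported']}")
```

Changing the policy changes the order: with a policy that weights only EPSS, the third-party finding with the 90% exploitation probability moves to the top, while the sample policy above puts the reachable first-party finding first.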

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent feature is that you can now see information about all your registered Docker images in the Environments table.

Upcoming

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

👌🏼 Centralized report download: We have already implemented the "Downloads" button on the right side of the platform's top bar. This button will soon open a menu where you will see the download history of the last 24 hours. From this site, you will also be able to know the status of your downloads or redo them if necessary.

🔄 From Issues Identified to Vulnerable: Currently, within the inventory of dependencies that we offer you in the Supply chain section, those components at security risk have the label "Issues Identified." Soon, this will be changed to "Vulnerable," making it clearer that there are vulnerabilities there. However, remember that when we are certain that these are exploitable, we add the label "Reachable."

📊 EPSS percentage column: In the main table of the Supply chain section, we will implement a column with the EPSS (Exploit Prediction Scoring System) percentage. As its name suggests, this value gives you the probability of exploitation for the vulnerabilities present in your direct dependencies. The higher the percentage, the higher the probability. The EPSS is intended to contribute to vulnerability remediation prioritization.

💥 Reachability as a prioritization criterion: While the "Reachable" tag is already displayed in the Supply chain section for the vulnerabilities we have confirmed are exploitable, it is not currently a factor in their prioritization for remediation. Considering the relevance of reachability for this process, we will soon include it as a prioritization criterion to be chosen in the Priority section of your organization's policies in the platform.

Posted by development
Labels: Announcement, new
6 months ago

See what's new at Fluid Attacks! 💫

Implemented

📡 Reachability analysis: We've added a new feature to our automated tool to better understand the impact of vulnerabilities in your software supply chain. The reachability module analyzes the dependencies listed in the Supply chain section and determines if any reported security issue is actually a vulnerability that could be exploited in your apps. This analysis will help you prioritize which issues need immediate attention. For more information, see our previous announcement.

🔬 Docker image scanning and SBOM: No matter where you store your Docker images, our tool can scan them for security risks. As long as your registry supports standard authentication (username and password), you can easily import your images. Simply provide the registry URL and credentials, and our platform will report a detailed software bill of materials (SBOM) for each image in the Supply chain section, highlighting any known security issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tool reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of the environments or roots where they were detected. From now on, you can see the closing reason in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution of these reasons.

🎯 More accurate and eye-catching event reports: The events reported were only associated with roots. We now make these reports more precise by indicating which specific environments are affected by those events. Additionally, we have improved the presentation tables of roots and environments with visual elements that contribute to prioritizing the resolution of open events. The most recent implementation is a pop-up window that allows you to view and manage your environments' secrets when clicking on the corresponding link in the Secrets column.

📃 Improved SBOMs: As part of the continuous improvement of the SBOMs we report in the Supply chain section, we recently added to our tool the ability to discover Go dependencies, specifically from go.mod.

✅ Expanded permissions for Events tab: We have granted User Managers and Vulnerability Managers access to the Events tab on our platform's To-do list. This will give them a holistic view, allowing them to manage and respond to events effectively, especially when supervising multiple groups.

🫱🏻‍🫲🏼 From MPT to PTaaS: Everything corresponding to the MPT (manual pentesting) evaluation technique is now labeled PTaaS (pentesting as a service) on the platform.

Posted by development