🎉 We're thrilled to announce that Fluid Attacks is now an AWS partner and is officially listed on FIRST's website as one of the vendors using EPSS in their products! 🎉

Implemented

👩‍⚖️ Improved Policies section: In the Policies section, you can now centrally manage both your organization's policies and those of each of your groups. Only members with the role of User Manager at the organizational level (soon to be known as Organization Manager; see upcoming feature) can edit such policies, i.e., those related to temporary acceptance of vulnerabilities, the execution of our CI Agent, and the removal of users due to inactivity.

Squashed bug

✔️ Improperly displayed table: In the Members section at the organization level, the tables with information about members to remove were not displayed correctly, and the Details column presented readability problems.

Upcoming

🔤 Renaming roles: The name "User Manager" is used both at the group and organization levels within the platform when, in fact, it refers to two different roles. Hence, to avoid confusion, mainly regarding permissions, the name will change to "Group Manager" for the former and "Organization Manager" for the latter. (Coming up on February 21.)

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

🎉 We're thrilled to announce that Fluid Attacks is now an AWS partner! 🎉

Implemented

⏩ Improved vulnerability tables: We implemented a new version of the vulnerability tables that handles a different query strategy. These tables load information much faster, provide more visual feedback, and enhance your browsing experience.

🏛️ Column management: You have a new interface to manage the columns in the tables of vulnerability types and specific vulnerabilities. You can choose which to enable and which to disable, organize them as you wish, and save the applied changes.

🦠 Reporting use of software with malware: We started reporting the use of third-party software components with code publicly known to be affected by malware as a type of vulnerability in your software products.

Implemented unexpectedly

🔧 Vuln. management menu: The options to request reattacks and accept treatments have been grouped into a single drop-down menu called "Vuln. Management," located at the top right above the table corresponding to each type of vulnerability.

🔁 Redirection for inactive users: You no longer see an alert window with an unauthorized access message due to your session being closed due to inactivity on the platform. Now, in such cases, you are simply redirected to the login page, avoiding unnecessary clicks.

🪛 DevSecOps report name: We have modified the name of the downloadable execution report file of our DevSecOps or CI/CD Agent to match the name within the platform and thus avoid confusion.

Squashed bugs

✔️ Incorrect package display for Docker images: Sometimes, when users in the Surface section wanted to see only the packages associated with a Docker image, they were erroneously redirected to the list of all packages.

✔️ Filtering issues: When filtering data in tables was done through a text input field, and the expected result was not on the first page of results, the message "No data to display" was mistakenly displayed to the user.

✔️ Error changing Docker image credentials: When trying to modify credentials previously added to the platform using the "user:pass" mode, the user encountered an error stating that the credentials were invalid.

Promised but not implemented yet / Upcoming

🎫 Reporting issues in permissions for CSPM: When running CSPM tests, these can sometimes fail due to changes in credential permission settings by users. The idea is to be able to start reporting these problems as events within the platform. (Coming up on February 14.)

👩‍⚖️ Improved Policies section: In the Policies section, you will be able to centrally manage both your organization's policies and those of each of your groups. Only members with the role of User Manager at the organizational level will be able to edit these policies. (Coming up on February 14.)

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

We've recently streamlined vulnerability management on our platform. The options to request reattacks and accept treatments are now conveniently located in a single drop-down menu called "Vuln. Management." This menu is in the top right corner above the table of each type of vulnerability.

To reattack vulnerabilities and verify the success of your team's remediation efforts, click Vuln. Management and then select Reattack. Next, from the table, choose the vulnerabilities you wish to reattack and click Reattack again.

If you need to stop this process anytime, just click the Cancel button.

We hope this change simplifies your workflow and makes vulnerability management more efficient.

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

🖥️ Testing your production environment: From now on, you can also add the production environment of your system under assessment to undergo our continuous security testing. Being more stable than the pre-production environment, evaluating your production environment can give us a broader understanding of your real risks. This way, our testing is carried out during all phases of your software development lifecycle. Please note that you can enjoy all of this at no additional cost.

🛠️ Injected and Inherited sections modified: The section where you can see all your third-party components or dependencies, including those highlighted as vulnerable, reachable, or affected by malware, which we called Inherited for a short time, is now called Packages and is part of the Surface section. Likewise, the Injected section got its previous name back, Vulnerabilities, where you will continue to find reports of all your security issues.

⚠️ Active policy announcements: Each day you access the DevSecOps and Members sections, you will find an announcement about the policies you have active. In the DevSecOps section, you will see information about your policies relating to the temporary acceptance of vulnerabilities and the severity ranges in which our CI Agent breaks the build after a certain grace period. In the Members section, you will see your current inactivity policy for member removal.

➕ Amazon ECR is now supported: We have extended the capability of our scanner to assess container images stored, shared, and deployed in the Amazon Elastic Container Registry (ECR).

⬇️ Export of filtered event lists: Each time you apply a filter in the Events section list and click on the Export button, you will see a drop-down menu where you can choose whether to download the filtered or all the data from the list.

🪚 Environment URL modification: When the URLs of the environments under assessment include at the end unnecessary query parameters that may affect the evaluations and reports, these are removed, leaving only the base URLs.

🔕 Fewer alerts in treatment windows: We removed unnecessary alerts you received while filling in the required fields to improve your experience when assigning treatments to your software vulnerabilities.

❌ Change in the Vulnerabilities column: In the Vulnerabilities column of the list of groups in your organization, we mistakenly mentioned the number of types of vulnerabilities we "found" in each. We have corrected the message since what we really show you is the number of vulnerability types you have open in each group.

Squashed bugs

✔️ Failed folder exclusion for SBOM: We had to readjust the exclusion logic for the SBOM definition, as it failed in the case of listed folders such as ".git/," commonly located in the root directory.

✔️ Endless SBOM generation: The creation of SBOMs for download sometimes became interminable, so we had to make several adjustments to ensure this was always achieved within reasonable time frames.

Upcoming

⏩ Improved vulnerability tables: We are implementing a new version of the vulnerability tables that handles a different query strategy. These tables will load information much faster, provide more visual feedback, and enhance your browsing experience. (Coming up on February 7.)

🏛️ Column management: Linked to the previous feature, you will have a new interface to manage the columns in the tables of vulnerability types and specific vulnerabilities. You will be able to choose which ones to enable and which ones to disable, organize them as you wish, and save the applied changes. (Coming up on February 7.)

🎫 Reporting issues in permissions for CSPM: When running CSPM tests, these can sometimes fail due to changes in credential permission settings by users. The idea is to be able to start reporting these problems as events within the platform. (Coming up on February 7.)

🦠 Reporting use of software with malware: We will begin reporting the use of third-party software components with code publicly known to be affected by malware as a type of vulnerability in your software products. (Coming up on February 7.)

👩‍⚖️ Improved Policies section: In the Policies section, you will be able to centrally manage both your organization's policies and those of each of your groups. Only members with the role of User Manager at the organizational level will be able to edit these policies. (Coming up on February 11.)

Implemented

🪃 Easier report generation: Currently, every time you go to download a certificate report, if you have not entered all the required information in the Information subsection of the Scope section, you will be prompted to complete this step and be able to download the report. Also, when you click the Generate report button, you can now see the download options within a drop-down menu.

🌿 A more flexible acceptance policy: The maximum number of days your team could temporarily accept a vulnerability was 90 days. After reviewing a customer request, you can now adjust this policy to a maximum of 999 days.

Squashed bugs

✔️ Issues with event registration: Sometimes, when an analyst wanted to add several events (circumstances preventing the regular application assessment) to the platform, only one of them was registered, so the duplication prevention mechanism had to be readjusted.

✔️ Duplicate vulnerabilities: Some types of vulnerabilities sometimes had duplicate specific cases among their corresponding lists, so several solutions were implemented to prevent them from appearing.

✔️ Unavailable Git root upload via CSV: When trying to add a Git root to the platform through a CSV file, an error message was generated as if the repository was already present when, in fact, it was not.

Implemented unexpectedly

🛠️ Injected and Inherited sections modified: We did well months ago in creating a section where you can see all your third-party components or dependencies, including those highlighted as vulnerable, reachable, or affected by malware. However, we realized we should change its name and location within the platform. Therefore, this section, which we used to call Inherited, is now called Packages and is part of the Surface section. Likewise, the Injected section got its previous name back, Vulnerabilities, where you will continue to find reports of all your security issues.

Promised but not implemented

❌ Prioritized vulnerabilities table: In the end, we decided that this table would not appear. While it was going to be useful when we had the Inherited and Injected sections (both with vulnerability reports), now that there is only one list of types of vulnerabilities detected, this table becomes unnecessary.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

We keep improving our information about your supply chain and the corresponding inherited vulnerabilities. When you open the details of one of your vulnerable third-party components, you can see the following:

🧭 Direct or transitive dependency: In the Type column, you can find out whether the listed vulnerable files of your software are directly or indirectly related to the third-party component in question. In other words, we show you for every affected element if it has a direct ("D") or a transitive dependency ("T," i.e., with at least an intermediate package) on the detailed third-party component. In cases where it is impossible to determine the type of dependency, you see an interrogation sign ("?").

🚉 Development or production dependency: In the Environment column, we show you "Build" when your software’s vulnerable files depend on the third-party component only in the software development stage and "Run" when it is in the live production environment.

Squashed bugs

✔️ Reports of removed environments: In projects where users removed URLs from environments under assessment, vulnerability reports associated with those environments were sometimes still being delivered when they should not have been.

✔️ Failure to load/retrieve information in the VSC plugin: Some users were experiencing difficulties when using our VS Code extension for the first time. The extension failed to load or retrieve any information, displaying no relevant errors.

Promised but not implemented yet / Upcoming

⛳️ Prioritized vulnerabilities table: The platform's section showing the top 50 vulnerabilities ranked by Priority score for each of your groups will appear on January 30, two weeks after the scheduled deadline. We apologize for the delay.

Implemented

📈 Enhanced accuracy SLA: We now measure accuracy with both the F2 score and the F0.5 score, offering exceptionally low rates of false negatives and false positives. This improvement was made to better address management's pain from critical, overlooked issues and the development team's pain from erroneous alerts. Read the accuracy SLA for detailed information.

Upcoming

⛳️ Prioritized vulnerabilities table: The feature that will supercharge your vulnerability management is almost ready. Each group will showcase the top 50 vulnerabilities ranked by Priority score, so you'll know with issues to tackle first. (Coming up on January 15.)

🔢 Vulnerabilities per dependency: We're planning the UI of the Inherited section with all the current and soon-to-come features, including the number of vulnerabilities lurking in each of the software dependencies in your projects.

✨New to Fluid Attacks or want to brush up on your vulnerability management with us?✨

Join our meetup on January 15, where we'll demo how to use Fluid Attacks' technology to identify vulnerabilities in your application, manage their remediation, and leverage AI to quickly obtain suggestions that can help strengthen your code's security. (The meetup will be in Spanish.)

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

🗄️ Injected and Inherited sections: The old names, "Vulnerabilities" and "Supply chain", have been changed to "Injected" and "Inherited," respectively. This way we make it clear that we report the vulnerabilities that your own team wrote and those your code may invoke from third-party code.

🔍 Zero risk column in Locations: No more time-consuming searches for vulnerabilities' zero risk request status. The Locations table shows you this information immediately in its new column.

🧳 Moving environments across Git roots: You can now move environments from a root to another within the same group. What's more, the reported vulnerabilities keep their current status.

🧩 Overhauled Jira integration: Install now the up-to-date Jira integration, thanks to which you can manage our reports from Jira Cloud more smoothly and efficiently, centralizing your security posture management.

Squashed bug

✔ Layout bug in Group settings: If you ever had a very long string of characters within your Group context field, you'd see it squish the accompanying Disambiguation field to the end of the screen. Say goodbye to that awkward layout. Have the information you need, and it will look good.

Upcoming

⛳️ Prioritized vulnerabilities table: We're working on a group section showcasing the top 50 vulnerabilities ranked by Priority score. This will help you prioritize like a pro and tackle the most critical issues first. (Coming up on January 15.)

Promised but not yet implemented

🔢 Vulnerabilities per dependency: We're taking a little more time as we plan the UI of the Inherited section with all the current and soon-to-come features.

Implemented

🦠 Malware in dependencies: We are now shining a light on any malicious packages hiding within your dependencies. See these threats instantly thanks to the "Malware" tag in the Supply chain section, no need to go to the advisory to check if it's malware!

Squashed bug

✔ Filter bug in Members: You filtered by the 'User' role once, and it was fine, then you removed the filter and applied it again, and it wrongly showed the 'User Manager' role as well! That is no longer the case. Filter on with no bug in sight!

Promised but not yet implemented

⛳️ Prioritized vulnerabilities table: We're taking a little more time working on this feature to supercharge your vulnerability management. You'll have a dedicated section in each group showcasing the top 50 vulnerabilities ranked by Priority score. This will help you prioritize like a pro and tackle the most critical issues first. (Enjoy this New Year's treat starting January 15.)

🧩 Overhauled Jira integration: It's almost here! We're working so you can manage our reports from Jira Cloud more smoothly and efficiently, centralizing your security posture management. (Coming up on December 18.)

🔢 Vulnerabilities per dependency: Ready to dive deep into your dependencies? Go to the Supply chain section and see the number of vulnerabilities lurking in each one of them. (Coming up on December 18.)

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

✨Make your voice heard in the AppSec world!✨

Share your thoughts on Fluid Attacks' solution on Gartner Peer Insights and get a $25 gift card! It will only take 10-15 minutes to help shape the future of the application security industry.

Implemented

👌🏼 Centralized report download: Say goodbye to download dilemmas! We've created a special section on our platform for all downloadable content. Simply click the new "Downloads" button in the top right corner to view everything you've downloaded in the past 12 hours. This handy menu lets you monitor download progress and quickly redownload any required files, such as vulnerability and compliance reports, SBOMs, analytics, and more.

💥 Reachability as a prioritization criterion: As you have noticed, the "Reachable" tag is visible in the Supply chain section for vulnerabilities in your direct dependencies that can be exploited. Now, recognizing the importance of this information for your vulnerability remediation prioritization, we've introduced reachability as a prioritization criterion you can select, among others, within the Priority section of your organization's Policies on the platform.

📊 EPSS percentage column: We've added a column to the main table in the Supply chain section that shows the EPSS percentage (Exploit Prediction Scoring System). This value estimates the probability of a vulnerability in your direct dependencies being exploited. A higher percentage signifies a greater risk of exploitation. The EPSS score is intended to aid your teams in prioritizing vulnerability remediation.

Upcoming

By December 10 at the latest

⛳ Prioritized vulnerabilities table: Enhance your vulnerability management with our forthcoming prioritization feature! Each group will soon have a dedicated section showcasing the top 50 vulnerabilities ranked by priority score. This section will include details such as location, assigned team members, treatment status, and reporting date. This streamlined overview will empower your team to rapidly identify and address the most critical issues, ensuring their remediation efforts align with your organization's policies.

🦠 Malware in dependencies: In the next few days, we will report in the Supply chain section which of your software's dependencies are malicious packages published in open-source package repositories.

🔢 Vulnerabilities per dependency: Soon, you will be able to see in the table of the Supply chain section the number of vulnerabilities that we have recognized in each of your security-affected dependencies.

🧩 Overhauled Jira integration: We will improve the integration of our platform with the bug-tracking system Jira so that you can smoothly and efficiently manage our reports from there. In other words, we will give you greater compatibility with the tools within the Jira ecosystem so that you can keep your security posture management centralized.

Squashed bugs

✔️ Inconsistencies in root registration: First, a repository in a group could have several active branches when, in fact, it should only have one. Second, an active branch associated with a repository could appear in several groups of an organization when, in fact, this association should only appear in one group.

✔️ Issues with free trial accounts and groups: First, some user accounts and groups associated with the free trial were not deleted at the end of the trial when this should happen automatically unless an extension is requested. Second, if the account used remained active on our platform indefinitely, no other user of the same domain could start the free trial. Third, users who had already completed the free trial could re-access the auto-enrollment but not complete it when they really should not have access to it again.

✔️ Wrong status for reported findings: For a specific group on our platform, some identified vulnerabilities appeared in the reporting table of the Vulnerabilities section with the status “Draft” when, in fact, they should have been shown as “Vulnerable.”