Changelog | Fluid Attacks Help

Changelog

2024

December

Release 51

  1. (SCA) Malware packages tagged: Packages in Supply chain with detected malware are tagged.
  2. (SCA) Split environment dependencies: Identify whether dependencies are related to production or development environments.
  3. (SCA) SBOM Export: Include docker packages in SBOM export file.
  4. (ASPM) Environments migration: Migration modal has the option to look up the required root.

Release 50

  1. (Integrations) Jira Security module: All the vulnerabilities are presented in the Security feature of Jira.
  2. (SAST) New Methods:
    1. F332 Java Unsafe TLS Renegotiation.
    2. F151 Java Telnet Request.
    3. F372 Java Insecure HTTP Open Connection.
    4. F007 Java CSRF Unrestricted Request Mapping.
    5. F372 Java Insecure HTTP Request.
    6. F372 Java Insecure HTTP Components.
  3. (ASPM) Component improvements: Ghost buttons, section header, and tabs.
  4. (SCA) Docker packages in SBOM: Docker packages are included in SBOM file.
  5. (ASPM) Zero Risk column: An indicator of requested ZR is available in the Locations table.
  6. (ASPM) Scope table: Show which Roots and Environments have active events.

Release 49

  1. (ASPM) Improved table exports names: Exported CSV files now have meaningful names, including organization or group name and timestamp.
  2. (ASPM) Country is deprecated: Country field is no longer required to create an organization.
  3. (SAST) New Java SAST Methods:
    1. F016 Java Unsafe SSL/TLS Protocol.
    2. F148 Java Insecure FTP Client.
    3. F372 Java Insecure Spring HTTP Request.
    4. F007 Java Insecure FTP Session Factory.

November

Release 48

  1. (ASPM) Centralized report download: Access all your downloadable files through the new Downloads button in the platform header. This includes executive and technical vulnerability reports, with plans to add SBOMs and other resources soon. Track download progress and redownload files effortlessly.
  2. (ASPM) Improved CSV repos import: Add connection method and priority in the CSV file and get an example CSV file. Improved error messages.
  3. (ASPM) Custom priority: Use reachability attribute as a prioritization criterion.
  4. (SCA) New methods:
    1. CSharp CVE 2021 43045.
  5. (SAST) New methods:
    1. Java insecure channel.
    2. Java null cipher.
    3. Python hc aes key.
    4. Java anonymous ldap bind.

Release 47

  1. (ASPM/CSPM) Status validation for cloud environments: A new Status column in the Environments table shows open events for AWS, Azure, or GCP environments, helping you address misconfigurations promptly.
  2. (ASPM/SBOM) Updated labels for vulnerable components: The label 'Issues identified' in Supply chain has been updated to 'Vulnerable' to clarify the presence of security risks. vulnerabilities will display the 'Reachable' label.
  3. (SAST) New methods:
    1. Java unsafe default http client.

Release 46

  1. (SBOM/SAST) Reachability analysis: A feature is available that examines direct dependencies in the Supply chain section to identify exploitable vulnerabilities. This helps prioritize remediation efforts for dependency issues.
  2. (ASPM) Custom vulnerability prioritization: Use the Priority feature in the Policies section to rank vulnerabilities by impact, exploitability, and more, tailored to your organization's needs.
  3. (ASPM) Enhanced event reporting: Events now specify affected environments and feature improved root and environment tables for better prioritization.
  4. (CSPM) New methods:
    1. AWS Document DB Cluster TLS Disabled.
    2. AWS EKS Unrestricted CIDR.
    3. AWS DAX Cluster Without Encryption at Rest.
    4. AWS Unencrypted ECR Repository.
    5. AWS RDS Unencrypted DB Cluster Snapshot.
    6. AWS RDS Unencrypted DB Snapshot.
    7. AWS ALB Does Not Drop Invalid Header Fields.
    8. AWS Public Accessible DMS Replication.
    9. AWS CloudFront Distribution Viewer Policy Allows HTTP.
    10. AWS ALB HTTP Not Redirected to HTTPS.
    11. AWS Document DB Without Audit Logs.
    12. AWS RDS DB Cluster Logs Disabled.
    13. AWS RDS DB Instance Logs Disabled.
    14. AWS Global Accelerator Flow Logs Disabled.
    15. AWS Neptune DB Instance Logs Disabled.
    16. AWS MSK Cluster Logging Disabled.
    17. AWS Workspaces Has Volume Encryption Disabled.
    18. AWS Route53 Transfer Lock Disabled.
    19. AWS SageMaker Training Job Intercontainer Encryption.
    20. AWS SageMaker Notebook Instance Encryption.
    21. AWS Athena Workgroup Query Results Not Encrypted.
  5. (SAST) New methods:
    1. Python flask log injection.
    2. JS express SSRF.
    3. TS express SSRF.
    4. Python insecure redirect.
    5. Python aws hardcoded credentials.
    6. CSharp sql conn hardcoded secret.
    7. CSharp insecure x509 cert 2.
    8. CSharp hardcoded credentials.
    9. Python flask hardcoded secret key.
  6. (SCA) New methods:
    1. Java CVE 2021 37573.

Release 45

  1. (SCA) Docker image scanning: Scan Docker images from any standard registry, generating detailed SBOMs with associated security issues in the Supply chain section.
  2. (ASPM) Vulnerability closing reasons: View detailed reasons for closed vulnerabilities in the Tracking and Analytics sections.
  3. (ASPM) Expanded permissions for Events tab: User Managers and Vulnerability Managers now have access to the Events tab in the To do section, providing a comprehensive view of issues when managing multiple groups.
  4. (ASPM) Automatic filename formatting: Upon file upload, filename is formatted to avoid issues and vulnerabilities in the platform.
  5. (SAST) New methods:
    1. CSharp insecure fspickler des.
    2. CSharp dir entry hardcoded secret.

October

Release 44

  1. (SCA) Improved SBOMs: CycloneDX and SPDX SBOM exports now include component details like location, latest version, and associated security issues.
  2. (ASPM) New webhooks: Notifications added for closed events and vulnerabilities within groups.
  3. (ASPM) From MPT to PTaaS: Former 'MPT' technique is clarified and changed to 'PTaaS'.
  4. (ASPM) Event tab in To-do: Granted Events tab access for additional roles: User Managers and Vulnerability Managers.
  5. (SCA) New methods:
    1. JS CVE 2020 8203.
    2. TS CVE 2020 8203.
    3. JS CVE 2019 10744.
    4. TS CVE 2019 10744.
    5. JS CVE 2018 16487.
    6. JS CVE 2018 16487.
    7. JS CVE 2017 18214.
    8. TS CVE 2017 18214.
    9. JS CVE 2023 42282.
    10. TS CVE 2023 42282.
    11. JS CVE 2021 26540.
    12. TS CVE 2021 26540.
  6. (SAST) New methods:
    1. JS weak ssl tls protocol.
    2. TS weak ssl tls protocol.
    3. PHP insecure content policy.
    4. CSharp weak rsa encrypt padding.
    5. CSharp http listener wildcard.
    6. Java spring concurrent sessions.
    7. PHP insecure referrer policy.
    8. CSharp insecure fastJSon des.
    9. CSharp memory marshal create span.
    10. JS express insec httponly.
    11. TS express insec httponly.
    12. JS express cookie secure.
    13. TS express cookie secure.
    14. Python django insecure cors.
    15. Python fastapi insecure cors.
    16. Python flask insecure cors.
    17. JS express debug mode enabled.
    18. Python django debug mode enabled.
    19. Python fastapi starlette debug on.
    20. Python flask debug mode enabled.
    21. TS express debug mode enabled.
    22. CSharp stacktrace disclosure.
    23. CSharp insecure ecb mode.
    24. Python django sql injection.
    25. Java hardcoded jwt secret.
    26. JS expressJS hardcoded sess secret.
    27. JS hardcoded jwt secret.
    28. Python django hardcoded creds.
    29. TS express hardcoded sess secret.
    30. TS hardcoded jwt secret.
    31. CSharp hardcoded init vector.

Release 43

  1. (ASPM) Supply chain section: Separated affected and unaffected third-party dependencies from the Vulnerabilities section for easier prioritization. Users can filter components by repository under evaluation.
  2. (ASPM) Temporary acceptance: Selected dates must comply with the established policies.
  3. (ASPM) New events in webhooks: Events and vulnerabilities closed added to webhooks.
  4. (CSPM) New methods:
    1. AWS RDS Instance TLS Disabled.
    2. AWS RDS Cluster TLS Disabled.
    3. AWS OpenSearch Domain Insecure TLS Version.
    4. AWS MSK Client Broker TLS Disabled.
    5. AWS MSK Broker Broker TLS Disabled.
    6. AWS Unrestricted Access to MSK Brokers.
    7. AWS ECR Repository Exposed.
    8. AWS OpenSearch Domain Exposed.
    9. AWS RDS Instance Backup Retention Period.
    10. AWS RDS Cluster Backup Retention Period.
    11. AWS ElastiCache Replication Group WO Auto Backups.
    12. AWS ElastiCache Replication Backup Retention Period.
    13. RDS Unrestricted Cluster Groups.
    14. Backup Vault Policy Allow Delete Recovery Points.
    15. AWS Bedrock Guardrails No Sensitive Info Filter.
    16. AWS Event Bridge Default Event Bus Exposed.
    17. AWS Lambda URL Without Authentication.
    18. AWS Lambda Function Exposed.
    19. AWS Comprehend Analysis Without Encryption.
    20. AWS EBS Public Snapshot.
    21. AWS EKS Unencrypted Secrets.
    22. AWS EMR Has Not Config.
    23. AWS OpenSearch Without Encryption at Rest.
    24. AWS OpenSearch Domain Node to Node Encryption.
    25. AWS Glue Catalog Without Encryption at Rest.
    26. AWS Kinesis Stream Without Encryption at Rest.
    27. AWS MQ Broker Publicly Accessible.
    28. AWS MSK Cluster Is Publicly Accessible.
    29. AWS Neptune DB Instance Without Encryption at Rest.
    30. AWS CloudFront Traffic Allows HTTP.
    31. AWS OpenSearch Domain Allows HTTP.
    32. AWS CloudFront Is Not Protected With WAF.
    33. AWS Cloud Trail Delivery Failing.
    34. AWS Config Referencing Missing S3 Bucket.
    35. AWS EKS Cluster Logging Disabled.
    36. AWS Beanstalk Persistent Logs.
    37. AWS OpenSearch Without Audit Logs.
    38. AWS MQ Broker Logs Disabled.
    39. AWS Route53 DNS Query Logging Disabled.
  5. (SCA) New methods:
    1. JS CVE 2021 23771.
    2. TS CVE 2021 23771.
    3. JS CVE 2021 23566.
    4. TS CVE 2021 23566.
    5. JS CVE 2019 10775.
    6. TS CVE 2019 10775.
    7. JS CVE 2019 1010266.
    8. TS CVE 2019 1010266.
  6. (SAST) New methods:
    1. Apk unprotected exported receivers.
    2. Apk unprotected exported services.
    3. Docker insecure context directory.

Release 42

  1. (ASPM) Transition to CVSS v4.0: CVSS v4.0 is now the default for Analytics data. A toggle is available for viewing data in CVSS v3.1.
  2. (ASPM) Prevent file deletion: Restrictions prevent deleting application files linked to environments to maintain manageability.
  3. (SCA) New methods:
    1. JS CVE 2018 3721.
    2. TS CVE 2018 3721.
  4. (SAST) New methods:
    1. CSharp csrf.

Release 41

  1. (IDE) IntelliJ IDEA extension: Developers can now identify reported vulnerabilities within IntelliJ IDEA, similar to existing support for VS Code.
  2. (ASPM) Improved Unauthorized Access message: Improved message, as users do not necessarily need to contact their administrator to access the platform.
  3. (ASPM) Repositories deactivation: Included vulnerabilities of all techniques in repository deactivation notifications.
  4. (SCA) New methods:
    1. JS CVE 2023 25813.
    2. TS CVE 2023 25813.
    3. JS CVE 2022 23540.
    4. TS CVE 2022 23540.
    5. JS CVE 2020 15084.
    6. TS CVE 2020 15084.
    7. JS CVE 2023 32314.
    8. TS CVE 2023 32314.
    9. JS CVE 2023 37466.
    10. TS CVE 2023 37466.
    11. JS CVE 2023 37903.
    12. TS CVE 2023 37903.

September

Release 40

  1. (ASPM) Branch and URL management: Update branches or URLs for repositories without losing existing findings, ensuring consistent reporting.
  2. (ASPM) Vulnerabilities table: Added option to filter vulnerabilities by technique.
  3. (SCA) New methods:
    1. JS CVE 2022 25881.
    2. TS CVE 2022 25881.
    3. JS CVE 2022 25887.
    4. TS CVE 2022 25887.
    5. JS CVE 2020 28500.
    6. TS CVE 2020 28500.

Release 39

  1. (IDE) Custom fix and Autofix: Fluid Attacks' GenAI-based vulnerability remediation now supports all languages scanned by the SAST tool.
  2. (SCA) New methods:
    1. TS CVE 2017 16016.
    2. JS CVE 2016 1000237.
    3. TS CVE 2016 1000237.
    4. JS CVE 2021 26539.
    5. TS CVE 2021 26539.
    6. JS CVE 2024 29415.
    7. TS CVE 2024 29415.
    8. JS CVE 2023 28155.
    9. TS CVE 2023 28155.
  3. (SAST) New methods:
    1. Docker debugging enabled.

Release 38

  1. (ASPM) Mailmap management: Manage developer data directly within the platform to avoid billing issues.
  2. (ASPM) Free trial restrictions: Users from existing client organizations can no longer initiate free trials to prevent confusion with reports.
  3. (SCA) New methods:
    1. Python CVE 2024 39303.
  4. (SAST) New methods:
    1. Improper certificate validation default.

Release 37

  1. (ASPM) Mobile environment updates: Update mobile environments without losing dynamic findings from previous files, provided consistency validations are met.
  2. (ASPM) Branch in technical report: Included repository branch names in technical reports.
  3. (SCA) New methods:
    1. JS CVE 2021 3918.
    2. TS CVE 2021 3918.
    3. JS CVE 2021 23337.
    4. TS CVE 2021 23337.
    5. JS CVE 2022 31129.
    6. TS CVE 2022 31129.
    7. JS CVE 2017 16016.
  4. (SAST) New methods:
    1. TS express insecure rate limit.
    2. JS sql injection in sequelize.
    3. TS sql injection in sequelize.
    4. Docker hardcoded credentials.
    5. Docker downgrade protocol.

August

Release 36

  1. (ASPM) Free trial unavailable for clients: Free trial is disabled for current clients, preventing the creation of new groups and organizations.
  2. (ASPM) Custom fix from the platform: Generate a custom fix inside the platform.
  3. (ASPM) Enhanced reattack requests for multiple vulnerabilities: Improved the vulnerabilities verification request flow. This also includes some UX improvements.
  4. (ASPM) Closing reasons: The reason why a vulnerability was closed is specified.
  5. (ASPM) Show relevant files for Mobile environments: Hid files not related to mobile environments from the dropdown list on the Add environment screen.
  6. (ASPM) Total types in Analytics: Enhanced information on total types of vulnerabilities in Analytics.
  7. (ASPM) Onboarding notifications: Updated free trial enrollment and abandonment emails.
  8. (ASPM) Mailmap management: Granted mailmap editing role to Customer Managers and view role to User Managers.
  9. (SAST) New methods:
    1. TS XSS pug from file precompiled.

Release 35

  1. (CSPM) New methods:
    1. AWS API Gateway Insecure TLS Version.
    2. AWS ACM Certificate Expired.
    3. AWS API Gateway Cache Encryption Disabled.
    4. AWS App Mesh Virtual Gateway TLS Disabled.
    5. AWS App Mesh Virtual Gateway Access Logging Disabled.
  2. (SAST) New methods:
    1. Java insecure cors web view.
    2. Java declare insecure trust manager.
    3. Java insecure biometric auth.
    4. TS sequelize injection.
    5. JS jwt secret insecure source.
    6. TS jwt secret insecure source.
    7. Docker weak ssl TLS.
    8. Docker insecure builder sandbox.
    9. Docker insecure cleartext protocol.
    10. Docker weak hash algorithm.
    11. Docker insecure network host.

Release 34

  1. (ASPM) First-letter search in dropdowns: Filter the available options of dropdown menus by typing the first letters of the name or identifier of the desired item.
  2. (ASPM) Branch and URL change: Implemented branch and URL change in roots for specific cases.
  3. (ASPM) Improved root moving notifications: Accurate messages to group members when roots are moved.
  4. (ASPM) Enhanced mailmap management: Multiple enhancements to the mailmap to prevent errors and improve alias management.
  5. (SAST) New methods:
    1. TS XSS pug from file.
    2. TS unvalidated xml parsed in vm.
    3. TS file unauthorized access.
    4. CSharp XXE resolver.
    5. CSharp insecure cbc iv.
    6. Docker sensitive mount.
    7. Curl insecure certificates.

Release 33

  1. (ASPM) Compliance CSV export: New CSV report that shows the relationship between the unmet security requirement and the location where the non-compliance is occurring.
  2. (SAST) New methods:
    1. Android apk keyboard cache exposure.
    2. TS NoSql injection ternary.
    3. JS NoSql injection ternary.
    4. CSharp technical info leak.
    5. CSharp token validation checks.
    6. CSharp code injection.

Release 32

  1. (CSPM) New methods:
    1. Azure app service mutual TLS is disabled.

July

Release 31

  1. (ASPM/SAST) Reattacking a machine vulnerability: Remove justification requirement when requesting reattacks for automatically reported vulnerabilities.
  2. (ASPM) Group consulting: Feature is deprecated.
  3. (ASPM) Mobile environments: Preserve vulnerabilities for mobile apps, improving updates of the related environment (file).
  4. (ASPM) Compliance report notifications: An alert is shown when the user doesn't have a mobile number registered.
  5. (ASPM) SSH root cloning: Port configuration is required for non-standard ports.
  6. (ASPM) Mailmap import: Add bulk import feature to mailmap.
  7. (SAST) New methods:
    1. CSharp insec direct write.

Release 30

  1. (ASPM) CVSS Migration: Transition entirely to version 4.
  2. (ASPM) AWS Marketplace: Enable integration.
  3. (CSPM) New methods:
    1. AWS S3 Log delivery write access.
    2. AWS EC2 Instance has multiple network interfaces.
  4. (SAST) New methods:
    1. JS/TS cookie service sensitive info.
    2. CSharp log injection.
    3. CSharp insecure elliptic curve.
    4. PHP insecure elliptic curve.

Release 29

  1. (ASPM) CVSS Update: Transition from CVSS 3.1 to version 4 in policies.
  2. (ASPM) Root Removal Option: Allow users to remove a new root without returning to the previous step.
  3. (ASPM) Exposure Column: Include "Exposure" in the Technical Report.
  4. (ASPM) Branch Flexibility: Allow the same repository with a different branch in a group if one is deactivated.
  5. (CSPM) New methods:
    1. AWS EC2 Instance using IMDS V1.
  6. (SAST) New methods:
    1. PHP discloses server version.
    2. PHP insecure expiration time.
    3. PHP server leaks errors.
    4. PHP http only disabled.

Release 28

  1. (ASPM) Access Granted: Include the granted role in the notification.
  2. (CSPM) New methods:
    1. Azure SQL DB Transparent Encryption Is Disabled.
    2. Azure VM Scale Set Does Not Have Zonal Redundancy.
  3. (SAST) New methods:
    1. TF K8s Host IPC Enabled.
    2. TF K8s Host Network Enabled.
    3. TF K8s HostPID Enabled.
    4. TF K8s Host Path Volumes.
  4. (DAST) New methods:
    1. X permitted cross domain policies.

Release 27

  1. (ASPM) Webhooks: Relocate to the Integrations Hub.
  2. (ASPM) New ASPM: Launch the platform's new design for external users.
  3. (SAST) New methods:
    1. TF K8s Container Without Context.
    2. TF K8s Host Process Enabled.
  4. (DAST) New methods:
    1. Unsafe http xframe options.
    2. CDN vulnerable element.
    3. Access control any origin.
    4. HTTP error in response.

June

Release 26

  1. (ASPM) Token Management: Use SecretStorage to securely store tokens.
  2. (CSPM) New methods:
    1. Azure DB PSQL Flex Server Insecure TLS Version.
    2. Azure Redis Cache Allows Connections Without SSL.
    3. Azure DB PSQL Flex Server Firewall Allows Public Access.
    4. Azure DB PSQL Flex Server Connection Throttling Disabled.
  3. (SAST) New methods:
    1. TF K8s Check Run as User.
    2. TF K8s Check Privileged Used.
    3. TF K8s Check If Sys Admin Exists.
    4. JS hardcoded key hmac.
    5. TS hardcoded key hmac.
    6. TF K8s host network enabled.
    7. TF K8s hostpid enabled.
    8. TF K8s host process enabled.
    9. TF K8s host path volumes.
    10. PHP insecure ssl tls stream.
    11. PHP sensitive http sent.
    12. CSharp http only cookie.

Release 25

  1. (SAST) New methods:
    1. TF K8s Check Add Capability.
    2. TF K8s Root Filesystem Read Only.
    3. TF K8s Check Seccomp Profile.
    4. TF K8s Check Drop Capability.
    5. TF K8s Check If Capability Exists.
    6. TF K8s SA Token Enabled.
    7. TF K8s SA Token Enabled.
    8. TF K8s Image Has Digest.
    9. TS nosql injection.
    10. JS nosql injection.
    11. PHP insecure SSL TLS HTTP.

Release 24

  1. (ASPM) Migrate Authors: Authors data is available in the platform.
  2. (ASPM) GitLab Integration: Implement integration with GitLab.
  3. (ASPM) Azure DevOps Integration: Implement integration with Azure DevOps.
  4. (CSPM) New methods:
    1. Azure API Mgmt Uses the Triple DES Cipher Algorithm.
    2. Azure MongoDB NSG Allows Unrestricted Access.
    3. Azure MS SQL Server NSG Allows Unrestricted Access.
    4. Azure MySQL NSG Allows Unrestricted Access.
    5. Azure NetBIOS NSG Allows Unrestricted Access.
    6. Azure Oracle Database NSG Allows Unrestricted Access.
    7. Azure PostgreSQL DB NSG Allows Unrestricted Access.
    8. Azure VMs NSG Allows Unrestricted Access.
    9. Azure RPC NSG Allows Unrestricted Access.
    10. Azure SMTP NSG Allows Unrestricted Access.
    11. Azure SSH NSG Allows Unrestricted Access.
    12. Azure UDP Ports NSG Allows Unrestricted Access.
  5. (SAST) New methods:
    1. TF K8s Allow Privilege Escalation Enabled.
    2. TF K8s Root Container.
    3. TF Kubernetes Insecure Port.
  6. (SCA) New methods:
    1. Poetry toml deps.
  7. (DAST) New methods:
    1. SSL certificate expired.
    2. SSL self signed certificate.
    3. SSL wrong cn.
    4. SSL wildcard certificate.

Release 23

  1. (ASPM) Vulnerability Remediation: Create a comprehensive guide for the remediation of vulnerabilities.
  2. (ASPM) Token Workflow: Update the process for creating and renewing DevSecOps tokens.
  3. (CSPM) New methods:
    1. Azure API Mgmt SVC Does Not Use a Managed Identity.
    2. Azure Key Vault Admin Permissions on Keys.
    3. Azure Search Service Public Network Access Is Enabled.
  4. (SAST) New methods:
    1. PHP insecure mcrypt.
    2. PHP insecure openssl.

May

Release 22

  1. (ASPM) Safe Vulnerabilities Tracking: Enable tracking for safe vulnerabilities and specify the cause of their closure.
  2. (ASPM) VM Permissions: Modify permissions assigned to vulnerability managers related to roots management.
  3. (AGENT) Specific Path Argument: Add an argument to define and analyze specific paths within a repository.
  4. (CSPM) New methods:
    1. Azure DB PSQL Flexible Server SSL Disabled.
    2. Azure Data Lake Allows Access from Any Source.
    3. Azure Synapse Firewall Allows Public Access.
    4. Azure Cosmos DB Public Network Access Is Enabled.
    5. Azure DataFactory Public Network Access Is Enabled.
    6. Azure API Mgmt SVC Public Network Access Is Enabled.
    7. Azure Key Vault Public Network Access Is Enabled.
  5. (SAST) New methods:
    1. CSharp sql injection request.
    2. PHP XML parser.

Release 21

  1. (ASPM) Table Sorting: Enable sorting options for items listed in the Jira table.
  2. (ASPM) Credentials Table Usage Info: Indicate which credentials are currently in use within the credentials table.
  3. (SAST) New methods:
    1. PHP generates insecure token.
    2. PHP uses sha1 in query.

Release 20

  1. (ASPM) WhatsApp OTP: Enable OTP delivery via WhatsApp when users add or update their mobile number.
  2. (CSPM) New methods:
    1. Azure API Mgmt Front Insecure TLS Version.
    2. Azure Subscription Does Not Have a Locking Resource Manager.
    3. Azure App Service HTTP2 Is Disabled.
    4. Azure Subscription Has at Least Two Owners.
    5. Azure Search Service Does Not Use a Managed Identity.
    6. Azure Search Service Insufficient Replicas Configured.
    7. Azure Search Service Has Insufficient Replicas Configured.
  3. (SAST) New methods:
    1. APK task hijacking.
    2. APK clear text traffic.
    3. PHP sql leak errors.
    4. PHP insecure file upload.
    5. PHP unsafe path traversal.
    6. PHP excessive access mode.
    7. PHP technical info leak.
    8. PHP weak random.
    9. PHP insecure deserialization.
  4. (DAST) New methods:
    1. Cont sec pol frame ancestors.
    2. Cont sec pol wild uri.
    3. Cont sec pol missing obj.
    4. Cont sec pol missing script.
    5. Cont sec pol unsafe line.
    6. Cont sec pol hosts jsonp.
    7. Missing referrer policy.
    8. Strict transport low max age.
    9. Strict transport include subdomains.
    10. X content type options nosniff.

Release 19

  1. (ASPM) Expanded Export Columns: Add new columns to the DevSecOps view table and include them in the related CSV export.
  2. (ASPM) Nickname edition: Allow customers to edit the nicknames of Git roots.
  3. (ASPM) Vulnerability filters: Add filters to the API for sorting and categorizing vulnerabilities.
  4. (ASPM) Grouped Vulnerabilities: Show a summary of vulnerabilities grouped by technique in the result log.
  5. (CSPM) New methods:
    1. Azure Dev Portal Has Auth Methods Inactive.
  6. (SAST) New methods:
    1. JS hardcoded credentials in test.
    2. TS hardcoded credentials in test.

April

Release 18

  1. (SAST) CLI using parameters: Allow execution of the CLI using configurable parameters.
  2. (SAST) New methods:
    1. JS command injection serialize.
    2. JS exposed private key.
    3. TS exposed private key.
    4. JS sensitive info in endpoint.
    5. TS sensitive info in endpoint.
    6. TS xml parser inside context.
    7. PHP unsafe xss content.

Release 17

  1. (ASPM/AGENT) Execution details: Include the final status indicating if the build was broken in the Execution details.
  2. (ASPM) Secrets management: Allow permissions to be granted to other users for managing secrets in environment URLs.
  3. (ASPM) Tables management: Add a marker to inform users when some columns are hidden.
  4. (ASPM) Environments management: Automatically close vulnerabilities when the associated environment is deleted.
  5. (CSPM) New methods:
    1. Azure DB for MySQL Flex Servers Insecure TLS Version.
    2. Azure Role-Based Access Control on Key Vault Is Not Enabled.
    3. Azure Function App with Admin Privileges.
    4. Azure Role Actions Is a Wildcard.
    5. Azure App Service Allows HTTP Traffic.
    6. Azure API Not Enforce HTTPS.
    7. AZ Subscription Not Allowed Resource Types Policy.
    8. Azure App Service Does Not Use a Managed Identity.
    9. Azure Function App Logging Is Disabled.
    10. Azure Keys Expiration Date Is Not Enabled.
    11. Azure Secret Expiration Date Is Not Enabled.
    12. Azure App Service Always On Is Not Enabled.
    13. Azure Batch Jobs Runs in Admin Mode.
    14. Azure Function App Use Not Host Keys.
    15. Azure Publicly Exposed Funct App.
  6. (SAST) New methods:
    1. TS express accepts any mime.
    2. JS express accepts any mime.
    3. JS insecure cors origin.
    4. TS insecure cors origin.
    5. Github actions without hash.

Release 16

  1. (ASPM) Warning message: Display a warning message indicating the existence of environments associated with a root when it is deactivated.
  2. (CSPM) New methods:
    1. Azure db mysql firewall allows public access.
    2. Azure db mysql ssl disabled.
    3. Storage lifecycle is not defined.
    4. Azure db sql insecure audit retention period.
    5. Azure db sql extended audit disabled.
    6. Azure db sql firewall allows public access.
  3. (SAST) New methods:
    1. PHP hardcoded init vector.
    2. PHP hardcoded password.
    3. PHP insecure hash.
    4. TS local file inclusion.
    5. TS open redirect.
    6. JS hardcoded password.
    7. TS hardcoded password.
    8. TS sensitive info in params.

Release 15

  1. (IDE) Jira integration: Enable access to all vulnerability information directly within the IDE.
  2. (ASPM) Require OTP for login: Implement a security measure to reduce associated risks.
  3. (ASPM) Delete group: Send an email notification when a group is deleted.
  4. (CSPM) New methods:
      1. Azure db postgresql connection throttling disabled.
      2. Azure db postgresql ssl disabled.
      3. Azure db postgresql insecure tls version.
      4. Azure db postgresql log settings disabled.
      5. Azure db postgresql log checkpoints disabled.
      6. Azure db postgresql firewall allows public access.
      7. Azure db postgresql insecure log retention.
    1. (SAST) New methods:
      1. Html uses innerhtml.
      2. JS file size limit missing.
      3. TS file size limit missing.
      4. JS directory listing.
      5. TS directory listing.
      6. JS error handler enabled.
      7. TS error handler enabled.

    Release 14

    1. (ASPM) Simplify free trial: Reduce the steps required to start a free trial.
    2. (ASPM) Notifications subjects: Update notification subjects for improved clarity.
    3. (ASPM) Group created notifications: Add notifications to keep users updated on group creation events.
    4. (SCA) SCA reports in lock files: Publish SBOMs for Fluid Attacks components.
    5. (SCA) Fluid Attacks SBOMs: Publish SBOMs for Fluid Attacks components.
    6. (CSPM) New methods:
      1. Azure vm encryption at host disabled.
      2. Azure aks has rbac disabled.
    7. (SAST) New methods:
      1. PHP insecure encrypt AES.
      2. PHP remote command execution.
      3. PHP has empty catch.

    March

    Release 13

    1. (ASPM/AGENT) Technical debt policy: Implement a grace period before the agent breaks the build due to new vulnerabilities.
    2. (SAST) Analyze PHP code: Add support for analyzing PHP code with the scanner.
    3. (CSPM) New methods:
      1. Azure aks api server allows public access.
      2. Azure aks has kubenet network plugin.
      3. Azure storage not enabled infrastructure encryption.
    4. (SAST) New methods:
      1. PHP basic authentication.
    5. (SCA) New methods:
      1. Gradle wrapper properties.
      2. CycloneDX JSON deps.
      3. SPDX JSON deps.

    Release 12

    1. (SCA) Standard format: Ensure compliance with Fluid SBOM format requirements.
    2. (ASPM) Approve ZR: Address misuse of ZR requests by customers attempting to bypass build failures.
    3. (CSPM) New methods:
      1. Azure aks has enable local accounts.
      2. Azure aks is not using latest version.
      3. Azure container registry is not using replication.
    4. (SAST) New methods:
      1. PHP info leak errors.
      2. Java insecure engine cipher ssl.
      3. Docker compose ssh pass.
    5. (SCA) New methods:
      1. Gemfile missing package lock.
      2. Erlang missing package lock.
      3. Cargo missing package lock.
      4. Conan missing package lock.
      5. Pipfile missing package lock.
      6. Composer missing package lock.
      7. Nuget missing package lock.

    Release 11

    1. (ASPM) Plans' names: Update and standardize the names of plans.
    2. (ASPM) Videos on evidences: Add an additional field to upload video file evidence into findings.
    3. (ASPM) Connector notifications: Send email alerts when a secure connector goes offline.
    4. (ASPM) Environment secrets: Add an indicator to show the existence of secrets on the Environment URL.
    5. (SCA) Lock files: Add support for lock files.
    6. (SCA) Gradle wrapper: Enable SCA support for gradle-wrapper.properties.
    7. (CSPM) New methods:
      1. Azure blob soft deleted disabled.
      2. Azure network app gateway waf is disabled.
      3. Azure network watcher not enabled.
      4. Azure network flow log insecure retention period.
      5. Azure network  group using port ranges.
      6. Azure firewall network rules unrestricted.
      7. Azure network firewall app rules unrestricted.
      8. Azure container registry admin user enabled.
      9. Azure network out of date owasp rules.
      10. Azure insecure TLS version.
      11. Azure allows FTP deployments.
      12. Azure key vault soft delete retention.
      13. Azure remote debugging enabled.
      14. Azure authentication is not enabled.
    8. (SAST) New methods:
      1. PHP insecure cors.
      2. DB credentials exposed in code.
      3. Java credentials exposed in code.
      4. Swift credentials exposed in code.
      5. Python credentials exposed in code.
    9. (SCA) New methods:
      1. Nuget pkgs lock json.

    Release 10

    1. (ASPM) Org/group policy: Update policy to address temporary acceptance of vulnerabilities based on CVSS scores.
    2. (ASPM) Vulnerabilities evidences: Increase the allowable size limit for supporting evidence submissions.
    3. (ASPM) Events alert: Implement a color-coded circle indicator to flag groups with pending events.
    4. (SCA) Vulnerabilities prioritization: Integrate EPSS scoring into SCA advisories and vulnerability assessments.
    5. (CSPM) New methods:
      1. TF allows priv escalation by policies versions.
      2. Azure network ftp ingress not restricted.
      3. Azure network dns ingress not restricted.
      4. Azure network cifs ingress not restricted.
      5. Azure network rdp ingress not restricted.
      6. Azure network ssh ingress not restricted.
      7. Azure network group allows public access.
      8. Azure network telnet ingress not restricted.
      9. Azure network icmp ingress not restricted.
      10. Azure network https ingress not restricted.
      11. Azure network http ingress not restricted.
      12. Azure disabled accidental purge.
    6. (SAST) New methods:
      1. PHP uses eval.
    7. (SCA) New methods:
      1. Pipfile lock.
      2. Pipfile deps.

    February

    Release 9

    1. (ASPM) Exclusions as Code: Enable EaC functionality for all SKIMS modules.
    2. (ASPM) Organization analytics: Ensure downloaded CSV files from Analytics graphics include complete and relevant information for all groups within the organization.
    3. (ASPM) Secrets modal: Replace the dropdown for "Secret Description" with a dedicated column inside the Secrets modal.
    4. (ASPM) Reattacks overhaul: Implement checks to prevent reattack reviews on outdated locations or files.
    5. (ASPM) Notifications: Update notification wording regarding resolved vulnerabilities for improved clarity.
    6. (SAST) Multi-file scanning: Enable multi-file scanning for SAST methods.
    7. (CSPM) New methods:
      1. Azure storage account not enforcing latest tls.
      2. Azure storage account allows public network access.
      3. Azure redis public network access enabled.
      4. Azure redis authnotrequired enable.
      5. Azure redis insecure tls version.
      6. Azure redis insecure port.
      7. Azure storage account microsoft bypass.
      8. Azure containers soft deleted disabled.
      9. Azure redis firewall allows public access.

    Release 8

    1. (ASPM) Closing date filter: Allow users to define a date range for closing dates when generating custom technical reports for groups.
    2. (ASPM) Root nickname: Display the root nickname associated with a vulnerability.
    3. (CSPM) New methods:
      1. Azure blob containers are public.
      2. Azure storage account allows public blobs.

    Release 7

    1. (ASPM) Webhooks: Enable integration with any application that supports the webhook standard.
    2. (ASPM) Move roots in batch: Allow batch moving of roots to keep the ToE updated and organized.

    Release 6

    1. (ASPM) Vulnerabilities report: Ensure the vulnerabilities report is available 24/7.
    2. (ASPM) AWS authentication for CodeCommit: Enable cloning of CodeCommit repositories using IAM credentials.
    3. (ASPM) Import repositories: Allow importing multiple repositories into the platform using a CSV file.
    4. (SAST/DAST/CSPM) Initialization time: Optimize CLI executions for improved speed.

    January

    Release 5

    1. (IDE) Automatic extension restart: Automatically apply new changes without manual restarts.
    2. (CSPM) GCP and Azure regions on CSPM module: Extend CSPM coverage to include more regions in GCP and Azure.
    3. (ASPM) Display a cancel button when editing: Improve user experience by adding a cancel button when editing.
    4. (ASPM) Organization column: Add an "Organization" column in the To Do and Events sections, including its export in the CSV file.
    5. (CSPM) New methods:
      1. Azure vm SSH key authentication.

    Release 4

    1. (ASPM) New support platform: Implement a seamless process for customer support.
    2. (ASPM) Checkly and Statuspage integration: Provide more detailed information about Fluid Attacks service status.
    3. (ASPM) Requirements descriptions: Add comprehensive descriptions for all requirements.
    4. (ASPM) Improve Pop-ups: Display emergent messages for adding new API tokens and mobile numbers.
    5. (CSPM) New methods:
      1. AWS report inspector lambda vulns.

    Release 3

    1. (ASPM) Implement new status page: Implement a live status page to monitor service availability.
    2. (ASPM) Describe Help process: Describe and explain the support process in the documentation.
    3. (ASPM) Update OWASP MASVS: Update to the latest OWASP MASVS standard version.
    4. (ASPM) Add new standard compliance FISMA: Add FISMA as a new standard in the compliance documentation.
    5. (ASPM) Replace field in events: Replace the "Client" field with "Root" (nickname) in Events.
    6. (ASPM) Last requested reattack in technical reports: Display the last requested reattack date for each location in technical reports.
    7. (ASPM) SBOM linking lines to vulnerabilities: Provide direct links to vulnerabilities for more detailed information.
    8. (ASPM) Exposure management over time (%): Add more decimal precision for improved understanding of percentages over time.
    9. (CSPM) New methods:
      1. AWS report inspector vulns.
      2. AWS report inspector ecr vulns.

    Release 2

    1. (CSPM) Reducing F325 wildcards FP: Improve detection methods to reduce false positives for F325 wildcards.
    2. (CSPM) AWS region in CSPM module: Run CSPM checks across all AWS regions.
    3. (ASPM) Upgrade prices: Update and display the latest service prices on the platform.
    4. (ASPM) Display secure connector logs: Make secure connector logs available for viewing on the platform.
    5. (ASPM/SAST/DAST) Egress support: Add more connection methods to clone repositories and access environments.

    Release 1

    1. (ASPM) Add links to breadcrumbs: Add links to breadcrumbs for easier navigation within the documentation.
