Continuous Hacking methodology | Fluid Attacks Help

Continuous Hacking methodology

Description

Fluid Attacks' Continuous Hacking is a solution that combines its application security testing tools, artificial intelligence (AI), and team of pentesters to accurately find and help remediate security vulnerabilities throughout the software development lifecycle (SDLC) and ensure secure deployments.

Fluid Attacks reports risk exposure promptly to its clients and supports them to achieve high remediation rates and guarantee high-quality and safe products to their end users. Fluid Attacks' security testing involves different techniques, namely, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), cloud security posture management (CSPM), secure code review (SCR) penetration testing as a service (PTaaS), and reverse engineering (RE). Further, Fluid Attacks uses its own AI tool to sort files in a code repository by their probability of containing security vulnerabilities, thus informing Fluid Attacks' pentesters of which files to prioritize in their tests to start finding vulnerabilities faster.

Fluid Attacks accurately detects vulnerabilities in continuous cycles that involve the following:
  1. Automated deterministic attack: Fluid Attacks' automated tool scans your system and reports the common vulnerabilities, showing low false positive rates. The tool performs the following techniques: SAST, DAST, SCA, and CSPM.
  2. AI-powered triage: Fluid Attacks' AI is specially trained with thousands of snippets of vulnerable code. A dedicated module helps prioritizing potentially vulnerable files for review.
  3. Attack team: Fluid Attacks' highly certified red team continuously examines code, infrastructure and applications for security vulnerabilities through secure code review, PTaaS and reverse engineering.
  4. Release team: Fluid Attacks' experts review the findings, discard potential false positives and assess the validity of results.
  5. Escapes team: Fluid Attacks' experts seek to reduce false negatives by searching even deeper for vulnerabilities.
  6. Reattack team: Fluid Attacks' experts evaluate the effectiveness of your fixes and whether new vulnerabilities emerged due to the implementation.
The Fluid Attacks vulnerability detection cycle
Visual depiction of Fluid Attacks' vulnerability detection cycle
Fluid Attacks helps you develop secure software and have secure deployments into production. To ensure secure development, Fluid Attacks performs tests during the entire SDLC. It reports all findings both by its tool and pentesters to you on its platform. There, you can learn about the specific lines of code affected, find links to documentation with examples of compliant code, control the remediation process, request retests to verify fixes and keep track of their progress in risk mitigation, among other vulnerability management tasks. To help developers easily incorporate vulnerability management into their workflow, Fluid Attacks offers integrations with several tools developers often use.

Fluid Attacks' support in the vulnerability remediation process is through custom and automated fixes generated by AI from its platform and VS Code extension. Additionally, Fluid Attacks' feature called "Talk to a Pentester" allows you to meet with an expert for help understanding vulnerabilities. Further, Fluid Attacks offers a CI agent to prevent your development team from deploying software versions with unmanaged vulnerabilities, thus helping to enforce your policies and urge the development team to fix the software security issues.

Learn about the different plans in Continuous Hacking free trial, plans and pricing.

Needed supplies

  1. Version control system with Git technology
  2. Internet access to code repositories, with read and clone privileges (if access is through a private network, its proper configuration and credentials are needed)
  3. URLs of the environments and/or installers for mobile apps (.apk, .ipa) to test
  4. Access credentials to every application (for each role to test)
  5. Access permissions to the integration environment
Notes
Ideally, all system credentials should be usable from Linux without human intervention.

Scope

The scope of testing is defined by the active elements within it. Specifically, it is made up of active repositories and mobile environments registered on the platform, excluding those URLs and endpoints expressly excluded by the client. Furthermore, if an unexpected endpoint is identified in the code, the client's authorization is needed to include it within the scope.

All documentation about managing the scope is in Manage assets to test.

Verification of security requirements

Fluid Attacks Continuous Hacking reviews the client's compliance with all the security requirements carefully curated from several important international standards. These checks are mandatory and not customizable, as the solution is designed for comprehensive testing. The client can alternatively use the Fluid Attacks CLIs for targeting specific weaknesses, which are linked to requirement violations.

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.