Glossary | Fluid Attacks Help

Glossary

B

Black box

The black box is a service where the hacker does not have access to source code or information on the project's infrastructure, with access only to the IPs and URLs associated with the environments where the project is deployed.

C

CI/CD pipeline

A CI/CD pipeline is a series of organized steps or tasks that, mainly in an automated way, allow the successful and fast release of a new software version. Among the activities that take place are the compilation of the source code, the distribution of packages, the execution of quality and security tests and the deployment to different environments.

Cloud security posture management (CSPM)

CSPM is a set of practices for monitoring and managing security configurations and compliance with standards across cloud resources. It assesses IaC scripts, container images and cloud environments and services to identify misconfigurations, policy violations and other security issues.

Continuous deployment (CD)

CD is a process that follows CI. When merged, the different code changes made by developers shape a software product that can be deployed in a test or production environment. Automated procedures are executed to build the product, verify that it meets acceptance requirements and perform a proper deployment at the expected time, often directly to the end users.

Continuous integration (CI)

CI is a practice in which a development team constantly uploads changes, either additions or removals, to a central repository. Automated procedures are run each time to validate that the modifications made to the code meet predefined requirements and to ensure that they integrate smoothly into the software.

CVSS

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the risks. Scores are calculated based on a formula that depends on several metrics that approximate the ease and impact of exploitation. Scores range from 0 to 10, with 10 being the most severe.

CVSSF

The CVSSF is a metric generated by Fluid Attacks by modifying the CVSS metric, which shows the level of risk exposure represented by the vulnerabilities in your system.

D

Dynamic application security testing (DAST)

DAST is a security testing technique for detecting security vulnerabilities in an application. It assesses the running software without accessing its source code by using various attack vectors in search of unexpected behavior and weaknesses related to its deployment configuration, data and business logic.

H

Health Check

Health Check is part of Fluid Attacks' Continuous Hacking solution and consists of performing security testing on the software the client developed before purchasing the Advanced plan.
Note: Health Check is optional, but if it is not executed, parts of the application will not be tested, and, therefore, the possibility of vulnerabilities with the risk of exploitation will remain (in this case, the accuracy SLA does not apply).

M

Mailmap

Mailmap is a table on Fluid Attacks' platform that organizes and unifies the different email addresses and names employed by the authors or contributors.

P

Penetration testing as a service (PTaaS)

PTaaS is a cybersecurity assessment method in which skilled human testers (aka ethical hackers or pentesters) actively and continuously simulate real-world cyberattacks on infrastructure, applications, and other IT systems. PTaaS primarily aims to identify and exploit vulnerabilities that are out of reach for automated tools, even chaining them to find out how large an impact they can have on the evaluated application's security.

R

Reachability

Reachability is a characteristic verified by SAST in which the known vulnerable functions of your application's direct dependencies are actually called by your application, thus generating a higher risk of the vulnerability being exploited in the context of your application. The report that a dependency vulnerability is reachable cuts through the noise of potential vulnerabilities and highlights the ones that need immediate attention.

Reverse engineering (RE)

RE is an outside-in process of deconstructing software for analyzing and understanding its design, structure and functionality in depth. In RE, experts (aka reverse engineers) unravel the source code and its components and functions to discover how that specific technology works and whether it has security issues.

S

Software bill of materials (SBOM)

An SBOM is a comprehensive inventory of all components and dependencies, as well as their associated metadata, that make up a software application. Therefore, SBOMs provide insights into a software product's composition and potential vulnerabilities inherited from third-party code.

Software composition analysis (SCA)

SCA is a technique for identifying and analyzing third-party components and dependencies in software. Regarding security, SCA assesses libraries, frameworks, and packages to determine their versions and detect vulnerabilities, conflicting licenses and other software quality issues.

Static application security testing (SAST)

SAST is a security testing technique for identifying security vulnerabilities in an application's source code. It examines the non-running code to look for programming patterns, misconfigurations and insecure practices that attackers could exploit.

T

Target of Evaluation (ToE)

The ToE is the product or system that will be the subject of Fluid Attacks' security testing. It is mainly defined by adding Git repositories and environments in the Scope section of a group on the Fluid Attacks platform.

W

White box

The white box is a service where the hacker has full access to information such as Git roots, credentials, source code and environments.