Manage environments | Fluid Attacks Help

Manage environments

Fluid Attacks evaluates environments you have appropriately matched with source code repositories. Security testing of environments is done through dynamic application security testing (DAST), cloud security posture management (CSPM) and, exclusively in the Advanced plan, penetration testing as a service (PTaaS) and software reverse engineering. You are encouraged to have Fluid Attacks test two environments for every repository you add, provided that one of them is the production environment (read the benefits below).

Idea
To learn how to add environments located in AWS, Azure or GCP, take a look at the articles in Use cloud integrations.

Know your environments table

Info
Role required: User, Vulnerability Manager or Group Manager

The table listing the environments under evaluation is found in your group's Scope section. Its columns show the following information:
  • URL: The URL address of the environment
  • Type: Whether the environment is located in a supported cloud, is for a mobile app, is at a URL or is for a Docker image
  • Status: The inclusion or exclusion of the environment in the security testing scope; its value can be one of the following:
    • Included: The environment is included for security testing
    • Excluded: The environment is excluded from security testing
    • Open event: A situation prevents the inclusion of the environment for security testing (an icon is provided linking to the event report on the platform)
  • Secrets: Indicates the number of secrets (credentials) that you or other members have registered to access the environment
  • Connection type: The custom connection through which Fluid Attacks must access the environment; its value can be one of the following:
    • Connector: Environment is behind a private network; a Cloudflare tunnel is configured
    • Egress: Environment is behind a private network; Fluid Attacks' egress IP addresses are whitelisted
    • Legacy: Access to environment is through a VPN
    • N/A: No custom connection
  • Is Production: Whether or not the environment is a production environment
  • Requires Authentication: Whether or not Fluid Attacks needs credentials to access the environment

[Image: See environments tested by Fluid Attacks on the platform]

Clicking the downward-facing arrow reveals more information about the environment. Namely, the date it was added, the email address of the group member who added it, and the Git root(s) to which it is associated.

[Image: Know environment details on the Fluid Attacks platform]

Add environments

Info
Role required: User or Group Manager

Notes
You can add two environments per Git root to be tested, as long as one of the two corresponds to a production environment. Here is why adding the latter, with no additional cost, is recommended:
  1. It includes comprehensive security testing in the production stage.
  2. Where environments are not at parity, testing the production environment covers the system's behavior that pre-production environments lack and that attackers are most likely to interact with.
  3. Production environments are more stable and less prone to unexpected issues than pre-production ones, which facilitates continuous testing.
For more information, read the FAQ.
Warning
Environments you have marked as 'production' (step 6) are not analyzed by the DAST scanner; they are exclusively analyzed by Fluid Attacks' security analysts in the Advanced plan.
Notes
A vulnerability found in your production environment is reported for production only when it does not also exist in the other non-production environment you have registered.
Idea on making environments accessible
Below (step 5) are links for guidance on making environments accessible when they are located within a private network.
To add environments to the security testing scope, follow these steps:
  1. Access the group's Scope section and click the URL of the active Git repository whose environment you wish to add.
  [Image: Choose repository to add environment on the Fluid Attacks platform]

  2. In the pop-up window, choose the Environments tab.
  [Image: View linked environments on the Fluid Attacks platform]

  3. Click on Add environment.

  4. Select the environment type and provide the required information in each case.
  [Image: Add environment to test on the Fluid Attacks platform]

    Here is a short definition of each of the options:
    • CSPM: The environment to test is located in AWS, Azure or GCP. This type requires you to provide the necessary credentials.
      Idea: The descriptions of the further fields to fill out when choosing one of the supported cloud services, as well as the instructions to get the required information (e.g., secrets), are in dedicated pages: AWS, Azure, GCP.
    • Mobile: The environment to test corresponds to a mobile application. This type requires you to choose the previously added mobile app file.
    • URL: The environment to test is at a URL where the application is deployed. This type requires you to provide the URL.
  5. If access is behind a private network, check the corresponding option. If it is not, leave the Connector and Egress options unchecked.
  [Image: Specify connection to environment on the Fluid Attacks platform]

  6. Specify whether or not the environment is a production environment.

  7. Click on Confirm to add the environment.
Warning

When checking an environment, an HTTP response code 200 usually means that the request was processed correctly. If this code is not received, the environment may have a problem for one of several reasons, including:

  1. authentication or authorization errors;
  2. data validation errors;
  3. connection or infrastructure problems;
  4. internal server errors.
A status code other than 200 can indicate something is wrong with the environment you are trying to add. In this case, check that you correctly followed the above configuration steps. After verifying this, you can add your environment disregarding the platform warning. Keep in mind that the DAST scanner cannot analyze your environment if it is unreachable.
Idea
Remember to provide the credentials to your pre-production and production environments.
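The reachability check described in the warning above can be run on your side before you add an environment, so that a non-200 response is understood before the platform reports it. The script below is an added example and is not Fluid Attacks' code or the platform's own check; it issues one GET request to a URL and groups the outcome into the failure classes listed above (authentication or authorization, data validation, connection or infrastructure, internal server error). The code mapping and the `headers` parameter for passing a credential are assumptions of this example.

```python
"""
Pre-flight reachability check for an environment URL before it is added to
the testing scope. Added example, not Fluid Attacks' own code: it mirrors the
rule that HTTP 200 usually means the environment answered correctly and maps
other outcomes onto the failure classes listed on the page.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Outcome classes; the four failure classes are the ones the page lists.
OK = "ok"
AUTH = "authentication or authorization error"
VALIDATION = "data validation error"
INFRA = "connection or infrastructure problem"
SERVER = "internal server error"
OTHER = "unexpected status"


@dataclass
class CheckResult:
    url: str
    status: Optional[int]  # None when no HTTP response was obtained at all
    category: str
    detail: str


def classify_status(status: int) -> str:
    """Map an HTTP status code to an outcome class (mapping is an assumption)."""
    if status == 200:
        return OK
    if status in (401, 403, 407):
        return AUTH
    if status in (400, 422):
        return VALIDATION
    if status in (502, 503, 504):
        return INFRA  # gateway cannot reach the upstream application
    if 500 <= status <= 599:
        return SERVER
    return OTHER  # e.g. 404 or 429: reachable, but not a clean success


def check_environment(url: str, timeout: float = 10.0,
                      headers: Optional[dict] = None) -> CheckResult:
    """Issue a GET to `url` and classify the outcome.

    A credential that the environment requires (for instance a bearer token
    you also register as an environment secret) is passed via `headers`.
    urllib follows redirects by default, so 3xx codes rarely surface here.
    """
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            return CheckResult(url, status, classify_status(status), f"HTTP {status}")
    except urllib.error.HTTPError as e:
        # The server answered with a non-2xx code; classify it.
        return CheckResult(url, e.code, classify_status(e.code), f"HTTP {e.code} {e.reason}")
    except urllib.error.URLError as e:
        # DNS failure, refused connection, TLS handshake failure: no HTTP answer.
        return CheckResult(url, None, INFRA, str(e.reason))
    except OSError as e:
        # Read timeouts and other socket-level errors after connecting.
        return CheckResult(url, None, INFRA, repr(e))


if __name__ == "__main__":
    import sys
    # Usage: python check_env.py https://staging.example.com/ https://www.example.com/
    for target in sys.argv[1:] or ["https://example.com/"]:
        r = check_environment(target)
        print(f"{r.url}: {r.category} ({r.detail})")
```

Run it against both the pre-production and the production URL; an `INFRA` result with `status` of `None` is the case where the platform's DAST scanner would also be unable to reach the environment, while `AUTH` usually means the credentials still need to be registered as environment secrets.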

Manage environment secrets

Info
Role required: User, Vulnerability Manager or Group Manager
On the platform, you can securely manage secrets (credentials) that grant Fluid Attacks access to environments in order to test them. Follow these steps to add secrets:
  1. Access the group's Scope section and click the environment's URL.

  2. Click the Add secret button.
  [Image: Add environment secret on the Fluid Attacks platform]

  3. Add as Key the kind of secret it is (e.g., token) and as Value the actual secret. Optionally, provide a description that clarifies how the secret is to be used.
  [Image: Manage environment secrets on the Fluid Attacks platform]

  4. Click on Confirm.

The environment secret is added to the table and made available for Fluid Attacks to view. You can view, edit or remove only the secrets you added.
[Image: View, edit, or remove secrets on the Fluid Attacks platform]

Edit environments

Info
Role required: User, Vulnerability Manager or Group Manager
You may edit the information on connection type and whether the environment is a production environment. These are the steps:
  1. Access the group's Scope section and click the URL of the active Git repository whose environment you wish to edit.

  2. Switch to the Environments tab.

  3. From the Actions column, click on the edit icon.
  [Image: Edit environment on the Fluid Attacks platform]

  4. Make the desired changes and click on Confirm.
  [Image: Edit production environment on the Fluid Attacks platform]

Remove environments

Info
Role required: Group Manager

In order to remove an environment, follow these steps:
  1. Click on the Git repository to which the environment is linked.

  2. Switch to the Environments tab.

  3. From the Actions column, click the trash can icon corresponding to the environment you wish to delete.
  [Image: Remove environment on the Fluid Attacks platform]

  4. Confirm removal.
  [Image: Confirm environment removal on the Fluid Attacks platform]

Move environments

Info
Role required: Group Manager
You can move environments across Git roots within the same group or in a different one. These are the steps:
  1. Access the group's Scope section and click the URL of the active Git repository whose environment you wish to move.

  2. Switch to the Environments tab.

  3. From the Actions column, click on the move icon.
  [Image: Move environment on the Fluid Attacks platform]

  4. Select the target group.
  [Image: Move environment to a group on the Fluid Attacks platform]

  5. Type in the search box part of the target root's URL, branch or nickname to activate the dropdown menu, then choose the root from it.
  [Image: Change environment root on the Fluid Attacks platform]

  6. Click Confirm.

Exclude Environments

Info
Role required: User or Group Manager
Warning
  1. Excluding a subpath implies it is not considered in vulnerability analysis.
  2. Excluding a main path automatically excludes all of its subpaths.
  3. You cannot activate a subpath if its main environment is inactive.

If you want to exclude a subpath of a specific environment from security testing, follow the steps below:
  1. Go to your group's Scope section.

  2. Add the subpath you wish to exclude as you would add an environment to test. To learn how to do the latter, read Add environments.
  [Image: Add environment to exclude on the Fluid Attacks platform]

  3. Click Confirm.

  4. In the table, locate the added subpath and switch the corresponding toggle in the Exclusion status column to off.
  [Image: Exclude environment from tests on the Fluid Attacks platform]

  5. Click on Confirm to apply the exclusion.
  [Image: Confirm environment exclusion on the Fluid Attacks platform]
Note on path existence
Make sure the main path exists before excluding a specific path.


Manage mobile apps

Info
Role required: User, Vulnerability Manager or Group Manager

Add mobile apps to test

To add mobile apps for testing, you need to first add the mobile app file (e.g., .aab, .ipa, .apk) and then add an environment linking to that file. Here are the steps:
  1. Access the group's Scope section and scroll down to Files.
  [Image: View files section on the Fluid Attacks platform]

  2. Click on Add.

  3. Click on the Add file button and choose the mobile app file. Its size must not exceed 5GB.
  [Image: Add mobile app file on the Fluid Attacks platform]

  4. Click on Confirm. Your file should now be visible in the table.

  5. Scroll up to Git roots. If you have not yet added the repository related to the mobile app in question, do it following the steps in Add a new Git Root.

  6. Click on the repository URL and choose Environments > Add environment.

  7. Choose Mobile App as Environment type, then select the corresponding file from Mobile App file and specify if it is a production environment.
  [Image: Add mobile app environment on the Fluid Attacks platform]

  8. Click on Confirm.

Update mobile app file

Notes
The platform does not allow replacing a file with one of a different extension.
Follow these steps to add a newer version of your mobile app. Do not delete the file, as this causes the platform to mark any 'Open' vulnerabilities found in the app as 'Closed' (this is undesirable, as you want us to continue testing the app).
  1. Go to Scope > Files.

  2. Click on the mobile app file.

  3. Click on Add file and upload the newer app version.
  [Image: Update mobile app file on the Fluid Attacks platform]

  4. Click on Replace file.

  5. Read the warning message. You acknowledge that the file is linked to an environment, that vulnerabilities found in the older file can refer to the newer file, and that the latter corresponds to the same mobile app. If you wish to proceed, click on Confirm.
  [Image: Confirm file update on the Fluid Attacks platform]

Remove mobile app file

Warning
Removal causes 'Open' vulnerabilities found in the file to be marked as 'Closed'. Please ensure that you would not rather update the file.
If you are removing a file associated with an environment, you get the following message after step 3 below.
[Image: View file removal message on the Fluid Attacks platform]

In this case, follow the steps described in Remove environments instead. This should be done by a Group Manager. As the message says, removing the environment also removes the mobile app file.

If the file is not associated with an environment, do the following:
  1. Go to Scope > Files.

  2. Click on the file to be removed.

  3. Click on Remove.

  4. Click on Confirm.
  [Image: Confirm file deletion on the Fluid Attacks platform]
