Each group corresponds to individual projects our clients create to manage their vulnerabilities separately. Inside a group on the platform, there are several sections that can be accessed according to the role and plan you are subscribed to. For more information on groups and sections, please see our Documentation.
It is recommended to create several separate groups, each dedicated to one project. That way you have better visibility of the vulnerabilities you manage, can generate focused reports and certificates for each project independently, get an organized view of the analytics, and keep better track of the details of each project you work on.
Vulnerabilities are instances of noncompliance with cybersecurity requirements, which are rules based on the several international standards we check in our comprehensive tests.
Age refers to how many days the vulnerability has been open, whereas last report is the number of days that have passed since the vulnerability was last reported.
Choose Request zero risk as its treatment.
Find the search bar in the Vulnerabilities table. By entering "HTTP" as a keyword, you will see that the great majority of the matching vulnerabilities are "dynamic" (found through DAST).
In the search bar of the Vulnerabilities table, enter the nickname of the repository you are interested in, and the table will show only the vulnerabilities reported in that repository.
There is a limit of six files (images or videos). However, these are constantly updated according to the reattacks or new vulnerabilities that may be reported.
A nickname is how the team can identify a root or set of credentials, making it easier to search for or identify them.
In the Git root table in the Scope section.
Up to 16 hours, according to our service-level agreement.
A reattack can be requested from the Locations and To-do list sections. Select the vulnerability to reattack and then click the Reattack button. The selected vulnerability will then show the status Requested in the Reattack column for up to 16 hours. Remember to check the Consulting section for any new comments regarding the reattack.
You can check the reattack status in the Reattack column of the Locations section. You can also check the Consulting section to see whether there are comments on the request.
The most common reason for this is that your repository is out of sync. Please check the Scope section to verify that there are no errors cloning the related roots' repositories.
If there are no cloning errors and you are trying to request a reattack for reports from our AppSec tool, it could be that you have not added any new changes, and the last commit analyzed by the tool is the latest commit from your root.
That means that if the reattack were executed, the results would be exactly the same, so you need to add new changes to your repository or, again, make sure there are no cloning issues.
If these errors do not apply to your case, and you are still not able to request the reattack, please contact us at help@fluidattacks.com.
In the Vulnerabilities section, click the Generate report button and select the Certificate option. This option will not be available if you have not filled out the Business Registration Number and Business Name fields in the Information section. Remember that the roles that can download certificates are User Manager and Vulnerability Manager.
In the Vulnerabilities section, click the Generate report button and select which type of report you want to download, either technical or executive. Remember that you must register your mobile number beforehand to enable two-factor authentication, which is required to download the report. Remember that the roles that can download reports are User Manager and Vulnerability Manager.
The executive report is a summary report in PDF format, generally intended for personnel in management roles. This report contains concise and clear information on the vulnerabilities reported in the group. On the other hand, the technical report is an XLSX file where you have all the vulnerabilities reported in the group with their technical details.
Members refer to all users who can access your group to visualize information or manage vulnerabilities, scope and tags, among other things. Authors are all the developers or professionals who contribute to the repositories under evaluation.
Consulting is one of the communication channels with users. You can find it in Locations, Groups and Events. Use the one in Locations when you have questions regarding a specific vulnerability. Use the one in Events to ask about the status or details of situations that are preventing security testing from resuming. And use the one on the main screen of a group to ask general questions about that group.
When a vulnerability is permanently accepted, the organization assumes the risk instead of remediating it, so the location will continue to be regarded as vulnerable.
The treatment for that specific security issue reverts to Untreated, and the remediation of such issue is assigned to the user who had requested the temporary acceptance.
Yes, it will apply to all repositories added in that group.
Organization policies are those that you set globally and that will be inherited by all groups pertaining to that organization. For your management purposes, you may prefer to set specific group policies.
Yes, it is only necessary to use Docker if you manage the DevSecOps agent from your local machine. To see the Docker and agent installation steps visit our Documentation.
You can run it both ways.
You can pass multiple arguments. To see the different options, check out our Documentation.
It is up to the user to do it weekly or monthly.
In lax mode, as opposed to strict mode.
Yes, all team members who want to run the agent in the same group require the same token. To acquire the token, you must go to the DevSecOps Agent section in Scope.
If you have any problems logging in to the platform, we recommend the following:
Log out of the platform, delete browser cache and cookies, log back in, and enter the group(s) with the inconvenience.
Try to access the platform from incognito mode or another browser and check if the problem also occurs.
You can also run one of the following JavaScript commands from the browser's developer console (usually opened by pressing F12 on Windows and Linux): sessionStorage.clear() or localStorage.clear(), and then refresh the web page.