A group is a project that every Fluid Attacks client creates to manage its security vulnerabilities separately. Inside a group on the platform, there are several sections that can be accessed according to the role and plan to which you are subscribed. (For more information on groups and sections, see the section Manage vulnerabilities.)
It is recommended that several separate groups, each dedicated to a specific software development project, be created to facilitate vulnerability management. This will allow you to keep a less cluttered and more organized collection of analytics and findings reports, track each issue and its solution more efficiently, and review progress in risk exposure reduction within each project more quickly.
Security vulnerabilities are weaknesses in IT systems that are usually the result of software bugs, design errors, or misconfigurations associated with noncompliance with cybersecurity requirements. When attackers exploit vulnerabilities, they can gain unauthorized access to and control over the system for the theft of information or other assets or the disruption of operations, among other things.
Age refers to the number of days that have passed since the first discovery of that type of vulnerability in your software. In contrast, Last report refers to the number of days that have passed since a vulnerability of that type was last detected in your software.
You must select the option "Request zero risk" on the platform as the treatment for that vulnerability.
In the Locations table of a specific vulnerability type, you can use the search bar and type "DAST" to see only the vulnerabilities detected with this technique.
In the search bar that you can find in the Vulnerabilities table, enter the nickname of the repository you are interested in, and the table will show you only the vulnerabilities reported in that repository.
Some factors for this may be the following:
Essential is a vulnerability scanning plan, i.e., security testing is done with automated tools only. Automatic scanning has the advantages of being fast to run and very scalable. However, it has these main disadvantages:
For these reasons, on many occasions vulnerability detection is only possible through security testing in the Advanced plan (which includes penetration testing as a service and secure code review).
For vulnerability remediation details, Fluid Attacks has a feature in its IDE extension and in its platform that uses generative artificial intelligence to create remediation guides showing developers the steps for alternative fixes. These guides are not guaranteed to be precise and require validation by a developer who has the system's context in mind. They are, however, an excellent starting point for remediation. No one at Fluid Attacks is authorized to give remediation recommendations. Advanced plan users do have an exclusive help option whereby they can talk to a member of Fluid Attacks' hacking team about the detected vulnerabilities.
There is a limit of six files (images or videos). However, these are constantly updated according to the reattacks or new vulnerabilities that may be reported.
A nickname is a term a team gives to a root or set of credentials to make it easier to find or identify.
You can find it in the Git Roots table in the Scope section.
The maximum time you would have to wait would be 16 office hours, according to our service-level agreement.
You can request a reattack from the Locations and To-do sections. Select the vulnerability to be reevaluated and click the Reattack button. Then, the chosen vulnerability will show the "Requested" status in the Reattack column for up to 16 hours. Remember to check the Consulting section for any new comments on the reattack.
You must verify that the Reattack column in the Locations section shows the "Requested" status for the vulnerability you wish to be reevaluated. You can also check in the Consulting section whether there are comments on the request.
The most common reason is that the repository is not synchronized. See the Scope section to verify there were no errors when cloning the Git roots.
Another reason may be that you are trying to request a reattack for a vulnerability reported by our tool when, in fact, you have not made any new changes to your repository. That is, the last commit analyzed by the tool is the last one from your root. So, if you were to run the reattack, the results would be the same. Therefore, you should first try to remediate the vulnerability in your repository.
If you continue having problems with the reattack request after applying the above, please get in touch with us at help@fluidattacks.com.
In the Vulnerabilities section, click the Generate report button and select the Certificate option. However, this option will not be available if you have not filled out the Business Registration Number and Business Name fields in the Information section. Remember that the roles that can download certifications are User Manager and Vulnerability Manager.
In the Vulnerabilities section, click the Generate report button and select which type of report you want to download, either technical or executive. Remember that you must register your mobile number beforehand to enable two-factor authentication to download the report. The roles that can download reports are User Manager and Vulnerability Manager.
The executive report is a summary report in PDF format generally intended for personnel in management roles. This report contains concise and clear information on the vulnerabilities reported in the group. On the other hand, the technical report is an XLSX file where you have all the vulnerabilities reported in the group with their technical details.
Members refer to all users who can access your group to visualize information or manage vulnerabilities, scope and tags, among other things. Authors are all the developers or professionals who contribute to the repositories under evaluation.
Consulting is one of Fluid Attacks' communication channels with users. You can find it in the Locations and Events sections. Use the Locations one when you have questions regarding a specific vulnerability. And use the Events one to ask about the status or details of situations that prevent security testing from resuming.
When you permanently accept a vulnerability, your organization assumes the risk of not remediating it, but this does not mean the vulnerability no longer exists or that your software is now free of it.
In such a case, the treatment for the security issue in question is again shown as "Untreated" and the remediation is assigned to the user who requested the temporary acceptance.
Yes, they will apply to all repositories added to that group.
Organization policies are those that you establish globally and are inherited by all groups belonging to an organization. Group-level policies, on the other hand, allow you to set variations on the above policies for specific groups.
Yes. For more information, please read Install the CI Agent to break the build.
You can run it both ways.
You can pass multiple arguments.
It is up to you to do it weekly or monthly.
In lax mode, as opposed to strict mode.
Yes. To acquire the token, go to the DevSecOps agent section in Scope.
Please log out of the platform, delete your browser's cache and cookies, log back in, and open the groups where you experienced the problem.