Frequently asked questions about the platform | Fluid Attacks Help

Platform FAQ

This section answers frequently asked questions about Fluid Attacks' platform.

Groups

What is a group?

A group is a project that each Fluid Attacks client creates to manage its security vulnerabilities separately. Inside a group on the platform, there are several sections that can be accessed according to your role and the plan to which you are subscribed. (For more information on groups and sections, see the section Manage vulnerabilities.)

Why should you create several groups?

It is recommended that several separate groups, each dedicated to a specific software development project, be created to facilitate vulnerability management. This will allow you to keep a less cluttered and more organized collection of analytics and findings reports, track each issue and its solution more efficiently, and review progress in risk exposure reduction within each project more quickly.

Vulnerabilities

What are vulnerabilities?

Security vulnerabilities are weaknesses in IT systems that are usually the result of software bugs, design errors, or misconfigurations associated with noncompliance with cybersecurity requirements. When attackers exploit vulnerabilities, they can gain unauthorized access to and control over the system for the theft of information or other assets or the disruption of operations, among other things.

What is the difference between Age and Last report in the Vulnerabilities table?

Age refers to the number of days that have passed since the first discovery of that type of vulnerability in your software. In contrast, Last report refers to the number of days that have passed since a vulnerability of that type was last detected in your software.

How do I suggest that a reported vulnerability is a false positive?

You must select the option "Request zero risk" on the platform as the treatment for that vulnerability.

How can I see only the findings of the dynamic application security testing (DAST)?

In the Locations table of a specific vulnerability type, you can use the search bar and type "DAST" to see only the vulnerabilities detected with this technique.

How can I see vulnerabilities specific to a particular Git root?

In the search bar of the Vulnerabilities table, enter the nickname of the repository you are interested in, and the table will show you only the vulnerabilities reported in that repository.

Why are vulnerabilities found on very old files?

Some possible reasons are the following:

  1. The Continuous Hacking project started long after the software product started to be built, and you decided not to request a Health Check, which involves a manual review of the old code by Fluid Attacks' hacking team.
  2. You added an old repository with code already built, and the corresponding Health Check was not requested.
  3. You requested a Health Check and it was conducted, but since the members of Fluid Attacks' hacking team who assess your code change over time, the team found these vulnerabilities only now.

Why did security testing under the Essential plan fail to find vulnerabilities?

Essential is a vulnerability scanning plan, i.e., security testing is done with automated tools only. Automated scanning has the advantages of being fast to run and very scalable. However, it has these main disadvantages:

  1. It only finds between 10% and 30% of a system's total risk exposure; the rest can only be confirmed manually (e.g., through business flows that require an environment, authentication, test data, etc.).
  2. If the scanner is configured to detect a higher percentage of vulnerabilities than described above, it starts to report more false positives than real alerts.

For these reasons, on many occasions vulnerability detection is only possible through the security testing in the Advanced plan (which includes penetration testing as a service and secure code review).

Does Fluid Attacks explain how to remediate a vulnerability?

For vulnerability remediation details, Fluid Attacks offers a feature in its IDE extension and on its platform that uses generative artificial intelligence to create remediation guides showing developers the steps for alternative remediations. These guides are not guaranteed to be precise and require validation by a developer who has the system's context in mind. They are, however, an excellent starting point for remediating issues. No one at Fluid Attacks is authorized to give remediation recommendations. Advanced plan users do have an exclusive help option whereby they can talk to a member of Fluid Attacks' hacking team about the detected vulnerabilities.

Can I have detailed conversations with someone at Fluid Attacks about the detected vulnerabilities?

Yes, but only with the Advanced plan. Any user from the client's side, including vendors, can request a vulnerability clarification meeting through the Talk to a Hacker feature. The individuals from Fluid Attacks' team assigned to these meetings are fully capable of effectively communicating the risks associated with a vulnerability, helping your organization to proceed with remediation. Depending on the complexity of the vulnerability, the Talk to a Hacker representative may invite the original security analysts who discovered it for further clarification. However, the Talk to a Hacker expert remains the most suitable person to facilitate these discussions.

Evidence

How many pieces of evidence (images and videos) do I have access to?

There is a limit of six files (images or videos). However, these are constantly updated according to the reattacks or new vulnerabilities that may be reported.

Scope

What is a nickname?

A nickname is a term a team gives to a root or set of credentials to make it easier to find or identify.

Where can I find my repository's nickname?

You can find it in the Git Roots table in the Scope section.

What is included in the scope of Continuous Hacking, and what is not?

A vulnerability is within the scope of Fluid Attacks' Continuous Hacking when either of these two conditions holds:

  1. Fluid Attacks had access to the repository and branch where the vulnerability is present before the corresponding vulnerable code was written.
  2. Fluid Attacks gained access to the repository and branch where the vulnerability is present after the corresponding vulnerable code was written, and Continuous Hacking was requested.

Any other scenario is outside the scope. Some examples, not necessarily exhaustive, include:

  1. An environment is registered, but its source code is not.
  2. An environment is registered, but it does not correspond to the registered source code.
  3. A vulnerable service is consumed insecurely, and the service is not registered with its source code, but the consumer is.

Does Fluid Attacks test the security of email servers?

Not currently. However, Fluid Attacks has plans to implement comprehensive email server vulnerability analysis using a multilayered approach, as described in the corresponding GitLab issue.

Reattacks

How many hours do I have to wait for a response to a reattack request?

The maximum time you would have to wait would be 16 office hours, according to our service-level agreement.

How do I request a reattack?

You can request a reattack from the Locations and To-do sections. Select the vulnerability to be reevaluated and click the Reattack button. The chosen vulnerability will then show the "Requested" status in the Reattack column for up to 16 office hours. Remember to check the Consulting section for any new comments on the reattack.

How do I know that a requested reattack is in progress?

You must verify that the Reattack column in the Locations section shows the "Requested" status for the vulnerability you wish to be reevaluated. You can also check in the Consulting section whether there are comments on the request.

I am unable to request a reattack; why?

The most common reason is that the repository is not synchronized. See the Scope section to verify there were no errors when cloning the Git roots.

Another reason may be that you are trying to request a reattack for a vulnerability reported by our tool when, in fact, you have not made any new changes to your repository. That is, the last commit analyzed by the tool is the last one from your root. So, if you were to run the reattack, the results would be the same. Therefore, you should first try to remediate the vulnerability in your repository.

If you continue having problems with the reattack request after applying the above, please get in touch with us at help@fluidattacks.com.

Security testing certificates

How do I generate a service certificate?

In the Vulnerabilities section, click the Generate report button and select the Certificate option. This option will not be available, however, if you have not filled out the Business Registration Number and Business Name fields in the Information section. Remember that the roles that can download certificates are User Manager and Vulnerability Manager.

Reports

How do I generate the vulnerability report?

In the Vulnerabilities section, click the Generate report button and select which type of report you want to download, either technical or executive. Remember that you must register your mobile number beforehand to enable the two-factor authentication required to download the report. The roles that can download reports are User Manager and Vulnerability Manager.

What is the difference between executive and technical reports?

The executive report is a summary report in PDF format generally intended for personnel in management roles. This report contains concise and clear information on the vulnerabilities reported in the group. On the other hand, the technical report is an XLSX file where you have all the vulnerabilities reported in the group with their technical details.

Members

What is the difference between members and authors?

Members refer to all users who can access your group to visualize information or manage vulnerabilities, scope and tags, among other things. Authors are all the developers or professionals who contribute to the repositories under evaluation.

Consulting

What is the difference between the two consulting alternatives?

Consulting is one of Fluid Attacks' communication channels with users. You can find it in the Locations and Events sections. Use the one in Locations when you have questions regarding a specific vulnerability, and use the one in Events to ask about the status or details of situations that are preventing security testing from continuing.

Treatments

Why does a vulnerability status still appear as "Vulnerable" when I have permanently accepted it?

When you permanently accept a vulnerability, your organization assumes the risk of not remediating it, but this does not mean the vulnerability no longer exists or that your software is now free of it.

What happens when a temporary acceptance treatment expires?

In such a case, the treatment for the security issue in question is again shown as "Untreated" and the remediation is assigned to the user who requested the temporary acceptance.

Policies

If I apply policies to a group, will they apply to all the roots in that group?

Yes, they will apply to all repositories added to that group.

What is the difference between policy at the organization level and the group level?

Organization policies are those that you establish globally; they are inherited by all groups belonging to the organization. Group-level policies, on the other hand, allow you to set variations on the organization policies for specific groups.

CI Agent

Is Docker the only thing I must install to run the CI Agent on my local machine?

Yes. For more information, please read Install the CI Agent to break the build.

Does Fluid Attacks' CI Agent run locally or on the development infrastructure?

You can run it both ways.

How many arguments can I pass to run Fluid Attacks' CI Agent?

You can pass multiple arguments.

How often is it advisable to do "docker pull" to update the image?

It is up to you to do it weekly or monthly.

In what mode can Fluid Attacks’ agent be run so it doesn't break the build?

In "lax mode," opposite to "strict mode."

Must all team members use the same token to run the CI Agent in a group?

Yes. To acquire the token, go to the DevSecOps agent section in Scope.
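As an added example that is not part of the original page or of Fluid Attacks' own tooling, the following wrapper script ties the answers above together: it refreshes the agent image when the local copy is older than a chosen number of days (the FAQ suggests weekly or monthly), and it runs the agent in either strict mode (break the build) or lax mode (report only). The image name, the command name inside the image, and the --token/--strict/--lax flags are assumptions for illustration; take the real ones from the Install the CI Agent guide. The token is read from the AGENT_TOKEN environment variable, which is the one shared group token from the DevSecOps agent section in Scope.

```shell
#!/bin/sh
# Added example wrapper for the Fluid Attacks CI Agent container.
# ASSUMPTIONS (not from the FAQ): AGENT_IMAGE, the "forces" command and the
# --token/--strict/--lax flags are illustrative placeholders.
set -eu

AGENT_IMAGE="${AGENT_IMAGE:-fluidattacks/forces:new}"   # assumed image name
MAX_IMAGE_AGE_DAYS="${MAX_IMAGE_AGE_DAYS:-7}"           # weekly refresh

# pull_due CREATED_EPOCH NOW_EPOCH MAX_AGE_DAYS
# Prints "yes" when the local image is missing (CREATED_EPOCH=0) or at least
# MAX_AGE_DAYS old, "no" otherwise. Pure arithmetic, so it is testable
# without Docker.
pull_due() {
  created="$1"; now="$2"; max_days="$3"
  if [ "$created" -eq 0 ]; then echo yes; return; fi
  age_days=$(( (now - created) / 86400 ))
  if [ "$age_days" -ge "$max_days" ]; then echo yes; else echo no; fi
}

# agent_mode_flag MODE
# "strict" fails the pipeline when open vulnerabilities are found;
# "lax" only reports them and never breaks the build.
agent_mode_flag() {
  case "$1" in
    strict) echo "--strict" ;;
    lax)    echo "--lax" ;;
    *) echo "unknown mode: $1 (use strict or lax)" >&2; return 1 ;;
  esac
}

# image_created_epoch IMAGE
# Creation time of the locally cached image as epoch seconds, or 0 when the
# image is not present. Uses GNU date for the RFC 3339 timestamp.
image_created_epoch() {
  created=$(docker image inspect --format '{{.Created}}' "$1" 2>/dev/null) || { echo 0; return; }
  ts=$(printf '%s' "$created" | sed 's/\.[0-9]*Z$/Z/')   # drop fractional seconds
  date -u -d "$ts" +%s 2>/dev/null || echo 0
}

main() {
  mode="${1:-strict}"
  token="${AGENT_TOKEN:?set AGENT_TOKEN to the group token from Scope > DevSecOps agent}"
  flag=$(agent_mode_flag "$mode")
  if [ "$(pull_due "$(image_created_epoch "$AGENT_IMAGE")" "$(date -u +%s)" "$MAX_IMAGE_AGE_DAYS")" = yes ]; then
    docker pull "$AGENT_IMAGE"
  fi
  # Mount the checked-out repository so the agent can read it; the exit code
  # of "docker run" becomes the pipeline result in strict mode.
  docker run --rm -v "$(pwd):/src" "$AGENT_IMAGE" forces --token "$token" "$flag"
}

# Run the agent only when explicitly asked, so the helper functions can be
# sourced (e.g. for testing) on a machine without Docker.
if [ "${RUN_AGENT:-0}" = 1 ]; then main "$@"; fi
```

Usage in a pipeline job: `RUN_AGENT=1 AGENT_TOKEN="$AGENT_TOKEN" sh agent.sh strict` for the gate that should fail the build, and `... sh agent.sh lax` for a reporting-only stage. Keep the token in the CI system's secret store rather than in the repository, since every team member runs the agent with the same group token.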

Platform problems

What can I do if I do not see information when I enter the groups?

Please log out of the platform, delete your browser's cache and cookies, log back in, and open the affected groups again.

What can I do if I cannot access the platform?

Try to access the platform from incognito mode or another browser and check if the problem persists. Make sure to visit the status page to check if there is a known outage affecting other users. If it seems to be just you, please email us at help@fluidattacks.com.