Organization-level sections
Once you log in to the platform, you are at this level, which collects and presents information related to all the groups or projects your company has with Fluid Attacks.
You can switch between the sections at this level from anywhere in the platform by using the collapsible menu. Here is what the menu looks like to User Managers (access to sections and functions in the platform is managed through roles):
Groups
Your company may have several applications or software products and want to keep track of their security assessments and risk exposure separately. This is why you can create a group in the platform for each of them. In the Groups section, you find the list of your groups and several bits of information about each of them, as well as the total amounts of covered and missed contributing authors and repositories across the organization's groups.
Analytics
In the Analytics section at the organization level, you can view various charts, tables and figures with valuable information on security testing results, vulnerability management strategies, and progress in reducing risk exposure in your organization (i.e., including data from all its groups), among other things. Here are some examples of the information available:
Portfolios
Portfolios are sets of groups that you can create to establish and observe comparisons of some of the data displayed in their respective Analytics sections. In the Portfolios section, you will find the list of portfolios created by your organization.
Members
Role required: Vulnerability Manager or User Manager.
The Members section at the organization level is where you can view or manage the members of the organization. These are platform users who, according to their role, may have permission to view organization-level sections or to access the organization's groups and perform further management functions.
Policies
Fluid Attacks allows you to view or establish policies around accepting security vulnerabilities, preventing deployment into production when vulnerabilities are present, and prioritizing vulnerabilities for remediation. Those defined in the Policies section are inherited by all the groups in your organization, although group-specific policies may be established in the Scope section.
Mailmap
Role required: User Manager
Since contributing developers may create commits using different email addresses, it is useful to consolidate contributor information. The Mailmap section allows you to view single contributors and all their associated user names and email addresses.
Billing
Role required: User Manager
In the Billing section, you find the number of monthly active authors in each group (which helps calculate the cost of Continuous Hacking) and the saved payment methods.
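The Mailmap and Billing sections above both rest on one operation: map every commit author identity to a single canonical contributor and then count how many distinct contributors were active in each month. The following Python example, added here and not Fluid Attacks' own code, does that with git's `.mailmap` file format (the four line forms git accepts) over a constructed commit list; the mailmap entries and commits are constructed sample data, and, as a simplification, an author is identified by canonical email after mapping.

```python
"""Consolidate commit author identities with a git-style .mailmap and count
monthly active authors.

Added illustration, not Fluid Attacks' platform code.  The .mailmap line
forms are git's; the MAILMAP text and COMMITS records are constructed."""
import re
from collections import defaultdict

# Constructed .mailmap, one example of each form git accepts:
#   Proper Name <commit@email>                            -> fix the name for that email
#   <proper@email> <commit@email>                         -> map the email only
#   Proper Name <proper@email> <commit@email>             -> map name and email by email
#   Proper Name <proper@email> Commit Name <commit@email> -> match on name AND email
MAILMAP = """\
# constructed example
Jane Doe <jane@example.com>
<jane@example.com> <jdoe@laptop.local>
Ana Ruiz <ana@example.com> <ana.ruiz@contractor.example>
Ana Ruiz <ana@example.com> Ana R <ana@gmail.example>
"""

# Constructed commit records: (ISO date, author name, author email)
COMMITS = [
    ("2024-03-02", "Jane Doe", "jane@example.com"),
    ("2024-03-05", "jane doe", "Jane@Example.com"),
    ("2024-03-09", "J. Doe", "jdoe@laptop.local"),
    ("2024-03-11", "Ana R", "ana@gmail.example"),
    ("2024-03-20", "Ana Ruiz", "ana.ruiz@contractor.example"),
    ("2024-04-01", "Ana Ruiz", "ana@example.com"),
    ("2024-04-03", "Bob Lee", "bob@example.com"),
    ("2024-04-15", "Ana R", "other@example.com"),  # name matches form 4, email does not
]

_ENTRY = re.compile(
    r"^(?P<pname>[^<]*)<(?P<pmail>[^>]+)>(?:(?P<cname>[^<]*)<(?P<cmail>[^>]+)>)?\s*$"
)


def parse_mailmap(text):
    """Return (by_email, by_name_email) lookup tables from .mailmap text.

    by_email:      commit email -> (proper name or None, proper email or None)
    by_name_email: (commit name, commit email) -> (proper name, proper email)
    Emails and names are compared case-insensitively, as git does."""
    by_email, by_name_email = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"malformed mailmap line: {raw!r}")
        pname = m.group("pname").strip() or None
        pmail = m.group("pmail").strip().lower()
        cname = (m.group("cname") or "").strip() or None
        cmail = m.group("cmail")
        if cmail is None:
            by_email[pmail] = (pname, None)           # form 1: name fix only
        elif cname is None:
            by_email[cmail.strip().lower()] = (pname, pmail)   # forms 2 and 3
        else:
            by_name_email[(cname.lower(), cmail.strip().lower())] = (pname, pmail)  # form 4
    return by_email, by_name_email


def canonicalize(name, email, maps):
    """Map one commit author to its canonical (name, email)."""
    by_email, by_name_email = maps
    key_mail = email.strip().lower()
    hit = by_name_email.get((name.strip().lower(), key_mail)) or by_email.get(key_mail)
    if hit is None:
        return name.strip(), key_mail
    pname, pmail = hit
    return (pname or name.strip(), pmail or key_mail)


def monthly_active_authors(commits, maps=None):
    """Return {YYYY-MM: sorted canonical author emails}; without maps, raw emails are used."""
    active = defaultdict(set)
    for day, name, email in commits:
        month = day[:7]
        if maps is None:
            active[month].add(email.strip().lower())
        else:
            active[month].add(canonicalize(name, email, maps)[1])
    return {m: sorted(v) for m, v in sorted(active.items())}


if __name__ == "__main__":
    maps = parse_mailmap(MAILMAP)
    for month, authors in monthly_active_authors(COMMITS, maps).items():
        print(month, len(authors), authors)
```

Run as written it shows March 2024 with two active authors after consolidation, where the raw emails would have counted four; the April commit from `other@example.com` stays a separate author because form 4 entries require both name and email to match.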
Outside
Fluid Attacks recommends you use Open Authorization (OAuth) to import the repositories to be tested. This entails connecting Fluid Attacks' platform to your account on a code repository hosting provider (such as GitLab) to retrieve the repositories there without sharing credentials with Fluid Attacks. The Outside section shows the repositories that were not selected for import into one of your groups during that process. Therefore, those repositories are not yet within the scope of Fluid Attacks' security testing. In this section, you may add them to groups.
Credentials
In the Credentials section, if you have the User Manager role, you can authorize Fluid Attacks to retrieve your repositories on Azure, Bitbucket, GitHub or GitLab through OAuth. Such authorization is saved in the platform as credentials that can later be associated with other assets they give access to so that those can be tested. Actual credentials, such as username and password pairs, can also be added in this section. Fluid Attacks uses OAuth and credentials securely to access the target of evaluation (ToE).
Compliance
The Compliance section shows details of your organization's compliance with several international standards which are the basis for the security requirements that Fluid Attacks tests in your systems. Among the useful information provided here are how well your organization is doing with particular standards in comparison to other organizations and how many days it will take your organization to achieve compliance with all standards.
Logs
The Logs section shows the HTTP, network, and session logs related to access to your organization's assets when it has enabled zero trust network access (ZTNA).
Integrations
Group-level sections
Click on the name of a group in the Groups section to enter its dedicated space. You can change between sections using the tabs under the group's name. Here is what the group-level sections menu looks like to User Managers (access to group sections and functions in the platform is managed through roles).
Vulnerabilities
The Vulnerabilities section on the platform is where you can access detailed information on all the confirmed security vulnerabilities found in your group, including the recommendations for remediating them.
When you click on a reported type of vulnerability, you are presented with sections dedicated to it. The main features of these sections are summarized below on this page.
Locations
In the Locations section, you see the list of specific locations (i.e., file paths and specific inputs/lines of code/ports) where Fluid Attacks found the type of vulnerability you are exploring. Useful functions in this section include the options to define the treatment for the vulnerability (e.g., assign fix work to yourself or someone in your team) and request a reattack (i.e., a retest to verify whether the vulnerability was successfully remediated).
To learn more about a vulnerability or use generative artificial intelligence (gen AI) to get a custom guide to remediate the vulnerability (when applicable), click on its entry in the Location column. This causes a pop-up window to appear. The following screenshot is of this window for an instance of a reported remote code execution vulnerability.
Each tab in the pop-up window provides you with useful information:
- Details: Description and current treatment, among other information
- Severity: Breakdown of the assigned severity score using the Common Vulnerability Scoring System (CVSS) v3.1 and v4.0
- Code: The actual line(s) of code presenting the vulnerability and lines that surround it/them
- Treatments: The current treatment and assigned tags with the option to change them
- Tracking: The treatment and reattack history
- How to fix: The AI-generated custom guide to remediate the vulnerability
Description
In the Description section you can learn the definition of the type of vulnerability along with the security requirements that may have been violated, the impacts expected of vulnerability exploitation, the characteristics of the threat actor that may exploit it, and recommended actions to fix the code.
Severity
In the Severity section, you find the values in the CVSS Exploitability and Impact metrics calculated for the type of vulnerability.
Evidence
The Evidence section provides supporting evidence of the existence and exploitability of the specific type of vulnerability reported. The evidence can come in the form of images or videos.
Tracking
The detailed treatment history of the type of vulnerability is provided in the Tracking section, along with information on the number of vulnerabilities reported and remediated.
Records
In the Records section you find a table with sensitive information obtained by Fluid Attacks' hacking team after exploiting the vulnerability in your system. The data may be financial information (e.g., account numbers), personal information (e.g., phone numbers), and technical information (e.g., access tokens).
Consulting
The Consulting section is a forum-like section to communicate with Fluid Attacks about the reported vulnerabilities or to find out the outcome of reattacks.
Note: Consulting for vulnerabilities is available for users with the Essential plan in view mode.
Supply chain
The Supply chain section helps you keep track of the third-party dependencies in your software. In this section, you can find out which dependencies might mean trouble and where you are using them, enabling you to analyze and make informed decisions about their use.
Analytics (group-level)
Within the group-level Analytics section, you discover graphs and figures on the status and characteristics of reported vulnerabilities and your remediation practices related to that specific group. Among the group-specific analytics are those related to the status and executions of Fluid Attacks' CI agent.
DevSecOps
Fluid Attacks offers its CI agent that you can install in your CI pipelines to break the build when attempting to deploy software versions with vulnerabilities into production. Breaking the build, when enabled, follows the policies set by your organization. The DevSecOps section shows the details and results of recent CI agent executions.
You can select an execution to see the vulnerabilities detected in it or see the agent log. This is shown in a pop-up window with tabs corresponding to the two mentioned options.
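The Policies section states that organization-level policies are inherited by all groups unless a group overrides them in Scope, and the DevSecOps section states that breaking the build follows those policies. The following Python example, added here and not Fluid Attacks' agent or platform code, models that combination: a group policy inherits every value it leaves unset, and the merged policy decides which open findings fail a pipeline. The field names (`min_severity_to_break_build`, `max_acceptance_days`, `break_on_accepted`) and the finding records are constructed assumptions for illustration, not the platform's own policy names.

```python
"""Policy inheritance (organization -> group) and a break-the-build decision.

Added illustration, not Fluid Attacks' code.  Policy field names, values and
the findings below are constructed assumptions used only to show the behaviour
described in the documentation."""
from dataclasses import dataclass, fields
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    # None means "not set at this level": the value is inherited from the organization.
    min_severity_to_break_build: Optional[float] = None  # CVSS score at/above which the build fails
    max_acceptance_days: Optional[int] = None            # longest allowed temporary acceptance
    break_on_accepted: Optional[bool] = None             # do accepted vulnerabilities still fail the build?


# Constructed organization-wide defaults and one group override (only one field set).
ORG_POLICY = Policy(min_severity_to_break_build=7.0, max_acceptance_days=60, break_on_accepted=False)
GROUP_POLICY = Policy(min_severity_to_break_build=4.0)


def effective_policy(org: Policy, group: Policy) -> Policy:
    """Group values win where set; every unset field is inherited from the organization."""
    merged = {}
    for f in fields(Policy):
        group_value = getattr(group, f.name)
        merged[f.name] = getattr(org, f.name) if group_value is None else group_value
    if any(v is None for v in merged.values()):
        raise ValueError("organization policy must set every field")
    return Policy(**merged)


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float                       # CVSS base score
    status: str                           # "open" or "closed"
    accepted_until: Optional[date] = None  # expiry of a temporary acceptance, if any


# Constructed findings as a CI agent might receive them for a group.
FINDINGS = [
    Finding("F-1", 9.8, "open"),
    Finding("F-2", 5.5, "open", accepted_until=date(2024, 6, 30)),
    Finding("F-3", 6.1, "open", accepted_until=date(2024, 5, 1)),
    Finding("F-4", 3.1, "open"),
    Finding("F-5", 8.0, "closed"),
]


def acceptance_allowed(today: date, requested_until: date, policy: Policy) -> bool:
    """A temporary acceptance may not run longer than the policy's maximum."""
    return 0 < (requested_until - today).days <= policy.max_acceptance_days


def should_break_build(findings: List[Finding], policy: Policy, today: date) -> Tuple[bool, List[str]]:
    """Return (break?, reasons); a reason is recorded per finding that violates the policy."""
    reasons = []
    for f in findings:
        if f.status != "open" or f.severity < policy.min_severity_to_break_build:
            continue
        if f.accepted_until is not None:
            if f.accepted_until < today:
                reasons.append(f"{f.id}: temporary acceptance expired on {f.accepted_until}")
            elif policy.break_on_accepted:
                reasons.append(f"{f.id}: accepted, but policy does not exempt accepted vulnerabilities")
            continue
        reasons.append(f"{f.id}: open with severity {f.severity} >= {policy.min_severity_to_break_build}")
    return bool(reasons), reasons


if __name__ == "__main__":
    policy = effective_policy(ORG_POLICY, GROUP_POLICY)
    broken, why = should_break_build(FINDINGS, policy, date(2024, 6, 1))
    print("break build:", broken)
    for line in why:
        print(" -", line)
```

With the group override the threshold drops from 7.0 to 4.0, so F-3 (severity 6.1, acceptance expired) fails the build alongside F-1, while F-2 stays exempt until its acceptance lapses; under the organization defaults alone only F-1 would fail it.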
Events
Fluid Attacks uses the term "event" for a situation that prevents testing of part of the target of evaluation (ToE) or all of it. Further, Fluid Attacks categorizes events into several types; for example, "credentials issues" refers to cases where the information given for authentication is invalid. In the Events section, you can view the events that Fluid Attacks reports to you for your prompt action. Each reported event has sections dedicated to it, as shown in the following screenshot. The main features of these sections are summarized below on this page.
- Description: What the situation is, what part of the ToE it refers to, and whether it prevents reattacks
- Evidence: Images or videos that provide proof of the event
- Consulting: Forum-like space to discuss the event
Members (group-level)
Role required: Vulnerability Manager or User Manager
In the Members section at the group level, according to your role on the platform, you can either only view or fully manage who has access to the group and what permissions they have to use platform functions.
Authors
By "authors" Fluid Attacks refers to the developers contributing to the code repository each month. The Authors section gives you a list of such users and informs you whether they have registered on Fluid Attacks' platform. If you have the User Manager role, you can invite authors not yet on the platform to register.
Surface
The Surface section gives information about the Target of Evaluation (ToE) specified in the Scope section regarding its existing lines of code, inputs, ports, and the languages used, with each category having its own subsection.
Scope
In the Scope section you mainly define Fluid Attacks' Target of Evaluation (ToE). The following information is entered in this section to facilitate, or in some cases enable, security testing with Fluid Attacks' Continuous Hacking:
- Roots: Git repositories where you version the application’s source code
- Environments: URLs where applications are deployed
- Files: Any documents (e.g., software documentation) that could help understand or use the system under evaluation
- Portfolio: Keywords to build portfolios, thus getting information and analytics for groups that share the tag
- Information: General information about your company, useful, for example, for generating complete security testing certificates
- Policies: Group-specific policies on vulnerability acceptance and breaking the build
- Group Settings: Specific configuration options for the group, i.e., group context, group disambiguation, DevSecOps agent token management, function for the user to unsubscribe from the group, and function to delete the group
The top part of Fluid Attacks' platform, like the collapsible menu, is always visible as you navigate the application. Its functions include providing you access to your tasks and user information and settings.
This drop-down menu allows you to change between your organizations on Fluid Attacks' platform, in case you have more than one.
Group search box
You can use the search box in the platform's header to type the name of a group within the organization and be directed to it upon pressing Enter.
To do
This item in the platform header takes you, upon click, to the To do section, which has a table showing general information about the vulnerabilities that you are responsible for remediating.
News
Clicking on this item opens a pop-up window that shows the headlines of Fluid Attacks' posts on new functions of the platform, enhancements to Fluid Attacks' scanners, and more. These preview texts link to the corresponding complete posts at Fluid Attacks' News page. The pop-up window also presents you with the options to subscribe to Fluid Attacks' News and request a new feature.
The option furthest to the right on the platform header is your user menu, which you can open by clicking on your name. Apart from your role, email, and phone number, the menu shows your individual user options.
API token
This option allows you to manage the API token used for retrieving or modifying data and triggering actions to build custom integrations.
Notifications
Clicking on this option directs you to the Notifications section, which displays and allows you to manage your preferences on the emails that you receive from Fluid Attacks informing you of activity such as newly reported vulnerabilities, reported events that impede testing, and more.
Trusted devices
The platform login process allows you to opt for trusting the device you are using so that you are not asked for a one-time password while using that device in the following 180 days. By clicking on the Trusted devices option in your user menu, you are directed to the section where you can see a list of the devices and information such as the date of the most recent login.
Mobile
Ethics Hotline
It is important for Fluid Attacks to allow reporting (anonymous or otherwise) of matters that concern ethics. Clicking on the Ethics Hotline option of the user menu directs you to an equally safe web application where you can report complaints on your own behalf or on behalf of others. You can also use this option to send suggestions, questions or even thank-you messages.
Delete account
This option within the user menu allows you to safely delete your account, meaning that your information is completely erased with no option of anyone retrieving it.
Log out
This option within the user menu is pretty self-explanatory. Click it and, after confirmation, you are logged out of the platform.
Platform version
At the bottom of the user menu, you can see the commit hash ID (a commit's unique identifier) that corresponds to the Fluid Attacks platform's latest update, along with the update deployment date and time. You can click on the commit hash to open it on GitLab, where you can see the specific lines of code that were changed, the developer who made the change, what was removed and added, and in which file.
Help options
Fluid Attacks has options that you can use when you need help regarding its AppSec solution, Continuous Hacking, or when you need guidance on remediating vulnerabilities or using the platform. To access these options on the platform, click on Help, located at the bottom of the collapsible menu. This makes a bar appear on the right side of the screen.
These are the help options offered by Fluid Attacks within the menu:
- Talk to a hacker: Use this Advanced-plan-exclusive feature to have a videoconference with one member of Fluid Attacks' hacking team about complex reported vulnerabilities and how to remediate them. (You can view and use this option only while you are inside a group that is subscribed to the Advanced plan.)
- Live chat: Use this option to send Fluid Attacks questions about any feature of the platform and its use that you have not found the answer to in the Help Center.
- Learn how to use: Click on this option to find a link to Fluid Attacks' certification tailored to your role, which you can achieve in about one hour, or to schedule a live demo.
- Help Center: This should be your go-to option for any doubt you have. If Fluid Attacks' documentation does not help you, you can consider the other help options.
- Contact support: You can click on this option to send an email to Fluid Attacks.