Scope | Fluid Attacks Help

Scope

The scope establishes the boundaries of what is included in security testing. This is particularly important for maintaining a clear service-level agreement (SLA). In the context of Continuous Hacking, the scope is determined mainly by four criteria:
  1. Parity: The active repositories and matching environments registered on Fluid Attacks' platform (read more details in Continuous Hacking methodology).
  2. Health Check: Whether or not it is requested that Fluid Attacks' pentesters analyze the development prior to the start of Continuous Hacking.
  3. Supported technologies: Whether or not Fluid Attacks supports the technologies used in the development.
  4. Ownership: Whether or not Fluid Attacks has the consent of the application's owner to analyze their application.
Bear in mind that, for Fluid Attacks' accuracy SLA to apply, several other criteria must be met.

Parity

The following environment and code parity analysis serves to define Fluid Attacks' scope and, therefore, what potentially constitutes a false negative (FN) and what is considered added value.
Parity in and out of scope scenarios by Fluid Attacks

Examples

Below are illustrative (though simplified) examples demonstrating how to identify each scenario.

A. Complete Match

You have written a small Python script, calculator.py, that contains exactly five functions (add, subtract, multiply, divide, and modulo). Inspecting the environment you provided (say, a dedicated microservice container) the following is found:
  1. Only those five functions exist in the environment.
  2. There are no additional scripts, libraries, or utilities included.
Since the environment exactly mirrors your code (no more, no less), this is a Complete Match.

B. Fully Contained

Your calculator.py with five functions is deployed on a large ML platform environment that also includes data manipulation libraries, unrelated scripts, and logging frameworks. The following can be said about the environment:
  1. It does contain your entire calculator.py.
  2. It also has multiple other scripts and libraries not related to your code.
As the entire code is there, but the environment also has "extras," this is a Fully Contained scenario.

C. Partial Match

In the environment you provided, only the add and subtract functions from your calculator.py are present. The other three (multiply, divide, and modulo) are missing. The following can be said about your environment:
  1. Part of the code is included.
  2. It does not contain all five functions.
Because only some of the functions appear, this is a Partial Match.

D. Complete Mismatch

The provided environment is purely a text-processing service. It shares no common functions, structure, or code segments with your calculator.py.

Since none of your code's functionality is present, this is a Complete Mismatch.

E. No Environment

You provide only your calculator.py code; there is no container, no platform, no hosted environment, and therefore no context in which it is deployed.

Since no environment at all is provided, this is a No Environment scenario.
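As an added illustration (not code from the original page or from Fluid Attacks), the classifier below maps the five parity scenarios above to set relations between the functions in your code and the functions found in the environment. The calculator function names and the environment contents are constructed from the examples in this section.

```python
from enum import Enum


class Parity(Enum):
    """The five parity scenarios described on this page."""
    COMPLETE_MATCH = "Complete Match"
    FULLY_CONTAINED = "Fully Contained"
    PARTIAL_MATCH = "Partial Match"
    COMPLETE_MISMATCH = "Complete Mismatch"
    NO_ENVIRONMENT = "No Environment"


def classify_parity(code_functions, environment_functions):
    """Classify parity between a code base and a deployed environment.

    code_functions: iterable of function names present in the repository.
    environment_functions: iterable of function names found in the
        environment, or None when no environment was provided at all.
    """
    code = frozenset(code_functions)
    if environment_functions is None:
        return Parity.NO_ENVIRONMENT          # scenario E: nothing deployed
    env = frozenset(environment_functions)
    if env == code:
        return Parity.COMPLETE_MATCH          # scenario A: exact mirror
    if code <= env:
        return Parity.FULLY_CONTAINED         # scenario B: all code plus extras
    if code & env:
        return Parity.PARTIAL_MATCH           # scenario C: some code present
    return Parity.COMPLETE_MISMATCH           # scenario D: nothing in common


def missing_from_environment(code_functions, environment_functions):
    """Code functions that were never deployed; useful when triaging whether a
    reported finding in the environment can be a false negative at all."""
    env = frozenset(environment_functions or ())
    return sorted(frozenset(code_functions) - env)


# Constructed sample inputs based on the calculator.py examples above.
CALCULATOR = {"add", "subtract", "multiply", "divide", "modulo"}
ML_PLATFORM = CALCULATOR | {"load_dataset", "train_model", "log_event"}
PARTIAL_DEPLOY = {"add", "subtract", "tokenize"}
TEXT_SERVICE = {"tokenize", "stem", "count_words"}

if __name__ == "__main__":
    for name, env in [("A", CALCULATOR), ("B", ML_PLATFORM), ("C", PARTIAL_DEPLOY),
                      ("D", TEXT_SERVICE), ("E", None)]:
        print(name, classify_parity(CALCULATOR, env).value,
              "missing:", missing_from_environment(CALCULATOR, env))
```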

Health Check

Health Check involves performing SCR, PTaaS, and RE on code written prior to acquiring the Continuous Hacking Advanced plan. Choosing whether or not to conduct a Health Check is a risk-based decision for the organization. The absence of a Health Check could leave the organization unaware of existing vulnerabilities. If it is not performed on all the repositories of the group, the accuracy SLA does not apply.

The following analysis, combining parity and Health Check, serves to define Fluid Attacks' scope more accurately than when only parity is taken into account (i.e., the analysis above), and therefore what potentially constitutes a false negative (FN) and what is considered added value.

Health Check performed

Health Check in and out of scope scenarios by Fluid Attacks
To identify the scenarios, it suffices to take those described for parity analysis and add the presence of Health Check, i.e., all the code developed before your subscription to the Advanced plan was analyzed by Fluid Attacks' pentesters.

Health Check not performed

No Health Check in and out of scope scenarios by Fluid Attacks

To identify the scenarios, again, take those described for parity analysis, but in each of them Health Check was not performed, i.e., the code developed before your subscription to the Advanced plan was not analyzed by Fluid Attacks' pentesters.

Supported technologies

The scope of Continuous Hacking is limited to the technologies officially supported by Fluid Attacks. Accordingly, any vulnerability found in an unsupported stack by anyone other than Fluid Attacks does not constitute a false negative. See the current supported technologies in the Support information page.

Ownership

Fluid Attacks does not analyze applications without explicit authorization from the application's owner. Accordingly, a vulnerability found in software that Fluid Attacks has no consent to test (e.g., third-party software) does not constitute a false negative.