See the target of evaluation's status and SBOM

Fluid Attacks' platform allows you to identify the statuses of your group's assets in the Surface section. Notably, within it, there is a Packages section that informs you of the security of third-party components and lets you generate a software bill of materials (SBOM).

Surface provides a comprehensive overview of the target of evaluation (ToE), which refers to a specific part of a system or product being tested for security vulnerabilities. It defines the boundary within which the evaluation is conducted. On Fluid Attacks' platform, the ToE is dynamically generated based on the repositories and environments defined by your team in the Scope section.

The Surface section is further organized into five distinct sections.

Inspect the target of evaluation on the Fluid Attacks platform

The following are, in short, the components of your ToE that each section of Surface provides:

Lines: The code files present in the added Git repositories
Inputs: The environments designated for testing, such as URLs/IPs
Packages: The third-party components on which your software depends
Ports: The ports associated with the IP addresses to test
Languages: The different programming languages utilized within your codebase

Lines

A line ToE represents a file in the source code that is analyzed from active roots registered in Git Roots. These ToEs are automatically created and updated based on cloning results. A new line ToE is generated whenever a new file is added, and it is updated when the file length changes or the file is removed. Further, line ToEs persist even if their associated root is deactivated.

The Lines section on the platform breaks down the root directories and the files within them, representing the part of the ToE that is source code. The latter is evaluated by Fluid Attacks with methodologies such as static application security testing (SAST) and secure code review.

View code files security status on the Fluid Attacks platform

Lines shows a table providing the following information (to show or hide table columns, use the Columns filter):

Root: Name of the code repository that was added in Git Roots
Filename: Path of the file within the code repository
LOC: Total number of LOC (lines of code) in the file
Status: Indicates whether the file is vulnerable or safe
Modified date: The last time the file was modified
Last commit: The most recent commit identified modifying the file
Last author: The last author who modified the file
Seen at: The date the file was added to the ToE
Sorts Priority Factor: A column shown to Fluid Attacks staff only, it shows the probability of a file containing vulnerabilities on the basis of a machine learning model
Be present: Confirms if the file exists in the repository

Several filters are available in the Lines section to help you find information quickly. Access these filters by clicking on the Filters button.

Filter lines table on the Fluid Attacks platform

Next to the button you can see the specific filters that have been applied, if any. To clear filters, simply click on the X button next to them.

Clear filters in Lines section on the Fluid Attacks platform

Another way to clear filters is by clicking on Cancel in the right-side bar where you pick the filters.

Inputs

An input ToE represents any accessible resource from an analyzed environment. It has a component (URI) and one entry point (access identifier or hint) to describe a target of evaluation. Input ToEs must be added or modified manually by Fluid Attacks' security analysts but are removed automatically if they are associated with inactive roots and no vulnerabilities are linked to the ToE.

The Inputs section on the platform displays the environments specified in the Scope section along with the application's entry points that are under evaluation with techniques such as dynamic application security testing (DAST) and, exclusively for the Advanced plan, penetration testing as a service (PTaaS).

View inputs security status on the Fluid Attacks platform

The Inputs section shows a table providing the following information (to show or hide table columns, use the Columns filter):

Root: Name of the code repository to which the environment is associated, as specified in the Scope section
Component: The URLs/IPs associated with the environment
Entry point: Specific input field within the component
Status: Indicates whether the component is vulnerable or safe
Seen at: The date the component was added
Be present: Confirms if the file or document exists in the repository

Various filter options are available in the Inputs section. Click on the Filters button to access these options. (Read the instructions to clear filters above on this page.)

Filter inputs table on the Fluid Attacks platform

Packages

A package ToE represents a third-party component on which the application depends. The Packages section of Surface allows you to pinpoint your usage of these components within your software and identify those with reachable security weaknesses. Detailed information about this section is available in Analyze your supply chain security.

Ports

A port ToE represents a valid port (0-65595) where the application is ready to be tested. It has an IP root and the port. IP roots and port TOEs manually are added or modified manually and are currently not removed.

The Ports section of Surface displays the ports associated with your IP address. This section will only contain content if your group's Service is classified as Black (meaning that only black-box testing is performed).

View ports security status on the Fluid Attacks platform

The Ports section shows a table providing the following information (to show or hide table columns, use the Columns filter):

Root: The nickname your organization has given the IP root added in the Scope section
Address: The IP address
Port: The port that is under evaluation
Status: Indicates whether the port is safe or vulnerable
Seen at: The date the port was added
Be present: Confirms if the IP address is present

Several filters are available in the Ports section. Access these filters by clicking on the Filters button.

Filter ports table on the Fluid Attacks platform

Languages

This section of Surface shows the programming languages used in your repositories added in Scope. To know which languages are supported by Fluid Attacks' vulnerability scanning, read the page Supported languages, frameworks and files in SAST. Bear in mind that Advanced plan users benefit from greater programming language support, as the hacking team covers languages that the scanner does not support.

Know languages used in source code on the Fluid Attacks platform

The Languages section shows a table providing the following information:

Language: The specific programming language detected in your source code
Lines of code: Total lines of code written in the language in question
Percentage: The percentage of usage of the language throughout the project

Export to CSV

The Lines, Inputs and Ports sections have an Export button that allows you to download the information in the section in comma-separated values (CSV) format.

Export SBOM

Application security extends beyond proprietary code, as your development project's security depends on that of your software supply chains.

Fluid Attacks' platform offers a Packages section within Surface, where you can keep track of your software's dependencies, specially, their security status. Further, you can download a software bill of materials (SBOM). This document, available in the CycloneDX and SPDX formats, provides you with a useful, standardized inventory. In Packages, click on Export SBOM and follow the prompts. For details, read Analyze your supply chain security.

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

See the target of evaluation's status and SBOM | Fluid Attacks Help