Introduction

The Fluid Attacks platform offers comprehensive features for managing all your applications and the vulnerabilities detected in them. To access the platform, click here.

Requirements

Below, you will find a series of requirements that you need to consider.

Browser compatibility

We support the following web browsers, as well as any browser that is compatible with the ECMAScript 2019 standard.

Browser       Versions
Firefox       60, 68, 78, 81, 82, 83, 88, 89, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105
Chrome        71, 75, 80, 81, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 98, 99, 100, 101, 102, 103, 104, 105, 106
Edge          84, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105
Safari        12.1, 13.1, 14, 14.1, 15, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 16
Opera         78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90
Chrome iOS    90, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 105

Login authentication

To authenticate in the platform, you need a valid user in at least one of these providers:

  • Google
  • Azure
  • Bitbucket

For added security, we do not manage users, credentials or MFA (multi-factor authentication) ourselves: authentication is delegated to the identity provider you log in with, so your organization's own policies on passwords and MFA apply.

Platform sections

Below, you will find a concise overview of all the sections that constitute our platform. Each section features links that will take you to their main page. We invite you to explore these links to understand each section better.

Organizations

All customer data is consolidated in this section of the platform. Each organization has its own isolated data store that only members of that organization can access.

In this section, you will find the following subsections (see the right-hand menu):

Analytics

Within the Analytics section, you can view tables and different types of graphs, which offer valuable information about how your software is performing in detecting and resolving identified vulnerabilities.

Information presented, among others, includes the following:

Groups

You might have multiple applications within your organization, and you will likely want to keep their respective vulnerabilities separate.

You can create as many groups as needed. You have the option of having one group for each application or several groups for a single application; the choice is yours.

Within the "Groups" section, you will discover:

Vulnerabilities

The "Vulnerabilities" section is one of the primary sections of the platform: here you can access all the confirmed security issues found in your application.

This section is divided as follows:

Locations

In this section, you will see the list of vulnerabilities, each with its specific location. You can also perform actions such as requesting a reattack, changing the treatment and assigning a vulnerability to a specific coworker, among others.

We invite you to enter here if you want to discover more about this section.

Description

The "Description" tab offers technical insights about the vulnerability type: its nature, the security requirements it violates, the potential risks and the recommended remediation. For a deeper understanding, follow the provided link.

Severity

In the Severity section, you will find information about the severity level of the vulnerability. This metric is determined using the Common Vulnerability Scoring System (CVSS) version 3.1, which yields a score from 0.0 to 10.0 that maps to the qualitative ratings None, Low, Medium, High and Critical.

Evidence

This section provides supporting evidence regarding the existence and exploitation of the specific type of vulnerability reported. The evidence can come in the form of images or videos. For more information, please click here.

Tracking

The Tracking tab provides the detailed history of each vulnerability, so you can follow the whole process it has gone through.

Records

In the Records tab, you will find a table with the data our ethical hackers obtained by exploiting the vulnerability in your system. This may include sensitive information relevant to your organization. For more details, click here.

Consulting in the vulnerability

Consulting should be used to communicate with us when a problem is related to any of the reported vulnerabilities or to validate the executed reattacks.

Note: Consulting in the vulnerability view is available to users on the Machine plan in view mode.

Group analytics

Within Group-level analytics, you'll discover graphs, tables, and metrics tailored to your specific group.

DevSecOps

The Fluid Attacks platform includes an agent that, when placed in your CI pipelines, can break the build when open vulnerabilities are found. This section shows the results of recent executions, including the following:

  • Execution date
  • Execution status (secure or vulnerable)
  • Checked vulnerabilities
  • Strictness (Tolerant/Strict)
  • Type (SAST/DAST)

Events

In this section, you can view the events our analysts open when they cannot access the inputs they need to continue testing. Events can be opened for various reasons; to learn more about these, click here.

Consulting

In this section you will find a field where you can add comments, questions or doubts you may have about the group in general.

Note: This section is available only in the Squad plan.

Group members

Here you control access to the group: who has access and what they can do. When you give a user access to the group, you choose one of three roles for them; see the Roles section for details.

Authors

The Authors section lists the Git users who have committed code to the repositories under test.

Surface

The Surface tab gives more information about the Target of Evaluation (ToE), which is made up of the repositories, environments and languages defined under Roots in the Scope section.

Scope

You need to define the surface that the Fluid Attacks team will check. The following information is required to enable the testing service:

  • Roots: Git repositories where you version the application’s source code.
  • Environments: URLs where applications are deployed.
  • Files: Any information that could help the service.
  • Tags: Keywords to build portfolios and get information and analytics for groups that share the tag.
  • Services: Active services for the group.
  • Deletion: Function to safely delete all group data.

To learn more about the Scope section, enter here.

Portfolios

The Analytics subsection shows data for all your groups. If you want analytics for only a subset of them, go to the Portfolios subsection, which uses the same charts and indicators.

Please check the tags in Scope for more information.

Organization members

Users listed here have access to your organization, but this does not by itself grant access to any group or its vulnerabilities; it grants access only to organization-level analytics and policies.

Explore more of this section by clicking on this link.

Policies

You can use vulnerability treatments to plan remediation. To control their correct use, you can define policies that apply to all groups in your organization. To explore this section further, click here.

Outside

This section lists repositories that are not yet associated with any group on the platform; they are discovered using the credentials available in the Credentials tab. To learn more about this section, enter here.

Credentials

In this section, you can create, edit and delete credentials at the organization level and use them in all the groups that make up the organization. These credentials give us access to the ToE. Since they are shared by every group in the organization, prefer read-only credentials with the minimum scope needed to clone the repositories.

Compliance

The Compliance section shows how your organization, and each of its groups, complies with the standards that Fluid Attacks validates against.

Platform Update

The date of the platform's latest deployment, whether for new features or improvements to existing ones, is not information we keep from our clients. You can see it by clicking the icon with the letter i in the platform's top-right menu.

Commit Hash Id

Upon clicking, you will see the commit hash ID (a commit's unique identifier) of the update, and below it the deployment date and time. Click the commit hash to see on GitLab exactly which lines of code changed, in which files, what was added and removed, and which developer made the change.

Free trial

Search for vulnerabilities in your apps for free with our automated security testing. Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, contact us about our Continuous Hacking Squad Plan.