Safety Detectives’ Aviva Zacks had the opportunity to interview Mauricio Gomez, Chairman and Co-Founder of Fluid Attacks. She asked him about his company’s unique tagline, “We hack your software”.
Safety Detectives: Tell me about Fluid Attacks.
Mauricio Gomez: Fluid Attacks is an IT security company that performs security testing, pentesting, and ethical hacking. In the cybersecurity space, red teams attack, and blue teams defend. Fluid Attacks is a red team. We attack 24/7 in order to find vulnerabilities and report back to our clients as soon as possible.
SD: Can you tell me about Fluid Attacks’ tagline “We hack your software”?
MG: We perform security testing before the company deploys its software into production. The customer is not able to fix most vulnerabilities when almost all software has already been developed. For example, if we report a hundred vulnerabilities, the customer can remediate only four of them. It’s too late for repairs when the security design, the technology, and the setup are done.
So, for this reason, despite Fluid Attacks being a red team, we never make ourselves the solution. We start working together with the software developer team. This way, when the developer makes a commitment to the repositories, we attack, understand this change, and analyze. We perform security testing and review every single commitment in order to notify and provide feedback to the developer to fix the vulnerability. We also use the technology to break the build if the customer performs software development using CI/CD.
Our role is to provide feedback promptly so that remediation occurs as soon as possible. This is our journey 24/7.
SD: What kinds of companies would use your services?
MG: Our main customers are financial services, banking, healthcare, utilities, telecommunication companies, retail, fintech, and startups.
SD: What do you think are the worst cyberthreats today?
MG: Technology is dynamic. We are moving all the time. Anyone can make a mistake, including misconfiguration when performing software development. So, from my perspective, vulnerabilities, threats, fraud, and scams come from anywhere, any time.
When Fluid Attacks finds a vulnerability, it provides all the details, the customer tries to fix it, and after that, Fluid Attacks re-attacks in order to verify the status of the vulnerability. There are four possible outcomes:
- The vulnerability is closed.
- The vulnerability is already closed, but a new one was injected.
- The vulnerability is still open, and you injected a new vulnerability.
- The vulnerability is still open.
So, for these reasons, we need to establish a dynamic: the red team attacks and the blue team defends all the time in order to perform an unlimited cycle of security testing.
The most important thing here is to review and repair mainly the source code. This is because, worldwide, developers are responsible for injecting 85% of all vulnerabilities. Our mission is to provide feedback quickly to the development team in order to fix the vulnerability ASAP.
SD: Now that we’re living through COVID-19, where do you think cybersecurity is headed?
MG: I’m really sorry that many industries are struggling financially, but cybersecurity is actually going pretty well now. Fluid Attacks’ revenue has risen by about 38% since last year.
But threats are increasing all the time because it’s a very good environment to attack companies. Before COVID-19, everyone came into the office and the company protected the perimeter. Since the pandemic started, everyone has been working remotely from home, so the protection (firewalls, IDS, antiviruses, user controls) is not enough. People are more susceptible to being attacked.