Sunday, March 17, 2013

ThreadFix, an Open Source tool for software vulnerability management

As many know, I’ve spent the last couple of years in the vulnerability management world, at least what we generally accept as “vulnerability management”.  Although I think what we do at my “day job” (what a quaint concept, “day job”) is stellar, there is a hole in vulnerability management: managing vulnerabilities in applications from a code review and process management perspective.  Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing?  How do you manage disparate data sources on vulnerabilities in your organization’s code?  How do you share that information, and get the right information to the right people, in the format they want?  How do you act on the information as quickly and effectively as possible?  For many people, I assume a kludge of ticketing and bug-tracking tools is used, probably with a few spreadsheets tossed in to connect the dots that the tools don’t support.


Enter the good folks at Denim Group, who have created ThreadFix, an Open Source “application vulnerability management platform”.  I had a chance to sit down with Dan and John from Denim at the recent RSA conference and take a look at ThreadFix, and I’m impressed.  Application security is not a major part of my day-to-day work, but it is still an area I try to keep an eye on, and ThreadFix looks like a great project.  As I mentioned, it is Open Source, but it also has an established application security company behind it.  This means you can grab the code from Google Code and run with it on your own, or you can turn to Denim for assistance and support if you need some corporate backing in your environment.  The features of ThreadFix (from Denim’s ThreadFix page) include:

  • Simplified View of Application Test Results
    • Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling to get a complete view of the state of your applications.
  • Reports
    • Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s progress over time to pinpoint any process problems.
  • Defect Tracker Integration
    • Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using.
  • Virtual Patching
    • Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
  • Compatible with Open Source and Commercial Products
    • ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers.

Version 1.1 of ThreadFix is available as a release candidate now, and should be available as a stable release very soon.  1.1 adds support for additional scanners, including NTO Spider and IBM AppScan, along with numerous other enhancements (and, of course, bug fixes).

If application security is part of your world, take a look at ThreadFix.

Side note and conference tip: if you want to talk with friends at an event like RSA, and know you’ll be crazy busy, go ahead and schedule a meeting, even if that means answering their PR folks’ messages in your inbox.  If you don’t, the week will disappear.  Just don’t say “I’ll meet you in the lobby” at events the size of RSA; several thousand other people have the same idea and you end up playing cell phone Marco Polo.  If I hadn’t scheduled time with Dan and John I might have waved to them at a party, but couldn’t have had a meaningful conversation.