The document presents an overview of ThreadFix, a software vulnerability management system developed by Denim Group that aggregates vulnerability data and assists organizations in remediation efforts. It discusses the integration of technology with the Department of Homeland Security's Small Business Innovation Research program to enhance application security testing methodologies, including hybrid analysis mapping of static and dynamic vulnerability results. Additionally, it outlines community support, contributions from various companies, and the future directions for ThreadFix's development and usage.

1. © 2015 Denim Group – All Rights Reserved
The ThreadFix Ecosystem:
Vendors, Volunteers, and Versions
Dan Cornell
@danielcornell
This%presentation%contains%information%about%DHS5funded%research:
Topic'Number:'H/SB013.1/002'/ Hybrid'Analysis'Mapping'(HAM)'
Proposal'Number:'HSHQDC/13/R/00009/H/SB013.1/002/0003/I

2. © 2015 Denim Group – All Rights Reserved
My%Background
• Dan'Cornell,'founder'and'CTO'of'
Denim'Group
• Software'developer'by'background'
(Java,'.NET,'etc)
• OWASP'San'Antonio
2

3. © 2015 Denim Group – All Rights Reserved
Denim%Group%Background
• Secure'software'services'and'products'company
• Builds'secure'software
• Helps'organizations'assess'and'mitigate'risk'of'in/house'developed'and'third'party'
software
• Provides'classroom'training'and'e/Learning'so'clients'can'build'software'securely
• Software/centric'view'of'application'security
• Application'security'experts'are'practicing'developers
• Development'pedigree'translates'to'rapport'with'development'managers'''
• Business%impact:%shorter%time5to5fix% application%vulnerabilities%
• Culture'of'application'security'innovation'and'contribution
• Develops'open'source'tools'to'help'clients'mature'their'software'security'programs
• Remediation*Resource*Center,*ThreadFix
• OWASP'national'leaders'&'regular'speakers'at'RSA,'SANS,'OWASP,'ISSA,'CSI
• World'class'alliance'partners'accelerate'innovation'to'solve'client'problems
3

4. © 2015 Denim Group – All Rights Reserved
Agenda
• What'Is'ThreadFix?
• DHS'SBIR'Program
• Vendor'Supporters
• Corporate'/'Individual'Supporters
• What’s'Next?
**'Disclaimer:'This'presentation'reflects'my'opinions'and'is'not'
endorsed'by'DHS'or'any'other'sponsor/contributor/supporter'**

5. © 2015 Denim Group – All Rights Reserved
5
ThreadFix
Accelerate'Software'Remediation
ThreadFix' is'a'software'vulnerability' aggregation' and'
management' system'that'helps'organizations' aggregate'
vulnerability' data,'generate' virtual'patches,'and'interact'with'
software'defect'tracking'systems.

6. © 2015 Denim Group – All Rights Reserved
What%Can%We%Do%With%ThreadFix?
• Create'a'consolidated'view'of'your'applications'and'vulnerabilities
• Prioritize'application'risk'decisions'based'on'data
• Translate'vulnerabilities'to'developers'in'the'tools'they'are'already'
using
6

7. © 2015 Denim Group – All Rights Reserved
Create%a%consolidated%
view%of%your%
applications%and%
vulnerabilities
7

8. © 2015 Denim Group – All Rights Reserved
Prioritize%application%
risk%decisions%based%on%
data
8

9. © 2015 Denim Group – All Rights Reserved
Translate%vulnerabilities%
to%developers%in%the%
tools%they%are%already%
using
9

10. © 2015 Denim Group – All Rights Reserved
ThreadFix Overview%Demo

11. © 2015 Denim Group – All Rights Reserved
What%Did%We%Do%To%Try%and%Foster%Community?
• Open'Source'(Mozilla)'License
• Hosting'at'GitHub
• Google'Group
• REST'API
• Contribution'Model

12. © 2015 Denim Group – All Rights Reserved
What%Are%Companies%Doing%With%ThreadFix?
What'does'your'pipeline'look'like?
http://www.slideshare.net/mtesauro/mtesauro/keynote/appseceu
http://www.slideshare.net/denimgroup/rsa2015/blending/
theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting/security/up/to/
speed.html

13. © 2015 Denim Group – All Rights Reserved
Department%of%Homeland%Security%Support
• Currently'in'Phase'2'of'a'DHS'S&T'SBIR
• Acronyms!
• DHS'='Department'of'Homeland'Security
• S&T'='Directorate'of'Science'and'Technology
• SBIR'='Small'Business'Innovation'Research
• Geared'toward'developing'new'technologies'for'Federal'customers
• Hybrid'Analysis'Mapping'(HAM)
• Technology'has'been'included'with'ThreadFix

14. © 2015 Denim Group – All Rights Reserved
Hybrid%Analysis%Mapping%(HAM)
• Initial'goal:'Correlate'and'merge'results'from'SAST'and'DAST
• After'we'made'that'work,'we'found'other'stuff'we'could'do'with'the'
technology
14

15. © 2015 Denim Group – All Rights Reserved
Hybrid%Analysis%Mapping%(HAM)
• Determine%the%feasibility%of%developing%a%system%that%can%
reliably%and%efficiently%correlate%and%merge%the%results%of%
automated%static%and%dynamic%security%scans%of%web%
applications.
HP%Fortify%SCA IBM%AppScan%Standard
15

16. © 2015 Denim Group – All Rights Reserved
Dynamic%Application%Security%Testing%(DAST)
• Spider'to'enumerate'attack'surface
• Crawl'the'site'like'Google'would
• But'with'authentication'/'session'detection
• Fuzz'to'identify'vulnerabilities'based'on'analysis'of'
request/response'patterns
• If'you'send'a'SQL'control'character'and'get'a'JDBC'error'message'back,'that'
could'indicate'a'SQL'injection'vulnerability
• A'finding'looks'like'(CWE,'relative'URL,'[entry'point])
16

17. © 2015 Denim Group – All Rights Reserved
Static%Application%Security%Testing%(SAST)
• Use'source'or'binary'to'create'a'model'of'the'application
• Kind'of'like'a'compiler'or'VM
• Perform'analysis'to'identify'vulnerabilities'and'weaknesses
• Data'flow,'control'flow,'semantic,'etc
• A'finding'looks'like'(CWE,'code/data'flow)
17

18. © 2015 Denim Group – All Rights Reserved
Hybrid%Analysis%Mapping
Sub5Goals
• Standardize'vulnerability'types
• Settled'on'MITRE'Common'Weakness'Enumeration'(CWE)
• Match'dynamic'and'static'locations
• Use'knowledge'of'language/web'framework'to'build'attack'surface'database
• Improve'static'parameter'parsing
• Parse'out'of'source'code'to'match'with'DAST'result
18

19. © 2015 Denim Group – All Rights Reserved
Information%Used
• Source'Code
• Git,'Subversion,'Local'Copy
• Framework'Type'
• Java:'JSP,'Spring,'Struts
• C#:'.NET'WebForms,'.NET'MVC
• Ruby:'Rails
• PHP:'in'progress
• Extra'information'from'SAST'results'(if'available)
19

20. © 2015 Denim Group – All Rights Reserved
Unified%Endpoint%Database
• EndpointQuery
• dynamicPath
• staticPath
• Parameter
• httpMethod
• codePoints [List<CodePoint>]
• informationSourceType
• EndpointDatabase
• findBestMatch(EndpointQuery query):'Endpoint
• findAllMatches(EndpointQuery query):'Set<Endpoint>
• getFrameworkType():'FrameworkType

21. © 2015 Denim Group – All Rights Reserved
Merging%SAST%and%DSAT%Results
• I'have'a'DAST'result:
• (“Reflected'XSS”,'/login.jsp,'“username”'parameter)
• Query'the'Endpoint'Database:
• Entry'point'is'com.something.something.LoginController.java,'line'62
• Search'the'other'findings'for'SAST'results'like:
• (“Reflected'XSS”,'source'at'com.something.something.LoginController.java,'line'62)
• If'you'find'a'match'– correlate'those'two'findings
• Magic!

22. © 2015 Denim Group – All Rights Reserved
That’s%Great%But%I%Want%More
• So'our'research'produced'a'successful/valuable'outcome
• Hooray
• But'– given'these'data'structures,'what'else'can'we'do?
• From'an'EndpointDatabase we'can:
• Get'all of'the'application’s'attack'surface
• Map'DAST'results'to'a'specific'line'of'code
• Given'those'capabilities'we'can:
• Pre/seed'scanners'with'attack'surface
• Map'DAST'results'to'lines'of'code'in'a'developer'IDE
• Map'DAST'results'to'lines'of'code'in'SonarQube

23. © 2015 Denim Group – All Rights Reserved
Scanner%Seeding
• What'if'we'could'give'the'DAST'spidering process'a'head'start?
• Pre/seed'with'all of'the'attack'surface
• Landing'pages'that'link'in'to'the'application
• Hidden'directories
• Backdoor'or'“unused”'parameters
• Currently'have'plugins'for'OWASP'ZAP'and'BurpSuite
• Plugin'for'IBM'Rational'AppScan Standard'is'in'progress
https://github.com/denimgroup/threadfix/wiki/Scanner/Plugins

24. © 2015 Denim Group – All Rights Reserved
Scanner%Seeding%Demo

25. © 2015 Denim Group – All Rights Reserved
IDE%Plugins
• Showing'developers'where'to'start'fixing'vulnerabilities'helps'reduce'
friction'in'the'remediation'process
• SAST'tools'have'IDE'plugins
• Which'is'awesome!
• We'can'pinpoint'entry'lines'of'code'for'DAST'results'with'HAM
• Currently'have'plugins'for'Eclipse'and'IntelliJ
• Plugin'for'Visual'Studio'.NET'is'in'progress
https://github.com/denimgroup/threadfix/wiki/IDE/Plugins

26. © 2015 Denim Group – All Rights Reserved
IDE%Plugin%Demo

27. © 2015 Denim Group – All Rights Reserved
SonarQube Plugin
• Development'teams'use'SonarQube to'track'technical'debt'(quality)
• Let’s'put'security'technical'debt'in'that'tool'as'well.'.'.
• Some'SAST'tools'already'have'SonarQube plugins
• Which'is'awesome!
• Earlier'version'of'plugin'API'required'line'numbers'for'findings
• Which'we'can'provide'for'DAST'results'via'HAM!
• Provides'a'unified'pipeline'for'security'findings'to'be'tracked'in'
SonarQube
https://github.com/denimgroup/threadfix/wiki/Sonar/Plugin

28. © 2015 Denim Group – All Rights Reserved
SonarQube Plugin%Demo

29. © 2015 Denim Group – All Rights Reserved
Final%Thoughts%on%SBIR%Work%with%DHS%S&T
• Great'use'of'the'SBIR'program
• In'my'humble'and'totally unbiased'opinion
• Proved'to'be'the'tipping'point'to'developing'HAM
• HAM'was'interesting,'but'required'material'investment
• Research'produced'a'successful'outcome'(we'think)
• We'found'other'things'we'could'do'with'the'technology
• Released'much'of'it'open'source'to'increase'adoption

30. © 2015 Denim Group – All Rights Reserved
Vendor%Supporters
• Virtual'Forge
• Donated'support'for'their'CodeProfiler SAST'tool
• Brocade'(Riverbed)
• Donated'support'for'their'SteelApp web'application'firewall

31. © 2015 Denim Group – All Rights Reserved
Corporate%/%Individual%Supporters
• Rackspace
• Axway
• Automation'Domination
• Samsung
• Pearson

32. © 2015 Denim Group – All Rights Reserved
Rackspace
• Longtime'contributor'to'open'source'software
• Developed'and'contributed'initial'VersionOne support

33. © 2015 Denim Group – All Rights Reserved
Axway
• Developed'and'contributed'HP'Fortify'SSC'support
• Still'being'fully'integrated
• Developed'alternate'dashboard'widgets

34. © 2015 Denim Group – All Rights Reserved
Automation%Domination
• Brandon'Spruth
• Developed'ThreadFix Jenkins'plugin
• Integrating'security'tools'into'the'developers’'CI'pipeline'– great!
https://wiki.jenkins/ci.org/display/JENKINS/ThreadFix+Plugin

35. © 2015 Denim Group – All Rights Reserved
ThreadFix Jenkins%Plugin

36. © 2015 Denim Group – All Rights Reserved
Samsung
• Developed'and'contributed'a'number'of'features'to'be'released'with'
ThreadFix 2.3

37. © 2015 Denim Group – All Rights Reserved
Samsung%SSIC%Links
• Samsung'blog'post'about'their'ThreadFix architecture:
https://blog.samsungsami.io/development/security/2015/06/16/getting/security/up/to/speed.html
Many'thanks'to'Samsung'SSIC'for'their'donation'of:
• Default'system'for'defect'submissions
• Scheduled'email'reports'for'new'vulnerabilities
• Defect'description'more'extensive'and'flexible'with'velocity'template'
engine
• Ability'to'submit'defects'from'vulnerability'details'page

38. © 2015 Denim Group – All Rights Reserved
Pearson
• Sponsored'development'of'a'number'of'features
• Have'developed'a'number'of'supporting'tools
• Helped'make'some'of'our'documentation'less'…'crappy

39. © 2015 Denim Group – All Rights Reserved
Pearson%Links
Aaron'Weaver'and'Matt'Tesauro’s presentations'at'OWASP'AppSecEU
2015:
• http://www.denimgroup.com/blog/denim_group/2015/06/threadfix/pearson.html
Matt'Tesauro:
• Go'client'library:'
• https://github.com/mtesauro/tfclient
• Checkmarx/ThreadFix integration
• https://github.com/mtesauro/tfCheckmarxUpload
Adam'Parson:
• Python'client'library:
• https://github.com/aparsons/threadfix_api

40. © 2015 Denim Group – All Rights Reserved
Pearson%Notes
Many'thanks'to'Pearson'for'their'sponsorship'of:
• Defect'Tracker'Default'Credentials
• Deep'Linking'After'Authentication
• Scan'Details'REST'Call
• Scan'List'REST'Call
• Unmapped' Findings'Data'in'Scan'Upload'REST'Response
• Full'URL'in'Vulnerability'Tree
• Custom'CWE'Remediation'Advice'on'Defects
• Set'CWE'Text'REST'Call,'and'CWE'Text'in'Vuln Search
• Multi/File'Scan'Upload
• Multi/File'Scan'Upload'Endpoint
• Scanner/Specific'Filters
• Tag'REST'Calls
• REST'Application'Update'Call
• REST'Team'Update'Call
• AppScan Enterprise'Support

41. © 2015 Denim Group – All Rights Reserved
What%Have%We%Learned?
• Running'an'Open'Source'project:'“Free”'as'in'“puppy”
• Nobody'seems'to'care'(too'much)'about'the'license
• We'need'to'be'more'“API'First”
• Having'a'community'drives'innovation

42. © 2015 Denim Group – All Rights Reserved
I%Want%to%Contribute!
• Great!
• Let'us'know'what'you’re'interested'in
• Sign'a'contributor'agreement
• Contribute!
Main'Contributor'Page:
https://github.com/denimgroup/threadfix/wiki/ThreadFix/Development/Community

43. © 2015 Denim Group – All Rights Reserved
Important%Links
• Main'ThreadFix website:'www.threadfix.org
• General'information,'downloads
• ThreadFix GitHub site:'www.github.com/denimgroup/threadfix
• Code,'issue'tracking
• ThreadFix GitHub wiki:'https://github.com/denimgroup/threadfix/wiki
• Project'documentation
• ThreadFix Google'Group:'
https://groups.google.com/forum/?fromgroups#!forum/threadfix
• Community'support,'general'discussion
43

44. © 2015 Denim Group – All Rights Reserved
Questions%/%Contact%Information
Dan%Cornell
Principal'and'CTO
dan@denimgroup.com
Twitter'@danielcornell
(844)'572/4400
www.denimgroup.com
www.threadfix.org
44