ThreadFix is an open source tool developed by Denim Group to help organizations manage application security programs. The presentation discusses new features in version 2.1 including support for additional vulnerability scanning tools and defect trackers. It demonstrates how ThreadFix consolidates scan results, merges findings across scanners, and maps vulnerabilities to defects in development tools to prioritize remediation. The speaker also outlines upcoming enhancements and how the enterprise version provides additional support and capabilities.

1. ThreadFix 2.1 and Your Application Security Program!
!
Dan Cornell!
@danielcornell
© Copyright 2014 Denim Group - All Rights Reserved

2. My Background
• Dan Cornell, founder and CTO of
Denim Group
• Software developer by background
(Java, .NET, etc)
• OWASP San Antonio
© Copyright 2014 Denim Group - All Rights Reserved 2

3. Denim Group Background
• Secure software services and products company
– Builds secure software
– Helps organizations assess and mitigate risk of in-house developed and third party
software
– Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Develops open source tools to help clients mature their software security programs
• Remediation Resource Center, ThreadFix
– OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
– World class alliance partners accelerate innovation to solve client problems
© Copyright 2014 Denim Group - All Rights Reserved
3

4. Agenda
• Background
• What is ThreadFix?
– What’s New in ThreadFix 2.1?
• What’s Next?
© Copyright 2014 Denim Group - All Rights Reserved 4

5. List of Supported Tools / Technologies:
Dynamic Scanners
Acunetix
Arachni
Burp Suite
Checkmarx
HP WebInspect
IBM Security AppScan Standard
IBM Security AppScan Enterprise
Mavituna Security Netsparker
NTO Spider
OWASP Zed Attack Proxy
Tenable Nessus
Trustwave/Cenzic Hailstorm
Skipfish
w3aF
Static Scanners
FindBugs
IBM Security AppScan Source
HP Fortify SCA
Microsoft CAT.NET
Brakeman
© Copyright 2014 Denim Group - All Rights Reserved
5
SaaS Testing Platforms
WhiteHat
Veracode
QualysGuard WAS
IDS/IPS and WAF
DenyAll
F5
Imperva
Mod_Security
Snort
Defect Trackers
Atlassian JIRA
HP Quality Center
Microsoft Team Foundation Server
Mozilla Bugzilla
Version One
*Plugin Architecture for Additional Defect Trackers

6. Supported Technologies
© Copyright 2014 Denim Group - All Rights Reserved
5

7. New In ThreadFix 2.1: More Tool Support
• Added support for:
– Cenzic/Trustware Hailstorm
– Checkmarx
– HP Quality Center
– VersionOne
– Riverbed Stingray
• Plugin architecture for
scanners
• Benefit: Manage your
application security program
regardless of your vendor
mix
© Copyright 2014 Denim Group - All Rights Reserved
7

8. Create a consolidated
view of your
applications and
vulnerabilities
© Copyright 2014 Denim Group - All Rights Reserved 8

9. Demo: Application Portfolio Tracking
© Copyright 2014 Denim Group - All Rights Reserved
9

10. Fill ThreadFix Up With Vulnerability Data
• Manual file upload
• REST API
– https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
• Command Line Interface (CLI)
– https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
– JAR can also be used as a Java REST client library
• Jenkins plugin
– Contributed from the ThreadFix community (yeah!)
– https://github.com/automationdomination/threadfix-plugin
© Copyright 2014 Denim Group - All Rights Reserved
10

11. New In ThreadFix 2.1: API Updates
• Many updates to REST API
• New methods
• Better consistency
• Better versioning
• Benefit: MOAR Automation!
© Copyright 2014 Denim Group - All Rights Reserved
11

12. What Does ThreadFix Do With Scan Results
• Diff against previous scans with same technology
– What vulnerabilities:
• are new?
• went away?
• resurfaced?
• Findings marked as false positive are remembered across scans
– Saving analyst time
• Normalize and merge with other scanners’ findings
– SAST to SAST
– DAST to DAST
– SAST to DAST via Hybrid Analysis Mapping (HAM)
© Copyright 2014 Denim Group - All Rights Reserved
12

13. Demo: Vulnerability Merge
© Copyright 2014 Denim Group - All Rights Reserved
13

14. Hybrid Analysis Mapping (HAM)
• Initial research funded by the US Department of Homeland Security
(DHS) Science and Technology (S&T) Directorate via a Phase 1 and
(now) Phase 2 Small Business Innovation Research (SBIR) contract
– Acronyms!
• Initial goal: SAST to DAST merging
• Results: That, plus other stuff
© Copyright 2014 Denim Group - All Rights Reserved
14

15. Demo: Merging Static and Dynamic Scanner Results
© Copyright 2014 Denim Group - All Rights Reserved
15

16. Demo: Merging Static and Dynamic Scanner Results
© Copyright 2014 Denim Group - All Rights Reserved
16

17. Demo: De-Duplicate Dynamic RESTful Scanner Results
© Copyright 2014 Denim Group - All Rights Reserved
17

18. Demo: De-Duplicate Dynamic RESTful Scanner Results
© Copyright 2014 Denim Group - All Rights Reserved
18

19. Prioritize application
risk decisions based on
data
© Copyright 2014 Denim Group - All Rights Reserved 19

20. New In ThreadFix 2.1: Vulnerability Filtering
• Ability to slice and dice vulnerability data across the entire enterprise
• Ability to save specific filters
– Implement policies
– Custom reports
• Ability to access filtering via the API
• Benefit: Focus on the most important vulnerabilities first
© Copyright 2014 Denim Group - All Rights Reserved
20

21. Vulnerability Filtering
• Filter vulnerability data
– Scanner, scanner count
– Vulnerability type
– Path, parameter
– Severity
– Status
– Aging
• Save filters for future use
© Copyright 2014 Denim Group - All Rights Reserved
21

22. Demo: Vulnerability Filtering
© Copyright 2014 Denim Group - All Rights Reserved
22

23. Reporting
• Trending
• Progress by Vulnerability
– For program benchmarking
• Portfolio Report
– For resource prioritization
• Comparison
– For scanner/technology benchmarking
© Copyright 2014 Denim Group - All Rights Reserved
23

24. Demo: Reporting
© Copyright 2014 Denim Group - All Rights Reserved
24

25. Translate vulnerabilities to
developers in the tools
they are already using
© Copyright 2014 Denim Group - All Rights Reserved 25

26. Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
– 500 XSS turned into 500 defects?
– If it takes longer to administer the bug than it does to fix the code…
• Cluster like vulnerabilities
– Using the same libraries / functions
– Cut-and-paste remediation code
– Be careful about context-specific encoding
• Combine by severity
– Especially if they are cause for an out-of-cycle release
• Which developer “owns” the code?
© Copyright 2014 Denim Group - All Rights Reserved
26

27. Defect Tracker Integration
• Bundle multiple vulnerabilities into a defect
– Using standard filtering criteria
• ThreadFix periodically updates defect status from the tracker
© Copyright 2014 Denim Group - All Rights Reserved
27

28. Demo: Defect Tracker Integration
© Copyright 2014 Denim Group - All Rights Reserved
28

29. What’s Next for ThreadFix
• Further updates to reporting and analytics
• HAM support for additional languages and frameworks
– Java/Struts
• Importing additional sources of vulnerability data
– IAST
– Known Vulnerable Component
© Copyright 2014 Denim Group - All Rights Reserved
29

30. ThreadFix: Community vs. Enterprise
• Phone and Email Support
• Access to Product Management and Development Teams
• Authentication via Active Directory/LDAP
• Authorization
– Role-Based
– Data-Based
• Native Proxy Support
• Scan Orchestration
– Via ThreadFix Scan Agents
© Copyright 2014 Denim Group - All Rights Reserved
30

31. Important Links
• Main ThreadFix website: www.threadfix.org
– General information, downloads
• ThreadFix GitHub site: www.github.com/denimgroup/threadfix
– Code, issue tracking
• ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
– Project documentation
• ThreadFix Google Group:
https://groups.google.com/forum/?fromgroups#!forum/threadfix
– Community support, general discussion
© Copyright 2014 Denim Group - All Rights Reserved
31

32. Questions / Contact Information
Dan Cornell
Principal and CTO
dan@denimgroup.com
Twitter @danielcornell
(210) 572-4400
www.denimgroup.com
www.threadfix.org
© Copyright 2014 Denim Group - All Rights Reserved 32