The document discusses the major updates to ThreadFix 2.4, including improved vulnerability triage features like saved view states and pivots. It allows for more flexible vulnerability management with defaults, multiple defect trackers, and integrations with Checkmarx and Contrast. Administration was updated with user auditing and SAML support. A new prioritization feature identifies vulnerabilities in shared code.

1. © 2016 Denim Group – All Rights Reserved
ThreadFix 2.4
Maximizing the Impact of Your
Application Security Resources
Dan Cornell
@danielcornell
1

2. © 2016 Denim Group – All Rights Reserved
Agenda
• ThreadFix Overview
• Major 2.4 Updates
• Questions
2

3. © 2016 Denim Group – All Rights Reserved
ThreadFix Overview
• Create a consolidated view of your
applications and vulnerabilities
• Prioritize application risk decisions based on
data
• Translate vulnerabilities to developers in the
tools they are already using
3

4. © 2016 Denim Group – All Rights Reserved
ThreadFix Overview
4

5. © 2016 Denim Group – All Rights Reserved
Major 2.4 Updates
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
5

6. © 2016 Denim Group – All Rights Reserved
Vulnerability Triage
• Saved view state
• Vulnerability pivots
• Version tracking
• Source code display
6

7. © 2016 Denim Group – All Rights Reserved
Saved View State
7
• Saves vulnerability display status
• Saves filter state
• Leads to easier, more intuitive navigation

8. © 2016 Denim Group – All Rights Reserved
Saved View State
8

9. © 2016 Denim Group – All Rights Reserved
Vulnerability Pivots
9
• Previous pivots were fixed: Criticality, CWE
• Can now set:
• Primary
• Secondary
• Allows for more flexible and customized
filtering

10. © 2016 Denim Group – All Rights Reserved
Vulnerability Pivots
10

11. © 2016 Denim Group – All Rights Reserved
Vulnerability Pivots
11

12. © 2016 Denim Group – All Rights Reserved
Version Tracking
12
• Can now name “points in time” for
applications
• Display along trending graphs
• Tags vulnerabilities present in specific
versions
• Allows better progress tracking over time

13. © 2016 Denim Group – All Rights Reserved
Version Tracking
13

14. © 2016 Denim Group – All Rights Reserved
Version Tracking
14

15. © 2016 Denim Group – All Rights Reserved
Version Tracking
15

16. © 2016 Denim Group – All Rights Reserved
Version Tracking
16

17. © 2016 Denim Group – All Rights Reserved
Version Tracking
17

18. © 2016 Denim Group – All Rights Reserved
Source Code Display
18
• This used to be really bad
• Now it is better
• Allows for faster, more intuitive vulnerability
triage

19. © 2016 Denim Group – All Rights Reserved
Source Code Display
19

20. © 2016 Denim Group – All Rights Reserved
Flexible Vulnerability Management
• Defect defaults
• Multiple defect trackers
20

21. © 2016 Denim Group – All Rights Reserved
Defect Defaults
21
• Contributed by Samsung ARTIK (thanks!)
• Originally available in ThreadFix 2.3 releases
• Allows setting default to defects created by
ThreadFix
• Makes creating vulnerabilities much faster
and standardized

22. © 2016 Denim Group – All Rights Reserved
Defect Defaults
22

23. © 2016 Denim Group – All Rights Reserved
Defect Defaults
23

24. © 2016 Denim Group – All Rights Reserved
Defect Defaults
24

25. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
25
• Can now attach multiple defect trackers to an
application. For example:
• One for application vulnerabilities
• One for infrastructure/configuration vulnerabilities
• Allows for much more flexible handling of
vulnerabilities

26. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
26

27. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
27

28. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
28

29. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
29

30. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
30

31. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
31

32. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
32

33. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
33

34. © 2016 Denim Group – All Rights Reserved
Multiple Defect Trackers
34

35. © 2016 Denim Group – All Rights Reserved
Integrations
• Checkmarx Remote Provider
• On-Premise Contrast Support
• Bulk Application Import
35

36. © 2016 Denim Group – All Rights Reserved
Checkmarx Remote Provider
36
• Can now import via Checkmarx API
• Rather than individual file upload
• Makes integration with Checkmarx much
easier to set up and maintain

37. © 2016 Denim Group – All Rights Reserved
Checkmarx Remote Provider
37

38. © 2016 Denim Group – All Rights Reserved
On-Premise Contrast Support
38
• Have supported cloud-based Contrast for a
while
• Now supports On-Premise Contrast
Enterprise
• Allows support for more Contrast
implementations

39. © 2016 Denim Group – All Rights Reserved
On-Premise Contrast Support
39

40. © 2016 Denim Group – All Rights Reserved
Bulk Application Import
40
• Allows for creation of applications based on
the portfolio managed in a Remote Provider
• Allows for much faster initial ThreadFix
deployment and configuration

41. © 2016 Denim Group – All Rights Reserved
Bulk Application Import
41

42. © 2016 Denim Group – All Rights Reserved
Administration Updates
• User Auditing
• SAML Support
42

43. © 2016 Denim Group – All Rights Reserved
User Auditing
43
• Can see login history of ThreadFix users
• Including failed logins
• Allows for better situational awareness for
user activity

44. © 2016 Denim Group – All Rights Reserved
User Auditing
44

45. © 2016 Denim Group – All Rights Reserved
User Auditing
45

46. © 2016 Denim Group – All Rights Reserved
SAML Support
46
• Allows for login via SAML
• Supports enterprise authentication /
authorization implementations

47. © 2016 Denim Group – All Rights Reserved
SAML Support
47

48. © 2016 Denim Group – All Rights Reserved
Vulnerability Prioritization (“Hot Spots”)
• Detect vulnerabilities in shared internally-
developed code and components
• Which vulnerability fixes can be a “force
multiplier?”
• Get the most value from a limited remediation
budget
48

49. © 2016 Denim Group – All Rights Reserved
Vulnerability Prioritization (“Hot Spots”)
49

50. © 2016 Denim Group – All Rights Reserved
Vulnerability Prioritization (“Hot Spots”)
50

51. © 2016 Denim Group – All Rights Reserved
Major 2.4 Updates
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
51

52. © 2016 Denim Group – All Rights Reserved
Questions / Contact Information
Dan Cornell
Principal and CTO
dan@denimgroup.com
Twitter @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.it