ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications

© 2016 Denim Group – All Rights Reserved
ThreadFix and SD Elements:
Unifying Security Requirements and
Vulnerability Management for Applications
November 17th, 2016
Dan Cornell
CTO, Denim Group
Shane Parfitt
Product Marketing Manager, Security Compass

Agenda
• State of Application Security
• Why Managed Security Requirements?
• SD Elements Overview/How it Works
• Business Value
• ThreadFix Overview
• ThreadFix / SD Elements Integration
Copyright © 2016 Security Compass. All rights reserved.

Why Manage Security Requirements?

S O F T W A R E D E V E L O P M E N T L I F E C Y C L E
REQUIREMENTS
MANAGEMENT
AppSec Products/Tools
CODE REVIEW
(SAST)
PEN TESTING
(DAST)

0
20
40
60
80
100
120
1x 6.5x
15x
100x
The later security vulnerabilities are found in the SDLC,
the greater is the cost and time required to remediate.
Source: IBM Systems Sciences Institute
Relative Cost of Fixing Defects

- STEP 1 -
Answer short
questionnaire
- STEP 2 -
Get threats relevant
and
countermeasures
- STEP 3 -
Deliver through your
development tools
- STEP 4 -
Build security in
- STEP 5 -
Verify Requirements
Repeatable. Scalable. Cost-Efficient.

Application modeling
takes just 15 minutes.
Information is gathered
about language, platform,
features, compliance and
tools in order to determine
the relevant threats and
countermeasures…
Copyright © 2016 Security Compass. All rights reserved..

A list of potential vulnerabilities
is drawn from a large expert
database of security content,
providing a clear risk analysis
of the application.
The expert database is regularly
updated with the latest threats
and countermeasures
Copyright © 2016 Security Compass. All rights reserved

SD Elements painlessly fits
into existing development
processes.
Synchronization with ALM
tools such as HP ALM, IBM
Rational CLM, JIRA, and
Microsoft TFS pushes
security requirements directly
to developers as work
items/tickets.

Seamless Integration

Task prioritization helps
guide agile teams choose
what to work on first.
Code samples and
embedded training help
developers understand both
the “WHY” and “HOW” of
security requirements

AppScan: FailThreadFix: Fail
Test results are easily
imported from
ThreadFix and popular
scanning tools.
Imported data is matched
to requirements for
validation and compliance
reporting

ROI CalculationForrester Case Study of a Fortune 500 Financial Institution:

ROI via Vulnerability Reduction
Avg. # of Vulnerabilities
0
20
40
60
MEDIUMHIGH MEDIUMHIGH
32.8
0
13.2
0.4
0
5
10
15
20
25
30
35
No SDE Full SDE Usage
0
20
40
60
App1 App2 App3 App4 App5

Risk Reduction
RISK
IDENTIFY MITIGATE VALIDATE
SDE PROJECT PROGRESS
10 1
…  Pass
DONE

Large ISV Client Anecdote
• Attempted to build a similar tool internally and failed. Twice.
• Decided to adopt SD Elements, and realized immediate efficiencies.
Before
SDE
After
SDE
Time
Less than 1 hour!
5 – 10 days!
Time required for Threat Profiling and Requirements Generation:

ThreadFix Overview
• Create a consolidated view of your
applications and vulnerabilities
• Prioritize application risk decisions based on
data
• Translate vulnerabilities to
developers in the tools they
are already using

ThreadFix Overview

Create a consolidated
view of your
applications and
vulnerabilities

Application Portfolio Tracking

Vulnerability Import

Vulnerability Consolidation

Prioritize application
risk decisions based on
data

Vulnerability Prioritization

Reporting and Metrics

Translate vulnerabilities
to developers in the
tools they are already
using

Defect Tracker Integration

SD Elements HomePage

Add Connection

Add ThreadFix Credentials

ThreadFix Connection
Established!

Add ThreadFix Integration to
Project (1)

Project (2)

Project (3)

Import Results

Track Results

Without ThreadFix
CheckMarx: Partial Pass
Conflicting Results

Report Results

Report Results
• Automatically generated
compliance report
showing Completion
Status and Verification
Status for each control.

Summary
• SD Elements 4 manages security requirements across the entire
software development lifecycle, from planning through to release.
• Scalable automation capabilities culminate in more secure
applications that cost less to develop and test.
• ThreadFix integration with SD Elements allows organizations to
reduce risk by validating requirements using multiple scanner
results, while maintaining the same level of automation.

ThreadFix
www.threadfix.it
Security Compass SD Elements
www.securitycompass.com/sdelements
Questions and Contact

About Denim Group
Denim Group is the leading secure software development firm,
serving as a trusted advisor on matters of software risk and security.
Our flagship ThreadFix product accelerates the process of software
vulnerability remediation, reflecting the company's understanding of
what it takes to fix application vulnerabilities faster.

Security Compass named as a Gartner Cool Vendor in
Application and Endpoint Security 2014
bit.ly/securitycompass
Security Compass is a leading application security firm specializing in solving root
application security problems for Fortune 500 companies. Our goal is to help you
build secure software by seamlessly unifying your application security needs
through eLearning, Security Requirements and Verification.
About Security Compass

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications

More Related Content

What's hot

Similar to ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications

More from Denim Group

Recently uploaded

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Management for Applications