Open source vulnerability management software ThreadFix ready for production use

ThreadFix 1.0 can import vulnerability reports from different vulnerability scanners and export them to different bug tracking systems

The first production-ready version of ThreadFix, an open-source software vulnerability management tool, was released Monday by Denim Group, a secure software development firm in San Antonio, Texas.

ThreadFix was designed to bridge the communication gap between enterprise security teams and software development teams in an attempt to decrease the time required to fix software vulnerabilities. The product can import vulnerability reports from different vulnerability scanning sources and export them to a variety of bug tracking systems commonly used by developers.

Companies have gotten pretty good at finding vulnerabilities in their applications, said John Dickson, principal at Denim Group. However, it still takes a considerable amount of time to fix them, he said.

Dickson pointed to the annual statistics released by vulnerability testing firms WhiteHat Security and Veracode for an indication of how long it takes on average for enterprises to fix vulnerabilities in their websites or other types of applications. While network-level vulnerabilities get fixed in hours or days, application-level vulnerabilities get fixed in weeks or months, Dickson said.

Dickson thinks this is partially caused by the diversity of security testing approaches in enterprise environments. Companies can have multiple security teams that use different tools and technologies which generate reports in different formats and often for the same issues, he said.

This leaves the people responsible with managing vulnerabilities in a corporate environment with a very difficult task. There are companies that track vulnerabilities discovered through different means of security testing -- static and dynamic scanning, source code reviews, penetration testing, etc. -- manually using Excel spreadsheets, said Dickson.

"On top of that, still the main way that we see a lot of vulnerabilities passed from the security teams to the development teams is via PDFs," Dickson said. These are unactionable documents, Dickson noted, that cause developers to ask themselves "What do I do with this?"

ThreadFix aggregates vulnerability scanning results from a variety of sources and normalizes the data to an internal format. It then de-duplicates the data by determining whether different scanners have found the same vulnerabilities and generates a single unified list containing all the issues.

Based on that list a security analyst can then start to negotiate with the development team leader about which vulnerabilities need to be fixed as soon as possible and how to export them to the bug tracking system used by the development team. Multiple vulnerabilities can be grouped under the same bug ticket by vulnerability type, by vulnerability severity or by a specific developer in charge of an affected component, for example.

Once the vulnerability reports have been exported as new tickets in the development team's bug tracker of choice, the security analyst can monitor if they've been resolved directly from ThreadFix, because the system communicates with the bug tracker in real time and can read the ticket status.

ThreadFix can also generate rules based on the vulnerability data for Web application firewalls or intrusion detection systems. This ensures that a vulnerable application is protected against attacks until a particular issue gets fixed.

Version 1.0 of ThreadFix has built-in support for some of the most commonly used vulnerability scanners and bug tracking systems. However, support for other systems can be easily added through plug-ins, said Dan Cornell, principal and chief technology officer at Denim Group.

ThreadFix uses Java on the server side, but can be used to manage vulnerability reports through a standard Web-based interface that doesn't require Java support inside the browser. It can be downloaded either as a .zip archive that contains an SQL database server and the Apache Tomcat Web server and which is suitable for testing the product, or as a pre-configured virtual machine appliance based on Linux, MySQL and Apache, Cornell said.

ThreadFix has been in development internally at Denim Group for the past two years and a beta version has been publicly available since earlier this year. The company's strategy is to offer the product for free under an open source license and provide commercial support and consultancy services to organizations that need help deploying it in their environments.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?