Open source vulnerability management platform

Denim Group announced ThreadFix, an open source, freely-available vulnerability management platform that accelerates the process of resolving application-level vulnerabilities.

ThreadFix aggregates vulnerability test results from disparate static and dynamic scanning tools as well as the results of manual penetration testing, code review and threat modeling to create a single comprehensive view of the security status of all applications within an organization.

With this tool, the reporting, prioritization and remediation of an organization’s application security vulnerabilities are centralized, easing communications between the application development and security teams.

The industry trend of using multiple commercial and open source tools to test the security of applications has enabled security teams to become more effective at identifying vulnerabilities. However, the downside of this approach is the volume of data that is produced to detail these vulnerabilities. Until now, this information has been managed with tedious and error-prone processes such as manually entering data into Excel spreadsheets.

The ThreadFix platform simplifies this process by automatically integrating dissimilar scanning data from a wide variety of tools. Overlaps among the reports are de-duplicated to present a clearer picture of currently-open vulnerabilities.

To protect the organization’s assets during the remediation process, ThreadFix generates Web Application Firewall “virtual patches” that better protect the organization while the software vulnerabilities are addressed at a code level. These tailored firewall rules also generate additional data from actual attack attempts that is imported into ThreadFix.

Combining the vulnerability scans with the attack intelligence provides a more complete picture of an organization’s security state, making it much easier to properly prioritize the software defects severity.

With the ThreadFix “virtual patches” reducing the organization’s exposure, security analysts and development team leads can work together to decide which vulnerabilities will get fixed and which vulnerabilities represent an acceptable risk to the organization.

ThreadFix is used to bundle vulnerabilities by type, by responsible developer or by severity. The bundled vulnerabilities are exported to software defect trackers, the tools and processes developers already use in their daily job, eliminating the need to learn yet another security defect-specific system.

As the defects are resolved and entered in the defect tracking system, these changes are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm the security holes have indeed been closed.

“With the hundreds of concurrent application development projects taking place in a typical company today, staying on top of the mountain of security vulnerabilities is a huge challenge, especially when you are trying to manage that data with Excel spreadsheets,” said Dan Cornell, Denim Group CTO & Principal. “ThreadFix aggregates all of this data, making it much easier to pinpoint the critical risks that can get buried underneath an overwhelming number of lower-priority or irrelevant vulnerability information. We’re pleased to be able to release this as an open source product to enable companies of all sizes to accelerate secure application development initiatives across the market.”