ThreadFix: Software vulnerability aggregation and management system

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.


A view of the application portfolio

Application security programs tend to involve a number of technologies and activities, and application security teams struggle to manage these testing activities and all the data they generate.

“We built ThreadFix so that application security teams can create a consolidated view of their applications and identified vulnerabilities, make risk-based decisions on which vulnerabilities to address and how, and then communicate those vulnerabilities to developers in the tools they’re already using,” Dan Cornell, ThreadFix Project Creator and Denim Group CTO, told Help Net Security.

“What we want to do is provide a vulnerability resolution platform that takes care of the rote data management tasks so that security analysts can focus their time on higher-value activities. Also having all this data in a single location lets teams run reports and track metrics, and this allows them to take a much more quantitative approach to running and evolving their security programs.”

ThreadFix integrates with 30+ tools, services and technologies, so keeping all of those integrations up to date can be challenging. “Every organization runs their testing program a little bit differently, so we’ve had to be very flexible in how we allow data to be loaded into the system – manually, via our REST API, or via a series of plugins to things like Jenkins, etc.,” says Cornell.


Looking at a list of all the currently-open vulnerabilities for an application

Future plans

At the moment, the developers are doing a lot of work to make it easier to use ThreadFix to integrate security testing in developers’ Continuous Integration / Continuous Delivery (CI/CD) pipelines.

“That way developers can do more security testing, more often, and they can take advantage of a lot of opportunities to automate these tasks. We’re also looking to integrate with emerging application security technologies like Realtime Application Self-Protection (RASP),” concluded Cornell.

If you’re at Black Hat USA 2016 in Las Vegas this week, you can see ThreadFix in action at the Arsenal.