ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

© 2016 Denim Group – All Rights Reserved

ThreadFix 2.4Maximizing the Impact of Your Application Security Resources

Dan Cornell@danielcornell

1


Agenda• ThreadFix Overview• Major 2.4 Updates• Questions

2


ThreadFix Overview• Create a consolidated view of your

applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using

3


ThreadFix Overview

4


Major 2.4 Updates• Vulnerability Triage• Flexible Vulnerability Management• Integrations• Administration Updates• Vulnerability Prioritization (“Hot Spots”)

5


Vulnerability Triage• Saved view state• Vulnerability pivots• Version tracking• Source code display

6


Saved View State

7

• Saves vulnerability display status• Saves filter state

• Leads to easier, more intuitive navigation


Saved View State

8


Vulnerability Pivots

9

• Previous pivots were fixed: Criticality, CWE• Can now set:• Primary• Secondary

• Allows for more flexible and customized filtering



10



11


Version Tracking

12

• Can now name “points in time” for applications

• Display along trending graphs• Tags vulnerabilities present in specific

versions

• Allows better progress tracking over time


Version Tracking

13


Version Tracking

14


Version Tracking

15


Version Tracking

16


Version Tracking

17


Source Code Display

18

• This used to be really bad• Now it is better

• Allows for faster, more intuitive vulnerability triage


Source Code Display

19


Flexible Vulnerability Management

• Defect defaults• Multiple defect trackers

20


Defect Defaults

21

• Contributed by Samsung ARTIK (thanks!)• Originally available in ThreadFix 2.3 releases• Allows setting default to defects created by

ThreadFix

• Makes creating vulnerabilities much faster and standardized


Defect Defaults

22


Defect Defaults

23


Defect Defaults

24


Multiple Defect Trackers

25

• Can now attach multiple defect trackers to an application. For example:• One for application vulnerabilities• One for infrastructure/configuration vulnerabilities

• Allows for much more flexible handling of vulnerabilities



26



27



28



29



30



31



32



33



34


Integrations• Checkmarx Remote Provider• On-Premise Contrast Support• Bulk Application Import

35


Checkmarx Remote Provider

36

• Can now import via Checkmarx API• Rather than individual file upload

• Makes integration with Checkmarx much easier to set up and maintain


Checkmarx Remote Provider

37


On-Premise Contrast Support

38

• Have supported cloud-based Contrast for a while

• Now supports On-Premise Contrast Enterprise

• Allows support for more Contrast implementations


On-Premise Contrast Support

39


Bulk Application Import

40

• Allows for creation of applications based on the portfolio managed in a Remote Provider

• Allows for much faster initial ThreadFixdeployment and configuration


Bulk Application Import

41


Administration Updates• User Auditing• SAML Support

42


User Auditing

43

• Can see login history of ThreadFix users• Including failed logins

• Allows for better situational awareness for user activity


User Auditing

44


User Auditing

45


SAML Support

46

• Allows for login via SAML

• Supports enterprise authentication / authorization implementations


SAML Support

47


Vulnerability Prioritization (“Hot Spots”)

• Detect vulnerabilities in shared internally-developed code and components

• Which vulnerability fixes can be a “force multiplier?”

• Get the most value from a limited remediation budget

48



49



50


Major 2.4 Updates• Vulnerability Triage• Flexible Vulnerability Management• Integrations• Administration Updates• Vulnerability Prioritization (“Hot Spots”)

51


Questions / Contact InformationDan CornellPrincipal and [email protected] @danielcornell

(844) 572-4400www.denimgroup.comwww.threadfix.it

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

Technology

Transcript of ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources