Fixing enterprise application security vulnerabilities before attackers discover them is often slowed by a common practice: security officers and development leads track the same defects in several different defect trackers. Denim Group's ThreadFix, a new open source application vulnerability management platform, promises to speed up vulnerability fixes by condensing security bug reports from several tools into one developer-friendly resource.
Better communication between security officers and development leads and managers is critical to rapidly identifying and fixing vulnerabilities, said John Dickson, principal at San Antonio, Texas-based Denim Group. "While many companies have effective means of scanning for and collecting data on vulnerabilities, they may struggle with interpreting and analyzing all that data," he said. Often, security and development teams have to hurry through analyzing and prioritizing, which leads to application vulnerabilities persisting too long. "Remediation becomes an overwhelming problem," he said.
When evaluating the security of an application, one must consider the platform, the network, the network connection and other variables, according to Wendy Nather, research director of security for 451 Research. "You have to use multiple tools to look at the security. Getting all those results and de-duplicating and correlating them and weeding out false positives can turn into a huge nightmare," she said.
A veteran chief information security officer, Nather has experienced the inefficiency of doing this work manually. "Trying to do this work by hand can take an additional full-time employee's effort."
Dickson further described the problem: "Organizations have a shocking attack surface when it comes to the Web and custom software they have developed and deployed." Because of inefficient and redundant tools and practices, the quality assurance (QA) administrator spends too long managing bugs; that is time that should be spent fixing the code. "We're focusing on the mismatch between the type of information delivered by scanning tools and the type of information developers need to resolve these issues," Dickson said.
How ThreadFix works
ThreadFix is a software vulnerability aggregation system. It imports dynamic, static and manual testing results into a centralized platform. "One of the key features of ThreadFix is to condense hundreds, even thousands, of findings from any given tool into general categories of problems that can be fixed across the board," Nather explained. "Other tools do it to some extent, but ThreadFix does it across the board and across tools instead of it being siloed. That's a big step forward."
This system allows users to cull results from various scanning tools and automatically review all the results together, said Dan Cornell, chief technology officer at Denim Group. "Our focus is to do this in a vendor-independent manner," he said.
Nather agreed: "It's vendor-agnostic in what it takes in. Denim Group understood that it was important to integrate and be able to output the findings from ThreadFix into bug repositories. This is helpful because developers only want to look at one place; they want all the bugs lined up clearly to know what they need to work on and in what order."
Dickson explained how ThreadFix packages vulnerabilities into bundles and passes the bundles into the defect tracker, the developer's most-used tool. "Developers get 95% of their bug reports from the defect trackers and about 5% in PDFs from security analysts." The disparate nature of the data collection "makes security vulnerabilities easier for developers to lose or ignore," he said.
Security analysts often find a disconnect between their desire to present all of the testing results and the tools available to do so: the tools they have for presenting findings do not make the results accessible from the developers' perspective. Nather explained: "Denim Group has looked at this from the developers' standpoint. The ThreadFix design understands what the developers want and what they need, instead of what the security officer wants to tell them."
Dickson confirmed that "ThreadFix helps security analysts work with development leads by putting security and development bugs in the same place."
"ThreadFix lets you take vulnerabilities (what security analysts care about) and bundle them up as software defects (what developers care about)," Cornell added. Organizations can now evaluate the code vulnerabilities and negotiate which vulnerabilities to fix first or to fix at all.
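The aggregation workflow the article describes, as an added illustration (not Denim Group's or ThreadFix's code): findings from two constructed scanner reports with different schemas are normalized, correlated across tools by weakness and location, and bundled into one defect per weakness category, the shape a defect tracker would receive. The scanner names and report fields are assumptions.

```python
"""Toy vulnerability aggregator in the spirit of ThreadFix (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output from a hypothetical dynamic scanner.
DYNAMIC_REPORT = [
    {"name": "Cross-Site Scripting", "cwe": 79, "url": "/search", "param": "q"},
    {"name": "SQL Injection", "cwe": 89, "url": "/login", "param": "user"},
]
# Constructed sample output from a hypothetical static analyzer (different schema).
STATIC_REPORT = [
    {"rule": "XSS reflected", "cwe_id": "CWE-79", "path": "/search", "parameter": "q"},
    {"rule": "Hard-coded credential", "cwe_id": "CWE-798", "path": "/config.py", "parameter": None},
]

@dataclass(frozen=True)
class Finding:
    cwe: int
    location: str   # URL path or source file path
    parameter: str  # "" when not applicable
    tool: str

def normalize_dynamic(report, tool="dynamic-scanner"):
    """Map the dynamic scanner's schema onto the common Finding shape."""
    return [Finding(f["cwe"], f["url"], f["param"] or "", tool) for f in report]

def normalize_static(report, tool="static-analyzer"):
    """Map the static analyzer's schema (CWE given as 'CWE-NN') onto Finding."""
    return [Finding(int(f["cwe_id"].split("-")[1]), f["path"],
                    f["parameter"] or "", tool) for f in report]

def merge(*finding_lists):
    """De-duplicate: the same weakness at the same location reported by several
    tools becomes one vulnerability that records which tools confirmed it."""
    merged = defaultdict(set)  # (cwe, location, parameter) -> {tool, ...}
    for findings in finding_lists:
        for f in findings:
            merged[(f.cwe, f.location, f.parameter)].add(f.tool)
    return merged

def bundle_defects(merged):
    """Bundle unique vulnerabilities into one defect per CWE so developers get a
    single ticket per class of problem; multi-tool confirmation raises priority."""
    by_cwe = defaultdict(list)
    for (cwe, loc, param), tools in sorted(merged.items()):
        by_cwe[cwe].append({"location": loc, "parameter": param,
                            "confirmed_by": sorted(tools)})
    return [{"title": f"Fix CWE-{cwe} ({len(inst)} instance(s))",
             "priority": "high" if any(len(i["confirmed_by"]) > 1 for i in inst) else "normal",
             "instances": inst} for cwe, inst in sorted(by_cwe.items())]
```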
Furthermore, a Web application firewall (WAF) blocks potentially threatening traffic while vulnerabilities are being fixed. The WAF and intrusion detection systems (IDS) make use of ThreadFix-generated "virtual patch" rules to isolate and block application attacks and reduce risk to applications while code-level fixes are in development.
"ThreadFix knows when new vulnerabilities show up and when they go away," Cornell said. He added that attack data is aggregated in defect management tools. The system also generates reports on how quickly defects are being fixed so teams can evaluate trends over time. "Organizations can start to have a quantitative conversation about their success and progress," he said.
Who can use ThreadFix
Cornell explained that both SMBs and large, Fortune 1000 organizations can use ThreadFix. Denim Group plans to accelerate features for large enterprises in the next couple of system releases. "ThreadFix brings efficiency and acceleration to fixing security vulnerabilities. It helps organizations make it a tractable problem they can approach in a systematic way rather than in an ad hoc manner," Cornell said.
Nather agreed that "just about any organization that is doing in-house or outsourced application development and application remediation" can use ThreadFix. "It fosters communication with outsourced developers, with third parties. I see it having widespread capability."
To learn more or to download ThreadFix, visit the Denim Group resource page.