Seeding Web Application Scanners with Attack Surface Data

We’ve talked previously on this blog about web application attack surface – why it is important to understand all of the URLs an application will respond to and all of the injection points where an application will “listen” for inputs that will impact its behavior. As part of the Phase 1 Hybrid Analysis Mapping (HAM) research we did for the…
Read the full post >>

Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts – they have code that runs on untrusted user devices, code running on corporate web services, and often also rely on…
Read the full post >>

ThreadFix 2.0M2 Now Available

The 2.0M2 builds for ThreadFix are now available. You can download:
- The main ThreadFix server
- Updated IDE and scanner plugins
This update includes a bunch of bug fixes, overall performance enhancements, and a handful of new features:
- Switch to JSON for all REST responses (Issue #100)
- Add ScanAgent support for AppScan Standard (Issue #130)
- Burp Suite Scanner Plugin (Issue #131)
- Improve Veracode-HAM interaction (Issue #137)
- Add…
Read the full post >>

Let’s Talk About Application Attack Surface

Have you ever wondered about your application’s attack surface? What URLs will respond to requests? And what HTTP methods will they respond to? And what parameters can be passed in? You probably think you know what is exposed but do you really? Why is this something you should even care about? I’d suggest a couple of reasons: Your attack surface is where…
Read the full post >>

ThreadFix 1.2 Released

The ThreadFix development team has been hard at work since our last official product release (v1.1) in March. We are excited to announce that 1.2 official is available for download. Please download and test drive today! Again, we encourage any and all feedback. Please report any bugs you might find (or cool feature requests) into our Google Code Issue Tracker. Today’s update…
Read the full post >>

ThreadFix 1.2 RC3 Now Available

The ThreadFix product development team has been hard at work since our ThreadFix 1.2 RC2 release in late July, and today we’ve made a 3rd 1.2 Release Candidate available for users and organizations to download and put through its paces. This update includes some great new features like file attachments, severity filtering, support for Dependency Check, and a ton of…
Read the full post >>

Press Coverage of ThreadFix and Hybrid Analysis Mapping (HAM)

We recently announced the SBIR Phase 1 contract we won with the Department of Homeland Security (DHS) to do research into Hybrid Analysis Mapping (HAM). This research is investigating better ways to integrate the results of static and dynamic security scanning tools and we are in the process of integrating this research into the ThreadFix open source application vulnerability management…
Read the full post >>

AppSecEU 2013: Do You Have a Scanner or a Scanning Program?

I just got back from OWASP AppSecEU in Hamburg, Germany and I have to say I had a great time. The conference was very well run, the talks were very interesting and I had the opportunity to both reconnect with and meet a lot of great folks. While I was there, I gave a talk titled “Do You Have a…
Read the full post >>

NTOSpider Support in ThreadFix, Getting the Most From Your Web Testing Results

Today we issued a press release with NTObjectives announcing ThreadFix’s support for importing DAST scanning results from their NTOSpider scanner. We’ve had a number of ThreadFix users asking for this and we’re thrilled to be able to announce it is now available. Also, NTObjectives’ co-CEO Dan Kuykendall and I recently had a great discussion with Dark Reading’s Ericka Chickowski talking about…
Read the full post >>

The PHP Protocol, Filters and Local File Inclusion

Andrew wrote up some notes for our internal blog about an experience he had on a recent Capture the Flag (CTF) event. I thought they were interesting so we talked and decided to republish them here. <Andrew> I came across an interesting twist on exploiting a PHP local file inclusion vulnerability while participating in a CTF. LFIs are the little sister vulnerability to…
Read the full post >>

DHS Funding Research for ThreadFix Hybrid Analysis Mapping (HAM)

We have been working on this for a couple of months now, but only recently got around to talking about it publicly. Denim Group was recently awarded a contract with the Department of Homeland Security (DHS) to do some research on Hybrid Analysis Mapping (HAM). Specifically, we are looking at merging the results of separate static and dynamic scans…
Read the full post >>

ThreadFix 1.2 RC2 Now Available

Earlier today we pushed up the binary downloads for ThreadFix 1.2RC2. Major changes include:
- Support for NTO Spider 6
- Added scan type auto-detection to the Command Line Interface (CLI)
- Added visual indicator to bug icon to indicate bug status
- Added “Import All” button to Remote Providers configuration page
- Various bug fixes and system enhancements
- Main ThreadFix code moved into threadfix-main/ subdirectory…
Read the full post >>