Security Snafu on ThreadFix: Don’t Code Your Own Vulnerability Management System

Recently Security Snafu took a look at ThreadFix and posted some thoughts. First I wanted to thank them for taking a look – we’re always thrilled to have folks work with ThreadFix and provide feedback. Also I wanted to emphasize a couple of things they mentioned:

  • If You’re Thinking About Rolling Your Own Application Vulnerability Management System: Don’t – This is something we’ve encountered over and over again as we’ve talked to different organizations in the course of developing ThreadFix. We have found so many home-grown, in-house vulnerability management solutions. What we typically see in these cases is that something got built to solve a specific need and then the project ballooned, resulting in a whole bunch of code that no one wants to maintain. We think ThreadFix is a great alternative in cases like this because it provides all the basics of importing and consolidating vulnerability results, is under active development and is freely available under the Mozilla Public License (MPL). Commercial support is available for organizations who are interested, so they don’t have to rely on tracking down internal resources that have probably moved on to other initiatives. This provides a much better base for most vulnerability management programs than a bunch of unmaintainable in-house code. And if you need special functionality, you can fork ThreadFix and build your in-house solution on it as a base (or have us do it for you). But before you do that, be sure to understand that…
  • ThreadFix’s API Makes It Possible To Integrate It With Your Processes – Every organization handles vulnerability management a little differently, and some handle it very differently. With ThreadFix we’ve tried to implement the basic workflows that we see over and over again, and we’ve provided a REST-based API that can be used to drive ThreadFix’s behavior and to integrate it with the wide variety of tools and processes that interact with organizations’ vulnerability management initiatives. Josh Sokol and I talked about this in our presentation “The Magic of Symbiotic Security” (take a look at the bottom of this post if you want to watch a video of this presentation). In addition to the REST API we also provide a command-line tool to simplify these integrations. With the combination of these facilities, it should be possible to integrate ThreadFix into your continuous integration builds, GRC system and so on.

Again – thanks to Security Snafu for taking a look at ThreadFix. We hope that having a resource like ThreadFix available will make organizations think twice before rolling their own vulnerability management solution. It covers the basics, can be extended and modified, and it is free. With commercial support available, what is not to like?

Contact us for help building your vulnerability management program with ThreadFix.

–Dan

dan _at_ denimgroup.com

@danielcornell

About dancornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan speaks at such international conferences as RSA, ROOTs in Norway and OWASP AppSec EU.
