DHS-Sponsored Research Can Help Secure Web Applications Faster
Denim Group, the leading secure software development company, today announced the release of ThreadFix 2.0, the first application vulnerability management product in the industry that can point to the exact line of source code responsible for an application vulnerability identified by a dynamic security scan. This new capability and ThreadFix’s new IDE (integrated development environment) plug-in bridge a challenging communications gap between security and software development teams and can dramatically simplify and accelerate the time-to-fix of critical application vulnerabilities.
Originally released in 2012, ThreadFix was one of the first products in the industry to provide a comprehensive and easy-to-understand view of the state of an organization’s software security. By aggregating multiple vulnerability test results into a centralized platform, ThreadFix automates the prioritization of the application’s vulnerabilities into a unified list that application security managers can further prioritize via a centralized dashboard. As the development team resolves defects, status updates are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm that security holes have indeed been closed. This can transform the application remediation process by improving and simplifying the collaboration between security and development teams.
HYBRID ANALYSIS MAPPING
ThreadFix 2.0 was enhanced with the support of a Department of Homeland Security (DHS) Hybrid Analysis Mapping research contract. As a result of this research, ThreadFix can now better combine and deduplicate the results of dynamic and static application security tests, which frequently use different labels for the same logical problem. The new technology creates a more accurate list of vulnerabilities, which can improve the overall state of software security within an organization.
PINPOINTS CODE DEFECT LOCATION FROM DYNAMIC SCANS
ThreadFix 2.0 can now take dynamic scanner reports and pinpoint exactly where vulnerabilities exist in application source code. To do this, ThreadFix leverages the application attack models that the newly created Hybrid Analysis Mapping engine builds, and maps the reported vulnerabilities back to the source code. ThreadFix 2.0 can also export this code location data into the developer’s Eclipse or IntelliJ Integrated Development Environment (IDE), which eliminates the vast amount of time previously spent manually searching for the offending line of code. ThreadFix provides contextually relevant information about exactly where the problem resides and what the problem is. By delivering this data while developers are working in their code editor, the time-to-fix for each vulnerability can be shortened dramatically.
“The ability to identify the line of code associated with dynamic testing is huge,” said Dan Cornell, Denim Group CTO. “Now security managers can provide better information to the developers who are the ones that actually fix the vulnerable code. This provides an organization with another important capability that is needed to resolve software vulnerabilities more quickly.”
MAKES DYNAMIC SCANNERS EVEN SMARTER
Another technology breakthrough that resulted from the Hybrid Analysis Mapping research improves the efficacy of dynamic scanners by identifying specific vulnerabilities which are not typically found by standard dynamic scanning crawls. The ThreadFix 2.0 platform accomplishes this by conducting a lightweight scan of an application’s source code to enumerate an application’s complete attack surface. The platform then exports the results of the scan back to the dynamic scanner, enabling that scanner to test “hidden” web pages and additional HTTP parameters that might have been missed in a typical dynamic scan. This new feature enables ThreadFix to improve the intelligence of dynamic scanners by feeding the scanner with additional threat model data, which in turn enables more comprehensive scans.
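The three Hybrid Analysis Mapping steps described above (enumerating the attack surface from source, mapping a dynamic finding back to a code location, and deduplicating it against a static finding that uses a different label) can be illustrated with a small model. This is an added example, not ThreadFix code; the Spring-style controller, the file name, the label table and both scanner findings are constructed for the illustration.

```python
import re
from collections import defaultdict
# Constructed sample controller (Spring-style annotations assumed); file name and code are made up.
SOURCE_FILE = "AccountController.java"
SOURCE = """\
public class AccountController {
    @RequestMapping("/account/search")
    public String search(@RequestParam("q") String q, @RequestParam("page") int page) {
        return dao.query("select * from acct where name = '" + q + "'");
    }
    @RequestMapping("/admin/export")
    public String export(@RequestParam("format") String fmt) {
        return exporter.run(fmt);
    }
}
"""
# Scanners label the same logical defect differently; normalise to a CWE id (constructed table).
LABELS = {"SQL Injection": "CWE-89", "sqli": "CWE-89", "CWE-89": "CWE-89"}
def enumerate_endpoints(src, filename):
    """Lightweight source scan: each @RequestMapping path -> its parameters and handler line.
    The resulting dict is the attack surface a dynamic scanner could be seeded with."""
    endpoints, lines = {}, src.splitlines()
    for i, line in enumerate(lines, 1):
        m = re.search(r'@RequestMapping\("([^"]+)"\)', line)
        if m and i < len(lines):  # the handler signature is on the next line in this sample
            params = re.findall(r'@RequestParam\("([^"]+)"\)', lines[i])
            endpoints[m.group(1)] = {"file": filename, "line": i + 1, "params": params}
    return endpoints
def endpoint_for_line(endpoints, filename, line):
    """Reverse lookup for static findings: the endpoint whose handler starts closest above the line."""
    hits = [(ep["line"], p) for p, ep in endpoints.items() if ep["file"] == filename and ep["line"] <= line]
    return max(hits)[1] if hits else None
def merge_findings(endpoints, dynamic, static):
    """Key every finding by (endpoint, CWE) so both scanners' reports of one defect collapse together."""
    merged = defaultdict(lambda: {"sources": set(), "where": None})
    for f in dynamic:  # dynamic hit -> code location via the endpoint model
        ep = endpoints.get(f["url"])
        if ep and f["param"] in ep["params"]:
            rec = merged[(f["url"], LABELS[f["type"]])]
            rec["sources"].add("dynamic"); rec["where"] = (ep["file"], ep["line"])
    for f in static:  # static hit -> endpoint via the handler that contains the line
        path = endpoint_for_line(endpoints, f["file"], f["line"])
        if path:
            rec = merged[(path, LABELS[f["type"]])]
            rec["sources"].add("static"); rec["where"] = (f["file"], f["line"])
    return dict(merged)
# Constructed findings: one dynamic and one static report of the same logical defect.
DYNAMIC = [{"url": "/account/search", "param": "q", "type": "SQL Injection"}]
STATIC = [{"file": SOURCE_FILE, "line": 4, "type": "CWE-89"}]
```

Running `merge_findings(enumerate_endpoints(SOURCE, SOURCE_FILE), DYNAMIC, STATIC)` yields a single entry for `/account/search` / CWE-89 seen by both scanners, with the static line (the exact code location) as the place to open in the IDE.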
“Hybrid Analysis Mapping technology can accelerate the discovery, identification and remediation of application vulnerabilities in order to better protect the software systems that power our nation’s critical infrastructure and e-commerce industries,” said Kevin E. Greene, Department of Homeland Security Science & Technology Cyber Security Division Program Manager. “This research has made substantial progress towards its core goal of bringing together the results of static and dynamic testing technologies which will help improve the tool coverage and provide better analysis results. In the long-term, this gives U.S. companies the capability to identify key weaknesses throughout the software development lifecycle which will help reduce the cost of software failures, the number of software-related breaches and the potential loss of confidential information which continues to occur with alarming frequency.”
ThreadFix 2.0 also offers another substantial new feature in the Enterprise edition: dynamic scan orchestration. By offering a central facility that stores scan configurations for a variety of vendor scanner technologies, ThreadFix enables application security professionals to schedule software testing using multiple dynamic scanners without the need for human intervention at every step of the process. This scan orchestration capability lets companies scale dynamic testing to more web applications, making it possible to automate the inspection of a company’s entire portfolio of applications for the first time in the industry, and to run those inspections on a more frequent, recurring basis.
THREADFIX 2.0 ENTERPRISE EDITION
To respond to customer demand, ThreadFix 2.0 Enterprise Edition is also now available. ThreadFix Enterprise Edition offers enhanced features for multi-user deployments in large organizations such as LDAP (Lightweight Directory Access Protocol) and AD (Active Directory) integration, as well as role-based access control to enforce separation of duties within organizations. ThreadFix 2.0 Enterprise Edition also provides enhanced vulnerability reporting to address specific compliance requirements and offers additional tech support. ThreadFix Community Edition, which is typically used by companies that have just a few applications under development, will remain an open source project and can be downloaded at http://www.threadfix.org/download. To learn more, visit http://www.threadfix.org or contact Denim Group email@example.com or at (844) 572-4400.
About Denim Group
Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, languages and applications. What makes Denim Group unique is that the company brings significant core competencies in software security to the table, offering an innovative blend of secure software development, testing and training capabilities that protect a company’s biggest asset, its data. Denim Group customers span an international client base of commercial and public sector organizations across the financial services, insurance, healthcare, education, government and defense industries. Its depth of experience building large-scale software development systems in a secure fashion has made the company’s leaders recognized experts in their fields. Denim Group has been recognized as one of the 5,000 Fastest Growing Companies by Inc. Magazine five years in a row, and has won multiple awards, including recognition as one of the best places to work in San Antonio. For more information about Denim Group visit www.denimgroup.com.