After more than two years in development we’re finally publicly releasing our ThreadFix open source application vulnerability management system. It is still pre-production, but it represents an almost complete rewrite from the “Technology Preview” version we released when it was still called “Vulnerability Manager.”
A more complete description of the system and its capabilities is:
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted while fixes are developed. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.
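To make the "aggregation and correlation" idea concrete, here is a small added example (not ThreadFix code, and not based on its importers or data model) that normalizes findings from two constructed scanner outputs, one static and one dynamic, into a common record, merges reports of the same defect, and produces the per-severity counts a trending report would plot. The scanner formats, the `src/` web-root mapping and the severity ranking are assumptions made up for the illustration.

```python
"""Added illustration of scan-result aggregation and correlation.
Not ThreadFix code: formats, paths and severities below are constructed."""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Finding:
    cwe: int         # CWE id reported by the tool
    path: str        # request path the defect is reachable at
    parameter: str   # input parameter involved ("" if none)
    severity: str    # "low", "medium" or "high"

# Constructed sample output in a made-up static-analysis format.
STATIC_RESULTS = [
    {"rule": "SQL Injection", "cwe": 89, "file": "src/login.jsp", "param": "username", "sev": "High"},
    {"rule": "XSS", "cwe": 79, "file": "src/search.jsp", "param": "q", "sev": "Medium"},
]
# Constructed sample output in a made-up dynamic-scanner format.
DYNAMIC_RESULTS = [
    {"name": "SQL Injection", "cwe": 89, "url": "http://app.example/login.jsp",
     "param": "username", "risk": "High"},
    {"name": "Cookie without HttpOnly", "cwe": 1004, "url": "http://app.example/",
     "param": "", "risk": "Low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}  # assumed ordering

def from_static(rec):
    # Assumption: the web root maps to the src/ directory, so a source file
    # path can be turned into the request path a dynamic scanner would see.
    path = "/" + rec["file"].removeprefix("src/")
    return Finding(rec["cwe"], path, rec["param"], rec["sev"].lower())

def from_dynamic(rec):
    # Dynamic tools report full URLs; keep only the path component.
    return Finding(rec["cwe"], urlparse(rec["url"]).path or "/", rec["param"], rec["risk"].lower())

def merge(scans):
    """scans: list of (source_name, iterable of Finding).
    The same (cwe, path, parameter) from different tools is one defect;
    the merged record keeps the highest severity and the set of sources."""
    merged = {}
    for source, findings in scans:
        for f in findings:
            key = (f.cwe, f.path, f.parameter)
            entry = merged.setdefault(key, {"severity": f.severity, "sources": set()})
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f.severity
            entry["sources"].add(source)
    return merged

def severity_counts(merged):
    """Per-severity totals, the figure a trending report tracks over time."""
    return Counter(entry["severity"] for entry in merged.values())

def aggregate_sample():
    return merge([
        ("static", map(from_static, STATIC_RESULTS)),
        ("dynamic", map(from_dynamic, DYNAMIC_RESULTS)),
    ])

if __name__ == "__main__":
    result = aggregate_sample()
    for key, entry in sorted(result.items()):
        print(key, entry)
    print(severity_counts(result))
```

The correlation key here is deliberately simple (CWE, path, parameter); a real aggregator also has to cope with tools that disagree on CWE granularity or report the same input under different parameter names, which is exactly why the importer stability mentioned later in this post matters.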
So what’s next? You can download ThreadFix here. The current beta is available as a pre-built Tomcat install (the final release will likely be a pre-configured virtual machine). Just unzip and run. During the beta period we will be looking to push new versions on a weekly basis. Also we have a “Getting Started” guide that runs through the major functionality as well as other documentation on the wiki to describe the different parts of the system.
There is still work to do – we need to improve the stability of the scan importers, we need to tighten up the security of parts of the system, and we need to build out the REST API. If you run into any issues using ThreadFix or if you have feature requests please use the online bug tracking system here or email me at the address listed below.
Also you can follow ThreadFix on Twitter: @threadfix
We’re tremendously excited to get this software released to a wider audience. Contact us if you are interested in learning more about using ThreadFix for application vulnerability management.
dan _at_ denimgroup.com