Security Snafu on ThreadFix: Don’t Code Your Own Vulnerability Management System

Recently Security Snafu took a look at ThreadFix and posted some thoughts. First I wanted to thank them for taking a look – we’re always thrilled to have folks work with ThreadFix and provide feedback. Also I wanted to emphasize a couple of things they mentioned:

  • If You’re Thinking About Rolling Your Own Application Vulnerability Management System: Don’t – This is something we’ve encountered over and over again as we’ve talked to different organizations in the course of developing ThreadFix. We have found so many home-grown, in-house vulnerability management solutions. What we typically see in these cases is that something got built to solve a specific need and then the project ballooned, resulting in a whole bunch of code that no one wants to maintain. We think ThreadFix is a great alternative in cases like this because it provides all the basics of importing and consolidating vulnerability results, is under active development and is freely available under the Mozilla Public License (MPL). Commercial support is available for organizations who are interested, so they don’t have to rely on tracking down internal resources that have probably moved on to other initiatives. This provides a much better base for most vulnerability management programs than a bunch of unmaintainable in-house code. And if you need special functionality, you can fork ThreadFix and build your in-house solution on it as a base (or have us do it for you). But before you do that, be sure to understand that…
  • ThreadFix’s API Makes It Possible To Integrate It With Your Processes – Every organization handles vulnerability management a little differently, and some handle it very differently. With ThreadFix we’ve tried to implement the basic workflows that we see over and over again, and we’ve provided a REST-based API that can be used to drive ThreadFix’s behavior and to integrate it with the wide variety of tools and processes that interact with organizations’ vulnerability management initiatives. Josh Sokol and I talked about this in our presentation “The Magic of Symbiotic Security” (take a look at the bottom of this post if you want to watch a video of this presentation). In addition to the REST API we also provide a command-line tool to simplify these integrations. With the combination of these facilities, it should be possible to integrate ThreadFix into your continuous integration builds, GRC system and so on.

Again – thanks to Security Snafu for taking a look at ThreadFix. We hope that having a resource like ThreadFix available will make organizations think twice before rolling their own vulnerability management solution. It covers the basics, can be extended and modified and it is free. With commercial support available what is not to like?

Contact us for help building your vulnerability management program with ThreadFix.


dan _at_


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

5 Responses to “Security Snafu on ThreadFix: Don’t Code Your Own Vulnerability Management System”


    Excellent article. I certainly appreciate this website. Keep writing!

  2. Raymundo

    Paragraph writing is also fun; if you are familiar with it then you can write, otherwise it is complex to write.


    I’m not sure why but this blog is loading very slow for me. Is anyone else having this issue or is it an issue on my end? I’ll check back later on and see if the problem still exists.

  4. home warranty policy

    Spot on with this write-up, I honestly believe this site needs far more attention. I’ll probably be returning to read more, thanks for the advice!

  5. Lake Tahoe real estate agents

    Does your website have a contact page? I’m having trouble locating it but, I’d like to send you an email. I’ve got some ideas for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it grow over time.
