John Dickson and I had a chance to catch up with Jack Daniel from the Uncommon Sense Security blog while we were at RSA a couple of weeks ago to talk about what we’ve been doing with ThreadFix. Jack took the time to write up a blog post about what we talked about (thanks!) and I wanted to highlight some points he made:
- When Jack mentions how he imagines organizations handling their application vulnerability management he uses phrases like “kludge” and “few spreadsheets tossed in”, and that lines up exactly with our experience. Developers don’t speak “PDF” and Microsoft Excel is a horrible tool for managing vulnerabilities, but that doesn’t mean organizations don’t try really hard to use those tools to manage their application-level vulns. A big driver behind us creating and releasing ThreadFix was to help organizations manage application vulnerabilities better by giving them the capability to get a handle on all of the vulnerability data coming from a variety of different sources – dynamic testing, code scanning, penetration tests and threat modeling. If you can’t even manage the inputs, you are not going to be able to actually get the vulnerabilities resolved.
- Jack also highlights what we think is one of the great strengths of ThreadFix, which is that it can be deployed in a way that fits pretty much any organization. It is freely available under an open source license, but also has commercial support options available. No budget for licensing? Not a problem – pull down a VM image, fire it up and post to the Google Group or the bug tracker if you have questions. Need more help or want to customize it for your environment? Great, we can help you do that too.
Again – many thanks to Jack for sitting down with us and for taking the time to look at ThreadFix and write up some thoughts. We’ve accomplished quite a bit with it so far and we’re really excited about some of the things we have coming up. Most organizations are still getting their minds wrapped around managing application-level vulnerabilities and we’re thrilled that ThreadFix is a tool many organizations are finding valuable to help get this critical process under control.
dan _at_ denimgroup.com
PS – Jack made another solid point about scheduling time to sit down at RSA. The big conferences are great because they attract so many folks, but schedules can get so crazy it really helped to get the important people we wanted to talk with actually on the calendar. That worked a lot better than leaving it up to chance.