ThreadFix Performance Benchmarking: 2.7.5

The major push that went into the 2.7.5 ThreadFix development effort was to increase performance and scalability. As ThreadFix deployment have become larger and as the shift to DevOps means that test results are coming more frequently, we needed to speed up results handling and address some page rendering issues that had cropped up in certain circumstances. For this release we focused in two areas: making scan ingestion faster and improving the render times for a couple of pages that were getting slow in large environments. Fortunately we have seen some great results. Our pre-release performance benchmarking provided the following results.

Two server configuration in AWS for ThreadFix 2.7.5 with MySQL:

  • 16 gig – 4 core Ubuntu for application server
  • 16 gig – 4 core Ubuntu for database serverrunning MySQL

We pre-loaded 500 applications with 500,000 vulnerabilities to establish a baseline of data. Then we uploaded a new 1000 vulnerability scan to each of the 500 applications. The run time to ingest all 500 scans was 39 minutes, or 12.8 scans/minute. Those represent scans with few/no changes versus the previous scan, but those are pretty typical in operational scenarios where subsequent scans only reflect a few new or remediated vulnerabilities.

In addition, we looked at the difference between page render times for certain key pages with the following results:

We’ve baked ever more performance updates into the upcoming 2.7.6 build – targeting improved render times for still more pages that were getting slow under certain conditions. In addition, we’re working to flesh out more performance testing scenarios so we can publish more information about the behavior to expect as well as options for tweaking performance in ThreadFix environments.

Contact us for more information about scaling your ThreadFix deployment.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *