Blog

Many applications have some form of external API that allows users to call actions or return information from outside of the UI. As the functionality of an application grows, the number of available API calls will likely (and will hopefully)... Read more…

The Task ThreadFix offers a command line interface jar to create teams, add applications, assign tags, search for vulnerabilities, and much, much more from the shell or command prompt. The number of actions available in the CLI has grown over... Read more…

Automation is a big theme of ThreadFix’s QA strategy, and almost nowhere is that more apparent than in our workflow for SCM (“source code management” for the purposes of this post). Background ThreadFix has three repositories that comprise the application... Read more…

ThreadFix has several modules, including one for Hybrid Analysis Mapping. Using HAM as a module provides us a good degree of flexibility in several areas: 1. Decoupling data types from ThreadFix allows database-free unit testing 2. The module can be... Read more…

SonarQube is “an open platform to manage code quality.” As security is certainly an aspect of code quality, we wrote a Sonar plugin to allow Sonar users to view ThreadFix security issues alongside results from other Sonar sensors. See Everything... Read more…

LASCON 2015 was last week and, as always, it was a great conference. Friday I had the opportunity to give a talk about the ThreadFix Ecosystem. It looks through a number of organizations we've had the opportunity to work with... Read more…

DevOps puts an intense focus on automation – taking humans out of the loop whenever possible to allow frequent, incremental updates to production systems. However, thorough application testing often has multiple components – much of this can be automated, but... Read more…

As part 2 of the Analyzing HAM series, this week I’ll try to summarize the main strategy behind HAM. Or, as one ThreadFix developer once referred to the HAM system, the Matrix. [caption id="attachment_2591" align="aligncenter" width="570"] Wake up, HAM data.[/caption] The... Read more…

This post will start a new series on ThreadFix’s Hybrid Analysis Mapping (HAM) library. Today I’ll cover the background on the SBIR contract, why ThreadFix was a good candidate for the program, and why HAM tastes so good in sandwiches.... Read more…

Thanks to everyone who attended our Secure DevOps with ThreadFix 2.3 webinar today and thanks to all the great ThreadFix contributors who help make it possible. Hopefully folks enjoyed the presentation, and I certainly enjoyed all the Q&A. An expanded... Read more…

The ThreadFix team has been hard at work to bring you the best of their efforts and those of the community via the ThreadFix Community Edition for application vulnerability management. We are excited to announce that the latest version is... Read more…

On July 29, 2015 at 11:30 AM CDT, learn more about the updates to ThreadFix and the new ways to integrate ThreadFix into your secure devops program. Click the Register Now button below to get signed up for the ThreadFix... Read more…