- What is ThreadFix?
ThreadFix is an application vulnerability management platform that provides a window into the state of your application security program and helps bridge the communications gap between security and software development teams. ThreadFix allows security teams to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using.
- How does vulnerability merging work?
Vulnerability data is normalized to an internal data format so that duplicate findings across static and dynamic application scans can be identified. For certain platforms we can also consolidate static and dynamic scan results using our Hybrid Analysis Mapping (HAM) technology. Our format uses the MITRE Common Weakness Enumeration (CWE) as its vulnerability type taxonomy, and also incorporates elements of the vulnerability's attack surface location (for dynamic findings) and/or its path through the source code (for static findings).
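The sketch below is an added illustration of this kind of normalization, not ThreadFix's own merging code. It maps each scanner's type name onto a CWE id, reduces a dynamic finding's URL to its path and a static finding's file reference to a canonical source path, and merges findings that share the same (CWE, location, parameter) key. The scanner names, type strings and findings are constructed for the example; a real integration would carry a per-tool CWE mapping table far larger than this one.

```python
from urllib.parse import urlsplit

# Each scanner names the same weakness differently; map (tool, type) to a CWE id.
# Constructed table for this example, not a real vendor mapping.
CWE_BY_TOOL_TYPE = {
    ("dast-a", "Cross Site Scripting (Reflected)"): 79,
    ("dast-b", "Reflected XSS"): 79,
    ("dast-a", "SQL Injection"): 89,
    ("sast-c", "Improper Neutralization of Input During Web Page Generation"): 79,
    ("sast-d", "XSS"): 79,
}


def normalize_url(url):
    """Reduce a URL to its path. Scheme, host, port, query string, fragment and
    a trailing slash do not change which code handles the request, so they are
    dropped. Path case is kept: servlet containers are case-sensitive."""
    path = urlsplit(url).path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def normalize_path(path):
    """Canonicalize a source file reference: forward slashes, no leading './'."""
    return path.replace("\\", "/").lstrip("./")


def finding_key(finding):
    """Build the merge key: (CWE, location, parameter).

    Unknown (tool, type) pairs raise rather than merge silently; a finding with
    no CWE mapping should be surfaced, not collapsed into the wrong bucket."""
    cwe = CWE_BY_TOOL_TYPE.get((finding["tool"], finding["type"]))
    if cwe is None:
        raise ValueError(f"no CWE mapping for {finding['tool']!r}/{finding['type']!r}")
    if "url" in finding:
        location = ("url", normalize_url(finding["url"]))
    else:
        location = ("file", normalize_path(finding["file"]))
    return (cwe, location, finding.get("param") or None)


def merge_findings(findings):
    """Group findings by key; each merged record remembers every tool that reported it."""
    merged = {}
    for f in findings:
        key = finding_key(f)
        entry = merged.setdefault(
            key, {"cwe": key[0], "location": key[1], "param": key[2], "sources": []}
        )
        entry["sources"].append(f["tool"])
    return list(merged.values())


# Constructed sample: two DAST tools and two SAST tools reporting on search.jsp.
SAMPLE_FINDINGS = [
    {"tool": "dast-a", "type": "Cross Site Scripting (Reflected)",
     "url": "https://app.example.com/search.jsp?q=1", "param": "q"},
    {"tool": "dast-b", "type": "Reflected XSS",
     "url": "http://app.example.com:8080/search.jsp/", "param": "q"},
    {"tool": "dast-a", "type": "Cross Site Scripting (Reflected)",
     "url": "https://app.example.com/search.jsp", "param": "sort"},
    {"tool": "sast-c", "type": "Improper Neutralization of Input During Web Page Generation",
     "file": "src/main/webapp/search.jsp", "line": 40, "param": "q"},
    {"tool": "sast-d", "type": "XSS",
     "file": ".\\src\\main\\webapp\\search.jsp", "line": 40, "param": "q"},
]

if __name__ == "__main__":
    for record in merge_findings(SAMPLE_FINDINGS):
        print(record)
```

Note what does and does not collapse: the two dynamic XSS findings on the `q` parameter become one record with two sources, the `sort` finding stays separate because it is a different parameter, and the two static findings merge with each other but not with the dynamic ones. Linking the static `search.jsp` path to the dynamic `/search.jsp` URL is exactly the step that needs an application model of the kind the HAM questions below describe.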
- What tools integrate with ThreadFix?
ThreadFix currently supports 20+ popular commercial and open source static, dynamic and interactive scanning technologies as well as major application security SaaS providers. The good news is we’re building new tool integrations all the time. If there’s a specific scanning tool, defect tracker or WAF that you’re looking to integrate with, please let us know.
- How is ThreadFix deployed?
ThreadFix is currently deployed as an on-premises web application. Most production installations use a MySQL database for scalability; see the database question below for other back-ends.
- Can ThreadFix really map dynamic scan results to code locations in IDEs?
You bet. Most commercial static analysis tools make Integrated Development Environment (IDE) plugins available to their users that can highlight the code location of vulnerabilities found by the scanner. This is easy because static analysis tools have ready access to source code (including filenames and line numbers). However, with the application models created by our Hybrid Analysis Mapping (HAM) engine, we can now take the application attack surface locations provided by dynamic scanners and map those back to code locations. Therefore we can link any vulnerability (static, dynamic or interactive) stored in ThreadFix to its code location in an IDE. ThreadFix currently integrates with IntelliJ IDEA, Visual Studio and Eclipse.
- Can ThreadFix pre-seed dynamic scanners?
Another interesting benefit of our Hybrid Analysis Mapping technology is that ThreadFix can perform lightweight static analysis of an application and use it to calculate the application’s entire attack surface. This helps scanners find more vulnerabilities by providing better coverage than a standard web application crawl. For example, this attack surface calculation can identify hidden landing pages and unused debug parameters that would be invisible to a scanner operating without this pre-seeded attack surface information. Currently ThreadFix plugins are available for OWASP ZAP and Burp Suite.
- What databases does ThreadFix work with?
Most production installations of ThreadFix use a MySQL database for scalability. Because ThreadFix uses Hibernate for data access, other database engines can also be supported. Please contact us if you are interested in running ThreadFix with another database back-end.
- What are ThreadFix’s system requirements?
ThreadFix currently runs on most modern Windows, Mac, and Linux platforms. It is a Java web application built on the Spring Framework and Hibernate, and requires Java 8 and Apache Tomcat 7 or 8 as the application server. A minimum of 20 GB of disk space and 8 GB of RAM is required (16 GB of RAM is recommended).
- How do I schedule a demo?
To schedule a demo, please contact Denim Group at (844) 847-3233 or submit the online form.
- What is Hybrid Analysis Mapping (HAM)?
Hybrid Analysis Mapping (HAM) enables ThreadFix to merge vulnerabilities from static application scans (SAST) with vulnerabilities from dynamic (DAST) and interactive (IAST) application scans. ThreadFix currently supports Hybrid Analysis Mapping for Java/JSP, Java/Spring, Java/Struts, ASP.NET MVC, and ASP.NET WebForms applications. Support for additional frameworks such as PHP and Ruby on Rails is planned for later this year. HAM technology in ThreadFix resulted from a project funded by the U.S. Department of Homeland Security’s (DHS) Small Business Innovation Research (SBIR) program.
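To make the three HAM questions above concrete (mapping a dynamic finding's URL to a code location, pre-seeding a scanner with the computed attack surface, and the framework-specific model behind both), here is an added, deliberately small illustration. It is not ThreadFix's HAM engine, which handles Java/JSP, Struts and ASP.NET as well; this one understands only Spring MVC annotation conventions, via regular expressions over a single controller source file. The controller source, file name and URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed Spring MVC controller. The /debug endpoint is reachable but never
# linked from a page, so a crawl-based scan would not find it.
SAMPLE_SOURCE = """\
package demo;

import org.springframework.web.bind.annotation.*;

@RequestMapping("/account")
public class AccountController {

    @GetMapping("/balance")
    public String balance(@RequestParam("id") String id) {
        return "balance";
    }

    @RequestMapping(value = "/transfer", method = RequestMethod.POST)
    public String transfer(@RequestParam String from, @RequestParam String to,
                           @RequestParam(name = "amount") int amount) {
        return "done";
    }

    // Not linked from any page, so a crawl never finds it.
    @GetMapping("/debug")
    public String debug(@RequestParam(value = "trace", required = false) String trace) {
        return "debug";
    }
}
"""

CLASS_MAPPING = re.compile(r'@RequestMapping\(\s*"([^"]*)"\s*\)\s*(?:public\s+)?class\b')
METHOD_MAPPING = re.compile(
    r'@(?P<kind>Get|Post|Put|Delete|Patch|Request)Mapping\((?P<args>[^)]*)\)\s*'
    r'public\s+[\w<>\[\]]+\s+(?P<name>\w+)\s*\((?P<params>.*?)\)\s*\{',
    re.DOTALL,
)
REQUEST_PARAM = re.compile(r'@RequestParam(?:\((?P<args>[^)]*)\))?\s+(?:final\s+)?[\w<>\[\]]+\s+(?P<var>\w+)')


def _join(base, path):
    parts = [p.strip("/") for p in (base, path) if p and p.strip("/")]
    return "/" + "/".join(parts)


def _param_name(args, var):
    """@RequestParam("id"), @RequestParam(name="x") or @RequestParam(value="x"); else the Java variable name."""
    if args:
        m = re.search(r'(?:value|name)\s*=\s*"([^"]*)"', args) or re.match(r'\s*"([^"]*)"', args)
        if m:
            return m.group(1)
    return var


def extract_endpoints(source, filename):
    """Build the attack-surface model: one record per handler method, with its
    URL, HTTP method, declared request parameters, and file:line of the handler."""
    cm = CLASS_MAPPING.search(source)
    base = cm.group(1) if cm else ""
    endpoints = []
    for m in METHOD_MAPPING.finditer(source):
        path_match = re.search(r'"([^"]*)"', m.group("args"))
        kind = m.group("kind")
        if kind == "Request":
            verb = re.search(r"RequestMethod\.(\w+)", m.group("args"))
            method = verb.group(1) if verb else "ANY"
        else:
            method = kind.upper()
        endpoints.append({
            "url": _join(base, path_match.group(1) if path_match else ""),
            "method": method,
            "params": [_param_name(p.group("args"), p.group("var"))
                       for p in REQUEST_PARAM.finditer(m.group("params"))],
            "file": filename,
            "line": source.count("\n", 0, m.start("name")) + 1,
            "handler": m.group("name"),
        })
    return endpoints


def seed_requests(endpoints):
    """Render the model as request lines to feed a scanner, so hidden pages and
    unused parameters are exercised instead of depending on the crawl."""
    lines = []
    for e in endpoints:
        query = "&".join(f"{p}=" for p in e["params"])
        if e["method"] in ("GET", "ANY"):
            lines.append(f"GET {e['url']}" + (f"?{query}" if query else ""))
        else:
            lines.append(f"{e['method']} {e['url']} body={query}")
    return lines


def map_finding_to_code(endpoints, url):
    """Resolve a dynamic finding's URL to the handler that serves it (the IDE link)."""
    path = urlsplit(url).path.rstrip("/") or "/"
    for e in endpoints:
        if e["url"] == path:
            return e
    return None


if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_SOURCE, "src/main/java/demo/AccountController.java")
    print("\n".join(seed_requests(eps)))
    print(map_finding_to_code(eps, "https://app.example.com/account/debug?trace=1"))
```

Two things the toy leaves out that a real engine must handle: path variables and wildcard mappings, which make the URL-to-handler match a pattern match rather than string equality, and parameters read outside annotations (`request.getParameter(...)`, form-backing beans), which is where most "unused debug parameters" actually live.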
Denim Group also offers professional services to help you customize ThreadFix to your organization’s unique requirements.
- What kinds of resources do you offer to help my organization get started using ThreadFix?
Please visit our online documentation to view our getting started guide, and environment setup instructions. We also offer a ThreadFix Kickstart program through which we can send our consultants onsite to expedite the setup and configuration of ThreadFix within your organization. At the end of the engagement, you will have a fully functional, production-ready deployment of ThreadFix. Please contact us for additional details or to obtain a quote.
- Can ThreadFix authenticate via LDAP or Active Directory?
Yes. ThreadFix Enterprise provides role-based user management and supports authentication via LDAP or Active Directory. Administrators control which tasks and data specific users can see: they can define roles and permissions that restrict a user's access to particular teams or applications and limit the types of tasks that user can perform in the system.
- How can I stay informed on latest ThreadFix news/development?
We’ll send you updates to let you know about product updates (new releases/bug fixes and enhancements) and product roadmap details, including planned features and integrations with new tools and technologies.
- What if I find a security issue?
We take the security of ThreadFix itself very seriously. Any security issue should be reported directly to the ThreadFix team, and it will be handled promptly.