I recently had the opportunity to speak at the 2014 OWASP MSP Day of Talks. It was fun – I always enjoy my opportunities to talk to the OWASP MSP crowd. They’ve got a great group up there and I can always expect a lot of smart questions.
I gave a detailed presentation and demo of recent developments in ThreadFix – especially some of the changes that have come about as ThreadFix has expanded from just being a web-based vulnerability management application to more of a platform with an ecosystem of related tools and plugins.
The talk was titled “Managing Your Application Security Program with the ThreadFix Ecosystem” and slides are available online:
The abstract of the talk is:
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
- Manage a risk-ranked application portfolio
- Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting
- Convert application vulnerabilities into software defects in developer issue tracking systems
- Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
- Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
- Map the results of DAST and SAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.
Contact us to talk about running your software security program on ThreadFix.