Applied ThreadFix: Application Portfolio Tracking


Asset management is a serious issue across the information security space. A very common challenge we see for organizations running an application security program is just getting an idea of what applications they have available and what infrastructure has been deployed to support them. You can’t protect attack surface that you don’t know about, so trying to run a successful program without at least a decent concept of what your portfolio’s attack surface looks like is a non-starter. Note that this isn’t even looking at all the challenges associated with vulnerability management – this is the problem you have to address before you get to start addressing the vulnerability management problem. The issue is something I had been talking a lot about a year or so ago, and I presented at a couple of conferences.

Fortunately, we have built some capabilities into ThreadFix that can help address this issue. ThreadFix licensing is tied to assets under management. However, this doesn’t mean any and all application assets loaded into the system count towards your license. Instead, only application assets where you are actively tracking results from scans, code reviews, or penetration tests. That means you can load up a ThreadFix installation with as many application assets as you’d like – but they only impact your licensing when you want to start tracking data for them.

With even a small ThreadFix deployment – license-wise – you can still track large portfolios of application assets and expand your deployment over time as your vulnerability management program – scanning and testing, triage, remediation – grows.

Tracking Application Assets in ThreadFix

So let’s look at what ThreadFix lets you track about the application assets in your portfolio. Below are some screenshots of the Create/Edit screen for applications. Most of the fields are both optional and self-explanatory, but we’ll call out a couple of fields that may be of particular interest.

It is worth looking at a couple of fields in particular:

  • Unique ID – This field is not required, but if used, allows you to enter a unique identifier for the application separate from the one that ThreadFix assigns. It is most frequently used as a foreign key to link applications in ThreadFix to applications being tracked in another IT asset management system.
  • Criticality – This field is required and allows you to enter a raw risk criticality for the application so you can focus on the applications and vulnerabilities that matter most.
  • Tag – Tags are one method for attaching metadata to applications that can be used for filtering and reporting. See below for some additional resources on how powerful tagging can be in ThreadFix.
  • Source Code Information – ThreadFix allows you to optionally attach application assets to their source code repositories. This supports more in-depth analysis with our Hybrid Analysis Mapping (HAM)
  • Metadata Values – In addition to the pre-configured fields that ThreadFix provides associated with applications, ThreadFix also allows you to define additional metadata fields. See below for some more information about configuring and using application metadata values.
  • IP Address Details – ThreadFix allows for the import of network and infrastructure scans from tools such as Tenable Nessus, Rapid7 Nexpose, and Qualys. The IP Address Details field allows ThreadFix users to optionally correlate between the application assets you are managing and the network and infrastructure assets that support those applications. This provides greater insight into an organization’s total security posture.

ThreadFix Tagging

Tags are a powerful way to attach metadata to ThreadFix application assets that feed into several other facilities such as reporting filters, and policies. You can review this video to see more information about how Tagging works in ThreadFix and how ThreadFix Tags can be best used in managing your application portfolio.

ThreadFix Application Metadata Values

Application Metadata values are a fine-grained way to attach additional information to applications in ThreadFix. Whereas application tags are somewhat structured and tie into other ThreadFix facilities, metadata values allow for much more free-form metadata to be associated with an application asset. Metadata field names are managed via the Metadata Keys option under the Customize menu.

Metadata field values for an application are managed via the application create/edit screens.


The ThreadFix platform – though licensed based on asset counts – only counts application assets where testing and scan results are being tracked. This allows users to manage an arbitrarily sized portfolio of application assets in ThreadFix, regardless of licensing. This, in turn, allows security teams to use ThreadFix as a simple configuration management database (CMDB) for application and network/infrastructure assets while they work toward getting all of these under active vulnerability management. If you don’t already have this in place – why not start accumulating this information in your ThreadFix deployment?

Contact us for more information about how to manage your application portfolio in ThreadFix.

[Deck of cards graphic from ]

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.