What You May Have Missed in the ThreadFix 2.2 Release


The engineering work was finished a couple of weeks ago, but the formal ThreadFix 2.2 release was announced today. Folks who came by our booth at the RSA conference this year could get a demo of all the great work the ThreadFix team has been doing for the past couple of months, and you can read the press release online.

Major updates in the 2.2 release include:

  • Support for new types of application vulnerability data – We have specifically added support for Interactive Application Security Testing (IAST) via our importer for Contrast Security. In addition, we’ve beefed up our support for Component Lifecycle Management (CLM) results via our importer for Sonatype.
  • Completely overhauled analytics and reporting – We started this process during the 2.1 development cycle, but we’ve now reworked every report to allow for fine-grained customization and the ability to save these customized filter settings. Combined with the application tagging capability added in 2.2, this lets ThreadFix answer far more sophisticated questions about your application security program than it could before.
  • Support for Governance, Risk and Compliance (GRC) system integration – Getting application vulnerability data into GRC systems is a critical step in getting application security an appropriate seat at the table when risk management decisions are being made. The 2.2 release supports ServiceNow’s GRC offering, with others currently underway.

In addition to these high-profile (read: press release worthy) items, we’ve also added some additional capabilities and components to the ThreadFix platform that I think are really interesting and bear further discussion:

  • SonarQube plugin – SonarQube is the way many development teams track code quality and technical debt for portfolios of applications. The ThreadFix SonarQube plugin is essentially a universal adapter that takes data from any security-testing tool ThreadFix supports and maps it into a SonarQube dashboard. This is very much in line with our mantra of “get information to developers in the tools they are already using.” In addition, we’ve embedded the Hybrid Analysis Mapping (HAM) technology directly in the plugin, so you can either send vulnerability data from a ThreadFix server to the SonarQube server or merge a set of scan files into a set of vulnerabilities and ship them to SonarQube without having to run a complete ThreadFix server environment.
  • Updated Portswigger BurpSuite and OWASP ZAP plugins – We cleaned up the user interfaces and user experiences of both plugins and we embedded the Hybrid Analysis Mapping (HAM) technology in the plugin itself – much like we did with the SonarQube plugin. That way application penetration testers can either pull application attack surface information from a ThreadFix server or they can just calculate it based on a local copy of the application source code. I think there are a lot more interesting things we can do to support source code-assisted application penetration testing – if folks have ideas please reach out and let us know.
  • SSVL Converter utility – We’ve been slowly evolving the Simple Software Vulnerability Language (SSVL) specification and we’re starting to see some more interest from vendors in supporting it. In addition, we’ve started tackling the problem of vulnerability and penetration test data that gets delivered in Excel spreadsheets. What this utility does is take an Excel spreadsheet or CSV file and convert it to a complete SSVL document that can then be uploaded into ThreadFix. So – if you have a bunch of lightly-structured vulnerability data from manual testing or some other source this is a solution to help push that data into ThreadFix for management.
  • Data Migration tool – We see a lot of ThreadFix installations that start out pretty informal (“Let me unzip the installation ZIP on my workstation and fire it up!”). These installations then need to get more “locked down” as the deployment progresses. To support folks who find themselves in this situation, we created a utility that migrates a ThreadFix installation from the default HSQL database – which is not meant for production use – to a MySQL database that is acceptable for production use.

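The SSVL Converter item above describes turning lightly structured spreadsheet findings into a structured document. The following is an added illustration of the normalization step that such a conversion has to do (required-column check, free-text severity mapping, numeric CWE validation, duplicate collapsing); it is not the ThreadFix utility's code and does not use the real SSVL schema. The column names, the severity scale, the output JSON layout, and the sample CSV rows are all assumptions constructed for the example.

```python
import csv
import io
import json
from typing import Dict, List

# Constructed sample input: the kind of lightly structured spreadsheet export a
# manual pentest might produce. Column names are assumed, not taken from the page
# or from the SSVL specification.
SAMPLE_CSV = """Title,Severity,Path,Parameter,CWE,Description
Reflected XSS in search,high,/search,q,79,Query string reflected unencoded
SQL injection in login,CRITICAL,/login,username,89,Boolean-based blind SQLi
Missing HSTS header,Info,/,,,No Strict-Transport-Security header
Reflected XSS in search,High,/search,q,79,Duplicate row from a second tester
"""

REQUIRED_COLUMNS = ("Title", "Severity", "Path")

# Spreadsheets use free-text severities; map the common spellings onto one fixed
# scale so the importer on the other side sees consistent values.
SEVERITY_MAP = {
    "critical": "Critical", "crit": "Critical",
    "high": "High",
    "medium": "Medium", "med": "Medium", "moderate": "Medium",
    "low": "Low",
    "info": "Info", "informational": "Info",
}


def normalize_severity(raw: str) -> str:
    """Map a free-text severity onto the fixed scale; reject unknown spellings
    rather than silently importing them as something else."""
    key = raw.strip().lower()
    if key not in SEVERITY_MAP:
        raise ValueError(f"unrecognised severity {raw!r}")
    return SEVERITY_MAP[key]


def convert_csv_to_findings(csv_text: str) -> Dict:
    """Parse a CSV export into a structured finding list.
    The output layout is an assumed stand-in, not the real SSVL document structure."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing required columns: {missing}")

    findings: List[Dict] = []
    seen = set()
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        title = row["Title"].strip()
        if not title:
            raise ValueError(f"row {row_number}: empty Title")
        path = row["Path"].strip() or "/"
        parameter = (row.get("Parameter") or "").strip()
        cwe = (row.get("CWE") or "").strip()

        # Collapse exact duplicates (same issue at the same location) that two
        # testers both logged, so the same vulnerability is not imported twice.
        key = (title.lower(), path, parameter)
        if key in seen:
            continue
        seen.add(key)

        finding = {
            "title": title,
            "severity": normalize_severity(row["Severity"]),
            "location": {"path": path, "parameter": parameter or None},
            "description": (row.get("Description") or "").strip(),
        }
        if cwe:
            if not cwe.isdigit():
                raise ValueError(f"row {row_number}: CWE must be numeric, got {cwe!r}")
            finding["cwe"] = int(cwe)
        findings.append(finding)

    return {"source": "manual-testing-spreadsheet", "findings": findings}


def convert_csv_to_json(csv_text: str) -> str:
    """Serialize the normalized findings as an indented JSON document."""
    return json.dumps(convert_csv_to_findings(csv_text), indent=2)


if __name__ == "__main__":
    print(convert_csv_to_json(SAMPLE_CSV))
```

Run against the constructed sample, the four rows become three findings: the duplicate XSS row is dropped, the mixed-case severities collapse onto one scale, and the HSTS row keeps an empty parameter and no CWE rather than a bogus zero. Whatever the target format, rejecting unknown severities and non-numeric CWEs at conversion time is preferable to discovering them as mis-classified vulnerabilities after import.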
The cool thing about these supplemental tools is that they stem directly from requests from the ThreadFix community and ThreadFix Enterprise customers. It has been really gratifying to see this community grow and evolve and we will be posting some more specific examples of what different organizations are doing with ThreadFix in the coming weeks. In the meantime – check out ThreadFix 2.2 and contact us if you’d like to talk more about getting control of your application security program with ThreadFix.

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.