NTOSpider Support in ThreadFix, Getting the Most From Your Web Testing Results

Today we issued a press release with NTObjectives announcing ThreadFix’s support for importing DAST scanning results from their NTOSpider scanner. A number of ThreadFix users have been asking for this, and we’re thrilled to announce that it is now available.

Also, NTObjectives’ co-CEO Dan Kuykendall and I recently had a great discussion with Dark Reading’s Ericka Chickowski about ways to get the most value out of your web application testing activities. Here’s a quick preview:

  1. View Vulnerabilities as Software Defects
  2. Make Defect Information Available in Existing Developer Tools
  3. Package Defects for Less Development Administrative Time
  4. Offer Guidance Along with the Submitted Defect
  5. Center Scanning Around Process, Not Product

That was a fun conversation that exposed some actionable next steps, and you can read our full discussion online.

Also, the full text of the release describing the ThreadFix/NTOSpider integration is below:

Denim Group, the leading secure software development company, and NT OBJECTives (NTO), a leading provider of automated, comprehensive and accurate web application security software and services, today announced their alliance to provide enterprise customers with a comprehensive dynamic vulnerability management solution for web and mobile applications. Denim Group’s ThreadFix application vulnerability management platform is now able to import the results from NTO’s application scanner, enabling organizations to compare and analyze the results of other testing efforts and have a more complete picture of the results of their application security testing program.

“NTO is doing some very interesting things with their scanning technology, particularly related to testing for thick client applications and web services,” said Denim Group CTO Dan Cornell. “By building the connector with ThreadFix, NTOSpider users can now import the results of their scanning efforts and manage them alongside static analysis or manual testing results to get a deeper understanding of where their application vulnerabilities lie.”

NTOSpider’s dynamic application security testing (DAST) engine allows companies to test mobile and web applications built with the newest programming technologies like REST, AJAX, JSON and GWT. Prior to NTOSpider, this testing had to be done manually. NTOSpider offers a repeatable, rapid, and comprehensive automated application security testing solution that now frees up security analysts to spend more time on other activities that must be done to properly secure software. NTOSpider offers more comprehensive application coverage combined with sophisticated attack methodologies as well as high rates for eliminating false positive and false negative findings. This makes the scanner an important weapon in the security team’s arsenal for speeding up time to market.

“Application security teams can now use the efficiency of both ThreadFix and NTO Spider to analyze test results faster, creating a holistic view of the corporation’s security posture that reduces the risk of damage to the company’s intellectual property, data, and web applications,” said Dan Kuykendall, NT OBJECTives co-CEO. “ThreadFix users benefit from this integration and can now consolidate the results of other testing activities to provide a full view of these efforts.”

Typically, an organization’s security team uses a combination of dynamic and static scanners as well as manual testing to identify potentially thousands of vulnerabilities in applications. In the past, these disparate results were typically managed haphazardly in Excel spreadsheets used to track the status of each vulnerability. ThreadFix simplifies this process by importing dynamic, static and manual testing results into a centralized console that removes duplicate findings across testing platforms, resulting in a prioritized security vulnerability list for each application. Unlike infrastructure security problems inside an organization, application vulnerabilities can only be fixed by software development teams. To enable this cooperation, ThreadFix exports its prioritized security vulnerability list into the defect trackers already used by development teams, translating vulnerabilities into software defects and essentially injecting these security tasks into the developer’s regular workflow. By acting as a crucial link between the security and development teams, ThreadFix creates meaningful and productive two-way communication that dramatically streamlines and accelerates the application vulnerability resolution process. The result is that with ThreadFix, application vulnerabilities get fixed faster, reducing software risk and protecting corporate assets.
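To make the workflow described above concrete, here is an added illustration (not ThreadFix’s or NTOSpider’s own code) of merging dynamic, static and manual findings into one de-duplicated, prioritized list per application and packaging each unique finding as a defect-tracker ticket with guidance attached. The sample results, field names and the matching rule (same application, CWE, endpoint path and parameter) are all assumptions constructed for the example; real tools and products use their own formats and correlation logic.

```python
"""Illustrative merge and de-duplication of application security findings.

Added example with constructed data; the matching rule below is an assumption,
not the actual correlation logic of any product mentioned on this page."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample output from three sources (field names are invented).
DAST_RESULTS = [  # dynamic scanner: reports a URL and the HTTP parameter
    {"app": "storefront", "cwe": 79, "url": "https://shop.example/search/", "param": "q", "sev": "medium"},
    {"app": "storefront", "cwe": 89, "url": "https://shop.example/login", "param": "user", "sev": "critical"},
]
SAST_RESULTS = [  # static scanner; assumes the tool already mapped the sink to an endpoint
    {"app": "storefront", "cwe": 79, "endpoint": "/search", "param": "Q", "sev": "high", "file": "SearchServlet.java"},
    {"app": "storefront", "cwe": 22, "endpoint": "/download", "param": "file", "sev": "high", "file": "Download.java"},
]
MANUAL_RESULTS = [  # findings entered by hand from a manual test
    {"app": "storefront", "cwe": 89, "endpoint": "/login", "param": "user", "sev": "high"},
]

# Short remediation guidance shipped with each ticket so the developer gets context.
GUIDANCE = {
    79: "Encode output for the HTML context it lands in; validate input on the server.",
    89: "Use parameterized queries; never build SQL from request data.",
    22: "Resolve the requested path and reject anything outside the allowed directory.",
}


@dataclass
class Finding:
    app: str
    cwe: int
    path: str          # normalized endpoint path
    param: str         # normalized parameter name
    severity: str
    sources: list = field(default_factory=list)  # which tools/tests reported it
    detail: list = field(default_factory=list)   # extra context, e.g. source file

    def key(self):
        """Assumed de-duplication key: same app, weakness, endpoint and parameter."""
        return (self.app, self.cwe, self.path, self.param)


def norm_path(path):
    # Treat "/search/" and "/Search" as the same endpoint.
    return "/" + path.strip("/").lower()


def normalize(source, rows):
    """Translate one tool's raw records into the common Finding schema."""
    out = []
    for r in rows:
        path = urlparse(r["url"]).path if "url" in r else r["endpoint"]
        f = Finding(r["app"], r["cwe"], norm_path(path), r["param"].lower(), r["sev"], [source])
        if "file" in r:
            f.detail.append(f"{source}: {r['file']}")
        out.append(f)
    return out


def merge(findings):
    """Collapse duplicates across sources; keep the highest severity and all sources."""
    merged = {}
    for f in findings:
        k = f.key()
        if k not in merged:
            merged[k] = f
            continue
        m = merged[k]
        m.sources = sorted(set(m.sources) | set(f.sources))
        m.detail.extend(f.detail)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    # Prioritize: highest severity first, then findings confirmed by more sources.
    return sorted(merged.values(),
                  key=lambda x: (-SEVERITY_RANK[x.severity], -len(x.sources), x.path))


def build_defects(findings):
    """One ticket per unique finding, grouped per application for the defect tracker."""
    tickets = defaultdict(list)
    for f in findings:
        tickets[f.app].append({
            "title": f"CWE-{f.cwe} at {f.path} (parameter '{f.param}')",
            "priority": f.severity,
            "confirmed_by": f.sources,
            "guidance": GUIDANCE.get(f.cwe, "See the CWE entry for remediation guidance."),
            "notes": f.detail,
        })
    return dict(tickets)


def run():
    """Five raw records from three sources become three unique, prioritized findings."""
    raw = (normalize("ntospider-dast", DAST_RESULTS)
           + normalize("sast", SAST_RESULTS)
           + normalize("manual", MANUAL_RESULTS))
    return merge(raw)


if __name__ == "__main__":
    for app, tickets in build_defects(run()).items():
        for t in tickets:
            print(app, t["priority"], t["title"], t["confirmed_by"])
```

The point of the common schema is that every source, whatever its native format, is reduced to the same handful of fields before comparison, which is what makes cross-tool de-duplication and a single priority order possible; the guidance attached to each ticket is what lets a developer act on the defect without first having to interpret raw scanner output.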

Contact NTObjectives to learn more about NTOSpider and contact us to talk about ways you can use ThreadFix and NTOSpider together.


dan _at_ denimgroup.com


About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.