Please Stop Managing Vulnerabilities in Excel Spreadsheets

July 14, 2020

This blog has been updated with new information for 2020.

Do your best Excel users work in application security? Are you trying to manage thousands of vulnerabilities across hundreds of applications in an increasingly elaborate series of Excel spreadsheets? Most companies are using multiple scanning technologies as well as a variety of manual testing practices and need to have a single view into current open vulnerabilities as well as the ability to report on resolution performance. Excel is a wonderful tool, but it doesn’t always scale. Or, more correctly, application vulnerability management programs can’t scale if they’re based on Excel.

Why not?

Merging the results of different reports to de-duplicate vulnerabilities must be done manually and it is time-consuming and error-prone
Comparing incremental scans from the same scanner to identify when vulnerabilities appear, disappear and reappear has to be done manually as well
Excel only tracks data for a single point in time and doesn’t maintain a usable version history that can be used for reporting. If you want to track when vulnerability states change you have to do it manually. You might be able to keep track of different versions if you store the spreadsheets in SharePoint or a similar system, but that isn’t really a solution.
And so on…

So what is to be done? As an industry we need to get better. Folks need to start looking for ways to mature their application vulnerability management practices. And that doesn’t just mean adopting more advanced tools and methods to find vulnerabilities; it also means adopting more tools and practices to manage them to resolution.

That’s why we released ThreadFix. ThreadFix helps address these pain points by:

Managing all of your development teams and applications in a single, centralized location
Importing vulnerability data from a variety of sources – static scanners, dynamic scanners, SaaS providers – into a vendor-independent data format and merging/de-duping those vulnerabilities into a single, unified list
Tracking the results of scanning over time so that you can run reports on the types of vulnerabilities you’re identifying, which vulnerabilities have been addressed and how long they take to fix.

And the best part about it? It’s free – it is available under the Mozilla Public License and you can download it from Google Code.

Having all of this done across various scanning methods in an automated and tracked manner frees up security analysts to do what they ought to be doing – helping development teams to get the right vulnerabilities addressed as quickly as possible and working with those same teams so they don’t introduce new vulnerabilities into their applications.

Here are a couple of screenshots – compare using ThreadFix with trying to sort this problem out in Excel.

Please stop managing vulnerabilities in excel_screen shot_201001at9_1

When you first log in to ThreadFix you see a list of the teams in your organization who are building and fielding software systems. You can also see a summary of the apps managed by each team and currently-open vulnerabilities.

Please stop managing vulnerabilities in excel_screen shot_201001at9_2

When you drill into a specific team you can see all of the applications managed by that team as well as some metadata such as where the application is hosted, its risk-ranking and a view into the current set of open vulnerabilities.

Please stop managing vulnerabilities in excel_screen shot_201001at9_3

When you look at a specific application you can see all of the open vulnerabilities as well as whether or not they’ve been packaged into a software defect and if they have had virtual patches generated. As has been mentioned before, ThreadFix can import and normalize the results from a bunch of static scanners, dynamic scanners and SaaS scanning services so this gives you a single unified list across your entire portfolio.

Please stop managing vulnerabilities in excel_screen shot_201001at9_4

Looking at a specific vulnerability you can see all of the different scanners that have found this vulnerability, when it was found and other useful tracking info. If you’re using Excel to manually merge the results of different scanning tools you’ll really enjoy ThreadFix’s automagic vulnerability merge functionality – it should be a huge timesaver.

Please stop managing vulnerabilities in excel_screen shot_201001at9_5

And because all of the scans are tracked inside of ThreadFix you can start to collect metrics on your software security program for free. What vulnerabilities are prevalent for a specific team or application? How long does it take to fix these vulnerabilities? What percentage of the identified vulnerabilities have you actually fixed? Let’s see Excel do that!

If this sounds helpful, pull down ThreadFix and take it for a spin. Here are a couple of useful links:

Updated 7/14/20:

Well it has been almost eight years since I originally made this blog post and a lot of things have changed:

ThreadFix now does even better supporting application security teams by importing Software Composition Analysis (SCA) results for open source libraries with vulnerabilities as well as providing direct support for application penetration testing teams.
ThreadFix now allows you to import the results of network and infrastructure security scanners like Nessus, Nexpose, and Qualys – and it allows you to correlate between applications and the infrastructure supporting those applications
DevSecOps teams are aggressively looking to “shift left” and incorporate security testing into CI/CD pipelines, and ThreadFix makes this easy to do via our Jenkins plugin and CI/CD pass/fail policies.
ThreadFix is unfortunately no longer open source. The code is still online but we stopped maintaining it a while ago. This was a tough decision but was necessary given the costs of maintaining the development team.

One thing that hasn’t changed? Too many organizations we talk to are still trying to run their vulnerability management programs on Excel spreadsheets! Doing this for a handful of applications and developers would be a mess. Trying to do it for tens, hundreds, or thousands of applications is a disaster. Application security is a problem that is never going to be “solved,” but teams can make progress and meaningfully impact the security of the software they are releasing for the better, but only if they take a programmatic view of the problem and arm themselves with the tools and automation needed to scale.

–Dan

dan _at_ denimgroup.com

@danielcornell

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Please Stop Managing Vulnerabilities in Excel Spreadsheets

About Dan Cornell

Recent Posts

AppSec Bites: What Opportunities Does Remote Working Create for AppSec Teams? (Part 3)

AppSec Bites: Top 3 Things to Consider When Maturing Your AppSec Programs (Part 2)

AppSec Bites: A Podcast on Balancing Speed and Thorough AppSec Coverage (Part 1)

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

ThreadFix Filters Tutorial

Resources Archives

Media Inquiries

Press Resources

Have a Question?