Secure DevOps with ThreadFix 2.3
Thanks to everyone who attended our Secure DevOps with ThreadFix 2.3 webinar today and thanks to all the great ThreadFix contributors who help make it possible. Hopefully folks enjoyed the presentation, and I certainly enjoyed all the Q&A.
An expanded set of slides and a recording of the presentation can be found here:
In addition to the material in the slides, there were some great issues brought up during the Q&A. I wanted to address a subset of those here – so here we go:
How Can ThreadFix Handle Results From Currently Unsupported Dynamic Scanning Engines?
Firstly – if you are interested in seeing support for a new scanning technology, you can contact the ThreadFix team and we will take a look. If you are interested in building support for a new scanner on your own, we have documentation available as well as sample source code:
- For a file-based uploader, check out our Scanner Plugin Development page
- For pulling data from a network-based source of vulnerability data, check out our Remote Provider Plugin Development page
How Does the Correlation Process for Different Scan Engines Work?
At the moment, these documents are a bit out of date, but should provide a baseline understanding of how the merge process works. We have:
- Vulnerability Merging for details on DAST-DAST and SAST-SAST merging
- HAM Merging Process for details on our DAST-SAST merging via Hybrid Analysis Mapping (HAM)
What Services Are Available for ThreadFix?
Check out our online documentation for the ThreadFix enablement services that Denim Group provides.
When Will Some of the New Functionality Discussed In This Webinar Be Available?
ThreadFix 2.3 should be released in the September-ish time frame. In the meantime, we will be releasing milestone and RC builds, and those should start shortly (within the next week or so). Keep an eye on this blog, the ThreadFix Google Group, and the @ThreadFix Twitter account.
Contact us for help putting application security into your DevOps pipeline.