ThreadFix 2.7: Strengthening Your Security Profile with On-Demand Services

Now that ThreadFix 2.7 is available, we wanted to expand on our previous post with more specifics about what has been added to the platform for this release.

Quick Check Assessments Delivered via ThreadFix

ThreadFix has just increased your access to both capacity and expertise by putting Denim Group’s world class Application Testing team at your fingertips. Request application assessments directly from ThreadFix and have the results automatically delivered when available. Specially privileged users can provide details about the applications they would like assessed and have those sent directly to Denim Group for processing and assignment. Once received, your teams will receive status updates within ThreadFix indicating where in the assessment process we are. Once completed, the assessment results will be sent directly into your ThreadFix deployment to be processed like any other scan result. You’ll see our results alongside all the scan history for your application. For existing ThreadFix users, access to this capability will require contacting your sales consultant for a new license file.

Application Risk Ranking

ThreadFix now provides a new way of organizing your applications in addition to the “Team” grouping we’ve always provided. With the 2.7 release, applications can optionally be grouped by relative risk to your organization, allowing your team to focus assessment and triaging efforts on the highest-risk applications first. We use information about your applications, such as the quantity and severity of vulnerabilities, time since the last scan, and custom metadata you provide, to determine an inherent relative risk within your broader portfolio.

CVE Filtering

While ThreadFix has always focused a portion of its reporting on the classification of application vulnerability types as described by MITRE’s Common Weakness Enumeration (CWE) list, many of the tools we integrate with report specific vulnerability instances that appear on MITRE’s Common Vulnerabilities and Exposures (CVE) list. With 2.7, ThreadFix now allows you to filter on CVEs specifically and target specific exploits for remediation.

Deeper Filter Policy Evaluation Support

Filter policies are now evaluated for a much wider variety of user activity, giving a much more up-to-date policy status based on activity within ThreadFix. Always know where your applications stand with regard to your organization’s requirements for security compliance.

New Vulnerability Statuses

ThreadFix now allows users or scanners to mark vulnerabilities with additional statuses beyond the “False Positive” and “Hidden” values that have long been available. Vulnerabilities can now be labeled “Exploitable”, “Contested”, and “Verified”, with updated filtering and API support for those new statuses. The filtering has also been made more flexible, so you can find the exact combination of vulnerability statuses you care about.

ThreadFix 2.7

We have always believed organizations are strongest when they focus on maximizing the value of their teams by allowing them to execute on their core competencies. This belief is what led us to create ThreadFix almost 10 years ago. With our automated vulnerability merging and de-duplication, automated developer defect tracker issue creation, and automated reporting and policy evaluation, we’ve taken huge strides in freeing up security testing teams to focus on what they do best.
Now with ThreadFix 2.7, we take this one very large step further by enabling our customers to leverage Denim Group’s almost two decades of application and information security assessment expertise directly in our platform. Getting an assessment performed on a high-risk application doesn’t have to take your team away from developing your organization’s security strategy, building security architecture around CI/CD pipelines, or working with your development teams on training or threat modeling. Our assessment teams give you the scale and expertise you need to focus your team where they’re needed most. Contact us to talk more about how you can take advantage of the ThreadFix platform to build your ideal application security program.

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.