The 2.7 release of ThreadFix should be available in late October – not too long after Security Summer Camp in Vegas. If you’re going to be at BlackHat and want a sneak preview, reach out and let us know. We will get you a demo and an invite to our happy hour.
There are two big things in the 2.7 release, and both are geared toward one goal: letting you decide what you don’t want to do for your application security program and what you do want to do. Freedom of choice – a beautiful thing. So what’s actually new in ThreadFix 2.7?
Portfolio Risk View
We’ve reworked the entire team/application view to center it around risk management. How critical is the application? How bad are the vulnerabilities that are currently open? When was the last time you ran a scan or an actual assessment? Which vulnerabilities should you fix first? All of these factors feed into a risk-centric view of your application portfolio so you can quickly identify your most serious issues and your most glaring blind spots.
Service Delivery via ThreadFix
And now we come to what I think is the important (cool) part of all of this – when you want stuff done in your application security program you can just assign it off to Denim Group. Bought a bunch of Fortify but don’t want to run it? Send it to Denim Group. Need to get some DAST scans run but haven’t bothered to purchase a scanner? Assign it over to Denim Group. Need to get lightweight manual testing done across your application portfolio? You are just a couple of clicks away from having that sorted out. ThreadFix 2.7 lets you turn over work to Denim Group in a seamless and easy manner and the results just flow into your ThreadFix instance. Too many organizations deal with friction trying to get assessments completed – with ThreadFix 2.7 you get on-demand testing and application vulnerability resolution in the same unified platform. What could be easier than that?
What Does All This Mean?
What this means is that you have the freedom to easily craft the application security program you want. You can make both strategic and tactical decisions about how you want to run your program. Testing is usually the easiest and most understandable thing to outsource. This gives you the viable option to outsource components of your program – assessments and source code review – freeing you up to focus on the “higher order appsec math,” namely the things that only you and your appsec team can do within your organization. This includes developing strategy, interacting with your executives to get buy-in on managing software risk, developing security architecture around CI/CD pipelines, and working with development teams to threat model their new applications. With ThreadFix 2.7 we meet security teams where they are and help them get to where they want to be. Application security programs aren’t “one size fits all.” They vary based on the organization, its structure, its culture, its strategy, and any number of other factors. With ThreadFix 2.7 Denim Group provides the flexibility and capability so that any organization can tune its program for maximum effectiveness. So – what cha want to do? ThreadFix 2.7 lets you decide. Contact us to talk more.
About Dan Cornell
A globally recognized application security expert and the creator of ThreadFix, Dan Cornell has 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.