ThreadFix 3.0: a New Look, a New Architecture, and Unified Vulnerability Management

In our previous post, we teased some of the new capabilities and updates coming with the release of ThreadFix 3.0.  Dan provided some technical details about what we’ve been doing under the hood; now that the launch is officially here, let’s take a quick look at what it means for you.

User Interface Reimagined

Debuting initially on the infrastructure vulnerability management components of our application, ThreadFix has a new look and feel which represents our future direction for all features of the product.  

The new front end was built with scalability and responsiveness in mind, leveraging Elasticsearch to display complex reports over enterprise-sized data sets in real time.

Infrastructure Vulnerability Management

ThreadFix now (finally!) officially and specifically manages infrastructure vulnerabilities as first-class citizens within the product. Scan results from Tenable Nessus, Qualys Cloud Platform, and Rapid7 InsightVM and Nexpose are all now natively managed by ThreadFix. Organize your infrastructure into networks, dynamically create assets and vulnerability data through scan upload, and report on your infrastructure risk.

Unified Vulnerability Management

Now that infrastructure vulnerabilities are fully managed within ThreadFix, we are able to launch the first of many visualizations, one that lets you report on the vulnerability exposure of a given application in the context of the vulnerabilities present on the infrastructure that application runs on. Applications can be correlated with the infrastructure assets that support them, either through the user interface or through the API in conjunction with your configuration management database (CMDB). These asset correlations give you a comprehensive view of the vulnerabilities and weaknesses in both your applications and the infrastructure underneath them.
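To make the correlation idea concrete, here is an added, illustrative example that is not ThreadFix code and does not use the ThreadFix API. It assumes a constructed CMDB export that maps each application to the assets hosting it, plus constructed application-layer and infrastructure findings (the scanner names and finding titles are sample values). It also folds in the deduplication step the page mentions, collapsing the same issue reported by two scanners on one asset, and then produces a unified exposure view per application:

```python
"""Illustrative application-to-asset correlation for a unified exposure view.

Added example, not ThreadFix code: the data model, the CMDB mapping and the
scan findings below are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Rank used to pick the worst severity when merging duplicate findings
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    source: str      # scanner that reported it (constructed names)
    target: str      # application name, or infrastructure asset (IP/hostname)
    title: str
    severity: str


# Constructed sample: application-layer findings
APP_FINDINGS = [
    Finding("dast", "payments-web", "SQL Injection in /login", "Critical"),
    Finding("sast", "payments-web", "Hard-coded credential", "High"),
    Finding("dast", "hr-portal", "Reflected XSS", "Medium"),
]

# Constructed sample: infrastructure findings from several network scanners
INFRA_FINDINGS = [
    Finding("nessus", "10.0.1.10", "Outdated TLS configuration", "Medium"),
    Finding("qualys", "10.0.1.10", "Outdated TLS configuration", "Medium"),  # same issue, second scanner
    Finding("nessus", "10.0.1.11", "Unpatched kernel", "High"),
    Finding("insightvm", "10.0.2.5", "Default SNMP community", "Low"),
]

# Constructed CMDB export: which assets host which application
CMDB_APP_TO_ASSETS = {
    "payments-web": {"10.0.1.10", "10.0.1.11"},
    "hr-portal": {"10.0.2.5"},
}


def dedupe(findings):
    """Collapse findings several scanners reported for the same target and title,
    keeping the highest severity seen."""
    merged = {}
    for f in findings:
        key = (f.target, f.title)
        if key not in merged or SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[merged[key].severity]:
            merged[key] = f
    return list(merged.values())


def unified_exposure(app, app_findings, infra_findings, cmdb):
    """Return the application's own findings plus those inherited from the
    assets the CMDB says it runs on."""
    assets = cmdb.get(app, set())
    own = [f for f in dedupe(app_findings) if f.target == app]
    inherited = [f for f in dedupe(infra_findings) if f.target in assets]
    combined = own + inherited
    highest = max((f.severity for f in combined),
                  key=SEVERITY_ORDER.__getitem__, default=None)
    return {
        "application": app,
        "assets": sorted(assets),
        "application_findings": len(own),
        "infrastructure_findings": len(inherited),
        "by_severity": dict(Counter(f.severity for f in combined)),
        "highest_severity": highest,
    }


def exposure_report(apps, app_findings, infra_findings, cmdb):
    """One unified row per application, suitable for a risk dashboard."""
    return [unified_exposure(a, app_findings, infra_findings, cmdb) for a in apps]


if __name__ == "__main__":
    for row in exposure_report(["payments-web", "hr-portal"],
                               APP_FINDINGS, INFRA_FINDINGS, CMDB_APP_TO_ASSETS):
        print(row)
```

The point of the example is the join: an application with only a High application finding can still carry Critical exposure once the kernel or TLS issues on its hosts are attributed to it, and a CMDB that is wrong or stale silently drops that inherited risk, so the mapping itself deserves the same review as the scan data.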

Horizontal Performance Scaling

Injecting the "Sec" into "DevSecOps" has always been a balancing act: getting the best reasonable coverage in the shortest reasonable length of time. Slowing down DevOps decision pipelines is a sure way to get pulled out of the pipeline. As a result, we've seen growing demand to push a higher volume of vulnerability data through our patented merging and deduplication engine in less time. Our new microservice architecture lets us scale processing on demand to meet your needs, so you can make informed risk decisions in less time than it took to run the scan in the first place. This technology is initially available in the processing engine for infrastructure vulnerabilities and will arrive in our application vulnerability merge engine in the coming months.

We’re Just Getting Started

ThreadFix 3.0 is far more than the addition of infrastructure vulnerability management. It’s more than our new user interface. It’s even more than our entirely reimagined architecture.  ThreadFix 3.0 shows what can happen when you take almost a decade of customer and community contributions, guidance, and enthusiasm representing the largest and most cutting-edge enterprises in banking, healthcare, entertainment, insurance, and government, and you combine it with a passionate and deeply talented development team.  We’re so excited to bring you this revolutionary update, and 3.0 is only the beginning.

Contact us to learn more about how ThreadFix 3.0 can help you get unparalleled insight into the vulnerabilities in your applications and infrastructure.

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.