ThreadFix 3.0 Teaser: Unified Vulnerability Management

Hot on the heels of ThreadFix 2.7 and the two patents on our Hybrid Analysis Mapping technology, the 3.0 release of ThreadFix is planned for early Q1 2019 – just in time for RSAC 2019! So what’s actually new in ThreadFix 3.0?


ThreadFix has always had a tremendous amount of capability and technology under the hood, but until now the UI/UX experience has taken a bit of a backseat. An industry analyst once described it as “engineering grade” and we don’t think it was intended to be a compliment. We have been hard at work refreshing these aspects of the system and the result is a UI that is a lot more modern, and a UX that makes ThreadFix much easier to use.

New Architecture: Microservices, Containers, XaaS

ThreadFix “Classic” was a monolithic Java/Spring/Hibernate-based application – a pretty standard architecture and one that served us well for a long time. That said, the ThreadFix platform is about 10 years old and, given the directions we’re taking it, the architecture was getting a bit creaky. With 3.0 we’ve reworked things to take a much more modern approach. ThreadFix has been broken up into a set of microservices that are packaged in containers. That’s all great from a technical standpoint, but why should ThreadFix users care about this? Two main reasons: scalability and maintainability:
  • Scalability – As we are dealing with significantly larger data sets and more frequent data upload volumes, larger ThreadFix installations need to scale far more than they used to. To handle these situations in the past we would tweak database queries and have folks add additional memory and processing power, but we were hitting some limits with this approach. The new architecture should scale nearly horizontally by deploying additional containers for services that are proving to be bottlenecks. This will help in large data volume environments as well as environments seeing much more frequent scan uploads from DevOps CI/CD pipelines.
  • Maintainability – Upgrades to ThreadFix have traditionally been a bit challenging, involving updates to the software as well as SQL updates to the database. With the new architecture you can simply pull an updated set of containers, and one of the services handles all of the database versioning for you.

API First

ThreadFix has always had an extensive API, but with 3.0 we are finally “API first” in our development methodology. This opens up even greater possibilities for creating advanced orchestrations between the ThreadFix platform and other parts of the security and development technology ecosystems. We have long been amazed at the cool things ThreadFix users have done with our API, and with this we hope to put even more power in their hands to solve serious security challenges with automation.

Unified Vulnerability Management – Infrastructure and Applications

Saving the best for last – after a long time in development, ThreadFix 3.0 will finally provide unified vulnerability management across network and infrastructure vulnerabilities as well as application vulnerabilities, complete with correlation between the two. Until now, the ThreadFix platform has been focused on helping organizations run their application security and application vulnerability management programs. We are now expanding our capability to network and infrastructure vulnerability management and providing a consolidated view that gives insight into your overall risk. Out of the box we will support imports from Qualys, Tenable Nessus, and Rapid7 InsightVM, with more vulnerability scanning platforms in the works. Just as Dev and Ops teams need to work together for DevOps, teams moving toward SecDevOps need security insight across both their applications and the infrastructure supporting those applications, and ThreadFix will be there to provide it. Contact us if you’d like to talk more about how the ThreadFix platform can help you successfully manage risk in your organization.

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.