ThreadFix: Fortify, Imperva, VM Appliance – Oh My!
We’re getting so close to the 1.0 release! I’m sure you all are as excited as I am. We just uploaded the Beta20 build to the Google Code download area – check it out. Highlights of this release include:

  • Much-improved Fortify support that can deal with arbitrarily large files. (We had a bit of a boneheaded bug before that copied the entire contents of the file into a byte array which pretty much negates any scalability benefits of using XML SAX parsing. Fixed now!)
  • An updated front-end UI that can deal with many more results. This has been tested with around 100k vulnerabilities for a single application; hopefully your apps aren’t on the high side of that number…
  • The first round-trip-tested version of our Imperva virtual patching. There will probably still be some updates, but at least what we are generating right now has been through the full scan/generate rules/install rules/re-scan sequence.
  • Overhauled JIRA bug tracker integration using their recommended REST API.
  • Various other bug fixes.
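Added example (not ThreadFix's own code): the Fortify bullet above describes a parser that slurped the whole report into a byte array before handing it to SAX, which makes peak memory grow with file size. The Python below puts that pattern beside a chunked feed into the same SAX handler; the `<Vulnerability>` schema is a constructed stand-in, not Fortify's real report format.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed stand-in for a scanner XML report; NOT Fortify's actual schema.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<Report>
  <Vulnerability severity="High"><Name>SQL Injection</Name></Vulnerability>
  <Vulnerability severity="Low"><Name>Verbose Logging</Name></Vulnerability>
  <Vulnerability severity="High"><Name>Cross-Site Scripting</Name></Vulnerability>
</Report>
"""


class VulnCounter(ContentHandler):
    """Summarises each <Vulnerability> as it streams past; keeps no raw XML."""

    def __init__(self):
        super().__init__()
        self.count = 0
        self.by_severity = {}

    def startElement(self, name, attrs):
        if name == "Vulnerability":
            self.count += 1
            sev = attrs.get("severity", "Unknown")
            self.by_severity[sev] = self.by_severity.get(sev, 0) + 1


def parse_buffered(fileobj):
    """The defective pattern: the entire file is read into one bytes object
    first, so memory scales with report size despite the SAX handler."""
    data = fileobj.read()
    handler = VulnCounter()
    xml.sax.parseString(data, handler)
    return handler


def parse_streaming(fileobj, chunk_size=64 * 1024):
    """The fixed pattern: feed the incremental expat reader a bounded chunk
    at a time; only the current chunk plus parser state is resident."""
    parser = xml.sax.make_parser()
    handler = VulnCounter()
    parser.setContentHandler(handler)
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        parser.feed(chunk)  # element boundaries may fall mid-chunk; expat copes
    parser.close()
    return handler
```

Both functions return the same summary; the difference is only in how much of the input is ever in memory at once, which is the whole point of SAX over a large Fortify file.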

So…lots of good stuff. In other exciting news:

  • We now have a Google Group dedicated to ThreadFix. This should act as a project mailing list, message board, and so on. Join up here.
  • We also now have a pre-installed VM appliance that will be more suitable for production use than the beta builds we’ve been delivering as ZIP files with pre-configured Tomcat/HSQL. The VM is Linux-based and has pre-installed and pre-configured Apache/Tomcat/mod_jk/MySQL so you should just be able to give it some memory, assign it some disk space and be off to the races with a durable ThreadFix installation. To do this we used a combination of various DevOps tools – Fabric, Chef and Vagrant. We will be putting up a blog post (next week?). Check out this page for more information on downloading and spinning up the ThreadFix VM appliance. The current version is a starting point – we’ll be pushing some updates out here pretty quickly.
  • I just got back from a week in Las Vegas where we demonstrated ThreadFix at the BlackHat Arsenal and I gave a talk with Josh Sokol at BSidesLV on Symbiotic Security using ThreadFix as an example of how security tools can be made to work together. Check out this blog post for a recap of last week in Vegas showing off ThreadFix. The ToolsWatch folks put up a post about this as well.
  • I found out that Josh and I will be giving an updated version of our talk at HouSecCon on October 11th, 2012. I’ve been to all of the HouSecCons and they’ve been great – hope to see folks there.

I’ve been reaching out individually to our beta testers to upgrade to these more mature, updated builds. I’m also always thrilled to hear from new users, so please fire these builds up and send along any thoughts or comments. You can report bugs to the Google Code issue tracker or you can email me directly (dan _at_ denimgroup dot com). Contact us to talk about running your software assurance program on ThreadFix. –Dan (@danielcornell)

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.