- What is ThreadFix?
ThreadFix is an application vulnerability management platform that provides a window into the state of your application security program and helps bridge the communications gap between security and software development teams. ThreadFix allows security teams to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using.
- How does vulnerability merging work?
Vulnerability data is normalized to an internal data format to identify duplicated application scan results. For certain platforms we can also consolidate static and dynamic mapping results based on our patented Hybrid Analysis Mapping (HAM) technology. Our format uses the MITRE Common Weakness Enumeration (CWE) as its vulnerability type taxonomy, and also incorporates elements of vulnerability attack surface location and/or path through the source code.
- What tools integrate with ThreadFix?
ThreadFix currently supports 20+ popular commercial and open source static, dynamic and interactive scanning technologies, software composition analysis scanners as well as major application security SaaS providers. The good news is we’re building new tool integrations all the time. If there’s a specific scanning tool or defect tracker that you are looking to integrate with, please let us know.
- How is ThreadFix deployed?
ThreadFix is currently typically deployed as an on premise web application. Production installations of ThreadFix use a MySQL or Microsoft SQL Server database for scalability. Denim Group is also now offering Managed ThreadFix where we manage your ThreadFix installation for you –contact us for more information.
- Can ThreadFix pre-seed dynamic scanners?
Another interesting benefit of our Hybrid Analysis Mapping technology is that ThreadFix can perform lightweight static analysis of an application and use that to calculate the application’s entire attack surface. This can help scanners identify more vulnerabilities by providing better coverage than a standard web application crawl. For example, this attack surface calculation can identify hidden landing pages and unused debug parameters that would be invisible to a scanner when operating without this pre-seeded attack surface information. Currently a ThreadFix plugin is available for BurpSuiteand a legacy plugin is available for OWASP ZAP.
- What databases does ThreadFix work with?
Production installations of ThreadFix use MySQL or Microsoft SQL Server databases for scalability.
- What are Threadfix’s system requirements?
ThreadFix currently runs on most modern Windows, Mac, and Linux platforms. ThreadFix is a Java EE based application using the Java Spring framework and Hibernate. ThreadFix requires Java 8 and the Tomcat 8 web application server. A minimum of 20GB of disk space and 8 GB RAM is required (16 GB RAM is recommended).
- How do I schedule a demo?
To schedule a demo, please contact Denim Group at (844) 847-3233 or submit this online form.
- What is Hybrid Analysis Mapping (HAM)?
Denim Group’s patented Hybrid Analysis Mapping (HAM) technology enables ThreadFix to merge vulnerabilities from static application scans (SAST) with vulnerabilities from dynamic (DAST) and interactive (IAST) application scans. ThreadFix currently supports Hybrid Analysis Mapping for Java/JSP, Java/Spring, Java/Struts, ASP.NET MVC, and ASP.NET WebForms applications. Support for additional frameworks such as PHP and Ruby on Rails is planned. HAM technology in ThreadFix resulted from a project funded by the U.S. Department of Homeland Security’s (DHS) Small Business Innovation Research (SBIR) program.
- What kinds of resources do you offer to help my organization get started using ThreadFix?
Please visit our online documentation to view our getting started guide, and environment setup instructions. We also offer a ThreadFix Kickstart program through which we can send our consultants onsite to expedite the setup and configuration of ThreadFix within your organization. At the end of the engagement, you will have a fully functional, production-ready deployment of ThreadFix. Please contact us for additional details or to obtain a quote.
- Can ThreadFix authenticate via LDAP or Active Directory?
Yes, ThreadFix allows for role based user management and offers authentication via LDAP or Active Directory. Administrators can control which tasks and data specific users can view. An administrator can create different roles and permissions, limiting users’ access to certain teams or specific applications and also limit the types of tasks that can be completed in the system.
- How can I stay informed on latest ThreadFix news/development?
We’ll send you updates to let you know about product updates (new releases/bug fixes and enhancements) and product roadmap details, including planned features and integrations with new tools and technologies.
- What if I find a security issue?
Obviously with ThreadFix we take security very seriously. Any security issues should be reported directly to the ThreadFix team and those items will be handled promptly.