In the area of information security, we're very fortunate to have a plethora of great open source tools that most security professionals use. Names like Snort, Metasploit, Nmap, and ClamAV might not be household names, but they are the meat and potatoes of many a security administrator's toolkit. A new tool has now joined this open source security toolset: ThreadFix. ThreadFix enables organizations to manage application vulnerability data, penetration test data, and threat modeling in a single application.
ThreadFix is a product of the Denim Group, a well-known security company specializing in the development of secure code. Like many open source projects, ThreadFix was born out of Denim Group's need for a place to keep all the data and findings they gathered while testing various applications and code. I had the chance to speak with Dan Cornell, CTO of Denim Group, about ThreadFix. Dan told me that if there had already been something else doing what ThreadFix does, they wouldn't have bothered to develop it. But the point is that there was nothing. Companies like Denim Group, and even internal secure development teams within companies, will typically use a variety of application vulnerability scanners and penetration testing tools to check for bugs in an application. Keeping track of the findings from these disparate scanners and tools, and prioritizing and tracking them, was a priority, but short of a good old spreadsheet there was nothing to use. Denim therefore developed ThreadFix for its own internal use. Now they have released it under an open source license for anyone to use. Cornell, of course, is hoping other users will contribute improvements of their own, such as importers for even more scan data.
Managing application vulnerabilities is a very hot and relatively new area of security. Managing vulnerabilities in operating systems, hardware, and other software is much more mature and established. Companies like Qualys, nCircle, Tenable Network Security, and Rapid7 have well-established vulnerability scanners as part of their vulnerability management products. In fact, many of these companies have also added application analytics and in some cases penetration testing to their suites. Having a tool dedicated to the management of application vulnerabilities is adjacent to, but different from, the vulnerability management offered by the traditional vulnerability companies.
Cornell also believes ThreadFix is the first tool that will allow security teams to synchronize with the application development team. Too often, application teams develop an application and the security team then tests it, but there is little communication between them. The security team sends a report to the app developers, who may or may not be very concerned about prioritizing the security team's findings. ThreadFix will allow the two groups to work together.
By working together, application development and security will be able to draw up an action plan based on established guidelines. Remediation will then proceed in an order visible to both teams. Cornell believes that if ThreadFix can make these two teams work together, it will be a resounding success.
Another advantage of ThreadFix is that it can generate WAF (Web Application Firewall) rules from the vulnerabilities found by scanners and imported into the tool. This is a very useful feature: it lets an organization protect itself at the perimeter until the vulnerabilities in the code itself are fixed.
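As an added illustration of the two ideas above (consolidating findings from different scanners, then turning them into WAF rules), the following Python is not ThreadFix's code and does not use its real import or export formats: the two scanner record layouts, the vulnerability-name mapping, and the detection patterns are all constructed for this example, and the output is ModSecurity `SecRule` syntax.

```python
from dataclasses import dataclass

# Constructed sample findings, as two scanners with different vocabularies might report them.
SCANNER_A = [
    {"url": "/login", "param": "user", "type": "SQL Injection", "severity": "High"},
    {"url": "/search", "param": "q", "type": "Cross-Site Scripting", "severity": "Medium"},
]
SCANNER_B = [
    {"path": "/login", "parameter": "user", "vuln": "sqli", "risk": 3},
    {"path": "/profile", "parameter": "bio", "vuln": "xss", "risk": 2},
]

@dataclass(frozen=True)
class Finding:
    url: str
    param: str
    vuln: str  # normalized class name: "sqli" or "xss"

def normalize(a_findings, b_findings):
    """Map both scanner vocabularies onto one Finding and de-duplicate by (url, param, vuln).

    Returns a dict of Finding -> list of scanner labels that reported it, in first-seen order."""
    name_map = {"SQL Injection": "sqli", "Cross-Site Scripting": "xss"}  # assumed mapping
    merged = {}
    for f in a_findings:
        merged.setdefault(Finding(f["url"], f["param"], name_map[f["type"]]), []).append("A")
    for f in b_findings:
        merged.setdefault(Finding(f["path"], f["parameter"], f["vuln"]), []).append("B")
    return merged

# Illustrative per-class patterns; a real virtual patch would be tuned to the application's inputs.
PATTERNS = {
    "sqli": r"(?i)(\bunion\b|\bselect\b|--|'|;)",
    "xss": r"(?i)(<|>|javascript:|on\w+=)",
}

def modsecurity_rules(merged, base_id=100000):
    """Emit one chained ModSecurity rule per unique finding, scoped to the affected URL and parameter.

    The first rule matches the URL and carries the id and disruptive action; the chained second rule
    only fires on the vulnerable parameter, so unrelated inputs on the same page are not blocked."""
    rules = []
    for i, (f, sources) in enumerate(merged.items()):
        rules.append(
            f'SecRule REQUEST_URI "@streq {f.url}" '
            f'"id:{base_id + i},phase:2,chain,deny,status:403,log,'
            f"msg:'virtual patch: {f.vuln} in {f.param} (reported by {'/'.join(sources)})'\"\n"
            f'    SecRule ARGS:{f.param} "@rx {PATTERNS[f.vuln]}" "t:none,t:urlDecodeUni"'
        )
    return rules
```

Calling `modsecurity_rules(normalize(SCANNER_A, SCANNER_B))` yields three rules, because the `/login` SQL injection reported by both scanners collapses into one entry that records both sources.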
Overall, ThreadFix promises to be a great addition to the open source security tools matrix. It is released under the well-known and respected Mozilla Public License. The question that remains is whether teams outside of Denim Group will adopt this tool. If they don't, it will be their downfall.
Copyright © 2012 IDG Communications, Inc.