Free Web Tool Consolidates Data on Code Vulnerabilities
Enterprise coders can now use an open source Web application that lets them consolidate software vulnerability data from a range of scanning and test tools. With a centralized view, and reporting and management tools, ThreadFix speeds the work needed to fix software bugs and vulnerabilities, including those in proliferating mobile apps.
The beta version of ThreadFix is available via GoogleCode, along with tutorials and a range of support information (see links below). It can be easily configured to import test and scan results from open source tools such as Bugzilla for bug tracking, and Skipfish, an active Web application security reconnaissance tool, as well as commercial products like Fortify (now part of HP), a comprehensive software security assurance system, and IBM's Rational AppScan product set.
ThreadFix has been in development for nearly two years at Denim Group, a San Antonio-based software development house that specializes in secure custom applications, and in secure application consulting services. It was developed internally to fill a gap in software shops that rely on multiple brands of security and coding tools, but often lack a single view across the development projects of the type, severity, and status of code vulnerabilities. It's being made available now, as a free, open beta release. Denim makes money on among other things, providing a range of secure software development services, including training and support.
"What we notice, is that development organizations even when they adopt comprehensive software security solutions, often do so in a 'shallow' way," says principal Dan Cornell, Denim's informally designated CTO. "For example, they may occasionally run code scans, but they're not doing it repeatedly over time. And most organizations don't standardize wholesale on a single-vendor solution: they have multiple tools, multiple languages, multiple approaches to development."
The result, Cornell says, is that software security often lacks a strategic focus, and companies can't see how their development practices are faring over time in minimizing vulnerabilities, nor how the effectiveness of those practices compare with peers in their industry segment.
Threadfix pulls data from this mix of tools, consolidates it, and lets developers and managers filter it based on a range of criteria. It also lets you, for example, export a group of SQL injection vulnerabilities to a bug tracking tool, for a team to remedy. Threadfix then picks up the updated code scan results and captures and reflects the fixed vulnerabilities.
Creating a central view of such information is critical for companies in the increasingly fast-moving world of online and mobile applications where not only enterprise data but private, confidential information of potentially millions of customers might be at risk.
Online scanning services, from companies such as Vericode and WhiteHat Security have quantified this risk, says Cornell's partner, John Dickson. "Some of the worst application vulnerabilities will last 70 to 100 days before they get patched," he says. One reason for that is that the enterprise security team, the people "who worry about software" - and the software development team - the people "who can do something about the software" - are often in separate organizations, and aren't able to coordinate effectively. ThreadFix's Web UI is intended to bridge this gap, Dickson says.
A scanning tool can come up with a long list of vulnerabilities. But ThreadFix can break the list into chunks, filtered by type of vulnerability and severity for example. Development teams can be assigned to attack a cluster of the same kind of problems, cranking out fixes more efficiently than if each one was separately assigned to a separate developer. "That sounds simple, but it's actually a huge issue between the security/vulnerabilities group and the software developers," Cornell says.
With centralized data, software and security staff can see all vulnerabilities for a given application, or across the entire software inventory; see trends to know if code vulnerabilities are becoming more or less frequent; and calculate the average time it takes to implement bug fixes, per application or per development team, for example, and see the trend over time.
ThreadFix can be downloaded at no charge from GoogleCode. You then configure user groups, such as the developers for an ecommerce application, or teams in geographical locations. With each group, you create a record for each application, and identify the scanning and tracking tools being used. You configure ThreadFix to import data from each tool, and ThreadFix collects, aggregates, and tracks this information over time. A "getting started" tutorial walks you through this initial configuration.
Denim Group also offers a how-to guide for fixing software vulnerabilities (registration required).
Awareness of security in mobile applications is especially weak, except for the financial services sector, according to the two executives. Last November, Denim announced a set of courses for its ThreadStrong e-learning system aimed at mobile applications. The new offerings are an overview of mobile app security and classes on authentication and authorization specifically for the Android and iPhone operating systems.
John Cox covers wireless networking and mobile computing for Network World.
Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.