Open Source Vulnerability Management Software ThreadFix Ready for Production Use
The first production-ready version of ThreadFix, an open-source software vulnerability management tool, was released Monday by Denim Group, a secure software development firm in San Antonio, Texas.
ThreadFix was designed to bridge the communication gap between enterprise security teams and software development teams in an attempt to decrease the time required to fix software vulnerabilities. The product can import vulnerability reports from different vulnerability scanning sources and export them to a variety of bug tracking systems commonly used by developers.
Companies have gotten pretty good at finding vulnerabilities in their applications, said John Dickson, principal at Denim Group. However, it still takes a considerable amount of time to fix them, he said.
Dickson pointed to the annual statistics released by vulnerability testing firms WhiteHat Security and Veracode for an indication of how long it takes on average for enterprises to fix vulnerabilities in their websites or other types of applications. While network-level vulnerabilities get fixed in hours or days, application-level vulnerabilities get fixed in weeks or months, Dickson said.
Dickson thinks this is partially caused by the diversity of security testing approaches in enterprise environments. Companies can have multiple security teams that use different tools and technologies which generate reports in different formats and often for the same issues, he said.
This leaves the people responsible with managing vulnerabilities in a corporate environment with a very difficult task. There are companies that track vulnerabilities discovered through different means of security testing -- static and dynamic scanning, source code reviews, penetration testing, etc. -- manually using Excel spreadsheets, said Dickson.
"On top of that, still the main way that we see a lot of vulnerabilities passed from the security teams to the development teams is via PDFs," Dickson said. These are unactionable documents, Dickson noted, that cause developers to ask themselves "What do I do with this?"
ThreadFix aggregates vulnerability scanning results from a variety of sources and normalizes the data to an internal format. It then de-duplicates the data by determining whether different scanners have found the same vulnerabilities and generates a single unified list containing all the issues.
Based on that list a security analyst can then start to negotiate with the development team leader about which vulnerabilities need to be fixed as soon as possible and how to export them to the bug tracking system used by the development team. Multiple vulnerabilities can be grouped under the same bug ticket by vulnerability type, by vulnerability severity or by a specific developer in charge of an affected component, for example.
Once the vulnerability reports have been exported as new tickets in the development team's bug tracker of choice, the security analyst can monitor if they've been resolved directly from ThreadFix, because the system communicates with the bug tracker in real time and can read the ticket status.
ThreadFix can also generate rules based on the vulnerability data for Web application firewalls or intrusion detection systems. This ensures that a vulnerable application is protected against attacks until a particular issue gets fixed.
Version 1.0 of ThreadFix has built-in support for some of the most commonly used vulnerability scanners and bug tracking systems. However, support for other systems can be easily added through plug-ins, said Dan Cornell, principal and chief technology officer at Denim Group.
ThreadFix uses Java on the server side, but can be used to manage vulnerability reports through a standard Web-based interface that doesn't require Java support inside the browser. It can be downloaded either as a .zip archive that contains an SQL database server and the Apache Tomcat Web server and which is suitable for testing the product, or as a pre-configured virtual machine appliance based on Linux, MySQL and Apache, Cornell said.
ThreadFix has been in development internally at Denim Group for the past two years and a beta version has been publicly available since earlier this year. The company's strategy is to offer the product for free under an open source license and provide commercial support and consultancy services to organizations that need help deploying it in their environments.