ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Transcript of ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
![Page 1: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/1.jpg)
© 2016 Denim Group – All Rights Reserved
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Dan Cornell, @danielcornell
![Page 2: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/2.jpg)
Agenda
• ThreadFix Overview
• Major 2.4 Updates
• Questions
![Page 3: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/3.jpg)
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
![Page 4: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/4.jpg)
ThreadFix Overview
![Page 5: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/5.jpg)
Major 2.4 Updates
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
![Page 6: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/6.jpg)
Vulnerability Triage
• Saved view state
• Vulnerability pivots
• Version tracking
• Source code display
![Page 7: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/7.jpg)
Saved View State
• Saves vulnerability display status
• Saves filter state
• Leads to easier, more intuitive navigation
![Page 8: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/8.jpg)
Saved View State
![Page 9: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/9.jpg)
Vulnerability Pivots
• Previous pivots were fixed: Criticality, CWE
• Can now set:
  • Primary
  • Secondary
• Allows for more flexible and customized filtering
![Page 10: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/10.jpg)
Vulnerability Pivots
![Page 11: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/11.jpg)
Vulnerability Pivots
![Page 12: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/12.jpg)
Version Tracking
• Can now name “points in time” for applications
• Display along trending graphs
• Tags vulnerabilities present in specific versions
• Allows better progress tracking over time
![Page 13: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/13.jpg)
Version Tracking
![Page 14: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/14.jpg)
Version Tracking
![Page 15: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/15.jpg)
Version Tracking
![Page 16: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/16.jpg)
Version Tracking
![Page 17: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/17.jpg)
Version Tracking
![Page 18: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/18.jpg)
Source Code Display
• This used to be really bad
• Now it is better
• Allows for faster, more intuitive vulnerability triage
![Page 19: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/19.jpg)
Source Code Display
![Page 20: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/20.jpg)
Flexible Vulnerability Management
• Defect defaults
• Multiple defect trackers
![Page 21: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/21.jpg)
Defect Defaults
• Contributed by Samsung ARTIK (thanks!)
• Originally available in ThreadFix 2.3 releases
• Allows setting default field values for defects created by ThreadFix
• Makes creating defects from vulnerabilities much faster and more standardized
![Page 22: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/22.jpg)
Defect Defaults
![Page 23: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/23.jpg)
Defect Defaults
![Page 24: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/24.jpg)
Defect Defaults
![Page 25: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/25.jpg)
Multiple Defect Trackers
• Can now attach multiple defect trackers to an application. For example:
  • One for application vulnerabilities
  • One for infrastructure/configuration vulnerabilities
• Allows for much more flexible handling of vulnerabilities
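The two Flexible Vulnerability Management features above (defect defaults and multiple defect trackers per application) combine naturally: a finding is routed to the tracker that owns its category, and that tracker's defaults are pre-filled before the finding's own fields are applied. The script below is an added example, not ThreadFix code; the tracker names, the scanner-to-category mapping, the default field names and the one-defect-per-(tracker, CWE, location) grouping are all assumptions made for illustration, and the findings are constructed.

```python
"""Added example (not ThreadFix code): route vulnerabilities to one of several
defect trackers attached to an application and apply per-tracker defect defaults.

Tracker names, field names, the scanner-to-category mapping and the grouping rule
are assumptions for illustration; ThreadFix's own defect schema is not reproduced.
"""
from collections import defaultdict

# Hypothetical trackers attached to one application. Each carries the defaults that a
# "defect defaults" feature would pre-fill on every defect it creates, plus the finding
# categories it should receive.
TRACKERS = {
    "jira-appsec": {
        "categories": {"application"},
        "defaults": {"project": "APPSEC", "issue_type": "Bug",
                     "labels": ["security", "appsec"], "assignee": "appsec-triage"},
    },
    "jira-infra": {
        "categories": {"infrastructure", "configuration"},
        "defaults": {"project": "INFRA", "issue_type": "Task",
                     "labels": ["security", "infra"], "assignee": "platform-oncall"},
    },
}

# Assumed mapping: static/dynamic/IAST findings are application-level; host and
# configuration scanners are infrastructure-level.
SCANNER_CATEGORY = {
    "sast": "application", "dast": "application", "iast": "application",
    "network": "infrastructure", "config": "configuration",
}


def pick_tracker(vuln, trackers=TRACKERS):
    """Return the name of the tracker whose categories cover this vulnerability."""
    category = SCANNER_CATEGORY.get(vuln["scanner"])
    for name, tracker in trackers.items():
        if category in tracker["categories"]:
            return name
    raise LookupError(f"no tracker accepts scanner type {vuln['scanner']!r}")


def build_defects(vulns, trackers=TRACKERS):
    """Group vulnerabilities into defects, one per (tracker, CWE, location), and
    merge the tracker's defaults under the defect's own fields.

    Returns {tracker_name: [defect, ...]}.
    """
    grouped = defaultdict(list)
    for v in vulns:
        grouped[(pick_tracker(v, trackers), v["cwe"], v["location"])].append(v)

    defects = defaultdict(list)
    for (tracker, cwe, location), members in grouped.items():
        defaults = trackers[tracker]["defaults"]
        defect = dict(defaults)                       # defaults first ...
        defect["labels"] = list(defaults["labels"])   # copy, don't alias the shared list
        defect.update({                               # ... then defect-specific fields win
            "summary": f"{cwe} in {location} ({len(members)} finding(s))",
            "vuln_ids": sorted(v["id"] for v in members),
            "severity": max(v["severity"] for v in members),
        })
        defects[tracker].append(defect)
    return dict(defects)


# Constructed sample findings (not real scan output).
SAMPLE_VULNS = [
    {"id": 1, "scanner": "sast", "cwe": "CWE-89", "location": "dao/UserDao.java:42", "severity": 5},
    {"id": 2, "scanner": "dast", "cwe": "CWE-89", "location": "dao/UserDao.java:42", "severity": 4},
    {"id": 3, "scanner": "sast", "cwe": "CWE-79", "location": "web/Search.jsp:17", "severity": 3},
    {"id": 4, "scanner": "network", "cwe": "CWE-326", "location": "443/tcp TLS config", "severity": 3},
    {"id": 5, "scanner": "config", "cwe": "CWE-16", "location": "web.xml", "severity": 2},
]

if __name__ == "__main__":
    for tracker, items in build_defects(SAMPLE_VULNS).items():
        for d in items:
            print(tracker, d["project"], d["summary"], d["vuln_ids"])
```

Two points the grouping shows: the SAST and DAST findings for the same SQL injection land in one defect rather than two, and a finding whose scanner type no tracker claims fails loudly instead of silently being dropped, which is the failure mode to watch for once more than one tracker is attached.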
![Page 26: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/26.jpg)
Multiple Defect Trackers
![Page 27: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/27.jpg)
Multiple Defect Trackers
![Page 28: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/28.jpg)
Multiple Defect Trackers
![Page 29: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/29.jpg)
Multiple Defect Trackers
![Page 30: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/30.jpg)
Multiple Defect Trackers
![Page 31: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/31.jpg)
Multiple Defect Trackers
![Page 32: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/32.jpg)
Multiple Defect Trackers
![Page 33: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/33.jpg)
Multiple Defect Trackers
![Page 34: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/34.jpg)
Multiple Defect Trackers
![Page 35: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/35.jpg)
Integrations
• Checkmarx Remote Provider
• On-Premise Contrast Support
• Bulk Application Import
![Page 36: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/36.jpg)
Checkmarx Remote Provider
• Can now import via the Checkmarx API
  • Rather than uploading individual result files
• Makes integration with Checkmarx much easier to set up and maintain
![Page 37: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/37.jpg)
Checkmarx Remote Provider
![Page 38: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/38.jpg)
On-Premise Contrast Support
• Have supported cloud-based Contrast for a while
• Now supports on-premise Contrast Enterprise
• Allows support for more Contrast implementations
![Page 39: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/39.jpg)
On-Premise Contrast Support
![Page 40: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/40.jpg)
Bulk Application Import
• Allows for creation of applications based on the portfolio managed in a Remote Provider
• Allows for much faster initial ThreadFix deployment and configuration
![Page 41: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/41.jpg)
Bulk Application Import
![Page 42: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/42.jpg)
Administration Updates
• User Auditing
• SAML Support
![Page 43: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/43.jpg)
User Auditing
• Can see login history of ThreadFix users
  • Including failed logins
• Allows for better situational awareness of user activity
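A login history that includes failures is only useful for situational awareness if someone looks at it, so the natural follow-on is a small detection pass over the audit records. The script below is an added example, not ThreadFix code: the record layout (timestamp, user, source IP, outcome) and the audit lines themselves are constructed for the example, and the two rules (a burst of failures for one account inside a window, and a success that follows such a burst) are the ones an analyst would ask of any login audit, not something the slides specify.

```python
"""Added example (not ThreadFix code): detection logic over login-audit records of the
kind a user-auditing view exposes (who logged in, from where, success or failure).

The record layout and the sample records are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, username, source_ip, outcome).
SAMPLE_AUDIT = [
    ("2016-05-10T09:00:01", "alice", "10.0.0.5", "success"),
    ("2016-05-10T09:02:10", "bob", "203.0.113.9", "failure"),
    ("2016-05-10T09:02:14", "bob", "203.0.113.9", "failure"),
    ("2016-05-10T09:02:19", "bob", "203.0.113.9", "failure"),
    ("2016-05-10T09:02:23", "bob", "203.0.113.9", "failure"),
    ("2016-05-10T09:02:27", "bob", "203.0.113.9", "failure"),
    ("2016-05-10T09:02:40", "bob", "203.0.113.9", "success"),
    ("2016-05-10T11:30:00", "carol", "10.0.0.7", "failure"),
    ("2016-05-10T11:31:00", "carol", "10.0.0.7", "success"),
    ("2016-05-11T08:15:00", "alice", "10.0.0.5", "success"),
]


def parse(records):
    """Turn ISO-8601 timestamp strings into datetimes; keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), user, ip, outcome)
            for ts, user, ip, outcome in records]


def login_summary(records):
    """Per-user view of the login history: success/failure counts and source IPs."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for _, user, ip, outcome in parse(records):
        summary[user][outcome] += 1
        summary[user]["ips"].add(ip)
    return dict(summary)


def detect(records, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) at least `threshold` failures for one user inside `window`
    and (b) a successful login while that many recent failures are still in the window.
    Records are processed in time order regardless of input order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures still in the window
    burst_reported = set()          # avoid re-alerting on every further failure
    for ts, user, ip, outcome in sorted(parse(records)):
        q = failures[user]
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
            if len(q) >= threshold and user not in burst_reported:
                alerts.append({"type": "failed_login_burst", "user": user, "ip": ip,
                               "count": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat()})
                burst_reported.add(user)
        else:
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "user": user, "ip": ip,
                               "failures": len(q), "at": ts.isoformat()})
            q.clear()                     # a success resets the account's failure run
            burst_reported.discard(user)
    return alerts


if __name__ == "__main__":
    for user, stats in login_summary(SAMPLE_AUDIT).items():
        print(user, stats["success"], "ok", stats["failure"], "failed", sorted(stats["ips"]))
    for alert in detect(SAMPLE_AUDIT):
        print(alert)
```

The second rule is the one worth the pager: a burst of failures is noise from a forgotten password as often as an attack, but a success that immediately follows one means either the attacker got in or the user was locked out and got back; either way someone should look at it.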
![Page 44: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/44.jpg)
User Auditing
![Page 45: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/45.jpg)
User Auditing
![Page 46: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/46.jpg)
SAML Support
• Allows for login via SAML
• Supports enterprise authentication / authorization implementations
![Page 47: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/47.jpg)
SAML Support
![Page 48: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/48.jpg)
Vulnerability Prioritization (“Hot Spots”)
• Detect vulnerabilities in shared internally-developed code and components
• Which vulnerability fixes can be a “force multiplier”?
• Get the most value from a limited remediation budget
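Hot spots are a cross-application pivot: instead of slicing one application's findings by criticality and CWE (the configurable primary/secondary pivots from the Vulnerability Triage section), the findings of every application are grouped by the shared component and location they occur in, and each group is ranked by how many applications one fix would cover. The script below is an added example, not ThreadFix code, serving both the Vulnerability Pivots passage and this one: the `pivot` function is a generic two-level pivot with caller-chosen fields, and `hot_spots` is the cross-application ranking. The component names, file paths, the (component, path, CWE) grouping key and the ranking order are assumptions for the example; the findings are constructed.

```python
"""Added example (not ThreadFix code): two groupings over a portfolio of findings.

pivot()     -- a two-level pivot with caller-chosen primary/secondary fields, the kind of
               view the Vulnerability Pivots slides describe.
hot_spots() -- rank groups of findings in shared components by how many applications a
               single fix would cover, the "force multiplier" idea behind Hot Spots.

Component/path naming, the grouping key and the ranking are assumptions for this example.
"""
from collections import Counter, defaultdict

# Constructed findings (not real scan output). 'component' names the shared, internally
# developed library the file belongs to; None means the application's own code.
FINDINGS = [
    {"app": "billing", "component": "acme-authlib", "path": "auth/SessionDao.java", "cwe": "CWE-89", "severity": "Critical"},
    {"app": "portal", "component": "acme-authlib", "path": "auth/SessionDao.java", "cwe": "CWE-89", "severity": "Critical"},
    {"app": "support", "component": "acme-authlib", "path": "auth/SessionDao.java", "cwe": "CWE-89", "severity": "Critical"},
    {"app": "billing", "component": "acme-authlib", "path": "auth/Login.java", "cwe": "CWE-307", "severity": "Medium"},
    {"app": "portal", "component": "acme-authlib", "path": "auth/Login.java", "cwe": "CWE-307", "severity": "Medium"},
    {"app": "billing", "component": None, "path": "web/Invoice.jsp", "cwe": "CWE-79", "severity": "High"},
    {"app": "billing", "component": None, "path": "web/Invoice.jsp", "cwe": "CWE-79", "severity": "High"},
    {"app": "portal", "component": None, "path": "web/Profile.jsp", "cwe": "CWE-79", "severity": "High"},
    {"app": "support", "component": "acme-ui", "path": "widgets/Table.js", "cwe": "CWE-79", "severity": "High"},
]


def pivot(findings, primary, secondary):
    """Nested counts {primary_value: {secondary_value: count}} for any two finding fields,
    e.g. pivot(FINDINGS, "severity", "cwe") or pivot(FINDINGS, "app", "component")."""
    table = defaultdict(Counter)
    for f in findings:
        table[f[primary]][f[secondary]] += 1
    return {k: dict(v) for k, v in table.items()}


def hot_spots(findings, min_apps=2):
    """Group findings that sit in a shared component by (component, path, cwe), keep the
    groups seen in at least `min_apps` distinct applications, and rank by the number of
    applications a single fix covers, then by finding count."""
    groups = defaultdict(list)
    for f in findings:
        if f["component"] is not None:          # application-private code is never shared
            groups[(f["component"], f["path"], f["cwe"])].append(f)

    spots = []
    for (component, path, cwe), members in groups.items():
        apps = sorted({f["app"] for f in members})
        if len(apps) >= min_apps:
            spots.append({"component": component, "path": path, "cwe": cwe,
                          "apps": apps, "findings": len(members)})
    spots.sort(key=lambda s: (-len(s["apps"]), -s["findings"], s["component"], s["path"]))
    return spots


if __name__ == "__main__":
    for sev, by_cwe in pivot(FINDINGS, "severity", "cwe").items():
        print(sev, by_cwe)
    for spot in hot_spots(FINDINGS):
        print(f"{spot['component']}:{spot['path']} {spot['cwe']} "
              f"-> fixes {spot['findings']} findings in {len(spot['apps'])} apps {spot['apps']}")
```

On the constructed data the ranking puts the SQL injection in `acme-authlib`'s `SessionDao.java` first (one fix closes a Critical in three applications), the lockout weakness in the same library second, and leaves the per-application XSS findings out entirely: the reflected XSS in `Invoice.jsp` has more findings than the lockout issue but fixing it helps exactly one application, which is the budget argument the slide is making.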
![Page 49: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/49.jpg)
Vulnerability Prioritization (“Hot Spots”)
![Page 50: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/50.jpg)
Vulnerability Prioritization (“Hot Spots”)
![Page 51: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/51.jpg)
Major 2.4 Updates (recap)
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
![Page 52: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources](https://reader031.fdocuments.in/reader031/viewer/2022030311/58ef5f051a28ab17728b45eb/html5/thumbnails/52.jpg)
Questions / Contact Information
Dan Cornell
Principal and CTO
[email protected]
@danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.it