Open source vulnerability management software ThreadFix ready for production use

ThreadFix 1.0 can import vulnerability reports from different vulnerability scanners and export them to different bug tracking systems

The first production-ready version of ThreadFix, an open-source software vulnerability management tool, was released Monday by Denim Group, a secure software development firm in San Antonio, Texas.

ThreadFix was designed to bridge the communication gap between enterprise security teams and software development teams in an attempt to decrease the time required to fix software vulnerabilities. The product can import vulnerability reports from different vulnerability scanning sources and export them to a variety of bug tracking systems commonly used by developers.

Companies have gotten pretty good at finding vulnerabilities in their applications, said John Dickson, principal at Denim Group. However, it still takes a considerable amount of time to fix them, he said.

Dickson pointed to the annual statistics released by vulnerability testing firms WhiteHat Security and Veracode for an indication of how long it takes on average for enterprises to fix vulnerabilities in their websites or other types of applications. While network-level vulnerabilities get fixed in hours or days, application-level vulnerabilities get fixed in weeks or months, Dickson said.

Dickson thinks this is partially caused by the diversity of security testing approaches in enterprise environments. Companies can have multiple security teams that use different tools and technologies which generate reports in different formats and often for the same issues, he said.

This leaves the people responsible for managing vulnerabilities in a corporate environment with a very difficult task. There are companies that track vulnerabilities discovered through different means of security testing -- static and dynamic scanning, source code reviews, penetration testing, etc. -- manually using Excel spreadsheets, said Dickson.

"On top of that, still the main way that we see a lot of vulnerabilities passed from the security teams to the development teams is via PDFs," Dickson said. These are unactionable documents, Dickson noted, that cause developers to ask themselves "What do I do with this?"

ThreadFix aggregates vulnerability scanning results from a variety of sources and normalizes the data to an internal format. It then de-duplicates the data by determining whether different scanners have found the same vulnerabilities and generates a single unified list containing all the issues.

Based on that list a security analyst can then start to negotiate with the development team leader about which vulnerabilities need to be fixed as soon as possible and how to export them to the bug tracking system used by the development team. Multiple vulnerabilities can be grouped under the same bug ticket by vulnerability type, by vulnerability severity or by a specific developer in charge of an affected component, for example.

Once the vulnerability reports have been exported as new tickets in the development team's bug tracker of choice, the security analyst can monitor whether they've been resolved directly from ThreadFix, because the system communicates with the bug tracker in real time and can read the ticket status.

ThreadFix can also generate rules based on the vulnerability data for Web application firewalls or intrusion detection systems. This ensures that a vulnerable application is protected against attacks until a particular issue gets fixed.
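The three steps described above (normalize and de-duplicate scanner output, group the unified list into tickets, and emit protective rules for an issue until it is fixed) are easier to reason about with a concrete pipeline in front of you. The following is an added example written for this page, not ThreadFix's own code or its internal format: the two scanner report layouts, the type aliases, the component-owner table and the ModSecurity-style rule text are all constructed for illustration and would need to be checked against the real scanners and WAF in use.

```python
"""Normalize -> de-duplicate -> group -> virtual-patch pipeline (illustrative).

Added example; not ThreadFix code. All report formats, field names and
the WAF rule syntax are constructed assumptions for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlparse

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed mapping of scanner-specific names onto one internal vocabulary.
TYPE_ALIASES = {
    "sql injection": "sqli", "sql_injection": "sqli",
    "cross site scripting (reflected)": "xss", "xss_reflected": "xss",
    "missing_hsts": "missing_hsts",
}

# Assumed path -> owning team table (the "developer in charge" grouping).
OWNERS = {"/login": "auth-team", "/search": "search-team"}

# Constructed sample reports from two hypothetical scanners, deliberately
# using different field names and severity scales for the same issue.
SCANNER_A_REPORT = [
    {"name": "SQL Injection", "url": "https://app.example/login?user=x",
     "param": "user", "risk": "High"},
    {"name": "Cross Site Scripting (Reflected)",
     "url": "https://app.example/search?q=x", "param": "q", "risk": "Medium"},
]
SCANNER_B_REPORT = [
    {"category": "sql_injection", "uri": "/login", "input": "user", "level": "critical"},
    {"category": "missing_hsts", "uri": "/", "input": None, "level": "low"},
]


@dataclass(frozen=True)
class Finding:
    """Scanner-neutral internal representation of one vulnerability."""
    vuln_type: str            # normalized name, e.g. "sqli", "xss"
    path: str                 # URL path without host or query string
    parameter: str            # affected parameter, or "" if not applicable
    severity: str             # one of SEVERITY_RANK's keys
    sources: Tuple[str, ...]  # scanners that reported it


def normalize_type(raw: str) -> str:
    key = raw.strip().lower()
    return TYPE_ALIASES.get(key, key.replace(" ", "_"))


def normalize_path(url: str) -> str:
    return urlparse(url).path or "/"


def from_scanner_a(report: Iterable[dict]) -> Iterable[Finding]:
    for item in report:
        yield Finding(normalize_type(item["name"]), normalize_path(item["url"]),
                      item.get("param") or "", item["risk"].lower(), ("scanner_a",))


def from_scanner_b(report: Iterable[dict]) -> Iterable[Finding]:
    for item in report:
        yield Finding(normalize_type(item["category"]), normalize_path(item["uri"]),
                      item.get("input") or "", item["level"].lower(), ("scanner_b",))


def deduplicate(findings: Iterable[Finding]) -> List[Finding]:
    """Merge findings that describe the same issue (type, path, parameter),
    keeping the highest reported severity and remembering every source."""
    merged: Dict[Tuple[str, str, str], Finding] = {}
    for f in findings:
        key = (f.vuln_type, f.path, f.parameter)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
            continue
        severity = max(prev.severity, f.severity, key=SEVERITY_RANK.__getitem__)
        merged[key] = Finding(prev.vuln_type, prev.path, prev.parameter,
                              severity, prev.sources + f.sources)
    return sorted(merged.values(), key=lambda x: (-SEVERITY_RANK[x.severity], x.path))


def owner_of(f: Finding) -> str:
    return OWNERS.get(f.path, "platform-team")


def group_for_tickets(findings: Iterable[Finding],
                      key: Callable[[Finding], str]) -> Dict[str, List[Finding]]:
    """Bucket findings so each bucket becomes one bug-tracker ticket
    (key may be type, severity, owner, ...)."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[key(f)].append(f)
    return dict(groups)


# Assumed ModSecurity-style detection operators for the injection classes.
WAF_OPERATORS = {"sqli": "@detectSQLi", "xss": "@detectXSS"}


def waf_rules(findings: Iterable[Finding], start_id: int = 100000) -> List[str]:
    """Emit one narrowly scoped virtual patch per injectable parameter."""
    rules = []
    for n, f in enumerate(findings):
        if f.vuln_type not in WAF_OPERATORS or not f.parameter:
            continue
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {f.path}" '
            f'"id:{start_id + n},phase:2,chain,deny,status:403,'
            f"msg:'virtual patch: {f.vuln_type} in {f.parameter}'\"\n"
            f'    SecRule ARGS:{f.parameter} "{WAF_OPERATORS[f.vuln_type]}"')
    return rules


def run_pipeline() -> List[Finding]:
    return deduplicate([*from_scanner_a(SCANNER_A_REPORT),
                        *from_scanner_b(SCANNER_B_REPORT)])


if __name__ == "__main__":
    unified = run_pipeline()
    for f in unified:
        print(f)
    for team, items in group_for_tickets(unified, owner_of).items():
        print(team, [(i.vuln_type, i.path) for i in items])
    print("\n".join(waf_rules(unified)))
```

The de-duplication key is the part worth thinking hardest about in a real deployment: keying on type, path and parameter merges the two SQL injection reports above into one finding that records both scanners as sources, but scanners that report the same issue under different paths (trailing slashes, rewritten URLs) or that disagree on the parameter name will still produce duplicates unless the normalization step canonicalizes those too.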

Version 1.0 of ThreadFix has built-in support for some of the most commonly used vulnerability scanners and bug tracking systems. However, support for other systems can be easily added through plug-ins, said Dan Cornell, principal and chief technology officer at Denim Group.

ThreadFix uses Java on the server side, but vulnerability reports are managed through a standard Web-based interface that doesn't require Java support inside the browser. It can be downloaded either as a .zip archive, suitable for testing the product, that bundles an SQL database server and the Apache Tomcat Web server, or as a pre-configured virtual machine appliance based on Linux, MySQL and Apache, Cornell said.

ThreadFix has been in development internally at Denim Group for the past two years and a beta version has been publicly available since earlier this year. The company's strategy is to offer the product for free under an open source license and provide commercial support and consultancy services to organizations that need help deploying it in their environments.
