Skip Links

Free Web tool consolidates data on code vulnerabilities

ThreadFix gives coders a central, strategic view of software bugs, status

By , Network World
February 08, 2012 11:06 AM ET

Network World - Enterprise coders can now use an open source Web application that lets them consolidate software vulnerability data from a range of scanning and test tools. With a centralized view, and reporting and management tools, ThreadFix speeds the work needed to fix software bugs and vulnerabilities, including those in proliferating mobile apps.

The beta version of ThreadFix is available via GoogleCode, along with tutorials and a range of support information (see links below). It can be easily configured to import test and scan results from open source tools such as Bugzilla for bug tracking, and Skipfish, an active Web application security reconnaissance tool, as well as commercial products like Fortify (now part of HP), a comprehensive software security assurance system, and IBM's Rational AppScan product set.

CAREERS: Speciality certification targets mobile app security 

ThreadFix has been in development for nearly two years at Denim Group, a San Antonio-based software development house that specializes in secure custom applications, and in secure application consulting services. It was developed internally to fill a gap in software shops that rely on multiple brands of security and coding tools, but often lack a single view across the development projects of the type, severity, and status of code vulnerabilities. It's being made available now, as a free, open beta release. Denim makes money on among other things, providing a range of secure software development services, including training and support.

"What we notice, is that development organizations even when they adopt comprehensive software security solutions, often do so in a 'shallow' way," says principal Dan Cornell, Denim's informally designated CTO. "For example, they may occasionally run code scans, but they're not doing it repeatedly over time. And most organizations don't standardize wholesale on a single-vendor solution: they have multiple tools, multiple languages, multiple approaches to development."

The result, Cornell says, is that software security often lacks a strategic focus, and companies can't see how their development practices are faring over time in minimizing vulnerabilities, nor how the effectiveness of those practices compare with peers in their industry segment.

Threadfix pulls data from this mix of tools, consolidates it, and lets developers and managers filter it based on a range of criteria. It also lets you, for example, export a group of SQL injection vulnerabilities to a bug tracking tool, for a team to remedy. Threadfix then picks up the updated code scan results and captures and reflects the fixed vulnerabilities.

Creating a central view of such information is critical for companies in the increasingly fast-moving world of online and mobile applications where not only enterprise data but private, confidential information of potentially millions of customers might be at risk.

Online scanning services, from companies such as Veracode and WhiteHat Security have quantified this risk, says Cornell's partner, John Dickson. "Some of the worst application vulnerabilities will last 70 to 100 days before they get patched," he says. One reason for that is that the enterprise security team, the people "who worry about software" - and the software development team - the people "who can do something about the software" - are often in separate organizations, and aren't able to coordinate effectively. ThreadFix's Web UI is intended to bridge this gap, Dickson says.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News