Denim Group's ThreadFix: Open Source Application Vulnerability Management

New open source tool makes rhyme and reason of application vulnerability management

In the information security space we are very lucky to have a plethora of great open source tools that almost all security pros use. Names like Snort, Metasploit, Nmap and ClamAV may not be household names, but they are the meat and potatoes of many a security admin's tool set. A new tool is now being added to this open source security toolset: ThreadFix. ThreadFix allows organizations to manage application vulnerability data, pen test data and threat modeling in one application.

ThreadFix is a product of the Denim Group, a well-known security company that specializes in secure code development. Like many open source projects, ThreadFix was born out of Denim Group's own need for a place to keep all of the data and findings they gathered when testing various applications and code. I had a chance to speak with Dan Cornell, Denim Group CTO, about ThreadFix. Dan told me that if there was something else already out there that did what ThreadFix does, they would not have bothered to develop it. But the fact is there is nothing. Companies like Denim Group, and even internal secure development teams at enterprises, will typically use a variety of different application vulnerability scanners and pen testing tools to look for bugs in an application. Keeping track of what was found by these disparate scanners and tools, prioritizing those findings and tracking them was a priority, but short of a good old spreadsheet, there was nothing to use. So Denim developed ThreadFix for their own internal use. Now they have released it under an open source license for everyone to use. Cornell, of course, hopes that others using it will contribute any improvements they make, such as support for importing even more kinds of scan data.

Application vulnerability management is a very hot and relatively new area in security. The vulnerability management of operating systems, hardware and other software is much more mature and established. Companies like Qualys, nCircle, Tenable Network Security and Rapid7 have well-established vulnerability scanners as part of their vulnerability management products. In fact, many of these companies have also added application scanning, and in some cases pen testing, to their suites. Having a tool dedicated to managing application vulnerabilities is related to, but different from, the vulnerability management that traditional vulnerability vendors offer.

Cornell also believes that ThreadFix is the first tool that will bring the security team in sync with the application development team. Too often the application folks develop an application and, after the fact, the security team tests it, but there is little communication between them. The security team sends a report back to the app developers, who may or may not be very concerned about prioritizing the security team's findings. ThreadFix will allow both groups to work together.

In working together, both app development and security will be able to plan a course of action based upon established guidelines. Remediation will proceed in an order that is visible to everyone. Cornell feels that if ThreadFix can get these two teams to work together, it will be a smashing success.

Another plus that ThreadFix provides is that it can generate WAF (Web Application Firewall) rules based upon the vulnerabilities that are found and imported into the tool. This is a really valuable feature that allows an organization to protect itself until vulnerabilities in the code are fixed.

All in all, ThreadFix promises to be a great addition to the open source security tools matrix. It is released under the well-known and respected Mozilla license. The question that remains is whether teams outside of Denim Group will adopt this tool. If they don't, it will be their loss.


Copyright © 2012 IDG Communications, Inc.
