Enterprise coders can now use an open source web application that lets them consolidate software vulnerability data from a range of scanning and test tools. With a centralised view and reporting and management tools, ThreadFix speeds the work needed to fix software bugs and vulnerabilities, including those in proliferating mobile apps.
The beta version of ThreadFix is available via Google Code, along with tutorials and a range of support information. It can be easily configured to import test and scan results from open source tools such as Bugzilla for bug tracking, and Skipfish, an active web application security reconnaissance tool, as well as commercial products like Fortify, a comprehensive software security assurance system, and IBM's Rational AppScan product set.
ThreadFix has been in development for nearly two years at Denim Group, a software development house that specialises in secure custom applications, and in secure application consulting services. It was developed internally to fill a gap in software shops that rely on multiple brands of security and coding tools, but often lack a single view across the development projects of the type, severity and status of code vulnerabilities. It's being made available now, as a free open beta release. Denim makes money on among other things, providing a range of secure software development services, including training and support.
"What we notice is that development organisations even when they adopt comprehensive software security solutions, often do so in a 'shallow' way," says principal Dan Cornell, Denim's CTO. "For example, they may occasionally run code scans, but they're not doing it repeatedly over time. And most organisations don't standardise wholesale on a single-vendor solution: they have multiple tools, multiple languages, multiple approaches to development."
The result, Cornell says, is that software security often lacks a strategic focus, and companies can't see how their development practices are faring over time in minimising vulnerabilities, nor how the effectiveness of those practices compare with peers in their industry segment.
ThreadFix pulls data from this mix of tools, consolidates it, and lets developers and managers filter it based on a range of criteria. It also lets you, for example, export a group of SQL injection vulnerabilities to a bug tracking tool for a team to remedy. Threadfix then picks up the updated code scan results and captures and reflects the fixed vulnerabilities.
Creating a central view of such information is critical for companies in the increasingly fast moving world of online and mobile applications where not only enterprise data but private confidential information of potentially millions of customers might be at risk.
Online scanning services, from companies such as Vericode and WhiteHat Security have quantified this risk, says Cornell's partner, John Dickson. "Some of the worst application vulnerabilities will last 70 to 100 days before they get patched," he says. One reason for that is that the enterprise security team, the people "who worry about software" - and the software development team - the people "who can do something about the software" - are often in separate organisations, and aren't able to coordinate effectively. ThreadFix's web UI is intended to bridge this gap, Dickson says.
A scanning tool can come up with a long list of vulnerabilities. But ThreadFix can break the list into chunks, filtered by type of vulnerability and severity for example. Development teams can be assigned to attack a cluster of the same kind of problems, cranking out fixes more efficiently than if each one was separately assigned to a separate developer. "That sounds simple, but it's actually a huge issue between the security/vulnerabilities group and the software developers," Cornell says.
With centralised data, software and security staff can see all vulnerabilities for a given application or across the entire software inventory, see trends to know if code vulnerabilities are becoming more or less frequent and calculate the average time it takes to implement bug fixes.
ThreadFix can be downloaded at no charge from Google Code. You then configure user groups, such as the developers for an ecommerce application, or teams in geographical locations. With each group, you create a record for each application and identify the scanning and tracking tools being used. You configure ThreadFix to import data from each tool, and ThreadFix collects, aggregates and tracks this information over time. A "getting started" tutorial walks you through this initial configuration.