threadfix 2.4: maximizing the impact of your application security resources
Post on 13-Apr-2017
© 2016 Denim Group – All Rights Reserved
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Dan Cornell (@danielcornell)
Agenda
• ThreadFix Overview
• Major 2.4 Updates
• Questions
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Major 2.4 Updates
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
Vulnerability Triage
• Saved view state
• Vulnerability pivots
• Version tracking
• Source code display
Saved View State
• Saves vulnerability display status
• Saves filter state
• Leads to easier, more intuitive navigation
Vulnerability Pivots
• Previous pivots were fixed: Criticality, CWE
• Can now set:
  • Primary
  • Secondary
• Allows for more flexible and customized filtering
Version Tracking
• Can now name “points in time” for applications
• Displayed along trending graphs
• Tags vulnerabilities present in specific versions
• Allows better progress tracking over time
Source Code Display
• This used to be really bad
• Now it is better
• Allows for faster, more intuitive vulnerability triage
Flexible Vulnerability Management
• Defect defaults
• Multiple defect trackers
Defect Defaults
• Contributed by Samsung ARTIK (thanks!)
• Originally available in ThreadFix 2.3 releases
• Allows setting defaults for defects created by ThreadFix
• Makes creating defects for vulnerabilities much faster and more standardized
Multiple Defect Trackers
• Can now attach multiple defect trackers to an application. For example:
  • One for application vulnerabilities
  • One for infrastructure/configuration vulnerabilities
• Allows for much more flexible handling of vulnerabilities
Integrations
• Checkmarx Remote Provider
• On-Premise Contrast Support
• Bulk Application Import
Checkmarx Remote Provider
• Can now import via the Checkmarx API rather than individual file upload
• Makes integration with Checkmarx much easier to set up and maintain
On-Premise Contrast Support
• Have supported cloud-based Contrast for a while
• Now supports on-premise Contrast Enterprise
• Allows support for more Contrast implementations
Bulk Application Import
• Allows for creation of applications based on the portfolio managed in a Remote Provider
• Allows for much faster initial ThreadFix deployment and configuration
Administration Updates
• User Auditing
• SAML Support
User Auditing
• Can see login history of ThreadFix users, including failed logins
• Allows for better situational awareness of user activity
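The slide only says that login history, including failed logins, is now visible. What a defender does with such a trail is summarize it per user and look for runs of consecutive failures. The following Python is an added example written for this page, not ThreadFix code; the record format (timestamp, user, source IP, outcome) and the sample rows are constructed for the illustration.

```python
"""Added example (not ThreadFix code): reviewing a user login audit trail.

Summarizes per-user login activity and flags users whose trail contains a run
of consecutive failed logins. The record format and sample rows are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit records in the form "timestamp,user,source_ip,outcome".
AUDIT_LOG = """\
2017-04-10T08:01:12Z,alice,10.0.0.5,SUCCESS
2017-04-10T08:15:40Z,bob,10.0.0.9,FAILURE
2017-04-10T08:15:55Z,bob,10.0.0.9,FAILURE
2017-04-10T08:16:10Z,bob,10.0.0.9,FAILURE
2017-04-10T08:16:30Z,bob,10.0.0.9,FAILURE
2017-04-10T08:17:02Z,bob,10.0.0.9,SUCCESS
2017-04-10T09:00:00Z,carol,10.0.1.20,FAILURE
2017-04-10T09:30:00Z,carol,10.0.1.20,SUCCESS
"""


@dataclass
class LoginEvent:
    when: datetime
    user: str
    source_ip: str
    success: bool


def parse_audit_log(text: str) -> list[LoginEvent]:
    """Parse the constructed CSV-style records into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, outcome = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(when, user, ip, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.when)


def login_summary(events: list[LoginEvent]) -> dict:
    """Per user: total attempts, failures and the time of the last success."""
    summary = {}
    for e in events:
        s = summary.setdefault(
            e.user, {"attempts": 0, "failures": 0, "last_success": None}
        )
        s["attempts"] += 1
        if e.success:
            s["last_success"] = e.when
        else:
            s["failures"] += 1
    return summary


def failure_runs(events: list[LoginEvent], threshold: int = 3) -> dict:
    """Users whose longest run of consecutive failures reaches `threshold`.

    A success resets the run, so four failures followed by a success still
    counts as a run of four: that is the pattern worth a closer look.
    """
    longest = defaultdict(int)
    current = defaultdict(int)
    for e in events:
        if e.success:
            current[e.user] = 0
        else:
            current[e.user] += 1
            longest[e.user] = max(longest[e.user], current[e.user])
    return {u: n for u, n in longest.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for user, s in login_summary(evs).items():
        print(user, s)
    print("users with failure runs:", failure_runs(evs))
```

The threshold is deliberately a parameter: a single failed login is normal, while a run of several followed by a success is the event an administrator wants surfaced from the history view.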
SAML Support
• Allows for login via SAML
• Supports enterprise authentication / authorization implementations
Vulnerability Prioritization (“Hot Spots”)
• Detect vulnerabilities in shared internally-developed code and components
• Which vulnerability fixes can be a “force multiplier”?
• Get the most value from a limited remediation budget
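The hot-spot idea above, and the configurable primary/secondary pivots from the Vulnerability Pivots slide, both come down to grouping findings by the right keys. The following Python is an added example written for this page, not ThreadFix code: `pivot` counts findings by any two attributes (the slides name Criticality and CWE as the old fixed pivots), and `hot_spots` ranks code locations by how many distinct applications report a finding there, which is where one fix removes findings in several apps. The field names, the component-path convention and the sample findings are assumptions constructed for the example.

```python
"""Added example (not ThreadFix code): vulnerability pivots and hot-spot ranking.

Findings are constructed records; `pivot` groups them by a configurable
primary and secondary attribute, and `hot_spots` finds shared components
whose fix would remove findings from several applications at once.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str          # application the scan result belongs to
    severity: str     # Critical / High / Medium / Low
    cwe: int          # CWE identifier of the weakness
    component: str    # shared library or file where the finding was reported


# Constructed findings for three applications that share two internal
# components ("shared/...") alongside their own code.
FINDINGS = [
    Finding("billing", "High",      89, "shared/db/QueryBuilder.java"),
    Finding("billing", "Medium",    79, "billing/web/Invoice.jsp"),
    Finding("portal",  "High",      89, "shared/db/QueryBuilder.java"),
    Finding("portal",  "Critical",  79, "shared/web/Escaper.java"),
    Finding("reports", "High",      89, "shared/db/QueryBuilder.java"),
    Finding("reports", "Low",      200, "reports/export/Csv.java"),
    Finding("reports", "Critical",  79, "shared/web/Escaper.java"),
]


def pivot(findings, primary: str, secondary: str) -> dict:
    """Count findings by (primary, secondary) attribute name.

    pivot(FINDINGS, "severity", "cwe") reproduces the old fixed pivot;
    any other pair of Finding fields works the same way.
    """
    table = defaultdict(Counter)
    for f in findings:
        table[getattr(f, primary)][getattr(f, secondary)] += 1
    return {k: dict(v) for k, v in table.items()}


def hot_spots(findings, min_apps: int = 2) -> list:
    """Components with findings in at least `min_apps` distinct applications.

    Returns (component, distinct_apps, total_findings) tuples, ranked by
    number of applications affected, then by total findings, then by name.
    """
    apps = defaultdict(set)
    total = Counter()
    for f in findings:
        apps[f.component].add(f.app)
        total[f.component] += 1
    ranked = [
        (c, len(a), total[c]) for c, a in apps.items() if len(a) >= min_apps
    ]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    print(pivot(FINDINGS, "severity", "cwe"))
    for component, n_apps, n_findings in hot_spots(FINDINGS):
        print(f"{component}: {n_apps} apps, {n_findings} findings")
```

Ranking by distinct applications first, rather than by raw finding count, is the point of the slide: a component that appears once in each of three applications is a better use of a fixed remediation budget than one with three findings in a single application.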
Major 2.4 Updates
• Vulnerability Triage
• Flexible Vulnerability Management
• Integrations
• Administration Updates
• Vulnerability Prioritization (“Hot Spots”)
Questions / Contact Information
Dan Cornell, Principal and CTO
dan@denimgroup.com
Twitter: @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.it