By Dan Cornell
We're getting so close to the 1.0 release! I'm sure you all are as excited as I am. We just uploaded the Beta20 build to the Google Code download area - check it out. Highlights of this release include:
- Much-improved Fortify support that can deal with arbitrarily large files. (We had a bit of a boneheaded bug before that copied the entire contents of the file into a byte array which pretty much negates any scalability benefits of using XML SAX parsing. Fixed now!)
- An updated front-end UI that can deal with many more results. This has been tested with around 100k vulnerabilities for a single application; hopefully your apps aren't on the high side of that number...
- The first round-trip-tested version of our Imperva virtual patching. There will probably still be some updates, but at least what we are generating right now has been through the full scan/generate rules/install rules/re-scan sequence.
- Overhauled JIRA bug tracker integration using their recommended REST API.
- Various other bug fixes.
- We now have a Google Group dedicated to ThreadFix. This should act as a project mailing list, message board, and so on. Join up here.
- We also now have a pre-installed VM appliance that will be more suitable for production use than the beta builds we've been delivering as ZIP files with pre-configured Tomcat/HSQL. The VM is Linux-based and has pre-installed and pre-configured Apache/Tomcat/mod_jk/MySQL so you should just be able to give it some memory, assign it some disk space and be off to the races with a durable ThreadFix installation. To do this we used a combination of various DevOps tools - Fabric, Chef and Vagrant. We will be putting up a blog post (next week?). Check out this page for more information on downloading and spinning up the ThreadFix VM appliance. The current version is a starting point - we'll be pushing some updates out here pretty quickly.
- I just got back from a week in Las Vegas where we demonstrated ThreadFix at the BlackHat Arsenal and I gave a talk with Josh Sokol at BSidesLV on Symbiotic Security, using ThreadFix as an example of how security tools can be made to work together. Check out this blog post for a recap of last week in Vegas showing off ThreadFix. The ToolsWatch folks also put up a post about this.
- I found out that Josh and I will be giving an updated version of our talk at HouSecCon on October 11th, 2012. I've been to all of the HouSecCons and they've been great - hope to see folks there.
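For anyone curious about the Fortify scalability bug mentioned above, here is an added illustration (not ThreadFix's own import code) of the two shapes side by side: slurping the whole file into a byte array before parsing versus letting SAX pull from the stream. The `Vulnerability` element name and the sample document are constructed for the demo, not taken from a real Fortify export.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.helpers.DefaultHandler;

public class StreamingScanImport {

    /** Counts Vulnerability elements as they stream past; no DOM, no copy of the file. */
    static final class VulnCounter extends DefaultHandler {
        int count;

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("Vulnerability".equals(qName)) {
                count++;
            }
        }
    }

    // The buggy shape: read the entire file into memory first, then hand SAX a copy.
    // Peak memory grows with file size before a single element has been parsed,
    // which throws away the reason for using SAX in the first place.
    static int countSlurped(InputStream in) throws Exception {
        byte[] whole = in.readAllBytes();
        return countStreamed(new ByteArrayInputStream(whole));
    }

    // The fixed shape: SAX reads the stream in small chunks, so memory stays flat
    // no matter how large the export is. Same handler, same result.
    static int countStreamed(InputStream in) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Scan exports are untrusted input: refuse DOCTYPE so no external entities resolve.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        SAXParser parser = factory.newSAXParser();
        VulnCounter handler = new VulnCounter();
        parser.parse(in, handler);
        return handler.count;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; a real Fortify file is far larger and structured differently.
        String xml = "<Scan>" + "<Vulnerability id=\"1\"/>".repeat(3) + "</Scan>";
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println("streamed count: " + countStreamed(in));
    }
}
```

Pass a `FileInputStream` straight into `countStreamed` to import a large file without ever holding it in memory; `countSlurped` is there only to show the pattern that was removed.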