By Dan Cornell
ThreadFix 1.1 (final) is now available for download! You can pick up the ZIP (demonstration) install from the Google Code downloads site or you can pick up the VM image (for production use).
There were a whole lot of new features added and bugs updated during the 1.1 development cycle. You can see a full list of the Release 1.1 changes in the Google Code issue tracker. Some highlights include:
- New dynamic scanner support for IBM Rational AppScan Enterprise and NTObjectives NTOSpider
- New static scanner support for IBM Rational AppScan Source which is a HUGE update over the previous Ounce-based importer
- Support for Microsoft Team Foundation Server (TFS) as a defect tracker
- Overhauled support for the JIRA defect tracker
- Vastly improved Active Directory (AD) and LDAP support
- Vulnerability comments and discussions
- Updated role-based security model to support larger enterprise deployment requirements
- License update from Mozilla Public License (MPL) 1.1 to 2.0
- Lots of usability improvements, bug fixes and minor feature enhancements
I wanted to extend a personal thanks to the individuals and organizations who have helped ThreadFix get to this point by providing funding, sending feedback, submitting bugs and otherwise just being a part of the growing ThreadFix community. Hearing from ThreadFix users is thrilling, occasionally humbling and always valuable for us. Feedback is the breakfast of champions, so we really appreciate hearing the good, the bad and the ugly.
Looking to keep track of ThreadFix? Here are some resources:
- Join the ThreadFix Google Group for release announcements and discussions with other users on how to get ThreadFix set up and how to get the most from your installation
- Submit bugs and feature requests to our issue tracker
- Keep an eye on the Denim Group blog for posts about ThreadFix releases as well as general discussion of related topics like running software security programs
- If you're interested in commercial support for ThreadFix - installation, configuration, customization - let us know and we will be happy to help
We also sent out a press release for the occasion and the text of that release is:
Denim Group releases Vulnerability Management Platform ThreadFix 1.1 With More Enterprise-Class Features to Meet Customer Demand
ThreadFix Aggregates Disparate Vulnerability Test Results And Delivers A Prioritized List of Software Defects To The Development Team To Secure Applications Faster & More Easily
SAN ANTONIO, TX – March 25, 2013 – Denim Group, the leading secure software development company, today announced ThreadFix 1.1, an intelligent open-source application management platform that imports test results from a variety of testing tools to present a centralized view of the security status of corporate applications throughout the organization. ThreadFix 1.1 has been upgraded with a variety of enterprise-class capabilities, all sponsored by large organizations eager to adopt this innovative platform into their organization to speed up the securing of their customer-facing and internal applications.
“Large organizations are seeing the value of consolidating duplicate vulnerability information generated by overlapping reports into a centralized dashboard, enabling their teams to release applications into the marketplace that are not only feature-rich but resilient and secure,” said Dan Cornell, Denim Group CTO. “Having access to all the available information about a given vulnerability in one spot improves the communications conduit between the developers and security team to such a level that productivity is increased without sacrificing quality, and that’s a win-win for the whole industry.”
ThreadFix imports dynamic, static and manual testing results into a centralized console that removes duplicate findings across multiple testing platforms to provide a prioritized list of the security vulnerabilities for each corporate application. These results can be quickly exported into defect trackers used by the company’s software developers, injecting these security tasks into their regular work flow. ThreadFix also uses this vulnerability data to automatically generate web application firewall and IDS/IPS rules that ensure sensitive corporate data is protected during the application repair process. Based on alerts from these virtual patch rules, ThreadFix also tracks current attack attempts, enabling the system to provide a real-world view of the criticality of individual vulnerabilities. Finally, ThreadFix provides trending reports, enabling team members as well as management to track and improve productivity over time.
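The paragraph above describes the core aggregation step at a high level: findings from several tools are normalized, duplicates that describe the same weakness at the same location are collapsed, and the result is ranked for the development team. The following is an added illustration of that idea written for this post; it is not ThreadFix's own code and not part of the press release. The scanner names, report fields, severity scale and sample findings are all constructed for the example.

```python
"""Cross-scanner finding de-duplication and prioritisation.

Added illustration of what a vulnerability aggregator does with results
from several testing tools. Not ThreadFix's code; every tool name, field
and sample value below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed common severity scale. Real tools each have their own scale,
# so the first job of an aggregator is to map them onto one ranking.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Finding:
    """One raw finding as reported by a single tool (constructed schema)."""
    tool: str
    cwe: int
    path: str
    parameter: str
    severity: str


@dataclass
class Vulnerability:
    """One merged vulnerability, with the tools that corroborate it."""
    cwe: int
    path: str
    parameter: str
    severity: str
    sources: list = field(default_factory=list)


def normalize_path(path: str) -> str:
    """Drop the query string and trailing slash, lower-case the rest, so that
    "/Search/" and "/search?q=x" are recognised as the same location."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return path.lower()


def merge_findings(findings):
    """Collapse findings sharing (CWE, normalised path, parameter).

    The highest severity any tool reported is kept, and each reporting tool
    is recorded once so the consumer can see how well-corroborated it is."""
    merged = {}
    for f in findings:
        key = (f.cwe, normalize_path(f.path), f.parameter.lower())
        if key not in merged:
            merged[key] = Vulnerability(f.cwe, key[1], key[2], f.severity, [f.tool])
            continue
        v = merged[key]
        if f.tool not in v.sources:
            v.sources.append(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[v.severity]:
            v.severity = f.severity
    return list(merged.values())


def prioritize(vulns):
    """Order for the development team: severity first, then the number of
    independent tools that reported the same issue."""
    return sorted(
        vulns,
        key=lambda v: (SEVERITY_RANK[v.severity], len(v.sources)),
        reverse=True,
    )


# Constructed sample results: two hypothetical dynamic scanners and one
# hypothetical static scanner reporting overlapping issues on one application.
SAMPLE_FINDINGS = [
    Finding("dynamic-scanner-A", 79, "/search?q=test", "q", "Medium"),
    Finding("dynamic-scanner-B", 79, "/Search/", "Q", "High"),
    Finding("static-scanner", 79, "/search", "q", "Medium"),
    Finding("dynamic-scanner-A", 89, "/login", "username", "Critical"),
    Finding("dynamic-scanner-B", 22, "/download", "file", "High"),
]


def dedupe_and_rank(findings=SAMPLE_FINDINGS):
    """Full pipeline: merge duplicates, then rank. Returns the ordered list."""
    return prioritize(merge_findings(findings))


if __name__ == "__main__":
    for v in dedupe_and_rank():
        print(f"CWE-{v.cwe:<3} {v.severity:<8} {v.path} [{v.parameter}] "
              f"reported by {', '.join(v.sources)}")
```

On the constructed input the three cross-site scripting reports for `/search` collapse into one vulnerability carrying the highest reported severity and all three tool names, which is exactly the "consolidating duplicate vulnerability information" the release refers to; the SQL injection finding ranks first on severity alone, and the corroboration count breaks the tie among equal severities.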
The new version of ThreadFix is now compatible with several sophisticated tools to better fulfill the needs of enterprise-wide application development teams. For example, in addition to the Bugzilla and JIRA bug trackers, ThreadFix’s prioritized and aggregated results can now also be exported into Microsoft Team Foundation Server, the collaboration platform at the core of Microsoft's application lifecycle management used in many enterprises. As a result of this integration, it is much easier to work with both the developers and the security analysts as both teams continue to use tools they already know. The integration of both the NTOSpider and IBM Security AppScan Enterprise dynamic analysis testing platforms as well as the static analysis IBM Security AppScan Source tool enables ThreadFix to now import testing results from more than 20 software security testing tools and services, making ThreadFix usable by a wider range of organizations.
ThreadFix 1.1 also offers tighter integration with Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) authentication, enabling ThreadFix to be better integrated into the enterprise workflow. As a result, ThreadFix users can now be included in the centralized enterprise management system provided by LDAP and AD to manage user accounts. The corporation’s software developers and security experts that use ThreadFix across the enterprise will no longer need to manage multiple user IDs and passwords. The integration also allows access rules to be applied on a “need-to-know” basis to better reflect real-world team roles and further improve the organization’s overall security posture.
ThreadFix also now allows security and development teams to add comments and context to individual vulnerability content, enabling meaningful two-way communications that enhance the quality of remediation efforts. The individualized notes decrease team distractions while improving internal communication about the code’s content. The result is shorter development and test cycles, once again, accelerating the application vulnerability resolution process.
With these multi-tool and multi-team capabilities, ThreadFix is setting the standard for application security management within organizations of all sizes. Initially released in September of 2012, the open-source application has been downloaded over two thousand times and has been used to successfully reduce the time required to fix critical application software vulnerabilities. The product’s growing momentum with several Fortune 500 and government organizations demonstrates how large enterprises are embracing ThreadFix as a critical enabling platform to more effectively manage application software security programs.
Immediately available, ThreadFix 1.1 can be downloaded through the following link: http://www.denimgroup.com/threadfix. Denim Group also offers additional commercial support and implementation services for organizations deploying ThreadFix. To learn more, contact Denim Group at firstname.lastname@example.org or (210) 572-4400.
About Denim Group
Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, languages and applications. What makes Denim Group unique is that the company brings significant core competencies in software security to the table, offering an innovative blend of secure software development, testing and training capabilities that protect a company's biggest asset, its data.
Denim Group customers span an international client base of commercial and public sector organizations across the financial services, banking, insurance, healthcare and defense industries. Its depth of experience building large-scale software development systems in a secure fashion has made the company’s leaders recognized experts in their fields. Denim Group has been recognized as one of the 5,000 Fastest Growing Companies by Inc. Magazine five years in a row, and has won multiple awards including its recent accolades as one of the best places to work in San Antonio. For more information about Denim Group visit http://www.denimgroup.com.
Denim Group is a registered service mark of Denim Group, Ltd. Other names and brands may be claimed as the property of others.
dan _at_ denimgroup.com