1. © 2019 Denim Group – All Rights Reserved
Assessing Business Operations Risk with Unified Vulnerability Management in ThreadFix 3.0
03/28/2019
Dan Cornell, CTO
Kyle Pippin, ThreadFix Product Manager
2.
• Advisory Services
• Assessment Services
• Remediation Services
• Vulnerability Resolution Platform
Building a world where technology is trusted
• Since 2001, helping secure software
• Development background
• Tools + services model
3.
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
• Provide access to powerful analytics
44% reduction in time-to-fix vulnerabilities
Up to 5x increase in AppSec assessment productivity
4.
ThreadFix Data Flow
5.
Who Benefits and How?
• Security Team
  • Run more efficient and effective application security programs (200-500% increase in testing throughput, 15-35% reduction in findings requiring triage)
• Development Teams
  • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc.)
• Risk-management Team
  • Faster resolution of key vulnerabilities (up to 44% reduction in mean-time-to-fix)
6.
Test Result Consolidation
• Organizations typically see a 15-35% reduction in finding count due to normalization and de-duplication.
• Includes technology from Denim Group patents:
  • US 10,043,012 Method of Correlating Static and Dynamic Application Security Testing Results for Web Applications
  • US 10,043,004 Method of Correlating Static and Dynamic Application Security Testing Results for a Web and Mobile Application
7.
Integrate & Automate
Diagram: Findings & Vulnerability Management Pipeline. Scanner input (e.g. SecurityCenter) flows through automated/orchestrated pre-processing (De-Dup, Merge, Correlate, History, Settings, Policy, False Positives, Risk Triage, Consolidate) to reduce the vulnerabilities to manage; the remainder is managed by policy and settings (Remediation, Profiles, Templates) and surfaced as actionable, tracked insights (Verification, HotSpots, Alerting). A single portal serves ITAOs, Devs, SMEs and SecChamps; Devs and SMEs work in their daily tools and existing workflows, while security program and policy management and reporting use Tableau, Business Objects, Power BI, Archer, custom reporting, external system integration, or manual steps.
8.
Orchestrate
Build Sec into DevOps:
• Integrate automated Sec into CI/CD
• Orchestrate scans
• Rapid pass/fail/warn based on predefined policies
• Auto creation of bugs for Dev Team
Diagram, an example of ThreadFix’s security orchestration: Dev (CI/CD) auto build → Sec check; Sec → auto execute scanners → Sec pass/fail/warn; bugs (Sec vulns) → bug trackers.
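As an added example, not ThreadFix’s own code, here is the shape of the pass/fail/warn check the slide describes: findings from two hypothetical scanners (constructed, with invented field names) are normalized to one record shape, de-duplicated as on the consolidation slide, and judged against a predefined policy.

```python
# Added example (not ThreadFix code): a minimal CI "Sec check" in the spirit of
# the orchestration and consolidation slides. Output from two hypothetical
# scanners is normalized to one record shape, de-duplicated, then judged against
# a predefined policy to yield pass/warn/fail. All scanner fields are constructed.
from collections import Counter

SAST_FINDINGS = [  # constructed static-analysis output
    {"cwe": 89, "severity": "Critical", "file": "app/db.py", "line": 42},
    {"cwe": 79, "severity": "High", "file": "app/views.py", "line": 10},
]
DAST_FINDINGS = [  # constructed dynamic-scan output, different schema
    {"cweId": "CWE-89", "risk": "high", "url": "/search", "param": "q"},
    {"cweId": "CWE-79", "risk": "medium", "url": "/profile", "param": "name"},
    {"cweId": "CWE-79", "risk": "medium", "url": "/profile", "param": "name"},  # repeat
]
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Predefined policy: fail on any critical; warn when more than warn_max highs remain.
POLICY = {"fail_at": "critical", "warn_at": "high", "warn_max": 1}

def normalize(sast, dast):
    """Map both scanner schemas onto (cwe, severity, location) records."""
    out = []
    for f in sast:
        out.append({"cwe": int(f["cwe"]), "severity": f["severity"].lower(),
                    "location": f"{f['file']}:{f['line']}"})
    for f in dast:
        out.append({"cwe": int(f["cweId"].split("-")[1]), "severity": f["risk"].lower(),
                    "location": f"{f['url']}?{f['param']}"})
    return out

def dedupe(findings):
    """Collapse repeats of the same CWE at the same location, keeping the worst severity."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        if key not in merged or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[merged[key]["severity"]]:
            merged[key] = f
    return list(merged.values())

def gate(findings, policy=POLICY):
    """Return 'fail', 'warn' or 'pass' for a de-duplicated finding set."""
    counts = Counter(f["severity"] for f in findings)
    if any(SEVERITY_RANK[s] >= SEVERITY_RANK[policy["fail_at"]] for s in counts):
        return "fail"
    warns = sum(n for s, n in counts.items() if SEVERITY_RANK[s] >= SEVERITY_RANK[policy["warn_at"]])
    return "warn" if warns > policy["warn_max"] else "pass"

if __name__ == "__main__":
    unique = dedupe(normalize(SAST_FINDINGS, DAST_FINDINGS))
    print(len(unique), "unique findings ->", gate(unique))  # 4 unique findings -> fail
```

In a real pipeline the "fail" result would block the build and each unique finding would become a defect in the team's tracker, as the slide's flow shows.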
9.
Defect Tracker Integration
• Bi-directional integration: bundle vulnerabilities into software defects, track development team progress resolving them
• Reduction of Mean Time To Fix (MTTF) up to 44%
10.
Outsource Testing via ThreadFix
• Make service requests from ThreadFix and receive and view results directly within the platform
• Gives organizations both strategic and tactical flexibility:
  • Strategic: “What technologies and capabilities do we want to manage in-house, and what do we want to outsource?”
  • Tactical: Provides surge access to delivery capabilities when needed
13.
Applications and Their Infrastructure
• Applications expose organizations to risk
• But applications run on infrastructure
  • Servers, routers, NLBs
• Infrastructure also exposes organizations to risk
• ThreadFix 3.0 treats network and infrastructure assets as first-class items
14.
Unified Vulnerability Management
• Define “networks”
• Import scanning results
  • Tenable Nessus
  • Qualys
  • Rapid7 InsightVM
• Correlate applications with their infrastructure
• Provides a unified view into risk from vulnerabilities
15.
Bonus: New UI/UX
16.
Demo InfoSec
17.
Architectural Changes
• Microservices architecture
• Stream-based data ingestion
• Elasticsearch-based reporting
  • More powerful and flexible tuning and scaling
• Containerized
  • Easy to install
  • Easy to maintain
18.
Demo Unified Environment
19.
ThreadFix 3.0 Summary
• Network and infrastructure support and correlation provides unified vulnerability management
• Embedded outsourced testing allows for strategic and tactical decisions about your security program
• New architecture provides for easier installation, maintenance, and scaling
20.
www.threadfix.it
www.denimgroup.com
dan@denimgroup.com
kyle@denimgroup.com
threadfix.it