The tempo for software delivery to the warfighter continues to accelerate to meet the goals and demands of their missions. Pressures to rapidly build and deploy mission software drive the need to deliver new capabilities via DevSecOps pipelines. Many of the latest leading-edge DevSecOps practices draw heavily from commercial tech companies and innovative programs across DoD like Kessel Run. What are these latest trends, and how do you take advantage of them? How do you quantify the risk of microservices, new languages and frameworks, and cloud environments and still obtain authority to operate (ATO)? The ThreadFix platform has built-in automation and orchestration capabilities to enable your teams to provide immediate feedback in the form of policy evaluation, notifications in the form of emails and automated developer defect creation, and decision-making on your CI program as scan results are generated. In addition to built-in automation, plugins and the ThreadFix API enable CI programs to seamlessly integrate security testing into existing build/release pipelines to provide evaluation of code changes directly to your development tools. These key issue items and other trends will be discussed in this highly interactive briefing, providing critical insights on how to inject agility and responsiveness into environments that have traditionally struggled to keep pace with modern development approaches.

1. © 2020 Denim Group – All Rights Reserved
Thanks for joining our webinar!
We will begin shortly.
ATO with ThreadFix – Bringing Commercial Insights to the DoD
Presented by John Dickson and Dan Cornell
AF Contract: FA864920P0045 (SBIR Phase I)
CAGE: 3UNB6

2. © 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
ATO with ThreadFix – Bringing
Commercial Insights to the DoD
AF Contract: FA864920P0045 (SBIR Phase I)
CAGE: 3UNB6
John B. Dickson, CISSP #4649
Principal, Denim Group
@johnbdickson
Dan Cornell, CTO
@danielcornell

3. © 2020 Denim Group – All Rights Reserved
Overview
• Commercial Insights
• ThreadFix in a CI/CD Workflow
• Walkthrough

4. © 2020 Denim Group – All Rights Reserved
John Dickson, CISSP
• Ex-USAF Intel & Cyber Officer
• AFIWC and early AFCERT member
• 20+ years in commercial security
• Security Author and Speaker

5. © 2020 Denim Group – All Rights Reserved
Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• 20 years experience in software
architecture, development, and
security

6. © 2020 Denim Group – All Rights Reserved
Advisory Services Assessment
Services
Vulnerability Resolution
Platform
Building a world where technology is trusted
How we can help:
Denim Group is solely focused on helping build resilient
software to withstand sophisticated attacks
• Help industry build secure software
• Web, mobile, ioT, and cloud testing leader
• DevSecOps leader

7. © 2020 Denim Group – All Rights Reserved
Commercial Trends
• Business wants instant features and functions
• Pressure to push products to services to the market faster with a
better customer experience
• Time to market beats many other considerations
• Heavy use of user behavior analytics to customize buying
experience
• Internal customers are becoming better at appreciating product
quality
• Centralized IT becoming fragmented
• https://www.denimgroup.com/resources/whitepaper/security-the-other-side-
of-digital-transformation/

8. © 2020 Denim Group – All Rights Reserved
While Tech Stack Changing…
• Microservices
• Serverless Applications
• New(er) Languages & Frameworks
• All via CI/CD Pipelines
• All Landing in Cloud!

9. © 2020 Denim Group – All Rights Reserved
Impact to Commercial World
• Rollout of new features measured in days
& weeks, not months
• Connected systems throughout the
organization
• Organizational changes are accelerating
• Security might be a consideration, but
time-to-market considerations are
paramount

10. © 2020 Denim Group – All Rights Reserved
What DoD can Learn from
Commercial
• Security must be mindfully baked into
DevSecOps pipelines
• Tailored to tech stack and mission function
• The shift to microservices will necessitate
DevSecOps
• Need automation to certify the build
• Need automation for alternative workflow if
you ”break the build”

11. © 2020 Denim Group – All Rights Reserved
ThreadFix
Commercial Use
• Integrates security and DevOps
• Aggregates and consolidates
vulnerabilities
• Reports and helps prioritize
remediation
• Reduces time to remediation
• Enables security automation for
assessment and authorization
processes
• Enables responsive, timely and
secure software capabilities
11

12. © 2020 Denim Group – All Rights Reserved
How ThreadFix is Used Today
• ThreadFix is used by DoD and IC
Develop/Operations (DevSecOps)
programs
• ThreadFix enables agencies to automate
capability development and the Risk
Management Framework (RMF)
• ThreadFix helps avoid delays saving the
government approximately $2M

13. © 2020 Denim Group – All Rights Reserved
Problem/Opportunity
Air Force struggles with the
software development process
not meeting warfighter needs.
Impact
Enables secure automated
capability development for
accreditation processes
Proposed Solution
A security platform for
DevSecOps software factories
to enable secure development
and faster accreditation.
ThreadFix: DevSecOps Vulnerability Management Platform
13
“This technological innovation is a pivotal investment in protecting software systems that power our nation’s critical
infrastructure and e-commerce industries.” Keven E. Greene, Department of Homeland Security Science & Technology
Cyber Security Division Program Manager

14. © 2020 Denim Group – All Rights Reserved
Key Takeaways
• ThreadFix Application Vulnerability Management Platform for
USAF Software Development, Security and Operations
• ThreadFix has proven to reduce mean to resolution (MTTR) by up
to 44%.
• ThreadFix has patented hybrid analysis technology which provides
better vulnerability merge capabilities resulting in fewer false
positives.
• ThreadFix builds security into the development process by
integrating into DevSecOps pipeline tools, significantly reducing
the time and cost to field new software applications and remediate
vulnerabilities.

15. © 2020 Denim Group – All Rights Reserved
ThreadFix – Orchestrate
Build Security into Development:
• Integrate automated security
into CI/CD
• Orchestrate scans
• Rapid pass/fail/warn based on
predefined policies
• Auto creation of bugs for Dev
Team
Dev (CI/CD) Security
Auto build
Sec check
Sec pass/fail/warn
Bug
Trackers
Bugs (Sec Vulns)
Scanners
Auto
execute
scanners
An example of ThreadFix’s security orchestration

16. © 2020 Denim Group – All Rights Reserved
Authority to Operate
• Using FedRamp as an example:
• https://www.fedramp.gov/issuing-an-authority-
to-operate/
• https://www.fedramp.gov/assets/resources/do
cuments/Agency_Authorization_Playbook.pdf
• https://www.fedramp.gov/assets/resources/te
mplates/Agency-ATO-Report-Template-
Version.pdf
16

17. © 2020 Denim Group – All Rights Reserved
Challenges with Traditional
Approaches
• Slow
• Manual
• Documentation-centric
• But it does not have to be done this way
• Lock down the aspects that have far less drift
• Use technology to accelerate the parts that
move quickly
17

18. © 2020 Denim Group – All Rights Reserved
Thinking (and Moving) Fast and Slow
18

19. © 2020 Denim Group – All Rights Reserved
Thinking (and Moving) Fast and Slow
• Some aspects of the ATO documentation move
slowly
• Overall system architecture
• Other aspects move faster, but not terribly so
• Testing plans
• Other aspects need to be fully re-run for every
version
• Results of specific testing activities
• Infrastructure testing
• Database testing
• Application testing
• Manual testing
19

20. © 2020 Denim Group – All Rights Reserved
Accelerating via ThreadFix
• Creating a centralized view
• Network/infrastructure
• Application: SAST/DAST/IAST/SCA
• Other results as-needed
• Orchestration and automation
• CI/CD pipelines
• Normalization and de-duplication
• Patented techniques for making sense of disparate
data sources
• Policy reporting
• OWASP Top 10
• DISA STIG
20

21. © 2020 Denim Group – All Rights Reserved
Walkthrough
21

22. © 2020 Denim Group – All Rights Reserved
Walkthrough
• Software Asset Management
• Result Consolidation
• CI/CD Build and Post-Build
• Reporting and Metrics
22

23. © 2020 Denim Group – All Rights Reserved
Tracking Software Assets
23

24. © 2020 Denim Group – All Rights Reserved
Consolidated/Comprehensive View
24

25. © 2020 Denim Group – All Rights Reserved
CI/CD Build
25

26. © 2020 Denim Group – All Rights Reserved
CI/CD Post-Build
26

27. © 2020 Denim Group – All Rights Reserved
Managing Policies/Criteria
27

28. © 2020 Denim Group – All Rights Reserved
Metrics and Reporting
28

29. © 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
@johnbdickson
@danielcornell