A Powerful Vulnerability Management Platform That Simplifies Secure Application Development & Delivery

© Copyright 2012 Denim Group - All Rights Reserved
Denim Group Overview

    • Secure software services and products company
            – Builds secure software
            – Helps organizations assess and mitigate risk of existing software
            – Provides e-Learning and classroom training so clients can build secure software
    • Software-centric view of application security
            – Application security experts are practicing developers delivering a rare
              combination of expertise in today’s industry
            – Development pedigree translates to rapport with development managers
            – Business impact: shorter time-to-fix application vulnerabilities
    • Culture of application security innovation and contribution
            – Remediation Resource Center
            – Released Sprajax & CSRF publicly
            – OWASP national leaders & regular speakers at RSA, OWASP, ISSA, CSI



The Facts

  • Founded in 2001 with almost 60 employees currently
  • Headquartered in San Antonio, Texas
  • Profitable since inception
  • Customer base spans Fortune 500
  • Deep penetration in Financial Services, Banking, Insurance,
    Healthcare and Defense market sectors
  • Offers unique service blend of Software Development, Application
    Security and Developer Education
  • Contributes to industry best practices through the Open Web
    Application Security Project (OWASP)
  • Consecutively honored as an Inc. Magazine 5000 Fastest Growing
    Company for five years

Executive Team
  • John Dickson
           –    Certified Information Systems Security Professional (CISSP), Master in Bus. Admin
           –    Hands-on experience with network security, intrusion detection systems and software
                security
           –    Honorary commander of the 67th Network Warfare Wing, which organizes, trains and equips
                cyberspace forces to conduct network defense, attack and exploitation.
           –    Former U.S. Air Force officer

  • Dan Cornell
           –    Over 12 years architecting, developing and securing web-based software systems
           –    Leads Denim Group’s technology team overseeing methodology and project execution
           –    Also heads Denim Group’s application security research team
           –    Holds B.S. and graduated Magna Cum Laude from Trinity University

  • Sheridan Chambers
           –    Responsible for facilities, administration, finance, sales, marketing, and client services.
           –    Previously held P&L responsibility for Rare Medium where he managed his office to over
                $1.5 million per month in billings with a 60% net margin -- the highest in the company.
           –    Recognized as North Chamber Entrepreneur of the Year, one of the San Antonio Business
                Journal's Top 40 Under 40, San Antonio Business Journal 2011 Top CFO, and as a Texas
                Monthly "30 Multimedia Whizzes Under 30"




The Problem

  • Application security testing typically uses automated static and
    dynamic test results as well as manual testing results to assess the
    security of an application
  • Each test delivers results in different formats
  • Different test platforms also can describe the same flaws differently,
    creating multiple duplications
  • Security teams end up using spreadsheets to keep track manually
  • It is extremely difficult to prioritize the severity of flaws as a result
  • Software development teams receive unmanageable reports and only
    a small portion of the flaws get fixed




The Result
    • Application vulnerabilities persist in applications
            – The average number of serious vulnerabilities found per website per year is 79
            – The average number of days a website is exposed to at least one serious
              vulnerability is 231 days
            – The overall percentage of serious vulnerabilities that are fixed annually is only
              63%
    • Part of the problem is that there is no easy way for the security team
      and the application development teams to work together on these
      issues
    • Remediation quickly becomes an overwhelming project
    • Trending reports that track the number of reduced vulnerabilities are
      impossible to create

    Sources: https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf, pages 2 & 3
             http://www.veracode.com/reports (registration required)



Introducing ThreadFix
  • An open source software vulnerability aggregation and management
    system
  • Imports dynamic, static and manual testing results into a centralized
    platform
  • Removes duplicate findings across all testing platforms to provide an
    easy-to-prioritize list of security faults
  • Eases communication across development, security and QA teams
  • Exports the prioritized list into the company’s bug tracker of choice to
    streamline software remediation efforts
  • Auto-generates web application firewall rules to protect corporate data
    while the software vulnerability is being fixed
  • Empowers managers with vulnerability trending reports that can
    pinpoint team issues and illustrate application security progress

ThreadFix
  • Consolidates reports so managers can speak intelligently about
    the status and trends of security within their organization

Vulnerability Import
  • Pulls in static and dynamic results
  • Eliminates duplicate results
  • Allows for results to be grouped

Real-Time Protection
  • Virtual patching helps protect organizations during remediation

Defect Tracking Integration
  • ThreadFix can connect to common defect trackers
  • Defects can be created for developers
  • Work can continue uninterrupted

Product Demonstration



The Dashboard
     •     Lists all the development teams in the organization, including the number of apps for each
           team and a summary of the security status of those apps.
     •     Clicking on a team reveals the details on the apps that team is working on.




Viewing The Applications By Team
      •    Now all of the applications managed by the eCommerce team are revealed.
      •    The security analyst now wants to upload new vulnerability scan data for the
           "Replacement Part Auctions" application and clicks on that link.




Fixing an eCommerce Team “Auction” Application
     •    Vulnerability data from AppScan, Arachni, Netsparker and w3af scans is uploaded
          into ThreadFix.




Large Range of Tool Compatibility




Compatible Tool Categories

    Dynamic Scanners
      – Burp Suite
      – HP WebInspect
      – IBM Rational AppScan
      – Mavituna Security Netsparker
      – Tenable Nessus
      – Acunetix
      – OWASP Zed Attack Proxy
      – Arachni
      – Skipfish

    Static Scanners
      – HP Fortify SCA
      – Microsoft CAT.NET
      – FindBugs
      – Ounce / IBM Security AppScan Source

    SaaS Testing Platforms
      – WhiteHat
      – Veracode
      – QualysGuard WAS 2.0

    Defect Trackers
      – Mozilla Bugzilla
      – Atlassian JIRA

    IDS/IPS and WAF
      – F5
      – Deny All
      – Snort
      – mod_security
      – Imperva

The ThreadFix Consolidation
   All of the vulnerability scans have been aggregated into ThreadFix, providing a
    centralized view of the security status of the Auction application.




Web Application Firewall Rules Are Generated
   •     ThreadFix now uses the vulnerability data to automatically generate additional Web
         Application Firewall (WAF) “virtual patch” rules designed to protect those specific
         applications and their vulnerabilities.
   •     Since the additional WAF rules are created based on real vulnerabilities, they greatly
         strengthen the protection offered by the firewall system.
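The slide describes rules that are scoped to a specific application and a specific confirmed vulnerability rather than generic signatures. The following is an added example (not ThreadFix's own rule generator) of what such a "virtual patch" looks like when emitted as a ModSecurity rule chain: the first rule restricts the match to the flagged request path, the second inspects only the flagged parameter. The Finding layout, the per-class detection regexes, the rule id and the sample requests are all assumptions constructed for illustration.

```python
"""Generate a ModSecurity "virtual patch" from one normalized finding.

Added example, not ThreadFix's rule generator: the Finding layout, the
per-class detection regexes and the rule id scheme are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Detection regexes per vulnerability class (assumed, deliberately narrow).
# A virtual patch only needs to cover the confirmed parameter on the confirmed
# path, which keeps false positives far lower than a site-wide rule would.
PATTERNS = {
    "Cross Site Scripting": r"(?i)<\s*script|javascript:|on\w+\s*=",
    "SQL Injection": r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'|--\s|;\s*drop\b)",
}


@dataclass(frozen=True)
class Finding:
    vuln_type: str   # canonical class, must be a key of PATTERNS
    path: str        # request path the scanner flagged, e.g. /auction/search
    parameter: str   # the parameter the scanner found to be injectable


def virtual_patch(finding: Finding, rule_id: int) -> str:
    """Return a two-rule ModSecurity chain: rule 1 scopes the match to the
    flagged path and carries the disruptive action, rule 2 inspects only the
    flagged parameter after URL-decoding it."""
    if finding.vuln_type not in PATTERNS:
        raise ValueError(f"no detection pattern for {finding.vuln_type!r}")
    msg = f"Virtual patch: {finding.vuln_type} in parameter {finding.parameter}"
    scope = (f'SecRule REQUEST_URI "@beginsWith {finding.path}" '
             f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"')
    check = (f'    SecRule ARGS:{finding.parameter} "@rx {PATTERNS[finding.vuln_type]}" '
             f'"t:none,t:urlDecodeUni"')
    return scope + "\n" + check


def would_block(finding: Finding, request_path: str, args: dict) -> bool:
    """Offline approximation of the generated chain, used to sanity-check a
    rule against sample requests before it is pushed to the WAF."""
    if not request_path.startswith(finding.path):
        return False          # rule 1 does not match: other paths are untouched
    value = unquote(args.get(finding.parameter, ""))
    return re.search(PATTERNS[finding.vuln_type], value) is not None


if __name__ == "__main__":
    xss = Finding("Cross Site Scripting", "/auction/search", "q")
    print(virtual_patch(xss, 900001))
```

The chain is what makes the rule application-specific: a request to any other path, or to the same path without the flagged parameter, never reaches the regex check, so the patch cannot break unrelated functionality while the code-level fix is in development.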




Protecting the Application While It Is Vulnerable
  •      The WAF and Intrusion Detection Systems use the ThreadFix-generated “virtual patch”
         rules to isolate application attacks.
  •      The ThreadFix user can analyze this attack data to further fine-tune the WAF to actively
         block application exploit attempts while the application is being fixed.
  •      Applications are susceptible to fewer risks as a result.




Attack Data Is Also Aggregated in ThreadFix
  •      The attack data is also imported into ThreadFix to present a more complete picture of
         the organization’s security profile.




The Negotiations Begin
  • The ThreadFix aggregated data report for the Auction application
    provides the basis needed to decide what is to be fixed and by whom
  • The security analyst and the eCommerce development team leader
    use the report, which includes both vulnerability and attack data, to
    decide which vulnerabilities will get fixed and which vulnerabilities
    represent an acceptable risk to the organization
  • Next, the two team leaders agree on how best to package the targeted
    vulnerabilities for the development team
           – By type (e.g. all Cross Site Scripting vulnerabilities, because it is more efficient to fix a
             class of vulnerabilities regardless of where they are located in the application)
           – By developer (e.g. Joe created the user interface and is the only developer who
             knows how to work in that part of the application)
           – By severity (e.g. the critical vulnerabilities that need to be fixed now)
           – Or any combination of the above
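The consolidation described under "Vulnerability Import" and the bundling options above are two halves of one pipeline: normalize each scanner's vocabulary, key findings so that the same flaw reported by two tools collapses into one vulnerability, then group the result into defects. The following added example (not ThreadFix code) walks through both halves on two constructed scanner exports. The JSON and CSV layouts, the type and severity mappings, and the path-prefix-to-developer table are all assumptions made for illustration.

```python
"""Normalize findings from two scanners, merge duplicates, and bundle them
into defects by type, severity or owner.

Added example, not ThreadFix code. The two input formats, the name and
severity mappings, and the path-to-owner table are constructed.
"""
import csv
import io
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed "scanner A" export: JSON, one issue per object, full URLs.
SCANNER_A_JSON = json.dumps([
    {"issue_type": "Cross-Site Scripting (Reflected)",
     "url": "https://auction.example/auction/search?q=x", "param": "q", "risk": "High"},
    {"issue_type": "SQL Injection",
     "url": "https://auction.example/auction/item?id=1", "param": "id", "risk": "Critical"},
    {"issue_type": "Cross-Site Scripting (Reflected)",
     "url": "https://auction.example/account/profile?name=x", "param": "name", "risk": "Medium"},
])

# Constructed "scanner B" export: CSV with its own labels and numeric severity.
SCANNER_B_CSV = """name,path,parameter,severity
XSS,/auction/search,q,3
XSS,/auction/search,sort,3
Blind SQL Injection,/auction/item,id,4
"""

# Vocabulary mapping (assumed): each scanner's label -> one canonical class.
CANONICAL_TYPE = {
    "cross-site scripting (reflected)": "Cross Site Scripting",
    "xss": "Cross Site Scripting",
    "sql injection": "SQL Injection",
    "blind sql injection": "SQL Injection",
}
SEVERITY_A = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITY_NAME = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Assumed ownership table: path prefix -> developer responsible for that area.
OWNERS = {"/auction/": "joe", "/account/": "maria"}


def parse_scanner_a(text):
    """Yield (type, path, parameter, severity, source) from scanner A's JSON."""
    for issue in json.loads(text):
        yield (CANONICAL_TYPE[issue["issue_type"].lower()],
               urlsplit(issue["url"]).path, issue["param"],
               SEVERITY_A[issue["risk"].lower()], "scanner-a")


def parse_scanner_b(text):
    """Yield the same tuple shape from scanner B's CSV."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (CANONICAL_TYPE[row["name"].lower()], row["path"],
               row["parameter"], int(row["severity"]), "scanner-b")


def merge(*streams):
    """Key on (type, path, parameter): one flaw reported by two tools becomes
    one vulnerability that records both sources and the highest severity."""
    merged = {}
    for stream in streams:
        for vtype, path, param, sev, source in stream:
            key = (vtype, path, param)
            entry = merged.setdefault(key, {"type": vtype, "path": path, "parameter": param,
                                            "severity": 0, "sources": set()})
            entry["severity"] = max(entry["severity"], sev)
            entry["sources"].add(source)
    return list(merged.values())


def owner_of(path):
    for prefix, dev in OWNERS.items():
        if path.startswith(prefix):
            return dev
    return "unassigned"


def bundle(vulns, by):
    """Group vulnerabilities into defect bundles by 'type', 'severity' or 'developer'."""
    groups = defaultdict(list)
    for v in vulns:
        if by == "type":
            label = v["type"]
        elif by == "severity":
            label = SEVERITY_NAME[v["severity"]]
        elif by == "developer":
            label = owner_of(v["path"])
        else:
            raise ValueError(f"unknown bundling key {by!r}")
        groups[label].append(v)
    return dict(groups)


def consolidated():
    """Run both parsers and merge: 6 raw findings become 4 unique vulnerabilities."""
    return merge(parse_scanner_a(SCANNER_A_JSON), parse_scanner_b(SCANNER_B_CSV))


if __name__ == "__main__":
    vulns = consolidated()
    print(f"{len(vulns)} unique vulnerabilities from 6 raw findings")
    for label, items in bundle(vulns, "severity").items():
        print(label, [(v["type"], v["path"], v["parameter"]) for v in items])
```

The choice of key is the whole design decision: (type, path, parameter) is coarse enough to fold two scanners' reports of the same reflected parameter together, but still keeps the second, separately injectable parameter on the same page as its own vulnerability, which is what a developer needs to see when the bundle arrives as a defect.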



Agreeing On The Workload
    •    An example of bundling the Critical Severity identified vulnerabilities into a single
         defect to prioritize the remediation of the application.




The Defect Tracking System
     •    The security analyst exports vulnerabilities with Critical Severity to the Defect Tracking
          System, which is Bugzilla in this example.
     •    The eCommerce development team then uses Bugzilla to keep track of the
          outstanding bugs and management tasks still to be done.




Vulnerabilities Now Become Defects
  •     All the vulnerabilities to be fixed are packaged in a manner that makes sense to the
        development team’s work process.
  •     These vulnerabilities, which software developers now recognize as defects,
        are transferred to Bugzilla, the platform the development team already uses.




The Defect Categories & Status Inside of ThreadFix
    •    At the same time, the security analyst can see all of the open vulnerabilities as well as
         the defects they are linked to.
    •    Currently none of the bugs have been resolved by the development team.




    [Screenshot callouts: First Defect, Second Defect, Third Defect]

A Defect (Security Vulnerability) Is Fixed (Or is it?)
     •    The developers look into the bug containing the Critical vulnerabilities.
     •    They work with representatives from security to resolve the issue and then mark the
          bug as fixed in Bugzilla.




Bugzilla Updates Are Synchronized With ThreadFix
    •    When a ThreadFix update is performed, Bugzilla’s developer notes regarding bug
         status are synchronized with ThreadFix
    •    The security team then performs additional scans to confirm that the bugs have,
         indeed, been fixed.




Trending Reports Help Improve Quality
     By repeating this process over time, the security teams can start to collect trending data
     about vulnerabilities as well as statistics of how long it is taking to resolve security issues.




ThreadFix Feature Summary
  • Vulnerability Import
           – Imports dynamic, static and manual testing results from a variety of sources (both
             commercial and freely-available scanning tools as well as SaaS testing providers)
           – Correlates and normalizes application vulnerabilities across different sources
  • Defect Tracking Integration
           – Allows application security teams to group vulnerabilities into individual defects
  • Real-Time Protection Generation
           – Virtual patching provides protection while code-level fixes are in development
           – Application-specific rules based upon identified vulnerabilities
  • Application Portfolio Management
           – Tracks security status of applications across the enterprise
           – Enables critical communication with developers in tools they are already using
  • Maturity Evaluation
           – Stores and reports on software security program progress
           – Benchmarks security improvement against industry standards

ThreadFix Benefits

  • Reduces the time required to fix vulnerable applications.
  • Dramatically simplifies the effort required
  • Compares the relative performance and test coverage of application
    vulnerability scanning technologies.
  • Provides centralized visibility into current security state of applications
    as well as trending
  • Facilitates communication between security analysts and development
    teams
  • Provides enterprise-wide software security metrics in support of
    benchmarking and budget justification efforts
  • No licensing fees
  • Open community support

ThreadFix Target Markets

  • Organizations with multiple application scanning technologies
           – There is no method to easily compile reports from multiple sources, both paid and
             open source, onto a central vulnerability management platform
  • Large organizations with multiple teams and divisions
           – Teams can all upload reports to ThreadFix for visibility into the workflow.
  • Organizations looking to improve their development process
           – ThreadFix creates trending reports and tracks vulnerability coverage to show
             maturation over periods of time.
  • Organizations who have deployed IDS/IPS or WAF technologies
           – Protects organization during remediation efforts
  • CSO, CISO, VP of Security
           – ThreadFix delivers near real-time status reports in minutes that consolidate all
             testing and remediation activities.




Where to Get ThreadFix
  • Go to http://code.google.com/p/threadfix/ and download the zip file.
  • On Windows, double-click the Threadfix.bat icon; on Linux, change into
    the unpacked folder and run bash threadfix.sh.
  • Open the “Getting Started” page on the wiki for more step-by-step
    directions.
  • For more information, go to http://www.denimgroup.com/threadfix




Contact Information

    John B. Dickson, CISSP (Principal)
    john@denimgroup.com, Twitter @johnbdickson, (210) 572-4400

    Dan Cornell (Principal and CTO)
    dan@denimgroup.com, Twitter @danielcornell, (210) 572-4400

    Robin Lutchansky (Public Relations)
    robinl@lcomm.com, Twitter @Lcomm, (408) 607-7118

    www.denimgroup.com
    www.threadstrong.com
    blog.denimgroup.com

Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Stopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater InsanityStopping the Adobe, Apple and Java Software Updater Insanity
Stopping the Adobe, Apple and Java Software Updater Insanity
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 

Thread Fix Tour Presentation Final Final

1. A Powerful Vulnerability Management Platform That Simplifies Secure Application Development & Delivery
© Copyright 2012 Denim Group - All Rights Reserved

2. Denim Group Overview
  • Secure software services and products company
    – Builds secure software
    – Helps organizations assess and mitigate risk of existing software
    – Provides e-Learning and classroom training so clients can build secure software
  • Software-centric view of application security
    – Application security experts are practicing developers delivering a rare combination of expertise in today’s industry
    – Development pedigree translates to rapport with development managers
    – Business impact: shorter time-to-fix application vulnerabilities
  • Culture of application security innovation and contribution
    – Remediation Resource Center
    – Released Sprajax & CSRF publicly
    – OWASP national leaders & regular speakers at RSA, OWASP, ISSA, CSI

3. The Facts
  • Founded in 2001 with almost 60 employees currently
  • Headquartered in San Antonio, Texas
  • Profitable since inception
  • Customer base spans Fortune 500
  • Deep penetration in Financial Services, Banking, Insurance, Healthcare and Defense market sectors
  • Offers unique service blend of Software Development, Application Security and Developer Education
  • Contributes to industry best practices through the Open Web Application Security Project (OWASP)
  • Consecutively honored as an Inc. Magazine 5000 Fastest Growing Company for five years

4. Executive Team
  • John Dickson
    – Certified Information Systems Security Professional (CISSP), Master in Bus. Admin
    – Hands-on experience with network security, intrusion detection systems and software security
    – Honorary commander of the 67th Network Warfare Wing, which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation
    – Former U.S. Air Force officer
  • Dan Cornell
    – Over 12 years architecting, developing and securing web-based software systems
    – Leads Denim Group’s technology team overseeing methodology and project execution
    – Also heads Denim Group’s application security research team
    – Holds B.S. and graduated Magna Cum Laude from Trinity University
  • Sheridan Chambers
    – Responsible for facilities, administration, finance, sales, marketing, and client services
    – Previously held P&L responsibility for Rare Medium where he managed his office to over $1.5 million per month in billings with a 60% net margin, the highest in the company
    – Recognized as North Chamber Entrepreneur of the Year, one of the San Antonio Business Journal's Top 40 Under 40, San Antonio Business Journal 2011 Top CFO, and as a Texas Monthly "30 Multimedia Whizzes Under 30"

5. The Problem
  • Application security testing typically uses automated static and dynamic test results as well as manual testing results to assess the security of an application
  • Each test delivers results in different formats
  • Different test platforms can also describe the same flaw differently, creating multiple duplicates
  • Security teams end up using spreadsheets to keep track manually
  • As a result, it is extremely difficult to prioritize the severity of flaws
  • Software development teams receive unmanageable reports and only a small portion of the flaws get fixed

6. The Result
  • Application vulnerabilities persist in applications
    – The average number of serious vulnerabilities found per website per year is 79
    – The average number of days a website is exposed to at least one serious vulnerability is 231 days
    – The overall percentage of serious vulnerabilities that are fixed annually is only 63%
  • Part of the problem is that there is no easy way for the security team and application development teams to work together on these issues
  • Remediation quickly becomes an overwhelming project
  • Trending reports that track the number of reduced vulnerabilities are impossible to create
  Sources: https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf, pages 2 & 3; http://www.veracode.com/reports (registration required)

7. Introducing ThreadFix
  • An open source software vulnerability aggregation and management system
  • Imports dynamic, static and manual testing results into a centralized platform
  • Removes duplicate findings across all testing platforms to provide an easy-to-prioritize list of security faults
  • Eases communication across development, security and QA teams
  • Exports the prioritized list into the company’s bug tracker of choice to streamline software remediation efforts
  • Auto-generates web application firewall rules to protect corporate data while the software vulnerability is being fixed
  • Empowers managers with vulnerability trending reports that can pinpoint team issues and illustrate application security progress

8. ThreadFix consolidates reports so managers can speak intelligently about the status and trends of security within their organization

9. Vulnerability Import
  • Pulls in static and dynamic results
  • Eliminates duplicate results
  • Allows for results to be grouped

10. Real-Time Protection
  • Virtual patching helps protect organizations during remediation

11. Defect Tracking Integration
  • ThreadFix can connect to common defect trackers
  • Defects can be created for developers
  • Work can continue uninterrupted

12. Product Demonstration

13. The Dashboard
  • Lists all the development teams in the organization, including the number of apps for each team and a summary of the security status of those apps
  • Clicking on a team reveals the details on the apps that team is working on

14. Viewing The Applications By Team
  • Now all of the applications managed by the eCommerce team are revealed
  • The security analyst now wants to upload new vulnerability scan data for the "Replacement Part Auctions" application and clicks on that link

15. Fixing an eCommerce Team “Auction” Application
  • Vulnerability data from AppScan, Arachni, Netsparker and W3af scans is uploaded into ThreadFix

16. Large Range of Tool Compatibility

17. Compatible Tool Categories
  • Dynamic Scanners: Burp Suite, HP WebInspect, IBM Rational AppScan, Mavituna Security Netsparker, Tenable Nessus, Acunetix, OWASP Zed Attack Proxy, Arachni, Skipfish
  • Static Scanners: HP Fortify SCA, Microsoft CAT.NET, FindBugs, Ounce / IBM Security AppScan Source
  • SaaS Testing Platforms: WhiteHat, Veracode, QualysGuard WAS 2.0
  • Defect Trackers: Mozilla Bugzilla, Atlassian JIRA
  • IDS/IPS and WAF: F5, Deny All, Snort, mod_security, Imperva

18. The ThreadFix Consolidation
  • All of the vulnerability scans have been aggregated into ThreadFix, providing a centralized view of the security status of the Auction application

19. Web Application Firewall Rules Are Generated
  • ThreadFix now uses the vulnerability data to automatically generate additional Web Application Firewall (WAF) “virtual patch” rules designed to protect those specific applications and their vulnerabilities
  • Since the additional WAF rules are created based on real vulnerabilities, they greatly strengthen the protection offered by the firewall system

20. Protecting the Application While It Is Vulnerable
  • The WAF and Intrusion Detection Systems use the ThreadFix-generated “virtual patch” rules to isolate application attacks
  • The ThreadFix user can analyze this attack data to further fine-tune the WAF to actively block application exploit attempts while the application is being fixed
  • Applications are susceptible to fewer risks as a result

21. Attack Data Is Also Aggregated in ThreadFix
  • The attack data is also imported into ThreadFix to present a more complete picture of the organization’s security profile

22. The Negotiations Begin
  • The ThreadFix aggregated data report for the Auction application provides the basis needed to decide what is to be fixed and by whom
  • The security analyst and the eCommerce development team leader use the report, which includes both vulnerability and attack data, to decide which vulnerabilities will get fixed and which vulnerabilities represent an acceptable risk to the organization
  • Next, the two team leaders agree on how best to package the targeted vulnerabilities for the development team
    – By type (e.g. Cross Site Scripting vulnerabilities, because it’s more efficient to fix a class of vulnerabilities regardless of where they are located in the application)
    – By developer (e.g. Joe created the user interface and is the only developer who knows how to work in that part of the application)
    – By severity (e.g. the critical vulnerabilities that need to be fixed now)
    – Or any combination of the above

23. Agreeing On The Workload
  • An example of bundling the identified Critical Severity vulnerabilities into a single defect to prioritize the remediation of the application

24. The Defect Tracking System
  • The security analyst exports vulnerabilities with Critical Severity to the Defect Tracking System, which is Bugzilla in this example
  • The eCommerce development team then uses Bugzilla to keep track of the outstanding bugs and management tasks still to be done

25. Vulnerabilities Now Become Defects
  • All the vulnerabilities to be fixed are packaged in a manner that makes sense to the development team’s work process
  • These vulnerabilities, which are now recognized as defects by software developers, are transferred to Bugzilla, the platform the development team is used to using

26. The Defect Categories & Status Inside of ThreadFix
  • At the same time, the security analyst can see all of the open vulnerabilities as well as the defects they are linked to
  • Currently none of the bugs have been resolved by the development team
  (Screenshot labels: First Defect, Second Defect, Third Defect)

27. A Defect (Security Vulnerability) Is Fixed (Or is it?)
  • The developers look into the bug containing the Critical vulnerabilities
  • They work with representatives from security to resolve the issue and then mark the bug as fixed in Bugzilla

28. Bugzilla Updates Are Synchronized With ThreadFix
  • When a ThreadFix update is performed, Bugzilla’s developer notes regarding bug status are synchronized with ThreadFix
  • The security team then performs additional scans to confirm that the bugs have indeed been fixed

29. Trending Reports Help Improve Quality
  • By repeating this process over time, the security teams can start to collect trending data about vulnerabilities as well as statistics on how long it is taking to resolve security issues

30. ThreadFix Feature Summary
  • Vulnerability Import
    – Imports dynamic, static and manual testing results from a variety of sources (both commercial and freely available scanning tools as well as SaaS testing providers)
    – Correlates and normalizes application vulnerabilities across different sources
  • Defect Tracking Integration
    – Allows application security teams to group vulnerabilities into individual defects
  • Real-Time Protection Generation
    – Virtual patching provides protection while code-level fixes are in development
    – Application-specific rules based upon identified vulnerabilities
  • Application Portfolio Management
    – Tracks security status of applications across the enterprise
    – Enables critical communication with developers in tools they are already using
  • Maturity Evaluation
    – Stores and reports on software security program progress
    – Benchmarks security improvement against industry standards

31. ThreadFix Benefits
  • Reduces the time required to fix vulnerable applications
  • Dramatically simplifies the effort required
  • Compares the relative performance and test coverage of application vulnerability scanning technologies
  • Provides centralized visibility into the current security state of applications as well as trending
  • Facilitates communication between security analysts and development teams
  • Provides enterprise-wide software security metrics in support of benchmarking and budget justification efforts
  • No licensing fees
  • Open community support

32. ThreadFix Target Markets
  • Organizations with multiple application scanning technologies
    – There is no method to easily compile reports from multiple sources, both paid and open source, onto a central vulnerability management platform
  • Large organizations with multiple teams and divisions
    – Teams can all upload reports to ThreadFix for visibility into the workflow
  • Organizations looking to improve their development process
    – ThreadFix creates trending reports and tracks vulnerability coverage to show maturation over periods of time
  • Organizations who have deployed IDS/IPS or WAF technologies
    – Protects the organization during remediation efforts
  • CSO, CISO, VP of Security
    – ThreadFix delivers near real-time status reports in minutes that consolidate all testing and remediation activities

33. Where to Get ThreadFix
  • Go to http://code.google.com/p/threadfix/ and download the zip file
  • Click on the Threadfix.bat icon in Windows, or, in Linux, navigate to the folder and execute bash threadfix.sh
  • Go on the wiki and open the “Getting Started” file for more step-by-step directions
  • For more information, go to http://www.denimgroup.com/threadfix

34. Contact Information
  • John B. Dickson, CISSP, Principal, john@denimgroup.com, Twitter @johnbdickson, (210) 572-4400
  • Dan Cornell, Principal and CTO, dan@denimgroup.com, Twitter @danielcornell, (210) 572-4400
  • Robin Lutchansky, Public Relations, robinl@lcomm.com, Twitter @Lcomm, (408) 607-7118
  www.denimgroup.com | www.threadstrong.com | blog.denimgroup.com
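The consolidation step of slides 7 and 9 (one flaw reported by several tools under different names and severities) and the bundling of slide 22 (grouping by severity or by type before export to the bug tracker), as an added example that is not ThreadFix code: the scanner output, tool names and name-to-CWE mapping below are all constructed for illustration.

```python
"""Consolidate multi-scanner findings into one de-duplicated list, then bundle into defects."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample exports from three hypothetical scanners. Two flaws are reported by
# every tool with different names, severities and URL spellings; one is reported once.
RAW_FINDINGS = [
    {"tool": "scanner-a", "name": "Cross-Site Scripting", "severity": "High",
     "url": "http://auction.example/search?q=x", "param": "q"},
    {"tool": "scanner-b", "name": "Reflected XSS", "severity": "Medium",
     "url": "http://auction.example/search/", "param": "q"},
    {"tool": "scanner-c", "name": "CWE-79", "severity": "Critical",
     "url": "http://auction.example/search", "param": "q"},
    {"tool": "scanner-a", "name": "SQL Injection", "severity": "Critical",
     "url": "http://auction.example/item?id=1", "param": "id"},
    {"tool": "scanner-b", "name": "Blind SQL injection", "severity": "High",
     "url": "http://auction.example/item", "param": "id"},
    {"tool": "scanner-c", "name": "Directory listing", "severity": "Low",
     "url": "http://auction.example/static/", "param": None},
]

# Constructed mapping from each tool's vulnerability names onto a common CWE id.
NAME_TO_CWE = {
    "cross-site scripting": 79, "reflected xss": 79, "cwe-79": 79,
    "sql injection": 89, "blind sql injection": 89, "directory listing": 548,
}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Vulnerability:
    cwe: int
    path: str
    param: Optional[str]
    severity: str
    tools: set = field(default_factory=set)


def normalize_path(url: str) -> str:
    """Drop scheme, host, query string and trailing slash so one endpoint matches across tools."""
    path = urlsplit(url).path.rstrip("/")
    return path or "/"


def consolidate(raw):
    """Merge findings that describe the same flaw (CWE + path + parameter) into one record,
    keeping the highest severity any tool assigned and recording which tools reported it."""
    merged = {}
    for f in raw:
        cwe = NAME_TO_CWE[f["name"].lower()]
        key = (cwe, normalize_path(f["url"]), f["param"])
        v = merged.setdefault(key, Vulnerability(cwe, key[1], f["param"], f["severity"]))
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[v.severity]:
            v.severity = f["severity"]
        v.tools.add(f["tool"])
    # Highest severity first, so the list is already in remediation priority order.
    return sorted(merged.values(), key=lambda v: -SEVERITY_RANK[v.severity])


def bundle(vulns, by: str):
    """Group consolidated vulnerabilities into defects by 'severity' or by 'type' (CWE)."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v.severity if by == "severity" else v.cwe].append(v)
    return dict(groups)
```

Running `bundle(consolidate(RAW_FINDINGS), "severity")["Critical"]` yields the two flaws that would go into the single Critical defect of slide 23, each annotated with the tools that found it.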