September 17, 2012, 12:16 PM — The first production-ready version of ThreadFix, an open-source software vulnerability management tool, was released Monday by Denim Group, a secure software development firm in San Antonio, Texas.
ThreadFix was designed to bridge the communication gap between enterprise security teams and software development teams, with the goal of reducing the time it takes to fix software vulnerabilities. The product imports vulnerability reports from different scanning sources and exports the results to a variety of bug tracking systems commonly used by developers.
Companies have gotten pretty good at finding vulnerabilities in their applications, said John Dickson, principal at Denim Group. However, it still takes a considerable amount of time to fix them, he said.
Dickson pointed to the annual statistics released by vulnerability testing firms WhiteHat Security and Veracode for an indication of how long it takes on average for enterprises to fix vulnerabilities in their websites or other types of applications. While network-level vulnerabilities get fixed in hours or days, application-level vulnerabilities get fixed in weeks or months, Dickson said.
Dickson thinks this is partially caused by the diversity of security testing approaches in enterprise environments. Companies can have multiple security teams that use different tools and technologies that generate reports in different formats, often for the same issues, he said.
This leaves the people responsible for managing vulnerabilities in a corporate environment with a very difficult task. There are companies that track vulnerabilities discovered through different means of security testing -- static and dynamic scanning, source code reviews, penetration testing, etc. -- manually, using Excel spreadsheets, said Dickson.
"On top of that, still the main way that we see a lot of vulnerabilities passed from the security teams to the development teams is via PDFs," Dickson said. These are unactionable documents, Dickson noted, that cause developers to ask themselves "What do I do with this?"
ThreadFix aggregates vulnerability scanning results from a variety of sources and normalizes the data to an internal format. It then de-duplicates the data by determining whether different scanners have found the same vulnerability and generates a single unified list containing all the issues.
Working from that list, a security analyst can negotiate with the development team leader over which vulnerabilities must be fixed first and how to export them to the bug tracking system the development team uses. Multiple vulnerabilities can be grouped under the same bug ticket, for example by vulnerability type, by severity, or by the developer in charge of an affected component.
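The pipeline described above (normalize, de-duplicate, group into tickets) is easy to misjudge without seeing the data, so here is a small worked example. It is added here for illustration and is not ThreadFix's own code or data model; the two scanner report formats, the issue-name-to-CWE table, the severity scale and the ticket shape are all constructed assumptions. The de-duplication key is the (CWE, URL path, parameter) triple, which is one reasonable choice for dynamic-scan results; real tools must also handle cases where scanners disagree on path normalization or report the same weakness at different granularities.

```python
"""Added example (not ThreadFix code): normalize findings from two scanner
formats, de-duplicate them, and group them into bug-tracker tickets."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed sample reports from two hypothetical scanners, "scanA" and "scanB".
# Each uses its own field names, issue names and severity scale, as real tools do.
SCAN_A = [
    {"issue": "Cross-Site Scripting", "url": "https://app.example/search?q=1", "param": "q", "risk": "High"},
    {"issue": "SQL Injection", "url": "https://app.example/login", "param": "user", "risk": "High"},
    {"issue": "Missing X-Frame-Options Header", "url": "https://app.example/", "param": None, "risk": "Low"},
]
SCAN_B = [
    {"cwe": 79, "title": "Reflected XSS", "path": "/search", "parameter": "q", "severity": 4},
    {"cwe": 89, "title": "SQLi", "path": "/login", "parameter": "user", "severity": 5},
    {"cwe": 22, "title": "Path Traversal", "path": "/download", "parameter": "file", "severity": 5},
]

# Constructed lookup tables for the normalization step (assumed, not ThreadFix's).
NAME_TO_CWE = {"Cross-Site Scripting": 79, "SQL Injection": 89, "Missing X-Frame-Options Header": 1021}
RISK_TO_SEVERITY = {"Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
SEVERITY_NAMES = {v: k for k, v in RISK_TO_SEVERITY.items()}


@dataclass
class Finding:
    """Internal format every scanner report is converted into."""
    cwe: int
    path: str
    parameter: Optional[str]
    severity: int                      # normalized to 1 (Info) .. 5 (Critical)
    sources: set = field(default_factory=set)

    def key(self):
        # Two scanners reporting the same weakness at the same URL path and
        # parameter are treated as one vulnerability.
        return (self.cwe, self.path, self.parameter)


def normalize_a(report):
    """Convert scanA's URL / issue-name / risk-word format into Finding objects."""
    return [Finding(NAME_TO_CWE[r["issue"]], urlparse(r["url"]).path or "/",
                    r["param"] or None, RISK_TO_SEVERITY[r["risk"]], {"scanA"})
            for r in report]


def normalize_b(report):
    """Convert scanB's CWE / path / numeric-severity format into Finding objects."""
    return [Finding(r["cwe"], r["path"], r["parameter"] or None, r["severity"], {"scanB"})
            for r in report]


def merge_findings(findings):
    """De-duplicate: same key -> one Finding with the highest severity and the
    union of the scanners that reported it."""
    merged = {}
    for f in findings:
        k = f.key()
        if k in merged:
            merged[k].severity = max(merged[k].severity, f.severity)
            merged[k].sources |= f.sources
        else:
            merged[k] = Finding(f.cwe, f.path, f.parameter, f.severity, set(f.sources))
    return sorted(merged.values(), key=lambda f: (-f.severity, f.path, f.parameter or ""))


def group_into_tickets(findings, by):
    """Group findings into tickets by 'type' (CWE) or 'severity'. Returns dicts
    shaped like what would be pushed to a bug tracker."""
    if by not in ("type", "severity"):
        raise ValueError(f"unsupported grouping: {by}")
    groups = defaultdict(list)
    for f in findings:
        label = f"CWE-{f.cwe}" if by == "type" else SEVERITY_NAMES[f.severity]
        groups[label].append(f)
    tickets = []
    for label, items in groups.items():
        lines = [f"- CWE-{f.cwe} at {f.path}"
                 + (f" (parameter '{f.parameter}')" if f.parameter else "")
                 + f", {SEVERITY_NAMES[f.severity]}, reported by {', '.join(sorted(f.sources))}"
                 for f in items]
        tickets.append({"title": f"[{by}] {label}: {len(items)} finding(s)", "body": "\n".join(lines)})
    return tickets


def triage(reports_a=SCAN_A, reports_b=SCAN_B, by="type"):
    """Full pipeline: normalize -> de-duplicate -> group into tickets."""
    merged = merge_findings(normalize_a(reports_a) + normalize_b(reports_b))
    return merged, group_into_tickets(merged, by)


if __name__ == "__main__":
    merged, tickets = triage()
    print(f"{len(merged)} unique vulnerabilities from {len(SCAN_A) + len(SCAN_B)} raw findings")
    for t in tickets:
        print(t["title"])
        print(t["body"])
```

Run as-is, the six raw findings collapse to four unique vulnerabilities: the XSS and SQL injection reported by both scanners are merged (the SQL injection takes the higher of the two severities), while the header finding and the path traversal each come from only one tool. Grouping by type yields four tickets; grouping by severity yields three, with the two Critical items in one ticket. The merged `sources` set is what lets an analyst see at a glance which issues two independent tools agree on.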