There are multiple tools that organizations can use to scan applications for potential vulnerabilities, but it can sometimes be a challenge to make sense of all the information that different tools provide.
It’s a challenge that Denim Group has been aiming to help solve with its ThreadFix platform. On Jan. 10, Denim Group announced the debut of ThreadFix 2.4, providing enhanced capabilities to help organizations manage application vulnerability information.
“ThreadFix is a platform that allows organizations to manage and run their application security programs,” Dan Cornell, CTO of Denim Group, told eWEEK.
Cornell explained that with ThreadFix an organization can list all the development teams that they have that build software and all the applications that each team is responsible for. Results for all the different application scanning and threat assessment tools used by an enterprise can then be pulled into ThreadFix. The ThreadFix platform normalizes and de-duplicates the data, providing an organization with a full view of all the software vulnerabilities that are present.
With the complete view of application vulnerabilities, the ThreadFix platform then enables developers to monitor and manage the identified vulnerabilities through an organization’s bug defect resolution process. The ThreadFix platform also provides metrics and reporting capabilities for a company’s ability to handle and resolve application vulnerabilities.
Among the enhanced capabilities in the new ThreadFix 2.4 release is a feature Denim Group is calling Hot Spot detection. What Hot Spot does is it looks for vulnerabilities in shared components and libraries across an organization’s software.
“The Hot Spot technology identifies internal organization code re-use that results in vulnerabilities that are shared across applications,” Cornell said.
By identifying shared code vulnerabilities, Cornell expects that organizations will be able to more rapidly fix applications that are running in an organization.
Scanning for common library re-use is not a new idea in software vulnerability scanning. Among the vendors that also provide that capability is Black Duck software that looks for known vulnerabilities in re-used code. One way to identify vulnerable components is simply by identifying which version of a given open-source software library is being used and then looking to see if there are any known vulnerabilities, identified by a Common Vulnerabilities and Exposures (CVE) number.
In ThreadFix’s use-case, the technology is targeted more at internal custom code development by organizations, where vulnerabilities likely do not have assigned or known CVEs. Cornell explained that ThreadFix has a patented approach to identifying the common vulnerabilities.
“We get results from testing solutions and we do analysis of the software package and file names and looking at the contents of the files,” Cornell said.
He explained that, for example, with a SQL injection flaw, testing results could show that an attack will enter an application at a particular line of code, in a specific file, then the attack payload will get passed through to another point in the system.
“We analyze the data flow and look at the actual code and do some matching to identify situations where code has been shared,” Cornell said.
Cornell commented that a core goal of ThreadFix has always been to help organizations understand the most impactful risks.
“You’re never going to have enough resources, developers and budget to fix everything, so you have to make decisions,” Cornell said. “A big part of our evolution has been how to show application security managers what is important and how to we help them sift through data to identify what really needs to be fixed.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.