Enterprise coders can now use an open source Web application that lets them consolidate software vulnerability data from a range of scanning and test tools. With a centralized view, and reporting and management tools, ThreadFix speeds the work needed to fix software bugs and vulnerabilities, including those in proliferating mobile apps.
The beta version of ThreadFix is available via GoogleCode, along with tutorials and a range of support information (see links below). It can be easily configured to import test and scan results from open source tools such as Bugzilla for bug tracking, and Skipfish, an active Web application security reconnaissance tool, as well as commercial products like Fortify (now part of HP), a comprehensive software security assurance system, and IBM's Rational AppScan product set.
ThreadFix has been in development for nearly two years at Denim Group, a San Antonio-based software development house that specializes in secure custom applications and in secure application consulting services. It was developed internally to fill a gap in software shops that rely on multiple brands of security and coding tools but often lack a single view, across their development projects, of the type, severity, and status of code vulnerabilities. It's being made available now as a free, open beta release. Denim makes its money on, among other things, a range of secure software development services, including training and support.
"What we notice is that development organizations, even when they adopt comprehensive software security solutions, often do so in a 'shallow' way," says principal Dan Cornell, Denim's informally designated CTO. "For example, they may occasionally run code scans, but they're not doing it repeatedly over time. And most organizations don't standardize wholesale on a single-vendor solution: they have multiple tools, multiple languages, multiple approaches to development."
The result, Cornell says, is that software security often lacks a strategic focus, and companies can't see how their development practices are faring over time in minimizing vulnerabilities, nor how the effectiveness of those practices compares with peers in their industry segment.
ThreadFix pulls data from this mix of tools, consolidates it, and lets developers and managers filter it based on a range of criteria. It also lets you, for example, export a group of SQL injection vulnerabilities to a bug tracking tool for a team to remedy. ThreadFix then picks up the updated code scan results and captures and reflects the fixed vulnerabilities.
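The consolidate, export, and reconcile loop described above, modelled in a small added Python example that is not ThreadFix's own code; the two scanner outputs, tool names, category mapping, and severity scale are constructed for illustration:

```python
# Added example (not ThreadFix code): a minimal model of merging findings from
# several scanners, exporting one class of them to a bug tracker, and marking
# findings as fixed when a rescan no longer reports them.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Map each tool's own category names onto one normalised vocabulary.
TYPE_MAP = {"sqli": "SQL Injection", "sql injection": "SQL Injection",
            "xss": "Cross-Site Scripting", "cross-site scripting": "Cross-Site Scripting"}

# Constructed sample output from two hypothetical scanners:
# (tool name, application name, [(category, location, severity), ...]).
SCAN_A = ("scanner-a", "webshop", [("SQL Injection", "/login?user", "High"),
                                   ("XSS", "/search?q", "Medium")])
SCAN_B = ("scanner-b", "webshop", [("sqli", "/login?user", "critical"),
                                   ("sqli", "/report?id", "high")])

def consolidate(*scans):
    """Merge per-tool results into one view keyed by (app, type, location).

    Reports of the same vulnerability from different tools collapse into one
    record that lists every reporting tool and keeps the highest severity."""
    merged = {}
    for tool, app, rows in scans:
        for raw_type, location, sev in rows:
            key = (app, TYPE_MAP.get(raw_type.lower(), raw_type), location)
            rec = merged.setdefault(key, {"tools": set(), "severity": "low"})
            rec["tools"].add(tool)
            if SEVERITY_RANK[sev.lower()] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = sev.lower()
    return merged

def export_tickets(merged, vuln_type):
    """Build bug-tracker tickets for one vulnerability class (e.g. all SQLi)."""
    return [{"title": f"{t} in {app} at {loc}", "severity": rec["severity"],
             "sources": sorted(rec["tools"])}
            for (app, t, loc), rec in merged.items() if t == vuln_type]

def reconcile(previous, current):
    """Status per previously known finding: 'fixed' once a rescan stops reporting it."""
    return {key: ("open" if key in current else "fixed") for key in previous}
```

Treating absence from a rescan as "fixed" assumes the same tools ran over the same scope; a narrower rescan would otherwise mark findings fixed that were merely not tested.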
Creating a central view of such information is critical for companies in the increasingly fast-moving world of online and mobile applications where not only enterprise data but private, confidential information of potentially millions of customers might be at risk.