Online scanning services from companies such as Veracode and WhiteHat Security have quantified this risk, says Cornell's partner, John Dickson. "Some of the worst application vulnerabilities will last 70 to 100 days before they get patched," he says. One reason is that the enterprise security team (the people "who worry about software") and the software development team (the people "who can do something about the software") are often in separate organizations and can't coordinate effectively. ThreadFix's Web UI is intended to bridge this gap, Dickson says.
A scanning tool can come up with a long list of vulnerabilities. ThreadFix can break that list into chunks, filtered by vulnerability type and severity, for example. Development teams can then be assigned to attack a cluster of the same kind of problem, cranking out fixes more efficiently than if each finding were assigned to a different developer. "That sounds simple, but it's actually a huge issue between the security/vulnerabilities group and the software developers," Cornell says.
With centralized data, software and security staff can see all vulnerabilities for a given application or across the entire software inventory; see trends that show whether code vulnerabilities are becoming more or less frequent; and calculate the average time it takes to implement bug fixes, per application or per development team, and follow that trend over time.
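The clustering and metrics described above are straightforward to express once scanner findings sit in one place. The following is an added example written for this article, not ThreadFix's own code or data model: it takes a constructed list of findings (application, team, vulnerability type, severity, discovery date, fix date), groups them into clusters by type and severity so a team can work through one class of bug at a time, computes the mean days-to-fix per application or per team, and counts new findings per month to expose the trend. All application, team and date values are invented for illustration.

```python
"""Added example (not ThreadFix code): aggregate scanner findings as the
article describes -- cluster by vulnerability type and severity, compute
mean time-to-fix per application or team, and track discoveries per month."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    app: str
    team: str
    vuln_type: str
    severity: str
    found: date
    fixed: Optional[date]  # None while the finding is still open


# Constructed sample data; apps, teams, dates and counts are invented.
FINDINGS: List[Finding] = [
    Finding("webshop", "ecommerce", "SQL Injection", "Critical", date(2012, 1, 3), date(2012, 1, 10)),
    Finding("webshop", "ecommerce", "SQL Injection", "Critical", date(2012, 1, 3), date(2012, 1, 12)),
    Finding("webshop", "ecommerce", "XSS", "High", date(2012, 1, 5), date(2012, 1, 25)),
    Finding("webshop", "ecommerce", "XSS", "High", date(2012, 2, 1), None),
    Finding("portal", "intranet", "XSS", "Medium", date(2012, 1, 15), date(2012, 3, 15)),
    Finding("portal", "intranet", "Path Traversal", "High", date(2012, 2, 10), date(2012, 2, 25)),
]

# Lower rank = more urgent; used to order clusters for assignment.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def cluster(findings: List[Finding]) -> List[Tuple[Tuple[str, str], List[Finding]]]:
    """Group findings by (type, severity) so one developer can fix a whole class
    of similar bugs at once. Clusters are ordered most severe first, and within a
    severity the largest cluster first."""
    groups: Dict[Tuple[str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.vuln_type, f.severity)].append(f)
    return sorted(groups.items(), key=lambda kv: (SEVERITY_RANK[kv[0][1]], -len(kv[1])))


def mean_days_to_fix(findings: List[Finding], key: Callable[[Finding], str]) -> Dict[str, float]:
    """Average days from discovery to fix, grouped by key(finding), e.g. app or team.
    Findings that are still open have no fix date and are excluded from the average."""
    totals: Dict[str, int] = defaultdict(int)
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        if f.fixed is None:
            continue
        totals[key(f)] += (f.fixed - f.found).days
        counts[key(f)] += 1
    return {k: totals[k] / counts[k] for k in totals}


def discovered_per_month(findings: List[Finding]) -> Dict[str, int]:
    """Trend line: how many findings were discovered in each YYYY-MM bucket."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.found.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for (vuln_type, severity), items in cluster(FINDINGS):
        print(f"{severity:8} {vuln_type:15} {len(items)} finding(s)")
    print("mean days to fix per app :", mean_days_to_fix(FINDINGS, lambda f: f.app))
    print("mean days to fix per team:", mean_days_to_fix(FINDINGS, lambda f: f.team))
    print("discovered per month     :", discovered_per_month(FINDINGS))
```

Running the block prints the SQL injection cluster first because it is both Critical and the largest group; the open XSS finding on webshop shows up in the cluster and the monthly trend but is left out of the time-to-fix average, which is the behaviour a practitioner wants when open findings would otherwise distort the metric.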
ThreadFix can be downloaded at no charge from Google Code. You then configure user groups, such as the developers for an ecommerce application or teams in particular geographical locations. Within each group, you create a record for each application and identify the scanning and tracking tools being used. You configure ThreadFix to import data from each tool, and ThreadFix collects, aggregates, and tracks this information over time. A "getting started" tutorial walks you through this initial configuration.
Denim Group also offers a how-to guide for fixing software vulnerabilities (registration required).
Awareness of security in mobile applications is especially weak, except for the financial services sector, according to the two executives. Last November, Denim announced a set of courses for its ThreadStrong e-learning system aimed at mobile applications. The new offerings are an overview of mobile app security and classes on authentication and authorization specifically for the Android and iPhone operating systems.
John Cox covers wireless networking and mobile computing for Network World.