How Collaboration Improves Security for Everyone

In addition to giving our talk “Making Security Agile” at LASCON 2015, we were honored to be featured in the presentation given by Denim Group, the makers of ThreadFix. We’ve previously blogged about how, as early adopters, we adapted the ThreadFix platform to meet our security needs. In the spirit of collaboration, and of cutting-edge security, Denim Group highlighted how the development community has improved ThreadFix, including some details on the SAMI team’s own contributions to version 2.3.

ThreadFix is a platform that consolidates security vulnerabilities identified by a variety of open source and commercial tools. Denim Group’s presentation focused on the community of individual and corporate contributors that has emerged around the Community Edition of ThreadFix. Dan Cornell, CTO and a Principal at Denim Group, told us:

“The features contributed by community members don’t tend to be long-term strategic changes, but reflect the real-world problems of application security teams and help us make ThreadFix more usable, valuable, and easy to implement. It is great to get that sort of insight into the problems real security teams need to solve.”

Below, see the presentation slides.

As we previously mentioned, some of the improvements we built into ThreadFix are included in the 2.3 release and are now available to everyone:

  1. Improved the UI so that reviewers reach the vulnerability details faster. This sped up our review process by cutting routine manual work.
  2. Improved the JIRA integration to pre-populate JIRA issue fields with data already stored in ThreadFix’s database.
  3. Improved data import so that the HTTP request and response for each finding are retained and available for review.
  4. Added email notifications so that we are told about new findings without having to check the console.

We’ve also made some additional enhancements to ThreadFix for the SAMI team:

  1. Implemented ThreadFix health monitoring so that we know when the service is down.
  2. Added automatic security scanning of our QA regression runs using the OWASP ZAP and Burp Suite scanners.
  3. Continued developing bscan, an open source security automation tool that runs the Burp proxy in headless mode and monitors QA regression traffic for security vulnerabilities in real time.
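As an added example (not code from the original post, from ThreadFix, or from bscan) of the kind of gate an automated QA regression scan needs: ZAP records a separate alert instance for every URL it flags, so a test suite that hits the same endpoint dozens of times with different values yields dozens of copies of one finding, and low-confidence rules fire often enough that failing the job on every High would make the team ignore it. The script below dedupes alerts by rule, path and parameter, fails the run only on high-risk findings of at least medium confidence, and holds low-confidence highs for manual triage. It assumes the alert dictionaries have the shape returned by ZAP’s alerts API (the Python zapv2 client’s zap.core.alerts() returns the same keys); the sample alerts and the qa.example.test host are constructed for illustration.

```python
"""Quality gate for automated QA regression scans with OWASP ZAP.

Added example, not code from the original post, from ThreadFix, or from
bscan. It assumes alerts in the shape ZAP's core/view/alerts API returns
(keys: alert, risk, confidence, url, param). SAMPLE_ALERTS is constructed
for illustration, not the output of a real scan.
"""
from collections import Counter

# ZAP's risk and confidence labels, ordered so they can be compared.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

# Constructed sample: what a short regression run against a QA host might yield.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://qa.example.test/search?q=abc", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://qa.example.test/search?q=xyz", "param": "q"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://qa.example.test/", "param": ""},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Low",
     "url": "http://qa.example.test/item?id=1", "param": "id"},
]


def finding_key(alert):
    """Identity of a finding: rule name, path without query string, parameter.
    Regression traffic hits the same endpoint many times with different
    values, so ZAP reports many copies of what is really one bug."""
    path = alert["url"].split("?", 1)[0]
    return (alert["alert"], path, alert.get("param", ""))


def dedupe(alerts):
    """Keep the first alert for each finding key, preserving order."""
    unique = {}
    for alert in alerts:
        unique.setdefault(finding_key(alert), alert)
    return list(unique.values())


def gate(alerts, fail_at="High", min_confidence="Medium"):
    """Decide whether a regression run passes.

    An alert blocks the build only if its risk is at least fail_at AND its
    confidence is at least min_confidence. High-risk but low-confidence
    alerts are returned separately for manual triage rather than silently
    dropped or allowed to fail every run on a probable false positive.
    """
    findings = dedupe(alerts)
    blocking, triage = [], []
    for f in findings:
        if RISK_ORDER[f["risk"]] >= RISK_ORDER[fail_at]:
            if CONF_ORDER.get(f["confidence"], 0) >= CONF_ORDER[min_confidence]:
                blocking.append(f)
            else:
                triage.append(f)
    counts = Counter(f["risk"] for f in findings)
    return {"passed": not blocking, "blocking": blocking,
            "triage": triage, "counts": counts}


def report(result):
    """Human-readable summary for the CI log."""
    lines = ["PASS" if result["passed"] else "FAIL"]
    for risk in sorted(result["counts"], key=RISK_ORDER.get, reverse=True):
        lines.append(f"  {risk}: {result['counts'][risk]}")
    for f in result["blocking"]:
        lines.append(f"  BLOCKING {f['alert']} at {f['url']} (param {f['param']!r})")
    for f in result["triage"]:
        lines.append(f"  TRIAGE   {f['alert']} at {f['url']} (confidence {f['confidence']})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    result = gate(SAMPLE_ALERTS)
    print(report(result))
    sys.exit(0 if result["passed"] else 1)
```

On the sample data the two reflected XSS alerts collapse into one blocking finding, the low-confidence SQL injection lands in the triage list, and the missing header is only counted, so the job exits non-zero for the XSS alone. In a live pipeline the alert list would come from the scanner rather than the constructed constant, and the triage list is what you would push into ThreadFix for a human to confirm or mark as a false positive.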

“We’re tremendously grateful for all members of the ThreadFix community—those contributing code as well as those filing bugs and feature requests,” Cornell said. “That helps us to make the best product possible.”