Assessing Business Operations Risk With Unified Vulnerability Management in ThreadFix 3.0
0 likes408 views
Threadfix 3.0 offers a unified vulnerability management platform that consolidates application vulnerabilities and integrates security into existing workflows to improve application security programs. It enables faster resolution of vulnerabilities, enhances testing throughput, and supports both in-house and outsourced testing strategies. The new architecture promotes ease of installation and scalability while ensuring comprehensive risk management by correlating applications with their infrastructure.
Assessing Business Operations Risk With Unified Vulnerability Management in ThreadFix 3.0
- 1. © 2019 Denim Group – All Rights Reserved Assessing Business Operations Risk with Unified Vulnerability Management in ThreadFix 3.0 03/28/2019 Dan Cornell, CTO Kyle Pippin, ThreadFix Product Manager
- 2. © 2019 Denim Group – All Rights Reserved 1 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted • Since 2001, helping secure software • Development background • Tools + services model
- 3. © 2019 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using • Provide access to powerful analytics 2 44% Reduction in Time-To-Fix Vulnerabilities Up To 5x Increase in AppSec Assessment Productivity
- 4. © 2019 Denim Group – All Rights Reserved ThreadFix Data Flow 3
- 5. © 2019 Denim Group – All Rights Reserved Who Benefits and How? • Security Team • Run more efficient and effective application security programs (200-500% increase in testing throughput, 15-35% reduction in findings requiring triage) • Development Teams • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc) • Risk-management Team • Faster resolution of key vulnerabilities (up to 44% reduction in mean-time-to-fix) 4
- 6. © 2019 Denim Group – All Rights Reserved Test Result Consolidation 5 • Organizations typically see a 15-35% reduction in finding count due to normalization and de- duplication. • Includes technology from Denim Group patents: • US 10,043,012 Method of Correlating Static and Dynamic Application Security Testing Results for Web Applications • US 10,043,004 Method of Correlating Static and Dynamic Application Security Testing Results for a Web and Mobile Application
- 7. © 2019 Denim Group – All Rights Reserved Integrate & Automate 6 i.o. SecurityCenter De-Dup Merge Correlate History Settings Policy False Positives Risk Triage Consolidate Remediation Profiles Templates Actionable Tracked Insights Verification HotSpots Alerting Findings & Vulnerability Management Pipeline Automated/Orchestrated Pre-Processing Reduce Vulns to Manage Manage by Policy & Settings Single Portal for: ITAO’s Dev’s SME’s SecChamps Dev’s & SME’s Work in daily tools, and existing workflows Security Program & Policy Management and reporting Tableau Business Object Power BI Archer Custom Reporting External System Integration Manual
- 8. © 2019 Denim Group – All Rights Reserved Orchestrate 7 Build Sec into DevOps: • Integrate automated Sec into CI/CD • Orchestrate scans • Rapid pass/fail/warn based on predefined policies • Auto creation of bugs for Dev Team ScannersBug Trackers Dev (CI/CD) Sec Auto build Sec check Sec pass/fail/warn Bugs (Sec Vulns) Auto execute scanners An example of ThreadFix’s security orchestration
- 9. © 2019 Denim Group – All Rights Reserved Defect Tracker Integration 8 • Bi-directional integration: bundle vulnerabilities into software defects, track development team progress resolving them • Reduction of Mean Time To Fix (MTTF) up to 44%
- 10. © 2019 Denim Group – All Rights Reserved Outsource Testing via ThreadFix • Make service requests from ThreadFix and receive and view results directly within the platform • Gives organizations both strategic and tactical flexibility: • Strategic: “What technologies and capabilities do we want to manage in-house, and what do we want to outsource?” • Tactical: Provides surge access to delivery capabilities when needed 9
- 11. © 2019 Denim Group – All Rights Reserved Demo
- 12. © 2019 Denim Group – All Rights Reserved Demo AppSec
- 13. © 2019 Denim Group – All Rights Reserved Applications and Their Infrastructure • Applications expose organizations to risk • But applications run on infrastructure • Servers, routers, NLBs • Infrastructure also exposes organizations to risk • ThreadFix 3.0 treats network and infrastructure assets as first-class items 12
- 14. © 2019 Denim Group – All Rights Reserved Unified Vulnerability Management • Define “networks” • Import scanning results • Tenable Nessus • Qualys • Rapid7 InsightVM • Correlate applications with their infrastructure • Provides a unified view into risk from vulnerabilities 13
- 15. © 2019 Denim Group – All Rights Reserved Bonus: New UI/UX 14
- 16. © 2019 Denim Group – All Rights Reserved Demo InfoSec 15
- 17. © 2019 Denim Group – All Rights Reserved Architectural Changes • Microservices architecture • Stream-based data ingestion • Elastic Search-based reporting • More powerful and flexible tuning and scaling • Containerized • Easy to install • Easy to maintain 16
- 18. © 2019 Denim Group – All Rights Reserved Demo Unified Environment 17
- 19. © 2019 Denim Group – All Rights Reserved ThreadFix 3.0 Summary • Network and infrastructure support and correlation provides unified vulnerability management • Embedded outsourced testing allows for strategic and tactical decisions about your security program • New architecture provides for easier installation, maintenance, and scaling 18
- 20. © 2019 Denim Group – All Rights Reserved www.threadfix.it www.denimgroup.com 19 [email protected] [email protected] threadfix.it