Secure DevOps with ThreadFix 2.3
![Page 1: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/1.jpg)
© 2015 Denim Group – All Rights Reserved
Secure DevOps with ThreadFix 2.3
Dan Cornell
@danielcornell
This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
![Page 2: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/2.jpg)
ThreadFix: Accelerate Software Remediation
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
![Page 3: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/3.jpg)
What Can We Do With ThreadFix?
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
![Page 4: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/4.jpg)
Create a consolidated view of your applications and vulnerabilities
![Page 5: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/5.jpg)
Application Portfolio Tracking
• Track multiple “Teams”
  – Arbitrary distinction: geography, line of business, common tools and practices
• Track multiple “Applications” per “Team”
  – The unit of scanning or testing
• Track Application metadata
  – Criticality, hosted URL, source code location
• Reporting can be done at the organization, Team or Application level
![Page 6: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/6.jpg)
Demo: Application Portfolio Tracking
![Page 7: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/7.jpg)
Fill ThreadFix Up With Vulnerability Data
• Manual file upload
• REST API
  – https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
• Command Line Interface (CLI)
  – https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
  – The CLI JAR can also be used as a Java REST client library
• Jenkins plugin
  – Contributed from the ThreadFix community (yeah!)
  – https://github.com/automationdomination/threadfix-plugin
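The REST API is the route a build pipeline normally takes, so here is a small stdlib-only upload client. It is an added example, not ThreadFix project code or any of the community client libraries. It assumes the 2.x conventions described on the REST wiki linked above (API rooted at `/rest`, an `apiKey` query parameter, scan files posted to `/rest/applications/{appId}/upload` as a multipart field named `file`, and a JSON envelope with `success`, `message`, `responseCode` and `object`); check those against the wiki for the ThreadFix version you run. The host name and key below are placeholders.

```python
"""Push a scanner result file into ThreadFix over its REST API (added example).

Assumed, per the ThreadFix 2.x REST wiki (verify for your version): API under
/rest, auth via an ``apiKey`` query parameter, scan upload at
POST /rest/applications/{appId}/upload with a multipart field named ``file``,
JSON reply {"success": bool, "message": str, "responseCode": int, "object": ...}.
"""
import json
import secrets
import urllib.request
from urllib.parse import urlencode


def encode_multipart(filename: str, data: bytes, field: str = "file"):
    """Build a multipart/form-data body holding one file. Returns (content_type, body)."""
    boundary = "----threadfix-" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def build_upload_request(base_url: str, app_id: int, api_key: str,
                         filename: str, data: bytes) -> urllib.request.Request:
    """Construct (but do not send) the scan-upload request."""
    # The key travels in the query string, so it ends up in proxy and server access
    # logs: only ever talk to an https:// base URL, and use a key scoped to this job.
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send an API key over plaintext HTTP")
    url = (f"{base_url.rstrip('/')}/rest/applications/{app_id}/upload?"
           + urlencode({"apiKey": api_key}))
    content_type, body = encode_multipart(filename, data)
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": content_type, "Accept": "application/json"})


def parse_envelope(text: str):
    """Unwrap the ThreadFix JSON envelope; raise if the call did not succeed."""
    env = json.loads(text)
    if not env.get("success"):
        raise RuntimeError(f"ThreadFix rejected the upload: {env.get('message')!r} "
                           f"(responseCode={env.get('responseCode')})")
    return env.get("object")


def upload_scan(base_url: str, app_id: int, api_key: str, path: str,
                opener=urllib.request.urlopen):
    """Send the scan file at ``path``; return the scan object ThreadFix created."""
    with open(path, "rb") as fh:
        req = build_upload_request(base_url, app_id, api_key,
                                   path.rsplit("/", 1)[-1], fh.read())
    with opener(req, timeout=120) as resp:      # opener is injectable for tests
        return parse_envelope(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder host, application id and key; a real run needs all three.
    print(upload_scan("https://threadfix.example.test/threadfix", 7, "REPLACE-ME", "zap-report.xml"))
```

Failing the build on a rejected upload (rather than logging and continuing) is the point of `parse_envelope` raising: a scan that silently never reached ThreadFix is worse than a red build.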
![Page 8: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/8.jpg)
What Does ThreadFix Do With Scan Results?
• Diff against previous scans with the same technology
  – What vulnerabilities are new?
  – What vulnerabilities went away?
  – What vulnerabilities resurfaced?
• Findings marked as false positive are remembered across scans
  – Hopefully saving analyst time
• Normalize and merge with other scanners’ findings
  – SAST to SAST
  – DAST to DAST
  – SAST to DAST via Hybrid Analysis Mapping (HAM)
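The diff, the remembered false positives and the same-technology merge are one piece of logic, so here is a compact version of it. This is an added example, not ThreadFix's own code: the matching keys are a plausible simplification (ThreadFix's real merge rules are scanner-specific), the scan data is constructed, and "technology" is passed in explicitly as `sast` or `dast`. SAST-to-DAST merging via HAM is deliberately left out here.

```python
"""Diff successive scans and merge duplicate findings the way an aggregator does.

Added example, not ThreadFix code. A finding is a dict with ``scanner`` and
``cwe`` plus either ``file`` (SAST) or ``path``/``parameter`` (DAST); the store
keeps one vulnerability per merged key. Keys are an assumed simplification.
"""


def merge_key(finding: dict) -> tuple:
    """Normalise a finding to the key two scanners must agree on to be the same vuln.
    SAST: same CWE in the same file; line numbers drift between commits, so they
    are deliberately ignored. DAST: same CWE at the same path and parameter, with
    the path normalised (case, trailing slash and query string dropped)."""
    if "file" in finding:
        return ("sast", finding["cwe"], finding["file"].replace("\\", "/").lower())
    path = finding["path"].split("?", 1)[0].rstrip("/").lower() or "/"
    return ("dast", finding["cwe"], path, (finding.get("parameter") or "").lower())


class VulnStore:
    """Vulnerability history for one application across many scans."""

    def __init__(self):
        self.vulns = {}            # merge key -> {"status", "scanners", "first_seen", "closed_on"}
        self.false_positives = set()

    def mark_false_positive(self, finding: dict):
        """Analyst verdict, remembered for every later scan that reports the same key."""
        key = merge_key(finding)
        self.false_positives.add(key)
        if key in self.vulns:
            self.vulns[key]["status"] = "false_positive"

    def ingest(self, scan_date: str, technology: str, findings: list) -> dict:
        """Apply one scan of the given technology ("sast" or "dast").
        Returns how many vulnerabilities are new, resurfaced, closed or still open,
        and how many findings were suppressed as known false positives."""
        seen = {}
        for f in findings:
            seen.setdefault(merge_key(f), set()).add(f["scanner"])
        summary = {"new": 0, "resurfaced": 0, "closed": 0, "open": 0, "suppressed": 0}
        for key, scanners in seen.items():
            if key in self.false_positives:
                summary["suppressed"] += 1          # nobody re-triages this one
                continue
            vuln = self.vulns.get(key)
            if vuln is None:
                self.vulns[key] = {"status": "open", "scanners": set(scanners),
                                   "first_seen": scan_date, "closed_on": None}
                summary["new"] += 1
            elif vuln["status"] == "closed":
                vuln.update(status="open", closed_on=None)   # the earlier "fix" did not hold
                vuln["scanners"] |= scanners
                summary["resurfaced"] += 1
            else:
                vuln["scanners"] |= scanners     # a second scanner agrees: merge, don't duplicate
                summary["open"] += 1
        # A vuln only "goes away" when a scan of the same technology stops reporting it;
        # a DAST scan says nothing about what a SAST tool found in the source.
        for key, vuln in self.vulns.items():
            if key[0] == technology and vuln["status"] == "open" and key not in seen:
                vuln.update(status="closed", closed_on=scan_date)
                summary["closed"] += 1
        return summary
```

Keeping the false-positive set keyed on the normalised key rather than on a scanner's own finding id is what lets the verdict survive a change of scanner or a renumbered report.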
![Page 9: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/9.jpg)
Demo: Vulnerability Merge
![Page 10: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/10.jpg)
Hybrid Analysis Mapping (HAM)
• Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract
• Acronyms!
• Initial goal: SAST to DAST merging
  – Results: that, plus other stuff
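To make the SAST-to-DAST idea concrete: a static finding lives at a file and line, a dynamic finding at a URL and parameter, and the two can only be merged once the framework's routing has been parsed so that URLs map back to handler code. The block below is an added illustration of that mapping, not ThreadFix's HAM implementation (which covers several frameworks and much more of their attribute/parameter handling). It assumes a Spring MVC style controller with `@RequestMapping` and `@RequestParam` annotations; the controller source and both sets of findings are constructed for the example.

```python
"""Map dynamic-scan URLs back to source the way hybrid analysis mapping does:
parse routing annotations, build an endpoint table, then join DAST findings
(URL + parameter) with SAST findings (file + line) over it.

Added example, not ThreadFix's HAM. Handles Spring MVC @RequestMapping only;
the controller source and the findings below are constructed sample data.
"""
import math
import re

CONTROLLER = "src/main/java/com/example/AccountController.java"
SAMPLE_SOURCES = {CONTROLLER: '''
package com.example;
@Controller
@RequestMapping("/account")
public class AccountController {
    @RequestMapping(value = "/search", method = RequestMethod.GET)
    public String search(@RequestParam("q") String q, Model model) {
        model.addAttribute("results", jdbc.query("select * from acct where name like '%" + q + "%'"));
        return "search";
    }
    @RequestMapping(value = "/{id}/profile", method = RequestMethod.POST)
    public String profile(@PathVariable long id, @RequestParam("bio") String bio) {
        return "profile";
    }
}
'''}

CLASS_MAP = re.compile(r'@RequestMapping\(\s*"([^"]*)"\s*\)\s*\n\s*public\s+class')
METHOD_MAP = re.compile(r'@RequestMapping\(\s*(?:value\s*=\s*)?"([^"]*)"(?:[^)]*RequestMethod\.(\w+))?[^)]*\)')
PARAM = re.compile(r'@RequestParam\("(\w+)"\)')


def url_pattern(url: str) -> str:
    """'/account/{id}/profile' -> anchored regex, one path segment per path variable."""
    parts = re.split(r"(\{\w+\})", url)
    return "^" + "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts) + "$"


def build_endpoint_table(sources: dict) -> list:
    """One row per annotated handler: HTTP method, URL regex, file, line span, request parameters."""
    table = []
    for path, text in sources.items():
        cls = CLASS_MAP.search(text)
        prefix = cls.group(1).rstrip("/") if cls else ""
        rows = []
        for m in METHOD_MAP.finditer(text):
            if cls and m.start() == cls.start():
                continue                            # class-level prefix, not a handler
            sig_end = text.index("{", m.end())      # the handler signature runs up to its body brace
            rows.append({"method": m.group(2) or "ANY",
                         "pattern": url_pattern(prefix + m.group(1)),
                         "file": path,
                         "line": text.count("\n", 0, m.start()) + 1,
                         "params": set(PARAM.findall(text[m.end():sig_end]))})
        for row, nxt in zip(rows, rows[1:] + [None]):
            row["end_line"] = nxt["line"] if nxt else math.inf   # a handler ends where the next begins
        table.extend(rows)
    return table


def correlate(endpoints: list, sast: list, dast: list):
    """Join DAST findings (cwe, method, path, parameter) with SAST findings (cwe, file, line).
    Returns (merged, unmapped): merged rows carry both sides; unmapped are DAST findings
    for which no route exists in the parsed source (e.g. legacy pages outside the framework)."""
    merged, unmapped = [], []
    for d in dast:
        path = d["path"].split("?", 1)[0]
        routes = [e for e in endpoints
                  if re.match(e["pattern"], path)
                  and e["method"] in ("ANY", d.get("method", "GET"))
                  and (not d.get("parameter") or d["parameter"] in e["params"])]
        if not routes:
            unmapped.append(d)
            continue
        for e in routes:
            for s in sast:
                if s["file"] == e["file"] and s["cwe"] == d["cwe"] and e["line"] <= s["line"] < e["end_line"]:
                    merged.append({"cwe": d["cwe"], "path": path, "parameter": d.get("parameter"),
                                   "file": s["file"], "line": s["line"],
                                   "scanners": {s["scanner"], d["scanner"]}})
    return merged, unmapped


SAMPLE_SAST = [   # constructed static findings
    {"scanner": "Fortify", "cwe": "CWE-89", "file": CONTROLLER, "line": 8},
    {"scanner": "Fortify", "cwe": "CWE-79", "file": CONTROLLER, "line": 13},
]
SAMPLE_DAST = [   # constructed dynamic findings, as a DAST tool would report them
    {"scanner": "ZAP", "cwe": "CWE-89", "method": "GET", "path": "/account/search?q=1", "parameter": "q"},
    {"scanner": "ZAP", "cwe": "CWE-79", "method": "POST", "path": "/account/42/profile", "parameter": "bio"},
    {"scanner": "ZAP", "cwe": "CWE-79", "method": "GET", "path": "/legacy/old.jsp", "parameter": "x"},
]


def demo():
    return correlate(build_endpoint_table(SAMPLE_SOURCES), SAMPLE_SAST, SAMPLE_DAST)
```

A DAST finding that maps to a handler but has no static counterpart with the same CWE stays a DAST-only vulnerability (it is neither merged nor "unmapped" here); the "unmapped" list is the useful by-product, since it names URLs the scanner reached that the source model does not explain.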
![Page 11: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/11.jpg)
Demo: Merging Static and Dynamic Scanner Results
![Page 12: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/12.jpg)
Demo: De-Duplicate Dynamic RESTful Scanner Results
![Page 13: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/13.jpg)
Prioritize application risk decisions based on data
![Page 14: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/14.jpg)
Vulnerability Filtering
• Filter vulnerability data by
  – Scanner, scanner count
  – Vulnerability type
  – Path, parameter
  – Severity
  – Status
  – Aging
• Save filters for future use
![Page 15: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/15.jpg)
Demo: Vulnerability Filtering
![Page 16: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/16.jpg)
Reporting
• Trending
  – Progress by Vulnerability
  – For program benchmarking
• Portfolio Report
  – For resource prioritization
• Comparison
  – For scanner/technology benchmarking
![Page 17: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/17.jpg)
Demo: Reporting
![Page 18: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/18.jpg)
Translate vulnerabilities to developers in the tools they are already using
![Page 19: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/19.jpg)
Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
  – 500 XSS turned into 500 defects?
  – If it takes longer to administer the bug than it does to fix the code…
• Cluster like vulnerabilities
  – Using the same libraries / functions
  – Cut-and-paste remediation code
  – Be careful about context-specific encoding
• Combine by severity
  – Especially if they are cause for an out-of-cycle release
• Which developer “owns” the code?
![Page 20: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/20.jpg)
Defect Tracker Integration
• Bundle multiple vulnerabilities into a defect
  – Using standard filtering criteria
• ThreadFix periodically updates defect status from the tracker
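The saved-filter criteria from the Vulnerability Filtering slide and the bundling advice from Mapping Vulnerabilities to Defects fit together as one procedure: select, then cluster, then file. The block below is an added example of that procedure, not ThreadFix's filtering or defect-submission code. Its filter fields mirror the ones named on the slides (scanner count, type, path, severity, status, aging); its bundling rule, one ticket per (CWE, location) cluster with Critical findings kept apart so they can ride an out-of-cycle release, is an assumption for illustration, as is the sample vulnerability list.

```python
"""Select vulnerabilities with a saved filter, then bundle them into defects
rather than filing one ticket per finding. Added example, not ThreadFix code;
the filter fields follow the slides, the bundling rule and data are assumed.
"""
from datetime import date

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample: merged vulnerabilities an aggregator might hold for one application.
TODAY = date(2015, 7, 1)
SAMPLE_VULNS = [
    {"id": 1, "cwe": "CWE-79", "name": "Cross-Site Scripting", "severity": "High", "status": "Open",
     "path": "/search.jsp", "parameter": "q", "scanners": ["ZAP", "AppScan"], "first_found": date(2015, 5, 2)},
    {"id": 2, "cwe": "CWE-79", "name": "Cross-Site Scripting", "severity": "High", "status": "Open",
     "path": "/search.jsp", "parameter": "sort", "scanners": ["ZAP"], "first_found": date(2015, 6, 20)},
    {"id": 3, "cwe": "CWE-79", "name": "Cross-Site Scripting", "severity": "Critical", "status": "Open",
     "path": "/admin/users.jsp", "parameter": "name", "scanners": ["ZAP", "AppScan"], "first_found": date(2015, 4, 15)},
    {"id": 4, "cwe": "CWE-89", "name": "SQL Injection", "severity": "Critical", "status": "Open",
     "path": "/search.jsp", "parameter": "q", "scanners": ["AppScan"], "first_found": date(2015, 6, 25)},
    {"id": 5, "cwe": "CWE-79", "name": "Cross-Site Scripting", "severity": "High", "status": "False Positive",
     "path": "/help.jsp", "parameter": "topic", "scanners": ["ZAP"], "first_found": date(2015, 3, 1)},
    {"id": 6, "cwe": "CWE-200", "name": "Information Exposure", "severity": "Low", "status": "Open",
     "path": "/", "parameter": None, "scanners": ["ZAP"], "first_found": date(2015, 1, 10)},
]


def apply_filter(vulns: list, spec: dict, today: date = TODAY) -> list:
    """Keep vulnerabilities matching every criterion in ``spec`` (a saved filter).
    Recognised keys: min_scanners, cwes, path_prefix, min_severity, statuses,
    min_age_days, max_age_days. Anything not given does not constrain."""
    out = []
    for v in vulns:
        age = (today - v["first_found"]).days
        if len(v["scanners"]) < spec.get("min_scanners", 1):
            continue                                  # "two scanners agree" is a strong signal
        if spec.get("cwes") and v["cwe"] not in spec["cwes"]:
            continue
        if spec.get("path_prefix") and not v["path"].startswith(spec["path_prefix"]):
            continue
        if SEVERITY_RANK[v["severity"]] < SEVERITY_RANK[spec.get("min_severity", "Info")]:
            continue
        if v["status"] not in spec.get("statuses", ("Open",)):
            continue                                  # false positives never reach a developer
        if not spec.get("min_age_days", 0) <= age <= spec.get("max_age_days", 10**6):
            continue
        out.append(v)
    return out


def bundle_into_defects(vulns: list, max_per_defect: int = 25) -> list:
    """One defect per (CWE, location) cluster, so the fix is one piece of code and the
    ticket stays digestible. Critical vulnerabilities are never mixed into a cluster with
    lower-severity ones, so they can go out in an out-of-cycle release on their own."""
    clusters = {}
    for v in vulns:
        urgent = v["severity"] == "Critical"
        clusters.setdefault((v["cwe"], v["path"], urgent), []).append(v)
    defects = []
    for (cwe, path, urgent), members in sorted(clusters.items(), key=lambda kv: (not kv[0][2], kv[0])):
        members.sort(key=lambda m: -SEVERITY_RANK[m["severity"]])
        for i in range(0, len(members), max_per_defect):
            chunk = members[i:i + max_per_defect]
            defects.append({
                "title": f"{chunk[0]['name']} ({cwe}) in {path}: {len(chunk)} instance(s)",
                "priority": "P1 - out-of-cycle fix" if urgent else "P2 - next sprint",
                "vuln_ids": [m["id"] for m in chunk],
                "description": "\n".join(
                    f"- {m['path']} param {m['parameter']} [{m['severity']}, {'/'.join(m['scanners'])}]"
                    for m in chunk),
            })
    return defects
```

The cluster key is the place the remediation code will live (same CWE, same page), which is what makes cut-and-paste fixes safe to propose in one ticket; the "context-specific encoding" caveat on the slide is exactly why the key includes the location and not just the CWE.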
![Page 21: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/21.jpg)
Demo: Defect Tracker Integration
![Page 22: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/22.jpg)
Important Links
• Main ThreadFix website: www.threadfix.org
  – General information, downloads
• ThreadFix GitHub site: www.github.com/denimgroup/threadfix
  – Code, issue tracking
• ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
  – Project documentation
• ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
  – Community support, general discussion
![Page 23: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/23.jpg)
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
![Page 24: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/24.jpg)
Demo: Scheduling a Recurring Scan
![Page 25: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/25.jpg)
Demo: On Demand Scan Agent Task
![Page 26: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/26.jpg)
Demo: Kicking off a Scan via Command Line
![Page 27: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/27.jpg)
Demo: Getting Notified of Policy Violations
![Page 28: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/28.jpg)
Demo: Jenkins Plugin
https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin
![Page 29: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/29.jpg)
Contributor Spotlight
![Page 30: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/30.jpg)
Pearson Links
Aaron Weaver and Matt Tesauro’s presentations at OWASP AppSecEU 2015:
• http://www.denimgroup.com/blog/denim_group/2015/06/threadfix-pearson.html
Matt Tesauro:
• Go client library: https://github.com/mtesauro/tfclient
• Checkmarx/ThreadFix integration: https://github.com/mtesauro/tfCheckmarxUpload
Adam Parson:
• Python client library: https://github.com/aparsons/threadfix_api
![Page 31: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/31.jpg)
Pearson Notes
Many thanks to Pearson for their sponsorship of:
• Defect Tracker Default Credentials
• Deep Linking After Authentication
• Scan Details REST Call
• Scan List REST Call
• Unmapped Findings Data in Scan Upload REST Response
• Full URL in Vulnerability Tree
• Custom CWE Remediation Advice on Defects
• Set CWE Text REST Call, and CWE Text in Vuln Search
• Multi-File Scan Upload
• Multi-File Scan Upload Endpoint
• Scanner-Specific Filters
• Tag REST Calls
• REST Application Update Call
• REST Team Update Call
• AppScan Enterprise Support
![Page 32: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/32.jpg)
Samsung SSIC Links
• Samsung blog post about their ThreadFix architecture: https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
Many thanks to Samsung SSIC for their donation of:
• Default system for defect submissions
• Scheduled email reports for new vulnerabilities
• More extensive and flexible defect descriptions, driven by the Velocity template engine
• Ability to submit defects from the vulnerability details page
![Page 33: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/33.jpg)
I Want to Contribute!
• Great!
• Let us know what you’re interested in
• Sign a contributor agreement
• Contribute!
Main Contributor Page: https://github.com/denimgroup/threadfix/wiki/ThreadFix-Development-Community
![Page 34: Secure DevOps with ThreadFix 2.3](https://reader034.vdocument.in/reader034/viewer/2022042511/55d158c1bb61eb6d4a8b4623/html5/thumbnails/34.jpg)
Questions / Contact Information
Dan Cornell Principal and CTO [email protected] Twitter @danielcornell (844) 572-4400
www.denimgroup.com www.threadfix.org