The Magic of Symbiotic Security Creating an Ecosystem of Security Systems: ThreadFix

Dan Cornell

Tue, 16th July 2013

Speaker Bio 1:
Dan Cornell is Principal at Denim Group, Ltd. and Owner, Denim Group, Ltd. Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception.

Questions and answers

Max, Concise Courses:
How do you update ThreadFix? Do you pull recently detected viruses from some central database?

Dan Cornell:
Great question. OK, so ThreadFix is a app-level management vulnerability system, so typically folks are going to use this to manage the security of apps specific to their environment. If your organization has built an ecommerce site or if you have an online banking site this is software that only exists in your environment and so if you have a program where you are using a tool like AppScan or an external service like White Hat or Qualys to do scanning against your web application – that is where ThreadFix pulls in the data about those types of data assurance and application scanning activity. [ThreadFix is therefore] less about your normal infrastructure like the types of things you would find with Nessus or an infrastructure level scan, so we do provide updates as the scanning tools have new vulerability classes made available to them and [at the same time] we provide updates for ThreadFix both for the code as well as the database.

I do want to be clear that the vulnerability typically managed with ThreadFix are web or mobile application level vulnerability not for infrastructure configuration.

Max, Concise Courses:
What is the biggest threat that you guys are detecting and is that going to influence the direction that ThreadFix takes?

Dan Cornell:
Seven years ago when we were working with folks on the security of their applications (typically medium to large-sized organizations) they would say, ‘hey, I’ve got these five applications that are really important and valuable to us [can you] take a look at these applications? The progression we have seen is that organizations have realized that they don’t just have five applications that are important; they have a lot more than that. [Potentially organizations can have hundreds of applications that can be under attack].

The biggest challenge for an organization is to transition from a very tactical small sub-set of applications because that is where I am concerned the attacks are going, but instead to adopt a much more problematic approach to assurance. [Rather than] looking really closely at a core of applications, I need to look into a lot more applications: that was a big driver for us at ThreadFix.

We see organizations open their aperture from being very focused on a couple of very specific apps to saying that they need a problematic approach across my entire organization and I need to be able to scale my program. That is one of the things that we are going to be talking about at Black Hat Arsenal in a couple of weeks, like some of the new scanning orchestration capabilities that are building into ThreadFix so taht you can schedule find ways to increase its’ automation as well as increase the fluidity of communication between teams, [for example] how do you take security vulnerabilities and turn them into software defects. That is really the problem that we are trying to solve for the folks that we see out there.

Max, Concise Courses:
You touched on the need for more standards, what additional programs can you share with us?

Dan Cornell:
If you look across the security space, the application software level security is a comparatively new discipline, versus network infrastructure security, we have had standards for a long time in the infrastructure world and we started to see more of these start to get developed as organizations and programs get more sophisticated.

We have some things that we are announcing; such as working with different government organizations and they are also saying, ‘hey we are also interested in seeing these tools operate with one another[ and that’s really important in environments that use multiple scanning tools.

Hacker Tools have different strengths and weaknesses and in more sophisticated programs we are seeing more than one tool being run and so organizations are asking how we can bring this stuff together, again the stuff that might working on the OWASP project SSVL, I’m a little biased because I worked on the demo spec for it but that supports directly different the types of data manipulation that we see the more mature programs starting to. We are starting to see a lot more interest from the customer side, and other consulting organizations that so hopefully that is going to start percolating to the vendors so that they can get behind and say, ‘the market has matured enough that we need to start playing nice with one another’ and be the ‘only vendor in this space’. We have to play well with others which ultimately is going to be good for our customers and we are able to use the tools in the way that they would want.

Max, Concise Courses:
Does ThreadFix have a BYOD application – meaning, can it test for vulnerabilities on mobile within a network?

Dan Cornell:
What ThreadFix does for mobile apps is, if you are using a service like a Veracode on a White Hat to test the security of your mobile applications, either a third party apps that you are deploying to phones or applications that you have developed internally for internal or external use, ThreadFix can pull in the results of that analysis and help you manage that over time. So, again, it’s not going out looking for specific mobile malware, but if you have custom mobile development and you are doing testing of those applications then again a lot of the static analysis tools will now have rules that will let you test for things like that or if you are doing manual testing you can test those manual results. It’s a way to manage app mobile vulnerabilities through their lifecycle to make sure that they get transferred to the developers and when the developers said that they can fix them, you can actually go in and confirm that that fix has been successful.