The problem with IT security and vulnerability analysis in complex enterprise application environments is (it is argued) that companies are prone to using almost too many protection tools.
This scenario could in fact lead to a situation where security officers and development managers have trouble pinning down the vulnerabilities which they have in fact identified.
ThreadFix is a newly launched open source vulnerability management platform from Denim Group designed to "substantially accelerate" the process of resolving application-level vulnerabilities.
This new product works by aggregating vulnerability test results from the "list" of tools that might be in place such as:
1. 'disparate static' vulnerability analysis tools
2. 'dynamic' scanning tools
3. manual penetration testing reports
4. code review processes
5. threat modelling
The concept here is the construction of a single view of the security status of all applications within an organisation to help security analysts and development managers to make the right remediation decisions.
Normalisation of de-duplication is the answer
This has been described as the "normalisation of data" from multiple scanning sources to bring much needed de-duplication to vulnerability reports.
"The industry trend of using multiple commercial and open source tools to test the security of applications has enabled security teams to become more effective at identifying vulnerabilities. However, the downside of this approach is the volume of data that is produced to detail these vulnerabilities. Until now, this information has been managed with tedious and error-prone processes such as manually entering data into Excel spreadsheets," said the company, in a press statement.
To protect the organisation's assets during the remediation process, ThreadFix generates application firewall "virtual patches" while the software vulnerabilities can be addressed at a code level.
... and it's open source?
Denim Group CTO Dan Cornell confirms that "ThreadFix aggregates [all of this] data, making it much easier to pinpoint the critical risks that can get buried underneath an overwhelming number of lower-priority or irrelevant vulnerability information. We're pleased to be able to release this as an open source product to enable companies of all sizes to accelerate secure application development initiatives across the market."
You can read more on this story here.