How to use ThreadFix to simplify the vulnerability management process

Date: Jun 24, 2013

For any enterprise that develops several applications simultaneously, making security a focus during the development process can be a struggle. Scanning tools can find vulnerabilities in an application, but ranking each finding's relative importance and tracking whether it has been fixed is harder: exports from multiple scanners, covering numerous applications under development, quickly become confusing.

How can enterprises get a better handle on the vulnerability management process and ensure security issues aren't being overlooked? The open source security tool ThreadFix may just be the answer.

In this SearchSecurity screencast, Keith Barker, a Certified Information Systems Security Professional (CISSP) and trainer for CBT Nuggets LLC, demonstrates ThreadFix, a vulnerability management tool offered by security consultancy Denim Group Ltd. With ThreadFix installed on one machine, Barker uses a browser on a client machine, routed through an intercepting proxy, to visit the BodgeIt Store, a deliberately vulnerable Web application built for penetration-testing practice. Once the proxy's scan of BodgeIt has produced findings, Barker shows how simple it is to export the scanner's report and import it into ThreadFix. The tool aggregates export files from a variety of open source and commercial scanners, including OWASP's Zed Attack Proxy (ZAP) and Nessus, so most enterprises can keep using their scanner of choice; ThreadFix also accepts findings entered by hand from manual testing.

Barker then demonstrates how the imported scanner data can be sorted by team and by application, which simplifies enterprise vulnerability management. If your organization is struggling to keep track of the security vulnerabilities discovered across many applications, the free and open source ThreadFix can help prioritize those vulnerabilities and direct scarce infosec resources to the ones that matter most.
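The aggregation step the screencast shows (take reports from more than one scanner, merge duplicate findings, then rank them per team and application) is easy to underestimate until the two input formats sit side by side. The script below is an added illustration, not ThreadFix's own code or Denim Group's import logic: it parses a ZAP XML report and a Nessus v2 report into one finding schema, collapses repeat reports of the same issue, and groups the survivors worst-first per application. Both report samples are constructed for this example and trimmed to the elements the parser reads, the plugin IDs and names in the Nessus sample are placeholders, and the host-to-team mapping (`HOST_MAP`) is hypothetical.

```python
"""Added example (not ThreadFix's code): merge and rank findings from two
scanner exports. Sample reports below are constructed and trimmed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ZAP report following the OWASPZAPReport XML layout.
ZAP_XML = """<OWASPZAPReport version="2.2.2">
<site name="http://bodgeit.local:8080" host="bodgeit.local" port="8080" ssl="false"><alerts>
<alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
<riskcode>3</riskcode><cweid>79</cweid><instances>
<instance><uri>http://bodgeit.local:8080/bodgeit/search.jsp</uri><method>GET</method><param>q</param></instance>
<instance><uri>http://bodgeit.local:8080/bodgeit/search.jsp</uri><method>GET</method><param>q</param></instance>
</instances></alertitem>
<alertitem><pluginid>40018</pluginid><alert>SQL Injection</alert>
<riskcode>3</riskcode><cweid>89</cweid><instances>
<instance><uri>http://bodgeit.local:8080/bodgeit/login.jsp</uri><method>POST</method><param>username</param></instance>
</instances></alertitem>
<alertitem><pluginid>10016</pluginid><alert>Web Browser XSS Protection Not Enabled</alert>
<riskcode>1</riskcode><instances>
<instance><uri>http://bodgeit.local:8080/bodgeit/</uri><method>GET</method><param></param></instance>
</instances></alertitem>
</alerts></site></OWASPZAPReport>"""

# Constructed Nessus v2 report; plugin IDs and names are placeholders.
NESSUS_XML = """<NessusClientData_v2><Report name="lab"><ReportHost name="bodgeit.local">
<ReportItem port="8080" protocol="tcp" severity="4" pluginID="900001" pluginName="Outdated application server (placeholder)"/>
<ReportItem port="8080" protocol="tcp" severity="0" pluginID="900002" pluginName="HTTP server banner (placeholder)"/>
</ReportHost></Report></NessusClientData_v2>"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
HOST_MAP = {"bodgeit.local": ("Web Team", "BodgeIt Store")}  # hypothetical mapping


def parse_zap(xml_text):
    """ZAP riskcode is 0..3 (info..high); each <instance> becomes one finding."""
    findings = []
    for site in ET.fromstring(xml_text).iter("site"):
        for item in site.iter("alertitem"):
            for inst in item.iter("instance"):
                findings.append({
                    "scanner": "zap", "host": site.get("host"),
                    "title": item.findtext("alert"),
                    "severity": int(item.findtext("riskcode")),
                    "cwe": item.findtext("cweid") or None,
                    "path": urlsplit(inst.findtext("uri")).path,
                    "param": inst.findtext("param") or "",
                })
    return findings


def parse_nessus(xml_text):
    """Nessus severity is already 0..4; location is protocol/port, no CWE."""
    findings = []
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        for item in rh.iter("ReportItem"):
            findings.append({
                "scanner": "nessus", "host": rh.get("name"),
                "title": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cwe": None,
                "path": f"{item.get('protocol')}/{item.get('port')}",
                "param": "",
            })
    return findings


def dedupe(findings):
    """Collapse repeat reports of one issue. Findings carrying a CWE merge on
    (host, cwe, path, param) whatever scanner saw them; the rest merge on
    (scanner, title, host, path). The highest reported severity is kept."""
    merged = {}
    for f in findings:
        key = ((f["host"], f["cwe"], f["path"], f["param"]) if f["cwe"]
               else (f["scanner"], f["title"], f["host"], f["path"]))
        cur = merged.get(key)
        if cur is None:
            merged[key] = dict(f, count=1)
        else:
            cur["count"] += 1
            cur["severity"] = max(cur["severity"], f["severity"])
    return list(merged.values())


def rank_by_app(findings, host_map, min_severity=1):
    """Group by (team, application), drop informational noise, and sort
    worst-first within each application. Unmapped hosts go to 'Unassigned'."""
    grouped = defaultdict(list)
    for f in findings:
        if f["severity"] < min_severity:
            continue
        grouped[host_map.get(f["host"], ("Unassigned", f["host"]))].append(f)
    for items in grouped.values():
        items.sort(key=lambda f: (-f["severity"], f["title"]))
    return dict(grouped)


def triage():
    """Run the whole pipeline on the constructed sample reports."""
    return rank_by_app(dedupe(parse_zap(ZAP_XML) + parse_nessus(NESSUS_XML)), HOST_MAP)


if __name__ == "__main__":
    for (team, app), items in triage().items():
        print(f"{team} / {app}")
        for f in items:
            print(f"  [{SEVERITY[f['severity']]}] {f['title']} at {f['path']} "
                  f"param={f['param'] or '-'} x{f['count']} ({f['scanner']})")
```

The merge key is the design decision that matters: merging on CWE plus location and parameter lets a reflected XSS reported twice by ZAP (or once by ZAP and once by a second web scanner) count as one open issue, while infrastructure findings that carry no CWE are kept per scanner so a Nessus and a ZAP hit on the same port are not silently conflated. Dropping severity-0 items before ranking keeps banner-grabbing noise out of the queue a team is asked to work.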

About CBT Nuggets:
CBT Nuggets is a computer-based technology company specializing in cutting-edge online IT training. Founded in 1999 by current CEO Dan Charbonneau, CBT Nuggets provides quick, easy and affordable learning by renowned instructors for individuals, small teams and large organizations. CBT Nuggets also offers free videos on a variety of IT topics on the CBT Nuggets YouTube video channel.

About Keith Barker:
Keith Barker, CISSP, is a trainer for CBT Nuggets and has more than 27 years of IT experience. He is a double CCIE and has been named a Cisco Designated VIP. Keith is also the author of numerous Cisco Press books and articles.