Applied ThreadFix: Effective Security Team Collaboration

Modern enterprises are distributed. Most ThreadFix deployments have stakeholders spanning development and security teams and those team members are spread around the globe. To support these distributed organizations, ThreadFix has a number of collaboration features that make teams more efficient working across different stakeholder teams as well as across geographies and time zones.

Automated scanners are great, but they all produce false positives (come at me, xAST vendors!) As a result, you can’t just take the vulnerabilities coming from a scanner, bundle them up, and ship them off to development teams – the false positives will be a huge distraction and will rapidly erode the security team’s credibility. Security analysts typically need to review the results coming from scanners, cull out false positives, and potentially modify the scanner-provided severities of these vulnerabilities before they make it into the remediation pipeline. In addition, sometimes analysts need to work together to communicate between one another – applications are complicated and often a single analyst will need help from someone more senior or someone with more domain knowledge to provide context.

To support this, ThreadFix allows analysts to attach comments to vulnerabilities. These comments can be used to ask and respond to questions, to capture the rationale for triage decisions that were made, to capture information that may be of value to auditors down the road, and to generally provide a space for collaboration and commentary around vulnerabilities.

Figure 1: A security analyst uses the ThreadFix comment feature to register a question about the true status of a vulnerability.

ThreadFix also gives you the ability to attach tags to vulnerabilities . These can be used for a number of use cases, and a popular one is to flag vulnerabilities that either need review or that have had their review completed. These tags can then be used in searching and filtering.

Figure 2: After attaching their question about the vulnerability as a comment, the security analyst flags the vulnerability as needing review via a tag

Figure 3: At this point, another analyst can filter the identified vulnerabilities to show only those marked as needing review

Regarding a specific use case – being able to capture information for auditors – ThreadFix comments also provide you with the ability to tag comments  and report on them at a later date. This allows for general discussions to be had around vulnerabilities, and to capture certain aspects of that discussion “for the record” when that may be valuable later on.

Figure 4: This analyst responds to the first by attaching another comment. In addition, the analyst also attaches a tag to the comment, indicating that the comment may be of interest to PCI auditors at a later date

Figure 5: Because all open questions have been answered, the analyst also marks the vulnerability as having been reviewed

ThreadFix reporting provides a flexible filtering system, and one of the aspects available for filters is to show vulnerabilities that have comments, and specifically, comments with a given tag. This can be used by auditors and other stakeholders to pull up information relevant to their audit activities. The Vulnerability Search report can be used to drill into the data in ThreadFix and identify the proper vulnerabilities with the relevant comments.

This post is an overview of a handful of the features in ThreadFix that support effective collaboration between security stakeholders. We will follow up with another post demonstrating how ThreadFix facilitates collaboration between security and development teams. Contact us for help getting your security teams collaborating to efficiently address application vulnerabilities.