ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
•Manage a risk-ranked application portfolio
•Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting
•Convert application vulnerabilities into software defects in developer issue tracking systems
•Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
•Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
•Map the results of DAST and SAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.