Versions Compared

Old Version 6

changes.mady.by.user Daniel Colon

Saved on

compared with

New Version Current

changes.mady.by.user Daniel Colon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated logo, added screenshot and formatting.

...

Image Added

📙 You will learn

How to configure applications to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities.

Introduction

This

...

guide on configuring

...

applications in ThreadFix to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities allows for better static-dynamic vulnerability merging.

Supported Languages and Frameworks for ThreadFix Hybrid Analysis Mapping (HAM)

Hybrid Analysis Mapping current works for:

  • Java/JSP

  • Java/Spring

  • Java/Struts

  • C#/ASP.NET WebForms

  • C#/ASP.NET MVC

  • Ruby/Ruby on Rails

Support for additional languages and frameworks is planned. Source code can be imported from git repositories, subversion repositories or from local or network folder locations with additional source code access methods planned.

Source Code Setup

HAM settings can be found by navigating to a desired application and from the Action drop-down button selecting Edit/Delete.

Image Added

Setting up an application to take advantage of HAM involves pointing ThreadFix toward the source code and (optionally) telling ThreadFix what language and framework the application uses

...

Image Removed

...

.

From within the Edit Application modal, the Source Code fields can be filled in order to configure it. Click the Save Changes button in order to complete the setup.

Image Added

The Source Code fields are as follows:

  • Application Type - What type (language and framework) does the application use? The "Detect" option is preferable

...

  • as ThreadFix will look at the project folder and attempt to detect the language and framework. If there are detection issues, the specific language and framework can be selected. 

  • Source Code URL: This is the git or Subversion URL where the application's source code can be found

...

  • Source Code Branch: The branch of the source code repository to use for analysis (optional)

  • Source Code Revision A specific source code revision to use for analysis (optional)

  • Source Code User Name: The user name to use for source code repository access. If none is provided, anonymous access to the source code repository will be used.

  • Source Code Password: The password to use for source code repository access

  • Source Code Folder: This is the folder (from the perspective of the ThreadFix server) where the application source code can be found if the application is not available via git or Subversion.

Providing ThreadFix with access to the application source code will allow the server to perform a lightweight static analysis of the source code and build an internal database of the application's attack surface and the source code elements responsible for each piece of attack surface. This attack surface database allows for the advanced interactions both inside of ThreadFix and with external tools that was mentioned above.

Table of Contents

Table of Contents