Pen Test 3.X

You will learn

How to add manual vulnerabilities to applications for tracking through the Pen Test feature.

Prerequisites

Audience: IT Professional and/or End User
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: ThreadFix

Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows users to easily add manual vulnerabilities to applications for tracking through the Pen Test feature. The Pen Test feature allows users with the necessary permissions to build a list of manual findings over time and submit them as an assessment once the test is complete. This guide details the process for creating static, dynamic, and dependency findings with a Pen Test and interacting with these vulnerabilities afterward.

For information on how to create and manage Pen Test Teams, refer to the Manage Pen Test Teams guide. Permissions are required for creating, editing, and deleting Pen Test Teams and findings. For information on permissions, please see the documentation on Manage Roles.

Performing a Pen Test

To access the Pen Test page, open the application details page for a desired application and from the Action menu button select Perform Pen Test.

Pen Test Teams are made up of the users that have been placed on that team. More information on managing Pen Test Teams can be found on the Manage Pen Test Teams page.

Only users on a Pen Test Team can access the Pen Test page, and users can only select Pen Test Teams of which they are members. If a Pen Test Team has an active test, every user who opens that Pen Test Team's page is taken to that active Pen Test. Members of the same Pen Test Team can all add findings to the same Pen Test, and those findings are submitted as vulnerabilities from one Pen Test assessment.

When the Start Pen Test button is selected, all users with the appropriate permissions can add findings to this Pen Test. The test remains active until it is submitted, at which point the findings are added to the application's vulnerabilities and editing of the findings is limited.

Depending on permissions, the user now has the option to add a Finding, submit the Pen Test, and delete the Pen Test.

Add Findings

When Add Finding is selected, the user is taken to the Add Finding page.

Here users can create a static, dynamic, or dependency finding within the appropriate tab. Severity, Parameter, and a CWE or Summary are required for static and dynamic findings; Severity and a CWE or Summary are required for dependency findings. These fields matter because they are what ThreadFix uses to merge findings: for static and dynamic findings the CWE and parameter must match for two findings to merge, whereas dependency findings can merge without a matching CWE. For the full merge requirements of each type, see the examples below.

Files can be added to findings as evidence (Note: files are saved as-is and not used as scans). Files can only be deleted before a Pen Test is submitted; afterward, the files are permanently attached to the finding.

Examples

Dynamic Finding

Required Fields
  • Severity

  • Parameter

  • CWE or Summary

  • URL

Dynamic findings will only merge with other findings whose parameter, CWE and URL match. Note that a dynamic finding can have both static and dynamic information. 

Static Finding

Required Fields
  • Severity

  • Parameter

  • CWE or Summary

  • Source and Sink information

Static findings will only merge with other findings whose parameter, CWE, and source and sink information (file path and line number) match. Note that a static finding can have both static and dynamic information.

Dependency Finding

Required Fields
  • Severity

  • CWE or Summary (though summary is more common for dependency findings)

  • Library

  • Issue type

  • Reference

Dependency findings will only merge with other findings whose library, version number, and reference match (for dependency findings the CWE/summary and parameter are not required to match to merge with another finding).
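The three merge rules above can be checked before a Pen Test is submitted, so that duplicate findings from several team members are spotted early. The following is an added example, not ThreadFix's own code: it models the required fields and merge keys exactly as this page describes them (dynamic: parameter, CWE or summary, URL; static: parameter, CWE or summary, source and sink file path and line; dependency: library, version, and reference, with CWE/summary ignored). The field names, the sample findings, and the assumption that matching is an exact string comparison are all constructed for illustration.

```python
"""Model of ThreadFix's Pen Test finding merge rules (added example).

Field names and sample findings are constructed; exact-string matching of
parameter, URL, paths and reference is an assumption (the page only says
the values must "match").
"""
from collections import defaultdict

# Fields the page lists as required for each finding type. Every type also
# needs a CWE or, failing that, a Summary (checked separately below).
REQUIRED_FIELDS = {
    "dynamic": ("severity", "parameter", "url"),
    "static": ("severity", "parameter", "source_file", "source_line",
               "sink_file", "sink_line"),
    "dependency": ("severity", "library", "issue_type", "reference"),
}


def missing_fields(finding):
    """Return the names of required fields that are absent or empty."""
    kind = finding["type"]
    missing = [name for name in REQUIRED_FIELDS[kind] if not finding.get(name)]
    if not (finding.get("cwe") or finding.get("summary")):
        missing.append("cwe or summary")
    return missing


def weakness_id(finding):
    """CWE when present, otherwise the summary text, as the weakness identity."""
    if finding.get("cwe"):
        return ("cwe", int(finding["cwe"]))
    return ("summary", finding["summary"].strip().lower())


def merge_key(finding):
    """Tuple that two findings must share for this model to merge them."""
    kind = finding["type"]
    if kind == "dynamic":
        return ("dynamic", finding["parameter"], weakness_id(finding), finding["url"])
    if kind == "static":
        return ("static", finding["parameter"], weakness_id(finding),
                finding["source_file"], int(finding["source_line"]),
                finding["sink_file"], int(finding["sink_line"]))
    if kind == "dependency":
        # Library, version and reference only: CWE/summary are not compared.
        return ("dependency", finding["library"].lower(),
                finding.get("version", ""), finding["reference"])
    raise ValueError(f"unknown finding type: {kind}")


def group_findings(findings):
    """Validate each finding and group the ones that share a merge key."""
    groups = defaultdict(list)
    for finding in findings:
        missing = missing_fields(finding)
        if missing:
            raise ValueError(f"{finding.get('name', '?')}: missing {', '.join(missing)}")
        groups[merge_key(finding)].append(finding)
    return dict(groups)


# Constructed sample findings (not real scan or assessment data).
SAMPLE_FINDINGS = [
    {"name": "dyn-1", "type": "dynamic", "severity": "High", "cwe": "79",
     "parameter": "q", "url": "https://app.example/search"},
    {"name": "dyn-2", "type": "dynamic", "severity": "High", "cwe": "79",
     "parameter": "q", "url": "https://app.example/search"},   # merges with dyn-1
    {"name": "dyn-3", "type": "dynamic", "severity": "High", "cwe": "79",
     "parameter": "q", "url": "https://app.example/export"},   # different URL
    {"name": "stat-1", "type": "static", "severity": "Medium", "cwe": "89",
     "parameter": "id", "source_file": "UserDao.java", "source_line": 42,
     "sink_file": "UserDao.java", "sink_line": 58},
    {"name": "stat-2", "type": "static", "severity": "Medium", "cwe": "89",
     "parameter": "id", "source_file": "UserDao.java", "source_line": 42,
     "sink_file": "UserDao.java", "sink_line": 61},            # different sink line
    {"name": "dep-1", "type": "dependency", "severity": "Critical",
     "summary": "Outdated library", "library": "example-lib", "version": "1.2.3",
     "issue_type": "Known vulnerable version",
     "reference": "https://advisory.example/2024-001"},
    {"name": "dep-2", "type": "dependency", "severity": "Critical",
     "summary": "Deserialization flaw", "library": "example-lib", "version": "1.2.3",
     "issue_type": "Known vulnerable version",
     "reference": "https://advisory.example/2024-001"},        # merges despite summary
]


def merged_names(findings=SAMPLE_FINDINGS):
    """Names of the findings in each merge group, sorted for stable output."""
    return sorted(sorted(f["name"] for f in group)
                  for group in group_findings(findings).values())


if __name__ == "__main__":
    for names in merged_names():
        print(" + ".join(names))
```

Running the script prints one line per merge group; the two dynamic findings on the same parameter, CWE and URL collapse into one, the two static findings stay apart because their sink lines differ, and the two dependency findings merge even though their summaries differ. A team can run team members' draft findings through this check before Submit Pen Test, since after submission the findings are treated as scan findings and can no longer be edited or deleted from the Pen Test Findings page.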

Active Pen Test

After a finding is added to the Pen Test, it is listed under New Pen Test Findings, where members of the team can edit and delete the finding.

Deleting an Assessment After Creating a Pen Test

Once a Pen Test has been started and is active, users cannot delete assessments of the Pen Test scanner type, or upload a ThreadFix file for that scanner type, in that application until the active Pen Test has been submitted or deleted.

Once the Pen Test has been submitted, the option to delete assessments is again available from the Assessments tab.

Submitting a Pen Test

After clicking Submit Pen Test, a modal will display to set the date and time of the assessment.

Note: Once a Pen Test is submitted, its findings can no longer be edited or deleted from the Pen Test Findings page; they are treated as scan findings from that point on.

After Pen Test Submission

After the Pen Test is submitted, its vulnerabilities are displayed alongside the rest of the application's vulnerabilities. If another Pen Test is created by the same Pen Test Team, the user is prompted to review the open Pen Test findings previously created by that team.

Not Remediated

If the Not Remediated button is selected, the finding is moved to the Not Remediated Pen Test Findings section.

Remediated

If the Remediated button is selected, the finding can later be changed to Not Remediated or reverted. If Revert is selected, the finding is returned to its original state, awaiting review.

Note: Marking a finding Remediated removes the vulnerability that the Pen Test added from the application.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.