As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
Pen Test 3.X
- Daniel Colon
You will learn
How to add manual vulnerabilities to applications for tracking through the Pen Test feature.
Prerequisites
Audience: IT Professional and/or End User
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: ThreadFix
Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows users to easily add manual vulnerabilities to applications for tracking through the Pen Test feature. The Pen Test feature allows users with the necessary permissions to build a list of manual findings over time and submit them as an assessment once the test is complete. This guide details the process for creating static, dynamic, and dependency findings with a Pen Test and interacting with these vulnerabilities afterward.
For information on how to create and manage Pen Test Teams, refer to the Manage Pen Test Teams guide. Permissions are required for creating, editing and deleting Pen Test Teams and findings. For information on permissions please see the documentation on Manage Roles.
Performing a Pen Test
To access the Pen Test page, open the application details page for a desired application and from the Action menu button select Perform Pen Test.
Pen Test Teams are comprised of users that have been placed on that team. More info on managing Pen Test team found on the Manage Pen Test Teams page.
Only users on a Pen Test Team can access the Pen Test page. Users will only have the option to select Pen Test Teams that they are members of. If a Pen Test Team has an active test, all users who access that Pen Test Team page will be brought to that active Pen Test. Members of the same Pen Test Team will all be able to add findings to the same Pen Test to be submitted as vulnerabilities from one Pen Test assessment.Â
Â
When the Start Pen Test button is selected, all users with the appropriate permissions will be able to add findings to this Pen Test. This test will remain active until the test is submitted, at which point the findings are added to the application's vulnerabilities and editing of findings is limited.Â
Depending on permissions, the user now has the option to add a Finding, submit the Pen Test, and delete the Pen Test.
Add Findings
When the Add Finding is selected, the user is taken to the Add Finding page.
Here users are given the option to create a static, dynamic, or dependency finding within the appropriate tabs. Severity, Parameter, and a CWE or Summary are required for Static and Dynamic findings. Severity and CWE or Summary are required for Dependency findings. These fields are important as this is how ThreadFix merges findings. Dependency findings can merge without a matching CWE. For static and dynamic findings the CWE and parameter have to match in order for the findings to merge. For more information on finding merge requirements please see the examples of these findings below. Â
Uploading Evidence to Pentest Findings
Files can be added to findings as evidence (Note: files are saved as-is and not used as scans). Files can only be deleted before a Pen Test is submitted; afterward, the files are permanently attached to the finding.
Note the list of currently accepted file types for uploading to findings:
.csv
.fpr
.json
.nessus
.ozasmt
.xml
csv
doc
docx
JPEG
JPG
PDF
PNG
xls
xlsx
Note the following accepted file types that can be uploaded as scans:
Â
From the Add Finding menu, users can scroll down to the Files section and with the Add File button, upload files.
Note the upload widget below:
Uploaded files will then be added to the files list.
Examples
Dynamic Finding
Required Fields
Severity
Parameter
CWE or Summary
URL
Dynamic findings will only merge with other findings whose parameter, CWE and URL match. Note that a dynamic finding can have both static and dynamic information.Â
Static Finding
Required Fields
Severity
Parameter
CWE or Summary
Source and Sink information
Static findings will only merge with other findings whose parameter, CWE, and source and sink information (file path and line number) match. Note that a static finding can have both static and dynamic information.
Dependency Finding
Required Fields
Severity
CWE or Summary (though summary is more common for dependency findings)
Library
Issue type
Reference
Dependency findings will only merge with other findings whose library, version number, and reference match (for dependency findings the CWE/summary and parameter are not required to match to merge with another finding).
Active Pen Test
After a finding is submitted to the Pen Test Team, it is listed under New Pen Test Findings’ where members of the team can edit and delete the finding.
Deleting an Assessment After Creating a Pen Test
Once a Pen Test has been started and is active, users cannot delete assessments from that Pen Test scanner type or upload a ThreadFix file for that scanner type in that application until the active Pen Test has been submitted or deleted.
Once the Pen Test has been submitted, the option to delete assessments from the Assessments tab will be provided.
Submitting a Pen Test
After clicking Submit Pen Test, a modal will display to set the date and time of the assessment.
Note: Once a Pen Test is submitted, it can no longer be edited or deleted from the Pen Test Findings page, they will be treated as scan findings.
After Pen Test Submission
After the Pen Test is submitted the vulnerabilities will display with the rest of the application's vulnerabilities. If another Pen Test is created from the same Pen Test Team, the user will be prompted to review open Pen Tests created by that team.Â
Not Remediated
If the Not Remediated button is selected, the finding is moved to the Not Remediated Pen Test Findings section.
Remediated
If the Remediated button is selected, it can be changed to Not Remediated or reverted. Again if revert is selected the finding is sent back to its original state of needing review.
Note: Remediating the findings will remove the vulnerabilities that Pen Test added from the application.
Â
Table of Contents
- 1 You will learn
- 1.1 Prerequisites
- 2 Performing a Pen Test
- 2.1 Add Findings
- 2.1.1 Uploading Evidence to Pentest Findings
- 2.1.2 Examples
- 2.1.2.1 Dynamic Finding
- 2.1.2.1.1 Required Fields
- 2.1.2.2 Static Finding
- 2.1.2.2.1 Required Fields
- 2.1.2.3 Dependency Finding
- 2.1.2.3.1 Required Fields
- 2.1.2.1 Dynamic Finding
- 2.1 Add Findings
- 3 Active Pen Test
- 4 Submitting a Pen Test
- 5 After Pen Test Submission
- 5.1 Not Remediated
- 5.2 Remediated
- 6 Table of Contents
Â
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.