Per-Application and Per-Team Customization 3.0

You will learn

How to customize what levels of vulnerabilities and severities are displayed per Application and/or per Team.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 30 minutes
Tools required: N/A

Per-Application and Per-Team Customization

ThreadFix users can customize Vulnerability Types and Severities; however, those controls are global. ThreadFix also offers another entry point to the customization process, giving administrators fine-grained control over the display of vulnerabilities and severities at the Application and Team levels.

Per-Application Customization

  1. To begin vulnerability and severity customization at the application level, click on the Portfolio page from the Navigation sidebar. This displays an index of applications.


    Note the Portfolio page can be set to either display Applications or Teams by utilizing the Applications/Teams drop-down list on the upper right corner of the screen. For Per-Application Customization, the page must be set to Applications.

  2. Click on one of the applications to display its details page. Then click on the upper Action drop-down button and select Customize ThreadFix Vulnerability Types from the list.

     

  3. This will display the customization page for the application. On this page there are three tabs: Application, Team, and Global. The Application tab is open by default.

     

  4. Note at the top of this page there are no application-level mappings yet. To create a new mapping, click the Create New Mapping button. This will display a modal dialog. Begin typing the CWE number or description. A drop-down list will populate with entries that contain the CWE number or text. Select the vulnerability to remap.

     

  5. Select the desired severity from the Target Severity Type drop-down list for the mapping. The following example shows mapping the vulnerability to Critical. Click the Save Mapping button.

    Setting the severity to Ignore will cause all vulnerabilities with the selected CWE to have a status of Hidden; they will not be included in the vulnerability count. These can still be viewed in a vulnerabilities tree by expanding the Field Controls filter and checking the Hidden box within the Status section.

     

  6. ThreadFix will add the new application-level mapping to the display list.

     

  7. To undo this change or delete the mapping created above, click the Edit/Delete button to display an edit menu. To delete, click the Delete button from the Edit/Delete menu.

Per-Application Severity Display

At the bottom of the page is an area allowing the user to either show or hide vulnerabilities of a given severity by toggling its visibility.

  1. Click the Enable checkbox to turn toggling on for the application.

  2. Toggle the Show | Hide state to choose the severity types that should not be displayed to anyone working with this application.

     

  3. Click the Save Changes button. ThreadFix will display a success message and the toggled vulnerability options. In this example, Info level vulnerabilities have been toggled to Hide in the scope of this application.

     

  4. Returning to the details page, note that the vulnerability tree no longer contains Info-level vulnerabilities.

Per-Team Customization

  1. To begin vulnerability and severity customization at the team level, click the Portfolio page from the Navigation sidebar, and click on the desired Team.


    Note the Portfolio page can be set to either display Applications or Teams by utilizing the Applications/Teams drop-down list on the upper right corner of the screen. For Per-Team Customization, the page must be set to Teams.

     

  2. From the desired Team details page, click on the Action drop-down button to reveal a list of options. Select Customize ThreadFix Vulnerability Types and Severities.

     

  3. From the Customize Vulnerability Types Team page, click the Create New Mapping button. This will display a modal dialog. Fill in the vulnerability to remap by typing in the CWE number or part of its description.

     

  4. Select the new severity type, and click the Save Mapping button.

    Setting the severity to Ignore will cause all vulnerabilities with the selected CWE to have a status of Hidden; they will in turn not be included in the vulnerability count. View these in a vulnerabilities tree by expanding the Field Controls filter and checking the Hidden box within the Status section.

     

  5. A success message and the new Team-specific mapping will display.

     

  6. To undo this change, delete the mapping created above by clicking the Edit/Delete button and then clicking the red Delete button.

Per-Team Severity Display

  1. The process for customizing the display of severities for teams is the same as for applications. Enable the severity toggle by clicking the Enable checkbox, then select the severity or severities the user does not want displayed to this team. Click the Save Changes button. A success message and the toggled severities will be displayed.

    In the example below, both Low and Info level vulnerabilities have been set to hidden.

     

  2. Returning to the details page of one of the team's applications, note that no Info- or Low-level vulnerabilities are visible. This applies to all applications assigned to this team.
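The effect of the application-level and team-level settings described above (CWE remapping, the Ignore severity producing a Hidden status that is excluded from the count, and the Show | Hide severity toggles) is modelled in the following added example. This is not ThreadFix code; the precedence of Application over Team over Global mappings, the union of Application and Team toggles, and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    cwe: int
    severity: str         # severity reported by the scanner
    status: str = "Open"  # becomes "Hidden" when the CWE is mapped to Ignore

@dataclass
class Scope:
    """Customization for one Application, one Team, or the Global level."""
    mappings: dict = field(default_factory=dict)         # CWE -> severity or "Ignore"
    toggle_enabled: bool = False                          # the Enable checkbox
    hidden_severities: set = field(default_factory=set)  # severities toggled to Hide

def effective_severity(finding, app, team, glob):
    # Assumption: an Application mapping wins over a Team mapping, which wins over Global.
    for scope in (app, team, glob):
        if finding.cwe in scope.mappings:
            return scope.mappings[finding.cwe]
    return finding.severity

def apply_mappings(findings, app, team, glob):
    """Return new Finding objects with remapped severity and Hidden status applied."""
    out = []
    for f in findings:
        sev = effective_severity(f, app, team, glob)
        if sev == "Ignore":
            out.append(Finding(f.cwe, f.severity, "Hidden"))  # Ignore => Hidden status
        else:
            out.append(Finding(f.cwe, sev, f.status))
    return out

def vulnerability_count(findings, app, team, glob):
    """Hidden findings are excluded from the count; toggled severities are not (assumption)."""
    return sum(1 for f in apply_mappings(findings, app, team, glob) if f.status != "Hidden")

def vulnerability_tree(findings, app, team, glob, show_hidden=False):
    """Entries shown in the tree; show_hidden mirrors the Hidden box under Field Controls."""
    hidden_sev = set()
    for scope in (app, team):  # assumption: Team and Application toggles both apply
        if scope.toggle_enabled:
            hidden_sev |= scope.hidden_severities
    tree = []
    for f in apply_mappings(findings, app, team, glob):
        if (f.status == "Hidden" and not show_hidden) or f.severity in hidden_sev:
            continue
        tree.append((f.cwe, f.severity, f.status))
    return tree

# Constructed sample: four scanner findings for one application in one team
SAMPLE = [Finding(79, "Medium"), Finding(89, "High"), Finding(200, "Info"), Finding(22, "Low")]
APP = Scope(mappings={79: "Critical"}, toggle_enabled=True, hidden_severities={"Info"})
TEAM = Scope(mappings={200: "Ignore"}, toggle_enabled=True, hidden_severities={"Low"})
GLOBAL = Scope()
```

Note that a Hidden finding whose original severity is also toggled to Hide stays out of the tree even with the Hidden box checked, so checking the count rather than the tree is the reliable way to confirm what Ignore has removed.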

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.