ThreadFix 3.X Application Security Features Overview

Owned by Daniel Colon
Last updated: Jan 27, 2023Version comment
16 min read

You will learn

An overview for some of the new features and capabilities of ThreadFix 3.X’s application security features.

Prerequisites

Audience: IT Professional, or End User
Difficulty: Basic
Time needed: Approximately 15 minutes
Tools required: Sample scan file w3af-demo-site.xml (optional)

This section is a simple demo that walks through the basic ThreadFix setup and functionality after having set up ThreadFix per the Installation Guides and starting Tomcat.

Accessing the Login Page

  1. After launching Tomcat for the first time following ThreadFix deployment, ThreadFix will connect to the organization’s database server and populate the schema. This can take several minutes; the progress can be monitored via the <threadfix_deploy>/logs/threadfix.log file.

  2. Locate a "Finished updating Enterprise Tags" entry to signal the deployment is complete. Access the login page to verify.

Example deployment URL

If the ThreadFix artifact was deployed in the <catalina_home>/webapps/threadfix directory, the ThreadFix URL, by default, would be the user’s Tomcat URL plus "/threadfix" at the end. For instance, If the user is connected to Tomcat at http://my.tomcat.server:8080, the user’s ThreadFix URL would be http://my.tomcat.server:8080/threadfix.

If the login prompt does not render correctly in Internet Explorer, ensure that Compatibility View is disabled. Users may need to disable the "Display intranet sites in Compatibility View" setting.

Logging In

Log in with the following default credentials:

  • Username: user

  • Password: password

After logging in for the first time, change the default user's username and password or create a new local admin user and delete the default.

Application Usage

Dashboard

After logging in, users are presented with the Dashboard. To be able to upload a scan, the user needs to create at least one team and at least one application within that team. Note a Dashboard populated with scan data below:

Portfolio

The Portfolio page hosts a directory of created Teams and Applications. The Portfolio page offers a drop-down menu allowing users to sort the page by Applications or Teams. Teams can be created from the Portfolio page as noted with the Add Team button below.

The example below shows the page sorted by Teams.

Users can also add applications to created teams from within this page.

New Application modal dialog allows the user to fill it in order to create the application.

Note the created application below is added to the previously created team.

The example below shows the page sorted by Applications.

Upload Scan

Whether the page is sorted by Teams or Applications, users are able to upload scans from this page by expanding a desired application and utilizing the Upload Scan button. Users can either drag and drop a scan file into the Upload Scans modal or click Browse to navigate to the file. A sample scan file, w3af-demo-site.xml, has been provided.

Alternately, clicking on the application name redirects to its Application Details page where users can either drag and drop a scan file into it or click the Action button and select the Upload Scan option as shown below.

Multiple Scan Upload

Users can upload more than one scan file at a time into ThreadFix by dragging them into the Application Details page or the Upload Scan dialog. ThreadFix will ask the user to choose between uploading them as a single scan (combining all of the scans' findings into a single scan) or as multiple scans. Note the example use cases for each option below:

  • Single scan: If an application was scanned in parts (e.g., microservices) by the same scanning tool, the user can upload all of the scans encompassing the entire application as a single scan. Note that all subsequent uploads will need to include the newest available scan for all of the parts, whether they've all been re-scanned or not.

  • Multiple scans: If a single application was scanned by more than one scanning tool, the user can upload all of the scans as multiple scans, which will result in ThreadFix aggregating and/or merging the findings from all of the scans.

Scan Queue

The uploaded scan will be put into a queue. Check its progress from the Application Details page by clicking on the application. A banner at the top will indicate that changes are pending. Clicking the banner will expand it to show the scan upload being executed. When complete, the banner at the top will indicate as such. Clicking the banner to refresh the page which will show the result of the uploaded scan.

Note: As of version 3.3 scans retained within the scan file retention policy settings can be downloaded using the Download Scan button. Note the user must have the Download Scans permission enabled.

 

Scans

The Scans page offers a quick view of uploaded scans and pertinent details included the associated application, team, scanner and more. The view scan link redirects to the scan findings for the application, showing Scan Details, Mapped and Unmapped Findings. Scans can also be exported or deleted from the particular scan’s details page.

Note: As of version 3.3 scans retained within the scan file retention policy settings can be downloaded using the Download Scan button. Note the user must have the Download Scans permission enabled.

 

Clicking the Scan Details expander reveals metadata for the findings.

Clicking on the expander for a particular finding displays more details as well as the ability to view further information by clicking View Finding. This redirects to the Finding Details allowing the user to view even more vulnerability information or merge with other findings.


Analytics

The Analytics page provides the ability to view a multitude of report types. These reports can be filtered by several different parameters.

The page is divided into several tabs, each hosting a different type of report:

  • Trending - The Trending Report displays how the number and composition of vulnerabilities for an application have changed over time. Filters can be applied to narrow the focus to a specific application if desired.

  • Snapshot - The Snapshot tab provides several selectable report types for viewing specific aspects of applications and their vulnerability statuses. The drop-down menu displays list of selectable report types including: Point in Time, Progress By Vulnerability, Most Vulnerable Applications, OWASPS Top 10, Portfolio, DISA STIG, and Scan Comparison Summary.

  • Remediation - The Remediation Report provides details of an applications' vulnerability state, progress of a team's remediation efforts, and a table showing starting and ending vulnerability counts.

  • Vulnerability Search - Vulnerability Search allows users to filter and explore specific vulnerabilities and view details for the origin of the vulnerabilities, the scanner which detected them, criticality, and more.

  • Hotspot - The Hotspot tab displays summaries of shared static vulnerabilities analyzed across applications for any overlapping vulnerabilities.

 

Integrations

ThreadFix integrates with remote providers, defect trackers, Governance, Risk and Compliance (GRC) tools, as well as displaying scan agent tasks. The Integrations sub-menu can be accessed from the Navigation side bar by clicking on Applications and selecting the Integrations sub-menu.

Remote Providers

Remote Providers are an interface that ThreadFix uses to import scans from SaaS platforms. From the Remote Providers page, users can create providers, schedule import times/dates, and schedule synchronizations.

 

Defect Trackers

From the Defect Trackers page, ThreadFix enables the user to package vulnerabilities and push them to developers in the remediation tools and systems they are already using. Users can create defect trackers from the Defect Trackers tab as well as edit or delete trackers.

The Show Default Profiles button allows users to view profile details as seen below.

The Scheduled Update tab allows users to set a scheduled time and date for defect trackers to update.

GRC Tools

The GRC Tools page allows users to create Governance, Risk, and Compliance (GRC) tools for integration. Note: ThreadFix currently only supports ServiceNow.

The Scheduled Update tab allows users to set a scheduled time and date for the GRC Tool to update.

 

 

Scan Agent Tasks

Scan Agents Tasks allow ThreadFix to interact with scanners and applications not on the same network as itself.

 

Customize

The Customize menu contains several pages providing ThreadFix users the ability to customize ThreadFix Vulnerability Types, Scanner Vulnerability Types, ThreadFix Severities, Scanner Severities, Metadata Keys, Tags, Policies, and Filters.

Customize ThreadFix Vulnerability Types

Users can configure severities for CWE types and configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.

Severity Mappings

Severity Mappings tab in ThreadFix gives the administrator the ability to remap vulnerabilities to standard CWE types.

Custom Text

ThreadFix provides users the ability to configure severities for CWE types. Users can also configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.

Scanner Vulnerability Types

Users can configure severities for any scanner vulnerability type. Severity Mappings for different scanner vulnerability types allow ThreadFix administrators to customize their installation by remapping the severity of scanner vulnerabilities.

Severity Mappings

Severity Mappings for different scanner vulnerability types allow the ThreadFix administrator to customize their installation by remapping the severity of scanner vulnerabilities.

CWE Mappings

CWE Mappings allows users with Manage Vulnerability Types permission to manually map scanner vulnerability types.

The following example displays a scan with unmapped vulnerabilities.

 

Unmapped vulnerabilities can be mapped via the Create Mapping modal.

Once mapped they will appear under the Custom Scanner Vulnerability Type Mappings where its can be remapped if necessary and its mapping history can be viewed.

Deny List/Allow List

On a per-scanner basis, users can exclude specific scanner vulnerabilities (Deny List) or limit which scanner vulnerabilities are allowed (Allow List) when ingesting scans. Within the Deny List/Allow List tab, users can expand a desired scanner and toggle select either Deny List Mode or Allow List Mode to the add with the respective button.

ThreadFix Severities

ThreadFix provides the ability to rename its five default severities (Info, Low, Medium, High, and Critical,) as well as the ability to toggle the display of severities on and off.

Custom Names

From the Custom Names tab severities can be renamed; the example below uses a numeric rating scale for severities.

Show and Hide

The Show and Hide tab contains controls that allow users to choose whether to display specific severities or not. Clicking the Enable checkbox at the top of the page activates the Show|Hide buttons. The default is to show all severities. The example below shows the Severity of 1 set to Hide.

 

Scanner Severities

ThreadFix has a set of predefined mappings from scanner severities to ThreadFix severities. Users can edit any ThreadFix severity mapping on the Customize Scanner Severities page.

ThreadFix Severity Mappings

After opening the predefined mapping for a chosen scanner, in this example, Fortify SCA was chosen (note its Generic Severity level), select the Generic Severity from the drop-down menus to map to its associated Scanner Severity. In the example below the administrator has remapped Fortify SCA’s Code Quality severity from a ThreadFix High level to a ThreadFix Info level.

Exclude Severities

In addition to remapping scanner severities, users can exclude them from being processed at all, to save resources. E.g., If a user does not want Low nor Note findings from Contrast to be saved into the ThreadFix database and processed, exclude them, as shown below. In the following example, Low and Note finding data from Contrast will not be added to the ThreadFix database.

Suppress Scanner Results

From the Suppress Scanner Results tab users can choose to create rules that suppress certain scanner results. This differs from exclusions, shown above, in that the findings are ingested & processed by ThreadFix, but they're simply not shown nor counted.

When creating a new result filter, the user selects the scanner type and severity. Once created, it is added to the list of created rules.

 

Through this tab, additional rules can be created and existing rules can be edited or deleted.

Metadata Keys

Within the Metadata Keys page, users can create scan and application metadata keys for applications. The created key(s) will be displayed under the appropriate category. Keys can also be edited or disabled.

Keys that have been disabled are hidden from view automatically. To view a disable key, click the Show Disabled checkbox. Note the images below respectively.

 

Tags

ThreadFix provides the ability to "tag" applications, vulnerabilities, and comments to provide another method of manipulating the application vulnerability data viewed. These can segregate applications with regulatory compliance demands in the medical or payment-processing spheres from the rest of the organization’s application portfolio. Custom tags can also be created, organizing applications, vulnerabilities and comments according to a desired schema.

Tags are separated into three categories when being created: Application Tags, Vulnerability Tags, and Vulnerability Comment Tags.

When creating a new tag, users can select whether it is intended to be an Application, Vulnerability, or Vulnerability Comment Tag.

Application Tags

Tags can be added to an application from its Application Details page.

Within the Edit Application modal users can add the desired tags.

The added tag will now display on the application and on the Tags page respectively.

 


Vulnerability Tags

The process for creating a vulnerability tag via the Create New Tag modal is the same as for an application tag, as previously discussed above. However, a tag can be attached to a vulnerability in an application, within a vulnerability’s details page. From the vulnerability’s details page the Action drop-down menu offers a Manage Tags option.

Once the desired tag has been selected and added, it will display within the vulnerabilities' details. Through the same process additional tags can be added or deleted.

Vulnerability Comment Tags

Vulnerability Comment Tags allow users to filter comments by sorting criteria. Users can sort tagged comments by author, type of vulnerability, feature commented upon, and more. Users create vulnerability comment tags in the same manner as the other two tag types through the Create New Tag modal.

From an application, a vulnerability can be selected to view basic details, including a comment button (highlighted below) which displays a Comments section for the vulnerability. The example below displays an added comment. Clicking the Add Comment button allows for the addition of more comments.

Policies

The Policies page allows for the creation and application of Policies, Defect Reporters, and Time to Remediate Policies through their respective tabs.

Filter Policies

ThreadFix provides users the means to create a new filter policy and apply it to a team, application, and tag.

Through a New Policy modal, users can create a policy by naming it and selecting an available filter from the Filters drop-down.

Once a policy filter is created the user can expand the policy to apply it to a team, application, and/or tag by making use of the Applications, Teams, and Tags entry fields along with their respective buttons.

In the example below note the created Filter “Document Example Filter” and that two applications have been added to the policy along with a team. If desired a tag can also be added at any time.

Optionally, an Email Notification List can be created for the policy by clicking the Add Emails button. A pop-up will appear with an entry field for email addresses to be added and a drop-down list allowing selection of existing email lists.

Pass Criteria

Pass Criteria allows users to evaluate applications based on the amount of vulnerabilities a severity has, or the amount of vulnerabilities for a severity introduced since a point in time.

Users can create a new Pass Criteria Group by utilizing the respective button. From the associated modal, a name is added and criteria is selected.

Once created it is added to the Pass Criteria list as seen below.

Criteria and applications can be mapped together with the Manage Applications button. From the Manage Applications modal, a desired application’s name can be entered and added in order to be mapped.

Once mapped, the application modal will display it under the Currently Mapped Applications list as well as the Pass Criteria tab as seen below respectively. It can be removed from here if necessary or more applications can be added.

Defect Reporter

The Defect Reporter tab allows users to create criteria for new vulnerabilities found during a scan import. When a new vulnerability is found during the import matching the specified criteria, ThreadFix automatically submits defects for it.

 

An application can be mapped to a Defect Tracker as well with the Applications button above. This displays a Manage Application Defect Trackers modal which allows an application to be searched for and added. Once added it will appear on the list of mapped applications for the defect tracker.

Note the application mapped below.

Time To Remediate Policies

As of 3.1 Time to Remediate Date policy creation has been disabled, this feature will be reinstated.

Time to Remediate Policies allow users to set time frames that vulnerabilities need to be remediated by, based on severity.

To create a Time to Remediate policy, the Create Policy button brings up a New Time to Remediate Policy modal. In the modal users can enter the name and number of days allotted for a vulnerability to be remediated based on severity. Not all severities require a time frame set, so if no time to remediate setting is desired for a specific severity it can be left blank.

The Time to Remediate Policy will be created, displayed, and Notification and email options become available. Policies can be applied to any application, team, or tag. Created polices can also be edited or removed and email notifications can be turned on/off from this tab. To select what to apply the policy to, use the input fields shown below to enter the name of the desired application, team, or tag.

Optionally, an Email Notification List can be created for the policy with the Add Emails button. A pop-up will appear with an entry field for email addresses to be added and a drop-down list allowing selection of existing email lists. Below is a sample Time to Remediate Policy status change email notification.

Filters

Users can define and save custom filters that can be utilized in a workflow.

As an example, note the many available options and details available when creating filters found under the Vulnerability Detail section.

 

Filters can be applied to an application in an application’s details page under the Load Filters tab to the right of the vulnerability tree. Loaded filters can be copied, deleted, and/or cleared as well.

Table of Contents

 

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.