System Settings 3.X

You will learn

About the various system settings, configuration options and default settings available for many ThreadFix administrative functions.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 30 minutes
Tools required: N/A

ThreadFix’s System Settings can be accessed by clicking on Global from the Navigation sidebar, clicking Administration and selecting System Settings.

Login Settings Tab

To configure per-team and per-application permissions for an LDAP or SAML user prior to their first login, create a ThreadFix user corresponding with their LDAP or SAML username and add them to the desired group(s) and/or role(s).

On a user’s first login, they are assigned to any ThreadFix Groups associated with their LDAP group. A user’s access permissions are based on their assigned ThreadFix Group; users removed from a Group lose the permissions that Group granted.

Default LDAP/SAML Role

When LDAP or SAML users log in, ThreadFix can assign them a default role. If a role is not selected from the available list of roles here, the user will be unable to access any data in ThreadFix. See the image highlighted below.

LDAP Settings

  1. For LDAP authentication, click the Create New LDAP Server button.

  2. Fill in the Name, URL, Search Base, User Display Name and Password fields, then click the Create LDAP Server button to connect to the LDAP (Microsoft Active Directory) server.

  3. Use Active Directory Overrides to integrate with non-AD LDAP services. Specify the Login, Users, Groups and User's Groups filters so that each returns the corresponding value(s). Multiple LDAP integrations can be created as needed.

Examples of Active Directory Overrides

  • Login Filter: Override filter to get the account of the person logging in. (uid={0})

  • Users Filter: Override filter to get the list of users in the directory. (objectClass=User)

  • Groups Filter: Override filter to get the list of groups in the directory. (&(objectClass=group)(cn={0}))

  • User's Groups Filter: Override filter to get the list of groups for a user. (&(memberUid={0})(objectClass=posixGroup))

LDAPS Support

ThreadFix supports LDAPS connections to an LDAP server. Begin the URL with ldaps:// and use port 636 (or whichever port the server uses for LDAPS connections).

Example URL: ldaps://my.ldap.server:636/

Note: The LDAP server’s certificate may need to be imported into the trust store. For more information on this see: Adding Custom Root Certificates to AppSec Container.
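The override filters above take the login name in place of the {0} placeholder, and the LDAPS section asks for an ldaps:// URL. The following is an added example, not ThreadFix's own code: it shows what a safe substitution of a user-supplied login name into those filter templates looks like (RFC 4515 escaping of the characters that would otherwise change the filter's structure) and a check that a server URL actually uses the ldaps scheme and which port it resolves to. The filter strings are the ones from this page; the function names and the sample login names are this example's own assumptions.

```python
"""Added example: substitute a login name into ThreadFix-style LDAP override
filters with RFC 4515 escaping, and sanity-check an LDAPS server URL.

Not ThreadFix code; how ThreadFix substitutes {0} internally is not stated on
the page. Filter templates are the ones documented for Active Directory
Overrides; usernames below are constructed sample input.
"""
from urllib.parse import urlparse

# Override filter templates from the page; {0} marks where the login name goes.
LOGIN_FILTER = "(uid={0})"
USERS_FILTER = "(objectClass=User)"
GROUPS_FILTER = "(&(objectClass=group)(cn={0}))"
USER_GROUPS_FILTER = "(&(memberUid={0})(objectClass=posixGroup))"

# RFC 4515 section 3: these characters must be escaped inside an assertion value,
# otherwise a value could close the current clause and open new ones.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, login_name: str) -> str:
    """Replace the {0} placeholder with the escaped login name."""
    if "{0}" not in template:
        raise ValueError("override filter must contain the {0} placeholder")
    return template.replace("{0}", escape_filter_value(login_name))

def is_ldaps_url(url: str) -> bool:
    """True when the URL uses the ldaps scheme with a host, e.g. ldaps://my.ldap.server:636/."""
    parsed = urlparse(url)
    return parsed.scheme == "ldaps" and bool(parsed.hostname)

def ldaps_port(url: str) -> int:
    """Port the URL will connect to; 636 is the LDAPS default when none is given."""
    return urlparse(url).port or 636

if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_filter(LOGIN_FILTER, "jdoe"))
    # A value containing filter metacharacters is escaped, not interpreted.
    print(render_filter(LOGIN_FILTER, "*)(uid=*"))
    print(render_filter(USER_GROUPS_FILTER, "jdoe"))
    print(is_ldaps_url("ldaps://my.ldap.server:636/"), ldaps_port("ldaps://my.ldap.server/"))
```

The escaping matters because the login filter is evaluated with whatever name the user typed at the login prompt; escaping keeps that name a single assertion value regardless of its contents.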

SAML Settings

Stand Alone Authentication Type Configuration

To establish SAML Settings with Stand Alone Authentication Type Configuration in ThreadFix:

  1. Click the ThreadFix Metadata button to generate an XML file usable to configure SAML to work with ThreadFix.

  2. Enter the IDP Metadata URL from the SAML IDP. See the image highlighted below:

  3. Click the Download Metadata button. ThreadFix connects to the IDP and, after at least one character is typed, offers a menu of User Display Name options; the selected option determines how the user's name appears in the page header after logging into ThreadFix via the SAML IDP.

  4. Enter an Entity ID and Service ID, both are required:

    • The Entity ID is the ID of the user's service provider, ThreadFix. The value can be any unique identifier, for example https://<threadfix-host>/saml/metadata, replacing <threadfix-host> with the name of the ThreadFix host machine. If the user's SAML identity provider assigns this value to service providers, use the assigned value instead.

    • The Service ID is the endpoint where the Identity Provider will send the SAML Assertion. This should be https://<threadfix-host>/saml/sso, replacing <threadfix-host> with the name of the ThreadFix host machine.

  5. The ReGenerate TLS Certs button is available if a user needs to change the certificates ThreadFix uses when making SAML requests to the configured identity provider.

LDAP-Linked SAML Authentication Type Configuration

Threadfix 3.3 provides users the ability to log in using SAML while managing their permissions with a linked LDAP server. To configure SAML settings with LDAP-linked Authentication Type Configuration:

  1. Configure the IdP used for SAML SSO to delegate authentication to an LDAP server of choice. Consult the IdP's documentation to verify this is currently supported and for configuration instructions. Note: A user's LDAP username must be mapped to the NameID or an additional attribute in the SAML response.

  2. Enter the IDP Metadata URL from the SAML IDP. See the image highlighted below:

  3. Enter an Entity ID and Service ID, both are required:

    • The Entity ID is the ID of the user's service provider, ThreadFix. The value can be any unique identifier, for example https://<threadfix-host>/saml/metadata, replacing <threadfix-host> with the name of the ThreadFix host machine. If the user's SAML identity provider assigns this value to service providers, use the assigned value instead.

    • The Service ID is the endpoint where the Identity Provider will send the SAML Assertion. This should be https://<threadfix-host>/saml/sso, replacing <threadfix-host> with the name of the ThreadFix host machine.

  4. The ReGenerate TLS Certs button is available if a user needs to change the certificates ThreadFix uses when making SAML requests to the configured identity provider.

  5. Once the IdP is configured for LDAP delegated authentication, navigate to the System Settings page in ThreadFix. If the LDAP server used for authentication isn't already configured, create a new LDAP server for it under LDAP Settings.

  6. Open the SAML Settings and select "LDAP" in the Authentication Type dropdown menu.

  7. Complete the LDAP linked SSO setup by filling in the remaining required fields and saving these changes.

Default Login Tab

It’s possible to specify the default login tab that's enabled when navigating to the ThreadFix login page: Local, LDAP, or SAML (the latter two only appear when their respective settings are configured). See image highlighted below:

Session Timeout

Users can adjust how long, in minutes, a session remains valid before it times out.

Limit Login Records

Specify how many login records ThreadFix keeps, or select the 'Unlimited' checkbox to keep all of them. See image highlighted below:

Report Settings Tab

Dashboard Settings

ThreadFix provides configuration settings for report placement on the Dashboard. The administrator can change the layout of report graphs, recent uploads and recent comments on vulnerabilities. Customize these reports by using saved filters (e.g., create a filter for critical and high severity vulnerabilities and select it for the Most Vulnerable Applications report). Another option is choosing to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them.

A default Dashboard can be seen below:

A customized Dashboard can be seen below:

Application Detail Page Settings

ThreadFix provides configuration settings for report placement on the Application Details page. If desired, choose to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them.

Team Detail Page Settings

ThreadFix provides configuration settings for report placement on the Team Detail page. If desired, choose to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them.

Shared Vulnerability Schedule

The Shared Vulnerability Schedule feature allows a user to select a time to calculate the Shared Vulnerability report in the Hotspot section of the Analytics page. This patented calculation analyzes data flows from static results across all applications within ThreadFix to find areas of overlap that indicate a likelihood of shared vulnerable source code. Because this feature has very large memory and processing requirements, users interested in the Shared Vulnerability Schedule should contact ThreadFix Support for recommendations when large sets of vulnerabilities exist within their instance.

  1. Checking the Enable Schedule Update box allows users to set a customized updating schedule.

  2. Once checked, a default frequency and update time will display. To change from the default schedule, click the Modify Schedule button.

  3. Within the Schedule Shared Vulnerability Updating modal, set the desired Scheduling Method, Frequency, Time, and Time zone (Time zone option as of 3.0.8). Click the Submit button.

  4. The modified schedule will now display.

Report Cache

As of 3.3 the ability to configure the timing on report caching has been implemented. From the Report Settings tab, users can adjust the timing between report refreshes.

Scanner Settings Tab

Available Scanners

The order in this table defines Scanner Priority, which is used to display Vulnerability information found by more than one Scanner.

Allow Import

Imports from any scanner type can be blocked by selecting it in the left column and toggling Allow Import to No.

Create a New Scanner

  1. ThreadFix offers the ability to create a new scanner. Click on Global from the Navigation sidebar, then click on Administration to access the System Settings page.

  2. From within the Scanner Settings page, click the Create New Scanner button.

  3. Complete necessary details with the Name and Version fields being required. Click the Create Scanner button.

  4. After successfully being created, the pop-up modal will close and a banner will display indicating success.

  5. The new scanner will not immediately appear as allowed for import. After logging out and back into ThreadFix it will show as allowed, and a user may then upload a .threadfix scan file with the new scanner as the source.

Export Settings

Vulnerability Export Settings

This page provides a list of vulnerability data that ThreadFix can export. Drag and drop fields into the Columns to Export box to customize which fields are exported by default. If the Columns to Export box is left blank (the default), all fields are included in the export. If any changes are made, click the Save Changes button.

Other Settings

Proxy Settings

This defines an optional proxy for ThreadFix to use for its external integrations. This proxy is configurable for each service. For example, ThreadFix can be set to use the proxy when making requests to WhiteHat but not use the proxy for JIRA.

Enter the proxy’s Host name and Port. If the proxy requires authentication, select the Use Proxy Credentials checkbox and enter the Proxy Username and Password.

  • From the Remote Providers expandable section, users can toggle a Yes or No for any of the listed Remote Providers to include in the Proxy group.

  • The Defect Trackers expandable section provides a list of Defect Trackers that can be toggled to Yes or No to include in the Proxy group.

  • The GRC expandable section displays a Yes or No toggle for the available GRC to include in the Proxy group.

Any selections or changes made must be saved with the Save Changes button.

Email Settings

E-mail configuration is set via the UI or REST API, with credentials being encrypted and stored in the database.
API config: Configure Email Settings - API

The following fields correspond with the previously-used settings in the email.properties file:

  • Email Host = mail.host

  • Email Port = mail.port

  • Email Sender = mail.smtp.from

  • Email User = mail.username

  • Email Password = mail.password

  • Enable TLS = mail.smtp.starttls.enable

  • SMTP Authorization = mail.smtp.auth

  • Email Filter = custom.filters

License Information

Information about the ThreadFix license, including the number of applications the license allows, how many of those applications have been used, and the license expiration date. When a license expiration date is approaching, a warning will display on the dashboard and will also be logged when the user logs in.

ThreadFix Base URL

This field is used to construct absolute URLs for links included in emails or defect tracker descriptions. Because it depends on the server and network configuration, ThreadFix cannot determine it until a user connects, so it is kept in configuration. When null, this field is automatically populated on the first connection. If the deployment configuration later changes, ThreadFix alerts the user and requires a manual reconfiguration.

Enable Risk Ratings

This toggles the Risk Ratings feature, which allows viewing the portfolio of applications by their relative risk to the organization, helping prioritize testing and remediation on the riskiest applications first.

OAuth JIRA

Scan File Settings

As of version 3.3 ThreadFix allows for the creation of scan file retention policies.

Retain Scan Files

Selecting the Retain Scan Files checkbox enables retention for all scanners; otherwise, users can set a policy for each individual scanner.

Retention Policy

Per scanner type, users can create a policy specifying a scan file Retention Type (Days or Files) and subsequently the number of Days/Files to be retained (i.e., Keep files for x Days or Keep x File(s), respectively). Note: The user must have policy editing permission.

Days

At midnight each day, ThreadFix will delete files older than the number of days specified in this policy, even if they were already stored in the File Upload Location directory prior to setting this policy. Minimum value is 1 day.

Files

When uploading scans to an application, ThreadFix will delete all scans that exceed the number of files specified in this policy, on a per-application basis (not globally), even if they were already stored in the File Upload Location directory prior to setting this policy. This value can be set to 0 to keep ThreadFix from storing any files from the specified scanner.
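The Days and Files policies described above have two edge cases worth seeing in code: a Files policy applies per application rather than globally, and a count of 0 under Files is valid (keep nothing) while Days requires at least 1. The following is an added example, not ThreadFix's own implementation: it models both policy types over a constructed set of stored scan files and returns which files the policy would remove. The record and policy classes, their names, and the sample file paths are this example's assumptions; ThreadFix's internal data model is not described on the page.

```python
"""Added example: apply a Days or Files scan file retention policy.

Models the behaviour the page describes: Days deletes files older than N days
(minimum 1); Files keeps only the N most recent files per application, and
N = 0 keeps none. Not ThreadFix code; records and paths below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ScanFile:
    application: str
    scanner: str
    uploaded: datetime
    path: str  # location under the File Upload Location directory (constructed)

@dataclass(frozen=True)
class RetentionPolicy:
    scanner: str
    retention_type: str  # "Days" or "Files"
    count: int

    def __post_init__(self):
        if self.retention_type not in ("Days", "Files"):
            raise ValueError("retention_type must be 'Days' or 'Files'")
        # Days has a minimum of 1; Files may be 0 to store nothing for the scanner.
        minimum = 1 if self.retention_type == "Days" else 0
        if self.count < minimum:
            raise ValueError(f"{self.retention_type} policy requires count >= {minimum}")

def files_to_delete(files, policy, now):
    """Return the files the policy removes. Files from other scanners are untouched."""
    candidates = [f for f in files if f.scanner == policy.scanner]
    if policy.retention_type == "Days":
        # Nightly run: anything older than the cutoff goes, regardless of when stored.
        cutoff = now - timedelta(days=policy.count)
        return [f for f in candidates if f.uploaded < cutoff]
    # Files: evaluated per application, not across the whole instance.
    by_app = {}
    for f in candidates:
        by_app.setdefault(f.application, []).append(f)
    doomed = []
    for app_files in by_app.values():
        app_files.sort(key=lambda f: f.uploaded, reverse=True)  # newest first
        doomed.extend(app_files[policy.count:])  # everything past the N newest
    return doomed

# Constructed sample data: the midnight run on 2024-01-11 and five stored scan files.
NOW = datetime(2024, 1, 11, 0, 0)
SAMPLE_FILES = [
    ScanFile("Payroll", "ScannerA", NOW - timedelta(days=40), "/uploads/payroll-a-1.xml"),
    ScanFile("Payroll", "ScannerA", NOW - timedelta(days=10), "/uploads/payroll-a-2.xml"),
    ScanFile("Payroll", "ScannerA", NOW - timedelta(days=1), "/uploads/payroll-a-3.xml"),
    ScanFile("Portal", "ScannerA", NOW - timedelta(days=5), "/uploads/portal-a-1.xml"),
    ScanFile("Portal", "ScannerB", NOW - timedelta(days=90), "/uploads/portal-b-1.xml"),
]

if __name__ == "__main__":
    for policy in (RetentionPolicy("ScannerA", "Days", 30),
                   RetentionPolicy("ScannerA", "Files", 2),
                   RetentionPolicy("ScannerA", "Files", 0)):
        removed = [f.path for f in files_to_delete(SAMPLE_FILES, policy, NOW)]
        print(policy.retention_type, policy.count, "->", removed)
```

With the sample data, "Keep files for 30 Days" removes only the 40-day-old Payroll file, "Keep 2 Files" removes the oldest Payroll file but nothing from Portal (which has one file), and "Keep 0 Files" removes every ScannerA file while leaving the ScannerB file alone.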

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.