Snapshot Reports 3.X

Introduction

Reporting in ThreadFix provides the ability to view application vulnerability data from many different angles. There are several different report types, each with its own filter set. These filters include limiting the view of data by date range, merged vulnerabilities, and various other metrics that allow users to control the visualization of application vulnerability data. Reports can be exported in various formats, such as PDF, CSV and SSVL. This allows for easy sharing of vulnerability data amongst teams and stakeholders. The following is a breakdown of each report and the data it displays.

Snapshot

The Snapshot tab provides several useful tools for viewing specific aspects of applications and their vulnerability statuses. The drop-down menu displays a list of selectable report types.

The following provides a summary of each report type.

Point in Time Report

The Point in Time Report provides an intuitive display of a project's current state. Compare the ratio and severity of existing vulnerabilities using the top chart, and explore more in-depth information on each vulnerability with the expanding vulnerability tree below.

Progress by Vulnerability Report

The Progress by Vulnerability Report is an excellent tool for tracking a development team's response time to specific vulnerabilities. Here users can research the average age of vulnerability types as well as the average time to close each type. Comparing these metrics to industry performance can help teams target specific areas of concern.

The Average Age field shows how many days on average all open vulnerabilities of a particular type have been open. If no vulnerabilities of that type are currently open, the Average Age field will read 0.

The Average Time to Close shows how many days on average all closed vulnerabilities of a particular type were open prior to closing.
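The two metrics above are simple to recompute from an exported list of vulnerabilities, which is a useful way to sanity-check the report against your own data. The following is an added example written for this page, not ThreadFix code: it applies the definitions as stated (Average Age over open findings, 0 when none are open; Average Time to Close over closed findings) to a constructed CSV sample. The column names and the choice to report 0 for a type with no closed findings are assumptions of the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample in the shape of a per-vulnerability CSV export.
# The column names are an assumption for this example, not ThreadFix's export schema.
SAMPLE_CSV = """vulnerability_type,open_date,close_date
Cross-Site Scripting,2024-06-01,
Cross-Site Scripting,2024-06-10,
Cross-Site Scripting,2024-05-01,2024-05-21
SQL Injection,2024-04-01,2024-04-11
SQL Injection,2024-04-05,2024-05-05
Path Traversal,2024-06-25,
"""

# The "current" date the report is computed for; fixed so the example is reproducible.
AS_OF = date(2024, 6, 30)


def load_rows(csv_text):
    """Parse the export into dicts; an empty close_date means the finding is still open."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def progress_by_vulnerability(rows, as_of):
    """Return per-type metrics following the report's definitions.

    average_age           mean days open, over findings still open (0 if none are open)
    average_time_to_close mean days from open to close, over closed findings
                          (0 if none have been closed; an assumption, the page only
                          spells out the empty case for Average Age)
    """
    open_ages = defaultdict(list)
    close_times = defaultdict(list)
    for row in rows:
        vtype = row["vulnerability_type"]
        opened = date.fromisoformat(row["open_date"])
        if row["close_date"]:
            closed = date.fromisoformat(row["close_date"])
            if closed < opened:
                raise ValueError(f"close_date precedes open_date for {vtype}")
            close_times[vtype].append((closed - opened).days)
        else:
            open_ages[vtype].append((as_of - opened).days)

    report = {}
    for vtype in sorted(set(open_ages) | set(close_times)):
        report[vtype] = {
            "open_count": len(open_ages[vtype]),
            "average_age": mean(open_ages[vtype]) if open_ages[vtype] else 0,
            "closed_count": len(close_times[vtype]),
            "average_time_to_close": mean(close_times[vtype]) if close_times[vtype] else 0,
        }
    return report


if __name__ == "__main__":
    for vtype, m in progress_by_vulnerability(load_rows(SAMPLE_CSV), AS_OF).items():
        print(f"{vtype:22} open={m['open_count']} avg_age={m['average_age']:.1f}d "
              f"closed={m['closed_count']} avg_close={m['average_time_to_close']:.1f}d")
```

With the sample data, Cross-Site Scripting has two open findings aged 29 and 20 days (Average Age 24.5) and one closed in 20 days; SQL Injection has nothing open, so its Average Age reads 0 even though its Average Time to Close is 20 days. Note that Average Age depends on the date the report is run, whereas Average Time to Close does not, so the two columns should not be compared directly.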

Most Vulnerable Applications

The Most Vulnerable Applications Report brings the applications with the most issues to the forefront. This report provides the application's vulnerability composition to aid in the development of remediation strategies.

OWASP Top 10

The OWASP Top 10 Report highlights application vulnerabilities that coincide with the ten highest web security threats as designated by the Open Web Application Security Project (OWASP). The expandable tree allows for further exploration of these vulnerabilities.

Portfolio Report


The Portfolio Report displays information on how current the imported scans are for each application in the portfolio. This report can help target specific applications for follow-up scans in order to stay up-to-date on each application's vulnerability status.

DISA STIG Report

The DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guide) report displays information on an application's compliance with DISA's Application Security and Development STIG requirements. This report can help users plan and execute remediation strategies in order to maintain compliance with governmental application security standards. Users can filter this report by Teams, Applications, Application Tags, Severity, and Analysis Type. ThreadFix can export this report as a CSV, PDF, or SSVL document.

For more information on STIG, view the Defense Information Systems Agency site.

Scan Comparison Summary

The Scan Comparison Summary report gives a side-by-side look at how each scanner is performing, showing the number and percentage of total vulnerabilities found, the number and percentage of total false positives discovered among them, how many HAM (Hybrid Analysis Mapping) endpoints were found per scanner, and the percentage of the total that represents.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.