As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Remote Providers

You will learn

About Remote Providers, how to create new providers, import scans, and schedule imports.

Prerequisites

Audience: IT Professional, or End User
Difficulty: Intermediate
Time needed: Approximately 20 minutes
Tools required: N/A

Introduction

Remote Providers are the interface ThreadFix uses to import scans from SaaS scanning platforms. Not all Remote Providers operate in the same manner; refer to each Remote Provider's guide below, and to the ThreadFix Integrations page, for further details.

Note: ThreadFix Bidirectional Sync has been deprecated.

In ThreadFix version 2.8 and higher, the interface is accessible from the sidebar on the left under Integrations → Remote Providers.

In ThreadFix versions prior to 2.8, the interface is accessible through the Configuration (cog) menu under Integrations → Remote Providers.

The following documentation provides the steps for setting up and importing data from the supported remote providers. Please note that the images show ThreadFix version 2.8, which looks slightly different from previous versions.

Create New Provider

To add your Remote Provider instance to ThreadFix, select Create New Provider, and from the Create New Provider modal:

  • Select the desired scanner in the Type field

  • Enter the credentials and specify whether you want to import All scans or only the Most recent (if applicable)

  • Indicate whether you want to Force Last Scan (if applicable), which forces an import even when no new scan has been run, e.g. when you have updated one or more findings on the scanner side since the last scan:

ThreadFix will import all of the integration's existing applications (even if there are no scans assigned to them):

Edit Remote Provider

To edit a Remote Provider's configuration, click on its blue edit button on the right edge of the integration listing, which will pop up an Edit Provider dialog.

Note: In order to save changes to the integration's configuration, you will need to re-enter the account's password. The Save button will otherwise remain disabled.

Import Scans

In order to import scans into ThreadFix, the Remote Provider applications need to be mapped to a Team/Application combo. A user can either:

  • Select Create ThreadFix Applications

  • Manually create applications in ThreadFix and select Edit Mapping

Create ThreadFix Applications

Selecting Create ThreadFix Applications will ask which ThreadFix Team to assign each AppScan Application to:

When clicking the Create Applications button, ThreadFix will create a new ThreadFix application with the same name as its Remote Provider application counterpart and assign it to the selected Team.

Edit Mapping

Selecting Edit Mapping will ask for the Team/Application Combo to which you want the Remote Provider application mapped:

Only teams that have at least one application will appear in the 'Team' list. As of 2.8.6, duplicate custom application names are permitted as long as they differ in the case of at least one letter.

Sync Remote Provider Applications

As applications are added/removed/renamed on the Remote Provider side, you can click the Sync Remote Provider Applications button to add or remove applications from the list of Remote Provider applications.

ThreadFix will provide a banner indicating what, if any, applications were added/removed.

If a Remote Provider application has been renamed on the Remote Provider side, the sync function will remove the Remote Provider application and add a new one corresponding with the new name.

If the renamed Remote Provider application had been mapped to a ThreadFix application, the mapping will not be preserved, so the newly added Remote Provider application will need to be re-mapped.

As of version 2.7.7, app mappings from AppSpider, Checkmarx, Veracode, and WhiteHat persist if an app is renamed on the scanner side: when you sync the Remote Provider apps, their names are updated and the mappings are kept.

Import to ThreadFix

You can either import scan data for all of a remote provider's mapped applications at once (Import All Scans button) or for a particular application (individual Import buttons):

Once the scans have finished importing, you'll be directed to the corresponding Application Details page. The Scans tab will display the scans that were imported:

The Remote Provider Application tab will show the import status:

Note that another method to import a scan is to click the Import (arrow) button within the Remote Provider Application tab.

Scheduled Imports

Via the Scheduled Imports tab, you can schedule Remote Provider scans.

To do so, click the Schedule New Import button, indicate when you want the import to occur, specify the Remote Provider and application, then click the Add Scheduled Import button. Introduced in 2.8.3, a time zone drop-down when scheduling a Remote Provider Import allows users to set the desired time zone region for the scheduled job. This applies to both the Select and the Cron Expression scheduling methods.

The scheduled import will then be reflected in the list.

Scan Orchestration

ThreadFix supports scan orchestration via the UI for Netsparker Enterprise and Acunetix 360. In order to use the Scan Orchestration feature, the ThreadFix user must have the “Manage Remote Provider Scans” permission. After having configured the Remote Provider and mapped it to a ThreadFix application, you can click the Request button to initiate a scan, after which you can click the Import button to import the result.

Another method to initiate a scan orchestration is to click the Scan Orchestration (rocket) button within the Remote Provider Application tab, as seen below for Netsparker Enterprise and Acunetix 360 respectively. Note that this is currently the only available method for Acunetix 360.

ThreadFix also supports scan orchestration for Checkmarx, though currently only via the REST API. Reference: Queue Remote Provider Scan - API

Scanner-specific Notes

AppScan Enterprise

In order to connect to AppScan Enterprise, you may need to import the AppScan server's certificate into the ThreadFix server's Java keystore. Otherwise you may receive the following error:

...SunCertPathBuilderException: unable to find valid certification path to requested target

Instructions for importing the certificate can be found in the Importing External Site's Certificate guide.

Checkmarx

Checkmarx requires that you have the Server Manager role to pull scan data from your instance via the API.

Importing Server Certificates

If your connection to a Remote Provider server requires importing the server's certificate (the symptom otherwise being the "...SunCertPathBuilderException: unable to find valid certification path to requested target..." error), refer to the Importing External Site's Certificate page for instructions on importing the cert.
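The certificate import referenced in the AppScan Enterprise note and in this section, as an added example that is not from the ThreadFix documentation: POSIX shell helpers that fetch the Remote Provider's certificate with openssl, import it into the Java truststore with keytool, and check that the alias is present. The host, alias and keystore path are assumptions ($JAVA_HOME/lib/security/cacerts is the Java 9+ location; Java 8 keeps it under jre/lib/security), as is the JDK default truststore password changeit.

```shell
# Added example, not from the ThreadFix documentation: fetch a Remote
# Provider's TLS certificate, add it to the Java truststore the ThreadFix
# server runs on, and confirm it is there. Host, alias, keystore path and
# password are assumptions (JDK default truststore password is "changeit").
# Keep only the PEM block from `openssl s_client` output (pure text
# processing, so it can be checked offline).
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}
# Print the server's leaf certificate as PEM. For a server cert issued by a
# private CA, importing that CA's certificate instead survives rotation.
fetch_server_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null | extract_pem
}
# Import a PEM file under an alias; an existing alias is replaced so this
# can be re-run after the scanner's certificate changes.
import_cert() {
    pem="$1"; alias="$2"; keystore="$3"; storepass="$4"
    keytool -delete -alias "$alias" -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1 || true
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$pem" \
        -keystore "$keystore" -storepass "$storepass"
}
# Exit status 0 if the alias is in the keystore, non-zero otherwise.
cert_present() {
    keytool -list -alias "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}
# Constructed sample of s_client output (placeholder body, not a real cert)
# for checking extract_pem without network access.
SAMPLE_SCLIENT='depth=0 CN = scanner.example.test
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
subject=CN = scanner.example.test'
# Returns 0 when extract_pem keeps exactly the PEM block and nothing else.
self_check() {
    out="$(printf '%s\n' "$SAMPLE_SCLIENT" | extract_pem)"
    [ "$(printf '%s\n' "$out" | head -n 1)" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(printf '%s\n' "$out" | tail -n 1)" = "-----END CERTIFICATE-----" ] || return 1
    ! printf '%s\n' "$out" | grep -q '^subject='
}
# Live use (as the account that owns the ThreadFix JVM), e.g.:
#   fetch_server_cert scanner.example.test > /tmp/scanner.pem
#   import_cert /tmp/scanner.pem scanner-example "$JAVA_HOME/lib/security/cacerts" changeit
#   cert_present scanner-example "$JAVA_HOME/lib/security/cacerts" changeit && echo trusted
```

The JVM reads its truststore at startup, so restart ThreadFix after the import for the new trust anchor to take effect.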


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.