As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Bidirectional Sync
You will learn
How to enable and configure a Bidirectional sync in ThreadFix.
Prerequisites
Audience: IT Professional or End User
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A
Introduction
Enabling Bidirectional Sync allows ThreadFix to send updates to a finding’s status or severity back to the Remote Providers from which it was reported. As an example, while merging findings, ThreadFix may raise the severity of a finding’s vulnerability; with Bidirectional Sync, the new severity would be posted back to any Remote Provider that has reported this finding within the application scope. Similarly, if a vulnerability is marked as a false positive, ThreadFix will update the associated findings in every Remote Provider that reported the vulnerability with the new status. We currently support Bidirectional Sync for Checkmarx and AppSpider Enterprise.
Configuration
Bidirectional Sync works by leveraging a series of hooks in our scan import and merging logic, as well as in manual updates and bulk operations. We store updates in a queue and perform network requests to eligible Remote Providers in the background. We rely on a few pieces of configuration to ensure data between ThreadFix and a remote provider is consistent.
Enabling Bidirectional Sync
Only a user with the Manage System Settings permission can enable Bidirectional Communication. First, navigate to Administration -> System Settings. Under the Other Settings tab, expand the ‘Enable Remote Provider Bidirectional Communication’ section and click ‘yes’ on Enable Bidirectional Communication with Scanner. Once it’s on, you can select which of the supported Remote Providers will be configured to synchronize with ThreadFix.
Configuring Remote Providers
If you have a previous Remote Provider connection for which you would like to enable Bidirectional Sync, navigate to Integrations -> Remote Providers and click the pen tool next to the Remote Provider you wish to edit. Check Enable Bidirectional Communication. If you wish to create a new Remote Provider with Bidirectional Sync enabled, go through the [create remote provider] steps. Check Enable Bidirectional Communication on the create form.
Status Mappings
When a vulnerability status changes in ThreadFix, AppSpider Enterprise and Checkmarx will be updated using the following mapping rules:
ThreadFix to AppSpider:

| ThreadFix | AppSpider Enterprise |
|---|---|
| False Positive | Ignored |
| Security Verified | Verified |
| Not Verified, Not False Positive, and Not Exploitable | Unreviewed |

AppSpider to ThreadFix:

| AppSpider Enterprise | ThreadFix |
|---|---|
| Verified | Scanner Exploitable |
| Fixed | null |
| Ignored | False Positive |

Checkmarx:

| ThreadFix | Checkmarx |
|---|---|
| False Positive | Not Exploitable |
| Developer Contested | Proposed Not Exploitable |
| Scanner Exploitable | Confirmed |
| Open | To Verify |
If a vulnerability’s status in ThreadFix is manually marked (or unmarked) to any status, this status will persist indefinitely or until manually changed again. No changes will be made automatically from subsequent scans.
Configuring Scanner Severity Mappings
Navigate to Customize -> Scanner Severities. Under the ThreadFix Severity Mappings tab, navigate to either Checkmarx or AppSpider Enterprise. You should see two side-by-side lists of select elements.
Mappings on the left side control what a severity from a scanner becomes in ThreadFix. On the right side, the mappings control what ThreadFix will send back to a scanner when performing a sync. These should reflect one another. The reason there is not a direct 1:1 relationship is because it is possible for multiple severities coming into ThreadFix to map to the same Generic Severity, in which case we would need to know which one to pick going the other direction.
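The left-hand and right-hand lists above are two separate mappings, and nothing in the UI forces them to agree. The script below is an added illustration (not ThreadFix code) of the check a practitioner would want before enabling sync: it takes an inbound mapping (scanner severity to ThreadFix generic severity) and an outbound mapping (generic severity back to scanner severity), reports every generic severity with more than one inbound source, which is exactly the case where the outbound list has to decide, and flags any outbound choice that does not map back to the generic severity it came from. The scanner severity labels (`High`, `Medium`, `Low`, `Info`, `Best Practice`) are constructed sample values, not a real scanner's vocabulary.

```python
"""Round-trip consistency check for a scanner's inbound/outbound severity mappings.

Added example, not part of ThreadFix. All severity labels are constructed samples.
"""
from collections import defaultdict

# Inbound (left-hand list): scanner severity -> ThreadFix generic severity.
# Two scanner severities deliberately collapse onto "Info" to show the many-to-one case.
INBOUND = {
    "High": "High",
    "Medium": "Medium",
    "Low": "Low",
    "Info": "Info",
    "Best Practice": "Info",   # constructed: second scanner severity that also becomes Info
}

# Outbound (right-hand list): ThreadFix generic severity -> scanner severity sent on sync.
OUTBOUND = {
    "High": "High",
    "Medium": "Medium",
    "Low": "Low",
    "Info": "Best Practice",   # the one choice ThreadFix makes for the ambiguous generic severity
}


def inbound_sources(inbound):
    """Group scanner severities by the generic severity they map to."""
    groups = defaultdict(list)
    for scanner_sev, generic in inbound.items():
        groups[generic].append(scanner_sev)
    return dict(groups)


def ambiguous_generic_severities(inbound):
    """Generic severities fed by more than one scanner severity; only the outbound list can resolve these."""
    return {g: sorted(s) for g, s in inbound_sources(inbound).items() if len(s) > 1}


def check_mappings(inbound, outbound):
    """Return a list of problems. An empty list means the two lists reflect one another."""
    problems = []
    for generic in inbound_sources(inbound):
        if generic not in outbound:
            problems.append(f"no outbound mapping for generic severity '{generic}'")
    for generic, scanner_sev in outbound.items():
        if scanner_sev not in inbound:
            problems.append(f"outbound '{generic}' -> '{scanner_sev}' is not a known scanner severity")
        elif inbound[scanner_sev] != generic:
            # Sending this value back would be re-imported as a different generic severity.
            problems.append(f"outbound '{generic}' -> '{scanner_sev}' maps back to '{inbound[scanner_sev]}'")
    return problems


def written_back_severity(scanner_sev, inbound, outbound):
    """Scanner severity ThreadFix would send on sync if the generic severity were left unchanged."""
    return outbound[inbound[scanner_sev]]


if __name__ == "__main__":
    print("ambiguous:", ambiguous_generic_severities(INBOUND))
    print("problems:", check_mappings(INBOUND, OUTBOUND) or "none")
    # A finding imported as "Info" would be written back as "Best Practice": the cost of many-to-one.
    print("Info is written back as:", written_back_severity("Info", INBOUND, OUTBOUND))
    broken = dict(OUTBOUND, Info="Low")   # constructed misconfiguration
    print("problems with broken outbound list:", check_mappings(INBOUND, broken))
```

Run it once per scanner with the two lists copied from the Scanner Severities page; the "maps back to" message is the one to act on, since a severity pushed out under that mapping would come back as a different generic severity on the next import and the two systems would drift on every sync.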
Testing Configuration
You can test the configuration by [importing a scan from a remote provider] with Bidirectional Sync enabled. Navigate to the Application Details page, choose any vulnerability from the vulnerability tree, and click View More. Scroll down to External Links and click on any one listed.
Note the severity reported by your scanner:
Back in ThreadFix, scroll back up to the top of the Vulnerability Details page and click Action -> Change Severity, then choose any severity you previously set up mappings for. Note the new severity in ThreadFix.
Return to the external link, refresh the page and ensure the severity has been updated appropriately.
Caution
Exercise caution when Bidirectional Sync is enabled with the following features:
ThreadFix Vulnerability Type Severity Mapping
Scanner Vulnerability Type Severity Mapping
Mapping a CWE to a specific severity at the app, team or global level will trigger a bulk Bidirectional Sync operation containing a network request for each finding affected. Mapping a scanner vulnerability to a ThreadFix severity will issue the same operation. We suggest limiting the frequency of re-mappings and being conscious of the number of findings you will be affecting before carrying out the procedure.
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.