As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Bidirectional Sync

You will learn

How to enable and configure a Bidirectional sync in ThreadFix.

Prerequisites

Audience: IT Professional or End User
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A

Introduction

Enabling Bidirectional Sync allows ThreadFix to send updates to a finding's status or severity back to the Remote Provider from which it was reported. For example, while merging findings, ThreadFix may raise the severity of a finding's vulnerability; with Bidirectional Sync, the new severity is posted back to every Remote Provider that reported this finding within the application scope. Similarly, if a vulnerability is marked as a false positive, ThreadFix updates the associated findings in every Remote Provider that reported the vulnerability with the new status. Bidirectional Sync is currently supported for Checkmarx and AppSpider Enterprise.

Configuration

Bidirectional Sync works by leveraging a series of hooks in the scan import and merging logic, as well as in manual updates and bulk operations. Updates are stored in a queue, and the network requests to eligible Remote Providers are performed in the background. A few pieces of configuration ensure that the data held in ThreadFix and in a Remote Provider stay consistent.

Enabling Bidirectional Sync

Only a user with the Manage System Settings permission can enable Bidirectional Communication. Navigate to Administration -> System Settings. Under the Other Settings tab, expand the 'Enable Remote Provider Bidirectional Communication' section and set Enable Bidirectional Communication with Scanner to Yes. Once it is on, select which of the supported Remote Providers will be configured to synchronize with ThreadFix.

Configuring Remote Providers

If you have an existing Remote Provider connection for which you would like to enable Bidirectional Sync, navigate to Integrations -> Remote Providers, click the pen (edit) icon next to the Remote Provider you wish to edit, and check Enable Bidirectional Communication. If you wish to create a new Remote Provider with Bidirectional Sync enabled, go through the [create remote provider] steps and check Enable Bidirectional Communication on the create form.

Status Mappings

When a vulnerability status changes in ThreadFix, AppSpider Enterprise and Checkmarx will be updated using the following mapping rules:

ThreadFix to AppSpider Enterprise:

  ThreadFix status                                        AppSpider Enterprise status
  ------------------------------------------------------  ---------------------------
  False Positive                                          Ignored
  Security Verified                                       Verified
  Not Verified, Not False Positive, and Not Exploitable   Unreviewed

AppSpider Enterprise to ThreadFix:

  AppSpider Enterprise status   ThreadFix status
  ---------------------------   ---------------------------------
  Verified                      Scanner Exploitable
  Fixed                         null (no ThreadFix status is set)
  Ignored                       False Positive

Checkmarx:

  ThreadFix status        Checkmarx status
  ----------------------  -------------------------
  False Positive          Not Exploitable
  Developer Contested     Proposed Not Exploitable
  Scanner Exploitable     Confirmed
  Open                    To Verify

If a vulnerability's status in ThreadFix is manually marked (or unmarked) to any status, that status persists indefinitely, or until it is manually changed again. Subsequent scans will not change it automatically.

Configuring Scanner Severity Mappings

Navigate to Customize -> Scanner Severities. Under the ThreadFix Severity Mappings tab, navigate to either Checkmarx or AppSpider Enterprise. You should see two side-by-side lists of drop-down (select) elements.

Mappings on the left control what a severity reported by the scanner becomes in ThreadFix. Mappings on the right control what ThreadFix sends back to the scanner when performing a sync. The two sides should mirror one another. They cannot be derived from a single 1:1 table because several scanner severities may map to the same ThreadFix severity; when that severity is later sent back, ThreadFix needs to know which one of the scanner's severities to pick. Re-check the right-hand list whenever you change the left-hand one, otherwise a severity raised in ThreadFix (for example during merging) may be written back to the scanner as a different level than you expect.
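The following is an added example, not ThreadFix code, that models the two lists above as plain dictionaries and checks that they mirror each other: every ThreadFix severity the left list can produce must have an outbound entry, and every outbound entry must round-trip back to the same ThreadFix severity. The scanner severity names and the ThreadFix severity names used here are constructed for illustration and are not taken from this page.

```python
"""Consistency check for the two Scanner Severity mapping lists.

Added example, not ThreadFix code. FORWARD models the left list (scanner
severity -> ThreadFix severity, possibly many-to-one); the REVERSE tables
model the right list (ThreadFix severity -> scanner severity used when
syncing back). All severity names below are constructed for illustration.
"""
from typing import Dict, List, Optional


# Left list (constructed). Two scanner levels collapse to ThreadFix "Info",
# which is exactly why the right list cannot be derived automatically.
FORWARD: Dict[str, str] = {
    "Urgent": "Critical",
    "High": "High",
    "Medium": "Medium",
    "Low": "Low",
    "Informational": "Info",
    "Best Practice": "Info",
}

# Right list, consistent with FORWARD: for "Info" a choice had to be made.
REVERSE_GOOD: Dict[str, str] = {
    "Critical": "Urgent",
    "High": "High",
    "Medium": "Medium",
    "Low": "Low",
    "Info": "Informational",
}

# Right list with two mistakes: "High" would be written back as the scanner's
# "Medium", and "Info" has no outbound entry at all.
REVERSE_BAD: Dict[str, str] = {
    "Critical": "Urgent",
    "High": "Medium",
    "Medium": "Medium",
    "Low": "Low",
}


def fanout(forward: Dict[str, str]) -> Dict[str, List[str]]:
    """Group scanner severities by the ThreadFix severity they become."""
    groups: Dict[str, List[str]] = {}
    for scanner_sev, generic in forward.items():
        groups.setdefault(generic, []).append(scanner_sev)
    return groups


def check_mappings(forward: Dict[str, str], reverse: Dict[str, str]) -> List[str]:
    """Return a description of every way the two lists fail to mirror each other.

    Rule 1: every ThreadFix severity the left list can produce needs an
    outbound entry, or a severity change in ThreadFix cannot be synced back.
    Rule 2: every outbound entry must name a real scanner severity that the
    left list maps back to the same ThreadFix severity (a clean round trip).
    """
    problems: List[str] = []
    for generic in sorted(set(forward.values())):
        if generic not in reverse:
            problems.append(
                f"no outbound mapping for ThreadFix severity {generic!r}; "
                f"changes to it cannot be synced back"
            )
    for generic, scanner_sev in reverse.items():
        if scanner_sev not in forward:
            problems.append(
                f"{generic!r} -> {scanner_sev!r}: not a severity the scanner reports"
            )
        elif forward[scanner_sev] != generic:
            problems.append(
                f"{generic!r} -> {scanner_sev!r} round-trips to "
                f"{forward[scanner_sev]!r}, not {generic!r}"
            )
    return problems


def outbound_severity(threadfix_sev: str, reverse: Dict[str, str]) -> Optional[str]:
    """Severity a sync would write to the scanner, or None if nothing can be sent."""
    return reverse.get(threadfix_sev)


if __name__ == "__main__":
    for generic, sources in fanout(FORWARD).items():
        print(f"{generic:<9} <- {', '.join(sources)}")
    for name, table in (("good", REVERSE_GOOD), ("bad", REVERSE_BAD)):
        print(f"{name}: {check_mappings(FORWARD, table) or 'consistent'}")
```

Run it after editing either list; an empty result from check_mappings means a severity change in ThreadFix will be written back as the scanner level you intended.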

Testing Configuration

You can test the configuration by [importing a scan from a remote provider] with Bidirectional Sync enabled. Navigate to the Application Details page, choose any vulnerability from the vulnerability tree and click View More. Scroll down to External Links and click any of the links listed.

Note the severity reported by your scanner.

Back in ThreadFix, scroll back to the top of the Vulnerability Details page and click Action -> Change Severity, then choose a severity for which you previously set up a mapping. Note the new severity in ThreadFix.

Return to the external link, refresh the page and ensure the severity has been updated appropriately.

Caution

Exercise caution when Bidirectional Sync is enabled with the following features:

  • ThreadFix Vulnerability Type Severity Mapping

  • Scanner Vulnerability Type Severity Mapping

Mapping a CWE to a specific severity at the app, team or global level triggers a bulk Bidirectional Sync operation that issues one network request per affected finding. Mapping a scanner vulnerability type to a ThreadFix severity issues the same operation. Limit the frequency of re-mappings, and be aware of how many findings (and therefore how many Remote Provider requests) a re-mapping will touch before carrying it out, especially at the team or global level.
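As an added example (not ThreadFix code), the dry run below estimates that blast radius before a CWE re-mapping: it counts, per Remote Provider, the findings whose severity would change and which were reported by a provider with Bidirectional Communication enabled. The findings are constructed sample data, and the scope semantics, field names and the assumption that an unchanged severity queues no request are this example's own, not documented ThreadFix behaviour.

```python
"""Dry run for a bulk CWE severity re-mapping with Bidirectional Sync enabled.

Added example, not ThreadFix code. Models the rule that mapping a CWE to a
severity at app, team or global scope queues one Remote Provider request per
affected finding. Scope handling, field names and the "unchanged severity
queues nothing" assumption are this example's own; findings are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: int
    team: str
    app: str
    cwe: int
    severity: str
    provider: str  # Remote Provider that reported the finding


@dataclass(frozen=True)
class SyncRequest:
    provider: str
    finding_id: int
    new_severity: str


# Scope is ("global", None), ("team", "<team>") or ("app", "<team>/<app>").
Scope = Tuple[str, Optional[str]]

# Constructed sample data. "Burp Suite" stands in for a provider that is not
# configured for Bidirectional Communication.
FINDINGS: List[Finding] = [
    Finding(1, "Payments", "checkout", 79, "Medium", "Checkmarx"),
    Finding(2, "Payments", "checkout", 79, "High", "AppSpider Enterprise"),
    Finding(3, "Payments", "api", 79, "Medium", "AppSpider Enterprise"),
    Finding(4, "Platform", "portal", 79, "Low", "Checkmarx"),
    Finding(5, "Platform", "portal", 79, "Medium", "Burp Suite"),
    Finding(6, "Payments", "checkout", 89, "Medium", "Checkmarx"),
]
ENABLED_PROVIDERS: Set[str] = {"Checkmarx", "AppSpider Enterprise"}


def in_scope(finding: Finding, scope: Scope) -> bool:
    """True if the finding falls under the app, team or global mapping scope."""
    kind, target = scope
    if kind == "global":
        return True
    if kind == "team":
        return finding.team == target
    if kind == "app":
        return f"{finding.team}/{finding.app}" == target
    raise ValueError(f"unknown scope kind {kind!r}")


def plan_cwe_remap(
    findings: Iterable[Finding],
    cwe: int,
    new_severity: str,
    scope: Scope,
    sync_enabled_providers: Set[str],
) -> List[SyncRequest]:
    """Return the sync requests a CWE -> severity mapping would queue."""
    requests: List[SyncRequest] = []
    for f in findings:
        if f.cwe != cwe or not in_scope(f, scope):
            continue
        if f.severity == new_severity:
            continue  # assumption: an unchanged severity queues no request
        if f.provider not in sync_enabled_providers:
            continue  # provider has no Bidirectional Communication enabled
        requests.append(SyncRequest(f.provider, f.finding_id, new_severity))
    return requests


def summarize(requests: Iterable[SyncRequest]) -> Dict[str, int]:
    """Number of background network requests per Remote Provider."""
    return dict(Counter(r.provider for r in requests))


if __name__ == "__main__":
    for scope in (("global", None), ("team", "Payments"), ("app", "Payments/checkout")):
        planned = plan_cwe_remap(FINDINGS, 79, "High", scope, ENABLED_PROVIDERS)
        print(f"CWE-79 -> High at {scope}: {len(planned)} request(s) {summarize(planned)}")
```

Running the dry run at each scope shows how the request count grows from one (a single app) to three (global) for the same mapping, which is the number to weigh before committing a team- or global-level change.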

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.