ThreadFix Reduces Remediation Time and Effort While Facilitating
Communication Between Security and Development Teams

SAN ANTONIO, TX – Sept. 17, 2012 – Denim Group, the leading secure software development company, today announced ThreadFix, an open source, freely-available vulnerability management platform that substantially accelerates the process of resolving application-level vulnerabilities. ThreadFix aggregates vulnerability test results from disparate static and dynamic scanning tools as well as the results of manual penetration testing, code review and threat modeling to create a single comprehensive view of the security status of all applications within an organization. With ThreadFix, the reporting, prioritization and remediation of an organization’s application security vulnerabilities are centralized in a single tool, significantly easing communications between the application development and security teams. This centralization enables security analysts and development managers to make better-informed remediation decisions.

???Denim Group???s ThreadFix is taking an innovative approach to application vulnerability management,??? said principal analyst Eric Ogren of The Ogren Group. ???ThreadFix’s normalization of data from multiple scanning sources brings much needed de-duplication to vulnerability reports, while the virtual patching of discovered application vulnerabilities significantly helps security teams protect corporate data from external threats. Organizations should look to technologies such as ThreadFix to accelerate the closing of dangerous security holes in applications.???

The industry trend of using multiple commercial and open source tools to test the security of applications has enabled security teams to become more effective at identifying vulnerabilities. However, the downside of this approach is the volume of data that is produced to detail these vulnerabilities. Until now, this information has been managed with tedious and error-prone processes such as manually entering data into Excel spreadsheets.

The ThreadFix platform dramatically simplifies this process by automatically integrating dissimilar scanning data from a wide variety of tools. Overlaps among the reports are de-duplicated to present a clearer picture of currently-open vulnerabilities. To protect the organization’s assets during the remediation process, ThreadFix generates Web Application Firewall ???virtual patches??? that better protect the organization while the software vulnerabilities are addressed at a code level. These tailored firewall rules also generate additional data from actual attack attempts that is imported into ThreadFix. Combining the vulnerability scans with the attack intelligence provides a more complete picture of an organization’s security state, making it much easier to properly prioritize the software defects severity.

With the ThreadFix ???virtual patches??? reducing the organization’s exposure, security analysts and development team leads can work together to decide which vulnerabilities will get fixed and which vulnerabilities represent an acceptable risk to the organization. ThreadFix is used to bundle vulnerabilities by type, by responsible developer or by severity. The bundled vulnerabilities are exported to software defect trackers, the tools and processes developers already use in their daily job, eliminating the need to learn yet another security defect-specific system. As the defects are resolved and entered in the defect tracking system, these changes are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm the security holes have indeed been closed.

???With the hundreds of concurrent application development projects taking place in a typical company today, staying on top of the mountain of security vulnerabilities is a huge challenge, especially when you are trying to manage that data with Excel spreadsheets,??? said Dan Cornell, Denim Group CTO & Principal. ???ThreadFix aggregates all of this data, making it much easier to pinpoint the critical risks that can get buried underneath an overwhelming number of lower-priority or irrelevant vulnerability information. We’re pleased to be able to release this as an open source product to enable companies of all sizes to accelerate secure application development initiatives across the market.???

Immediately available, ThreadFix can be downloaded at http://www.denimgroup.com/threadfix. Denim Group also offers additional commercial support and implementation services for organizations deploying ThreadFix. To learn more, contact Denim Group at [email protected] or (210) 572-4400.

About Denim Group
Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, languages and applications. What makes Denim Group unique is that the company brings significant core competencies in software security to the table, offering an innovative blend of secure software development, testing and training capabilities that protect a company’s biggest asset, its data. Denim Group customers span an international client base of commercial and public sector organizations across the financial services, banking, insurance, healthcare and defense industries. Its depth of experience building large-scale software development systems in a secure fashion has made the company’s leaders recognized experts in their fields. Denim Group has been recognized as one of the 5,000 Fastest Growing Company’s by Inc. Magazine five years in a row, and has won multiple awards including its recent accolades as one of the best places to work in San Antonio. For more information about Denim Group visit http://www.denimgroup.com.
Denim Group is a registered service mark of Denim Group, Ltd. Other names and brands may be claimed as the property of others.