Using ThreadFix with IriusRisk
ThreadFix is an automated tool for consolidating and tracking Threat Model vulnerabilities and intelligence for your applications. This guide covers integrating and using IriusRisk with ThreadFix as a Vulnerability Tracker in your CI/CD pipeline.
IriusRisk is able to upload all countermeasures of a product to ThreadFix as vulnerabilities, as if it were a scanner; each of these scans acts as a single point-in-time capture of all the vulnerabilities that exist in the application's Threat Model in IriusRisk. ThreadFix can consolidate these findings into a unified view with results from a multitude of other scanning tools, mapping and correlating findings from SAST and DAST tools through MITRE Common Weakness Enumerations (CWEs).
In relation to ThreadFix, you can think of IriusRisk as a scanner, which can be rerun across single or multiple products and versions, to enhance a CI/CD pipeline.
Integrating ThreadFix as a Vulnerability Tracker
1. You will need your API Key from ThreadFix to complete the next steps:
2. If this is your first time using ThreadFix, you will require a Unique Application ID and a Team Name. These are created in the Portfolio menu, as shown below:
For this demo, we will use ExampleTeam and ExampleApplication.
3. Navigate to the Global Default Settings in IriusRisk, and configure the Vulnerability Tracker with the fields below:
URL: The URL of your ThreadFix instance.
Unique Application ID: The default application ID as a global setting. This is the ID of the ThreadFix application that the scan results from IriusRisk will map to (see step 2). This ID can be changed per product (see step 4).
Scanner Name: In ThreadFix, the uploaded vulnerabilities will be shown as results from a scanner. We recommend using 'IriusRisk' here.
Team Name: The name of the Team in ThreadFix (see step 2).
Be sure to Save and Test Connection to verify the API connection.
4. ThreadFix as a Vulnerability Tracker is likely to have an Application ID configured at a product level and/or component level. This is particularly useful when threat modelling multiple applications distributed across various teams. To change the Vulnerability Tracker settings in the Products menu:
A dialogue box for Product Settings will appear, where you can configure the ThreadFix settings specific to the Product in the same way as for the Global Default Settings:
Using the ThreadFix Vulnerability Tracker in IriusRisk
Now that we have our Vulnerability Tracker configured, we can complete our first ThreadFix 'scan' of our Threat Model.
- We will be using a simple Threat Model diagram for illustration:
- From the Countermeasures tab, we will Create new Vulnerabilities for all Requirements:
A dialogue box will confirm the upload of all countermeasures as vulnerabilities to ThreadFix:
Once you've seen the notification below, navigate to ThreadFix, where you can interact with the new ThreadFix vulnerabilities:
- Our ExampleApplication in ThreadFix now displays the vulnerabilities created from IriusRisk:
- See below for an example ThreadFix finding generated by a vulnerability 'scan' using IriusRisk:
Subsequent Vulnerability Scans from IriusRisk:
- Imagine in our next scan, some of our Countermeasures have been Implemented or Rejected (perhaps a state change triggered by an IriusRisk Issue Tracker integration, such as Jira).
IriusRisk will only export vulnerabilities to ThreadFix when they are in the Required or Recommended state:
- As done previously, we can now Create new Vulnerabilities for all Requirements, but this time to reflect the state changes we've made with some of our countermeasures:
- The ThreadFix application dashboard will now reflect and track our scans as a consolidated view for our ExampleApplication:
How are CWEs Automatically Mapped?
When a countermeasure Unique ID contains a CWE (CWE-XXXX), it will be automatically mapped to a weakness in ThreadFix, as shown below for an IriusRisk countermeasure:
This vulnerability is automatically resolved to a CWE in ThreadFix:
Scan findings can also be mapped manually using ThreadFix.
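The two rules above (only Required or Recommended countermeasures are exported, and a CWE-XXXX in the Unique ID is what ThreadFix resolves automatically) can be checked before a scan is run. The following is an added, self-contained Python example, not IriusRisk or ThreadFix code: it uses a constructed list of countermeasures (the IDs and states are invented), simulates two point-in-time scans, and reports which findings would need manual CWE mapping. Treating an ID that is absent from the later scan as "closed" is this example's own reconciliation, not a statement about how ThreadFix consolidates scans.

```python
import re
from dataclasses import dataclass

# Only countermeasures in these states are exported to ThreadFix as vulnerabilities.
EXPORTED_STATES = {"Required", "Recommended"}

# A Unique ID containing "CWE-<number>" is mapped to that CWE by ThreadFix automatically.
CWE_PATTERN = re.compile(r"CWE-(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Countermeasure:
    unique_id: str   # e.g. "CWE-79-ENCODE-OUTPUT" (constructed, not a real IriusRisk ID)
    state: str       # Required / Recommended / Implemented / Rejected / ...


def cwe_from_unique_id(unique_id):
    """CWE number ThreadFix would resolve from the ID, or None if manual mapping is needed."""
    match = CWE_PATTERN.search(unique_id)
    return int(match.group(1)) if match else None


def scan(countermeasures):
    """Simulate one IriusRisk 'scan': the set of countermeasure IDs that would be uploaded."""
    return {c.unique_id for c in countermeasures if c.state in EXPORTED_STATES}


def diff_scans(previous, current):
    """Compare two point-in-time scans (assumption: an ID missing from the later scan is closed)."""
    return {"new": current - previous, "closed": previous - current, "open": current & previous}


def unmapped(countermeasures):
    """Exported IDs that carry no CWE and will need manual mapping in ThreadFix."""
    return sorted(uid for uid in scan(countermeasures) if cwe_from_unique_id(uid) is None)


# Constructed sample threat model, before and after some countermeasures change state.
FIRST_SCAN = [
    Countermeasure("CWE-79-ENCODE-OUTPUT", "Required"),
    Countermeasure("CWE-89-PARAMETERISE-SQL", "Required"),
    Countermeasure("LOGGING-CENTRAL", "Recommended"),
    Countermeasure("CWE-352-ANTI-CSRF", "Implemented"),   # already done: not exported
]
SECOND_SCAN = [
    Countermeasure("CWE-79-ENCODE-OUTPUT", "Implemented"),
    Countermeasure("CWE-89-PARAMETERISE-SQL", "Required"),
    Countermeasure("LOGGING-CENTRAL", "Rejected"),
    Countermeasure("CWE-352-ANTI-CSRF", "Implemented"),
]
```

Running `diff_scans(scan(FIRST_SCAN), scan(SECOND_SCAN))` shows only the SQL countermeasure still open, and `unmapped(FIRST_SCAN)` flags LOGGING-CENTRAL as the one finding that would need a manual CWE mapping.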