As many know, I've spent the last couple of years in the vulnerability management world, at least what we generally accept as "vulnerability management". Although I think what we do at my "day job" (what a quaint concept, "day job") is stellar, there is a hole in vulnerability management: vulnerability management for applications from a code review and process management perspective. Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing? How do you manage disparate data sources on vulnerabilities in your organization's code? How do you share that information and get the right information to the right people, in the format they want? How do you leverage the information as quickly and effectively as possible? For many people, I assume a kludge of ticketing and bug-tracking tools is used, probably with a few spreadsheets tossed in to connect the dots that the tools don't support.
Enter the good folks at Denim Group: they have created ThreadFix, an open source "application vulnerability management platform".