
Hybrid Analysis Mapping Configuration

brianmather edited this page Jan 10, 2014 · 15 revisions

This is a walkthrough on configuring an application in ThreadFix to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities.


If you're interested in another topic, here are some links:

Supported Threadfix [Dynamic Scanners](https://github.com/denimgroup/threadfix/wiki/Dynamic-Scanners), [Static Scanners](https://github.com/denimgroup/threadfix/wiki/Static-Scanners), [Remote Providers](https://github.com/denimgroup/threadfix/wiki/Remote-Providers)

Supported Threadfix [Software Defect Trackers](https://github.com/denimgroup/threadfix/wiki/Software-Defect-Trackers)

Supported Threadfix [WAF Types](https://github.com/denimgroup/threadfix/wiki/WAF-Types)

ThreadFix Plugins: Zap Plugin, [Eclipse IDE Plugin](Eclipse-IDE-Plugin), [IntelliJ IDEA Plugin](IntelliJ-IDEA-Plugin)

Threadfix [Vulnerability Merging](https://github.com/denimgroup/threadfix/wiki/Vulnerability-Merging)

Threadfix [Vulnerability Format](https://github.com/denimgroup/threadfix/wiki/Vulnerability-Format)

Introduction

Configuring an application in ThreadFix to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities allows for interactions such as:

  • Better static-dynamic vulnerability merging
  • Allowing scanners (OWASP ZAP and BurpSuite) to import application attack surface from ThreadFix prior to starting a spider/scan for increased coverage
  • Allowing Integrated Development Environments (IDEs) (Eclipse and IntelliJ) to import dynamic scan results together with the likely code locations for each result

ThreadFix Hybrid Analysis Mapping (HAM) currently works for Java/JSP and Java/Spring applications. Support for additional languages and frameworks is planned. Source code can be imported from public git repositories or from local or network folder locations with additional source code access methods planned.

Setting up an application to take advantage of HAM involves pointing ThreadFix toward the source code and (optionally) telling ThreadFix what language and framework the application uses:

The fields are as follows:

  • Application Type: What type (language and framework) is this? The "Detect" option is preferable because ThreadFix will look at the project folder and attempt to detect the language and framework. If there are detection issues, the specific language and framework can be selected. Please note that currently only Java/JSP and Java/Spring applications are supported by ThreadFix's HAM engine.
  • Source Code URL: This is the git URL where the application's source code can be found. Currently only anonymous git access is supported and this is a known issue.
  • Source Code Folder: This is the folder (from the perspective of the ThreadFix server) where the application source code can be found if the application is not available via unauthenticated git.

Providing ThreadFix with access to the application source code will allow the server to perform a lightweight static analysis of the source code and build an internal database of the application's attack surface and the source code elements responsible for each piece of attack surface. This attack surface database allows for the advanced interactions, both inside of ThreadFix and with external tools, that were mentioned above.
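To illustrate the kind of lightweight static analysis described above, here is an added example (not ThreadFix's own HAM engine, which is far more complete): a minimal pass over a constructed Spring MVC controller that records each request mapping's URL, HTTP method, source location and request parameters, resolves a dynamically scanned URL back to its handler, and applies a simple static/dynamic merge rule. The controller source, the `Endpoint` record, the finding dictionaries and the merge rule are all assumptions made for this example.

```python
import re
from collections import namedtuple
# Constructed sample Spring MVC controller (not from ThreadFix or any real application)
SAMPLE_CONTROLLER = """\
@Controller
@RequestMapping("/accounts")
public class AccountController {
    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public String view(@PathVariable String id, Model model) { /* ... */ }
    @RequestMapping(value = "/search", method = RequestMethod.POST)
    public String search(@RequestParam("q") String query, Model model) { /* ... */ }
}
"""
# url pattern, HTTP method, handling source file, annotation line, request parameters read
Endpoint = namedtuple("Endpoint", "url method file line params")
CLASS_MAP = re.compile(r'@RequestMapping\("([^"]*)"\)')
METHOD_MAP = re.compile(r'@RequestMapping\(\s*value\s*=\s*"([^"]*)"'
                        r'(?:\s*,\s*method\s*=\s*RequestMethod\.(\w+))?')
PARAM = re.compile(r'@RequestParam\("(\w+)"\)')

def extract_endpoints(src, filename):
    """Lightweight static pass: class-level URL prefix plus method-level mappings."""
    lines, base, endpoints = src.splitlines(), "", []
    for i, line in enumerate(lines, start=1):
        m = CLASS_MAP.search(line)
        if m:
            base = m.group(1)
            continue
        m = METHOD_MAP.search(line)
        if m:  # handler signature, with its @RequestParam names, is on the next line
            params = PARAM.findall(lines[i]) if i < len(lines) else []
            endpoints.append(Endpoint(base + m.group(1), m.group(2) or "GET",
                                      filename, i, params))
    return endpoints

def find_endpoint(url, endpoints):
    """Resolve a scanned URL to its handler; literal paths before {var} patterns."""
    for ep in sorted(endpoints, key=lambda e: "{" in e.url):
        pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p)
                          for p in re.split(r"(\{\w+\})", ep.url))
        if re.fullmatch(pattern, url):
            return ep
    return None

def same_vulnerability(dynamic, static, endpoints):
    """Merge rule: URL resolves to a handler in the static finding's file, the
    vulnerability types agree, and that handler reads the tested parameter."""
    ep = find_endpoint(dynamic["url"], endpoints)
    return (ep is not None and ep.file == static["file"]
            and dynamic["type"] == static["type"] and dynamic["param"] in ep.params)
```

Trying literal paths before `{var}` patterns matters: otherwise `/accounts/search` would be attributed to the `/accounts/{id}` handler and the merge would point at the wrong code location.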

HAM technology in ThreadFix is still in development - please feel free to ask questions on the Google Group or to submit bugs or feature requests to the GitHub issue tracker.
