Integration with CyberArk

Mark Ma

Jun 3, 2016, 7:34:33 PM
to ThreadFix
At one of my recent conversations regarding storage of security findings, a big boss asked, 'Where are you storing all of the findings?'

When we realized, uncomfortably, that our web app storing the vulnerability findings was susceptible to all manner of attacks (such as access escalation and SQLi), there was a nervous hush around the table.

ThreadFix should be as secure as possible, since it tends to hold the jewels of the kingdoms it is deployed in. Would it make sense to integrate it with CyberArk to avoid privilege escalation and theft?

Dan Cornell

Jun 5, 2016, 9:45:10 PM
to ThreadFix
Great story. Are you a Cyberark sales person? ;)

ThreadFix undergoes periodic security reviews via SAST, DAST and manual pen testing. Nobody's perfect, but we do have a program in place to proactively identify and resolve potential issues. Are you saying you've identified specific vulnerabilities? Or just that, as a web application, ThreadFix could be targeted with various attacks? If you have any specific vulnerability information, please send my way dan _at_ denimgroup _dot_ com.

Thanks,

Dan

Mark Ma

Jan 3, 2017, 7:30:29 PM
to thre...@googlegroups.com
Haha... :D Totally true story. Totally not a salesman for Cyber.

And no known vulns; I just realized that if you have jewels, you will likely be the target of attacks.

I have been thinking quite a bit about your product space. Curious how you compare yourselves to other competitors.

Personally, I'm very fond of your flexibility. I'm even thinking about integrating feedback from risk assessment tools like Carbon Black, and wondering if you have any plans to incorporate data from tools other than application-focused ones, like IPS (Palo Alto, Fortinet...), DLP, maybe even AV (Symantec, Cylance, Traps...).


Ben Tomhave

Jan 4, 2017, 1:44:21 PM
to ThreadFix
There's nothing to stop you from leveraging the API integration in CyberArk to script in protection of credentials instead of any that might need to be embedded in ThreadFix (in lieu of app keys). I would suspect this would be trivially done, and CyberArk might even have script snippets to leverage in Jenkins, etc. From what I've seen, their API is straightforward.
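The pattern Ben describes, as an added example that is not part of this thread and is neither ThreadFix's nor CyberArk's own code: a Python script that pulls a credential from a CyberArk-style vault at request time so that no password has to sit in ThreadFix configuration. It assumes a Central Credential Provider (CCP) style endpoint, `GET /AIMWebService/api/Accounts?AppID=...&Safe=...&Object=...`, answering with JSON that carries the password in a `Content` field; the vault host, AppID, Safe and Object names, the certificate paths, and the `vault://Safe/Object` reference syntax are all assumptions of this example, and `fake_vault_transport` is a constructed stand-in so it runs offline.

```python
"""Fetch credentials from a vault at runtime instead of embedding them in config.

Added example (not ThreadFix or CyberArk code). Assumes a CCP-style endpoint
GET /AIMWebService/api/Accounts?AppID=..&Safe=..&Object=.. returning JSON with
a "Content" field. Host, AppID, Safe, Object and cert paths are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes a URL and returns (HTTP status, response body).
Transport = Callable[[str], Tuple[int, bytes]]


class VaultError(RuntimeError):
    """The vault did not supply a usable credential; callers fail closed."""


class Secret:
    """Wraps a credential so printing or logging it shows a mask, not the value."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Return the raw value; call only where the credential is actually used."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(****)"

    __str__ = __repr__


def build_ccp_url(base_url: str, app_id: str, safe: str, obj: str) -> str:
    """Build the lookup URL; urlencode keeps unusual characters in names safe."""
    query = urllib.parse.urlencode({"AppID": app_id, "Safe": safe, "Object": obj})
    return f"{base_url.rstrip('/')}/AIMWebService/api/Accounts?{query}"


def parse_ccp_response(status: int, body: bytes) -> Secret:
    """Turn a vault reply into a Secret, rejecting anything but a clean hit."""
    if status != 200:
        raise VaultError(f"vault returned HTTP {status}")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise VaultError("vault response is not valid JSON") from exc
    content = payload.get("Content") if isinstance(payload, dict) else None
    if not isinstance(content, str) or not content:
        raise VaultError("vault response has no Content field")
    return Secret(content)


def fetch_credential(base_url: str, app_id: str, safe: str, obj: str,
                     transport: Transport) -> Secret:
    """Look up one account's password through the given transport."""
    status, body = transport(build_ccp_url(base_url, app_id, safe, obj))
    return parse_ccp_response(status, body)


def https_transport(client_cert: str, client_key: str, ca_bundle: str) -> Transport:
    """Real transport: mutual TLS, so the app authenticates to the vault with a
    certificate rather than yet another shared password (paths are assumptions)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)

    def send(url: str) -> Tuple[int, bytes]:
        try:
            with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # non-2xx is still an answer
            return err.code, err.read()

    return send


def resolve_config(config: Dict[str, str], base_url: str, app_id: str,
                   transport: Transport) -> Dict[str, object]:
    """Replace 'vault://<Safe>/<Object>' references with Secrets fetched at start-up,
    so the config on disk holds references, never passwords."""
    resolved: Dict[str, object] = {}
    for key, value in config.items():
        if value.startswith("vault://"):
            safe, _, obj = value[len("vault://"):].partition("/")
            if not safe or not obj:
                raise VaultError(f"bad vault reference in {key!r}")
            resolved[key] = fetch_credential(base_url, app_id, safe, obj, transport)
        else:
            resolved[key] = value
    return resolved


def fake_vault_transport(url: str) -> Tuple[int, bytes]:
    """Constructed stand-in for the vault so the example runs offline."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if query.get("AppID") == ["threadfix-app"] and query.get("Object") == ["scanner-db"]:
        return 200, json.dumps({"UserName": "scanner", "Content": "pw-from-vault"}).encode()
    return 404, json.dumps({"ErrorMsg": "object not found (constructed)"}).encode()


# Constructed ThreadFix-style settings: the password is a reference, not a literal.
SAMPLE_CONFIG = {"db.user": "scanner", "db.password": "vault://ThreadFixSafe/scanner-db"}

if __name__ == "__main__":
    settings = resolve_config(SAMPLE_CONFIG, "https://vault.example", "threadfix-app",
                              fake_vault_transport)
    print(settings)  # the password shows as Secret(****)
```

In production you would pass `https_transport(...)` instead of the fake one and leave `resolve_config` as the only place that touches the vault; because the `Secret` wrapper masks itself in `repr`, an accidental dump of the settings dict to a log does not leak the password, and any non-200 reply or malformed body raises `VaultError` so the application refuses to start rather than running with a blank credential.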