denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

[Question] Is it possible to have an application to be owned by multiple teams? #212

Closed comradpara closed 10 years ago

comradpara commented 10 years ago

Hi all,

Currently we have multiple teams working on one product. Is it possible for an application to be shared among multiple teams?

Cheers,

Felix

dancornell commented 10 years ago

At the current time - no. The Organization -> Team -> Application is a tree-like hierarchy. That said, you have the ability to define "teams" however you like. Some organizations do it by actual development teams. Others do it by line-of-business or some other definition.

Does that help? If you have an alternate way you'd like to see applications organized we'd love to hear about it. I can't promise anything but it would be valuable to know your particular requirements.

Thanks,

Dan

comradpara commented 10 years ago

Hi Dan,

Thank you for the prompt response! I think the request will make more sense if I explain what I was trying to do. ( After all, I could be doing it completely wrong :) )

Currently I'm attempting to record vulnerabilities discovered with their associated teams. In the future I’d like to record external pentest results under one 'application' that would apply to all affected teams.

As a hacky solution, I have created a new team named ‘Pentest Results’, and the ‘applications’ in the team are different pentests with their associated findings.

Is there a more elegant way to group a cluster of manual findings?

Cheers,

Felix

dancornell commented 10 years ago

Ah OK there might be a simpler way. The intended use of an "application" is to keep track of a unit of testable code over time. For example, your organization might have two applications: 1) http://www.mycompany.com/ - Main company website 2) http://customerportal.mycompany.com/ - Customer-specific portal

Let's say you do scans against application (1) with IBM AppScan and BurpSuite. Every time you do a scan you can upload those files and ThreadFix will (a) normalize the scan results and merge them between AppScan and Burp so that vulnerabilities get consolidated and (b) diff the latest scan against the previous scan with that technology (AppScan to AppScan, Burp to Burp) to determine when new vulnerabilities appear, when old vulnerabilities have been resolved, and if previously-closed vulnerabilities have resurfaced.

For manual test results, if you had a pen-test done on application (1) you would enter those manual results. The next time you did a manual pen test for application (1) you would probably have to manually close out vulnerabilities that had been addressed since the first pen test and manually add new vulnerabilities that had been found in the latest pen test. (automagic de-duping and merging and diffing works great for automated scanner results but less so for manual pen test results)

If you want more info about how the merging of automated scan results works, see this page: https://github.com/denimgroup/threadfix/wiki/Vulnerability-Merging Please note - we still need to update this with a better description of how static-dynamic scan results get merged based on the Hybrid Analysis Mapping (HAM) technology we developed for DHS in the 2.0 dev branch. (More info here http://www.denimgroup.com/blog/denim_group/2013/08/dhs-funding-research-for-threadfix-hybrid-analysis-mapping-ham.html)

Does that provide some better insight into how most folks use Applications in ThreadFix?

Thanks,

Dan
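The normalize / merge / diff behaviour described in the comment above, as an added toy model that is not ThreadFix's own code: the tool-agnostic key (CWE, path, parameter), the sample findings and the run-to-run state handling are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that reported it, e.g. "AppScan" or "Burp"
    cwe: int        # weakness class, used here as the tool-agnostic vulnerability type
    url: str        # URL where the finding was reported
    parameter: str  # affected parameter, "" if none

def normalize(finding):
    """Tool-agnostic key (CWE, path, parameter): host, query, trailing slash and case ignored."""
    path = urlsplit(finding.url).path.rstrip("/") or "/"
    return (finding.cwe, path.lower(), finding.parameter.lower())

def merge(*scans):
    """Consolidate scans from several tools: key -> set of tools that reported it."""
    merged = {}
    for scan in scans:
        for finding in scan:
            merged.setdefault(normalize(finding), set()).add(finding.tool)
    return merged

def diff_same_tool(previous_open, previously_closed, current_scan):
    """Diff a scan against the prior scan from the same tool.

    Returns (new, resolved, resurfaced, open_now, closed_now); all are sets of keys.
    A key counts as resurfaced only if an earlier diff closed it and it is back."""
    current = {normalize(f) for f in current_scan}
    resurfaced = current & previously_closed
    new = current - previous_open - previously_closed
    resolved = previous_open - current
    closed_now = (previously_closed - resurfaced) | resolved
    return new, resolved, resurfaced, current, closed_now

# Constructed sample scans for application (1) from the thread: two tools, two runs.
APPSCAN_RUN1 = [Finding("AppScan", 79, "http://www.mycompany.com/search?q=x", "q"),
                Finding("AppScan", 89, "http://www.mycompany.com/login/", "user")]
BURP_RUN1 = [Finding("Burp", 79, "http://www.mycompany.com/search", "Q"),
             Finding("Burp", 22, "http://www.mycompany.com/download", "file")]
APPSCAN_RUN2 = [Finding("AppScan", 79, "http://www.mycompany.com/search", "q"),
                Finding("AppScan", 352, "http://www.mycompany.com/profile", "")]

if __name__ == "__main__":
    print(merge(APPSCAN_RUN1, BURP_RUN1))  # the XSS on /search is reported by both tools
    open1 = {normalize(f) for f in APPSCAN_RUN1}
    new, resolved, resurfaced, _, _ = diff_same_tool(open1, set(), APPSCAN_RUN2)
    print("new:", new, "resolved:", resolved, "resurfaced:", resurfaced)
```

Real merging also has to reconcile differing severities, CWE granularity and static-vs-dynamic locations, which this model leaves out.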

comradpara commented 10 years ago

Hi Dan, thanks a lot for your help! After some careful restructuring I was able to store the pentest results in a significantly more manageable format :+1:

dancornell commented 10 years ago

Excellent! I'll close out this issue. For questions like this, the GitHub issue tracker is fine, but you can probably get even more participation from the community-at-large via the ThreadFix Google Group: https://groups.google.com/forum/?fromgroups=#!forum/threadfix

Thanks for your interest in ThreadFix and please keep us posted on any questions or feedback.

Thanks,

Dan