Hands-on Walkthrough for Configuring the InsightAppSec Integration with Threadfix

Threadfix is an application vulnerability management platform that integrates with a variety of security tools - both SAST and DAST (static and dynamic application security testing). This ability to integrate with various tools means that you can correlate findings from many different sources to get an even more comprehensive view of your web application’s security status.

With Rapid7’s InsightAppSec Integration with Threadfix, you can do just that. The integration automates the import of InsightAppSec scan data into Threadfix to further enhance your findings data and provide a real-time picture of your web application’s threat level.

The integration is designed to be highly customizable to ensure you can import data from InsightAppSec as desired. It includes a configuration wizard to guide you through the setup of Threadfix and InsightAppSec connections, applications, and more. Let’s do a little walkthrough of this configuration now.

Setup

We’ll need to use the command-line interface to initiate our setup. For Linux, this looks like the following:

> cd /opt/rapid7/insightappsec_threadfix/
> ./rapid7-insightappsec-threadfix configure

For Windows, we can use this:

> cd /d C:\Program Files\Rapid7\insightappsec_threadfix\
> rapid7-insightappsec-threadfix.exe configure

Now that we’ve launched the initial setup, let’s step through each of the prompts to make sure we understand what they’re asking for.

The integration between Rapid7 InsightAppSec and Threadfix has not yet been configured. Would you like to configure the integration now?
▸ Yes

We got this prompt since we’ve never set up this integration before. Let’s say Yes here (unless you want to abandon ship already :cry: )

The configuration will now ask for connection details for communicating with the InsightAppSec and Threadfix APIs. Passwords and API keys will be stored in an encrypted format on the filesystem.

What region is your InsightAppSec account? Example regions are: us, eu, ca, au, ap. A full list of supported region codes is documented here: https://insight.help.rapid7.com/docs/product-apis#section-supported-regions
us

What is your InsightAppSec API key? ***********************

What is your Threadfix IP address or hostname? https://127.0.0.1

What is your Threadfix port? 8443

What is your Threadfix API key? *****************

Let’s review a few of these inputs. In this example, I’ve entered us as my region due to the location of my InsightAppSec instance. If you are located elsewhere, then your region may be different. You can double check the handy link in the prompt if you’re not sure.

I’ve also input basic connection information, as the integration needs it for both tools - InsightAppSec for retrieving scan data, and Threadfix for importing it there. The API keys entered here will be encrypted for storage, so we don’t need to worry about them sitting in the config file in plaintext.

There are no export configurations defined. Define a new configuration to get started.
▸ New Configuration

What’s an export configuration? It’s a way to define the data that you want to export from InsightAppSec, and allows you to select where you want to “put” it in Threadfix. Let’s continue with our prompts so we can see an example.

What InsightAppSec Applications are within scope? You may provide a regular expression to match Applications by name. This will determine which applications scans will be imported into Threadfix
Hackazon*

Please define a Scan Config filter to limit the scans within scope. You may provide a regular expression to match Scan Configs by name
HackazonConfig*

Let’s take a look at these inputs before we move on. I’ve entered Hackazon* as the InsightAppSec application I want imported into Threadfix. But why the * at the end? Well, that * serves as a “wildcard” character. It means that we’ll be importing ALL applications that start with the name “Hackazon.” Maybe you have apps called Hackazon 1, Hackazon 2, and Hackazon 3. In this case, all of them would be used for import because they all start with “Hackazon.” If you didn’t want that, you could just match the exact application name, and only that one would be used (e.g., Hackazon 1).

The same goes for the scan config. I input HackazonConfig* because I have multiple scan configs that begin with the name “HackazonConfig”, and I want all of those to be used for import. If I only wanted one of them, I would input its full name as-is.

Only import the most recent InsightAppSec scan when run?
▸ No

In other words, do you want any historical data to be imported into Threadfix, or do you just want the most recent scan? In this case, let’s say we want some historical data. We’re going to enter No because we don’t want JUST the most recent scan.

You have chosen to import historical scans as the integration is run. Past scans will be imported from oldest to newest and provide the ability to import historical scan data. How many days back from the initial import should be included?
90

This is basically asking - how many days’ worth of historical data do you want imported into Threadfix? I’m going to say 90 days for this example. This would mean that we’d get roughly three months’ worth of InsightAppSec data, counting backwards from the current date. Keep in mind that the larger you make this number, the longer the initial import into Threadfix will take.

Please provide a name for this configuration
AllHackazon

This is just asking us to name the current export configuration we’re working on in case we want to reference it in the future. I called it AllHackazon because it succinctly describes what we’re doing here - importing data for all our Hackazon applications.

Would you like to define a single Threadfix application where these scans will be imported, or should scans be imported to a Threadfix application that is based on the InsightAppSec application name?
▸ Define single Threadfix application name

In this example, let’s make the assumption that I have an application in Threadfix named All Hackazons, and I want to import all my data there. That’s fine - I would select the Define single Threadfix application name option and continue to the next step.

But maybe your setup is different. Maybe you have a setup where you have applications in Threadfix that are named based on your applications in InsightAppSec. For example, say you have an InsightAppSec application named TestApp, and you have one in Threadfix with the same name - TestApp. If you select the Based on InsightAppSec application name option, then you wouldn’t need to input the name of your Threadfix application - we would just do the import based on the InsightAppSec application name. So InsightAppSec scan data from the application TestApp would be automatically imported to the Threadfix application named TestApp, without you having to configure anything extra. (Whew, that was a mouthful.)

Please provide the name of the Threadfix application for the scans of this configuration
All Hackazons

Since I just want to define my own existing Threadfix application where I want to import my data, I’ve input its name here. This step wouldn’t be necessary if you went the Based on InsightAppSec application name route.

Please provide the name of the Threadfix Team
Rapid7

Finally, we need to know the name of your Threadfix Team so we can import data to the right place.

That may’ve seemed like a lot, but it’ll ensure your data from InsightAppSec is imported into Threadfix exactly how you want it.

There’s one more set of options that we can configure for this integration, and it has to do with vulnerability severities. InsightAppSec and Threadfix each have their own set of severities, and they are not identical to one another. Because of this, we have to provide a mapping of their severities - say, SAFE in InsightAppSec is equal to Info in Threadfix.

Another prompt will appear during the configuration process that asks whether you want to alter these mappings. They’ll appear as follows:

Would you like to review severity mappings between InsightAppSec and Threadfix? Default settings are recommended in most scenarios.:
▸ Yes

Severity Mappings (InsightAppSec : Threadfix):
▸ SAFE : Info
  INFORMATIONAL : Low
  LOW : Medium
  MEDIUM : High
  HIGH : Critical

Select any mapping and you can edit it as needed.
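To make the export configuration prompts (application and scan config patterns, most-recent-only versus days back) and the severity mappings concrete, here is an added Python example. It is not the integration’s own code: it applies those choices to constructed sample scans and assumes name patterns are anchored at the start of the name and that a scan record carries app, scan_config, completed and vulnerabilities fields, none of which the page states.

```python
import re
from datetime import datetime, timedelta, timezone

# Default severity mapping shown by the configure wizard (InsightAppSec : Threadfix).
DEFAULT_SEVERITY_MAP = {"SAFE": "Info", "INFORMATIONAL": "Low", "LOW": "Medium",
                        "MEDIUM": "High", "HIGH": "Critical"}

def select_scans(scans, app_pattern, config_pattern, most_recent_only, days_back, now):
    """Return the InsightAppSec scans one export configuration covers.
    Both patterns are regular expressions, as the wizard says. re.match anchors at
    the start of the name (an assumption here), so 'Hackazon*' covers 'Hackazon 1', ...
    """
    app_re, cfg_re = re.compile(app_pattern), re.compile(config_pattern)
    chosen = [s for s in scans
              if app_re.match(s["app"]) and cfg_re.match(s["scan_config"])]
    if most_recent_only:                        # "Only import the most recent scan" = Yes
        return [max(chosen, key=lambda s: s["completed"])] if chosen else []
    cutoff = now - timedelta(days=days_back)    # "How many days back" = 90
    # Historical scans inside the window are imported oldest to newest.
    return sorted((s for s in chosen if s["completed"] >= cutoff),
                  key=lambda s: s["completed"])

def to_threadfix_findings(scan, severity_map=DEFAULT_SEVERITY_MAP):
    """Relabel a scan's findings with Threadfix severities; refuse unknown ones
    rather than silently downgrading them."""
    findings = []
    for v in scan["vulnerabilities"]:
        sev = v["severity"].upper()
        if sev not in severity_map:
            raise ValueError(f"no Threadfix mapping for InsightAppSec severity {sev!r}")
        findings.append({"name": v["name"], "severity": severity_map[sev]})
    return findings

# Constructed sample data standing in for InsightAppSec API results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SCANS = [
    {"app": "Hackazon 1", "scan_config": "HackazonConfig Full",
     "completed": datetime(2024, 5, 20, tzinfo=timezone.utc),
     "vulnerabilities": [{"name": "Reflected XSS", "severity": "HIGH"},
                         {"name": "Server banner", "severity": "SAFE"}]},
    {"app": "Hackazon 1", "scan_config": "HackazonConfig Full",
     "completed": datetime(2024, 4, 10, tzinfo=timezone.utc), "vulnerabilities": []},
    {"app": "Hackazon 2", "scan_config": "HackazonConfig Quick",      # older than 90 days
     "completed": datetime(2024, 3, 1, tzinfo=timezone.utc), "vulnerabilities": []},
    {"app": "Hackazon 3", "scan_config": "OtherConfig",               # wrong scan config
     "completed": datetime(2024, 5, 25, tzinfo=timezone.utc), "vulnerabilities": []},
    {"app": "TestApp", "scan_config": "HackazonConfig Full",          # wrong application
     "completed": datetime(2024, 5, 28, tzinfo=timezone.utc), "vulnerabilities": []},
]
```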

Now that we have everything configured for our integration, we can go ahead and run it. There is the option of running it manually by passing in the --adhoc flag, which is great for doing one-time data imports or doing development and troubleshooting.

> rapid7-insightappsec-threadfix.exe --adhoc

You can also configure the integration to run as a service. If you do so, the integration will utilize the internal scheduler (defaults to running it every 5 minutes) and process each export configuration that you’ve completed.

> rapid7-insightappsec-threadfix.exe

And there we go! Now we have a fully configured integration, and we’ll be able to see our InsightAppSec data make its way into Threadfix for further usage there.