OWASP DefectDojo:
DevSecOps Single Source of Truth
Matt Tesauro
●Reformed programmer & AppSec Engineer
●CTO & Founder of DefectDojo Inc
●15+ years in the OWASP community
○OWASP DefectDojo (core maintainer)
○OWASP Podcast (host)
○OWASP Global Board of Directors
○OWASP AppSec Pipeline (co-leader)
○OWASP WTE (leader)
●22+ years using FLOSS and Linux
●Go language fanboy
●Ee Dan in Tang Soo Do (2nd degree black belt)
01: Introduction to DefectDojo
You’re “doing AppSec” and…
●It’s very likely you won’t have a full picture, especially at the start
●You need something that adapts and grows over time
●Tool vendors will have you log into 27 different web consoles
●What you really need is a single source of truth:
○Ability to normalize and hold all the data you need flexibly
○Ability to filter, sort, modify, combine the data
○Differing views based on stakeholders
○Dedup, False Positives, Grouping/Merging of findings
So, what solves these problems?
We surveyed AppSec, DevSecOps and Vuln Mgmt Pros and determined…
But WHY?
OWASP DefectDojo
DevSecOps tool created by DevSecOps professionals for DevSecOps professionals.
●Manages the DevSecOps security program
●Application inventory with robust metadata
●Sort, filter, munge and export the data in multiple ways
●Engagement / assessment tracking
●Supports manual and automated security work
●Customizable deduplication + false positive tracking of findings
●Custom report creation
●Tagging on multiple levels
●Calendar of security activities
●Historical knowledge of past assessments
OWASP DefectDojo
OWASP DefectDojo Pro (SaaS)
Active Project with a large Community
●Monthly minor version releases (2.x.0)
●Bugfix release every week in between (2.x.y)
●Top 20 open-source security index
180+ Security Tools Supported
Install Options
Docker Compose
Community Contributed Helm Chart
Bare-metal ("iron") installs with godojo
AWS AMI
SaaS offering (supports the project)
Two places are better than one (for cutting down false positives)
Place #1: Tune the profile of the tool as much as it will allow
Place #2: Mark false positives in DefectDojo so they don't flow further downstream
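The normalise, dedupe, false-positive pipeline the two slides above describe (single source of truth: "Dedup, False Positives, Grouping/Merging of findings"; Place #2: mark false positives so they don't flow downstream), as an added Python example. This is not DefectDojo's own code: the field names (`false_p`, `active`, `duplicate`, `hash_code`) are borrowed from DefectDojo's finding model for familiarity, but the two scanner output shapes, the severity mapping, the dedup key and the false-positive rule are constructed for this example and are assumptions, not any real tool's format or DefectDojo's actual per-scanner hashing.

```python
"""Normalise, de-duplicate and triage findings from several tools before
anything downstream (tickets, dashboards, pipeline gates) sees them.
Added example; sample scanner output below is constructed, not real tool output."""
import hashlib
import re
from dataclasses import dataclass


def norm_title(title: str) -> str:
    # "sql-injection" and "SQL Injection" must hash to the same key
    return " ".join(re.sub(r"[^a-z0-9]+", " ", title.lower()).split())


@dataclass
class Finding:
    title: str
    severity: str
    cwe: int
    file_path: str
    line: int
    tool: str
    false_p: bool = False      # field names modelled on DefectDojo's finding model
    active: bool = True
    duplicate: bool = False
    hash_code: str = ""

    def __post_init__(self) -> None:
        # Dedup key: normalised title + CWE + path + line (an assumption for this
        # example; DefectDojo's own hash fields are configurable per scanner)
        key = f"{norm_title(self.title)}|{self.cwe}|{self.file_path.strip()}|{self.line}"
        self.hash_code = hashlib.sha256(key.encode()).hexdigest()[:16]


# Constructed outputs from two hypothetical SAST tools with different schemas
SAST_TOOL_A = [
    {"check_id": "sql-injection", "cwe": 89, "path": "app/db.py", "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "hardcoded-secret", "cwe": 798, "path": "app/settings.py", "start": {"line": 7}, "extra": {"severity": "WARNING"}},
    {"check_id": "hardcoded-secret", "cwe": 798, "path": "tests/fixtures.py", "start": {"line": 3}, "extra": {"severity": "WARNING"}},
]
SAST_TOOL_B = [
    {"rule": "SQL Injection", "cweId": "CWE-89", "file": "app/db.py", "lineNumber": 42, "level": "high"},
    {"rule": "Insecure Deserialization", "cweId": "CWE-502", "file": "app/api.py", "lineNumber": 88, "level": "high"},
]

# Each tool has its own severity vocabulary; map both onto one scale (assumed mapping)
SEVERITY_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low",
                "high": "High", "medium": "Medium", "low": "Low"}


def parse_tool_a(raw: list[dict]) -> list[Finding]:
    return [Finding(title=r["check_id"], severity=SEVERITY_MAP[r["extra"]["severity"]],
                    cwe=int(r["cwe"]), file_path=r["path"],
                    line=int(r["start"]["line"]), tool="tool-a") for r in raw]


def parse_tool_b(raw: list[dict]) -> list[Finding]:
    return [Finding(title=r["rule"], severity=SEVERITY_MAP[r["level"]],
                    cwe=int(r["cweId"].split("-")[-1]), file_path=r["file"],
                    line=int(r["lineNumber"]), tool="tool-b") for r in raw]


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Keep the first record per hash_code; flag later ones as inactive duplicates
    rather than deleting them, so the history of which tool saw what survives."""
    seen: set[str] = set()
    for f in findings:
        if f.hash_code in seen:
            f.duplicate = True
            f.active = False
        else:
            seen.add(f.hash_code)
    return findings


# "Place #2": false-positive decisions live in the single source of truth, not in
# each tool's console. Constructed rule: secret hits in test fixtures are known noise.
FP_RULES = [
    {"title": re.compile(r"hardcoded secret"), "path": re.compile(r"^tests/")},
]


def apply_fp_rules(findings: list[Finding], rules: list[dict]) -> list[Finding]:
    for f in findings:
        for rule in rules:
            if rule["title"].search(norm_title(f.title)) and rule["path"].search(f.file_path):
                f.false_p = True
                f.active = False   # a false positive is closed, so it never reaches downstream()
    return findings


def downstream(findings: list[Finding]) -> list[Finding]:
    """The only view anything downstream is allowed to read."""
    return [f for f in findings if f.active and not f.false_p and not f.duplicate]


def run() -> tuple[list[Finding], list[Finding]]:
    findings = parse_tool_a(SAST_TOOL_A) + parse_tool_b(SAST_TOOL_B)
    findings = apply_fp_rules(dedupe(findings), FP_RULES)
    return findings, downstream(findings)


if __name__ == "__main__":
    all_findings, out = run()
    print(f"{len(all_findings)} ingested, {len(out)} flow downstream:")
    for f in out:
        print(f"  [{f.severity}] {f.title} ({f.tool}) {f.file_path}:{f.line}")
```

Five findings are ingested; the two tools' reports of the same SQL injection collapse to one record, the secret in the test fixture is marked false positive, and three findings flow downstream. Dedupe runs before the false-positive rules so that every later decision is made once per issue, not once per tool copy. In DefectDojo itself the same state lives on the finding (mark it false positive in the UI, or update the finding through the REST API), which is why the slide puts Place #2 in DefectDojo rather than in each of the 27 vendor consoles.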
02: What's next?
Changes and Improvements
●Recent deprecations
○MySQL as a supported database (July 2024)
○RabbitMQ as a supported message broker (July 2024)
○Integration with Google Sheets
●Increase testing across all supported features
○Only testable features make it into DefectDojo
○Changing out the framework behind our UI tests
○Increased API tests and diffing of API responses between releases
●Upgrade to newer Django Framework
Beta testing a new UI
Explore on your own
We have a booth!
Thanks!
Questions?
http://defectdojo.org
http://defectdojo.com
DefectDojo also at:
LinkedIn, X/Twitter, Github
OWASP’s Slack…