
December Office Hours: A 2025 Recap for DefectDojo

Transcript

00:07
There we go. We should be cooking with gas now. Yeah, so this is going to be our recap of 2025. And like Chris said, I forgot how much stuff we did this year until I had to take a breath and look backwards. And I was happily surprised. So for this one, I'm going to do a very quick intro. I'm going to talk about a new thing that just launched for DefectDojo on Monday, actually, the asset hierarchy. We're going to talk about...

00:32
the past year, which I'm kind of calling optimizing and streamlining DefectDojo. A new thing that is out in very early alpha is Sensei. And then I'll wrap up and have a conclusion, and we can field questions either at that time or whenever you have them. So, quick intro for those who don't know me: I'm Matt Tesauro. I'm the co-founder and CTO of DefectDojo Inc.

00:57
I like to call myself a reformed programmer and AppSec engineer. I still like writing code; I just don't get to do it as much as I'd like to. I've had 17-plus years with the OWASP community. I'm a maintainer of DefectDojo and ran the AppSec Pipeline and WTE, the Web Testing Environment, projects. I'm a Linux and open source person. I write in Go when I get to write in languages. And that was me actually jumping up and breaking two boards at one time to get my second-degree black belt, which was...

01:26
extremely daunting, and I survived. I did not land on my backside.

01:33
So they say a journey begins with one step. Well, a journey of DefectDojo begins with a single git push. Although I typed "journal". Wow. That's a bit of a whoops there. I guess life isn't error free. So let's talk about the evolution of Dojo very briefly. I'll cover this and then we'll get into what happened this year. So...

01:56
Way back when I was running the product team at Rackspace, that was on a whiteboard, because we had the same kind of problems people have today of managing the chaos of running product security. We had the MVP internally at Rackspace. We eventually open sourced it. We're a shockingly mature and pretty amazing product today, but tomorrow we're going to be even better. And I'm going to talk through all those phases in this webinar or office hours or whatever you want to call it. So...

02:25
Let's now double click. Let's talk about our new feature for Pro: asset hierarchy. And this was really driven by the fact that security is messy work. If you've done this for more than one company, you realize that none of the things, or very few of the things, that applied at company one, particularly the organizational structure, apply at company two or company three, let alone the processes or what language they choose to write stuff in.

02:55
All of that stuff is different. So how do we make sense of this? When we look back, and we've talked to a lot of customers and people in the community, no app or product teams are the same. I've worked at places that were small startups. I've worked at unicorn startups. I've worked at large companies with hundreds of thousands of employees. Very few of the things that happened between those companies were the same.

03:25
Combine that with the fact that when I first started, back when I had brown hair, there were mostly monoliths. We don't have monoliths anymore. We have a bunch of interrelated apps that get composed into what we sell as a product. And so now there's this disconnect, this cognitive dissonance, around what is even an app. You also have the fact that deployment has gotten better in some regards, but also more complex.

03:55
Right. When we had a monolith, we bought a server, we put the app on the monolith, and we were kind of done. But now we have containers and we have Kubernetes. We have shared and cloud services. We have microservices, lambdas, function as a service, SPAs, mobile, back-end and front-end teams. So just the deployment has gotten significantly more complicated. And then there's this cognitive dissonance I talked about a minute ago, this idea of a logical app

04:23
versus the repos. I think a picture is worth a thousand words, so here's my picture. The problem is that what you sell is the robot, right? But what you build is a bunch of stuff that joins together and becomes the robot. A robot is a thing, but it's really composed of a bunch of little things. And apps are the same way. And unfortunately, if you're in product security,

04:52
you have to secure all the things. You have to secure what marketing sells, but you also have to secure what internally are all the different repos and teams and services and maybe cloud services and Kubernetes that actually produce the product that you sell. And so to make this situation better for customers, we have a new feature called asset hierarchy.

05:22
So I'm going to talk through a hypothetical situation where, in this case, we are Cyber Robotics, Inc. We're a company that sells robotic devices, and marketing sells the robot, right? They sell the Cyber Fido Guard Dog. But product, the people that build the Cyber Fido Guard Dog,

05:45
care about the versions of Fido that are fielded, right? Because if there's an issue with a version, they have to know who has what version to go tell them, hey, you need to update the firmware or what have you. And they need to know which volumes are in what version so they can do that field work. So when they do security assessments, they're occurring generally at the fielded version level. Like, I need to know the bits that constitute version three of this cyber dog

06:15
versus two versus three. And then you're going to have a main branch where development works. So you're going to test the fielded versions and whatever the next version in process is. So if you go to the Pro UI and look at what this looks like, if you're looking at the all assets table, here are the assets, right? And I've got these several assets as well as the org, Cyber Fido Guard Dog.

06:44
And this is great. This is a good listing. I can sort, I can filter here. But if I look at this from a visual perspective, it's flat. And this really doesn't tell me anything about the relationships between these things that I'm testing. And so is it really flat? Well, it is until...

07:07
you have the hierarchy. And this is what is now live in Pro for our customers today. You can actually establish a parent-child relationship between these things that you're testing. So you can have something like the Cyber Fido Guard Dog and its children laid out in a nice structure. So let me do a live demo, because I don't like myself. I've got to move this floaty. I can move this floaty.

07:38
Wow, this is annoying. I don't know why. I love that they give me a bar to move that is all buttons. Okay. There we go. I can move it that way and click a button, apparently. Okay. Now I can go to my other tab. So here's DefectDojo Pro's UI. Let me go down here to Assets, and you'll see our new asset hierarchy feature.

08:00
It starts with a table. I can organize this. So in this case, I want to look at Cyber Robotics.

08:10
So here's my Cyber Robotics. I've got my various versions, a development version. These ones are fielded; you can tell by the tag. This one has not yet been fielded. And I need to make sense of this visually. I can click down here and take a look at it, or I can just select what I want to view in the hierarchy, and it will pop up this diagram of that hierarchy. So I have...

08:39
Cyber Fido Guard Dog, what marketing sells, as the parent to all these different versions. And I can do testing and all of the normal stuff I can do at the asset (formerly known as product) level in DefectDojo for all of these. But I also have this relationship established, so I understand how they work. Now I have this guy floating out here. We just made a new version two. It hasn't been sold to anybody, so it's not fielded, but I still need to get this in the right place.

09:08
So I can select this guy and select a child of this 2.0 version and submit it and do a quick refresh.

09:20
I'll take it.

09:25
I misclicked. This is what you get for testing a feature that came out on Monday that I am not 100% familiar with.

09:33
Boom! Oh, come on.

09:38
The other thing I was going to show you is at the bottom of this page are the various products. And you can click here to see the hierarchy, but I can also go into any individual product. Let's go to version 1.3.3. We also have this new icon up here so that I can view the hierarchy from the perspective of this particular asset. And I can load more and see how it...

10:05
fits in relationship to all of the other assets in that hierarchy.

10:14
So that is the product hierarchy feature. We literally just launched this on Monday. Hopefully it'll help people better organize their DefectDojo, and it'll fit the mental models you have of how things are arranged and not have to be flat like the older single-level-depth system we had.

10:34
Okay, let's talk about optimizing and streamlining DefectDojo. What happened this year? So I did get to spend a chunk of time looking backwards, which I normally don't get to do, which was kind of interesting. The year is almost behind us. If you're familiar with some posts we've made in GitHub, we're in the process of climbing the 3.0 mountain. We're not there yet, but we're definitely higher than we started the year.

11:01
So what do these changes look like? When I went back and read lots of changelog entries, I saw two major things. I saw a lot of effort on what I would call fortifying the foundation. These are changes to the core of DefectDojo that give us the ability to do even more interesting things. There were certain assumptions made multiple years ago that are no longer true, and we're adjusting things and making DefectDojo more flexible. A lot of optimizations for performance,

11:31
and a whole bunch of increased code quality and testing that we're doing just to make the core of DefectDojo as rock solid as it can be. And there's a bunch of what I would call streamlining workflows. I started to list the API updates and the list got so stupidly long, it was never going to fit on a slide unless I did 0.1 font. So I stopped. There are just tons of updates to the API. We've done significant enhancements to import and reimport and parsers

12:01
over the year, and then we've added EPSS, KEV and CVSS v4 support as well as a ton of JIRA improvements. That was another one where the list just got ungodly. So let's dig into what fortifying the foundation looks like. We changed how dedupe works. Instead of being a one-by-one operation, it's handled now in batches, and this allows it to greatly speed up, particularly for larger installs of DefectDojo.

12:29
Endpoints had some things that, in that dedupe work, we realized were not very optimized. So we optimized how endpoint imports happened. I didn't realize I was putting a tongue twister in here. We also added bulk processing of tags. Those were another piece of DefectDojo that historically were done one by one. Now we do them en masse. That speeds things up and reduces queries to the DB.

12:56
We optimized product grading. That was another area where the code did a lot of extra work it didn't need to, so we took that out. DefectDojo has a search feature, the simple search as we call it in the UI. The indexing for that was happening synchronously and could block potential calls. So we moved that to an async process and also sped up that process significantly. You saw it just a minute ago when I showed the asset hierarchy: we have new labels now.

13:26
Instead of the legacy, or the older, product type and product labels, we now have org and asset. I think that better fits how people talk about things today. We enhanced finding groups a ton. We optimized finding save and post-processing. This was mostly done to allow future changes to make this even better, but also some code cleanup and also some optimizations in terms of speed.

13:52
Val and Cody and a bunch of other contributors have done a ton of work really reducing the number of DB queries. We use an ORM with DefectDojo. It's easy to feel like talking to the DB is free. It isn't. And we've really doubled down on making sure that those queries were as optimized as possible. Earlier this year, we replaced Redis with Valkey. We also replaced django-auditlog with...

14:21
django-pghistory. So if you're familiar with the object histories, like the finding history in the UI, these will be replaced with something that is not only more performant but provides significantly better detailed data. So this was a win-win on both fronts: you get better quality data and better speed. All of these things are in the open source Dojo. I will have a GitHub discussion; I'll post today if I get a chance. If not, it'll be tomorrow,

14:47
with links to all the PRs. If you want to get into the gory details, they'll all be there.

14:54
So, streamlining workflows. I forgot about this one until I looked back at the changelog, but I think it was January or February, I think it was January of last year. We realized that there were certain corner cases where it was possible to create tag formats that differed between the API and the UI. And so we went through and basically audited the code for how it handled tags and standardized and harmonized that in all the places and got rid of those corner cases. I think it was one or two of them that we found where it...

15:24
was possible to create a tag that couldn't be edited in other parts. EPSS and key, that should say KEV, were added to the finding models. We did so many parser updates I can't list them. We added a ton of new parsers, over 206 the last time I counted, which was back in October. We did a bunch of consolidation of parsers. So if there was a tool

15:52
that produced CSV or JSON, we used to have whatever-tool JSON and whatever-tool CSV. We just made a tool name, and it was smart enough to say, oh, it's JSON or CSV, let me parse it correctly depending on the type. Simple risk acceptance: if you don't need our full-blown risk acceptance, you want to just use a simple Boolean. We added the ability to attach notes when those statuses change,

16:18
so that there is an audit log of sorts, even though that's a very minimal implementation of a risk acceptance. OIDC support was added. There were some edge cases we found, mostly in that dedupe batch processing, where if you manually created a finding through the API with PUT or POST or PATCH, it was possible in some circumstances that that finding wouldn't be deduped. So in that cleanup and that batch processing of dedupe, we also...

16:48
got rid of this corner case that we weren't necessarily aware of. That was for creating findings other than through the normal import and reimport; that's been fine forever. CSV and Excel exports include tags now. Since a lot of customers and community members use tags extensively and those exports weren't including tags, now they do. Like I said, too many JIRA updates to talk about in depth. Please go look at...

17:17
the closed PRs and sort by JIRA; there are ridiculous numbers of them. And we optimized prefetch. So if you're using prefetch to get related objects when you're doing API requests, that is significantly faster. So, things that are in flight. Right now the cutover to org and asset: that code is there. If you are an open source user currently who has a DefectDojo installed, even of the current, well,

17:47
installed prior to this code change, we haven't changed the default app from underneath you. You're still using product type and product. If you do a new install of open source, you are still using product type and product. For our customers of Pro, you have to opt in to do that label change, just the same as community. We didn't want to surprise anybody. And then for new customers of Pro, we default to org and asset, but we'll actually default all of them to org and asset early next year.

18:18
We've done most, I would say 80 to 90%, of the cutover to pghistory. We're not completely done yet. That'll land slightly into the new year just because of timing. Locations. This was a big one. We're in the middle of doing a significant revamp and optimization of how endpoints are handled in DefectDojo, so much so that we're calling them locations now. And as a Dojo user, you will get to choose if you want to stay on the current endpoints, or, I would strongly recommend, you...

18:47
migrate to the new locations. That'll be a one-way migration, though. You cannot go backwards. However, the performance and the features for these new locations will be significantly better than endpoints have today. So I don't think anyone will fight us on that update. We just give you the opportunity to choose when you're ready to make that change. But this should roll out early January.

19:14
We're in the middle of working with a contractor to revamp the open source UI. Next year we're looking at doing some significant container hardening. We'd like to do a very simplified compose install where you just have a one-liner, because for those people who just want to run Dojo but don't want to actually do the Docker build business, we build images and put them up on Docker Hub every Monday. So why build them if you can just pull them?

19:39
Like I mentioned earlier, we're getting closer to the 3.0 mountaintop. I get asked occasionally, where are we on 3.0? I think my answer is going to be the same thing that the Debian OS has said: the next release will happen when it's ready. There are things that I can't anticipate that we will find in working towards 3.0 that will make that extend or contract. And since I can't answer based on unknowns,

20:04
I'm not going to give you a timeline. It will be ready when it's ready. We are definitely working towards it, though, that is for sure. And then DefectDojo Inc started a community program. We're going to expand that. We launched it in 2025; we'll expand it over the next year.

20:21
For Pro, oh my goodness, the Pro UI: too many updates for a two-hour presentation, let alone this one. I will say it is now the default for all of our Pro customers. It's been that way since midsummer. I forget when we made that cutover, but it is now the default UI. We added the rules engine last year. We added risk-based prioritization. We recently also added to that the ability to customize

20:51
those calculations. You can have multiples of those, similar to how SLAs work today. So you can create, like, this is how I want to calculate prioritization and risk, and then apply it to assets. We have SOC support and visualizations in Pro. We have the MCP server. We have integrators, which allow you to push findings in one direction into issue trackers like GitHub, GitLab, ADO (Azure DevOps) and ServiceNow.

21:19
We added 11 connectors. OMG, I did not realize that number was going to be that high. I knew we had a lot, but wow. And we have two in progress currently and more queued up for next year. So connectors will continue to expand. We also added features to connectors to allow what we kind of internally call multi-connectors. So if you have, for some reason, two or three Snyk accounts, you can have three Snyk connectors, for example. And then we also have severity filtering

21:48
on all of the connectors. So if I only want to get, I don't know, mediums and up, I can set that and only auto-pull in the medium and up findings. For Pro customers, once we added EPSS support and KEV, we have features that automatically enhance findings with EPSS and KEV values if they have a matching CVE, even if that tool doesn't produce an EPSS value in its output. We have a new audit log and an API to do audit

22:17
questions against your DefectDojo instance. And then you can configure API response payloads in Pro to tell the REST API, these are the fields that I want back when I make an API request, if you want to optimize your API requests.

22:38
Woo. Okay. That was 2025 and however many minutes that took me. That was a lot, and that was summarized. So we did a ton last year. I'm very excited by what we did last year and looking forward to next year when we get to do even more. Talking about future-looking, though, let's talk about Sensei. That's a coming-soon feature of DefectDojo Pro. So DefectDojo currently has an MCP server, and it helps

23:07
make your AI as smart as DefectDojo is. However, if you're not an AI expert, we are creating a thing called Sensei. Right now it's out in limited alpha testing for a couple of our customers, but we'll roll it out at large next year. The idea with Sensei is you get all of the power of DefectDojo, but with an AI done your way. So the LLM in this case is local to your Pro instance.

23:36
There are no third parties handling your data. Your data doesn't leave your Pro instance. And so for those who don't want to do a bring-your-own-LLM and count tokens, you can use Sensei instead. Since it's localized, there's no token accounting. And you can take your DefectDojo MCP to the next level without having to be an AI expert. The features that we're looking at for Sensei, which we currently have in this limited alpha, is a prompt. Your normal kind of...

24:05
ChatGPT-style prompt, although customized to DefectDojo. We have custom report generation that we're looking at doing. We're looking at doing some custom AppSec and DevOps advice based on your data in Dojo. So you can say, hey, of the assets that I have in DefectDojo, when the teams are creating those assets, what are they bad at? What do I need to do training on for them? Or which of my assets are the ones I really need to focus on? And which of them are doing okay that I can kind of not...

24:35
look at, because they're in a good place relative to the other ones that I have in DefectDojo. And then we're also looking at doing some DevOps automation as well with Sensei. And like every feature we release, we'll have an MVP and then iterate quickly with features post-launch. Here's a screenshot of Sensei running in a dev instance,

24:59
where you can ask it normal prompt questions and get normal prompt responses. But these are prompt responses and answers keyed to what's in your instance of DefectDojo, not genericized like if you use any of the other big players' LLMs. And then the next logical question: when does this take off? Well, we have limited access right now to the alpha, or an alpha of the prompt. Early in Q1 of 2026, we should...

25:27
have the prompt going general availability and then have report generation at the same time. Those should probably launch together; that's what it's looking like right now. And then we'll follow on with that AppSec advice and the automation after we get that report generation and prompt out as GA.

25:47
And then let's wrap things up. So it was astounding to me. I knew we were doing lots of cool things, but when you're in the middle of doing lots of cool things, it is kind of nice to take a deep breath and look backwards and see what you did. And I was shocked at the velocity we've had over this year. And I don't see us getting anything but quicker as we go forward, because we've done that now consistently for several years.

26:13
So I really love the state of Dojo and the fact that we've grown into a significantly mature org that is doing some great dev work on Dojo. I think the internal improvements on the core of DefectDojo are just vital. Like any code, I don't care what people tell you, code is like milk sitting on the counter. It starts to go bad, right? So you have to give it some TLC and love

26:40
and care and feeding, and we've been doing that this year in earnest. One of the advantages of having Pro and a company behind Dojo is we can do these things that usually get left as thankless jobs for contributors.

26:53
I think the future is super bright. I think we're seeing robust performance, and we've only done increasing work to shave off any kind of performance bottlenecks we've found. So this thing already scales to millions. Lord knows where it'll go now. I haven't actually tested, so I've got to test some of the new performance stuff. And then what's next for DefectDojo? We're going to do what we've always done. We're going to continue to evolve based on the needs of our community and our customers.

27:21
Right, today's practitioners: what problems do they face? Dojo has flexed and moved as the industry has changed, and we're flexing and moving along with it. We're going to have more improvements both for Pro and open source. I would say we're about 50-50 if you look at the things I covered prior. Because as DefectDojo improves, everybody wins. So there really isn't an us-or-them aspect between Pro or open source. They both help each other get better.

27:51
So DefectDojo: come for the practice, stay for the awesome. And I hope you do stay for the awesome. And I'm willing and ready to answer any questions you may have.