00:00 Welcome & What You’ll Learn: Getting Started with DefectDojo
00:48 Meet the Speaker: Matt Tesauro’s AppSec & OWASP Background
01:46 The Big Picture: Why Security Must Move at Assembly-Line Speed
02:47 The Pain Today: Excel, Manual Triage, and Tool Sprawl
03:26 The Solution: DefectDojo as Your Single Source of Truth
04:58 Central Hub Workflow: Normalize, De-dupe, Auto-Triage, Then Ship to Jira
05:59 Why DefectDojo (Not the Acronym): Automation-Friendly Vulnerability Management
08:27 Real-World Impact: Prioritization That Cuts 30,000 Findings Down to 80
10:50 Fits Any Maturity Level: From New AppSec Programs to PR-Gating Automation
11:49 Understanding the Dojo Data Model: Product Types, Products, Engagements & Findings
12:55 New Labels + Locations: Evolving the Model for Performance and Clarity
14:28 Open Source vs Pro: DIY Community Edition vs “You’re Just Done”
16:00 What’s New/Next: MCP + LLMs with Clean, Normalized Vulnerability Data
19:08 New Integrations & Asset Hierarchy: Better Destinations and Better Visibility
20:52 Smarter Prioritization: Custom Weights, Risk Buckets, and Asset-Specific Rules
22:45 Connectors + Universal Import/Parse: Automate Ingest from Vendor APIs & CI/CD
24:49 Coming Soon: Modernized UI for DefectDojo Community Edition
25:28 Wrap-Up: Automate the Drudgery, Report Holistically, and Scale to Millions
27:00 Q&A Invitation and Closing
Yeah. We're gonna talk about how to get started with Dojo. I got started with Dojo a long time ago, but in case you're new, I can give you years of experience on how to make the most out of Dojo. So today what we're gonna do: I'm gonna do a very quick intro and a rather quick, big-picture discussion.
We're gonna talk about the problem, we're gonna talk about the solution, we'll talk about why DefectDojo, I think, is a major part of that solution. I wanna spend a little time talking about what's new or what's next, new or about to be new and released with DefectDojo. And then I'll have a quick wrap-up.
Meet the Speaker: Matt Tesauro’s AppSec & OWASP Background
So, intro. Who am I? Like Chris said, I'm Matt Tesauro. I like to consider myself a reformed programmer and AppSec engineer. I'm currently the CTO and co-founder of DefectDojo, Inc. I've been well over 18 years now with the OWASP community doing a bunch of different things, including this DefectDojo.
I created the AppSec Pipeline with Aaron Weaver. I did OWASP WTE. I have 26 years of using Linux and Free and Libre Open Source software. The last time I used Windows for real was Windows 2000. I'm a Linux person, so that's just what I use and what I know and love. I'm currently a Go fanboy.
That's what I write when I get to write code, which I don't get to do as much as I'd like to. And that's not AI. This is actually me jumping up and breaking two boards at once to get my second-degree black belt in taekwondo. That was one of the scariest and most rewarding things I've done in a long time.
The Big Picture: Why Security Must Move at Assembly-Line Speed
So let's talk about the big picture. So who's this dapper-looking gentleman sitting out in the grass contemplating life, or whatever he's doing? For people who don't know, that's Henry Ford. And Henry Ford maybe sat in the grass and contemplated life and said, you know, this automobile thing, we're making them one at a time by hand,
and then rolling them out of the custom coach house and doing the next one. That really doesn't work. What if I did them in this factory thing? And he started assembly lines and just radically changed how automobiles were produced. And I've been saying this for a while now, and I still agree with it:
I think we need to figure out how to make security work faster. I don't think the other side of the house is gonna slow down, to be quite honest. I don't think AI is gonna make it slow down. So whether it's slop or it's not slop, we have to deal with it, and we have to deal with it at speed.
So how do we kick ourselves into overdrive?
The Pain Today: Excel, Manual Triage, and Tool Sprawl
So the problem. What does the problem look like today for a lot of people? Well, it looks like this. You're using Excel, and Excel's a fine tool. It does some pretty cool things, and if you're a ninja with it, you can do some nutty things. But where Excel seems to show its weaknesses, or its constraints, is when I suddenly add a whole bunch of tooling that has these flaky ways to represent vulnerabilities, and I'm trying to mash them all together and make sense of them. This is a very manual, labor-intensive process. It's risky. It's just hard to do at scale.
The Solution: DefectDojo as Your Single Source of Truth
So how do we solve this? Well, big surprise, I think DefectDojo is how you solve that, and that's how I solved it years ago when we created DefectDojo, 'cause I had that very problem. I needed to make sense of all these different tools, and what I really wanted was a single source of truth, right?
Because I get a SAST scanner and the SAST says my applications look this way. But then I get a container scanner, and my container scanner says, well, your containers look this other way. And then I get, I don't know, an SCA tool, and suddenly my libraries look this third way. And I just wanna tell my stakeholders, like the product teams: Hey, this is the state of security of your thing.
I think these are the things we should work on, and let me help you get there and get this thing shored up. But until you can get that sort of unified view, it's very hard to make sense of this. And DefectDojo now has support for over 206 different scanners. So whatever scanner you have, it's probably supported.
And if it isn't, we have some ways to generically import stuff as well, either via JSON or CSV. And then once you get all this together, suddenly you have this reporting dashboard. In this case, this is the executive dashboard in Pro that lets you see a high-level overview of all of your programs.
And then we also have a Priority Insights dashboard that gives you an idea of the risk and what the priorities are, the things you should be fixing. And this is all available to you because suddenly now you have this broad-spectrum view of things.
Central Hub Workflow: Normalize, De-dupe, Auto-Triage, Then Ship to Jira
And so what you wanna get to, hopefully, eventually, is something like this,
where DefectDojo is sitting at the center. I have CI/CD running that's pushing results into DefectDojo. I have various and sundry other scanners that are running and pushing things to DefectDojo. That's where the normalization, the de-dupe, the auto-triage happens. And I have one representation of what a vulnerability, in Dojo-speak a finding, is. And then suddenly I just need to report findings
to Jira. I don't need to report Tenable to Jira and a different way to do Checkmarx to Jira. I just do Dojo to Jira, and it just greatly simplifies things. So you can now push those things to whatever issue tracker you want. If for some reason the tools don't give you enough flexibility, I can manually log in, or via the REST API automate,
tweaking how those scanners will report results before they go downstream, which is critical. I can do reporting. If I have GRC, I can push to GRC, all those other sorts of things.
Why DefectDojo (Not the Acronym): Automation-Friendly Vulnerability Management
So why Dojo? I've kinda given you the high-level Dojo, but let's dig into some details. And by the way, I keep talking about Dojo.
What is Dojo, right? Is it a DevSecOps thing, or is it an ASPM? Or is it an ASOC, which is what? Application Security Orchestration and Correlation. Or maybe it's Unified Vulnerability Management, or RVM, the next acronym. To be honest with you, I don't care. We wrote DefectDojo initially, before it was open sourced,
to solve real problems of real people doing real security work. Those are all marketing things, and to be honest with you, call us whatever you want. I mean, it's kind of cute when people ask me, are you an ASPM? I'm like, I don't know. We pre-existed that term, so maybe. I don't know. It kind of doesn't matter.
We just make your life better. And so, like I said, I think DefectDojo is your single source of truth. It's extremely automation friendly, so if you are wanting to do automation, it's got all the pieces there to make that happen. And it reduces that overhead and your tool cost, because suddenly now I can get this broad picture instead of logging into tool one's web UI and tool two's web UI and seeing three different realities. I can just see one, and that's extremely valuable.
So beyond just aggregating things, DefectDojo enhances results. It will de-duplicate both within a tool and across tools, and it will do what we call auto-triage, which is, if you're running continual scans, it will diff them over time so that you end up with just a list of actionable findings, which is the net of all prior scans. And we just do that for you.
Right. Computers are good at doing that kind of grunt work so that you can focus on the real important thing, like: okay, this is the net of what I need to deal with. How do I get that fixed? And then in DefectDojo Pro, we have a bunch of prioritization and insights where we augment that data that comes from the scanners and provide it to you in a bunch of different formats, so that you can make the best decision based on the results that exist in Dojo and your overall program.
Not just, like, SAST tells me to do this, but my container scanner tells me to do this other thing, and then I have to somehow disambiguate those two places, which isn't fun.
Real-World Impact: Prioritization That Cuts 30,000 Findings Down to 80
And so, for example, one of our customers using Pro had roughly 30,000 findings that were reported. When they did the prioritization and the de-dupe and the auto-triage, that distilled down to 40 urgent and 40 that needed action. Findings, technically, not tasks.
And suddenly they eliminated 29,000, almost 30,000, of those things that they didn't have to review. There's 80 things. That's a very manageable number versus 30,000 things you really, really have to focus on. And from talking with that customer, they estimated like 15K hours saved per month just by having that prioritization, where they didn't have to have people go in and dig through these numbers and make sense of things.
Dojo just did it for 'em. We have bidirectional sync with DefectDojo, so you can take findings in DefectDojo and make them issues in Jira. And if you add comments to those issues in Jira, they'll show up as notes in DefectDojo findings, and back and forth. So that makes Jira a first-class citizen in terms of issue trackers that we support.
And then even in open source DefectDojo: Pearson used Open Source Dojo and went from doing 44 assessments to 414 assessments in two years, which is roughly an 840% increase in efficiency. I think one of the things that's just been super interesting about Dojo over time is that you get these crazy numbers, because it sort of forces you to think systematically.
Right? And one of the interesting outgrowths of having Dojo is that the upstream tool doesn't matter to Dojo. Dojo really doesn't care what the source of a finding is, right? If it's SAST, if it's DAST, if it's an SCA tool, if it's a container tool, if it's a Kubernetes scanning tool, Dojo doesn't care.
They're just findings. And then suddenly you start to think about things as findings, holistically, and you can get these kind of great speed increases. But one word of caution: don't tell your boss, because you're likely gonna get a lot of free time, and you could spend that doing something fun rather than grunt work, which was one of the other reasons we built DefectDojo.
I don't like doing grunt work. I'm too lazy to want to do that. So I spent some effort to make sure I didn't have to.
Fits Any Maturity Level: From New AppSec Programs to PR-Gating Automation
And then, depending on where you are in your life cycle with DefectDojo, where you are as a security program: if you're very new at this and you just suddenly got told, by the way, you're in charge of AppSec, or just cybersecurity in general, make it happen, and you've got nothing, Dojo can help you.
If you've got a highly mature program that is doing event- and data-driven decision making, and you have automation all over the place, Dojo can work with you there. Like, we have one customer today that, for every PR that isn't in main, they're running a scan and doing a reimport and looking at the diff to decide if they will merge.
That's one of the criteria for whether they will or won't merge that PR. So it's been really interesting to see, now that we have customers, that it's not just an open source thing where people go use it and I don't hear about it much, how broad the support is for DefectDojo.
Understanding the Dojo Data Model: Product Types, Products, Engagements & Findings
And then if you're new to Dojo, I wanna spend a little bit of time talking about what the Dojo data model looks like, 'cause this is sort of key to understanding Dojo in general. So at the top is this thing called the product type. You can have as many product types as you want.
Product types have one or more products. Products have engagements, and an engagement is really, the way I like to think of an engagement is it's just a way to collect, mostly for purposes of reporting, the output of multiple tests. You could just run a single scanner: I run SCA and it's in my engagement.
Or maybe I run DAST, SAST and a container scanner, but I wanna report those as one unit to, say, the product team. Well, that's what an engagement gives you. And engagements have tests, which are either a manual test but more likely a scanner output. Tests have findings, and then findings can have endpoints.
And an endpoint is more or less where that finding was located.
New Labels + Locations: Evolving the Model for Performance and Clarity
Now, recently, this just... ooh, when was this? Right before Christmas, I think, or maybe it was before Thanksgiving. Recently, we added the ability to have different labels, because we found people tripping over some of those labels. Originally DefectDojo came out of Rackspace, and we had products and we had types of products, and that just sort of worked, and that's why those names were there.
But some companies were confused. They're like, well, we don't really have product types, we just have this thing, and how do I make this work? And so we went to more generic labels, basically. So now we have organizations, and organizations have assets. Functionally, it still works the same. They're just new labels.
And then for the sharp-eyed viewers that might notice this little beta thing down here that says Location: we are in the process of... re-implementing is probably too strong of a word, rejiggering is rather colloquial, but we'll just go with that. We're reinvesting in endpoints and making them better.
And this will be a one-way migration. You can change from endpoints to locations, but not backwards. And this was to clean up and just do some optimization of how locations were handled, because there were just some data model issues in how we originally did endpoints, and this makes them a lot more functional, a lot more performant.
Some of our performance problems were actually on endpoints, and Location solves a lot of that for us, particularly in really large installs.
Open Source vs Pro: DIY Community Edition vs “You’re Just Done”
So you might have noticed there's an open source and a commercial version of DefectDojo. The easy way to think about this is sort of DIY versus you're just done.
I kinda like to use the analogy of flat-pack furniture from IKEA versus calling a furniture store and having them deliver a couch, right? You either get some boxes and you take it home and you spend an afternoon, you know, screwing and nailing and gluing things together, or you just have someone drop a new dresser in your bedroom and you're done.
Right? But certainly before Dojo, I feel for you. You're probably dealing with Excel and you're just getting buried. Open Source Dojo is absolutely, perfectly functional. I used that for years and was highly successful in my career. And now we have Pro, which just makes your life even better.
And so, open source versus Pro: like I said, it's mostly a matter of things that you could do for yourself in open source. We don't block you or stop you from doing anything with open source. We just do them for you, automagically, if you're a Pro customer. So it's really just about making that use of Dojo smoother and putting less of the burden on you and your team and more of the burden on DefectDojo the company.
Then DefectDojo Pro is offered as a single-tenant SaaS where you have your own instance and we don't share any resources. Or you can do on-prem or self-hosted, and you can pick your geolocation. So if you want data sovereignty and you wanna be in, I don't know, Frankfurt or the Netherlands, or, I don't know, Australia, great.
We can do that for you.
What’s New/Next: MCP + LLMs with Clean, Normalized Vulnerability Data
So now going into what's new and what's next. And sorry, we're 30 slides in and I'm gonna use AI in a slide. So I went pretty far without using AI directly in a slide. But, I mean, AI, it's everywhere. You can't get away from it. And a lot of what is popular right now at this moment, it'll probably change next week, is MCPs.
MCPs are everything. I'm like, hey, if I wanna get data into my LLM of choice, I want an MCP, and I'm just gonna stick MCPs on everything. And dude, I get all my data and I can do all the cool things. This works generally, but one of the things that gets interesting, particularly with vulnerability management, is now you've made the LLM have to deal with the fact that a new vector result looks nothing like a Burp
result, looks nothing like a Veracode result. And so suddenly the LLM has the burden of having to understand these flaky file formats, make sense of them, de-dupe them if it can, auto-triage them if it can, and then actually start working on the problem you want it to solve, right?
So you've just added a whole bunch of work on the LLM side of the house that it may or may not be well accustomed to doing, and you're not even starting on your problem. So we think DefectDojo helps greatly in this, where it gives you clean, accurate, updated, de-duped, normalized data that's been augmented. Like in Pro, we automatically add EPSS, KEV, CVSS into findings.
Suddenly you get this high-quality, high-fidelity data going into your LLM, and it can spend fewer tokens and less time actually solving your problem, rather than having to do a lot of pre-filtering and understanding of that context before it can even start on the real question you're asking. And so what does this look like?
This looks like a whole bunch of tools pushing results into DefectDojo, and then one MCP server sitting in front of Dojo that then talks to the LLM of your choice, and suddenly now the LLM is spending tokens and time solving problems with really clear, high-fidelity data, rather than dealing with having to make sense of all these different scanner outputs and all that other junk that DefectDojo does for you.
And so we've got this now in Pro. You can go enable it if you want it, or you can disable it if you're not into MCPs. And I guess one of the things we've just always kind of done at DefectDojo is, Dojo is really fundamentally designed to make sure that you do the things the way you wanna do them, not the way Dojo does them.
It's sort of a two-edged sword. Dojo can be complicated to some people, but it also just doesn't make you change. You don't have to do your work the Dojo way; Dojo adapts to how you do things, which I think is fundamentally important, and a big differentiator from the way a lot of other software works.
So anyway, you can enable or disable MCP.
New Integrations & Asset Hierarchy: Better Destinations and Better Visibility
And we just shipped that with Pro. We just added integrations. I say just, I think it was August or September, I can't remember. These are other targets that you can send findings to. So if I wanna make an issue in GitHub or in GitLab, or something in ServiceNow or Azure DevOps, these are new places I can push findings to.
And then in addition to that, asset versus product type versus product versus organization name change: we have something we're calling asset hierarchy, or product hierarchy if you want to use the old labels. I've been doing Dojo for like 11 years. It's hard to not say product. But if you notice in this case, I can select a bunch of assets,
in this case, not products, although it's the same thing. I can select a bunch of assets and say, let me see that in a hierarchy. When I do that, bam, I get a hierarchy, and here is my Cyber Fido guard dog that has several different versions that it's tracking as child assets of this parent asset, as well as a development version.
But there's this one floating out here, this 2.0. Why is that dude floating out here? That's not right. So let me go in, and I can add that to the correct parent, basically make it a child of one of those elements. And then bam, I've got this new hierarchy. So this allows people to sort of visually understand the relationship of the assets that they're securing, because that was another area where people had some trouble just conceptualizing the relationships between these things, and maybe mentally how they thought of them didn't fit great into the product hierarchy of Dojo.
Now you can do your own kind of custom hierarchy that fits your need.
Smarter Prioritization: Custom Weights, Risk Buckets, and Asset-Specific Rules
And then I mentioned this earlier, the priority and risk that we add in Pro automatically to all the findings. Priority is a global measure. So across all of the things in Dojo, we're gonna give you a numeric value of what the priority of this thing is.
So obviously a higher number for a priority means it's something you should look at earlier, right? And then risk is a bucketed version of those priorities. So what is urgent, what needs attention, what is not so urgent, right? We do this with our own built-in calculation; it ships with Dojo Pro. However, we recently added the ability
for you to create your own weights for prioritization. So if for some reason you don't like how Dojo calculates things, you wanna have your own way to do this, and, you know, for whatever reason your way is different, or you just need a different sort of take on things, you can do that now.
And not only that, but just like SLAs work in DefectDojo, you can have as many of these as you want and attach them to assets. So if I have some segment of my stuff in DefectDojo that are implantable medical devices, which, to me, I think the risk profile for an implantable medical device is significantly different than, I don't know, a mobile app or something,
I might want to really change these risks to where they kick in much sooner. So maybe 760 is where urgent happens for implantables, but, you know, 1150 is where that happens for their normal things. And so you can set up multiples of these prioritization engines and apply them to your assets as you see fit, right?
So this gives you total flexibility. Another case where Dojo will adapt to how you wanna do things, not how Dojo does things. Although we ship with the same default, so maybe you just use the same default and you're fine.
Connectors + Universal Import/Parse: Automate Ingest from Vendor APIs & CI/CD
Another thing that we have in Pro is connectors. Connectors are a way for you to connect,
hey, go figure, clever naming, connect DefectDojo to a vendor who has an API and then automatically pull in results from that vendor's API, the findings basically, on a daily basis. So I want to connect my Wiz into DefectDojo and every day pull in all my Wiz findings into Dojo, or Snyk or Semgrep or what have you.
I can do that. We have got three currently in the hopper. I think two will launch next Monday, if I remember correctly, and more will follow. So we just continue to add these as more and more vendors get set up with our system and we can get those created for our customers. And then universal options.
So there's two things that we also provide in Pro that I think are very useful to customers. One is a universal importer. So the idea here is this is a single standalone binary. It's written in Go, go figure, right? Pun intended. But it allows you to put this in any CI/CD system. And then you can either use command line options, environment variables, or a config file,
whatever works for your setup, to provide the data it needs to be able to ship those results to the right place in DefectDojo. So this is sort of our universal tool to help you do particularly CI/CD or automated imports. And this is what a lot of our customers are using to do those things, like for every PR do this thing.
A universal parser: we support 206-plus security tools. But if there happens to be one that we don't support, or you wrote your own internally at your company and obviously we don't know about it, you can create a parser on the fly with the universal parser. You give it a name, you select the fields, you map them how you want them to go, and then it's just like it's a parser that's always been in DefectDojo.
Coming Soon: Modernized UI for DefectDojo Community Edition
And then I'm happy to announce that, coming soon, we have someone working on this right now, today, an updated UI for the community version of DefectDojo. The DefectDojo community version UI is a little dated, and this should give it a significant uplift and help just shore up some things that are,
I don't think they're bad, I wouldn't call them bad, but they're just dated in Community Dojo. And so this will give us a much easier way and a much more modern framework that allows us to do quicker revs of UI work in the community version. And then, wrapping things up.
Wrap-Up: Automate the Drudgery, Report Holistically, and Scale to Millions
I think to solve this kind of problem I've been talking about for the last however many minutes, you need something that allows you to automate the manual tasks and take a lot of this drudgery off of your plate.
Nobody likes a life of a million paper cuts, and so let's just take those paper cuts out of your life. You need something that is comprehensive reporting across everything that you're in charge of. I've run a bunch of different AppSec teams. I've run AppSec teams where if it was port 80 or 443, it was my problem, but infra wasn't my problem.
I've also run teams, when I worked at Rack, where I owned everything that ran the cloud, so from the iron up. So I've never seen one place that does cybersecurity the same in the many places I've been. And you just need a tool that's flexible enough to cover whatever the scope of your work is. And Dojo, I think, gives you that.
And then you need something that scales. And we have people doing crazy, crazy, crazy things with DefectDojo. Like I know of an instance that has 9,700 products in it. I know of another customer that's doing 27,000 imports per day, based on a very large number of tools that they're running across a large, well, source code base and other bases.
But so it will scale up and do crazy numbers, like a million findings isn't something out of the ordinary. Or, like I said, 27,000 imports isn't something that will break DefectDojo.
Q&A Invitation and Closing
I think that's hopefully a pretty good overview of what Dojo is and how to get started, but I'm happy to field any questions people have.
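As an added illustration of the central-hub flow the talk describes (normalize each scanner's output into one finding representation, de-duplicate within and across tools, then auto-triage by diffing consecutive scans down to the net of actionable findings), here is a small self-contained Python sketch. It is not DefectDojo's code, not its data model or parsers, and the two scanner formats, their field names and the findings in them are all constructed for the example.

```python
"""Toy normalize / de-dupe / auto-triage pipeline (added example, not DefectDojo code)."""
import csv
import hashlib
import io
from dataclasses import dataclass, field

# Constructed sample output of a made-up SAST tool ("tool A"): JSON-style records.
SCANNER_A_JSON = [
    {"rule": "CWE-89", "file": "app/db.py", "line": 42, "level": "high", "msg": "SQL injection"},
    {"rule": "CWE-79", "file": "app/views.py", "line": 10, "level": "medium", "msg": "XSS"},
]
# Constructed sample output of a second made-up tool ("tool B"): CSV with a combined location.
SCANNER_B_CSV = """cwe,severity,title,location
CWE-89,CRITICAL,SQL Injection,app/db.py:42
CWE-22,LOW,Path Traversal,app/files.py:7
"""

SEVERITY_MAP = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}
SEV_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    """One normalized finding, independent of which scanner produced it."""
    cwe: str
    severity: str            # always one of SEV_RANK's keys after normalization
    title: str
    file: str
    line: int
    sources: frozenset = field(default_factory=frozenset)

    def dedupe_key(self) -> str:
        # Hash of the fields that identify "the same bug" regardless of tool wording.
        return hashlib.sha256(f"{self.cwe}|{self.file}|{self.line}".encode()).hexdigest()


def parse_tool_a(records):
    """Normalize tool A's records (constructed format) into Finding objects."""
    return [Finding(r["rule"], SEVERITY_MAP[r["level"]], r["msg"], r["file"],
                    int(r["line"]), frozenset({"tool_a"})) for r in records]


def parse_tool_b(text):
    """Normalize tool B's CSV (constructed format); split 'path:line' into its parts."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        path, _, line = row["location"].rpartition(":")
        out.append(Finding(row["cwe"], SEVERITY_MAP[row["severity"].lower()], row["title"],
                           path, int(line), frozenset({"tool_b"})))
    return out


def dedupe(findings):
    """Merge findings sharing a dedupe key: keep the highest severity, union the sources."""
    merged = {}
    for f in findings:
        k = f.dedupe_key()
        if k in merged:
            m = merged[k]
            sev = f.severity if SEV_RANK[f.severity] > SEV_RANK[m.severity] else m.severity
            merged[k] = Finding(m.cwe, sev, m.title, m.file, m.line, m.sources | f.sources)
        else:
            merged[k] = f
    return merged


def auto_triage(previous, current):
    """Diff two deduped scan runs: what is new, what is still open, what has been closed."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": cur_keys - prev_keys,
        "still_open": prev_keys & cur_keys,
        "closed": prev_keys - cur_keys,
    }


def run_demo():
    """First run ingests both tools; the constructed second run shows the SQLi fixed."""
    scan1 = dedupe(parse_tool_a(SCANNER_A_JSON) + parse_tool_b(SCANNER_B_CSV))
    second_b = "cwe,severity,title,location\nCWE-22,LOW,Path Traversal,app/files.py:7\n"
    scan2 = dedupe(parse_tool_a([SCANNER_A_JSON[1]]) + parse_tool_b(second_b))
    return scan1, auto_triage(scan1, scan2)


if __name__ == "__main__":
    first, triage = run_demo()
    for f in first.values():
        print(f.severity, f.cwe, f"{f.file}:{f.line}", sorted(f.sources))
    print({k: len(v) for k, v in triage.items()})
```

The dedupe key is deliberately built only from fields both tools agree on (CWE, file, line), so the SQL injection reported by both tools collapses to one finding that records both sources and the higher severity; the triage diff is what turns a stream of full rescans into the short "net of all prior scans" list the talk describes.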