Transcript
00:07
Welcome to this webinar where I will be covering an intro to DefectDojo Pro. I'm going to do a nice flyover of all the different things you get when you go Pro. And as Dawn said, I'm Matt Tesauro. I'm the CTO and co-founder of DefectDojo. I've been around DefectDojo since it was on a whiteboard many years ago. So let's get started.
00:28
Oops, also if you're clicked in. So I'm going to do just a very quick "what is DefectDojo", a super fast flyover, just in case you are brand spanking new to DefectDojo, and then I'll go into the features that exist in our Pro offering.
00:43
So typical vulnerability management, if you talk to people, most people these days, I hate to say it, the enterprise vulnerability management tool of choice is Excel. And you have Excel plus a whole bunch of different tools, all of which have snowflakey ways to produce what DefectDojo calls a finding. And so that was painful. And that was the pain we felt when we created DefectDojo, this very same thing. I'm running all these different tools, they all talk about things in slightly different nuanced ways.
01:11
And I just want one representation of the truth that I can share with my stakeholders and hopefully move the needle as far as our security program is concerned. And so DefectDojo is that single source of truth. And it supports 180 different scanners. So the outputs of 180 different tools can be ingested into DefectDojo, normalized, presented, managed, sent to Jira, all these other things. And so...
01:38
That's where this came from is I ran the product security team at Rackspace. We had this problem of a whole bunch of different tools that reported in different ways. And I needed to make sense of them so I could report to the teams: hey, these are the things where you're falling short, please go fix them. And also to management: these are the areas that maybe need a little more TLC to prop up our security. And where we really want to see DefectDojo go, and where it's going for our customers, is...
02:07
It actually ends up becoming a DevSecOps pipeline where you can do pushing of results in there automatically via GitLab, GitHub, CI/CD, any kind of automation. You run a bunch of tools. Those all get sent to DefectDojo. DefectDojo does the normalization, deduping, false positives, all the stuff I'll talk about in a minute. And then from there, you can then talk to downstream stakeholders. Like if you want to push to Jira where your developers are likely working, you can do that. You want to do reporting and metrics outside of
02:36
DefectDojo, you want to push to a GRC system like Archer, right? All those things are possible.
02:45
And then one other just interesting aspect of supporting this many tools is that adding an additional tool is really not a large lift. If you want to increase your coverage, as long as DefectDojo has a parser for it, and it likely does, particularly if it's an open source tool, then you can increase the visibility of what you have across your suite of products or apps or whatever you're doing in terms of product or application security or DevSecOps.
03:14
Whatever you want to call it.
03:18
So ideally with DefectDojo, and this is an interesting aspect of Dojo, we created it at Rackspace where we were fairly automation heavy, although we ended up having to do a lot of manual testing because at that time we were dealing with a lot of REST APIs and the tooling to test REST APIs was non-existent at that point in time. This is what, 2011, 2012. So there wasn't any really reasonably good
03:44
tooling to test APIs. So we ended up doing a whole bunch of manual testing. And that's been one of the interesting aspects of having this Pro service and seeing a lot of different customers use Dojo: it can really go from a zero automation team to a completely automated team. And it fits both use cases nicely. So it gives us a very nice ramp. Wherever you fall on this spectrum of automation, you have a firm starting place and a direction to head to make your program even better. So we have some...
04:14
users that are almost all in the UI and do a lot of just normal using of DefectDojo and don't have particularly a lot of automation in place currently. We have some users that have complete automation, end-to-end automation. They barely interact with the UI of the platform, but the engine that is DefectDojo, that platform, still provides them great value in all the different features I'm going to talk about shortly. Oh, and then quickly a case study. So Pearson.
04:42
They were assessing 44 of their applications in year one. DefectDojo came on the scene. By year two, they were assessing all 414 of their apps. And that was an 840% increase in two years, which is pretty startling. They almost 10x'd, basically, which is pretty cool. And they had a much happier security team, because one of DefectDojo's design principles was: what are those drudgery items
05:11
that you have to deal with as a security professional dealing with like these output of tools, how can I make those drudgery items, take them off the plate and make them DefectDojo's problem and let your team focus on those important sort of human, human brain aspects of security instead of just doing sort of rote, boring, unexciting work.
05:34
And then just because I'm going to talk about DefectDojo, and I'm going to say some of these things, I want to just level set for everybody what the data model looks like for DefectDojo. So starting at the top, every DefectDojo starts with a product type. I like to think of product type as just a way to group a collection of products together, particularly for reporting, but it's just a grouping function. And likely this is like a VP or a geographical area or a product line of the business.
06:03
that you as a security professional need to do reporting at. And then every product type can have one or more products. Every product can have one or more engagements. And an engagement is just a collection of doing multiple tests. So this could be, I don't know, a SAST scan, a DAST scan, and a manual pen test. And if I wanted to report the net result of all three of those activities, I would report at the engagement level as opposed to having to...
06:31
in the traditional sort of way this problem is solved, give you the results of SAST, give you the results of DAST, give you the results of the pentest, and now I have three interactions and three different sort of workflows with the product teams. So that engagement model really helps focus that and gives you one sort of way to say, this is the net result of the security work that I've done, and here's where we're falling short. Let's work to get these things sorted. But anyway, an engagement can have one or more tests. Tests have one or more findings.
07:01
And then findings can have endpoints and endpoints are where that finding was found. So if you hear me say test engagement, finding endpoint in future, at least you have hopefully a decent frame of reference going forward.
07:16
Okay, so the first part I'm going to talk about is the smart features that are in DefectDojo. Those things that are, I think, kind of cool and make your life a little bit better, a lot better, honestly, if you're doing this kind of work. So deduplication. So DefectDojo will be able to recognize that it has seen this same finding before for that same product and realize that this is a copy, it's a dupe. I don't need to have
07:43
two instances of the same finding. I just need one, because only one is actionable. Well, two are technically actionable, but telling the team twice to fix the same thing is no way to make friends and influence people. So dedup is really a very useful feature. And you can do this for a single tool. So I could do this between, say, Burp Suite, or Burp Suite and Qualys WAS, right? Same type of tool. They're both DAST tools. I could do a cross-tool deduplication as well.
08:13
The nice thing with dedupe is it allows you to run tools frequently. And I only have to deal with the net result of those frequent runnings of the tool. You get accurate risk reporting per product, because I'm not reporting that you have 15 open vulnerabilities when seven of those are actually duplicates. You have a lot less than 15 to deal with. And like I said, you can tune how the deduplication works and our support team will help you with this.
08:41
And there's a UI coming out for this in late August that allows you to tune same-tool and cross-tool deduplication settings. If you do need to custom tune it, we've shipped with pretty sane defaults, but if you have a kind of a unique use case, there are some cases where you might want to adjust that, or the two tools that you're wanting to do cross-tool dedup on are unique and you need to do some adjustments to those deduplication settings.
09:07
And then auto triage. So in this case, if you have automation, I have CI/CD, I'm scanning the same sort of scope, the same thing over and over again. So I'm scanning a repo for SCA. I'm scanning the same segment of a network. I've got automation that runs the same DAST scan against an instance of my web app every week. Whatever that is, I have a repeating security scan activity.
09:37
Auto triage will automatically close the fixed vulnerabilities by taking a look at what it saw prior and what it saw in this run and looking at that difference and saying, oh, look, this was in the first run, it isn't in the second run, therefore I can close it because it is obviously gone from the perspective of that scanner. So it allows a continually updated list of findings that are actionable, right? You don't have to do that, geez, I ran the scan last week and was, oh, that was there, but it's not in this one, I got a...
10:06
None of that, like Dojo handles that drudgery for you. And so it allows you to reduce the number of findings you have to deal with if you do have automation, because one of the sort of dark sides of security automation is like, yay, I automated all my tools, and now I have 20X the amount of findings I have to sort through. This allows you to focus only on those actionable ones.
10:30
Smart upload. So this is sort of a subset, in essence, of what I was talking about, for infrastructure scans, and this is sort of a unique case for infrastructure scans in a lot of cases. The easy thing to do is to scan a broad chunk of the network. I want to scan all of our, whatever, production environment. The problem is that there are five, four, six different teams that own pieces of that broad network scan. How do I assign
11:00
those infrastructure findings to the right people to handle those, like the DevOps, say, person for product one and product two and product three. DefectDojo uses the smart upload feature to match previously seen endpoints or hosts to the results that you ran today with the infrastructure scanner and automatically assign those to the products. And then if there is a miss, there's a new issue that it's never seen before or a new host,
11:28
you can then decide to create a new product based on that, dismiss it, or assign it to an existing product. And then DefectDojo will remember that newly assigned endpoint in the infrastructure scan. And going forward, it'll just automatically place it in the right place. So this is just to solve the, if you've ever done infrastructure scans, which I have done, I used to write a lot of sort of scratch scripts to take a big Nessus result in my case and chop it into pieces based on, in my particular case, it was IP ranges
11:58
that were owned by different segments of the product teams and then ship off these like subsets of Nessus results to those teams. This just automates that process for you, takes it off your plate.
12:12
And then connectors. This is a Pro feature that we've recently added. And we have seven connectors now, and an eighth one is coming out in about two weeks. The idea with connectors is you have licensed a commercial tool that has an API, and you're running scans with that commercial tool. That's great. Now I have a SaaS service that is providing me value, but I want to get those results out of that SaaS service
12:38
and into DefectDojo so it can just be part of my normal single source of truth and my flow of vulnerabilities through your DevSecOps pipeline. How do you do that? Well, with connectors, where you can give us the necessary information to connect to that vendor's API. We will automatically pull down a list of things that look like products, because not every vendor calls them products, they call them different things. You can either auto-map those, or you can have...
13:06
You can manually map those to say, for this thing, I want it to go to this product, et cetera. But then DefectDojo will, on a recurring and automatic basis, daily, go pull down the latest results, so that once you set up a connector, you will always have the latest results from that tool residing in the products that you've configured or mapped them to. There are sort of two operations. We call one discovery, which is go out and find those things that would need to be mapped or could be mapped to products in DefectDojo. And then syncing, which is: okay, I've got
13:35
a list of things that are product equivalents in this commercial tool. I'm gonna now take those results and ship them into DefectDojo. And by the way, I mentioned prior, I'm gonna go back up two slides. This auto triage we call reimport, and that's what connectors do: they do a reimport. So you get a continually updated list of actionable findings over time from those commercial tool integrations we have.
14:03
The next one, if I didn't say it, is going to be SonarQube. That's coming up in about two weeks.
14:10
Universal Importer. So this is a way we help our customers shortcut some of the work that it takes to do automation and CI/CD efforts. So this is a, well, it's a universal tool that you can use with whatever CI/CD process you have, and connect the results of a CI/CD run and push those into DefectDojo. And it allows for three different ways to configure it. You can do it this way that I show on the screen, where I'm pointing to a configuration file.
14:39
I can set up environment variables, or I can set up command line options, any of those three things, and then that basically handles any of the sort of CI/CD use cases: GitHub Actions, what are they called, GitLab runners, if you have Jenkins, I don't know, any of the other CI/CD services. This allows you to have a step in that automation that automatically ships those results to DefectDojo, so one command and done. I've got...
15:07
I ran this Universal Importer and bam, I have, in this case, Acunetix data in DefectDojo in one fell swoop. So this is a nice way for our customers to get quick results or wins in any kind of automation or CI/CD efforts they're making.
15:25
Okay, so I talked about the smart features. Let's talk about other pro features because why yes, there is more.
15:35
So we have what we're calling the beta UI, which sits on top of Pro. The only reason we have a beta label on it, to be totally honest with you, is that not all of the features in the original UI are currently baked into the new UI, although we're desperately close. And so this allows you to do dark and light mode. I'll show you this in a minute. I'll jump over to my other tab and do some live walkthroughs of this. But there is a light and a dark mode
16:01
and a nice fresh look for DefectDojo if you're familiar with the existing UI that exists for the open source version as well as the Pro version. And by the way, the existing Pro version does also have a dark mode. So you can do dark mode on either side with Pro, which is kind of nice.
16:22
The other thing I was going to talk about was customizable dashboard tiles. So one of the things that DefectDojo has when you first log in are these dashboard tiles. You can configure one or more of these. I don't remember the set we ship with. This screenshot has 12, but you can add and remove these to your heart's content. The idea here being there's a wealth of data inside of DefectDojo. There's certain aspects of it that are going to be important to you.
16:49
These tiles allow you to configure them so that the data that you care about is surfaced when you first log into DefectDojo. So if I have a particular product, or I'm worried about SLA violations, or I want to know how many times I've done engagements or scans, all those kinds of numbers can be pulled out of DefectDojo, giving you a quick sort of overview of the state of things in your program. And by the way, these tiles respect RBAC.
17:19
So I'm gonna show you in a minute logged in as an admin. I'll see everything. If I were to log in as a user that only had, say, access to one product, all of these numbers would reflect the stats for that single product. And I'm just gonna jump mid-talk and jump over here and show you. Here's the new UI. I'll refresh to make sure, yes, I'm still logged in. And so these are those tiles I mentioned. I can go in here and actually view
17:47
the results of those tiles if I wanted to. Or if I wanna add a tile, I just go up here and do, add, let's say, a new finding tile. I'm gonna call this "example". And just because this is a demo, let's say I wanna only look at high and critical findings for the Bajit product. All right, go down here and save this guy. And yay, I have no
18:17
highs or crits for Bajit, which is great. If I get tired of this tile or it's no longer important to me, I can just delete the thing and off it goes. So this is a great way for you to get quick results and focus the data in DefectDojo on what's important to you. At least that's the driving force behind these tiles.
18:40
All right, data visualization, and I will show you this live because it looks way better than these three screenshots, but the whole idea of the data visualization that we've added to DefectDojo Pro is to give you a good view of how your efforts are going in terms of your program, your remediation, and the tools that you're using. And let me just jump in, because this is something that doesn't get a lot of justice if you don't see it live. So let me go into this.
19:09
And program insights, the first one, will show you findings fixed by quarter, products tested yearly, tests performed by quarter, just to get an idea of sort of the velocity of your team, efficiency increase. So this gives you a sort of a metric on the smart features of DefectDojo, how much time are they sort of saving you in effort, like those
19:34
automatically closed findings that are done with auto triage. Those are things your team doesn't have to deal with. So these are savings that you get. We display those by category here in this circular graph, as well as this bar graph over time, so you can get an idea of how your program is performing and then cumulative cost saving over time. And this is obvious when I loaded the demo up with data, but you get the idea.
20:01
Remediation insights. So how is your security effort doing in terms of remediating the things that are found? Total number of findings, total number of crits and highs, and EPSS score. So EPSS score is produced by FIRST, and it's sort of a metric that gives you an idea of the exploitability of a particular finding. Those are updated for our Pro users every day. I'm actually stealing my next slide, so I'll stop there.
20:30
And then we show open findings over time, average time to remediation, what that looks like for you and your team, findings with exceptions. And I should mention some of these graphs also allow you to sort of trim them down to say, if I only want to look at what the high and medium are, I can look at those rather than the full spectrum of findings. Findings past SLA. So some of our customers like to look at this from a product manager perspective, and that's what this graph gives you.
21:00
Or you can look at this from a product type perspective. So I want to look at it as a summary level, that one level up from product. Either way, we give you both representations. And then severity of products past SLA. And by the way, for any of these graphs, you can take this and expand it if you want to look at a bigger version of it. This also has the ability to turn off and on different pieces. You can also pull.
21:27
just a copy of this as an SVG if you want to insert it into, say, a slide deck or something. And you can also view the data that makes up this metric as a table and then download that as a CSV. So we give you the ability to pull the data out of these charts as well as them just being present.
21:46
And then tool insights: how many tools are you using currently? Which tools are producing false positives, to give you an idea of the sort of accuracy of the tools you're using. Severity by tool, the top 10 most findings by tool, average EPSS score by tool, so if you want to get an idea of what kind of exploitability information you're getting out of that tool, this will give you that. Interesting thing with EPSS and how we have it with Pro, while I'm stealing the next slide.
22:16
I'm gonna also just pause that for a minute. I'll get back to that in a second. But this can be interesting beyond just what the tool provides. Let me tease it there. And so those are the metrics, yeah, the metrics or visualization dashboards we have currently in DefectDojo. And I said I was gonna tease it and I am. EPSS score. So the way EPSS works is, for CVEs, FIRST, which is a
22:45
security organization, produces an EPSS score and percentile that gives you a metric on how exploitable that particular issue is. Now what DefectDojo does is it gets these in two different ways. One, you might have a tool that actually includes an EPSS score, and if it does, we'll obviously ingest that and display that. But the other thing we do for DefectDojo Pro users is, for any EPSS score, and the EPSS scores are updated every 24 hours,
23:14
so for every new day, basically, DefectDojo will grab the latest EPSS scores, look across all of your findings, whether or not they had an EPSS score when they came in, find the matching CVEs, and then adjust the EPSS scores accordingly. So this allows you to have an always updated metric on the exploitability of your findings in DefectDojo, whether or not your tool actually provides that, which is that little hint I was
23:44
speaking about a minute ago. You don't have to have a tool that supports EPSS; as long as they produce the CVE, which any tool worth its salt likely does, you've got a way to get an exploitability metric on top of that CVE provided by the tool with DefectDojo Pro.
24:03
Okay, I'm gonna take a quick drink because I've been talking a lot.
24:11
All right, let's talk about the SaaS benefits, where our host is the mostest, hopefully, or your host if you're one of our SaaS customers. So one thing about our SaaS I like to say just off the bat is it is a single-tenant, no shared resources instance of DefectDojo. So you are not commingled with anybody else's data; it is strictly your data in each isolated SaaS instance. And then for all of our SaaS customers, we automatically do updates of the platform.
24:40
And the way DefectDojo does updates is every month we rev a minor version. So in July, the first Tuesday in July, 2.36.0 of DefectDojo came out. Every week between the first Tuesday of that month and the next month we do patch releases. So the first one after we did 2.36.0 was 2.36.1. And so this allows us, for our customers,
25:08
to very quickly fix any issues that may come up or add features on a weekly basis. We also do daily, weekly, and monthly backups, both of the DB as well as any data you upload into DefectDojo. Since it's single tenant, you can pick your geographical region as long as there's a data center within that region. And then obviously you get dedicated support with enterprise SLAs to keep this thing up and running for you.
25:34
without you having to burn any kind of FTE time on your side to maintain and run DefectDojo.
25:42
The security for this, well, DefectDojo was written by AppSec people for AppSec people, so we're all kind of paranoid here at DefectDojo, Inc. At least we have long backgrounds of running security programs. So a lot of these things were just obvious for us in terms of things to do, but I just want to enumerate them. We're SOC 2 Type 1. We have regular pen testing. We actually just signed our SOW for our next round of pen testing last night.
26:10
You can have data sovereignty since you can pick where your instance is located. You can put it in whatever data-sovereign region you like. It is, like I said, an isolated environment. By default, all of our instances are firewalled, where you have to allow in traffic to your instance. And then data is encrypted at rest and in transit. Each customer has a unique key for those different aspects. So we did it right. Cause guess what? We're security people.
26:38
And then on top of the security stuff we do, we do a ton of proactive monitoring. We have ASPM turned on or application performance monitoring for all of our instances, endpoint detection and response. We have proactive performance monitoring. So we can notice if you are hitting a performance issue, we have proactive tuning, or we can also notice if there's a performance issue, we can do some tuning to help you out. And we also have audit log monitoring. Standard things, but I felt like it needed to be said.
27:07
Ah, and then inside of DefectDojo, the application or the portal, we have the ability to send messages in to you. So we can give you announcements, let you know there are new things, et cetera. This is from a demo instance, so these are a bit silly announcements, but you get the idea. It allows us to send messages out to our customers in a non-intrusive fashion. Here is where you can manage that firewall directly in the platform. So you can add or remove rules, whatever you need to, to set this up.
27:36
We also have the ability to do in-platform support requests. So you don't have to go find your mail client or open up a new tab and go to whatever mail service you're using and shoot an email off to support at defectdojo.com. You can just, within the platform, go to the contact support, write out your issue and submit it, and get it directly without having to fiddle with going anywhere else.
28:00
Okay, so that's all of the content I have. I have a quick key takeaway slide, which is here. So DefectDojo Pro should be your single source of truth for your DevSecOps program and a whole lot more. Pretty much any security tool worth its salt is likely to be readable into DefectDojo. And I didn't mention this earlier, but we also have what we call a generic importer. So as long as you can get results into the structure of our CSV or JSON,
28:29
you can get those results into DefectDojo. It was created, like I said earlier, by AppSec professionals, for AppSec professionals. It's kind of, I always get an internal giggle every time I do a demo and they're like, oh, that's a great feature. And I thought, well, yeah, because I had that problem and I wanted it solved. And so we wrote it into DefectDojo. Like I mentioned earlier, we normalize over 180-plus different scanners.
28:54
And as far as DefectDojo is concerned, a finding is a finding is a finding. It kind of doesn't care where it comes from. So all of the smart features I covered handle all those different types of scanners. So container scanner, DAST, SAST, SCA, cloud infrastructure scanner, whatever, as long as we support it in terms of having a way to ingest it, all those features just work.
29:17
Smart features, and then just the design model of DefectDojo, is there to save you time so you can focus on the important things. I've run several product security teams. I've never had one that had too many people, and I've never had one that had enough time. So if I could at least make sure that the staff that I had was focused on the really important things, I felt like I could move the needle, and DefectDojo allows you to do that. It takes that drudgery off your plate. And then I really didn't get a chance to cover this today:
29:47
The data model of DefectDojo is highly flexible. So I think one of the key things of DefectDojo is you don't have to adjust your process and program to how DefectDojo sees the world. DefectDojo changes to how you do things, which is really important because it's hard enough to get a functioning process in any organization. It's even worse when you have to change it. So by design, DefectDojo is highly flexible to allow you to not have to change how you're doing things today.
30:16
just help you be more productive with the way you're currently doing things. And that's it. I'm ready for questions if people have them.
30:29
Okay, I am on the Q&A. So if you have a question or you can raise your hand and ask it in real time, either way is fine.
30:39
Or maybe you were just so good. No. I know you answered all the possible questions.
30:51
Maybe you can talk a little bit about how someone could buy it, what the model is. Yeah. Well, we just had a question come in too. How is it priced? So I will totally talk to that. Great question. It's the most affordable ASPM out there. No, that's just bunk. No, the way we price things, honestly, is, and I'm just going to be very disclosing because that's the kind of person I am...
31:21
When Greg and I, the other co-founder, talked about how we were gonna do this DefectDojo, Inc. thing, we had experienced, running AppSec programs ourselves, some of the less great licensing models. That would be number of apps. And by the way, every vendor has a different way to describe what an app is, cause for some it's a repo, for some it's something else. It's just painful.
31:44
I blew through a license of one of the tools I was using because of the way they defined an app was unclear to me when I bought it and halfway through the year, I'm having to go up to management and say, please, I need more money or we can't test all the things, which I hated that. The other model that a lot of other tools use is the per user. We don't do either. It's literally storage. It's just how many findings and endpoints you have in DefectDojo. Because at the end of the day, that relates to how much compute we have to have behind your instance.
32:12
to run it effectively and performantly. And so it's simply storage. So we just need an idea of the count of your number of findings and endpoints. And that's how the pricing model works. We try to keep it as straightforward and simple as possible. So if you want one person or a thousand people to log into Dojo, we don't care. Or if you want one product, or, like we have one customer with almost 10,000 products, great, doesn't matter.
32:44
Oh, so if it's a POC, do you get good pricing? So the way we do POCs is we'll do a two-week free trial of our Pro offering. You can log in, use it all you want. And then depending on how that goes, and this just depends on the customer, we've had customers take both choices. You can either convert that POC into your final running instance, or some of our customers ask us to trash that POC and they want to start with a fresh instance now that they have a better feel
33:14
for how DefectDojo Pro works, but we can do either.
33:26
Yeah, no, I got a thanks for the questions. But yes, those are great questions. I love them. I'm very much an engineering person. I don't think about the pricing stuff, but as a customer, you're probably interested in it.
33:42
Okay, any other questions?
33:47
All right. Well, thank you very much for your time, everybody, for listening and learning a little bit more about DefectDojo Pro, and thank you, Matt, as well for your time. I'm going to stop the recording here, and everybody have a great day. Thank you.