Jun 24, 2025

Introduction to DefectDojo

Transcript

00:07
So yes, this is going to be an introduction to DefectDojo, as you can see on screen. And I do definitely believe DefectDojo is the open source leader for unified prioritization for AppSec vulnerability management and SOC and a whole bunch of other things. It's the all singing, all dancing thing for your security needs. So let's, let's get into this thing. So the agenda for this particular webinar, I'm going to do a very quick intro.

00:36
I will talk about the big picture, sort of a fundamental look at things. I'm going to talk about this more specific problem in AppSec and security in general, talk about what I believe the solution is and why you should look at DefectDojo for that solution. So let's get started.

00:57
So intro, so who am I? As Chris said, I'm Matt Tesaro. I like to consider myself a reformed programmer and AppSec engineer. I'm currently the CTO and co-founder of DefectDojo Inc, which is the commercial company behind DefectDojo. I have over 17 years in the OWASP community. I've twice been on the board, the global board of directors for OWASP. I've run a bunch of projects for them.

01:22
I have a pretty strong bias towards Linux and open source, 25 plus years of using Linux. I'm currently, I love writing in Go. That's my go-to language. Ha ha, pun intended. And if you look at that picture, that's me actually doing a double front kick to break two boards at once to get my second degree black belt, which was kind of amazing, honestly. So let's talk about the big picture. What's the big picture? What's the overarching theme here?

01:53
So first I want to ask a question and this is a webinar, this is better in a conference, I guess, where people can shout out. Anybody know who this guy is? This nice, well-dressed gentleman with the bow tie sitting in a field, looking all dapper in his, I don't know what this is, 20s maybe? I'm not sure, maybe earlier than that. But anyway, who is this guy? Well, this guy happens to be Henry Ford, and

02:22
before Henry Ford started the whole assembly line thing, the whole idea of building a car was you would get a coach house that would coach people, a coach, coach maker, excuse me, who would go and you would say, I need a car. And they would get a bunch of people together and they would build you a car. And then experts would come and say, I want a car. And they would get a bunch of people together and they would build you a car. So they did this a la carte, one-off bespoke car building,

02:51
which was way better than horses, but also didn't address the need, right? There were more people that wanted cars and were willing to buy them than they could actually produce them. And this is where Henry Ford and the idea of an assembly line really just blew this market wide open and radically changed things. Suddenly you have this moving conveyor belt of people putting bits together, repetitively putting bits on the same part of the car.

03:20
You add all that together and suddenly you're producing, well, at least for the Model T, a car in any color you wanted, as long as that color was black. Right. So that's not a lot of choice, but we definitely got a lot of cars out there and this just radically changed things. And so I think we have the, if you've ever worked in security, you have the same sort of problem where the number of issues or findings or vulnerabilities or whatever you want to call it outpaces almost always the team's ability to

03:48
handle them. So how do we get ahead of that? How do we change the narrative and make things work better? And so let's talk about the problem more in the InfoSec realm rather than building cars. So I don't know if this is good or bad news, but honestly, if you talk to people who do vulnerability management, there's a whole bunch of vulnerability management by Excel, which there's nothing wrong with Excel. It's a fine tool to do spreadsheet stuff.

04:18
But I think the problem space of vulnerability management and tracking these issues and understanding which ones need to be fixed is a bit much to ask of Excel. Even if you're an Excel ninja, you're pushing the boundaries of Excel. And then you add on top of that the fact that every tool has its own sort of way of representing what an issue or a finding or a vulnerability is that is different than every other tool.

04:47
And suddenly you have this very manual process of data entry and converting formats and understanding that my SAST tool thinks this is what a vulnerability is, but my DAST tool thinks that's what a vulnerability is. And it just becomes burdensome, risky, it's hard to measure, and it's just hard to even keep up. So we need a better something, right? This is the custom coach built car, which is better than a horse, but it's not a factory.

05:16
So what's better? What's the solution? Well, no surprise being the CTO of DefectDojo Inc. I kind of think DefectDojo is. And a little bit of history here, DefectDojo actually started at Rackspace when I was the product security owner of all of Rackspace's cloud. So me and my team owned all of the cloud infrastructure from the iron up. And we're running a ton of different tools and needed to make sense of them and get

05:45
issues out to the right teams in the right format so that they could go and get things done and fix them and upgrade our security across the board. So that's where DefectDojo came from, an idea of a security tool written by security people to make security people's lives better. And so that's why we say Unified Connect and Secure, because that's really what we wrote it for initially. This was Greg and myself solving

06:14
mine and my team's problems, and then sharing that solution as an open source piece of software for the last, shoot, 11 plus, 13, I don't even remember, for the last many years. And now we have a company behind it as well. So DefectDojo, like I said, it's your single source of truth. It has the ability to ingest data from over 200 different security scanners. And this runs the gamut, like I said, from DAST to SAST,

06:42
to SCA, to container, to cloud, to infrastructure, things like MS Defender, almost anything. DefectDojo honestly is not picky about what it thinks of as, it calls vulnerabilities findings. So it's not picky about what it thinks a finding is. Like you can pretty much pump anything you want into DefectDojo. And we've helped a lot of customers pump internal tools and custom things in there. No big deal.

07:10
And so beyond just giving you this nice consolidation of all these different formats into one sane view that gives you things like the ability to grade products like you see over here, as well as some nice dashboarding features. It also gives you the ability to do interesting things like have this executive reporting dashboard that talks about the different products and product types. How much remediation has occurred? Which scans are providing EPSS so you have a better

07:38
on exploitability, right? All these things are possible with DefectDojo. And then beyond things like the executive dashboard you have to help you with the people north of you on the food chain, right? There's also our priority insights dashboard, which DefectDojo Pro has a feature that adds a priority measurement based on the metadata that you supply, plus some finding enhancement we take so that we go beyond the sort of scanner provided

08:08
critical, high, medium, low, and actually use some environmental metadata about how much you care about those products to give you a real actionable list of things to fix. And then I want you to sort of picture yourself here where you have DefectDojo at the center, you have CI/CD running, pushing results into DefectDojo, you have any number of other tools, also pushing results into DefectDojo, giving you this

08:37
like holistic view of your security landscape. And then from here, you can go in and manually adjust findings as needed if for some reason you can't tune the scanners or the scanners are malperforming for you. You can also push those results out to JIRA where developers can work and do those remediations for you. DefectDojo has a ton of reporting metrics inside of it, but if you want to pump data out to something like Archer or some other like

09:08
Oh shoot, I'm blanking on those other reporting frameworks like Tableau. Thank you. I remembered it. You can do that because there's a full REST API behind DefectDojo. So pretty much anything you can do in the UI, you can do with the API as well. So why would I want DefectDojo? And why is this the solution or why should I choose it? So more fundamentally, what is even DefectDojo? What is it?

09:37
What is this thing? Is it a DevSecOps platform? Is it an ASPM, an Application Security Posture Management tool? Is it an Application Security Orchestration and Correlation tool? Is it a Unified Vulnerability Management tool? Is it a Runtime Vulnerability Management tool? Honestly, who cares? It is a security tool written by security people

10:06
to solve security people's problems and make their lives better. Honestly, that's all sort of marketing stuff that is, I guess, useful to help sell products, but it doesn't solve problems. So I want to focus on how DefectDojo solves problems for you.

10:22
So like I said, DefectDojo is your single source of truth. And as I mentioned earlier, DefectDojo has a very robust REST API along with its UI that allows you to automate as much or as little of your AppSec or security program as makes sense. So if you want to toe dip into automation, we've got that for you. If you want to do the full on automate all the things, DefectDojo will do that for you as well.

10:50
And because of the smart features that I'm going to talk about in the next slide, it helps reduce your overhead. So the amount of grunt work your team is doing will be reduced. And you can even help that to reduce costs because you can get some great visibility into how those tools are performing for you and make data-driven decisions about which tools to keep, which tools to consider swapping out, which tools are actually worth reinvesting in.

11:19
And then because you have this combination of all the tools wherever you're doing security assessments, you now have this great view, not only of the entire landscape, but with the priority and risk features, you have the ability to look at the risk and priority across your entire landscape of tooling. So I don't have to say, well, SAST thinks this particular area where we've gone, but SCA doesn't like this other area. So you can have a combined view and actually address the truly risky parts

11:48
across all of the tool suites that you're employing, which is rather important.

11:54
So, what are those smart features I mentioned one slide ago? DefectDojo has this idea of deduplication, nothing new there, but what it will do is dedupe within or across tools so that as I'm running scans and importing data into DefectDojo, I have the actual list of actionable findings rather than...

12:22
Like a repeat. I don't need to tell the dev team, Hey, fix this thing, the same thing four times. I just need to tell them once. So it de-clutters your data and gets you down to like an act, nice, actionable list. The other thing DefectDojo has is something we call auto triage, which if you're running recurring scans of the same thing, i.e. I'm running CI/CD every time a PR is

12:50
put into the repo, let's say. So I'm scanning the same repo for every PR. DefectDojo can actually look at what has happened before, what has happened in the most recent scan, and take a delta and say, oh, look, this was in the first scan. It's not in the second scan. Therefore, it must be gone. I'm going to just close that for you automatically. That's a little bit of drudgery off your plate. And so you end up with the ability to do scans as quickly and repetitively as you want to, but

13:19
only having a single actionable list of things in DefectDojo, right? All that kind of dedupe and auto triage can reduce the noise down significantly for you.

13:31
And then beyond the dedupe and auto triage, we have prioritization and those insight dashboards. I showed you a couple of them. There's several more. But the idea here is it gives you visibility into your AppSec program and allows you to remediate things at speed and also focus on the most important things. Some ways that we enrich data.

13:55
For every CVE, we'll match it and add an EPSS if it exists for that CVE, even if the tool doesn't provide it. Some tools do, some tools don't. Doesn't matter with DefectDojo Pro, we'll add that in for you. And then also we are about to add KEV. So KEV will be the next way that we augment and enhance findings from scanners to go beyond what the scanners produce. And then for prioritization, like I mentioned earlier, we take a whole bunch of metadata

14:25
that you tell us about things at a product level. The findings that come from scanners, plus the augments we do or the enhancements we do to findings, put those together to provide a prioritization, which is globally across all of your findings in DefectDojo, which ones are the highest priority, the most spooky, as well as a risk categorization that says this is the sort of risk band that those findings fall into to help you focus your efforts on the most important things.

14:56
So with these smart features, what are we looking at? So one of the advantages of having a company behind DefectDojo is we actually interact with customers now and we get to like find these nice stories that were harder to get when you have an open source project. So this is an example of a pro customer. They had 30,000 findings-ish in DefectDojo. With the smart features and the auto triage and the prioritization,

15:26
they were able to distill those down to 40 urgent risk findings that needed action. So you're taking 30K and boiling it down to 40. 40 is a number that humans can deal with. 30,000, not so much unless you have a huge team, which I've never been in a security team that had too many people. So you've taken 29,900 some odd findings off the table that you don't have to review. You just have to look close at those high urgent risk findings

15:56
and handle those and you're moving the ball forward, right? If you do some rough paper napkin math, you're looking at 15,000 hours saved per month. This is how your team is happy and how you're productive and you can move things forward. Another feature of DefectDojo is we do have a bi-directional sync with Jira. So this allows you to have sort of a single source of truth that the security team uses. And some customers have

16:24
like dev teams logging into Dojo, some don't, doesn't really matter. That's your choice. Dojo supports both. But then when you're ready to get remediations done, you can push them to where those remediations are tracked generally, which is something like JIRA. And then it's bi-directional so that if I add a, let's see, if I add a comment on the JIRA side, it'll show up as a note on Dojo. If I add a tag on the Dojo side, it'll show up as a label on the JIRA side. So.

16:52
This allows a security team to sort of work in their environment and the dev and remediation teams to work in whatever environment they're used to working in. Another big aspect of having DefectDojo sort of between a tool and your issue tracker is that as a security team, you can make judgments about what you send downstream. Maybe you know a team is about to do a really big release and this is like a quarter

17:21
in like a significant impact on your quarter revenue feature that needs to get out the door. In other words, you're pretty well assured that unless it's a stop all, stop all forward move motion and fix this thing issue, it's not going to get addressed. Right? So maybe you pause sending those to JIRA while this team pushes this big feature out the door, have a conversation with that team's leader and say, Hey, I know you've got the big release.

17:51
Let me work with you so that once that's out the door, I'm going to sort of queue up some things we need to get fixed once we tick the box of releasing that thing, right? And this is how you build goodwill with your stakeholders, the people who have to go do the remediation for the stuff you're finding. Much better than, I've also, in the early days of automation, you see a lot of people plumb tools directly into JIRA. And to be honest with you, that's how you get kicked out of JIRA. So I would not recommend doing that. Having that middle ground,

18:21
DefectDojo really helps.

18:25
So what does this all look like? So Pearson was actually using the open source version of DefectDojo. And when they adopted DefectDojo, they were doing 44 assessments per year within their AppSec team in this case. By year one, they were up to 224. And by year two, they were up to 414. What this is is an 840% increase over two years for Pearson. They actually got more done

18:54
without adding staff just by using the efficiency and smart features that DefectDojo gives you. So these are awesome numbers, but to be honest with you, don't tell your boss, just get DefectDojo and have a little more free time, just never a bad thing. I'd much rather sit on a beach and look at a sunset than kill myself with Excel trying to manage 40,000 findings in Excel, which sounds horrific, even just saying it.

19:26
Another nice thing about DefectDojo is that it will adapt to your level of, I don't know, security ninja-ness. Right? So if you're starting from ground zero and you have nothing in place and you're just doing whatever you can to get by, DefectDojo at least gives you the advantage of having that single source of truth and normalizing all those different scanners that you likely have,

19:52
and you're not manually entering things into Excel and dealing with those kinds of things. You get metrics right out of the box. If you're a little more formal and you've got the single source of truth, the DefectDojo, suddenly now you maybe want to do things like standardize how things work, like a standard engagement or a standard assessment of a source code repo, we run these four tools, right? That could be inside of an engagement in DefectDojo. You run those four tools, you can produce results

20:20
about that combination of those four tools. Maybe you want to get a little more mature. Maybe you have CI/CD in place and you want to do an every merge to main or every PR or every week, whatever makes sense, running CI/CD tooling to then produce results to get fed into DefectDojo. You can use auto triage to keep the list down to only the actionable items based on the last scan.

20:48
And suddenly you're moving forward. Or we have a set of our customers that are highly mature in their automation and they, to be quite blunt, barely log into DefectDojo; they use the REST API almost for everything. Which if that's where you're at and that's what makes sense for you, that's perfectly fine. It's been super interesting getting to see customers' use of data now that we actually have a company behind Dojo and it's not just an open source project.

21:12
And there's this interesting division between some that are very heavy in the UI and some that are very heavy on the API and some that are a mix. And so Dojo will flex and bend to your needs wherever you are in sort of this maturity ladder of security automation.

21:29
And then another place that DefectDojo is really flexible that I quite like is this idea of our data model. So we have product type, which is really just a way to group a number of products for reporting purposes, primarily. I like to think of it as I have a, let's say a VP that owns five different products. Well, I'm going to put a product type that correlates to that VP's domain, whatever it is, like, I don't know, insurance, I have no idea.

21:59
And then the five insurance products can go underneath that VP. So that now when I'm reporting for the VP, which I'm inevitably gonna be asked, I simply take metrics at the product type level and my reporting's done. I don't have to combine, I don't have to do anything, Dojo does all that for me. And then products can have what we call engagements. Products, by the way, can map to an actual product, a repo, a bunch of different things.

22:27
Engagements allow me to have multiple security assessments under a product. And then engagements allow me to combine the results of multiple tests in Dojo-speak, which tests are generally a scanner, although this can also be manual testing. Multiple tests and combine them into one reporting function at the engagement level. This is where this gets really useful. Maybe I, every time we do a release, we have a pre-release pre-flight check

22:56
that is running four, five different tools against that thing before we release it. I can run all those tools and then have one view of the net of all of that security activity, which is very, very useful rather than having to report, well, DAST says this, SAST says this other thing, and my SCA tool says the third thing. Just combine it all into one. But then tests have findings, no big deal. This is the standard security issues that come out of doing any kind of security assessment work.

23:25
And then for some findings, you will have endpoints, which is where that security issue is located, things like host names or things from infrastructure scans. And then you can walk this model from the top to say this product type contains this product that has an engagement that has these findings, or you can walk it from the other direction. On this host, what are the issues that it has that were found during what test that's part of which product, right? So you can walk this model up or down.

23:54
There's another video on our YouTube channel where I talk about the various ways you can use product type, product and engagement to fit pretty much any model. We have yet to have one that really didn't fit it well.

24:09
So you may have noticed I mentioned an open source version and there's also a commercial version. I kind of love this slide. So before DefectDojo, you were probably getting crushed by the amount of vulnerabilities you're trying to handle and make sense of. Open source Dojo can help you give a huge hand up on getting a handle on those vulnerabilities and making sense of them. And then Pro, we have a lot of quality of life features that make it to where maybe you can go sit on the beach,

24:37
although I don't think I'd be wearing a shirt and a tie if I was on the beach, but you can sit on the beach, enjoy your drink of choice, and your problem gets significantly smaller. So the next logical question is what's the difference between Pro and open source? This list keeps getting longer, honestly.

24:58
So customizable dashboard in Pro, we allow you to customize the dashboard you first see when you log in with a bunch of different tiles and each of those tiles respects the RBAC permissions in DefectDojo. So you can sort of make custom views based on who's logging into DefectDojo. We do have an enhanced UI for Pro customers. There's those data visualization, otherwise those insight dashboards I showed you earlier, there's a handful of those.

25:25
We have a smart upload feature which allows you to do broad network scans and then parcel them out into the products they belong in. Tunable deduplication for both same and cross tool and reimport in DefectDojo Pro. We have these things we call connectors or API connectors. So if you have a security tool that has an API that DefectDojo can talk to, you can put in a little bit of configuration data and DefectDojo will automatically pull those down

25:53
and do re-imports of them every day so that you constantly have the up to date information for that tool. I already talked about this earlier, we'll enhance findings with EPSS and we're about to add KEV. There's SSO and MFA. We've added unified support across sort of the two big pillars of security or two of the big pillars of security. So AppSec or DevSecOps or whatever you want to call it plus SOC now. So you can have two different views of the world.

26:23
We have a rules engine that allows you to write rules to say if a finding came, for example, this particular SAST tool produces these findings, it says they're critical. I have a mitigation in place that actually makes them medium. I can just write a rule and then auto push those down to the right severity I want or a bunch of different things. Universal parser, if you happen to have an internal tool or some other source of data

26:52
that DefectDojo happens to not be able to ingest. You can upload that data into Dojo. You can map that data to the data we hold for a finding and create a parser on the fly and then be able to ingest any data in any which way you want. I'm kind of tipping our hat a bit. If you saw the newsletter that went out yesterday or maybe this morning, I can't remember when. We have an MCP now that you can connect the LLM of your choice

27:22
into DefectDojo's data and ask it prompt-like questions, which is pretty sweet. We have a CLI and a universal importer, which are command line tools. The universal importer is actually really cool. It's a universal way to connect your CI/CD into DefectDojo and automate pushing findings from when you run, or issues or whatever you want to call it, results from scans into DefectDojo on CI/CD runs.

27:49
You can do asynchronous importing so the UI doesn't hold if you're pushing up large scans. We have the risk and priority I talked about. For both open source and commercial, we do weekly releases and then monthly bigger releases. The second, if you're SemVer speaking, the second minor version revs every month, then we have a third dotted version that revs every week. You have dedicated customer support, obviously with Pro.

28:19
And we can scale this thing to crazy levels. We have one customer that was doing 30K re-imports per day. And there was another one that had 9,700 products in DefectDojo. So it'll scale like crazy. That's been kind of fun, honestly, to watch.

28:39
And then security, well, this is a company built by a bunch of hardened security people that are rather paranoid and don't trust anybody, myself included. So you might think we have a, or may not be surprised that we have a fairly rugged security posture. We have SOC 2 Type 1, we do regular pen testing. As a customer of Pro, you can select the region. So if you have data sovereignty concerns, you can put it in the region that you want because all of our

29:09
instances for DefectDojo SaaS are single tenant with no shared resources. So we don't co-mingle your vulnerability data with any other customer's vulnerability data for obvious reasons. We have MFA support. All the instances have a firewall that the customer can manage to restrict or open as much as they feel safe, whatever matches their policies. And then we have loads of monitoring going on, both ASPM, traditional observability,

29:39
audit log monitoring going on so we can watch what's going on with all of our customer SaaS instances and be proactive if there's any issues. So to kind of summarize, DefectDojo will give you that unified vulnerability management and single source of truth. It allows you to automate manual tasks, some of which Dojo will do for you with the dedupe and the auto triage, some of which you can do if you want to use like the universal importer to make CI/CD ingestion easy,

30:07
or the connectors make pulling from API-ified vendor tools easy. And then once you get all your data in, we have this comprehensive reporting as well as risk and prioritization across everything as opposed to these little slivers of views. You get one view, which is quite nice. And because DefectDojo can grow with you, you can scale your AppSec program in terms of automation or number of findings or any of those things over time. That's kind of the whole purpose of Dojo, to be honest with you.

30:37
And so this is where I end and thank you for your time today. It's been fun talking about Dojo. I rather like it. So I am happy to answer any questions people may have or whatever else is going on.