Transcript
00:08
Welcome everybody. It's good to have you today or this morning or afternoon or wherever it is, whatever.
00:17
So I'm going to introduce the DefectDojo Community Program today as part of our office hours.
00:25
The agenda today, we're gonna talk about a little bit of background on DefectDojo, just the history, honestly. We're gonna talk about DefectDojo and our commitment to, well, we've always been open source and maintaining our open sourced-ness. I'm gonna introduce the contributor rewards program and talk through that. I'm gonna give you some areas where you can get involved if you want to get more involved, if you're not already super involved or what have you. And then we're gonna do an AMA so you can ask me anything.
00:55
So who am I? I'm Matt Tesauro. I like to call myself a reformed programmer and an AppSec engineer. I started out life actually writing, this will date the heck out of me. I started writing PHP 3, which is kind of nuts. But I'm now the CTO and co-founder of DefectDojo Inc. I've had 17 plus years being involved in the OSS community. I'm a core maintainer of Dojo.
01:19
did the, I was co-lead of the AppSec Pipeline Project and I was the leader of the OWASP project. Just so you understand kind of my biases, I guess, if you want to call it that. I've got 25 years of using Linux and open source. I'm doing this deck on a Linux box because I just like the Linux. My first contribution, when I was doing this deck, I realized my first contribution to open source was in the late 90s. I think it was like 98.
01:46
or maybe 97, it was a long time ago. So I've been doing this open source thing for a bit. I'm currently a Golang fanboy. When I write code, I don't get to write as much as I like, but when I do get to write code, it's in Go. And that is actually me doing two board breaks simultaneously with a double jump front kick. And that's what got me my second degree black belt in Taekwondo, or excuse me, not Taekwondo, Tang Soo Do. Ooh, man, just insulted all the other people at the Dojo. Sorry, guys.
02:17
Okay, so let's get into the history lesson. So 10 years ago, let's see if this works.
02:26
10 years ago, DefectDojo was created. You might understand the sort of theme or style of this. I was not sure how this graphic would work. Current version, version 2.44.2, The Community Awakens.
02:48
So continuing with the success in the ASPM Galaxy DefectDojo doubles down on their community engagement. Not only are the contributions encouraged, now they are rewarded. The community is strong in this one with flexible data model. Oh, interesting, it reset over there. These things are in different areas. Oh, that's crazy. Interesting. My...
03:15
presenter deck is off of my other deck. I have no idea what you're seeing. Well, this sort of works. This is a cool Star Wars looking thing that works great locally. I have no idea what's coming over the video. Oh, now you're getting the scroll. It looks like, oh, that's hilarious. Yes. Oh, that's that's hysterical. I was reading off of my presenter view, which is offset of this one. Well, note to self, don't use these rolling GIFs anymore.
03:45
Okay, so anyway, yay, Star Wars theme. Let's move on. So security work before DefectDojo. If you're doing this job, this is probably how you feel. You've got this ocean, if not a tsunami of vulnerabilities splashing down on you with your nice, you know, earth-colored umbrella, earth tone umbrella, but it's not very useful. So instead, let's talk a little bit more about DefectDojo.
04:10
So it was created in 2014 at Rackspace. I was actually the head of the product security group at Rackspace. We owned everything that ran Rackspace's cloud from the iron up, which was a rather big scope. And we were running loads and loads of different tools that we had to make sense of and get sane, actionable data out to the different product teams. And that's really what drove the need for DefectDojo. We wanted to tame the chaos and keep our team from.
04:39
losing their minds, quite honestly. And then we eventually open sourced that and became an OWASP project. We are currently now a flagship project, which is like a strategic project for OWASP. We've been open sourced for 10 years. We're looking at 38. We have 38 million downloads, over 400 active contributors, which is pretty amazing. And we're in the GitHub top 25 project security or open source project. And we're used...
05:08
all over the place. It's kind of honestly like as an aside, the probably the best thing about having a SaaS service is I actually get to see people using it because we knew a lot of people were downloading it. But you don't tend to get a lot of feedback and it's been really cool to see it. Just some rough numbers. I know of an install that has over 9,700 products in it. So Dojo will scale to crazy numbers. There was another one that I was aware of that was doing 21,000 re-import a day.
05:37
In addition to doing the reimport, they were actually adding a small text file that was a manifest of what was scanned, adding that to that reimport. So 21,000 imports as well as 21,000 file uploads per day. And six figures of findings, just nothing new. There's, you know, several instances that are well over 2K findings, so this thing will scale. It's kind of nuts. And we've seen a lot of customers. It's been the other interesting thing that's come out of
06:06
like having a closer connection with our community. A lot of customers using multiple, usually open source, honestly, scanners, so they can get maximum coverage because DefectDojo will dedupe and distill things, and that allows you to run a whole bunch of tools and only get a small amount of actionable output, which is pretty sweet. So yeah, DefectDojo is ideally your single source of truth for all your security risks.
06:32
And the idea is to give you a foundation with which you can automate this entire process. This allows you to reduce overhead and tool costs. And honestly, as an aside, one thing I realized after we started using DefectDojo is if I have one team that has Checkmarx, another team has Veracode, I need to do SAST scanning. Maybe I don't care. Maybe that's fine. Right. It doesn't really matter if I can just combine them. Right.
07:02
And then because I have DefectDojo making sense of all these things, I have a nice actionable view of all of what's happening. So when we were initially creating this at Rackspace, I had to report not only to the specific sub teams within a product line, but also to the head of that product line. And DefectDojo allows you to slice and dice data that way.
07:24
So this is kind of the end goal we'd love to see you get to, where you have what I like to call an AppSec pipeline, go figure, I had an OWASP project on that. Where on the left-hand side, you have GitHub and GitLab ideally running CI/CD tests that get pumped directly into DefectDojo. You also can run a whole bunch of tools. All those can also get pumped into DefectDojo. That's where the normalization, dedupe and all that other good stuff happens. And then from there, you have a single source of truth to do fun things like,
07:55
mark things as false positives. Push things out to reports and metrics. If you have like a GRC system like Archer, you can push results out to Archer. You can do bi-directional syncing with JIRA. So if that's where the developers want to work, that's fine. You can push findings down to them. So this is kind of the end goal and kind of the happy place you can get to with DefectDojo.
08:18
And then moving on to our commitment to open source. When we announced DefectDojo Inc, the company and our SaaS offering. I mean, like I said, I've been doing OWASP since what, 2008 or so. I can't remember exactly when I started doing OWASP, but it's been 17 years. I know a few people there. The next time I went to an OWASP event, I had a lot of people saying like, what is this DefectDojo Inc thing? What are you doing with our fun and exciting open source project? So I got a lot of this.
08:46
Open source doesn't matter anymore, huh? You guys are just gonna sell out and become a commercial company and I hate to tell you this but that's wrong. We can now actually do even more than we ever did. Like I actually for the first time in not quite 10 years because I've been working here for two, so eight years I guess. Instead of it being a nights and weekend and when I found time, this is my day job is to make dojo better, which is really really cool.
09:14
And that's Dojo, a whole of Dojo, not just our SaaS offering. Because guess what? Like our SaaS offering uses Dojo. So we've always been open source. We're not changing any of that, even though we have Pro. Instead, Pro has really enabled a bunch of really cool things that do help the community, right? For the first time ever, we have full-time engineers whose job it is to make Dojo better, keep it maintained, make sure all the third-party libraries are updated, all that other stuff you have to
09:44
do when you maintain enterprise grade software. We also, now that there is Pro, it's someone's job to go answer questions on Slack. Now the community is great and we get tons of interaction where the community answers their own questions, but we do have explicit people who are DefectDojo long-term contributors who are going in and answering questions on Slack, responding to GitHub discussions, and triaging GitHub issues.
10:11
So this is huge in my mind, because we suddenly have this ability to get you a good, well thought out answer, not only from the community, but from active contributors as well. And we actually just brought on a contractor to do some work on updating the UI of DefectDojo. This is kicking off, I think, next week, very, very soon. I don't exactly remember what the start date is, but we will have someone who's going to work focused, or their work will be focused on updating the UI for DefectDojo, which is...
10:41
Also pretty cool. And then for those of you who've been around with DefectDojo for a while, you may have seen this post that I did to the GitHub discussions talking about a feature freeze and also this idea of DefectDojo 3.0. You may be curious about that. So let's hit the feature freeze first. We've stopped the feature freeze.
11:05
We actively want contributions and we really didn't stop contributions, but we were assessing the state of DefectDojo at the time to understand where the shortfalls were now that we actually had engineering bandwidth to go in there and do more than just like, it's a slow Saturday. I've got nothing going on. I'm going to fire up my editor and poke around on DefectDojo. Instead, this is where we can actually do planned looking at things and improving the
11:32
A lot of our improvements have actually not been on the surface. They've been like performance and scalability and reliability and bug fixes of DefectDojo itself. And then for the V3 thing, the one thing I'd like to say, and I'm cheating, I'm using a Bruce Lee quote because I like Bruce Lee. A goal is not always meant to be reached. It often serves as something to aim at. And honestly, I only
11:59
put down the V3 idea of this is where we wanted to get Dojo 2. We're not there yet, but we haven't stopped moving forward. We continue to move forward and try to make Dojo the best it can possibly be.
12:12
All right, next section is the contributor rewards program that we are announcing at this office hours. So we do love our contributors. I mean, we wouldn't have 200-ish tools. I lost track the last time I counted, I think it was 196, but that's been several weeks ago. So who knows what our total number of tools that we can ingest is.
12:36
But a lot of that is because of you, the contributors, who have said, hey, I'm using this tool and I can give you a sample file, but I can't write a parser for it. And we can take that sample file and create a parser. And this is how we get that wonderful tool coverage. So we wanted to do more than the usual kind of like thank you or thumbs up emoji. So how do we do this? Because Dojo gets a lot of contributions. This can be code. This can be documentation.
13:05
This can be GitHub issues of like, hey, I tried to do this thing and it didn't work like I expected. Is this a bug or is this how it works or I don't understand? Or I read the docs and the docs say this, but this is how it actually works, right? Like I mentioned earlier, sample scan files, we love those. That's how we can keep up with the wonderful vendors who like to change their file formats for no apparent reason and at random times.
13:29
Or like tell a friend about DefectDojo. That helps us too. Like more people who know all about this, more chance we have of contributions and people helping us make the best possible open source thing we can. So the actual contributor rewards program has sort of four levels. The initial level, the first time contributor, if you've contributed to DefectDojo, you enroll in the community contributor program and we'll send you a batch of stickers, Dojo stickers for free. No questions asked.
13:58
If you are a contributor and have contributed 5k lines of code and actually this could be in the, this is in the GitHub repo. So this could actually be documentation too, I guess, because it's just really repo lines of code lines. We will send you a regular contributor shirt that is special only to you. Well, it's special. You can't get it unless you're a contributor. Like only contributors can have these t-shirts. If you commit 15k or more lines of code,
14:27
You can get 10% off the DefectDojo Pro subscription for life. And then Hall of Fame, you get a free instance of DefectDojo Pro.
14:36
And how do you get access to this? Well, you can go to community.defectdojo.com or we have this lovely bit.ly URL that takes you directly to the enrollment form. On the community page, you can see at the bottom, this section right here is what will get you to the rewards program. Fill out a short form so we know how to contact you and then we'll make things happen.
15:04
And then how can you get involved with DefectDojo? If you're new to Dojo or you want to get further involved or what have you, what areas do we have things for you to get involved in? Well, we definitely, probably the busiest and most active places, OWASP has a Slack instance. There's a #defectdojo channel in that Slack instance. So if you join us on Slack, that's a great way to interact with the community.
15:28
get questions answered. There's honestly more activity in that Slack than there is really in GitHub issues. So if you have a gee, how do I do this question? Slack is actually a great place to do that. We're doing a whole ton of events. If you go to defectdojo.com/events, you can see them. The next big one is OWASP Global AppSec EU in May, end of May. Yeah, end of May in Barcelona. We just did SnowFROC.
15:56
I was just at the Austin chapter. We're doing something at BASC, which is the Boston OWASP Conference. So we're doing a ton of things around security and we'd love to have you there. Or you can do one of these things like come to an office hours. Or we have like a fireside chat coming up with Jim Manico. There's a bunch of cool things we're doing. We'd love to have you there. Obviously you can see us on GitHub, github.com, DefectDojo, no big deal, no big surprise there rather.
16:23
And then we have LinkedIn and YouTube presences as well. And we'd love to have you at either of those places if that's your jam. And then we're on to the AMA section. So I would say, what's on your mind? I'm happy to answer any questions anybody has about this program, about DefectDojo in general, directional things on where we're going, whatever you want. I'm game.