May 14, 2025

May Office Hours: Introducing New Risk-Based Prioritization

Transcript

00:06 Hi everyone, happy, what's today, Wednesday? My name is Greg Anderson. I'm the creator and now CEO at DefectDojo. And so today in office hours, I'll be sharing one of our new features, which is a risk-based prioritization feature that is now live for all customers in DefectDojo. And so first, if you just happened to hear about this session, if you're not familiar with DefectDojo,

00:33 What DefectDojo is, is an open-source platform for vulnerability management and security automation. We created this about 10 years ago at Rackspace before it became open-sourced. Today we have about 43 million downloads, in use by north of 10K organizations. And the platform itself is all about centralizing security, doing automation, and trying to remove as much manual work as possible for security professionals.

01:05 And so how we do that is we just aggregate the data together from all these different security tools, put it in one place, auto triage, deduplicate that data, and then enrich that data. And so one of the new combinations of all our enrichment is this new risk scoring. And so we created this because the job of a security professional has never been harder.

01:30 Just this year alone, there was a 25% plus increase in the number of CVEs. Software is like milk in that it spoils over time, it does not get better. And unfortunately, we bear the brunt of that as security professionals. And so we feel that the job of security professionals has never been harder and there's never been more noise or more issues to wade through

01:58 when it comes to assessing risk of vulnerabilities and how you prioritize those vulnerabilities. Or to put it another way, how I used to feel before going to the evil vendor side is like I was rearranging deck chairs on the Titanic. You know, we talk about all these different things in security, but oftentimes what can be important isn't what really matters. And so that's the other part of building this feature is to

02:28 highlight what matters most to the business and give contextual information to help security professionals advocate for what actually has to get fixed through a scoring methodology. And so, yeah, just to highlight a little more, our job is one that is constantly filled with trade-offs in terms of where do we spend time, what do we fix, how do we approach the massive amount of data,

02:57 findings and vulnerabilities that a security team has to deal with.

03:04 And so how we actually calculate this is there's a lot of interest with regard to risk in the market. And most of what we've seen is based on matrices or something that requires a significant lift to get accurate scoring. And so when we approached this problem, we wanted to make sure that everything came to a single finite deterministic point to look at. And that also

03:31 that the feature would work really well right out of the box. So with no lift, although the scoring can be customized and adjusted. And then just a little more in terms of how we think about risk versus priority. We think of risk as like the simple final contextual decision of any finding, the ultimate risk to the business.

03:56 Whereas priority is just a number that is really meant for absolute triage, if you will. So if you wanted to know between two issues, which one was more urgent, priority would be a better thing to look at. Whereas with regard to risk, urgent is just urgent. It gives context versus a high level score.

04:21 We kind of think of risk as intended for a more senior audience and priority is more of a number that helps people on the ground, that's essentially how we've approached it.

04:38 And so with regard to how we actually calculate this and how we come up with this contextualized risk scoring, we're looking at a number of factors. So of course we're looking at first the base severity that's reported and then these other factors that DefectDojo automatically gathers or you can supply. So the number one thing that will change risk and priority within DefectDojo is if a vulnerability is known to be exploited in the wild through EPSS.

05:08 And then from there, we'll move on to look at how many endpoints this finding affects. Are these endpoints reachable? And then moving on to user records, we'll look at things like what is the business criticality of what is associated with these findings? Are you storing user records there? Do we have revenue information on that line? Also, it will look at things like compliance fines if

05:37 certain products or projects are subject to compliance or certain compliance standards. Those are all things that will amplify or change the priority and risk for any given finding in DefectDojo. And then how those calculations actually translate into risk classifications. Generally speaking, anything above needs action is fairly self-explanatory.

06:04 Urgent is essentially, it needs to be fixed as soon as possible. Immediately, it poses an immediate security risk to the organization with a high likelihood of creating a breach with significant impact to the business. And then medium and low.

06:26 You know, medium's nice if you have bandwidth; low, I don't think people are going to spend a lot of time with. But what this allows Pro users to do is re-slice findings based on contextualized risk rather than just looking at the base severity or what the scanner is reporting.

06:51 So one of the things that we try to do with any feature at DefectDojo is always be flexible. So when we start talking about the ranges and what they translate into with regard to the risk, those are actually unique to your organization. So one of the things we're looking at is do we have metadata or not to influence and give you the most accurate risk rating possible,

07:17 or are you trying to look at risk and prioritization with no context? We want people to be able to utilize these things successfully with no lift and accurately, or if they want to get ultra customized, we allow you to do that through the metadata fields currently. Or to sort of share my favorite security professional, William Shakespeare, you can choose to add the metadata or not.

07:45 It will still work and it will still be very accurate, regardless of which path you want to take. At DefectDojo, one of the things we always want to do is sort of lead with what we believe is the correct view, but also allow users to customize because in our experience, no two security programs care about the same metrics, no two security programs care about the same risks, et cetera.

08:12 Yeah, and so just going back to highlighting how these scores are made up. With regard to the blue, those are things that DefectDojo will do automatically for you. And then in the orange is data you can choose to supply if you want to further influence the scores.

08:33 Okay, so moving on to the demo. Chris, I know we also had a couple of questions. Do we want to field questions or go straight to demo? I say let's go to demo first. Okay. So I have two parts to this demo.

08:55 So flipping over to the Pro platform, what I've pulled up here is just a view that looks at the active findings within the product. And so there are these two new columns here representing the risk and priority. As always in Pro, you can customize what you see here. You can remove things from this table. You can drag and drop if you want to have a different ordering.

09:22 But so with regard to risk, if we sort based on the risk, what you'll notice is as we scroll through these critical findings, you'll start to see that there are certain highs that are mixed in. And so it's just a different sort of way of looking at findings contextually to understand the actual risk and going beyond what the scanner is reporting. And then the other thing

09:51 that will be released, I believe on Monday, but I have a video preview to show everyone, is the new Insights dashboard. Actually, let me hop really quickly. So if you're not familiar, we publish various Insights dashboards to give information on things that we think are key to security programs, things like remediation insights. And so there is a new risk and priority insight

10:21 that will be added to the platform on Monday and to show you the quick preview on what that will look like.

10:35 Here is that dashboard. So it will break risks down by product, by component if you're working with SBOMs, and by host if you're working with hosts. It gives you this, and these Insights dashboards are designed to give a comprehensive view as it relates to risk and priority. The only thing that's missing in this dashboard that people will see on Monday is a list of

11:02 prioritized findings at the bottom with all the risk components that go into prioritization. So it'll be a specific view of the findings and all the different components that go into calculating risk and priority.

11:25 We've already had a lot of reception about this feature. Sometimes when we release a new feature, it takes time for people to absorb it, people to start using it, and us to eventually get feedback, whereas this one was instant. And so we're very aware that people want further abilities to customize scores and more data source enrichment opportunities to further influence risk and priority.

11:55 And so we hear you, we're working on it. I'm very proud and appreciative of the reception that it has had. And these are definitely things that we're aware of that customers in the community want to see.

12:12 So with that, that's all the prepared materials I have. The last thing I wanted to mention is, we do have this large open-source community around DefectDojo. So if these are things that you're interested in, security automation, risk and priority, please feel free to participate. It's a welcoming community. It's a warm community and we appreciate,

12:39 you know, anyone that interacts and chooses to participate in any form.