On Demand

May Office Hours: Spring Roadmap

Transcript


00:00 Welcome And Agenda
00:42 Defect Dojo V3 Goals
01:08 UI Rebuild Beyond Bootstrap
02:20 Deployment And API Changes
04:03 Release Plan And Licensing Shift
05:58 V3 Interface Demo Highlights
07:56 Wrap Open Source Updates
08:18 Custom Pro Dashboards
09:57 Report Builder Revamp
11:44 Locations Product Hierarchy
16:13 PSIRT Advisory Engine
18:44 Managed AppSec Offering
21:00 Community Events And Q&A

Hi, everyone. Happy Wednesday. Thanks for taking the time this month. Excuse me. The agenda that we've prepared for, um, today, I will say it is a little more Pro-slanted than normal. We try to, um, balance talking about the open source and the commercial edition as much as we can. And so, most of the, the things we're talking about today are on the, the Pro side.

And so, if you're only interested in open source, if you want to, you know, tune out or, or leave once we get past the open source points, you, you won't hurt my feelings. But to start with, kind of the big buzz in open source is the V3 version of Defect Dojo. And so, V3 is something that we've been working on for quite a while.

The number one thing that we've wanted to accomplish with a V3 is changing the look and feel and modernizing, uh, the open source version specifically. Pro has been, uh, modern for a while. But, uh, one of the big challenges in modernizing the open source version from a UI perspective was the, the bootstrap library, um, to get a little technical here for a couple of minutes.

Um, in our early attempts to get a new UI out we tried kind of plastering over bootstrap to, I don't wanna say be lazy, but to try and take the, the easy way out, if you will. So keeping bootstrap and then trying to paper over it where it made sense. You know, we're pretty late on this release at this point, and so, uh, I hope that doesn't become a pattern in open source.

But to actually get a new interface done, which we'll demo here shortly, is essentially a, a ground up rebuild. It still, I would say, feels very similar, but it is much more modern. But it did require a complete bootstrap replacement. The other reason why we thought that was really important to get bootstrap out completely is because it's just an aging piece of software, that component specifically.

And so we thought it was important that we get it out sooner rather than later. There are some other changes that were slated for V3 but are already present in V2. It has to do with, uh, things like import time, but also configuration and setup out of the box. When we talk about the very early versions of Defect Dojo V2, it was always very developer focused and not so much, um, production deployment focused, if that makes sense.

Uh, in the early version of Defect Dojo V2, it was a, a community primarily of developers, and that's grown a lot and the audience has changed significantly. And so we also wanted to take a focus on making things more easy to deploy. Um, when we talk about V3, um, there is an announcement and a lot more detail in our, our Slack channel, on our GitHub discussions, that has more details on what you'll see or what you won't see.

But with regard to, um, things that you won't see yet, um, we are also working on some changes to the API to make it easier to work with. The best example I can give you of an API change right now is the difference between import and re-import. If you're a very experienced Dojo user, you probably know that there really isn't a reason to use import anymore.

We've made re-import flexible enough that it essentially accomplishes all the core goals of the import function while adding the smart triage functions like, um, close old findings, as an example. And so, you won't see this yet. It's, um, it's coming. It's something we're working on. But the other pieces you can see and experience today, um, they are in the dev branch currently.

They're slated for release June 1st. We may have to delay it, uh, ever so slightly because there's still some tweaks. Um, the other thing that's in the announcement is we talk about V3, the initial version, being downgrade compatible for those that accidentally do upgrade and prefer to stick to V2 while it gets polished.

Um, the other thing we did for V3 is the two interfaces live side by side, so you don't have to, uh, transition to the, the V3 interface, um, completely or all at once. And then we did also make some changes on how we look at, uh, open source versus pro in V3. I don't wanna gloss over that in this office hours, but the complete details on why and how we're approaching this change is, uh, all in that release.

I really encourage you to go read it. It also includes, uh, the feedback channels, how to get a hold of us to share, um, your thoughts and feedback and concerns. But the net is we have moved RBAC. We're not planning to support SSO and RBAC as part of V3 in the open source version. Um, two things we've done to try to address that is first we, we have a new free pro option or V3 for small organizations.

Um, our goal with this change is to, um, squeeze enterprises specifically. But, uh, if you go look at the announcement, it has, um, all the details on why, which, you know, I encourage you to read. And then, um, we have channels set up to, you know, share your feedback as I'm sure there will be, um, some feedback around this change.

And, you know, we understand that and are happy to, uh, talk through it in more detail. So to cut over and actually look at V3 and give you some examples of what it looks like, um, here it is kind of at a high level. And so the thing that I think is worth emphasizing is the reactiveness of the application.

So, um, it's, it's a very different experience from V2. We wanted it to feel familiar, and there's still quite a bit of polishing to do on the fonts that are in use. But we've also spent some time organizing and rebuilding the filters. As you may be familiar, these filters, um, can be verbose, is maybe the nice way to put it, but now they are, uh, collapsible, grouped by what they do, et cetera.

And so there's still a couple more things to, to polish here that I expect we'll get to before it's actually released. But the other thing that we've put in that announcement is we do advise not putting production instances on V3 to start with because, um, there are changes, there's more polishing to do.

We just thought given that it's been delayed and given that we had something that was call it on the verge of usable, we always like to release early and get feedback, uh, it made sense to, to go ahead and, and get it out there and, and start getting feedback. So if people accidentally upgrade, um, you can just downgrade and we'll, we'll continue polishing this so that it's a good open source experience.

This is one of the largest changes that we've made to open source. It's been, uh, a monolithic amount of work, honestly. The decoupling bootstrap was much more painful than we expected. And so, um, I'm hopeful that it'll be, you know, a better experience and a, a better, I don't wanna say product, project for open source as we go forward.

Okay. So I think that's the majority on the, the open source side of the house. Like we mentioned, I'm sure there's a ton of things to cover. This is just kind of the, the, the high level on, uh, what is changing. We, we encourage you to check out the GitHub discussions, the official Slack and, and the channels there to, um, keep that conversation going.

And then, um, on the pro side of the house, we have four or five new things to walk through. And so, um- The first is we've received pretty consistent feedback on wanting to be more flexible, both with reporting and dashboards. The pro remediation and insight dashboards are incredibly popular. And so one of the things that we've done is now built ones that can be totally customized.

And so to walk through what that looks like, essentially all of the different insights that we've built into Pro, you can now combine into one custom dashboard of your choosing, rather than having to go between the, uh, the different insight dashboards that exist. And so we'll demo that really quickly.

I might speed it up a little bit, but the net is you can really do just about anything with these dashboards. You can have custom data, you can rearrange it, you can, um, save different copies, et cetera. And so, um, we always try to start by populating with things that we believe to be true about your program or that you need.

But also, you know, the joke is if you ask 10 security leaders what they want, you'll get 12 different answers. And so, uh, this is also trying to meet people where they wanna be on, on customization. And so we've done something similar for reports. So moving to that we have a new report building block element.

So, you know, the, the original report builder is dated, I guess is the way to put it nicely. And so, um, this is a complete revamp of the, the old report generator that allows for more customization, regeneration, including of, uh, more elements than was previously allowed. And we'll skip a little bit into the video to get to the meat of what those look like.

Hopefully Blake opens it. Because there's so much going on, the Dojo team is pretty scattered right now. We're all working on kind of, individual pieces, if you will. So we didn't collaborate as much on what these actually look like. So I guess he-- Does he ever actually open one? Um, hopefully.

Fingers crossed.

Oh, maybe not. Well, uh, if you're a pro customer, you can see and play with this today and, um, see what they look like. But the net is much more customizable, much more repeatable, uh, many more building blocks than the old reporter had. Uh, okay, so moving on to the next one, product hierarchy and locations.

This is one that's been out for a little bit, but just to re-encapsulate there's this new structure called locations. And, um, locations is an upgrade to the old endpoints framework. So at a high level, Dojo has this notion of an organization which is all about how people organize and permissions, and then we have the various assets that organizations tie into.

And then locations is designed to look at things that assets share for things like, uh, heat mapping or, um, deduplicating between SBOM as one example. And so, um, it's just a, a new structure designed to... We looked at a lot of different things one of them being compliance frameworks specifically. This is one of the changes that we made to, uh, accommodate Dojo specifically for CRA reporting.

The old version of SBOM, which was called components, only tracked things that were vulnerable rather than the entire SBOM. And so, this new structure changes that. It's a combination of both the old endpoints object and also components, uh, in one. But also now it allows for global deduplication, say, by third-party library rather than just by asset.

So, a bunch of different enhancements just to modernize and take a new approach to how people actually use third-party dependencies as it relates to their assets.

Oh, Greg, real quick. I think the audio from the video isn't playing.

Oh, it's not? Oh. Oh, I see. Oops, sorry about that. So Matt is basically just re-explaining everything I explained but much, much better. And so, um, yeah, just so you can see it, get an idea of what it is, et cetera. Um, so sorry that the audio is not coming through on that.

Whoops. I guess we should have practiced more. But, uh, but yeah. So Matt is just basically sharing everything that we've already stated about locations, how they work, what's different versus components and endpoints, and moving over to that. The other thing he shows at the beginning is just that components is still present.

Um, e-eventually components will be phased out in favor of locations, but we always like to transition things slowly. We never like to, um, just rip and replace anything out of kind of nowhere. We always like to do as graceful of transitions as we can afford. And so we don't have a timeline on when components will go away.

In the meantime, these things are being populated side by side, so there's no impact to functionality moving on. But wait, there's more. There's more new things. Uh, I think this is the fi-- Oh, no, it's not. There's one more after this. So the other new thing that we've done in Pro is this PSIRT advisory engine.

So the other thing that we've heard, I think, just time and time again from security teams is dealing with new advisories as they've been published from all these different threat feeds, with some of the things like the CVE program being thrown into question. There is now millions of... Not millions of feeds, but there's so many more feeds that we have to deal with today.

And so, um, this was a, a use case and a pain point that we just heard repeatedly in security. I think there's been, uh, an underinvestment too in PSIRT. This is a team that is more and more common at organizations but has little to no tooling to support them. And so the whole goal of the PSIRT engine is to, uh, look at all these advisories that come in, we ingest them, we match them against your, your new SBOM as it relates to the locations feature.

We then prioritize and group those and help you manage those, and ultimately also bring visibility to your, your PSIRT processes in Dojo so you can definitively answer when advisories come out if you're vulnerable comparing to the data that we have on your SBOM. And so I don't have a video on this one, but this is what it looks like in practice.

So, again, like all the different feeds come in, you can filter them, you can group them, you can do pretty much everything imaginable with the data itself. And then for ones that are valid, you can ship them to, uh, Defect Dojo for tracking and remediation. And so this is a new service that essentially lives side by side with Dojo currently as, as we do a better job of incorporating it and integrating it.

But we already had some people using this and giving us feedback and so, again, like we really are very heavily influenced by customer feedback. About 90% of the things we develop are based on customer feedback. And so we wanted to, uh, get it in more hands sooner so we can continue to refine this so it works for PSIRT teams en masse.

But this was a big pain point for me when I wasn't on the other side of the fence being, uh, a vendor. And so, I, I wish I would have had this when I was doing PSIRT, and I'm, I'm very excited that, uh, we could make it a reality and, um, bring it to, to our customers. And then, uh, finally, this is really the last one, I promise.

We have, uh, a new managed AppSec offering that we're rolling out as well. This is largely powered by our developments with AI. But the goal of the managed AppSec offering is to go from a program that is totally greenfield, meaning you haven't procured tools, you're doing nothing in, in AppSec and security whatsoever, and go, um, all the way to auto remediation.

So, what this will do is not just select the best tools for every repo you have in GitHub and, um, scan every single change. It will report on all that activity in Defect Dojo. And then finally, it will also auto remediate everything it discovers if you tell it to. So it has a ton of access controls.

You don't have to, uh, trust the submissions if you choose not to, but if you want to, it can be totally automated end to end. And the other thing we're doing is we have, um, a human in the loop supervising this. And so, you know, the thing that we see, I, I think time and time again in our industry is just that, uh, talent is incredibly difficult to come by in security.

And so, um, for... I, I think this is primarily focused on, um, smaller security teams in, in kind of the, the mid-market, if you will, to use sales terms. But, you know, large enterprises may not struggle with this as much, or they want things that are highly particular to them. But typically, the security programs that I've been in are not always, but, you know, there's this kind of really painful space where companies have all the same pain as large enterprise security requirements, but can only have a, a team of two to three.

And so, this is designed to, to help those teams, to give people an entire AppSec program with essentially little to no lift, including remediation, given, um, how we see AI changing security as, as a focus on being faster to remediate with, um, how things can now be found, et cetera. And so, um, I think that's everything.

Oh, yeah, it keeps going. Things that we have coming up in the community. We'll have a, a presence at AppSec Vienna. We hope to see you there. We also have an entire sidetrack dedicated to, um, Defect Dojo. And so if you are attending AppSec Vienna there's details to, to sign up and, and attend that if you're in the area and you'd like to.

And so, okay. No, I think that's truly it. Yes. Um, thanks very much. I'm happy to field any questions that you have. I'm sure we'll get questions on the open source changes. I'll do what I can to answer those in that session. I'm not trying to dodge those. But we might have to speak more about that and the, the channels that we've opened up specifically to do that.