Transcript
00:11
Okay, thank you everybody for joining us today and welcome. Today we have a really special office hours. It is a one-on-one ask me anything with our co-founder and CTO, Matt Tesauro. Great opportunity to get all your questions answered, whether, and as I said in the invite, whether it's a technical question, strategy question, tactical issue you're dealing with, we are happy to answer it. So.
00:41
We're going to kick things off. I'll let Matt, just in case some of you are new, just give you a little bit of his background, and then we'll get started with the question. Yeah, sure. So I'm Matt Tesauro. I'm the CTO and co-founder of DefectDojo, Inc., as Dawn nicely said. I've been doing this dojo thing forever, at least since dojo was on a whiteboard and we were sketching out how this thing was going to work.
01:06
Just for a tiny bit of history, DefectDojo started out as a thing that we created at Rackspace, because I was running the product security team that owned all of Rackspace's cloud, and we were running a whole bunch of tools, and it was just a mess. And we needed something to make sense of it, and that's where DefectDojo came from. And then we open sourced it, and it's been an open source thing 12, 13 years, I don't know, quite a long time.
01:33
great community that helps us keep Dojo active and thriving and changing. Um, but that's, that's it for me. Hey, and, um, just, we did have someone who couldn't hear you. So maybe you can turn up your mic just a little bit. Yeah, I can hear you, but let's see if zoom is being silly. Every once in a while zoom will. Okay. I just maxed my input on my mic. Okay. Great. Thank you. So we're.
02:01
We're gonna kick things off and everybody, we're gonna take your questions. This is a question some people sent in ahead of time that we've gotten a lot of input on. So we wanna just kick things off with this. As many of you may have noticed, we got our first series A round of funding we announced a couple of weeks ago at OWASP Global AppSec. And since that time, a lot of our open source community has been asking,
02:31
both myself, Greg and Matt about what this means for the future of open source dojo, what's our commitment to open source dojo. So I wanted Matt to field that first. Sure, that's a fair question. Once I leave here and I get on my yacht and I go off into the ocean, we're just gonna close it down. No, I'm not gonna do that. We're not closing anything down. So honestly, like we've been doing this open source thing like I said for 13 years.
02:58
I'm actually thrilled that we got funded because it allows us to pour even more resources into open source. And we already have several full-time engineers that work on DefectDojo currently. This just allows us to focus even more and maybe bring in, we actually have done a hire since the funding, honestly, to help with the engineering side of the house. So to me, this isn't changing anything. We're gonna keep improving. There's a couple interesting changes we've done.
03:24
Recently to open source DefectDojo we deprecated MySQL and RabbitMQ, under the goal of trying to keep the install as simple, and honestly the testing matrix got super complex. So that allowed us to simplify that. The sort of next iteration of this is we want to double down on making Dojo even easier to do an install, particularly if you just want to do a non-development install, like you just want to use Dojo. You don't necessarily want to develop on Dojo.
03:52
And then we're looking at doing a refresh of the UI as well. Because the UI has been around for a while. It kind of could use some TLC and love. And so that's the other thing we're looking at doing with this new round of funding. And these are all things that became available to us since we now have an injection of cash, which is always a good thing.
04:15
All right, great. Thank you, Matt. For those of you in attendance, if you want to either put a question in the Q&A or the chat, or you want to raise your hand and ask your question out loud to the group, you may do so. So, let's get them going.
04:41
Don't be shy. I'm interested in hearing about what's new in Dojo. I can show you something that's cool. Let me share my screen. Yeah. Do, do, do this guy.
04:56
This is DefectDojo Pro. However, one thing I did want to show you, this is a brand new thing we just did. We just added this, well, for those who aren't familiar with DefectDojo Pro, this dashboard is the tiles that you can add or part of DefectDojo Pro. And we just, over the summer, added this Program Insights dashboard, the Remediation Insights dashboard, as well as the Tool Insights dashboard. However,
05:24
last week I think it was, very recently, we added Executive Insights, which gives you a whole bunch of data on DefectDojo as well as a bunch of charts, kind of an overview of how Dojo is helping your program at a high level. And then you're able to filter these to what's happened in the last 90 days. I can pick a particular product type. I don't remember what's in this demo instance, so this might be interesting. Oh good, there's numbers here.
05:54
But I can filter and then I can also do things like export this as a PDF if I wanna give, say somebody up the org chart to me summary numbers on this particular product type, I can export this as a PDF. It will generate in the background and then bam, I get a PDF which just downloaded. So this is a pretty cool thing that we just added. I'm looking for more cool and fun stuff like this. But this is probably the newest thing.
06:24
We've added a bunch more connectors of late too. Connectors are a way that Pro allows you to, well, connect DefectDojo to the APIs of tool vendors, or well, tool, yeah, tool vendors' APIs. The last one we just did was Dependency-Track, and I think prior to that was SonarQube, I think. But there's been a bunch of different ones of these added of late.
06:56
pretty much all the new stuff I can think of off the top of my head. Okay, thank you. And guys, put your questions in the.
07:05
Oh, we do have a new question about what the latest updates to the open source product are. Oh, yep. Let me, I will, let's just go there.
07:21
Oh, I have to type correctly. That always helps.
07:35
Goodness, this is why you don't do this stuff live.
07:42
There we go, I can type, I swear. We just did actually the 3.9 release. Oh, one thing I should show you.
07:54
Is actually, this is even better, let me do this. One thing I can show you is, if I go over here, you'll notice we have a brand new logo. I mean, this is not maybe the most exciting thing. It's kind of cool for me because I've been looking at the logo, the same logo, for I don't know, eight plus years. So it's kind of nice to have a new shiny one. Um, beyond that though, that was like the
08:24
You can see we've done a whole bunch of updates to parsers. One of the things we're focusing on, honestly, in the open source right now is really doubling down on quality. You'll notice all of these Ruff linters that we're adding to make sure that the code base stays as rock solid as possible. We're also adding a whole bunch of tests. Unfortunately, all this stuff is kind of not so sexy behind the scenes things, but they do make Dojo a more rugged and reliable product.
08:54
So I think that's always a good thing. We've had a bunch of parser updates. This was an interesting thing, AlmaLinux. There's a way in vulnerabilities that when you provide a vulnerability ID to a database of vulns, this is the AlmaLinux vulnerability DB. There's a Red Hat vulnerability DB. We just added the Ubuntu vulnerability DB. There's a whole bunch of ways that we can augment that data. Basically, if a tool provides us a reference for those, we can...
09:22
generate a link on the fly back to that authoritative source, which is super nice. And then we're also doing a whole bunch of new features on the API, as well as improving the Swagger docs, because a lot of our customers, or users for that matter, do a bunch of API. And just to level set for the open source people, DefectDojo Pro sits on top of DefectDojo, the open source version. So
09:51
We have every reason to keep DefectDojo open source as rugged in quality as possible because our commercial product, Pro, sits on top of that. So there's nothing, nothing is going away in open source because honestly we need it for both the open source and the non-open source side of things.
10:13
Okay, great. We do have a question in the Q&A. I will paraphrase, but it is from a user who uses open source as their primary tool for managing vulnerabilities. They've encountered accessibility issues with my colleagues with visual impairments or color blindness, specifically with the visibility of certain fields, filter arrangement, and keyboard navigation.
10:40
As we aim to contribute to the community while focusing on practical, releasable improvements, my question is, would you be open to us addressing and implementing these accessibility and ergonomics improvements for the community version? Also, do you foresee any issues in releasing them in the current version? And lastly, there's three questions there. Um, do we have a timeline for the release of version three for the community? These are great questions. So, um, and by the way, I also saw someone noted, I forgot to mention we added
11:09
webhooks. It wasn't in this last release. I think it was one release back. It might have been in this one. There are now webhooks as well tied to the notifications, which is pretty sweet. So about the accessibility, you know, we've had Access Lint doing linting for accessibility for a long time in DefectDojo, but that's a fairly lightweight check of accessibility. We could certainly do better. One of the things that we are looking at, and I mentioned this a minute ago.
11:38
Because of the funding, we want to rev the UI toolkit that we're using in DefectDojo. Honestly, one of the things that we wanna address is the whole usability issue. That's been something we've done a fair job at, but we certainly could do a lot better as you noted. So yes, the one thing I would say, you're welcome to do any changes in today's UI you want. We're never gonna say no to usability and UI improvements. Just the one...
12:07
caution I would say is probably in the middle November time frame, we will have a new UI toolkit. So some of those may have to get ported to this new toolkit. I just, I don't want you to do work and then if it goes away because it's handled by the new toolkit, I don't want your work to disappear, so to speak, or think it disappeared because one of the criteria for choosing that new toolkit is how well
12:36
it handles by default accessibility issues. Because the toolkit we have now, I think, it's years old. And it doesn't handle accessibility, obviously, as well as you want it to. But we're happy to take those improvements. Timeline for the release of version three, probably around Christmas is what we're looking at. If you've seen my updates in GitHub in the discussions,
13:02
We were really excited to do version three until we started flipping over rugs and looking under them and realizing we had some tech debt we had to clean up first. We are most of the way through cleaning up that tech debt currently. We have a few more items to knock out. One of the things we wanna give a little more attention to is the notification system. But once we get those in place, we will announce three. We're gonna try to tie the new UI
13:29
to version three together and do one big release, basically, ideally. Well, so you have not only a functional improvement, but also a visual improvement in the new UI. I think that got your three questions. Thanks, though. Okay, next question I will read for you. First, it's a thank you for being here today and also responding to this person's message on LinkedIn.
13:57
So I'll just repeat the question for the audience. I'd asked about the possibility of having the ability to add new columns to a finding. Essentially, I'm looking for the ability to normalize and enrich vuln data, things like risk prioritization, the host name where a vuln lives, asset criticality, et cetera, affected code down to the repo or file. I looked into tags and I don't think they fit what I'm trying to achieve.
14:27
Okay, so there's several things going on.
14:31
So one thing that is in DefectDojo, open source or not, is EPSS scores. We've added that as a new field you can add to DefectDojo. That is a great way to do the sort of enhancement of the findings in terms of exploitability. Let's see, do, do, do. Oh, this part is, oh, host name where the vuln lives, and endpoint provides you the ability to put
14:58
the host name, that's exactly why we created it, of where a vuln exists. So you don't need to add anything to dojo, hosts can be stored as endpoints on a finding. That allows you to have the same finding spread across multiple hosts. So if you have the same, I don't know, golden image across a bunch of VMs, and you...
15:21
and you do a scan and everyone has, I don't know, let's just give you a horrific finding. Everyone has telnet listening. Like, I don't know why you do that, but let's just say everybody has telnet listening. You could have one finding that says telnet listening on host, and the endpoint would say host one, host two, host three, host four. So the endpoints give you that. Actually, if I dig into here, you can look at actually endpoints in DefectDojo, as well as, these are probably not gonna be great because this is a demo system.
15:52
You can get, yeah, like this is a host name that came in that's tied to a specific finding. As well as you can have multiple findings per host name. So let me go here.
16:09
One nice thing with the data model is that because of the way endpoints work, you can have multiple endpoints attached to a finding. That allows you to do exactly what you're asking about, to say where that host name lives. Asset criticality, there is measures of criticality we have kind of sprinkled throughout Dojo. Let me go back here.
16:32
So asset criticality, one of the ways that I've seen customers do this and users do this for that matter is, oh, what, what? There's actual measure of criticality of a product. So if you're doing product equals asset, you have this directly already in DefectDojo as part of the metadata, you can filter by it. There's a whole bunch of other things you can do with that.
16:57
And then what was the other one? Asset criticality. Oh, affected code lined down to the repo. If I dig into a finding.
17:05
And I'm going to, we're going to have to scroll a bunch.
17:11
but we have things in a finding, source sync, line of code, where it happens, like most of those, it seems like doing it, like line number, file path, component name, component version, all this stuff is already in the finding model. The thing is we have a very broad model. It just depends on the tools you're putting, using to put that data into DefectDojo. If the tool doesn't provide a line number or a file path, let's say,
17:40
Obviously, Dojo has nothing to store when you do that import. You can always add that after the fact. If you're manually entering findings, obviously you can enter whatever you want. But most of the things you've asked about are generally in DefectDojo to begin with. The real gap is what the tool vendors provide in their output determines what DefectDojo can store. We don't throw away anything. We try to save every last bit we can pull out of every import.
18:09
But if the tool vendor doesn't give us line number or file path, we can't magic that into existence, if that makes sense.
18:19
Okay, great. Oh, I cheated. I opened up the question. Yeah, what would they, that was a big question. I agree. So the next question is, will the UI changes that you mentioned as part of the funding be applied also on the community version or only Pro? It'll be in the community version. What I was mentioning was specifically to update the community UI,
18:43
the what I would call the air quotes old UI or the current UI, whatever you wanna call it. This is what it looks like in pro. I could log into this one as well. I forget what the password is for this. I'm gonna show you my password. It's okay because this is a public demo that gets wiped once a day. This guy is the password. So.
19:11
This UI as well, which is a community UI, will get an update. This is the one that really honestly needs the most. This is the one that's the most dated. So this is what I was talking about when I said UI. Okay, great. Thank you. Next question. If I would like to contribute on the open source version, what are the most urgent topics, features that you need help with?
19:35
Um, that's an interesting thing. I'll tell you a perpetual one. Um, and then I can give you a bunch of, of, uh, also-ran items. A perpetual one honestly is, is scanners. We have 180. I think we may even be up to 190 different scanners that we import. Obviously I don't have a copy of 190 different scanners. Now we have unit tests that test the latest version that we have access to of the file output of those scanners.
20:03
However, vendors are great about changing file types. So one of the thing the community has been fantastic about is just saying like, hey, I'm using, I don't know, I'll pick on Semgrep. I'm using Semgrep and their file format changed and I'm getting an error or they just added EPSS to Semgrep and I don't see it when I do an import because in this case, like hypothetical case, Semgrep's parser was written before they had EPSS.
20:30
They've added it. So we need to add pulling that out of that file format for Semgrep, which is an easy add. We're happy to take a contribution. We have lots of people do those contributions, or even just telling us like, Hey, this bit of data is in this tool's output. I don't see it in Dojo. Here's a sanitized example file. You know, can you help me? We'll go ahead and do those updates. Like that, that's something we do all the time. Cause honestly, that's probably the biggest area of maintenance and update
21:00
or upkeep in DefectDojo is adding and keeping up to date with the changes vendors make to the file formats. That's been a challenge since day one because vendors will just radically change their file formats on a Tuesday and then suddenly dojo doesn't know how to parse them. Beyond that sort of like what other contributions are useful, I just had someone put in a bug where we just had an issue that was a bug where we had a link.
21:29
missing in one of the menus. Even those little silly bugs are great. This UI has evolved over years. There's four or five different ways to do different things inside of DefectDojo. In fact, the other day, somebody showed me, I've never created, or was it? Was it here? Oh, import scan. I've never done an import here. I didn't know that button was there. And I've been using this thing for 10, 13 years.
21:59
So there are things inside of DefectDojo that some class of users use that I never see. And so any of those kinds of bugs or features are very useful. And then if you have an improvement that you think is really useful, please put it in issue and say, hey, I think Dojo should do X and let's talk about it. The one thing that we really...
22:23
I hate to do, and we've had to do a couple of times as people have said, hey, I've got this PR that radically changes how Dojo's internals work, which may work really well for that particular user. But one of the weird things you get when you run an open source project is you get to, you have to kind of represent all of the user base. So changes in how Dojo work that may make your life better, but break it for everybody else.
22:51
we can't really do, we have to find a way to make it to where it's an additional feature that I can either opt into or I can enable or disable. So there are those kinds of things I'd hate for someone to do the work of doing a PR to add something cool to Dojo just to say, oh, dang it, you're gonna have to go back and change some things because how you've added it breaks how things work for a big chunk of our user base. And I just never wanna do that. There's too many people relying on Dojo.
23:20
either open source or pro, doesn't matter, but I don't wanna break stuff for them. So please put an issue in that says, hey, this is what I'm thinking, we can discuss it, and then come up with a plan that works for everybody, and then we're happy to take that. That's how the webhook happened, honestly. Somebody asked like, hey, I wanna do this webhook, and we had a back and forth about how it would work and how it would be implemented, went through a couple of iterations of reviews of their PR and now it's in DefectDojo. So we're happy to take those updates. I just...
23:49
There's been a couple times where people have made really interesting changes for them that break things for a big class of the user base that, as much as I really hate doing it, you have to say no, because I want to protect all of the community, not just a segment of the community.
24:10
That's great. Thank you, Matt. Next question is, do you have any plans to implement OWASP way of risk assessment and DefectDojo open source? So first of all, I would say if you could maybe define for the audience what that actually is, and then answer the question would be helpful. So, the one that I can remember the OWASP risk assessment methodology is part of the OWASP testing guide, if I recall correctly, and keep me honest and deep if I'm wrong.
24:40
One of the things we're looking at doing, this will probably be, it will be, it won't be right away, I guess I should say. This is something that we're thinking about, but we haven't come up with a definitive plan. That's why I don't have like a timeline, I guess. Is the idea of, do I have this? I don't have it enabled here, not in this demo. But this benchmark right now, we have OWASP-ASVS.
25:10
And right now this benchmark is fixed only to ASVS. The idea would be to change this to be configurable, to have multiple types of checklists built into DefectDojo. The thing is that how this is currently implemented makes that a little interesting. So we're trying to find a way to make this better. Today, if I wanted to do something in DefectDojo, open source or otherwise.
25:40
We have do, do, do, questionnaires, which you could do a questionnaire that represents the questions that are in the OWASP risk assessment. You can ask those of any person, either someone who has a login or you can do anonymous. They can fill that out and then you can attach that risk assessment to an engagement or to a product or to a bunch of different things. And so this is one way to gather that data today. The way questionnaires work is
26:10
You basically create questions. You create as many questions as you want. You take those questions you created, stick them together to make a questionnaire, and then you can send out a link to that questionnaire. So I don't have any questionnaires here in this demo instance, but if you have a questionnaire, you can actually.
26:30
decide as a setting to have it available anonymous, aka I don't have to log in to fill it out, or you can have to have a login, just depending on what makes sense for your use of Dojo.
26:46
Great. Thank you. Next question actually is more of a statement that just says it's a cool product and features. So thank you. Yeah, thank you. That's always great to hear. It's kind of funny. Like I've done different open source things over the years. I'll shoot the first time I contribute open source. Well, I have gray hair, so I'm not really diming myself out, but was in the 90s.
27:12
I made a contribution to SquirrelMail, if anybody remembers that application back in the day. But I've had, like I had an open source OWASP project that got super popular around 2009, like 300k downloads a year. It kind of blew up on me and I probably got 20 pieces of feedback. So I'll tell you, this is something somebody said, how can they help with open source? Man, just like post a discussion and say, dude, I love how Dojo does X, because the people who contribute to this
27:41
for the longest time were nights and weekends. I did that for 10 years almost. And even now that, you know, we did get funding, some of us are paid, which is great. But it's just lovely to get feedback. Any open source project loves getting feedback because that 300k download a year project I had with OWASP, I got maybe 24 pieces of feedback on it. And I knew there was a lot more than 24 people using it.
28:11
So even, you know, negative feedback like, dang, I wish Dojo would do X is very useful because that gives us something that we could do to make Dojo that much better.
28:22
Correct. Thank you. Next question is question in the comments. Happy to hear that V3 is planned for Christmas time. Is it possible to publish at least how the new data model in V3 will look? Yes, you're not the first person to ask a question along those lines. In fact, there was a discussion in GitHub discussions where somebody asked me about when I would do my next update. I was
28:50
This is me being very disclosing. I was trying to do a quarterly update every quarter. And I think I did the first two of this year. However, I got life busy, to be honest with you. Some things with work, but honestly, some things outside of work, just in my personal life, kind of doused me for free time. And I did not get to doing updates. What I promised that person in the GitHub discussion is I'm about to do some travel. I have some personal things I have to put to bed.
29:19
But no later than the first week in November, I will do an update that will cover the V3 issue you're talking about, as well as what our next plans are. Like the UI thing I mentioned today, I'm gonna write it out more explicitly, et cetera, in that update. So I apologize, I got busy. My personal life got interesting, but I should have that all sorted, hopefully by first week of November, and I will get something out by then.
29:47
I agree. Thank you, Matt. Next question. Any news regarding OpenAPI schema validation? It was mentioned in the past. Oh, yes. Oh, that's a great yes. So one of the things we're doing, and I actually, this is, this is kind of one of the fun things about having an open source project, is we have a college intern who's working on DefectDojo while they're getting their degree.
30:14
And one of the things they did for us was create a tool to do an API diff of DefectDojo from release to release. So this is somewhat API schema validation, somewhat more about making sure the API changes are known to people when they go from version to version. What they're currently working on, what this intern is doing for us, is taking that and turning it into a GitHub action so that
30:40
We can run that on every release, either bug fix or minor release, and say these are the changes that happen in the API for release, you know, three, two, 38, four, to two, 39, one, or zero, is the next release, right? We can give people warnings that, hey, we added a new field to the finding API, you got a new way to do filtering, or we deprecated this old method that nobody uses or whatever.
31:08
In terms of schema validation, we're using a Python library to autogenerate the Swagger or OpenAPI schema. I mean, we're happy to hear feedback about areas where it's wrong. There are certain things we can tweak about it and there are certain things we can't tweak about it, since it's autogenerated based on the Django models. So we have some ability to make that better and we've done that in cases where we found shortfalls. But since it is autogenerated, there's areas where it's
31:37
harder to make improvements, if that makes sense.
31:44
Okay, thank you. The next question is, any plans on adding a risk score field to a finding? I feel like it would be helpful for those that take a risk-based approach to managing findings. I saw the EPSS score, but from what I understand, EPSS and a risk score are different.
32:05
So EPSS score is a measure of exploitability based on first.org. Risk score is honestly highly personalized to the business context in which you're running. Like risk can be important and risk can not be important. Perfect example of this. This was a fun one. When I worked at Rackspace and product security, all of us happened to be out of the product security area and meetings are doing something. We had a junior person there.
32:33
who was testing an internal system, found SQL injection in this internal system that's used by a handful of people. And unfortunately, the VP of product walked by their area at the time and talked to this junior person who was like, I found SQL injection, I can do whatever I want to the database. And that caused a huge incident internally and we sparked up a thing and I got a phone call and I had to leave my meeting.
32:59
This was a system to book meeting rooms inside of Rackspace. It was not particularly important. You had to be inside the building to actually access it. So yes, it was bad. We had SQL injection in this one-off app. Was it going to bring Rackspace to its knees? No. So one of the reasons why we've struggled with the best way to put risk into Dojo is I could make risk really work for me, and it would do nothing for you.
33:28
We haven't really come up with a great universal scheme to do risk. Honestly, it's very tricky because for some people severity is enough, for other people severity plus exploitability is what they want. Some people will use CVSS with the extended temporal and environmental scoring to give them a more defined version of risk. And if you do make those modifications, Dojo will change the severity based on updates to the CVSS score for temporal and base,
33:57
temporal and environmental. But it's just a hard question to answer generically because so many people have different opinions on what means risk. We've thought about and we might end up doing as part of V3 like a general priority field. The problem is like giving people an empty field doesn't feel like we're helping them much. And then you run into the question of what's the right thing to put into that field. Well, we could just copy over severity and default to severity.
34:24
which isn't bad, but isn't great either. So that's one of the places we've had a lot of discussions and just haven't come up with the perfect solution, to be really honest with you.
34:39
Okay, thank you. Take a drink. I'll read the next one. Might be water. Can you share some scalability performance numbers about the current users' customer deployments? I'm thinking to deploy Dojo, but I'm afraid the scalability would be an issue since we ingest vuln data from 100 plus tools and over a thousand microservices repos. Okay, fair question.
35:08
So Dojo will scale to crazy numbers. I can give you some crazy numbers, either from people I've heard or from customers that we've interacted with. Some of these are ones that are public. I can find the public one if you want. There is a, I wonder if I can, this is really bad idea. DefectDojo, Fred Blaze.
35:37
Matt, sorry. Let's see if I come up with a...
35:42
Nope, nope, that's not it. Oh wait, this might be it.
35:52
Oh wait, okay, I gotta wait for the stupid ad. Ah, bloody ads. Sorry, marketing person. Skip the ad.
36:02
Yeah, oh this is awesome. I can find his numbers in here. This is public. Uh... Where are his numbers?
36:15
Come here. Somewhere in this deck he has his numbers. Oh, there it is.
36:23
So here's Fred's pause. Fred was doing 75 products, 1.2 million findings, 75 findings ingested per month, 5,000 per day. And he gives how he set up his DefectDojo and Kubernetes in this deck. We have customers that are doing some of the crazier ones just short of 10K products.
36:52
26,000 imports a day that include both a scan file as well as a small text file of metadata. The thing is with Dojo and scaling is, this is the good and bad about Dojo, right? Dojo doesn't force you to make a choice. We try to make, let me put it this way, by design, DefectDojo was.
37:18
built so that your process doesn't have to change. Dojo adapts to your process versus you adapting to Dojo's process, which means it's very flexible. The flip side of that is, it's very flexible, which means it's very configurable, which means it can be really interesting to get the configuration right, which is one of the things we do, honestly, for our Pro customers, because we have some of the core maintainers here who have done crazy things with Dojo and get the innards.
37:45
So if you're not super familiar with Django apps and scaling them, it can be a challenge to pick the right lever and knob and dial to play with: the uWSGI processes, the number of Celery workers, the RAM on the machine. There are certain things that are just obvious, like breaking the DB out onto a separate host is a huge plus. I would not, well, I was just about to say I would not run them together, but honestly, I just did a training class in San Francisco where I mashed all of Dojo into a single container.
38:15
Absolutely the worst way to deploy DefectDojo, but super if you're doing a training and you have one concurrent user, right? So that's just one of the tricks of Dojo. You kind of have to know Django, uWSGI, Nginx, Postgres fairly well to be able to scale it up. And just like the risk question, it's so hard to explain the difference,
38:42
or how to do that in a generic way, because it's so contextually important. Like the several customers we have that have very large installs: every Pro install is a single-tenant, no-shared-resources installation. And so those installs don't look anything like each other in terms of resources, which is one, I think, of the advantages we give customers who come to Pro: we will set up a custom one for you
39:07
where you have no shared resources, and we can do those tweaks, because if you're an API-heavy customer, we can do things to make the API work faster for you. If you're only a UI customer, we can do things that make the UI work faster for you. But those things may negatively impact the API. If you're not using the API, it doesn't matter. So I hate to say it, I'd love to tell you, I could write out like the ultimate guide to doing performance with DefectDojo, but it'd be a novella, it'd be huge. So it's not really practical.
39:36
But I will tell you, it'll scale. It'll scale to nutty levels. We have, I think, I forget how many million we do testing with. Greg always knows this number, but our testing goes to millions of findings. And it can be performant, but if you put this on a Raspberry Pi and put millions of findings into it, it will perform terribly, because it's a Raspberry Pi.
40:00
Hope that helps. Sorry.
40:03
Can you, there are some differences too in the management of those really high-volume environments
40:16
between open source and Pro, yes, that enable you to deal with those large volumes better? Correct, we can do some interesting install things, particularly using a cloud provider that we manage, where we know all of the levers and things to do. Yeah, there's a whole bunch of things we do in Pro that help it be more performant for those large customers that don't make sense otherwise. Like you can make trade-offs to make something, like I said, you can make API- or import-heavy trade-offs
40:45
that impact other aspects of the Dojo system, but if you're not using those other aspects of the Dojo system, it doesn't matter, right? This is a bad example, because I can't think of a good example off the top of my head, but if you never used risk acceptance, the full-blown risk acceptance in DefectDojo, and I made a performance tweak, I don't think this would actually happen, but if I made a performance tweak that really slowed down risk acceptance but made your use case faster,
41:12
you'd be fine with that, because you don't use risk acceptance. And so for our customers, probably the most interesting thing about having customers is, one, we get lots of feedback, because we get to see how people use Dojo. But we have a mix of customers: a lot of them are very API-heavy and a lot of them are very UI-heavy. And how those systems are configured is different based on their usage. We do loads of monitoring and tweaking of customers' instances just because. For Pro.
41:41
And so, yeah, it's a combination of the fact that we have single-tenant instances that we very tightly monitor and keep an eye on performance and then tweak according to usage, and that is your problem if you're using open source. And if you don't have that skill set, you may have a hill to climb in terms of learning curve before you can do those things.
42:09
Okay, thank you. We got another one. Um, "thanks for the info on the approach for future releases. Creating a way to let users define which data points to use in their risk calculation along with the weights. Then an org can define how risk is calculated." Yeah. The closest thing we have right now is the grading system. Um, I know I've got that here. I should have it here. Yeah.
42:36
The top 10 and bottom 10 products show the grades. And that is based on weights that you can configure in system settings. I think, if I remember correctly, yeah. You can enable this product grading and then set weights there. So this is one way to have control over that, that exists today, but that's not a bad idea. We just haven't.
43:03
We haven't, like I said earlier, we haven't settled on a pattern that makes sense in a general use case, but certainly today you could do the grading and change these scales appropriately to sort of, uh, adjust who gets the letter grade accordingly. We use the traditional kind of US standard academic thing, but it could be whatever you want.
43:25
Okay, great. Thank you. Any other questions? Oh, it's coming in. Okay, "if I start with the open source version and in the future consider moving to Pro, is there an easy way to move the data and configuration?" Yes, because by design, we built Pro on top of open source. So that move is easy. Really, Pro adds things on top of Dojo. So it's a,
43:54
it's generally an additive process. So worst case, like, here's an example of something we can do with Pro that's hard to do with open source: EPSS, right? I mentioned that earlier, EPSS scores. If a tool provides an EPSS score and you're using open source, Dojo will store it. One thing we do for our Pro customers, because we can, because we're managing and running their instance, is we have a service that caches
44:23
for our customers the EPSS scores and then updates them daily. So if a tool has a CVE and doesn't provide an EPSS, we can add an EPSS for that matching CVE in Pro, because we have the ability to do that. Now, this is something you could do as an open source user if you want to pull down a copy of the cached results in EPSS and then talk to the API and do these updates. Like, it's doable, but you have to write that code. For Pro users, we wrote it and it's available to them.
44:53
So those are just examples of things where, like, Pro helps, but it's additive. It's not like, we've had many people migrate from open source to Pro and we're happy to do that and help you do that, but it's not like they're two different products. It's not like you're using the left-handed version and Pro is the right-handed version now. That migration is simple by design. Right, so not a lot of heavy lifting for an open source user to...
45:22
go over there. And I would also just add that we do, if you are interested, we do offer a trial of Pro, a POC of Pro, if you're really, you know, seriously thinking about the migration. So you can kind of test it out in your environment and see, obviously not the whole migration, but kind of see how it works and all the additional features that you would get.
45:52
Yeah, you can kick the tires on the open source version in this demo that I showed you, or if you talk to us, we'll happily give you a POC and you can try the Pro version as well. Yeah, another question. "During upload processing of a heavy report, we are receiving timeouts. Is there a plan to possibly add async processing of reports?
46:19
I do not need statistics about the uploaded file in the HTTP response. Current async is experimental and not working well." Yep. You're not wrong about the current async being experimental and not working well. There's several parts of Dojo, without getting into the weeds of the internals, that make the async thing interesting. Which is why we mark that
46:42
as an experimental feature, because we were experimenting with it and, as you noticed, it doesn't work that great. We've honestly talked about removing it, but we were kind of afraid that some people, for people who have the use case that it works well for, I never like taking away a feature, that just feels wrong. So that's why that's there, but it's marked experimental, because if you happen to, it seems like you're in the use case that it doesn't work well for. We have talked about doing async.
47:09
And that may be something that we can deliver post-V3, but there's a lot of internals that we have to make better before async works, to be really honest with you. And some of these things are just a, you need to set expectations accordingly. For example, I remember this was, gosh, this was years and years ago, shortly after we first open sourced it, someone was doing a ridiculously huge, I think it was like one gig,
47:39
Tenable CSV. I can't imagine a one-gig CSV, but they did a Tenable CSV that was one gig, and Dojo was dying trying to parse this thing. Well, actually, to be honest with you, it was dying at Nginx, because that POST was bigger than Nginx would allow. So one of the keys to having those imports work quickly, even in a synchronous fashion, is to have enough resources behind it. But obviously you can still have a case where you just don't. We are looking at async. I-
48:09
I can't tell you when, but I can tell you that the work that we've been doing in the innards of Dojo will help us be able to do that async. And that experiment that we did, we learned a lot from that about where the sort of problem points are inside of Dojo. And the goal is to be able to use that data gathered from that experiment to actually do it in a way that's much more generally useful.
48:37
Okay, great. Thanks. Any other questions? We're coming up on 10 before the hour. So I want to make sure we get everybody in before we have to go. So.
48:51
Let's know.
48:55
We did have a lot of good questions. We did. Thank you everyone who asked questions. I love this. I like to get in front of the community and get to talk to people and see how they're using it. That's probably been honestly my favorite thing about turning Dojo into a business because now I get to, I don't casually bump into people at a conference who happen to use Dojo and tell me about it. I actually get to interact with them on a regular basis, which is really cool. Although funny story like.
49:23
One of the AppSec USes, when it was in DC several years ago, I was just walking, you know, between, uh, talks, and somebody stopped me and was like, "Hey, are you Matt?" I'm like, "Yes, I'm Matt." And they're like, "Oh, I'm a Dojo user. I love Dojo." And I was like, "Oh, that's great." He's like, "Yeah, I was the one who did the CSV import." And I was like, I've used the heck out of the CSV import over the years. And I was like, "Wait, that was you? Oh, dude, thanks." Like,
49:51
it was amazing to, like, bump into this person who did something that's been really fantastic for Dojo. Um, and so I love being able to talk with the community and thank people for their awesome contributions. Yeah, we do really appreciate it. Um, I think, oh wait, we got another one. I'm telling you. Um, "there's a new issue in GitHub about replacement," I don't know, "uWSGI to Gunicorn. What's your opinion?" Yeah. So.
50:21
The way I say it is "you whiskey". I don't know if that's correct, because it's an internet thing, and "gonna corn" or "G unicorn" or however you want to say that one. I say "gonna corn". Yeah, so we have thought about that, and that was a very interesting issue. I saw that recently, and honestly that sparked a whole bunch of internal discussion that has been going on amongst the core contributors. The
50:51
It, if it happens, it will probably be a V3 thing, only because uWSGI is all over the place in Dojo. It's in all the entry points. So, like, the conversion will be non-trivial, and I want to make that conversion seamless to end users and not breaky. So those are the things that
51:13
make this a, I'm sympathetic to using Gunicorn, and that's kind of the default Django way of doing things, at least it is today. I don't remember what it was back when we first wrote Dojo; that was too long ago. So perhaps, and if you are the person who submitted that, you did spark discussion, and we have been talking about it amongst the core contributors to try to figure out what the right answer is. So I
51:41
I don't have an answer for you today, because we wait till consensus, and it's open source. And so if one of the contributors takes a while to get back to us, it takes a while. But I love that. I love that question. And it's something we're definitely considering. Okay, thanks. We have another one. Probably our last one we'll have time for. "I have uploaded various results in my Dojo. Only a small subset of the findings were unloaded," but I think it means uploaded.
52:10
"I'm wondering why." And then, "I met you at OWASP in Lisbon in June. Thanks for your work." So it seems like there's a difference between what they uploaded and the findings that are actually shown. So maybe you, I don't know if you can speak to that without knowing exactly what's going on. But yeah, I could talk about at least some generalizations for some of the parsers. It depends on the
52:40
the results that are sent in to Dojo. How do I say this? Like, here's a great example I could think of off the top of my head. For SonarQube, there are code quality issues and there are code, like, security issues. I can't remember the terms that SonarQube uses for them. At least in the case of SonarQube, there is a configuration setting that says, I want the code smells,
53:09
the quality issues, to make it into Dojo, or I don't. And to be honest with you, there's not a right answer there. Some class of Dojo users will want code quality issues to be reported in Dojo, which is primarily a security tool, but honestly it doesn't care what a finding is. And some don't. And so I've had cases, what was the other one? We just had one of these the other day. There was another issue where it was more of a quality issue
53:38
that didn't get parsed into Dojo because it was, oh, that's what it was. Somebody said, hey, I ran, I don't remember what tool it was. This was a, I think this was a GitHub issue. Pretty sure it was a GitHub issue. It might've been OWASP Slack, but they were like, "Hey, I ran this tool and it had 79 findings. I imported and I got 60. Why? You know, why is Dojo broken?" And what it ended up being was, for that particular tool, they multiply reported
54:08
the same issue that Dojo collapsed, Dojo's parser collapsed, into a single mitigation. So a great example of this is a lot of SCA tools will say, "Your lib blah is out of date, right? You need to update to version two." And then you'll have three or four findings or outputs from a tool that say you need to update to version two. However,
54:35
Dojo's parser will parse those into a single finding that says "update to version two", because that's the better way to present that data. You don't need four JIRA issues that say "update to version two". You just need one. The other thing that Dojo will do is it won't, by default, we don't parse findings that are marked as false positive. So in your SAST tool, if you mark something as a false positive, let's say, I think this was Checkmarx. Don't quote me on that. I think it was Checkmarx.
55:04
If you mark it as a false positive in Checkmarx, you do an export, it shows up in the export. When Dojo parses that, there's no reason to add an FP to Dojo; it chucks that. And we only get the actionable findings into Dojo. So look at the parsers of the tools that you're using and see if there's the case that they have these findings or items that the tool may call an issue, but that isn't really actionable, or
55:33
an issue that has a different mitigation. Because a lot of times Dojo will compress things by mitigation. And so you'll get a larger number from tools, a smaller number in Dojo, because we're trying to make your life easier. OK, hope that helps. Yeah, thanks. So we're around with a two-minute warning here. So I'm going to do the last two together. So the follow-on to that question was, "I tried Qualys, ZAP, CSV, and Coverity, all the same problem." You may have answered that. And then
56:01
the next one is, "Happy to hear that issues start internal discussions. Is it possible to make them more public, as responses to issues or in Slack?" And then those will be the last two questions. Yeah. Um, starting with the Qualys, ZAP, CSV and Coverity one, I'd
56:23
have to look at those parsers to answer this concretely. The other thing that may be biting you is, if you have dedupe, or you're doing reimport, those can close findings as well. So your total number of findings may not match what you expect them to be, because DefectDojo has deduped or otherwise, like, managed or, like, made actionable those findings, if that makes sense.
56:50
And if you do see an issue where, like, Qualys is not working correctly, please put an issue in GitHub and we can dig into it. The discussions more public: for the things that we, though there's two different ways that discussions have been made more public. Particularly for the one about Gunicorn, or "G unicorn" or whatever the heck, versus uWSGI, those discussions will happen on the issue.
57:18
Um, internally, what I did is I just poked a bunch of the maintainers and said, "Hey, there's this issue in GitHub. It would be great if you could chime in on it." That's what I mean by internal discussions. It's not like we have an internal powwow that's secret. It's mostly me poking other core maintainers and saying, like, "Hey, go look at issue one, two, three. This is kind of interesting. We should probably think about it."
57:45
Okay, thank you. So, I think we have about 30 seconds left, maybe. So I just want to thank everybody for coming. I think this was a great session. I'm thinking perhaps we do this at least once a quarter, just because there are so many great questions, and I think it's really educational. We can see Matt next online. On October 30, he will be doing a reprise of his LASCON talk on
58:13
"ASPM Your Way", which should be pretty interesting. So stay tuned, you'll get messages in the Slack channel and your emails about other upcoming events. But thanks very much for participating today. Yeah, thank you for the awesome questions. Keeping me on my toes.