Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
2. OWASP GLOBAL APPSEC - DC
Who is this guy?
• Reformed programmer and AppSec engineer
• 11+ years in the OWASP community
• OWASP AppSec Pipeline Leader
• OWASP Defect Dojo Maintainer
• OWASP WTE Leader
• Former Global Board Member, employee
• 20+ years using FLOSS and Linux
• Currently a Golang fanboy
• Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt)
This is how I feel when I log into the Nth security tool web console...
And when I have to combine multiple tools’ output for reporting.
OWASP DefectDojo
An open-source application vulnerability correlation and security orchestration tool.
The source of truth for a security program; it makes vulnerability management work by
• Consolidating and deduping findings from multiple tools
• Maintaining product and application information
• Pushing findings to defect trackers
• Automating with its REST API
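An added example (not DefectDojo’s own code) of the consolidate-and-dedupe idea from the list above: two constructed tool outputs are normalised into one finding model and collapsed on a stable hash of the identifying fields. The tool formats, field names and finding values are invented for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample outputs, shaped loosely like a SAST tool and a
# dependency scanner. They are not real tool formats.
SAST_JSON = json.dumps({"results": [
    {"rule": "sql-injection", "cwe": 89, "path": "app/db.py", "line": 42, "severity": "High"},
    {"rule": "sql-injection", "cwe": 89, "path": "app/db.py", "line": 42, "severity": "High"},
    {"rule": "hardcoded-secret", "cwe": 798, "path": "app/config.py", "line": 7, "severity": "Medium"},
]})
DEP_JSON = json.dumps({"vulns": [
    {"id": "EXAMPLE-0001", "component": "lodash", "version": "4.17.4", "cwe": 1321, "sev": "high"},
    {"id": "EXAMPLE-0001", "component": "lodash", "version": "4.17.4", "cwe": 1321, "sev": "high"},
]})


@dataclass(frozen=True)
class Finding:
    """Common model every tool's output is normalised into."""
    tool: str
    title: str
    cwe: int
    location: str
    severity: str

    def hash_code(self) -> str:
        # Stable key over the fields that identify the same defect;
        # tool name is deliberately excluded so cross-tool duplicates collapse.
        key = f"{self.title}|{self.cwe}|{self.location}".lower()
        return hashlib.sha256(key.encode()).hexdigest()


def parse_sast(raw: str) -> list:
    return [Finding("sast", r["rule"], r["cwe"], f"{r['path']}:{r['line']}", r["severity"].capitalize())
            for r in json.loads(raw)["results"]]


def parse_deps(raw: str) -> list:
    return [Finding("deps", v["id"], v["cwe"], f"{v['component']}@{v['version']}", v["sev"].capitalize())
            for v in json.loads(raw)["vulns"]]


def consolidate(*imports) -> list:
    seen = {}
    for findings in imports:
        for f in findings:
            seen.setdefault(f.hash_code(), f)  # first occurrence wins, later ones are duplicates
    return list(seen.values())


def consolidate_all() -> list:
    """Five raw findings from two tools become three unique ones."""
    return consolidate(parse_sast(SAST_JSON), parse_deps(DEP_JSON))
```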
Try it yourself...
https://defectdojo.herokuapp.com/
Python 3 & Django 2
NOTE: DefectDojo is Python Y2020 safe - see https://pythonclock.org/
Feature ‘Bullet list’
• Manages AppSec Program
• Application Inventory
• Application Metadata
• Compliance + Regulations + ...
• Testing Data
• Credential Repository
• Metrics
• Dashboarding
• OWASP ASVS built in
• Tagging on multiple levels
• Calendar of Sec Activities
• Historical knowledge of past assessments
• REST API / Swagger-ified
• Reporting at multiple levels
• Filter data for reporting
• Import output from multiple tools
And so much more...
How many different tools do you use?
• DAST Tools
• SAST Tools
• Component/3rd party library Tools
• Infrastructure Tools
• Cloud Tools
• Docker Tools
• ...
How many tools does Defect Dojo import?
7... 10... 20... 30... 40...
No wait, there’s more!
50
Deploy in multiple ways...
New Stand-alone installer (beta)
Features
• Single binary installer
• 160+ configurable options with sane defaults (yaml)
• All options can be overridden with ENV vars
• Non-interactive (optional)
• Multiple logging levels
• Install a release, a specific commit, or branch
There’s never enough people or time...
• AppSec team size is small vs. dev team size
• Automate all the things that don’t take a human brain
• Defect Dojo (and the REST API) is the heart of AppSec automation
How can you help?
• Write some code / submit a PR
• Submit issues
• Help with the documentation
• Provide an example of scanner output
• Write code / docs for a deployment method
• Join the Slack channel and answer questions
• Donate / Sponsor a feature enhancement
Questions?
Thanks!
https://www.defectdojo.org
https://github.com/DefectDojo
https://defectdojo.readthedocs.io