Download as PDF, PPTX
More Related Content
Similar to OWASP DefectDojo - Open Source Security Sanity
![[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух](https://cdn.slidesharecdn.com/ss_thumbnails/1-141207100815-conversion-gate01-thumbnail.jpg?width=640&height=640&fit=bounds)
OWASP DefectDojo - Open Source Security Sanity
- 1. GLOBAL APPSEC DCTM MattTesauro @matt_tesauro
- 2. OWASP GLOBAL APPSEC- DC Who is this guy? • Reformed programmer and AppSec engineer • 11+ years in the OWASP community • OWASP AppSec Pipeline Leader • OWASP Defect Dojo Maintainer • OWASP WTE Leader • Former Global Board Member, employee • 20+ years using FLOSS and Linux • Currently a Golang fanboy • Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt)
- 3. OWASP GLOBAL APPSEC- DC This is how I feel when I log into the Nth security tool web console... And when I have to combine multiple tool’s output for reporting
- 4. OWASP GLOBAL APPSEC- DC So, next time you’re in the Expo... sane REST
- 5. GLOBAL APPSEC DCTM OWASPDefect Dojo Open Source Security Sanity
- 6. OWASP GLOBAL APPSEC- DC 90% of Enterprise Vulnerability programs
- 7. OWASP GLOBAL APPSEC- DC But WHY!
- 8. OWASP GLOBAL APPSEC- DC OWASP DefectDojo An open-source application vulnerability correlation and security orchestration tool. The source of truth for a security program that manages to make vulnerability management work by • Consolidating and deduping findings from multiple tools • Maintain product and application information • Push findings to defect trackers • Automation with it’s REST API
- 9. OWASP GLOBAL APPSEC- DC Try it yourself... https://defectdojo.herokuapp.com/
- 10.
- 11. OWASP GLOBAL APPSEC- DC Python 3 & Django 2 + 2 = NOTE: DefectDojo is Python Y2020 safe - see https://pythonclock.org/
- 12. OWASP GLOBAL APPSEC- DC Feature ‘Bullet list’ • Manages AppSec Program • Application Inventory • Application Metadata • Compliance + Regulations + ... • Testing Data • Credential Repository • Metrics • Dashboarding • OWASP ASVS built in • Tagging on multiple levels • Calendar of Sec Activities • Historical knowledge of past assessments • REST API / Swagger-ified • Reporting at multiple levels • Filter data for reporting • Import output from multiple tools And so much more...
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26. OWASP GLOBAL APPSEC- DC How many different tools do you use? • DAST Tools • SAST Tools • Component/3rd party library Tools • Infrastructure Tools • Cloud Tools • Docker Tools • ...
- 27. OWASP GLOBAL APPSEC- DC How many tools does Defect Dojo import? 7 10 20 30 40 No Wait, there’s more! 50
- 28. OWASP GLOBAL APPSEC- DC How about 63!
- 29. OWASP GLOBAL APPSEC- DC Act now and we’ll throw in a bamboo steamer!
- 30.
- 31. OWASP GLOBAL APPSEC- DC https://defectdojo.readthedocs.io Defect Dojo Documentation
- 32.
- 33. OWASP GLOBAL APPSEC- DC Defect Dojo is very active... 2019 Google Summer of Code
- 34. OWASP GLOBAL APPSEC- DC We got stars on ours
- 35.
- 36. OWASP GLOBAL APPSEC- DC Deploy in multiple ways... Helm / Kubernetes
- 37. OWASP GLOBAL APPSEC- DC Deploy in multiple ways... Docker Compose
- 38. OWASP GLOBAL APPSEC- DC Deploy in multiple ways... New Stand-alone installer (beta)
- 39. OWASP GLOBAL APPSEC- DC Deploy in multiple ways... New Stand-alone installer (beta) Features • Single binary installer • 160+ configurable options with sane defaults (yaml) • All options can be overridden with ENV vars • Non-interactive (optional) • Multiple logging levels • Install a release, a specific commit, or branch
- 40. OWASP GLOBAL APPSEC- DC Burpsuite Plugin
- 41. GLOBAL APPSEC DCTM Automation whereDefect Dojo really shines
- 42. OWASP GLOBAL APPSEC- DC There’s ever enough people or time... • AppSec teams size is small vs Dev team size • Automate all the things that don’t take a human brain • Defect Dojo (and the REST API) is the heart of AppSec Automation
- 43.
- 44. OWASP GLOBAL APPSEC- DC First Gen AppSec Pipeline
- 45. OWASP GLOBAL APPSEC- DC gasp-docker Golang 2nd Generation AppSec Pipeline (using docker)
- 46.
- 47.
- 48. OWASP GLOBAL APPSEC- DC 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
- 49.
- 50. OWASP GLOBAL APPSEC- DC Automation Results 2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107%
- 51. OWASP GLOBAL APPSEC- DC From 2014 - 2016 840.91% Percentage Increase
- 52. GLOBAL APPSEC DCTM Contributing Let’sall make Defect Dojo even better
- 53. OWASP GLOBAL APPSEC- DC How can you help? • Write some code / submit a PR • Submit issues • Help with the documentation • Provide an example of scanner output • Write code / docs for a deployment method • Join the Slack channel and answer questions • Donate / Sponsor a feature enhancement
- 54. GLOBAL APPSEC DC SCANTHE QR CODE TO COMPLETE THE SURVEY Rate this Session Thank You! TM OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc. Questions? Thanks! https://www.defectdojo.org https://github.com/DefectDojo https://defectdojo.readthedocs.io