Thursday, December 29, 2016

Combating the Vulnerability Chaos with OWASP DefectDojo


Four short years ago, I spent 35% of my time actually hacking on products and 65% of my time writing reports and recording metrics. Our team tried a multitude of tools to make our lives easier, but it seemed to only increase our turnover rates. The landscape of security has never been harder to manage with the numerous hoops engineers and penetration testers have to jump through to actually do their job.To alleviate our frustration and lack of options we created DefectDojo, a free and open-source vulnerability management tool.

Home Screen:  Here is what you will see when you first login to DefectDojo.
It provides a quick overview of the state of your security program.

DefectDojo is a tool that not only stores findings, but also helps to streamline your entire application security program. It simplifies vulnerability management by offering templating, report generation, metrics, finding deduplication, and baseline self-service tools to allow security engineers and penetration testers to spend their time on their actual expertise, hacking. Comprehensive details on all of DefectDojo’s features can be found on our official docs.


templates.gif
Templating: DefectDojo's templating system saves time on reporting
 by allowing users to recycle previous entries on similar issues.
report_gen.gif
Report Generation: DefectDojo includes a multitude of options to generate custom reports including
 filtering for a specific engagement or test-type. For an example report see the link below.
scan.gif
Self-Service Tools: DefectDojo includes self-service tools that allow teams to schedule
their own scans and store the results back into DefectDojo.
upload_scan.gif
Scanner Integration: DefectDojo allows you to import scan data from multiple commercial and open-source security tools.
Every code change is checked for quality and security with continuous testing using Travis CI.  We do this to ensure that future updates do not break the current build.  We also run the same series of tests against any contributed code.  Speaking of contributions, we’re happy to take your pull requests, feature requests or donations to keep DefectDojo moving forward.  We’ve had several pull requests from new contributors, including a recent one that added file uploads to the REST API.  
dojo_ci.PNG
Continuous Integration: Every code change is run against a series of of tests to ensure stable updates.


It is easy to make Dojo your own.  You can install DefectDojo using a single command on all Linux systems and OS X. There is also an option for Docker. The project is written with Python/Django. If you wanted to add or alter any features or displays to personalize your instance, only three files need to be changed (models.py, views.py, and templates).


DefectDojo is currently used by multiple large enterprises and has core contributors from five different organizations including Rackspace, Rapid7, Pearson, Cengage, and the OWASP Foundation.


DefectDojo works at scale. For example, Pearson uses DefectDojo to manage application security engagements for 2,000+ applications written by 5,000+ developers with operations on every continent.

If you’re curious about DefectDojo, there is a live demo.
You can log in as an administrator like so:
Admin
You can also log in as a product owner / non-staff user:
Product owner
Please direct all inquires to greg.anderson@owasp.org

No comments: