OWASP Developer Guide


6.4.1 DefectDojo

OWASP DefectDojo is a DevSecOps tool for vulnerability management. It provides one platform to orchestrate end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.

DefectDojo is an OWASP Flagship project and is well established; the project was started in 2013 and has been in continuous development / release since then.

What is DefectDojo?

DefectDojo is an open source vulnerability management tool that streamlines the testing process by integration of templating, report generation, metrics, and baseline self-service tools.

DefectDojo streamlines the testing process through several ‘models’ that an admin can manipulate with Python code. The core models include:

  • engagements
  • tests
  • findings

DefectDojo has supplemental models that facilitate :

  • metrics
  • authentication
  • report generation
  • tools

Why use it?

DefectDojo integrates with many open-source and proprietary/commercial tools from various domains:

  • Dynamic Application Security Testing (DAST)
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bills of Materials (SBOMs)
  • Scanning of infrastructure and APIs

It also integrates with the Threagile Threat Modeling tool, and with time more integrations with threat modeling tools will become available.

How to use it

Testing or installing DefectDojo is straight forward using the installation instructions. An instance of DefectDojo can be setup using docker compose along with the associated scripts that handle the dependencies, configure the database, create users and so on. Refer to the DefectDojo documentation for all the information on alternative deployments, setting up, usage and integrations.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.