OWASP Developer Guide

DefectDojo

DefectDojo logo

6.4.1 DefectDojo

OWASP DefectDojo is a DevSecOps tool for vulnerability management. It provides one platform to orchestrate end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.

DefectDojo is an OWASP Flagship project and is well established; the project was started in 2013 and has been in continuous development / release since then.

What is DefectDojo?

DefectDojo is an open source vulnerability management tool that streamlines the testing process by integration of templating, report generation, metrics, and baseline self-service tools.

DefectDojo streamlines the testing process through several ‘models’ that an admin can manipulate with Python code. The core models include:

  • engagements
  • tests
  • findings

DefectDojo has supplemental models that facilitate :

  • metrics
  • authentication
  • report generation
  • tools

A good introduction to DefectDojo is the We Hack Purple discussion between Matt Tesauro and Tanya Janca.

Why use it?

DefectDojo integrates with many open-source and proprietary/commercial tools from various domains:

  • Dynamic Application Security Testing (DAST)
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bills of Materials (SBOMs)
  • Scanning of infrastructure and APIs

It also integrates with the Threagile Threat Modeling tool, and with time more integrations with threat modeling tools will become available.

How to use it

Testing or installing DefectDojo is straight forward using the installation instructions; the recommended way to run DefectDojo is using a container.

To set up an instance of DefectDojo follow the docker compose instructions along with the associated scripts that handle the dependencies, configure the database, create users and so on. Refer to the DefectDojo documentation for further information on alternative deployments, setting up, usage and integrations.

References


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.