Introduction:
DefectDojo has become a central tool in security automation for managing application security vulnerabilities. Its feature set, which includes importing third-party scanner results, Jira integration, finding templates, and analytical metrics, takes much of the manual work out of application security testing.
This guide walks through DefectDojo’s design, installation, and integrations and shows where it fits in a security orchestration workflow.
What is DefectDojo?
DefectDojo is an open-source tool for managing application security vulnerabilities. It streamlines the application security testing process by importing findings from third-party security tools, merging and deduplicating them, integrating with Jira, providing finding templates, generating reports, and producing security metrics.
What does DefectDojo do?
While traceability and metrics are the end goal, DefectDojo is a bug tracker at its core. Its Product / Engagement / Test / Finding model provides traceability across multiple projects and test cycles and allows for fine-grained reporting.
Architecture
NGINX
- The web server NGINX delivers all static content, e.g. images, JavaScript files, or CSS files.
uWSGI
- uWSGI is the application server that runs the DefectDojo application, written in Python/Django, to serve all dynamic content.
Message Broker
- The application server sends tasks to a Message Broker for asynchronous execution. RabbitMQ is a well-supported choice.
Celery Worker
- Tasks such as deduplication or Jira synchronization are performed asynchronously in the background by the Celery worker.
Celery Beat
- To identify and notify users about things like upcoming engagements, DefectDojo runs scheduled tasks. These tasks are scheduled and run using Celery Beat.
Initializer
- The Initializer runs during DefectDojo startup to initialize the database and, after an upgrade, to run database migrations. It shuts itself down once these tasks are done.
Database
- The Database stores all data of DefectDojo. Currently, MySQL and PostgreSQL are supported.
Installation
DefectDojo supports various installation options.
- Docker Compose – recommended, and the option used in this guide
- SaaS
- Kubernetes
Pre-requisites for installation:
- For a self-hosted install on a cloud VM, use at least a t2.large-class instance (2 vCPU, 8 GB memory); Ubuntu is recommended.
- Recent versions of Docker and Docker Compose must be installed.
Installing containerized DefectDojo
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
# build the images
./dc-build.sh
# start the stack with MySQL and RabbitMQ
./dc-up.sh mysql-rabbitmq
# obtain the admin credentials; the initializer can take up to 3 minutes to run
# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"
Once the initializer has finished (run the logs command in a second terminal if dc-up.sh is still attached), navigate to http://<public-ip>:8080 and you will see the login page and dashboard. Note that this exposes DefectDojo over plain HTTP on port 8080; on a cloud instance, restrict access with a security group or firewall and terminate TLS in front of it before exposing it beyond a test environment.
Default username: admin
Password: generated by the initializer. Run docker-compose logs initializer | grep "Admin password:" in the terminal to retrieve it.
After logging in, change the password in the user profile settings. Additional users can then be created as needed.
Integrate SonarQube with DefectDojo
- Tool Configuration – add a SonarQube tool configuration with the SonarQube URL and a token that can read the projects
- Create a Product (under a suitable Product Type) for the application being scanned
- Add an API Scan Configuration on the product to link it to the SonarQube project and establish the API connection
- Finally, import the scan results from SonarQube
Integrate BlackDuck with DefectDojo
- Tool Configuration – add a BlackDuck tool configuration with the BlackDuck URL and an API token that can read the projects
- Create a Product (under a suitable Product Type) for the application being scanned
- Add an API Scan Configuration on the product to link it to the BlackDuck project and establish the API connection
- Finally, import the scan results from BlackDuck.
After the scan results are fetched, DefectDojo also presents them as metrics:
- bug counts, severities, and risk factors
- the most critical products, shown on the dashboard
Integrate DefectDojo with Jira
DefectDojo’s Jira integration is bidirectional. You can push findings to Jira as a Story/Task and share comments, and if an issue is closed in Jira it is automatically closed in DefectDojo.
- Create a webhook in Jira that points at the DefectDojo webhook URL; that URL contains the webhook secret configured in DefectDojo, so treat it as a credential.
- Enable “Jira integration” in the DefectDojo System Settings.
- To authenticate with Jira, add a Jira instance with the Jira URL and a PAT (personal access token).
- Once done, push findings from DefectDojo to Jira; each pushed finding creates a new issue populated from the finding description.
High-Level Points
- DefectDojo is an open-source application vulnerability correlation and security orchestration application.
- It is written in Python using the Django framework.
- While traceability and metrics are the end goal, it is a bug tracker at its core.
- DefectDojo can import reports from more than 20 tools and supports Jira and Slack integration.
- Users can be set up with limited-access roles so they can only use certain functions inside the application or view the products/projects that have been authorized for them.
- You can push findings from DefectDojo into Jira. The integration is bidirectional, so if an issue is closed in Jira, it is also closed in DefectDojo.
- DefectDojo offers in-depth metrics across the dashboard, making it easy to see overview metrics across products, engagements, and individual scans.
How does it work?
- Working in DefectDojo starts with a Product Type.
- Each Product Type can have one or more Products.
- Each Product can have one or more Engagements.
- Each Engagement can have one or more Tests.
- Each Test can have one or more Findings.
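The Product Type → Product → Engagement → Test/Finding chain above, and the “import the scan results” step in the SonarQube and BlackDuck sections, can be driven end to end through DefectDojo’s REST API v2 instead of the UI. The following is an added example written for this guide, not code from the DefectDojo project: a stdlib-only Python client that creates each level of the hierarchy and then uploads a report with import-scan. The endpoint paths, the Token authorization header and the form field names follow the v2 API; the host, API key, product and engagement names, the empty report payload, and the FakeDojo stand-in that records requests in place of a real server are constructed assumptions for the example.

```python
"""Walk DefectDojo's Product Type -> Product -> Engagement -> Test hierarchy
over the REST API v2 and import a scan report into the engagement.
Added example for this guide, not DefectDojo project code. Host, API key,
names, report payload and the FakeDojo recorder are constructed assumptions."""
import json
import urllib.request
import uuid
from datetime import date


def encode_multipart(fields, filename, file_bytes, boundary):
    """Build a multipart/form-data body: text fields plus one 'file' part."""
    crlf = b"\r\n"
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="file"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", file_bytes]
    parts += [f"--{boundary}--".encode(), b""]
    return crlf.join(parts), {"Content-Type": f"multipart/form-data; boundary={boundary}"}


class DojoClient:
    """Thin DefectDojo API v2 client. `send(method, url, headers, body) -> dict`
    is injectable so the flow can run offline against a fake server."""

    def __init__(self, base_url, api_key, send=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.send = send or self._urllib_send

    @staticmethod
    def _urllib_send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:  # real network call
            return json.loads(resp.read().decode())

    def _post(self, path, headers, body):
        headers["Authorization"] = f"Token {self.api_key}"  # API key auth, not basic auth
        return self.send("POST", f"{self.base_url}/api/v2/{path}/", headers, body)

    def _post_json(self, path, payload):
        return self._post(path, {"Content-Type": "application/json"},
                          json.dumps(payload).encode())

    def create_product_type(self, name):
        return self._post_json("product_types", {"name": name})["id"]

    def create_product(self, name, prod_type_id, description):
        return self._post_json("products", {"name": name, "description": description,
                                             "prod_type": prod_type_id})["id"]

    def create_engagement(self, name, product_id, start, end):
        return self._post_json("engagements", {
            "name": name, "product": product_id, "engagement_type": "CI/CD",
            "target_start": start.isoformat(), "target_end": end.isoformat()})["id"]

    def import_scan(self, engagement_id, scan_type, filename, report_bytes):
        """POST /api/v2/import-scan/ is multipart: the report file plus form fields.
        Imported findings start active but unverified, so triage stays explicit."""
        fields = {"engagement": str(engagement_id), "scan_type": scan_type,
                  "minimum_severity": "Low", "active": "true", "verified": "false",
                  "close_old_findings": "false"}
        body, headers = encode_multipart(fields, filename, report_bytes, uuid.uuid4().hex)
        return self._post("import-scan", headers, body)


def onboard_and_import(client, app_name, report_bytes):
    """Create one level of the hierarchy per call, then import a report into it."""
    pt_id = client.create_product_type("Web Applications")
    prod_id = client.create_product(app_name, pt_id, "Onboarded via API")
    eng_id = client.create_engagement("CI pipeline run", prod_id,
                                      date(2024, 1, 15), date(2024, 1, 15))
    result = client.import_scan(eng_id, "SonarQube Scan", "sonar-report.json", report_bytes)
    return {"product_type": pt_id, "product": prod_id,
            "engagement": eng_id, "test": result.get("test")}


class FakeDojo:
    """Constructed stand-in for a DefectDojo server: records each request and
    returns sequential ids, so the flow can be checked without a deployment."""

    def __init__(self):
        self.calls = []
        self.next_id = 100

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/import-scan/"):
            return {"test": 500, "scan_type": "SonarQube Scan"}
        self.next_id += 1
        return {"id": self.next_id}


if __name__ == "__main__":
    fake = FakeDojo()
    client = DojoClient("https://dojo.example.internal", "REPLACE-WITH-API-KEY", send=fake)
    print(onboard_and_import(client, "payments-api", b"{}"))  # constructed empty report
    for method, url, _, _ in fake.calls:
        print(method, url)
```

Against a real deployment, drop the `send=fake` argument, use the API v2 key from the user’s profile page, and pass the actual report bytes; keep the key out of the script itself and in an environment variable or secret store, since it grants the same rights as the user it belongs to.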
Conclusion:
DefectDojo bridges the gap between application security testing and efficient vulnerability management. Its integrations with Jira, BlackDuck, and SonarQube, together with its modular design, make it a valuable tool for security teams.
Explore DefectDojo’s capabilities to strengthen your security posture and improve the efficiency of your security processes.