DevSecOps with DefectDojo
The Early Bird
DevOps has been an integral part of software development in most organizations for years. The term encompasses various practices and tools, along with a cultural philosophy, all intended to help automate and interlink processes between the development department and IT operations teams. From DevOps mechanisms, a further development has emerged in recent years: DevSecOps, DevOps plus security. In more detail, it means that security needs to play a role in every phase of the software development process: from the initial design through integration, testing, and deployment to delivery.
The principle of moving tasks – security in this case – forward as far as you can in a process chain is also known as the shift-left approach. In terms of containers, shift left means taking security aspects into account as early as the container construction stage. This approach makes sense; after all, fixing incidents in production environments often involves massive amounts of money, whereas discovering errors at the outset of the development process is typically far less costly. Many tools have become established on the market in the shift-left and DevSecOps environment in recent years. DefectDojo [1] is one of these tools, and it is free.
DefectDojo
DefectDojo was originally developed by Rackspace but is now open source. The community is working hard on the further development of the software, with more than 350 contributors and more than 2,500 GitHub stars. New features are released quite frequently; according to the GitHub page, an update is made approximately every two weeks. The tool integrates with a wide range of existing security tools, including security scanners, issue trackers, and reporting tools, and displays their information in a centralized and easy-to-understand way.
A special feature is its ability to automate the process of running security scans, which makes it possible to work toward eliminating vulnerabilities in real time and to share the current status within the team. Another advantage is the tool's flexibility. DefectDojo can be customized to suit your organization's needs, with your own workflows and vulnerability classifications, and be integrated into your own security toolchain.
Under the hood, DefectDojo comprises a number of components (Figure 1):
- All static web content is provided by Nginx, including JavaScript, images, and other CSS files.
- The application server is uWSGI, which is based on the Django Python framework and is responsible for all dynamic content.
- The RabbitMQ message broker is responsible for asynchronous communication.
- Celery workers run tasks such as Jira synchronization or deduplication in the background.
- The Celery beat program is used to notify users.
- MySQL or PostgreSQL are supported as databases; PostgreSQL is recommended.
- Initializer scripts are called during the installation of updates and terminate automatically.
Docker Installation
DefectDojo reaches the user in a containerized form; therefore, a local test install is a quick and easy process relying on Docker and Docker Compose. This environment is also a prerequisite for the installation shown in Listing 1.
Listing 1
DefectDojo Installation
01 git clone https://github.com/DefectDojo/django-DefectDojo
02 cd django-DefectDojo
03 # building
04 ./dc-build.sh
05 # running (for other profiles besides postgres-redis look at https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md)
06 ./dc-up.sh postgres-redis
07 # obtain admin credentials. the initializer can take up to 3 minutes to run
08 # use docker-compose logs -f initializer to track progress
09 docker-compose logs initializer | grep "Admin password:"
First, run the command to clone the public DefectDojo GitHub repository (line 1), change to the program directory (line 2), and start the local build of the container images (line 4). As soon as the build is done, you can start the application (line 6); you need to specify a profile, which selects the database and message broker configuration the tool runs with. As soon as the software has launched, you will find the admin password in the initializer's logs (line 9); it is generated randomly for each installation. Next, open the application by calling http://localhost:8080 and go to the dashboard. Enter admin as the username and the password you took from the logs.
How DefectDojo Works
Although DefectDojo is very intuitive, it is still a good idea to familiarize yourself with the product's data classes. The project has a clearly defined hierarchy. The Product Type occurs at the top level and is usually a company, department, or team (e.g., the Identity and Access Management team). The next level contains the matching Products (e.g., WordPress), and the third level defines a moment (Engagement) for product testing, which is usually a point in time, a version (e.g., beta), a regular security check, or the like. Each engagement has a specific name, a timeline, a leader, a test strategy, and a status.
Tests summarize the activities for identifying security vulnerabilities; each test is linked to a start time, an end time, and a test type. A Finding is a vulnerability that has been found. Each finding is categorized by severity: Critical, High, Medium, Low, and Info. An example of a finding could be OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability. Finally, the Endpoint designates the tested system with its IP address and fully qualified domain name.
If you use DefectDojo in a larger organization, you can easily end up with many products, engagements, tests, and other objects. To group objects, use the tags you can find in the tool's graphical user interface (Figure 2).
As soon as a finding appears, its status is displayed. Each finding can be addressed individually, and you can change its status. Unfortunately, it is not uncommon for the same finding to be reported more than once, for example by different scanners. To mitigate the effects, DefectDojo has a deduplication process that can adjust the status of repeated findings. In production environments, compliance with service-level agreements (SLAs) is typically important, as well (Figure 3). The tool supports this, too: you can configure how many days software teams can take to fix findings of each severity.
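To make the object hierarchy (Product Type, Product, Engagement, Test, Finding, Endpoint), the deduplication of repeated findings, and the SLA day limits described above concrete, here is an added Python example written for this article. It is not DefectDojo's own code: the deduplication key (title plus host) and the SLA day counts per severity are assumptions chosen for illustration, and the sample findings are constructed.

```python
"""Illustrative model of DefectDojo-style findings, deduplication and SLA tracking.
Added example for this article; not DefectDojo's own code. The dedup key and the
SLA_DAYS table are assumptions, not the tool's defaults."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

# Assumed SLA policy: days a team has to fix a finding of each severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 120, "Info": None}


@dataclass
class Endpoint:
    host: str   # fully qualified domain name of the tested system
    ip: str


@dataclass
class Finding:
    title: str
    severity: str
    endpoint: Endpoint
    found: date
    status: str = "Active"
    duplicate_of: "Finding | None" = None

    def dedup_key(self) -> str:
        # Assumed deduplication key: same title on the same host is the same
        # vulnerability, regardless of which scanner reported it.
        raw = f"{self.title}|{self.endpoint.host}".encode()
        return hashlib.sha256(raw).hexdigest()


@dataclass
class Test:
    test_type: str
    findings: list = field(default_factory=list)


@dataclass
class Engagement:
    name: str
    tests: list = field(default_factory=list)


@dataclass
class Product:
    name: str
    product_type: str   # e.g. a team or department
    engagements: list = field(default_factory=list)

    def all_findings(self):
        for eng in self.engagements:
            for test in eng.tests:
                yield from test.findings


def deduplicate(findings):
    """Mark later findings with the same key as duplicates of the first one.
    Returns the list of unique (non-duplicate) findings."""
    seen, unique = {}, []
    for f in findings:
        key = f.dedup_key()
        if key in seen:
            f.status = "Duplicate"
            f.duplicate_of = seen[key]
        else:
            seen[key] = f
            unique.append(f)
    return unique


def sla_breaches(findings, today):
    """Return active findings whose SLA deadline (found date + allowed days) has passed."""
    breached = []
    for f in findings:
        days = SLA_DAYS.get(f.severity)
        if f.status != "Active" or days is None:
            continue
        if today > f.found + timedelta(days=days):
            breached.append(f)
    return breached


def build_sample_product():
    # Constructed sample data: one product, one engagement, two scanner tests.
    ep = Endpoint("shop.example.com", "192.0.2.10")
    wp = Product("WordPress", "Identity and Access Management")
    beta = Engagement("beta")
    wp.engagements.append(beta)
    zap, nessus = Test("ZAP Scan"), Test("Nessus Scan")
    beta.tests += [zap, nessus]
    title = "OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability"
    zap.findings.append(Finding(title, "High", ep, date(2024, 1, 10)))
    nessus.findings.append(Finding(title, "High", ep, date(2024, 1, 12)))  # same issue, second scanner
    nessus.findings.append(Finding("Missing X-Frame-Options header", "Low", ep, date(2024, 2, 1)))
    return wp


def summarize(product, today_iso):
    """Deduplicate a product's findings and report the SLA breaches as of a date."""
    today = date.fromisoformat(today_iso)
    unique = deduplicate(list(product.all_findings()))
    duplicates = sum(1 for f in product.all_findings() if f.status == "Duplicate")
    breached = sla_breaches(unique, today)
    return {"unique": len(unique), "duplicates": duplicates,
            "breached": [f.title for f in breached]}


if __name__ == "__main__":
    print(summarize(build_sample_product(), "2024-02-15"))
```

Running the block deduplicates the OpenSSL finding reported by both scanners, keeps the first occurrence active, and reports it as an SLA breach because its assumed 30-day window for High findings closed before the reporting date, while the Low finding is still within its window.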
DefectDojo can display the current data in the form of a report. Predefined reports exist for all data classes. If required, you can also create your own with a dedicated report builder. You can include a cover page, a table of contents, WYSIWYG content, findings, vulnerable endpoints, and page breaks. When it comes to visualization, the metrics views are particularly interesting, with product type metrics, counts, and other series of figures.