When it comes to security, it makes sense to embed it as early as possible in the software development process. DefectDojo is a vulnerability management tool that helps development teams and administrators identify, track and fix vulnerabilities. Our workshop introduces the basics, architecture and practical use of the free tool.
DevOps has been an integral part of software development in most companies for years. The term stands for a set of practices, tools and a kind of cultural philosophy intended to automate and dovetail the processes between the development department and the IT operations teams. Building on the DevOps mechanisms, a further development has emerged in recent years: DevSecOps. In short, this is DevOps plus security. In more detail, it means that security should play a role in every phase of the software development process: from initial design through integration, testing and deployment to delivery.
The principle that the handling of a task – in our case security – should be shifted as far forward as possible in the process chain is also known as the shift-left approach. For containers, this means incorporating security aspects as early as the container build stage. This makes sense, as incidents in production environments can often only be rectified at great cost, whereas it is usually far cheaper to find errors at the beginning of the development process. Many tools have become established in the shift-left and DevSecOps space in recent years. One free tool is DefectDojo [1].
DefectDojo at a glance
DefectDojo was originally developed by Rackspace but is now open source. The community is actively developing the software: there are now over 350 contributors, and the project has more than 2500 GitHub stars. New features are released relatively frequently – according to the GitHub page, an update appears approximately every fortnight. The tool integrates with a wide range of existing security tools – including security scanners, issue trackers and reporting tools – and displays their findings in a centralised and easy-to-understand way.