SlideShare a Scribd company logo

Intro to DefectDojo at OWASP Switzerland

M
Matt Tesauro

This document introduces Fred Blaise and provides information about OWASP DefectDojo. DefectDojo is an open-source application vulnerability correlation and security orchestration tool that consolidates findings from multiple tools, tracks vulnerabilities, and enables automation through its REST API. It can ingest reports from many common security tools and helps automate previously manual processes to improve security and allow small teams to manage large application security programs. The document demonstrates how DefectDojo can be deployed in various environments and discusses its features, community, and recent improvements.

1 of 38
Downloaded 10 times
OWASP FOUNDATION TM Matt Tesauro @matt_tesauro Fred Blaise @FredBlaise (madchap) introduced to you by
OWASP FOUNDATION Matt - Who is this guy? • Reformed programmer and AppSec engineer • 13+ years in the OWASP community • OWASP AppSec Pipeline Leader • OWASP Defect Dojo Maintainer • OWASP WTE Leader • Former Global Board Member, employee • 20+ years using FLOSS and Linux • Currently a Golang fanboy • Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt)
OWASP FOUNDATION ● Ops guy at heart, manager who wants to remain reasonably technical ;-) ● Crossed the french Alps by foot (autonomous - Leman lake to Mediterranean sea) ● Product Security leader ● DefectDojo core moderator ← Fred Lac miroir →
OWASP FOUNDATION This is how I feel when I log into the Nth security tool web console... And when I have to combine multiple tool’s output for reporting
OWASP FOUNDATION 90% of Enterprise Vulnerability programs
OWASP FOUNDATION But WHY!
OWASP FOUNDATION OWASP DefectDojo An open-source application vulnerability correlation and security orchestration tool. The source of truth for a security program that makes vulnerability management work by • Consolidating and deduplicating findings from multiple tools • Create findings and reconcile status with defect trackers (e.g. JIRA) • Enabling automation with its REST API • Maintain products and applications information
OWASP FOUNDATION Use cases - ingest all the things Ad-hoc / manual • Ad-hoc tools report upload, centralize • Keep track of internal security assessments • Leverage for your 3rd party pentests • Track findings from your teams threat models Complianc’ish • Map and enforce your SLAs • Keep track of your risk acceptances CI ● Call DefectDojo directly from your CI pipelines ● Or from whatever abstraction/framework
OWASP FOUNDATION Tech stack + 2 =
OWASP FOUNDATION Features ‘Bullet list’ • Manages AppSec program • Application inventory + metadata • e.g., compliance, regulations • Metrics / dashboards / reporting • OWASP ASVS built in • Tagging on multiple levels • Historical knowledge of past assessments • Calendar of security activities • Export to Google Sheets • REST API / Swagger-ified • SSO (Okta, Google, SAML, ...) • Notifications to JIRA, slack, MS teams, email • Ingest reports from multiple tools And more...
OWASP FOUNDATION How many different tools do you use? • DAST tools • SAST tools • Composition analysis/3rd party library tools • Infrastructure tools • Cloud tools • Docker tools • ...
OWASP FOUNDATION How many of these can DefectDojo import? 100 and growing
OWASP FOUNDATION TM Automation where DefectDojo shines
OWASP FOUNDATION There’s never enough people or time... • AppSec teams size is small vs Dev teams size • Automate all the things that don’t take a human brain • DefectDojo (and its REST API) is the heart of AppSec automation
OWASP FOUNDATION
OWASP FOUNDATION First Gen AppSec Pipeline
OWASP FOUNDATION
OWASP FOUNDATION Demo: gasp-docker Golang 3nd Generation AppSec Pipeline (using docker)
OWASP FOUNDATION AppSec Pipeline Stats 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
OWASP FOUNDATION Automation Results 2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107%
OWASP FOUNDATION TM Deployment options
OWASP FOUNDATION docker-compose ● As easy as docker-compose pull && docker-compose up ● Can override the profiles for easy development ● Can also be used for some (semi) prod-like workloads ○ Still run the database somewhere dedicated ● Probably the most tested way of deploying ○ And all our tests run on docker
OWASP FOUNDATION Real world docker-compose • 1 EC2 instance t2.large (2 vCPUs, 8GB of RAM) • Database running on AWS RDS (MySQL) • DefectDojo app overall settings • uWSGI: 4 processes / 6 threads (24 concurrent connections per “django” pod) • Celery: prefork mode, custom prefetch multipliers with autoscaling. → Good for up to ~200K findings → Running full dedupe computation may likely kill you (celery workers will not cope need more CPU)
OWASP FOUNDATION kubernetes / helm - Packaged with Helm 3 - Run locally with minikube (or else, but we’ve done local minikube) - Can run with minimal changes on your favorite cloud provider - Do not yet support file uploads
OWASP FOUNDATION Real world k8s example • GKE cluster, 5 nodes (n1-standard-4) (also includes all ops related pods, not just defectdojo) • 3 “django” pods (uWSGI), 6 celery pods by default -> auto-scaling • Allows for HA and seamless rolling upgrades • if the django database migration do not take too long… • Database running on Google’s Cloud SQL (Postgres) • 21GB in size - we had to disable audit mode for now :-( • DefectDojo app overall settings • uWSGI: 4 processes / 6 threads (24 concurrent connections per “django” pod) • Celery: prefork mode, custom prefetch multipliers with autoscaling. ~75 products ~in DB: 1.2M findings (half are dups), 150K findings ingested per month / 5000 per day
OWASP FOUNDATION godojo (setup.bash was EOL’ed!) New stand-alone installer Features • Single binary installer • 160+ configurable options with sane defaults (yaml) • All options can be overridden with ENV vars • Non-interactive (optional) • Multiple logging levels • Install a release, a specific commit, or branch
OWASP FOUNDATION TM Recent improvements and next up
OWASP FOUNDATION Recent improvements - Refactoring - Parser code - JIRA handling code - Tests - Way more unit and integration tests FTW - Release governance - Re-import (also refactored) - Now keep tracks of delta in-band - Dedupe algorythm now matching the regular import one - Findings grouping to push as one to JIRA - Performance improvements - Many more: Over 120 PRs merged every month!
OWASP FOUNDATION Up next ● Coming soon: new authorization model (kudos to StefanFI!) ○ Right now behind feature flag, testing welcome! ○ Should be the default authorization model coming in autumn/winter. ● APIv1 or APIv2? ○ v1 has been EOL’ed (end of 2020) ○ v2 set to get more love, better swagger ● GSoC ○ First attempts to build something with ReactJS ● Helm chart published with every release starting with 1.15.0 $ helm search repo defectdojo NAME CHART VERSION APP VERSION DESCRIPTION helm-charts/defectdojo 1.5.1 1.14.0-dev A Helm chart for Kubernetes to install DefectDojo
OWASP FOUNDATION Deduplication and jira groups
OWASP FOUNDATION TM Community
OWASP FOUNDATION The nucleus Aaron Weaver Greg Anderson Valentijn Scholten Jannik Jürgens Cody Maffucci Damien Carol
OWASP FOUNDATION An active project 2021 Google Summer of Code
OWASP FOUNDATION We got stars on ours
OWASP FOUNDATION How can you help? • Write some code (e.g. a parser) / submit a PR • Submit issues • Help with the documentation • Provide an example of scanner output • Write code / docs for a deployment method • Join the Slack channel and answer questions • Donate / Sponsor a feature enhancement
OWASP FOUNDATION Latest from contributors, not moderators! Only examples, for all contribs see the release notes or merged PRs ● Brand new authorization model - by StefanFI ● Performance improvements - by Daniel Naab ● GitHub Actions - Kubernetes/Helm related - dsever, bgoareguer ● New importers/parsers - SPoint42, jis0324, hasantayyar, bp4151, mohcer and quite a few others! ● API enhancements - RomainJufer, xens
OWASP FOUNDATION Try it yourself anytime Many things we have not talked about... https://demo.defectdojo.org Or clone and docker-compose up -d
OWASP FOUNDATION SCAN THE QR CODE TO COMPLETE THE SURVEY Rate this Session Thank You! TM OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc. Thank you See around on the OWASP Slack o/ Or https://forms.gle/b55Uget61YWXPV1y8
Ad

Recommended

OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
Ismaeel Enjreny
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
The Paved Road at Netflix
The Paved Road at NetflixThe Paved Road at Netflix
The Paved Road at Netflix
Dianne Marsh
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
What we talk about when we talk about DevOps
What we talk about when we talk about DevOpsWhat we talk about when we talk about DevOps
What we talk about when we talk about DevOps
Ricard Clau
 
Ad

More Related Content

What's hot (20)

DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
Ismaeel Enjreny
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
The Paved Road at Netflix
The Paved Road at NetflixThe Paved Road at Netflix
The Paved Road at Netflix
Dianne Marsh
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Fleet and elastic agent
Fleet and elastic agentFleet and elastic agent
Fleet and elastic agent
Ismaeel Enjreny
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
The Paved Road at Netflix
The Paved Road at NetflixThe Paved Road at Netflix
The Paved Road at Netflix
Dianne Marsh
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
Beau Bullock
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 

Similar to Intro to DefectDojo at OWASP Switzerland (20)

DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
What we talk about when we talk about DevOps
What we talk about when we talk about DevOpsWhat we talk about when we talk about DevOps
What we talk about when we talk about DevOps
Ricard Clau
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Stackato
StackatoStackato
Stackato
Jonas Brømsø
 
Stackato v6
Stackato v6Stackato v6
Stackato v6
Jonas Brømsø
 
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
Evolve The Adobe Digital Marketing Community
 
Dev Ops without the Ops
Dev Ops without the OpsDev Ops without the Ops
Dev Ops without the Ops
Konstantin Gredeskoul
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
Django deployment with PaaS
Django deployment with PaaSDjango deployment with PaaS
Django deployment with PaaS
Appsembler
 
What DevOps Isn't
What DevOps Isn'tWhat DevOps Isn't
What DevOps Isn't
Frank Lamantia
 
Extending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with KubernetesExtending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with Kubernetes
Nicola Ferraro
 
DevOps tools for winning agility
DevOps tools for winning agilityDevOps tools for winning agility
DevOps tools for winning agility
Kellyn Pot'Vin-Gorman
 
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Edward Wilde
 
Public PaaS Throwdown!
Public PaaS Throwdown!Public PaaS Throwdown!
Public PaaS Throwdown!
Ronak Mallik
 
Practical PaaS presentation
Practical PaaS presentationPractical PaaS presentation
Practical PaaS presentation
hmalphettes
 
Cloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and BenefitsCloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and Benefits
Guillaume Berche
 
Stackato v5
Stackato v5Stackato v5
Stackato v5
Jonas Brømsø
 
Webdevcon Keynote hh-2012-09-18
Webdevcon Keynote hh-2012-09-18Webdevcon Keynote hh-2012-09-18
Webdevcon Keynote hh-2012-09-18
Pierre Joye
 
DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024DefectDojo at Global AppSec San Fran 2024
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
What we talk about when we talk about DevOps
What we talk about when we talk about DevOpsWhat we talk about when we talk about DevOps
What we talk about when we talk about DevOps
Ricard Clau
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Stackato
StackatoStackato
Stackato
Jonas Brømsø
 
Stackato v6
Stackato v6Stackato v6
Stackato v6
Jonas Brømsø
 
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
EVOLVE'16 | Keynote | Cat Reusswig | Taking Your AEM Implementation to The RO...
Evolve The Adobe Digital Marketing Community
 
Dev Ops without the Ops
Dev Ops without the OpsDev Ops without the Ops
Dev Ops without the Ops
Konstantin Gredeskoul
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
Django deployment with PaaS
Django deployment with PaaSDjango deployment with PaaS
Django deployment with PaaS
Appsembler
 
What DevOps Isn't
What DevOps Isn'tWhat DevOps Isn't
What DevOps Isn't
Frank Lamantia
 
Extending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with KubernetesExtending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with Kubernetes
Nicola Ferraro
 
DevOps tools for winning agility
DevOps tools for winning agilityDevOps tools for winning agility
DevOps tools for winning agility
Kellyn Pot'Vin-Gorman
 
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Docker and serverless Randstad Jan 2019: OpenFaaS Serverless: when functions ...
Edward Wilde
 
Public PaaS Throwdown!
Public PaaS Throwdown!Public PaaS Throwdown!
Public PaaS Throwdown!
Ronak Mallik
 
Practical PaaS presentation
Practical PaaS presentationPractical PaaS presentation
Practical PaaS presentation
hmalphettes
 
Cloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and BenefitsCloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and Benefits
Guillaume Berche
 
Stackato v5
Stackato v5Stackato v5
Stackato v5
Jonas Brømsø
 
Webdevcon Keynote hh-2012-09-18
Webdevcon Keynote hh-2012-09-18Webdevcon Keynote hh-2012-09-18
Webdevcon Keynote hh-2012-09-18
Pierre Joye
 
Ad

More from Matt Tesauro (20)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Ad

Recently uploaded (20)

Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 

Intro to DefectDojo at OWASP Switzerland

  • 1. OWASP FOUNDATION TM Matt Tesauro @matt_tesauro Fred Blaise @FredBlaise (madchap) introduced to you by
  • 2. OWASP FOUNDATION Matt - Who is this guy? • Reformed programmer and AppSec engineer • 13+ years in the OWASP community • OWASP AppSec Pipeline Leader • OWASP Defect Dojo Maintainer • OWASP WTE Leader • Former Global Board Member, employee • 20+ years using FLOSS and Linux • Currently a Golang fanboy • Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt)
  • 3. OWASP FOUNDATION ● Ops guy at heart, manager who wants to remain reasonably technical ;-) ● Crossed the french Alps by foot (autonomous - Leman lake to Mediterranean sea) ● Product Security leader ● DefectDojo core moderator ← Fred Lac miroir →
  • 4. OWASP FOUNDATION This is how I feel when I log into the Nth security tool web console... And when I have to combine multiple tool’s output for reporting
  • 5. OWASP FOUNDATION 90% of Enterprise Vulnerability programs
  • 7. OWASP FOUNDATION OWASP DefectDojo An open-source application vulnerability correlation and security orchestration tool. The source of truth for a security program that makes vulnerability management work by • Consolidating and deduplicating findings from multiple tools • Create findings and reconcile status with defect trackers (e.g. JIRA) • Enabling automation with its REST API • Maintain products and applications information
  • 8. OWASP FOUNDATION Use cases - ingest all the things Ad-hoc / manual • Ad-hoc tools report upload, centralize • Keep track of internal security assessments • Leverage for your 3rd party pentests • Track findings from your teams threat models Complianc’ish • Map and enforce your SLAs • Keep track of your risk acceptances CI ● Call DefectDojo directly from your CI pipelines ● Or from whatever abstraction/framework
  • 10. OWASP FOUNDATION Features ‘Bullet list’ • Manages AppSec program • Application inventory + metadata • e.g., compliance, regulations • Metrics / dashboards / reporting • OWASP ASVS built in • Tagging on multiple levels • Historical knowledge of past assessments • Calendar of security activities • Export to Google Sheets • REST API / Swagger-ified • SSO (Okta, Google, SAML, ...) • Notifications to JIRA, slack, MS teams, email • Ingest reports from multiple tools And more...
  • 11. OWASP FOUNDATION How many different tools do you use? • DAST tools • SAST tools • Composition analysis/3rd party library tools • Infrastructure tools • Cloud tools • Docker tools • ...
  • 12. OWASP FOUNDATION How many of these can DefectDojo import? 100 and growing
  • 14. OWASP FOUNDATION There’s never enough people or time... • AppSec teams size is small vs Dev teams size • Automate all the things that don’t take a human brain • DefectDojo (and its REST API) is the heart of AppSec automation
  • 16. OWASP FOUNDATION First Gen AppSec Pipeline
  • 18. OWASP FOUNDATION Demo: gasp-docker Golang 3nd Generation AppSec Pipeline (using docker)
  • 19. OWASP FOUNDATION AppSec Pipeline Stats 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
  • 20. OWASP FOUNDATION Automation Results 2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107%
  • 22. OWASP FOUNDATION docker-compose ● As easy as docker-compose pull && docker-compose up ● Can override the profiles for easy development ● Can also be used for some (semi) prod-like workloads ○ Still run the database somewhere dedicated ● Probably the most tested way of deploying ○ And all our tests run on docker
  • 23. OWASP FOUNDATION Real world docker-compose • 1 EC2 instance t2.large (2 vCPUs, 8GB of RAM) • Database running on AWS RDS (MySQL) • DefectDojo app overall settings • uWSGI: 4 processes / 6 threads (24 concurrent connections per “django” pod) • Celery: prefork mode, custom prefetch multipliers with autoscaling. → Good for up to ~200K findings → Running full dedupe computation may likely kill you (celery workers will not cope need more CPU)
  • 24. OWASP FOUNDATION kubernetes / helm - Packaged with Helm 3 - Run locally with minikube (or else, but we’ve done local minikube) - Can run with minimal changes on your favorite cloud provider - Do not yet support file uploads
  • 25. OWASP FOUNDATION Real world k8s example • GKE cluster, 5 nodes (n1-standard-4) (also includes all ops related pods, not just defectdojo) • 3 “django” pods (uWSGI), 6 celery pods by default -> auto-scaling • Allows for HA and seamless rolling upgrades • if the django database migration do not take too long… • Database running on Google’s Cloud SQL (Postgres) • 21GB in size - we had to disable audit mode for now :-( • DefectDojo app overall settings • uWSGI: 4 processes / 6 threads (24 concurrent connections per “django” pod) • Celery: prefork mode, custom prefetch multipliers with autoscaling. ~75 products ~in DB: 1.2M findings (half are dups), 150K findings ingested per month / 5000 per day
  • 26. OWASP FOUNDATION godojo (setup.bash was EOL’ed!) New stand-alone installer Features • Single binary installer • 160+ configurable options with sane defaults (yaml) • All options can be overridden with ENV vars • Non-interactive (optional) • Multiple logging levels • Install a release, a specific commit, or branch
  • 28. OWASP FOUNDATION Recent improvements - Refactoring - Parser code - JIRA handling code - Tests - Way more unit and integration tests FTW - Release governance - Re-import (also refactored) - Now keep tracks of delta in-band - Dedupe algorythm now matching the regular import one - Findings grouping to push as one to JIRA - Performance improvements - Many more: Over 120 PRs merged every month!
  • 29. OWASP FOUNDATION Up next ● Coming soon: new authorization model (kudos to StefanFI!) ○ Right now behind feature flag, testing welcome! ○ Should be the default authorization model coming in autumn/winter. ● APIv1 or APIv2? ○ v1 has been EOL’ed (end of 2020) ○ v2 set to get more love, better swagger ● GSoC ○ First attempts to build something with ReactJS ● Helm chart published with every release starting with 1.15.0 $ helm search repo defectdojo NAME CHART VERSION APP VERSION DESCRIPTION helm-charts/defectdojo 1.5.1 1.14.0-dev A Helm chart for Kubernetes to install DefectDojo
  • 32. OWASP FOUNDATION The nucleus Aaron Weaver Greg Anderson Valentijn Scholten Jannik Jürgens Cody Maffucci Damien Carol
  • 34. OWASP FOUNDATION We got stars on ours
  • 35. OWASP FOUNDATION How can you help? • Write some code (e.g. a parser) / submit a PR • Submit issues • Help with the documentation • Provide an example of scanner output • Write code / docs for a deployment method • Join the Slack channel and answer questions • Donate / Sponsor a feature enhancement
  • 36. OWASP FOUNDATION Latest from contributors, not moderators! Only examples, for all contribs see the release notes or merged PRs ● Brand new authorization model - by StefanFI ● Performance improvements - by Daniel Naab ● GitHub Actions - Kubernetes/Helm related - dsever, bgoareguer ● New importers/parsers - SPoint42, jis0324, hasantayyar, bp4151, mohcer and quite a few others! ● API enhancements - RomainJufer, xens
  • 37. OWASP FOUNDATION Try it yourself anytime Many things we have not talked about... https://demo.defectdojo.org Or clone and docker-compose up -d
  • 38. OWASP FOUNDATION SCAN THE QR CODE TO COMPLETE THE SURVEY Rate this Session Thank You! TM OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc. Thank you See around on the OWASP Slack o/ Or https://forms.gle/b55Uget61YWXPV1y8