Vulnerability Management in DevSecOps using DefectDojo

Introduction

DevSecOps stands for Development, Security, and Operations. It is a practice where security is seamlessly integrated into CI /CD pipelines. The goal is to consider the application and infrastructure security and automate security gates to keep the DevOps workflow from slowing down. Such security gates can be categorized in multiple stages, such as:

  1. SAST (Static Application Security Testing)
  2. DAST (Dynamic Application Security Testing)
  3. SCA (Software Composition Analysis )
  4. Container Security
  5. IaC scanning (Infrastructure as a code )

This image shows high-level DevSecOps

To execute these stages, we need tools such as Checkmarx, Appspider, Twistlock, etc. These tools generate output in different formats, and managing such output can be very overwhelming. Also, pushing them into defect management tools such as JIRA or QC can be very cumbersome. Security assessment tools primarily provide JIRA integration, but there is a risk of creating too many JIRA issues as these tools create defects in huge numbers.

OWASP DefectDojo can be very helpful in this scenario. Defectdojo is an open-source project developed in python Django and maintained by,

  • Greg Anderson
  • Aaron Weaver
  • Matt Tesauro

Defectdojo can import 20+ tools reports and supports JIRA and Slack integration. So this tool can be integrated into CI /CD pipelines for defect management. Now let us see how to set up defectdojo and use it in CI / CD pipelines.

Terminologies of DefectDojo

Now let us look at some DefectDojo terminologies before using it.

  1. Product Type – Product Type is the topmost component in the hierarchy. Product type can be the name of the Team or Business Division.
  2. Product – Product is the name of any program or Product under testing.
  3. Engagements – Engagements are moments in time when testing is taking place. They are associated with a name for easy reference, a timeline, a lead (the user account of the main person conducting the testing), a test strategy, and a status. Engagement consists of two types: Interactive and CI/CD.
    • Interactive Engagement: An interactive engagement is typically conducted by an engineer, where the engineer usually uploads findings.
    • CI/CD Engagement: As its name suggests, a CI/CD engagement is for automated integration with a CI/CD pipeline.
  4. Tests -Tests are a grouping of activities conducted by engineers to attempt to discover flaws in a product. Tests are bundled within engagements, have a start and end date, and are defined by a test type.

    Examples:

    • Semgrep Scan: Semgrep is an open-source code scanner built for python to check issues such as SQL Injection, Hardcoded passwords, etc.
    • Dependency Scan: Dependency Checker is a tool that checks for the vulnerabilities in the third-party libraries present in the code

DefectDojo Setup

As described in the original code repository, you can install defectdojo as mentioned below. This will deploy defectdojo as a docker image.

1git clone https://github.com/DefectDojo/django-DefectDojo
2cd django-DefectDojo
3# building
4./dc-build.sh
5# running (for other profiles besides mysql-rabbitmq look at 
6./dc-up.sh mysql-rabbitmq
7
8# use docker-compose logs -f initializer to track progress
9docker-compose logs initializer | grep "Admin password:"

Configuration Of DefectDojo before Integration

After logging in, we need to configure defectdojo to make it ready for integration

  1. Create Product Type
    • After logging in, the application will land on the dashboard page. On the left side, we can see the menu bar. On the menu bar, navigate to Products -> All Product Types to create a product type.

This image shows Product Type Tab

This Image shows how to add product Type

  1. Defectdojo Jira Integration
    • On the menu bar, go to Configuration -> Jira to add Jira details.
      This image shows Jira configuration Setting

    This image shows how to add jiraThis image shows details to put in Jira configuration

  2. Add Product
    • Navigate to Product -> Add Product to create a product type. We can see that the JIRA instance that we added before is located in the dropdown.This image shows add product section of defectdojoThis image shows Jira attachment to the Product
  3. Add Engagement
    • After Creating Product, we will land on the product page. On the top middle, we can see the menu bar with Overview, Components, Metrics, Engagement, Findings, etc. options.
    • Go to engagements and click on Add new CI/CD engagement.

    This image shows how to add Engagement

    • Fill in the required details and move to the next step.

    This image shows details to put in the engagement section

  4. Add Tests
    • After filling in engagement details, we can see an option to Add Tests.This image shows how to add tests
    • Click on Add Tests and fill in the required details.
    • In the Test Type option, select the tool that is being used in the pipeline. For e.g. dependency Check

    This image shows what details to put in the tests section

Now we are ready to integrate defectdojo in CI / CD Pipeline.

Integrating DefectDojo into CI/CD Pipeline

Let us take one python vulnerable application and build a DevSecOps pipeline around it. We are going to use Semgrep and Dependency Check as SAST and SCA tools, respectively.

  1. Open Jenkins and create a new job as a freestyle project. In Source Code Management Section, integrate vulnerable repository.This image shows Jenkins source code integraton
  2. To run semgrep, select Execute shell in the build stage and put the following command.
1semgrep scan --config auto --json -o semgrep.json

This will run the semgrep scan and create the report “semgrep.json,” which we are going to upload to defectdojo.

  1. To upload a report in defectdojo, we are going to use the defectdojo API called reimportscan. Endpoint parameters can be found in defectdojo API docs. To integrate this API call in Jenkins, create another build step with Execute shell and put the following curl command.
1curl -X 'POST' \
2  'http://localhost:8080/api/v2/reimport-scan/' \
3  -H 'accept: application/json' \
4  -H 'Authorization: Token $defectdojo_token' \
5  -H 'Content-Type: multipart/form-data' \
6  -F 'test=2' \
7  -F '[email protected];type=application/json' \
8  -F 'scan_type=Semgrep JSON Report' \
9  -F 'tags=test' \

The required parameters are as follows:

  • test: ID of the test created under Engagement. (test_id can be found by clicking on created test)This image shows the test id parameter required for the API call
  • file: semgrep report file in JSON format.
  • scan_type: Tool name which is used to scan.
  • tags: Tags needed for identifying the upload.

    This image shows defectdojo API call in Jenkins

  1. Similarly, repeat the procedure for the dependency check and change the relevant parameter values in the curl command according to the dependency check.This image shows dependency check integration
  2. Click on Save and Build the Job.
  3. After each successful job, you can find defects uploaded in defectdojo and open in JIRA.

    This image shows defects in the defectdojo

    This image shows defect added in Jira through defectdojo

How can Payatu improve the DevSecOps process using an existing solution?

  • This tool can be integrated into any DevSecOps pipeline and with other CI / CD tools such as Bamboo.
  • Being open-source software, the functionality of this software can be extended for the tools not currently supported by defectdojo by writing custom parsers.
  • We can speed up the process of vulnerability management by opening defects into defect management software such as Jira.
  • Get instant updates on defect instances using the webhook facility.

Conclusion

  • Defectdojo is easy to build and deploy in any environment.
  • We successfully demonstrated the seamless integration of “Semgrep,” “Dependency Checker,” “DefectDojo,” and “Jira” representing SAST, SCA, and Defect management Stages respectively.
  • DefectDojo supports 20+ security tools.
  • DefectDojo can be integrated into any CI/CD pipeline due to available API support.

References

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by