Making Vulnerability Management Less Painful with OWASP DefectDojo – AppSecUSA 2017

DefectDojo 的结构

Making Vulnerability Management Less Painful with OWASP DefectDojo – AppSecUSA 2017
视频 18:00 左右 开始进行 Live Demo

DefectDojo
    > Products (Asset)
        > Engagement
            > Test (Scan Task)

如何衡量应用安全 (Application Security) 团队的价值

Better Metrics Dashboard

Something that I want to add at some point is the ability to take the infomation that’s in IDS/IPS/WAF to figure out like what type of attacks were seen and then compare it to our vulnerability data and see if we’ve ever been vulnerable. Because then it’s reasonable to assume that exploit might have been sussessful. (and then) If we can price that infomation that would have been lost then we can actually put a value on the appsec team and what they are producing
. (because) I think the other problem security faces from a budget perspective is that unless you are a revenue generating team, you are kind of always going to be second to whoever is revenue generating, but as we all know security needs to be a first priority for a company.

将 IDS/IPS/WAF 等设备发现的潜在攻击行为的告警，与内部发现的漏洞做对比，如果命中，说明攻击者的攻击行为可能成功(在没有安全团队的情况下)。这些命中的漏洞所对的IT系统的资产价值，即是安全团队创造的价值。

演示环境

演示站 (项目组 测试环境)
https://defectdojo.herokuapp.com/
演示账号
admin / defectdojo@demo#appsec
product_manager / defectdojo@demo#product

支持的数据类型

DefectDojo accepts:

Arachni Scanner - Arachni JSON report format.
AppSpider (Rapid7) - Use the VulnerabilitiesSummary.xml file found in the zipped report download.
Bandit - JSON report format
Burp XML - When the Burp report is generated, the recommended option is Base64 encoding both the request and response fields. These fields will be processed and made available in the 'Finding View' page.
Contrast Scanner - CSV Report
Checkmarx Detailed XML Report
Dependency Check - OWASP Dependency Check output can be imported in Xml format.
Generic Findings Import - Import Generic findings in CSV format.
Gosec Scanner - Import Gosec Scanner findings in JSON format.
Nessus (Tenable) - Reports can be imported in the CSV, and .nessus (XML) report formats.
Nexpose XML 2.0 (Rapid7) - Use the full XML export template from Nexpose.
Nikto - XML output
Nmap - XML output (use -oX)
Node Security Platform - Node Security Platform (NSP) output file can be imported in JSON format.
OpenVAS CSV - Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.
Qualys - Qualys output files can be imported in XML format.
Qualys WebScan - Qualys WebScan output files can be imported in XML format.
Retire.js - Retire.js JavaScript scan (--js) output file can be imported in JSON format.
SKF Scan - Output of SKF Sprint summary export.
Snyk - Snyk output file (snyk test --json > snyk.json) can be imported in JSON format.
SSL Labs - JSON Output of ssllabs-scan cli.
Trufflehog - JSON Output of Trufflehog.
Trustwave - CSV output of Trustwave vulnerability scan.
Visual Code Grepper (VCG) - VCG output can be imported in CSV or Xml formats.
Veracode Detailed XML Report
Zed Attack Proxy - ZAP XML report format.

亮点

1 支持多源数据导入，包括 Burpsuite, OWASP ZAP, Nessus, Nexpose 等
2 与 JIRA 进行整合 (JIRA Integration)
3 提供 API 可将 UI 的操作自动化

参考资料

Making Vulnerability Management Less Painful with OWASP DefectDojo – AppSecUSA 2017
https://www.youtube.com/watch?v=7FX0vZ245-I
Greg Anderson
Senior Security Engineer, Pearson
greg.anderson###owasp.org

Vulnerability Management Isn’t Simple … (or, How to Make Your VM Program Great)
https://www.youtube.com/watch?v=67Mz_pjlPSk

Vulnerability Management 101 – Best Practices for Success [Complete Webinar]
https://www.youtube.com/watch?v=iYsrJLihZ-c

汉化版
https://github.com/xsseng/DefectDojo-cn

开源漏洞管理工具DefectDojo（一）使用指南：安装配置
http://www.freebuf.com/sectool/151611.html

开源漏洞管理工具DefectDojo（二）使用指南：基本使用
http://www.freebuf.com/sectool/152409.html

DefectDojo：安全程序和漏洞管理工具
http://www.mottoin.com/tools/94864.html

• #Blue Team
• #企业安全
• #企业安全建设