DefectDojo has a variety of installation options.
Built by Application Security Engineers
DefectDojo is an open source OWASP project.
If you'd like to try DefectDojo before installing it, check out our demo.
- DefectDojo is available on GitHub and has a setup script for easy installation.
- A Docker container with a pre-built version of DefectDojo is available.
DefectDojo supports 22+ scanner formats.
DefectDojo has bi-directional Jira integration.
Manage your application security workflow by scheduling your engagements.
Track security tests and know exactly the state of your product security status.
CI/CD Automation and Tracking
Know exactly when new vulnerabilities are introduced in a build or remediated.
Recording when a product was assessed is straightforward: use DefectDojo's API to register the security tests that run on each build.
For every on-demand security test, DefectDojo can record the build id, commit hash, branch or tag, orchestration server, source code repository and build server.
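The per-build tagging described above, as an added example that is not DefectDojo's own code: a CI step that uploads a scanner report through the REST API with the build id, commit hash, branch and repository URL attached, and refuses to upload a report that carries no build context (a finding without a build id and commit cannot be tied to the build that introduced or fixed it). The endpoint `/api/v2/import-scan/`, token authentication and the multipart field names are assumptions based on DefectDojo's REST API v2; confirm them against the API documentation served by your own instance. The CI variable mapping and the sample report are constructed for the example.

```python
"""Upload a CI scan result to DefectDojo tagged with build metadata.

Added example, not DefectDojo's own code. Assumes POST /api/v2/import-scan/
with "Authorization: Token <key>" and the multipart fields scan_type,
engagement, file, build_id, commit_hash, branch_tag and
source_code_management_uri. Check these against /api/v2/doc/ on your instance.
"""
import json
import os
import urllib.request
import uuid

# Environment variables exported by common CI systems, tried in order.
# Constructed mapping (GitLab CI, Jenkins git plugin, GitHub Actions);
# GitHub Actions has no single repo-URL variable, so it is left to the caller.
CI_ENV = {
    "build_id": ("CI_PIPELINE_ID", "BUILD_NUMBER", "GITHUB_RUN_ID"),
    "commit_hash": ("CI_COMMIT_SHA", "GIT_COMMIT", "GITHUB_SHA"),
    "branch_tag": ("CI_COMMIT_REF_NAME", "GIT_BRANCH", "GITHUB_REF_NAME"),
    "source_code_management_uri": ("CI_PROJECT_URL", "GIT_URL"),
}


def build_metadata(env):
    """Collect build_id, commit_hash, ... from whichever CI system exported them."""
    meta = {}
    for field, names in CI_ENV.items():
        for name in names:
            if env.get(name):
                meta[field] = env[name]
                break
    return meta


def encode_multipart(fields, filename, content, boundary=None):
    """Minimal multipart/form-data encoder so the script needs only the stdlib."""
    boundary = boundary or uuid.uuid4().hex
    lines = []
    for key, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{key}"', "", str(value)]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="file"; filename="{filename}"',
              "Content-Type: application/octet-stream", ""]
    body = ("\r\n".join(lines).encode() + b"\r\n" + content
            + f"\r\n--{boundary}--\r\n".encode())
    return body, f"multipart/form-data; boundary={boundary}"


def import_scan(base_url, api_key, engagement_id, scan_type, report_name,
                report_bytes, env=None, dry_run=False):
    """Build (and unless dry_run, send) the import-scan request for one build.

    Returns the form fields in dry_run mode, otherwise the decoded JSON reply.
    Raises ValueError when the build cannot be identified, so an untagged
    scan never silently lands in the engagement.
    """
    env = os.environ if env is None else env
    fields = {"scan_type": scan_type, "engagement": engagement_id}
    fields.update(build_metadata(env))
    missing = [f for f in ("build_id", "commit_hash") if f not in fields]
    if missing:
        raise ValueError(f"refusing to import without build context: {missing}")
    body, ctype = encode_multipart(fields, report_name, report_bytes)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {api_key}", "Content-Type": ctype})
    if dry_run:
        return fields
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed GitLab-style environment and a constructed empty Bandit report.
    sample_env = {"CI_PIPELINE_ID": "4711", "CI_COMMIT_SHA": "0123abcd" * 5,
                  "CI_COMMIT_REF_NAME": "main",
                  "CI_PROJECT_URL": "https://gitlab.example.com/acme/app"}
    print(import_scan("https://dojo.example.com", "REPLACE_ME", 3, "Bandit Scan",
                      "bandit.json", b'{"results": []}', env=sample_env, dry_run=True))
```

In a real pipeline drop `dry_run`, read the API key from a CI secret rather than a variable in the job log, and keep the repository URL and commit hash in the request so DefectDojo can show which build introduced or remediated each finding.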
Vulnerability Management Features
Various reports are available for tests, engagements and products. Products can be grouped into critical products to track products that are critical to your organization.
Similar findings can be merged into one so that developers receive a single finding instead of several.
Remediation and finding description templates can be created per CWE so that remediation advice is consistent across all reported findings. Build and customize remediation advice based on your company's requirements.
Set remediation timeframes based on the criticality of your findings and see the number of days remaining to remediate.
Set thresholds for determining the grade of your product so that a scorecard of product health can be seen at a glance.
Track Vital Product Information
All text fields support markdown to allow customized detailed information on each product.
DefectDojo supports tracking source code language composition, technologies, regulations such as PCI and GDPR, criticality, lifecycle, origin, revenue, user records and platform to name a few.
Call To Action
Maintaining DefectDojo requires substantial time and effort. If you are interested in assisting with QA testing, documentation or fixing bugs, please review our GitHub page and issues to participate.
Additionally, as DefectDojo is an OWASP project, financial contributions can be made through OWASP, specifying the DefectDojo project.
Finally, corporations can sponsor code development and optionally have their logo on this page.
Track your product proactively using OWASP's ASVS (Application Security Verification Standard), which provides developers with a list of requirements for secure development.
Network resources are defined as endpoints, which can be tagged; each endpoint is automatically associated with the findings reported against it.
A new beta feature allows findings to be changed automatically based on criteria, for example marking a finding as verified based on its vulnerability type.
Credentials can be stored for each engagement, which makes retesting easy because the credentials a test was run with can be traced back to each finding.
Frequently Asked Questions
Where did DefectDojo originate?
DefectDojo originated at Rackspace and was later donated as open source to become the leading open source application defect manager.
Why build an application like this?
DefectDojo exists because there are not many applications like DefectDojo that assist in managing an application security program. DefectDojo is one of the only application vulnerability management applications that is still open source.
What is DefectDojo's relationship with OWASP?
DefectDojo is an OWASP project.
Who uses DefectDojo?
DefectDojo is used worldwide, from large Fortune 100 companies to small businesses.
Is hosting, custom integration and commercial support available for DefectDojo?
Yes, commercial support and integration are available for DefectDojo through 10Security.
Built by Application Security Engineers
Greg Anderson, Core Contributor
Aaron Weaver, Core Contributor
Matt Tesauro, Core Contributor
Past Core Contributors
Many thanks to Charles Neill and Jay Paz