Vulnerability management with DefectDojo (38c3)

Defect Dojo is an open source tool for vulnerability management. I will give an introduction into vulnerability management and show how that is implemented with defect dojo Vulnerability management is a try to integrate finding, managing and mitigating of vulnerabilities in code into your workflow. It usually starts with some tools to find vulnerabilities in different areas - let it be with image scanning like Trivy and Clair, classical vuln scanning like Nessus, Static code analysis like Sonar or dependency management with the OWASP dependency tracker. Defect Dojo takes all those reports, dedublicates findings, manages the handling of false positives and gives a Product Owner a tool to the hand how to move that on into your development tracking software like Jira or else. I will show how all of that works and what advantages this have. Also some insight how its used in a medium size critical infrastructure company. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/vulnerability-management-with-defectdojo/