What is DefectDojo?

In this to the mat edition of the Exploring Information Security podcast, Greg Anderson joins me to discuss the OWASP project DefectDojo.

Greg (@_GRRegg) is one of three project leads for the OWASP project DefectDojo. The project is an appsec automation and vulnerability management tool. This is something I wish was around when I first started managing vulnerabilities for the development team. It has got a lot of great features including metrics, integration with JIRA, automatic ticket creation, vulnerability de-duping, and of course it allows appsec teams to manage vulnerabilities in development. A demo site is available. It's open-source (as all OWASP projects are). I would recommend anyone having to manage vulnerabilities check this project out.

In this episode we discuss:

  • What is DefectDojo?
  • Why create the project?
  • Why the name?
  • Who should use the tool
  • How to effectively use the tool

How to find vulnerabilites

In this susceptible edition of the Exploring Information Security podcast, Samy Kamkar joins me to discuss how to find vulnerabilities.

Samy (@samykamkar) shouldn't need too much of an introduction to most people. He's been in the news for hacking garage doors, credit cards, cars, and much much more. Samy likes to hack things and has a knack for finding vulnerabilities in everything from locked machines to wireless doorbells. His site has the full list of vulnerabilities as well as videos and press appearances. Which made him the perfect guess for talking about how to find vulnerabilities.

In this episode we discuss:

  • What got him started in looking for vulnerabilities
  • What is a vulnerability
  • What skills are necessary for finding vulnerabilities
  • How he decides his next project
  • The steps to finding vulnerabilities
  • What he does when he discovers a vulnerability
  • How long the process takes