04 - Vulnerability Management

Vulnerability Management and Remediation
by TWN
No part of this publication may be reproduced, copied, transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of nnSoftware GmbH

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and Cloud industry, and it stands for quality trainings that have helped thousands of engineers acquire the most in-demand skills in this field.

Our mission is to enable individual engineers as well as companies to take advantage of recent developments in the Cloud and DevOps fields, and to use these technologies and concepts to create efficient, automated, streamlined DevSecOps processes in organisations.



Vulnerability Management Tool

Why and what they are able to do

- One central place: centrally manage the vulnerability findings of different tools
- UI instead of logs in the CI tool
- Enriches and refines vulnerability data
- Triage vulnerabilities and push findings to other systems



How it works

One open source vulnerability management tool is DefectDojo.

1. Configure each security tool to generate a security findings report file
   a. Produce files in a format that the visualization tool can consume
2. Run DefectDojo
3. Feed the report files to DefectDojo by importing them



Generate Scan Report Files
Producing Scan Reports in GitLab CI

Jobs can output files and directories. Job artifacts can be downloaded by using the GitLab UI or the API. We can use the “job artifact” concept to export and save scan report files.

Example for GitLeaks Job

- Add parameters to tell the GitLeaks tool to save its output in a gitleaks.json file
- Add an “artifacts” block and indicate that we always want to produce that file, no matter whether the job succeeds or fails



Generate Scan Report Files

The report artifact is now available for download.

Time to import it into DefectDojo.



Introduction to DefectDojo

- Serves as an aggregator and provides a unified and streamlined view for security tools
- Smart features to enhance and tune the results (merge findings, remember false positives, distill duplicates)
- Bidirectional integration with Jira, notifications, Google Sheets synchronization etc.
- Supports many different tools
- Push findings to other tools



Introduction to DefectDojo

Product:Engagement model

Enables traceability among multiple projects / test cycles and allows for fine-grained reporting

DefectDojo Structure

Working in DefectDojo starts with a Product Type
- Each Product Type can have one or more Products
- Each Product can have one or more Engagements
- Each Engagement can have one or more Tests
- Each Test can have one or more Findings



Import Findings in DefectDojo

2 Types of Engagements

Interactive Engagement:
Findings are uploaded by the engineer via the UI

CI/CD Engagement:
For automated integration with a CI/CD pipeline



Analyze Findings

- Severity information
- Description
- Exact code snippet that contains the vulnerability



Analyze Findings: CWE Information

CWE = Common Weakness Enumeration

- Community-developed list of common software and hardware weakness types
- More detailed description of the issue compared to OWASP: what causes it and how it can be fixed
- Expresses the vulnerability as a numeric identifier



Upload Findings Automatically
Automatically upload findings to DefectDojo

DevOps is all about automation.

We don’t want to manually upload report files; the pipeline may run multiple times per day. It’s essential to configure the integration with DefectDojo so that scans are uploaded automatically.

For that, we can use Python or any other programming language.



Automatically upload findings to DefectDojo

1 - Authentication

We need an API key to authenticate to DefectDojo and access its API. The key needs to be sent with every HTTP request.



Automatically upload findings to DefectDojo

2 - Write Python Script

- Use the requests library to send the HTTP request
- Check the necessary values (engagement id, scan type, endpoint) in the DefectDojo UI or documentation
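An upload script of the kind the slide describes, added here as an example (it is not the course's own script). It assumes the DefectDojo URL and API key arrive through the DD_URL and DD_API_KEY environment variables; the endpoint path, the Token header and the form field names are DefectDojo's API v2.

```python
"""Send a scan report to DefectDojo's import-scan endpoint from a CI job."""
import os
import sys

# Assumptions, not from the course material: DefectDojo base URL comes from the
# DD_URL environment variable and the API key from DD_API_KEY (both set as masked
# CI variables). Endpoint path, header format and form fields are DefectDojo API v2.
DD_URL = os.environ.get("DD_URL", "http://localhost:8080")
VALID_SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


def auth_headers(api_key: str) -> dict:
    """DefectDojo authenticates API calls with an 'Authorization: Token <key>' header."""
    if not api_key:
        raise ValueError("empty DefectDojo API key; check the DD_API_KEY variable")
    return {"Authorization": f"Token {api_key}"}


def build_import_request(engagement_id: int, scan_type: str,
                         minimum_severity: str = "Low") -> tuple:
    """Return (url, form fields) for POST /api/v2/import-scan/; the report file is
    attached separately so this helper stays side-effect free and testable."""
    if minimum_severity not in VALID_SEVERITIES:
        raise ValueError(f"minimum_severity must be one of {VALID_SEVERITIES}")
    url = DD_URL.rstrip("/") + "/api/v2/import-scan/"
    fields = {
        "engagement": str(engagement_id),    # numeric id of the CI/CD engagement
        "scan_type": scan_type,              # parser name, e.g. "Gitleaks Scan"
        "minimum_severity": minimum_severity,
        "active": "true",                    # imported findings are open
        "verified": "false",                 # a human still has to triage them
        "close_old_findings": "true",        # findings missing from this run are closed
    }
    return url, fields


def upload_report(api_key: str, engagement_id: int, scan_type: str, report_path: str) -> dict:
    """Upload one report file; raises on any non-2xx reply so the CI job fails visibly."""
    import requests  # imported here so the helpers above work without the dependency
    url, fields = build_import_request(engagement_id, scan_type)
    with open(report_path, "rb") as fh:
        resp = requests.post(url, headers=auth_headers(api_key), data=fields,
                             files={"file": (os.path.basename(report_path), fh)},
                             timeout=60)
    resp.raise_for_status()
    return resp.json()  # contains the id of the Test that DefectDojo created


if __name__ == "__main__":
    # Usage in CI: python upload_findings.py <engagement_id> "Gitleaks Scan" gitleaks.json
    engagement, scan_type, path = sys.argv[1], sys.argv[2], sys.argv[3]
    result = upload_report(os.environ["DD_API_KEY"], int(engagement), scan_type, path)
    print("imported into DefectDojo test id:", result.get("test"))
```

The API key never appears on the command line or in the job log; it is read from the environment, which is what a masked CI variable provides.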



Automatically upload findings to DefectDojo

3 - Add CI job to execute Python script

- Install the needed libraries in before_script
- Add a script block to execute the script
- Wait for the previous jobs to finish (”needs”) or introduce a new stage that only executes after the scanning jobs
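A .gitlab-ci.yml fragment covering both the GitLeaks report job from the "Generate Scan Report Files" slide and the upload job described here, added as an example rather than taken from the course. The job names, the stage names, the variable DD_ENGAGEMENT_ID and the script name upload_findings.py are assumptions.

```yaml
# Added example, not the course's own pipeline file.
# Assumed names: jobs "gitleaks" and "upload-findings", stages "scan" and "upload",
# CI/CD variables DD_API_KEY / DD_ENGAGEMENT_ID, and the script upload_findings.py.
stages:
  - scan
  - upload

gitleaks:
  stage: scan
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]          # the image's entrypoint is gitleaks itself; we run a shell
  script:
    # Tell GitLeaks to write its findings to gitleaks.json, not only to the job log
    - gitleaks detect --source . --report-format json --report-path gitleaks.json
  artifacts:
    when: always              # keep the report even when the job fails on findings
    paths:
      - gitleaks.json
    expire_in: 1 week

upload-findings:
  stage: upload
  image: python:3.11
  needs: ["gitleaks"]         # waits for the scan and downloads its artifact
  before_script:
    - pip install requests    # library used by the upload script
  script:
    # DD_API_KEY is read by the script from the environment (masked CI variable)
    - python upload_findings.py "$DD_ENGAGEMENT_ID" "Gitleaks Scan" gitleaks.json
```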



Wrap Up



Remediation Examples
Broken or Weak Algorithm

Found vulnerable code

Fixed code

Over time, new vulnerabilities and weaknesses can be discovered, making algorithms that were previously considered secure insecure.

That is why continuous, automated security scans are so important.


SQL Injection

Found vulnerable code

Fixed code

Use a placeholder instead of a variable.

The placeholder ensures user input is treated as data, not as executable code. It’s a key element in preventing SQL injection.
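The "found vulnerable code / fixed code" pair from the slide, written out as an added example in Python (not code from the course) against a constructed in-memory SQLite table, so the effect of the placeholder can be observed directly.

```python
"""Vulnerable vs fixed query, mirroring the 'found / fixed' pair on the slide."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Found vulnerable code: the variable is pasted straight into the SQL text,
    # so whatever the caller sends becomes part of the statement.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Fixed code: a ? placeholder; the driver binds the value as data, never as SQL.
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same in both versions ...
    print(find_user_vulnerable(db, "alice"), find_user_fixed(db, "alice"))
    # ... but an input containing quotes and SQL changes the statement only in the first.
    odd_input = "x' OR '1'='1"
    print(find_user_vulnerable(db, odd_input))  # every row: the WHERE clause was rewritten
    print(find_user_fixed(db, odd_input))       # no row: no user has that literal name
```

A scanner flags the first function because the query string is built from a variable; the second form is what the fix on the slide looks like in practice.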
