CIO Influence
CIO Interview with Greg Anderson, CEO and founder at DefectDojo

Greg Anderson, CEO and founder at DefectDojo, talks about the benefits of a Unified Command Center for IT and compliance teams, the future of SaaS security and more…

Hi Greg, tell us about yourself and about DefectDojo. What inspired the platform, and how has it evolved over the years?

The idea for what would become DefectDojo came in 2013. At the time, I was interning for Matt Tesauro (our now-CTO) and was frustrated with the state of application security (AppSec) at the time, especially how hard it was to have everything together in one place. I told him, “If you give me the chance, I could write a tool to fix all of this.”

I had only one professional programming project under my belt at the time, but I went ahead and created what we now know as DefectDojo. I intentionally went the open-source route, knowing that I wasn’t the only one with these kinds of frustrations. 11 years later, we have a robust community on GitHub alongside our Pro version.

Take us through your recent funding and the challenges / ups faced when procuring it?

I pitched DefectDojo for close to 5 years to VCs to show the need for scalable security and how we could become the go-to platform, and I think I’m likely in the running for most rejections for a single pitch. However, I was determined to make DefectDojo a success, so with only four employees, we launched our first commercial version. Within two months, we’d booked $715K – enough seed money to double in size.

Recently, we pursued funding because we wanted to meet the demand for our Pro version and expand its features and capabilities — and continue to invest in our open-source community. Without them, we wouldn’t be here in the first place. Our institutional investors, Iolar Ventures and Aspenwood Ventures, are both aligned with our vision to pursue both paths, and we’re grateful to have them on board.

How can a Unified Command Center like what DefectDojo offers enable better processes with distributed IT and compliance teams?

A security team typically uses a number of different tools and platforms to oversee the entire program – some of which overlap or don’t have automation capabilities – making it hard to track vulnerabilities across the entire lifecycle (since different stages have different tools). DefectDojo is an Application Security Posture Management (ASPM) platform that corrals data from all the tools being used onto one platform, helps automate tasks, tracks vulnerabilities, and uses machine learning (ML) to automatically consolidate duplicates, eliminate false positives, and identify vulnerability trends. We have integrations with 180+ security tools to help connect them to DefectDojo and therefore have every tool’s data in the same place.

These capabilities are particularly useful for distributed IT teams because it means that everyone, no matter where they are, is working from the same single source of truth. In addition, the unified command center approach means that it’s easier for these teams to further scale their operations to address new security threats as they develop – while still keeping everyone on the same page.

What are some of today’s top security concerns and threats that plague the minds of IT heads?

It is more difficult than ever to keep a company secure. Software tends to age like milk instead of wine, so heads of IT are contending with a rapidly-increasing number of vulnerabilities. It’s overwhelming, and without a command center to aggregate all of their security tools, the job of prioritizing, acting, and ultimately keeping their company secure is near impossible. The data is clear: most breaches occur from known vulnerabilities. These gaps in coverage are keeping IT heads up at night. You can’t fix what you can’t see, and IT heads can’t see without scaling their security program to the entire company.

What are some top-of-mind challenges, and which tools can help teams address them?

In terms of solutions, I already mentioned ASPM earlier, since DefectDojo is the only open source ASPM platform out there. ASPM is growing in popularity because every organization needs a way to unify their disparate security data onto a singular platform. To illustrate how important this is, Gartner projects that 40% of organizations will adopt ASPM solutions or approaches by 2026. While it does require adding another layer onto your AppSec approach, it unlocks true DevSecOps capabilities – meaning developers, security/IT, and operations can easily collaborate to integrate security testing into every step of software development.

I also want to underscore the importance of open-source communities like the one we’ve built at DefectDojo over the years. The developers in our community have unique perspectives in finding different pain points and vulnerabilities among the many security tools and platforms in use today. Their collective wisdom and contributions have pushed the platform to new heights. We wouldn’t be here without them.

According to one survey from IDC, almost 78% of surveyed companies experienced a security breach of some kind in 2022. While professionals are constantly developing solutions to counter the latest tools from bad actors, those same bad actors are hard at work finding new exploits and developing the next generation of attack methods, resulting in a series of moves and countermoves. Communities like DefectDojo’s allow experts from around the world to work together, share insights, and pool resources to develop better tools to defend against these different threats. We’re continually updating the DefectDojo platform with the latest security measures, and that is driven in large part by the open-source community.

A few thoughts on the future of security for digital first organizations and the top trends that will influence this space?

The challenge is more difficult than ever, and unfortunately, I don’t think we’re going to see a silver bullet solution to the challenges of securing an enterprise. Many are hopefully looking to generative AI to outright solve security, but I don’t believe we’re going to see that come to fruition. We have a ton of data, possibly more security data than anyone else, and from what we’ve seen, large models struggle with accurately identifying security risks. We think this is because the nature of security data is so non-uniform / disparate. To give one concrete example, detecting and mitigating cross-site scripting is fundamentally different from blind SQL Injection, even though both types of vulnerabilities are injection based.

What we have seen work well, and what we’ve implemented with DefectDojo, is machine learning algorithms that transform on a per-customer basis. This also has the added advantage of not shipping sensitive data to a third party like OpenAI for processing. Essentially, we’re observing how security professionals tune the results of their tools and then using that human input to modify all the applicable scans going forward. Once the results are enhanced, a human never has to do that work a second time, which we think will continue to give the industry the best of both worlds.
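As an added example (not DefectDojo's own code), a minimal version of the mechanism described above: findings from different scanners are keyed by a tool-agnostic fingerprint so duplicates collapse, and an analyst's one-time disposition is reapplied automatically to every later scan that reports the same finding. The Finding fields, the fingerprint recipe and the sample scans are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that reported it
    title: str       # tool-specific wording, deliberately not part of the key
    cwe: int
    file_path: str
    line: int

def fingerprint(f: Finding) -> str:
    # Tool-agnostic identity: same CWE at the same location collapses to one key,
    # even though each scanner words its title differently (assumed recipe).
    key = f"{f.cwe}|{f.file_path}|{f.line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

class FindingStore:
    def __init__(self) -> None:
        self.seen = {}           # fingerprint -> first Finding tracked
        self.dispositions = {}   # fingerprint -> "false_positive", "accepted_risk", ...

    def record_triage(self, f: Finding, disposition: str) -> None:
        # One human decision, keyed by fingerprint, is reused on every later scan.
        self.dispositions[fingerprint(f)] = disposition

    def import_scan(self, findings: list) -> dict:
        counts = {"new": 0, "existing": 0, "auto_closed": 0}
        for f in findings:
            fp = fingerprint(f)
            if fp in self.dispositions:
                counts["auto_closed"] += 1   # analyst already ruled on this one
            elif fp in self.seen:
                counts["existing"] += 1      # duplicate of a tracked finding
            else:
                self.seen[fp] = f
                counts["new"] += 1
        return counts

def demo() -> tuple:
    # Constructed sample scans, not real tool output.
    sqli_a = Finding("semgrep", "SQL injection via f-string", 89, "app/db.py", 42)
    sqli_b = Finding("bandit", "B608 hardcoded SQL expression", 89, "app/db.py", 42)
    xss = Finding("semgrep", "Reflected XSS", 79, "app/views.py", 10)
    store = FindingStore()
    first = store.import_scan([sqli_a, sqli_b, xss])    # two tools, one SQLi
    store.record_triage(xss, "false_positive")          # analyst tunes once
    later = Finding("semgrep", "Path traversal", 22, "app/files.py", 7)
    second = store.import_scan([sqli_a, sqli_b, xss, later])
    return first, second
```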

Greg Anderson is the founder, creator, and CEO of DefectDojo. His mission is to prevent breaches by making visibility and scalability a reality for all in security.

Greg is a seasoned security practitioner and an active participant in the global community, having served as a member of the Board of Directors for the OWASP Foundation, performed assessments for the United States Department of Defense (Pentagon), and presented research on compromising CI/CD pipelines at DEFCON. Greg has also presented at AppSec USA and AppSec EU.

Greg started his career as a penetration tester with a focus on unconventional attack vectors and how to maximize their impact before focusing on DefectDojo.

DefectDojo is the engine that drives DevSecOps, providing an open, scalable platform that connects security strategy to execution. By aggregating data from over 180 security tools, automating manual processes, and delivering AI-powered insights, DefectDojo empowers organizations to have a unified view of security posture and compliance, automate operations to increase productivity and improve decision-making.
