DefectDojo: Interview With Founder & CEO Greg Anderson About The DevSecOps And Vulnerability Management Company

By Amit Chowdhry ● Feb 19, 2025

DefectDojo is a DevSecOps and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities, and push findings into third-party issue trackers. Consolidate your findings into one source of truth with DefectDojo. Pulse 2.0 interviewed DefectDojo founder and CEO Greg Anderson to learn more about the company.

Formation Of DefectDojo

How did the idea for the company come together? Anderson said:

“For me, these two questions are interconnected. About a decade ago, I was an intern for Matt Tesauro (now our CTO) and was frustrated with the state of application security (AppSec) as a whole, to the point where I told him, ‘If you give me the chance, I could write a tool to fix all of this.’”

“At the time, I had one professional programming project under my belt, but we still saw a problem: security’s inability to scale effectively. Without DevSecOps in place, a company’s only choice to scale security is to invest in headcount at a 1:1 ratio – which is completely unsustainable. We created DefectDojo as an open-source security platform and community, and now offer a Pro Edition alongside our Community Edition.”

Favorite Memory

What has been your favorite memory working for the company so far? Anderson reflected:

“It’s been an incredible journey. The high point for me was going from being told we weren’t investable to booking $715K in the first two months of having a commercial edition. It provided a huge amount of validation after toiling for almost a decade.”

Core Products

What are the company’s core products and features? Anderson explained: 

“DefectDojo offers security and DevSecOps teams a unified command center that automates critical tasks and tracks vulnerabilities across all stages, from builds to endpoints. It also automatically consolidates duplicates, eliminates false positives, and identifies vulnerability trends with the highest precision, thanks to advanced machine learning algorithms.”

“We have just announced several enhancements to our Pro Edition:

— Enhanced automation – Capabilities to streamline AppSec workflows with or without CI/CD and reduce manual tasks

— Powerful new insights and analytics tools – Increased understanding of vulnerabilities to support data-driven security decisions through risk, remediation, tool, and program insights

— Data enrichment – Providing more comprehensive vulnerability context with FIRST’s Exploit Prediction Scoring System, enhancing the quality of intelligence on threats and vulnerabilities.”

Challenges Faced

What challenges have Anderson and the team faced in building the company? Anderson acknowledged:

“At times, we’ve had challenges responding to all the demand we’ve received, but we’re in a very fortunate position relative to the security market at large. From Cisco’s layoffs to Synopsys exiting the market, we haven’t felt a significant impact despite the relatively soft market. If your offering is compelling enough, people will find the budget. We’re experts at making the case to budget holders on behalf of all security engineers who desperately need DefectDojo.”

Evolution Of DefectDojo’s Technology

How has the company’s technology evolved since launching? Anderson noted:

“Our engineering team is incredibly fast and gifted. We do weekly releases and aim to deliver a transformative feature every quarter. As an open-source project, DefectDojo served as an aggregator for security tools and catered to the most technical in security, especially before launching Pro. Our goal with creating Pro was to evolve the platform to be leveraged by everyone in security. Pro picks up where we left off in the open-source edition by adding additional means to automate ingestion of security results, increased tunability of the ML algorithms, enriching vulnerability data from sources like EPSS, providing customizable dashboards so everyone is looking at the same KPIs, insights into where you should put effort based on risk, and a new UI aimed to provide an enterprise-grade user experience.”

Significant Milestones

What have been some of the company’s most significant milestones? Anderson cited:

“We remain exceptionally proud of the open-source community we have built over the past 13 years. Without them, we wouldn’t be where we are today, and we are excited to keep growing this side of our business and the Community Edition. Developers are constantly sharing new projects – one of the recent ones that caught my eye was Osama Mahmood’s. He built a parser for Wizcli, a tool in the Wiz Cloud Security Platform, enabling DefectDojo to provide more detailed results from Wizcli’s continuous integration/continuous delivery (CI/CD) scanning for vulnerabilities – a major streamlining for a security team’s workflow and reduction in Wizcli’s noise through our algorithms.” 

“We raised a $7 million Series A with Iolar Ventures and Aspenwood Ventures co-leading the round.” 

“When we initially went to market with the Pro Edition, we were a four-person company with zero funding. In the first two months, we booked $715K – proving that there was a demand for scalable security. Using that as our seed money, we grew the company and chose to pursue funding due to the huge demand for our platform.” 

“Today, I’m proud to share that DefectDojo has 38M+ downloads, 180+ integrations, and 80K views a month. Our userbase includes multiple Fortune 50 companies, government agencies, other startups, and more.”

Customer Success Stories

When asking Anderson about customer success stories, he highlighted:

“Most companies are quick to boast about customers. As a security platform built by security professionals, we try to walk the line of being as highly confidential as possible for our customers, while also assuring new customers they’re in good company. We do have permission from certain customers to disclose their usage, but are opting not to do so publicly for the time being.” 

“With that said, there is very public data around what Pearson was able to achieve with the open source version of DefectDojo. At the time, Matt and I were working for Pearson as employees with the task of scaling their AppSec program. Utilizing the open source version of DefectDojo, we took Pearson from scanning 44 applications a year to 414, which was an 849% increase in efficiency, with 96+% of their applications now properly tested, all while losing 3+ members of that team due to attrition. The security leadership at Pearson was so happy about the results and turnaround that Matt and I were sent out to evangelize as both a PR and recruiting campaign of the incredible things Pearson was doing in security. We used what we did for Pearson as the inspiration for our Pro Edition, so others could achieve the same results without having to invest hundreds of thousands of dollars to customize DefectDojo to their specific use-cases.”

Funding

When asking Anderson about the company’s funding, he revealed: 

“We’ve raised $7 million in our Series A. As a private company, we won’t be sharing revenue metrics, but we certainly couldn’t raise venture capital without already demonstrating venture-capital sized growth.”

Total Addressable Market

What total addressable market (TAM) size is the company pursuing? Anderson assessed: 

“The broader AppSec market alone is growing steadily, projected to reach $7.4 billion this year and nearly double that ($13.6B) by 2029. We’re also part of the DevSecOps market, and IDC has forecasted that this market will continue to grow at a healthy pace through 2027.”

Differentiation From The Competition

What differentiates the company from its competition? Anderson affirmed: 

“Our platform is the only open-source solution in the Application Security Posture Management (ASPM) space – underscoring our commitment to be a force for good in the security industry. Gartner projects that 40% of organizations will adopt ASPM by 2026 due to their need to corral all of their security data onto one unified platform, no matter how many tools are being used, and we are ahead of the curve and also offer a transparent solution.”

“We are dedicated to helping security teams transform how they approach AppSec, security at large, and DevSecOps based on our experiences with common security challenges.”

Future Company Goals

What are some of the company’s future company goals? Anderson pointed out:

“Our biggest goal is continuing to build out our platform, even beyond the new features I mentioned earlier. Security threats are constantly evolving, and we work hard to make sure DefectDojo keeps up.” 

“Obviously, as we grow the platform, we’ll also need to scale the business up. We’re up to nearly 20 people on the team already!”

Additional Thoughts

Any other topics you would like to discuss? Anderson concluded: 

“IDC’s 2023 DevSecOps Survey revealed that almost 78% of surveyed companies admitted they had experienced a security breach in 2022. AppSec and ASPM are no longer nice-to-haves or luxuries for a security team. As more threats develop, new tools will be created to fight them, creating an ever-more sprawling security apparatus. These are not threats that will go away: the time to embrace the DevSecOps approach is now.”