At Cobalt, we aim to make security easier. We have covered before how to use the Cobalt Public API to gain deeper insight into your pentests. In this blog post, we will cover how we leveraged our API to make it simple for you to import pentest findings into DefectDojo with ease.
What is DefectDojo?
DefectDojo is a security program and vulnerability management tool created and maintained by the OWASP foundation. It is free and open-source software; the code is available on GitHub! As a vulnerability management tool, DefectDojo lets you aggregate vulnerability data from many sources, whether SAST, DAST, or now Cobalt pentest data, into one centralized place.
With all of this consolidated data, you can use DefectDojo to analyze your risk profile, prioritize and triage findings, and manage your application security program. Having pentest findings in the same dataset gives you a fuller picture of your exposure and helps you remediate those findings faster.
As of DefectDojo version 2.3.0, you can import findings from Cobalt pentests with the press of a button. There is a one-time setup process in DefectDojo to authorize access to the Cobalt Public API. After that, you can import Cobalt findings as a scan without requiring any additional effort. This post will provide a look into how to get started with the integration so you can leverage its strengths during your next pentest.
Configuring DefectDojo for Cobalt
To be able to import findings from Cobalt into DefectDojo, you first need to do some configuration. You will need to add a Tool Type and Tool Configuration, as well as per-product Cobalt.io Configurations.
So, let's get started!
Step 1: Add a Tool Type
Log in to your DefectDojo instance, and from the sidebar navigate to Configuration → Tool Type. Then, select Add Tool Type from the menu in the top right. In the form, enter the Name "Cobalt.io" and press Submit.
Step 2: Add a Tool Configuration
Next, we will use this tool type to set up a tool configuration for the Cobalt API. For this, you will need your Cobalt API token as well as your Cobalt Org token (you can get these by following this support guide).
From the DefectDojo sidebar, navigate to Configuration → Tool Configuration. Then, select Add Tool Configuration from the menu in the top right. In the form, enter a descriptive Name, select the Tool Type you just created, and the Authentication type "API KEY". Paste your Cobalt API token into the API Key input and your Cobalt Org token into the Extras input, and press Submit.
Step 3: Add a Product Configuration
The last step to configuring your DefectDojo instance is to associate Cobalt assets with a DefectDojo product. For this step, you will need the identifier of the asset(s), which you can get by navigating to the asset in the Cobalt webapp and copying it from the end of the URL.
With the asset ID on your clipboard, go to a product page in DefectDojo. From here, navigate to Settings → Add Cobalt.io Configuration. Enter the asset ID in the Cobalt.io Asset ID input and select the tool configuration created in Step 2, then press Save.
Now, you're ready to import findings from Cobalt into DefectDojo.
Step 4: Import Findings
Finally, to import findings from Cobalt, select an engagement (or create a new one) and choose the Import Scan Results option. In the import form, select the Scan Type called "Cobalt.io API Import". Then, in the Cobalt.io Config input, select the asset from which to import findings; this is required if you configured more than one asset for the product. Press Import to start importing pentest findings into DefectDojo.
When you press Import, DefectDojo will use the credentials you entered earlier to fetch all pentest findings for the asset you selected from the Cobalt Public API. It will make sure all of the relevant data from Cobalt is included in the findings in DefectDojo, so you don't have to context switch between the two applications.
And that's it! You just imported your first Cobalt pentest findings into DefectDojo. From here on out, you only need to repeat Step 4 to import new findings. If you want to import findings for another asset, you can repeat Step 3.
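Because Step 4 is the only step you repeat, it is the natural candidate for automation (for example, from a pipeline that runs once a pentest closes). The script below is an added example, not Cobalt's or DefectDojo's own code: it triggers the same "Cobalt.io API Import" through DefectDojo's REST API instead of the form. It assumes, and this is not taken from the post, that DefectDojo exposes POST /api/v2/import-scan/ accepting multipart form fields, authenticates with an "Authorization: Token <key>" header, and selects the per-product Cobalt.io Configuration from Step 3 through a field named api_scan_configuration; check these names against your instance's API docs before relying on them. Note that the credential here is a DefectDojo API key, not your Cobalt API or Org token; those stay in the Tool Configuration from Step 2, and DefectDojo uses them server-side to pull the findings.

```python
"""Kick off a Cobalt.io API import in DefectDojo without clicking through the UI.

Added example (not Cobalt's or DefectDojo's code). Assumptions, not taken from
the post: DefectDojo exposes POST /api/v2/import-scan/ (multipart form fields),
authenticates with "Authorization: Token <key>", and selects the per-product
Cobalt.io Configuration via a field named api_scan_configuration. Verify these
against your DefectDojo version's API docs before relying on them.
"""
import json
import os
import sys
import urllib.request

COBALT_SCAN_TYPE = "Cobalt.io API Import"   # the Scan Type name chosen in Step 4


def build_import_fields(engagement_id, api_scan_config_id=None,
                        minimum_severity="Info", active=True, verified=False):
    """Return the form fields for one import request, all as strings.

    api_scan_config_id is the id of the Cobalt.io Configuration from Step 3;
    it is required when a product has more than one asset configured.
    """
    if int(engagement_id) <= 0:
        raise ValueError("engagement_id must be a positive DefectDojo id")
    fields = {
        "scan_type": COBALT_SCAN_TYPE,
        "engagement": str(int(engagement_id)),
        "minimum_severity": minimum_severity,
        "active": "true" if active else "false",
        "verified": "true" if verified else "false",
    }
    if api_scan_config_id is not None:
        fields["api_scan_configuration"] = str(int(api_scan_config_id))
    return fields


def encode_multipart(fields, boundary="dojo-import-boundary"):
    """Encode text-only fields as multipart/form-data.

    No file part is sent: for an API import DefectDojo pulls the findings
    from Cobalt itself using the Tool Configuration credentials (Step 2).
    Returns (body_bytes, content_type_header_value).
    """
    parts = []
    for name, value in fields.items():
        parts.append(f"--{boundary}")
        parts.append(f'Content-Disposition: form-data; name="{name}"')
        parts.append("")
        parts.append(value)
    parts.append(f"--{boundary}--")
    parts.append("")
    body = "\r\n".join(parts).encode("utf-8")
    return body, f"multipart/form-data; boundary={boundary}"


def parse_import_response(body_text):
    """Return the id of the Test DefectDojo created (assumed JSON key "test")."""
    data = json.loads(body_text)
    test_id = data.get("test")
    if test_id is None:
        raise ValueError(f"unexpected import response: {body_text[:200]}")
    return int(test_id)


def trigger_import(base_url, api_key, fields, timeout=120):
    """POST the import request and return the new Test id."""
    body, content_type = encode_multipart(fields)
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v2/import-scan/",
                                 data=body, method="POST")
    # DefectDojo API key; the Cobalt tokens never leave the Tool Configuration.
    req.add_header("Authorization", f"Token {api_key}")
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_import_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage: DOJO_URL=https://dojo.example DOJO_API_KEY=... \
    #        python cobalt_import.py <engagement_id> [cobalt_config_id]
    if len(sys.argv) < 2:
        sys.exit("usage: cobalt_import.py <engagement_id> [cobalt_config_id]")
    cfg = int(sys.argv[2]) if len(sys.argv) > 2 else None
    fields = build_import_fields(int(sys.argv[1]), cfg)
    test_id = trigger_import(os.environ["DOJO_URL"], os.environ["DOJO_API_KEY"], fields)
    print(f"import started; DefectDojo test id {test_id}")
```

The request is encoded by hand so the script has no dependencies beyond the standard library; if you already use the requests library, its files= argument produces the same multipart body. Keep the DefectDojo API key in an environment variable or a secrets store rather than in the script.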
For more details on the setup process, see our DefectDojo support guide. And, as always, if you have any questions or want to tell us about an interesting use case for the Cobalt API, please reach out to us at firstname.lastname@example.org.