DefectDojo attempts to simplify how users interact with the system by minimizing the number of objects it defines. The definition of each object, together with sample usages, is given below.
Product types represent the top-level model; they can be business unit divisions, different offices or locations, development teams, or any other logical way of distinguishing “types” of products.
- IAM Team
- Internal / 3rd Party
- Main company / Acquisition
- San Francisco / New York offices
A product is the name of any project, program, or product that you are currently testing.
- OpenStack Neutron
- Internal wiki
Environments describe the environment that was tested in a particular Test.
Engagements are moments in time when testing is taking place. They are associated with a name for easy reference, a timeline, a lead (the user account of the main person conducting the testing), a test strategy, and a status.
- Quarterly PCI Scan
- Release Version X
Test types can be any sort of distinguishing characteristic about the kind of testing that was done in an Engagement.
- Nessus Scan
- API test
- Static Analysis
Tests are a grouping of activities conducted by engineers to attempt to discover flaws in a product. A test represents an instance of a Test Type: a moment in time when the product is being analyzed. Tests are bundled within engagements, have a start and end date, and are defined by a test type.
- Burp Scan from Oct. 29, 2015 to Oct. 29, 2015
- Nessus Scan from Oct. 31, 2015 to Oct. 31, 2015
- API Test from Oct. 15, 2015 to Oct. 20, 2015
A finding represents a flaw discovered while testing. It can be categorized with severities of Critical, High, Medium, Low, and Informational (Info).
- OpenSSL ‘ChangeCipherSpec’ MiTM Potential Vulnerability
- Web Application Potentially Vulnerable to Clickjacking
- Web Browser XSS Protection Not Enabled
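The hierarchy described above (product type, product, engagement, test type, environment, test, finding) as a small in-memory model. This is an added illustration, not DefectDojo's own Django models; the environment name "Production", the lead name and the dates are assumptions, and the object names are taken from the examples on this page.

```python
from dataclasses import dataclass, field
from datetime import date

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")  # the five levels the page lists

@dataclass
class Finding:
    title: str
    severity: str
    def __post_init__(self):  # reject anything outside the page's severity scale
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")

@dataclass
class Test:  # one instance of a test type, run in one environment over a date range
    test_type: str
    environment: str
    start: date
    end: date
    findings: list = field(default_factory=list)

@dataclass
class Engagement:  # a testing window with a lead; tests are bundled inside it
    name: str
    lead: str
    start: date
    end: date
    tests: list = field(default_factory=list)
    def add_test(self, test):  # a test must fit within its engagement's timeline
        if not (self.start <= test.start <= test.end <= self.end):
            raise ValueError(f"{test.test_type} lies outside engagement {self.name}")
        self.tests.append(test)

@dataclass
class Product:  # belongs to a product type such as "Internal" or "IAM Team"
    name: str
    product_type: str
    engagements: list = field(default_factory=list)

def severity_counts(product):  # roll findings up through tests and engagements
    counts = dict.fromkeys(SEVERITIES, 0)
    for finding in (f for e in product.engagements for t in e.tests for f in t.findings):
        counts[finding.severity] += 1
    return counts

def build_sample():  # constructed from the page's example names; dates and lead are hypothetical
    release = Engagement("Release Version X", "lead-user", date(2015, 10, 1), date(2015, 10, 31))
    release.add_test(Test("Nessus Scan", "Production", date(2015, 10, 31), date(2015, 10, 31),
                          [Finding("Web Browser XSS Protection Not Enabled", "Low")]))
    return Product("OpenStack Neutron", "Internal", [release])
```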