michael wager | cyber security consultant

Vulnerability Management with DefectDojo

Sat, 25 Oct 2025 16:26:11 +0200

Last Friday, I had the pleasure of speaking at the Hackerkiste Conference in my hometown Augsburg 🥨 — about one of my favorite topics:
How to make Vulnerability Management actually work in modern DevSecOps environments. Here’s a small blogpost about it.

Imagine it’s Friday afternoon.
A critical vulnerability is disclosed in a widely used library — one that your applications also depend on.
When your developers return on Monday morning, a pull request with the fix is already open, all tests are green, and the ticket just needs to be merged and deployed.
That’s what modern DevSecOps should look like: automated detection, prioritization, and remediation — before attackers can exploit the weakness.

Why Vulnerability Management?

Security today is not just about reacting to hacks — it’s about staying ahead.
Besides regulatory pressure (e.g. NIS2, CRA, ISO 27001), continuous attacks and new vulnerabilities make it essential to monitor your entire software supply chain.

The challenge: there are countless scanners — SAST, SCA, DAST, container, IaC, WTF — each producing different formats, priorities, and reports.
This leads to scanner overload and fragmented visibility.
That’s why we need Vulnerability Management: to consolidate, track, and prioritize findings efficiently.

OWASP and DefectDojo

The Open Web Application Security Project (OWASP) provides an open-source solution for Application Security Posture Management: OWASP DefectDojo.
It aggregates findings from multiple scanners, deduplicates results, provides dashboards, and integrates directly with tools like Jira.

There’s a demo available at https://demo.defectdojo.org/. Log in with admin / 1Defectdojo@demo#appsec.

The Architecture

Our architecture for automated vulnerability management consists of three main components:

1️⃣ GitLab (left)

GitLab CI/CD pipelines execute all relevant security scans using custom container images.
Each image includes a bit of Python logic that automatically uploads results from the application pipelines directly to DefectDojo.
This ensures that every security scan from every team ends up in one central place.

2️⃣ DefectDojo (center)

At the heart of the system, DefectDojo acts as the central Application Security Posture Management platform.
It normalizes and deduplicates scanner data, tracks remediation progress, and provides management-level dashboards and reporting — critical for compliance and executive visibility.

3️⃣ Jira (right)

Between DefectDojo and Jira sits a thin Python integration layer.
It automatically creates and updates tickets in Jira for verified findings, linking them to the right teams and repositories.
This closes the loop between detection and remediation.

Challenges We Faced

To be very honest here, there were some challenges:

DefectDojo maintenance required ongoing updates and tuning, e.g. the database migration from MySQL to PostgreSQL was a major effort.
JIRA Spam: False positives had to be filtered before creating Jira tickets.
And overall, ensuring smooth integration across tools required constant attention.

A Practical Alternative

If you don’t want to build such an automation framework from scratch, a practical alternative is to explore GitLab’s integrated security features - where you get everything from this architecture (and more) out of the box. This can drastically reduce complexity and maintenance overhead.

Get in Touch

If you’re interested in setting up a similar vulnerability management process or improving your DevSecOps workflows:
📧 Reach out to me or the team at secureIO GmbH — we’d love to help.

You can download my slides from the presentation here:
Download Slides (PDF)

DIN 27076 Cyber-Risiko-Check ✅

Tue, 02 Sep 2025 16:26:11 +0200

Ich habe erfolgreich die Schulung zum Cyber-Risiko-Check nach DIN SPEC 27076 abgeschlossen und bin nun offiziell berechtigt, kleine und mittlere Unternehmen (KMU) bei der Durchführung dieses standardisierten Sicherheitschecks zu unterstützen.

Was ist die DIN SPEC 27076?

Die DIN SPEC 27076 ist ein vom Bundesamt für Sicherheit in der Informationstechnik (BSI) unterstützter Standard zur niedrigschwelligen Cyber-Sicherheitsberatung für kleinere Unternehmen. Ziel ist es, ein erstes, systematisches Bild über den Stand der IT-Sicherheit zu erhalten – schnell, verständlich und praxisnah.

Warum ist das relevant?

Gerade kleinere Unternehmen stehen zunehmend im Fokus von Cyberangriffen, haben aber oft nicht die Ressourcen für eine umfassende Sicherheitsstrategie. Der Cyber-Risiko-Check ermöglicht einen einfachen Einstieg:

Systematischer Fragenkatalog
Klare Handlungsempfehlungen
Schnelle Umsetzung möglich
Förderfähig durch das BSI (IT-Sicherheitskennzeichen)

Mein Angebot

Als geschulter Berater nach DIN 27076 biete ich:

Durchführung des Cyber-Risiko-Checks
Dokumentation der Ergebnisse
Erste Maßnahmenempfehlungen
Optional: Begleitung bei der Umsetzung

📞 Interesse an einem Cyber-Risiko-Check für Ihr Unternehmen? Jetzt Kontakt aufnehmen

🎓 Zusatzqualifikation

Neben der DIN 27076 Schulung habe ich auch die ISO/IEC 27001 Officer Schulung erfolgreich abgeschlossen. Damit bin ich in der Lage, Unternehmen zusätzlich zur Umsetzung eines vollständigen Informationssicherheitsmanagementsystems (ISMS) nach internationalem Standard zu beraten.

Secure Containers 🚢

Thu, 14 Sep 2023 10:26:11 +0200

Recently I gave a talk at the Container Days Conference in Hamburg, as well as the BSides Conference in Munich.

You can download the slides here or watch the videos here.

Scorecard - rate the security of your OSS🃏

Wed, 08 Jun 2022 14:36:11 +0200

This post presents “Scorecard” - a pretty interesting tool for evaluating the overall security status of an open source software component. It is a project by the Open Source Security Foundation.

Introduction

Almost all software products depend on so called open source libraries. And just like code written by yourself, these libraries can have security vulnerabilities too! For example, I bet you heard about log4j, a logging library for Java which is widely used in applications worldwide. This library had a critical security issue, thus affecting millions of applications. Another example of so called supply chain attacks is seen in the NPM pakage “ua-parser.js”. The NPM account of the original maintainer had been hijacked and the malicious threat actor then added some malware to do cryptomining on the affected machines. These machines could be local developer machines, staging or even production servers! So you see, securing open source components is a very important part of the SSDLC.

Fact is: Libraries will be used, so what can we do? How can we decide if a library meets certain criteria related security?

Manual research
Software Composition Analysis (SCA)
Running a SAST scan manually against the library source code
And… use Scorecard!

Intro to the Open Source Security Foundation (OpenSSF)

The OpenSSF is a cross-industry forum for a collaborative effort to improve open source software security. Founding board members include Google, IBM, JPMorgan Chase, Microsoft, and more. They have lots of interesting projects on Github:

Scorecard Repo
WG Securing Critical Projects (e.g. angular, laravel, Wordpress, OpenVPN, MySQL, etc.)
Web Application Definition 1.0.0 - Open standard for the integration of DAST in OSS

What is Scorecard?

CLI tool written in go
Idea: give consumers of OSS a way to judge whether their dependencies are safe
Uses heuristics (called “checks”) related to software security
Each check has a score of 0-10 (higher -> better)
Usage: via CLI manually or access already scanned projects: Angular example

CHECKS:

16 checks implemented
Examples:
- CI-Tests: “tests executed before pull requests are merged?” (technical debt == security debt)
- Dependency-Update-Tool: “project uses a dependency update tool?”
- SAST: “project integrates static application security testing?”
- Vulnerabilities: “Does the project has open, unfixed vulnerabilities?” using the OSV (Open Source Vulnerabilities) service

You can find documentation of all implemented checks here: https://github.com/ossf/scorecard/blob/main/docs/checks.md

Demo

We are going to demonstrate the usage against “Jacksum” - an integrity verification library for java.

Note that for runs against a github repo a token must be created first. The demo uses the osx compiled binary “scorecard-darwin-amd64” with one parameter: the direct github url of the java library: https://github.com/jonelo/jacksum/

export GITHUB_AUTH_TOKEN=$TOKEN
./scorecard-darwin-amd64 --repo https://github.com/jonelo/jacksum/
Starting [Dependency-Update-Tool]
Starting [SAST]
Starting [Vulnerabilities]
…
Finished [Dependency-Update-Tool]
Finished [SAST]
Finished [Vulnerabilities]

RESULTS
-------
Aggregate score: 4.9 / 10
...

Conclusion

Scorecard is a very interesting project. As I’ve been a developer myself for more than 10 years, I know how hard it is to evaluate new dependencies. The checks of scorecard also look for quality assurance (e.g. CI Tests or Code-Review) which is a nice thing for sure! So the usage of scorecards gives developers a quick way to decide if a certain project is worth looking into more.

Also, it provides security analysts with a solid base for decision making when asked if a certain library can be included into an application.

It’s worth checking out the project (and all of OpenSSF)!

Tools for Security Testing in Continuous Integration Pipelines 🛠

Mon, 23 May 2022 15:26:11 +0200

In the context of the lecture scientific writing at the University of Applied Sciences in Augsburg, I recently wrote a small paper researching and comparing security testing tools for usage in CI pipelines.

Read the full paper here.

Data runs (Run-Lists) in NTFS filesystems 📂🔪

Thu, 27 Jan 2022 13:36:11 +0100

This post explains how data is stored within the New Technology File System (NTFS) which is the primary file system for recent versions of Windows and Windows Server. Based on an example I will explain how to “carve” a file out of the master file table.

Setup

I formatted a 32GB USB Drive with NTFS and copied a movie file on it:

The file is 21.663.347 bytes in size (21.7MB), which is larger than an MFT record, which has 1024 bytes in NTFS. For files smaller than 1024 bytes the content is stored directly inside the MFT record, but if the size is larger this is called “none-resident” and then the location & size of the content on disk is stored in so-called “Data runs” inside the MFT record of this file. We will now analyze the runlist and try to find the raw data of the movie.

For analyzation I am using FTK Imager on Windows. Opening the USB Drive directly and looking at the file we get the MFT record number, which is 30. With a little math we can jump to the record: Each record has 1024 bytes, so we need to multiply 30 with 1024 to get the byte offset in the MFT: 30720

The image shows a screenshot of the hex-representation of the MFT record. I selected the filename, which is stored inside the MFT record as well. The red selection is the run-list for our file (Starting at decimal offet 64 from the data attribute 0x80000000). It is:

32 B0 14 D1 00 02

So the 2 tells us the size: B0 14 -> little endian -> 0x14B0 which is the value 5296 in decimal representation. This is the size of clusters used for the file content. We need to convert it to bytes by multiplying it with the cluster size, which is 4096. So we get: 21.692.416 Byte. This is just a little bit larger than our original file size and this is caused by internal NTFS organization structures. But this makes sense so far.

The last 3 bytes D1 00 02 tell us the starting cluster number of the content which is 131.281 in decimal representation (little endian!).

So now in FTK Imager we can select the NTFS Evidence, use “Go to sector/cluster…” and put in this number. After that we just set the selection size to 21.692.416 Byte and save as fragment.mpeg.

Opening this file with VLC will play the movie. Here we go!

Resources

MFT Run Lists explained by Frank Griffitts

Forensic Analysis of an Ext3 Linux filesystem 🗄

Fri, 21 Jan 2022 14:26:11 +0100

In the context of the lecture IT-Forensics (which I really enjoyed!) at the University of Applied Sciences in Augsburg, I recently did a forensic analysis of the Ext3 Linux filesystem.

Read the full paper (in german) here.

OWASP Offensive Web Testing Framework (OWTF) 🔐

Wed, 30 Jun 2021 15:17:11 +0200

In the context of the lecture Network Penetration Testing at the University of Applied Sciences in Augsburg, I recently did an evaluation of the Offensive Web Testing Framework (OWTF) from the Open Web Application Security Project (OWASP).

Read the full paper here.

Abstract

Penetration testers often need to work under time pressure. Companies may have limited budget but still need high quality results quickly. Therefore it is a major goal for penetration testers to work as efficient as possible and integrate the use of sophisticated and comprehensive tools to reach this goal.

In the context of the lecture Network Penetration Testing at the University of Applied Sciences, Augsburg, a collection of such tools will be presented in this report: the Offensive Web Testing Framework (OWTF) from the Open Web Application Security Project (OWASP).

First, the motivation of this project will be explained followed by a feature overview. After a short technical analysis, installation instructions will be given. Afterwards a demonstration of the usage and the tools’ possibilities will be presented. Finally, a conclusion related the productive use of the tool completes this document.

You can read the full paper here.

Configuration Management 📚

Sat, 19 Dec 2020 19:17:24 +0100

I am doing my master’s degree in Industrial Security and Safety since april 2020 at University of Applied Sciences in Augsburg. It was quite a crazy start due to covid. This post introduces my work on a major project, which I did together with two fellow students, which goal was to secure the state of an industrial automation facility by developing a configuration management solution.

Read the full paper here

Abstract

Today’s enterprises in the producing industry are subjected to continuous change and are required to adapt their production environment capabilities in order to remain competitive. This causes continuously increasing complexity and connectivity of modern production systems. To mitigate potential safety and security incidents as well as optimization of the companies’ business case, a configuration management solution represents an effective instrument.

In context of the master course in Industrial Security at the University of Applied Sciences, Augsburg, a configuration management project is conducted on a real-world production facility by a group of three students.

Based on a fictional scenario concerning a manufacturer of smartphones (Yeskia Inc.), an initial analysis of the enterprise environment regarding potential risks is performed and appropriate mitigations are derived. Based on the mitigations a comprehensive concept phase is proposing various strategies for realization. Following the V-Model approach, three individual software solutions are designed, implemented and validated. A training course with qualified training material regarding the developed solutions concludes the project.

❤️ JavaScript ❤️

We used JavaScript to detect any unauthorized changes to PLC applications. More info in the paper :-)

You can read the full paper here.

On UNIT Testing 🔨

Sun, 18 Jun 2017 20:27:21 +0200

So you don’t write tests, eh? This is what I think about it.

In a lot of projects I work in, the people just don’t write tests, especially in the frontend. And everytime the reasons are as follows:

It takes so much time!
It is much more code than the code I need to write for the app!
We don’t need tests (because of reasons)!

And everytime the consequences are:

SO MUCH SENSELESS BUGS!!! (😭😭😭)

Some examples

1. The following line of code was added, without tests:

function doStuff(metaInfo) {
  // Context: The developer introduced a new flag which should be `true` by default
  metaInfo.sendPrintjob = metaInfo.sendPrintjob || true;
  ...
}

Question: what’s the value of metaInfo.sendPrintjob if metaInfo.sendPrintjob === false ?

Yeah, it’s true 😞. Bug in production. A simple test most probably got that covered…

You could argue that the developer was stupid. But we all make mistakes. Writing tests allows us to execute that code VERY FAST and get IMMEDIATE RESPONSE. Without reloading the page, adding console.logs, clicking through X screens just to get there and manually test it, maybe only once, like in this case with metaInfo.sendPrintjob = true

2. Following code was changed:

  // before:
  headers: options.headers.toJSON(),
  // after:
  headers: options.headers // Don't call toJSON

This change led to a bug in production. I had to fix the bug ticket in a new project. And it did cost me hours of debugging to find it. As there were no tests at all, this means starting the app, clicking through lots of pages, and setting breakpoints just to get to the point I could reproduce… (this was a big codebase and I was new to the project)

Nevermind the frustation and lost of motivation on that day… But hey, thanks to the comment Don't call toJSON!

If there was a simple test which expects that toJSON has to be called, it wouldn’t be a problem at all..

Some arguments for testing

Tests are (living) documentation (= specification) - this means they are executable code documentation - see BDD on wikipedia
-> Do you always update the code docs when changing code?! (If your answer is yes: 😂)
Time! If you have no automated tests you need to manually test the whole app if you are making changes because you cannot know which parts you broke ;)
Refactoring: How can you refactor and clean up some code without automated tests? Manually test everthing? Good luck!
After updating dependencies tests can show you if something broke.
Better Code-Design - if you are writing tests, you think more about the structure of your code resulting in more clean and readable code
Fast feedback of code execution: You can run code without having to run the whole app. This can even speed up the development of a certain feature, especially UI related code. Who wants to click through 5 pages just to visit the part of the app you are working on?
Less bugs will go to production because with tests they are detected much earlier.
I hate to manually test my apps (of course I do it) but it’s just boring and error prone.
Writing tests will give you more confidence about your code.
🤺 …and yes you will have more test-code that production-code, but:

TDD is like Mr. Miyagi getting you to wash his car and paint his fence - seems like a lot of unnecessary work, but the payoff comes later pic.twitter.com/7U9nbENXEU
— Joshua Morony (@joshuamorony) June 14, 2017

Some links

Writing unit tests for personal projects? - FunFunFunction #29 @ YouTube -> “Code without tests is buggy and bad code”
Eric Elliott - 5 Questions Every Unit Test Must Answer -> “Most Developers Don’t Know How to Test”
Eric Elliott - 5 Common Misconceptions About TDD & Unit Tests -> “TDD is too Time Consuming”
Ryan Hayes - How to Introduce TDD to Your Team With No Unit Testing Experience
Martin Fowler - Mocks Aren’t Stubs

michael wager | cyber security consultant

Vulnerability Management with DefectDojo

Why Vulnerability Management?

OWASP and DefectDojo

The Architecture

1️⃣ GitLab (left)

2️⃣ DefectDojo (center)

3️⃣ Jira (right)

Challenges We Faced

A Practical Alternative

Get in Touch

DIN 27076 Cyber-Risiko-Check ✅

Was ist die DIN SPEC 27076?

Warum ist das relevant?

Mein Angebot

🎓 Zusatzqualifikation

Secure Containers 🚢

Scorecard​ - rate the security of your OSS🃏

Introduction​

Intro to the Open Source Security Foundation (OpenSSF)

What is Scorecard?​

CHECKS:

Demo​

Conclusion

Tools for Security Testing in Continuous Integration Pipelines 🛠

Data runs (Run-Lists) in NTFS filesystems 📂🔪

Setup

Resources

Forensic Analysis of an Ext3 Linux filesystem 🗄

OWASP Offensive Web Testing Framework (OWTF) 🔐

Abstract

Configuration Management 📚

Abstract

❤️ JavaScript ❤️

On UNIT Testing 🔨

Some examples

1. The following line of code was added, without tests:

2. Following code was changed:

Some arguments for testing

Some links

So, always remember:

Scorecard - rate the security of your OSS🃏

Introduction

What is Scorecard?

Demo