Finding

"Findings" in DefectDojo are records that represent discoveries of security problems in an application or project: code vulnerabilities, configuration weaknesses, security bugs and other security-related risks.

They are generally created as part of the security analysis of an application. Security professionals, test engineers and developers identify these issues during security testing, static code analysis (SAST), dynamic application analysis (DAST), container scanning, configuration review and similar activities. In DefectDojo, findings are usually created by importing a scanner report into a test, or entered manually.

Each finding in DefectDojo usually contains detailed information about the problem:

  1. Detailed Description: Each finding includes a description of the security problem that is precise enough for the development and security teams to understand and address it.
  2. Severity: Findings are classified by severity to indicate their potential impact on security. DefectDojo uses the scale Critical, High, Medium, Low and Info. This ranking drives prioritization of remediation, so that the most critical problems are addressed first.
  3. Vulnerability Type: Each finding is associated with a vulnerability type, recorded in DefectDojo as a CWE identifier and, where one exists, a vulnerability ID such as a CVE. This identifies the nature of the security problem, such as SQL injection, transport layer security (TLS/SSL) weaknesses or denial of service (DoS) conditions.
  4. Location: The finding records where the problem is located. This can be a reference to source code (a file path and line number), a URL or endpoint in a web application, or a specific infrastructure configuration.
  5. Evidence and Context: Related evidence may be attached to support the finding, such as code snippets, screenshots, logs or other supporting material. Context is also provided to help teams understand the scope and impact of the problem.
  6. Assignment of Responsibility: Each finding can be assigned to a team member responsible for correcting it, so that every security issue has a clear owner.
  7. Status and Progress: Findings carry status flags that track their lifecycle; in DefectDojo these are Active, Verified, False Positive, Duplicate, Out of Scope, Risk Accepted, Under Review and Mitigated. This allows you to track the progress of remediation and confirm that problems are actually resolved rather than merely closed.
  8. History and Audit: Changes and updates to each finding are tracked, providing a complete history of activity and an audit trail of who did what and when.
  9. Comments and Discussion: Findings support comments and discussion between members of the development and security teams, which facilitates communication and collaboration in problem solving.
  10. Prioritization and Planning: Findings can be prioritized so that the most critical problems are addressed first. This supports the planning of corrective actions and the allocation of resources.
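The attributes listed above are, in practice, the fields of a finding record. The following added example (illustration code, not DefectDojo's own) builds finding records in the shape of DefectDojo's "Generic Findings Import" JSON format, validates them against the constraints implied by the list (a severity from the DefectDojo scale, a CWE type, a location for either a static or a dynamic finding, consistent status flags), flags duplicates with a simple key over the type and location fields (an assumption made here; DefectDojo's own deduplication uses a configurable hash_code), and orders the records for remediation by severity. The field names follow the Generic Findings Import format as understood by the author of this example, and the sample records are constructed, not real scanner output.

```python
"""Added example: build, validate, de-duplicate and prioritise findings in the
shape of DefectDojo's "Generic Findings Import" JSON format.
Illustration code, not DefectDojo's own; field names are an assumption about
the Generic Findings Import format."""
import hashlib
import json
from dataclasses import dataclass, field, asdict

# DefectDojo's severity scale, most severe first.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITIES)}


@dataclass
class Finding:
    title: str
    description: str
    severity: str
    cwe: int = 0                    # vulnerability type as a CWE id
    file_path: str = ""             # location for static findings
    line: int = 0
    url: str = ""                   # location for dynamic findings
    mitigation: str = ""
    impact: str = ""
    references: str = ""
    static_finding: bool = False
    dynamic_finding: bool = False
    active: bool = True             # status flags as DefectDojo models them
    verified: bool = False
    false_p: bool = False
    duplicate: bool = False
    tags: list = field(default_factory=list)


def validate(f: Finding) -> list:
    """Return a list of problems; an empty list means the record is importable."""
    problems = []
    if not f.title.strip():
        problems.append("title is required")
    if f.severity not in SEVERITIES:
        problems.append(f"severity {f.severity!r} is not one of {SEVERITIES}")
    if f.cwe < 0:
        problems.append("cwe must be a non-negative CWE id")
    if not (f.file_path or f.url):
        problems.append("a location is required: file_path/line for static, url for dynamic")
    if f.static_finding == f.dynamic_finding:
        problems.append("exactly one of static_finding / dynamic_finding must be set")
    if f.false_p and f.verified:
        problems.append("a false positive cannot also be verified")
    return problems


def dedup_key(f: Finding) -> str:
    """Stable key over the type and location fields (an assumption made here,
    not DefectDojo's configurable hash_code algorithm)."""
    raw = "|".join([f.title.strip().lower(), str(f.cwe), f.file_path, str(f.line), f.url])
    return hashlib.sha256(raw.encode()).hexdigest()


def mark_duplicates(findings: list) -> list:
    """Flag later records that share a dedup key with an earlier one and deactivate them."""
    seen = set()
    for f in findings:
        key = dedup_key(f)
        if key in seen:
            f.duplicate = True
            f.active = False
        else:
            seen.add(key)
    return findings


def prioritise(findings: list) -> list:
    """Order for remediation: non-duplicates first, then most severe first, then by title."""
    return sorted(findings, key=lambda f: (f.duplicate, SEVERITY_RANK.get(f.severity, len(SEVERITIES)), f.title))


def to_generic_import(findings: list) -> str:
    """Serialise to the {"findings": [...]} document the Generic Findings Import parser reads."""
    return json.dumps({"findings": [asdict(f) for f in findings]}, indent=2)


# Constructed sample records (not real scan output); the third repeats the first.
SAMPLE = [
    Finding("SQL injection in login form", "User input concatenated into query", "High",
            cwe=89, file_path="app/auth/views.py", line=42, static_finding=True,
            mitigation="Use parameterised queries", tags=["sast"]),
    Finding("Weak TLS cipher suites offered", "Server accepts TLS_RSA_WITH_3DES_EDE_CBC_SHA", "Medium",
            cwe=326, url="https://example.test/", dynamic_finding=True, tags=["dast"]),
    Finding("SQL injection in login form", "Same issue reported by a second scanner", "High",
            cwe=89, file_path="app/auth/views.py", line=42, static_finding=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        assert not validate(f), validate(f)
    print(to_generic_import(prioritise(mark_duplicates(SAMPLE))))
```

The serialised document is what you would upload to DefectDojo as a "Generic Findings Import" scan for an engagement; validating before upload avoids importing records with no location or an unknown severity, which are the ones that end up unactionable in the queue.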