Shauli Zacks
Published on: December 15, 2024
SafetyDetectives recently had the privilege of speaking with Greg Anderson, CEO and co-founder of DefectDojo, a leading open-source vulnerability management platform. In this insightful interview, Greg shared his journey from a frustrated cybersecurity intern to co-founding a company that now serves Fortune 10 enterprises and government agencies. He discussed DefectDojo’s dual mission to support the open-source community and enterprise users, offered valuable guidance on DevSecOps, and highlighted the evolving role of AI in both defending against and enabling cyber threats. With 2025 on the horizon, Greg also shared his perspective on the future of open-source security and the impact of emerging privacy regulations.
Can you share a bit about your journey in cybersecurity and what inspired you to co-found DefectDojo?
In 2013, I was a frustrated cybersecurity intern working under Matt Tesauro (our CTO and my co-founder). At one point, I got so fed up that I told him, “If you give me the chance, I could write a tool that could fix all of this.”
Matt gave me that chance, even though I had only completed one professional programming project at the time, and what would become DefectDojo was born. Since then, we’ve built both a platform and a community, created our Dojo Pro offering, and raised our Series A.
DefectDojo serves both an open-source community and enterprise users, including Fortune 10 companies and government agencies. How does the platform balance the needs of such diverse stakeholders?
We have always had a vision of supporting both the open-source community and enterprise cybersecurity. Both Matt and I have ties to OWASP (the Open Web Application Security Project) and believe in its mission to make software more secure through collaboration. Our open-source contributors are a major part of DefectDojo’s success. On top of that, we want to ensure that cybersecurity professionals at all levels can work with our platform. We continue to offer and support our free OWASP Edition.
For enterprise users, we offer Dojo Pro. Every organization understands that they need security, but they are lost on how to scale effectively. Dojo Pro gives teams the necessary flexibility to accommodate growing tech stacks and ongoing tool sprawl issues. The launch of Dojo Pro allowed us to nearly double in size thanks to the initial bookings, and our Series A funding was driven by a need to support demand.
In short, we have always known that we needed to balance these needs—it’s just always been part of our vision. Security doesn’t become important once you reach a certain threshold as a company; it’s important for everyone, and our business model reflects that.
You predict that open-source security will become the standard in 2025. What steps should organizations take to effectively leverage the open-source community in addressing vulnerabilities?
Open-source communities are a pillar of technology, and the software they’ve developed would cost businesses nearly $9 trillion if they had to build those platforms themselves. Up to 97% of applications use some open-source software (OSS), showing how collective global wisdom has reshaped how we develop software.
While this ubiquity has significantly simplified the development process, it also has created a new risk: one vulnerability in one piece of OSS could open up threat vectors for many different companies. Over the past few years, we have seen vulnerabilities in OSS skyrocket, underscoring the need for dedicated tools to monitor, assess, and mitigate these risks.
To solve this problem, we can turn right back to the power of open source. There are communities of cybersecurity professionals and enthusiasts around the world, including DefectDojo’s. Their work offers security teams a chance to quickly upgrade their tools to respond to ever-shifting threats. While these teams can then build on and customize open-source tools, they don’t have to start from scratch in creating them, saving time and resources for other issues.
For security teams looking to capitalize on the resources already available, there are thousands of repositories on GitHub, including those specializing in remediating open-source vulnerabilities. (Here’s DefectDojo’s repository for reference.) You’ll likely find a good place to start there.
You mentioned AI’s dual role in cybersecurity as both a tool and a threat. What best practices would you recommend for organizations looking to harness AI’s potential while defending against AI-driven attacks?
Many security teams are already feeling the strain of AI-driven attacks, and 2025 likely won’t be any better. 93% of security leaders predicted that AI attacks will be a daily occurrence in 2025. AI can enhance a number of different attack types, from finding tucked-away vulnerabilities to generating more convincing phishing emails.
However, cybersecurity teams can also use AI. According to some estimates, 50% of regular cybersecurity tasks can use AI in some way.
For example, at DefectDojo, we’ve had a lot of success with using machine learning (ML) algorithms to deduplicate findings. ML is able to go beyond simple string matching and use advanced logic to more effectively detect duplicates, improving as it receives more human feedback. With teams drowning in alerts, some of which may not even be real issues, sifting duplicates out with ML could be a huge help.
Of course, models can also generate code. However, it’s critical to thoroughly evaluate and test anything created by AI before it goes live. Feeding a model proprietary information for better performance can also make it a bigger target for bad actors. In other words, like any tool, it has to be used thoughtfully to be a real asset.
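As an added illustration of the finding deduplication idea described above (example code written for this page, not DefectDojo's own code or algorithm), the following Python contrasts exact string matching with a weighted similarity heuristic standing in for a trained ML model, where analyst feedback both overrides individual verdicts and retunes the threshold; the sample findings, field names and weights are constructed assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "title cwe file_path line")
# Constructed sample: two scanners report the same two issues with different
# wording, CWE choice and path spelling; exact string matching sees 5 issues.
FINDINGS = [
    Finding("SQL Injection in login handler", 89, "src/app/auth.py", 42),
    Finding("SQL injection (CWE-89) in login handler", 89, "./src/app/auth.py", 42),
    Finding("Reflected XSS in search page", 79, "src/app/search.py", 17),
    Finding("Use of hard-coded password", 259, "src/app/config.py", 3),
    Finding("Use of hard-coded credentials", 798, "src/app/config.py", 3),
]
STOP = {"in", "of", "the", "a", "an"}

def exact_unique(findings):
    # Baseline "simple string matching": identical title, path and line only.
    return len({(f.title, f.file_path, f.line) for f in findings})

def keywords(f):
    # Normalise the title: lowercase, drop "CWE-nn" noise and stop words.
    text = re.sub(r"cwe-?\d+", " ", f.title.lower())
    return {w for w in re.findall(r"[a-z0-9]+", text) if w not in STOP}

def similarity(a, b):
    # Weighted score in [0, 1]: title keyword overlap, same location, same CWE.
    ka, kb = keywords(a), keywords(b)
    jaccard = len(ka & kb) / len(ka | kb) if ka | kb else 0.0
    same_loc = a.file_path.removeprefix("./") == b.file_path.removeprefix("./") and a.line == b.line
    return 0.5 * jaccard + 0.3 * same_loc + 0.2 * (a.cwe == b.cwe)

class Deduper:
    def __init__(self, threshold=0.7):
        self.threshold = threshold
        self.feedback = {}  # frozenset({a, b}) -> analyst verdict, True = duplicate
    def is_duplicate(self, a, b):
        verdict = self.feedback.get(frozenset((a, b)))  # a recorded human verdict wins
        return verdict if verdict is not None else similarity(a, b) >= self.threshold
    def record_feedback(self, a, b, is_dup):
        # Remember the verdict and move the threshold toward the analyst's call.
        self.feedback[frozenset((a, b))] = is_dup
        s = similarity(a, b)
        self.threshold = min(self.threshold, s) if is_dup else max(self.threshold, min(1.0, s + 0.01))
    def groups(self, findings):
        # Greedy clustering: attach each finding to the first group it duplicates.
        out = []
        for f in findings:
            match = next((g for g in out if self.is_duplicate(g[0], f)), [])
            match.append(f)
            if len(match) == 1:  # no existing group matched, so this starts a new one
                out.append(match)
        return out
```

Before any feedback the two SQL injection reports collapse into one group while the two hard-coded credential reports stay apart (different CWE); one analyst verdict merges them and lowers the threshold for future pairs.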
With DevSecOps taking center stage, what advice do you have for companies looking to integrate vulnerability management into their workflows, especially those transitioning to hybrid cloud environments?
DevSecOps argues that for better vulnerability management, security has to be integrated into every part of a software’s life cycle. The idea is to continuously and proactively identify, prioritize, and remediate weaknesses across an organization’s applications and infrastructure to give IT teams a complete picture—they simply can’t fix what they can’t see or don’t know about. For companies looking to adopt this approach, the simplest first step is to make sure your security, development, and operations teams are regularly communicating and collaborating. A better working relationship now could help solve many issues later.
Security teams should also work to smartly incorporate automation into their workflows. As tech stacks grow more complex, automation has become necessary to keep up with all of the different applications. When these tools are easy to integrate, security teams can then efficiently consolidate information onto one platform for centralized tracking and remediation.
In the particular case of hybrid cloud environments, development, security, and operations need to take a unified approach to adequately protect sensitive information. If they’re not aligned, then the complex interplay of private cloud, on-prem, and public cloud services can create an even larger attack surface for malicious actors to exploit.
In addition, adequate identity and access management (IAM) is paramount. For example, if one user is compromised, but cannot access everything in a system, that reduces the harm a bad actor can do. This way of thinking is behind the rise of zero trust architecture, but full zero trust again requires a sufficiently centralized approach to security.
Beyond the trends you’ve highlighted, are there any emerging threats or opportunities in cybersecurity that organizations should prepare for as we move toward 2025?
One of the other major things I’m keeping an eye on as we go into 2025 is the regulatory environment. Governments are taking a more proactive approach to data privacy. Both the EU’s Digital Services Act and California’s CPRA are driving the demand for security solutions that prioritize data protection by design, since many of these laws are intentionally designed to cast broad nets and catch as many companies as possible. As a result, we should see more companies adopting tools that go beyond basic compliance checklists and actively embed privacy into their applications and data processing.