Kondukto - Modern ASPM Tool


Kondukto is an ASPM tool that gets all application security data in one place, whether coming from security testing tools, pentest or bug bounty.


What is Kondukto?

Kondukto is an ASPM tool (Application Security Posture Management) that helps security teams to automate security scanning and centralize vulnerability management for better visibility and faster remediation.

It has integrations with all popular SAST, SCA, DAST and Container image security testing tools and runs built-in open-source scanning tools.

You can connect all your git repositories and collate all the security-related data (scan results from testing tools, bug bounty reports, manual findings) so that you can act on it directly.

It will even enrich the content of issue tickets with SecureCodeWarrior videos related to the particular vulnerability, at no extra fee.


Centralized Vulnerability Management

It all starts with visibility. We want to see all security issues for each asset, development team, and business unit in one view. That’s the only way it works!

Even small organizations use, on average, between 15 and 20 tools in security operations, a number that climbs to around 130 tools for large organizations and enterprises.*

Unfortunately, there is no industry standard to streamline this, so each tool has its own report template, severity classifications, recommendations, and so on.

In Kondukto, all vulnerabilities are consolidated, deduplicated and prioritized for each asset and business unit.

All in One View: Scanning tool results, pentest reports or manual findings!

All vulnerability reports from different tools will be mapped into OWASP ASVS Framework automatically.
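To make the consolidation, deduplication and ASVS mapping described above concrete, here is an added example (not Kondukto's own code): two constructed reports in different scanner formats are normalized to one record type, merged on (CWE, file, line), ranked by normalized severity and by how many sources agree, and tagged with an ASVS requirement. The scanner formats, the sample findings and the CWE-to-ASVS table are all constructed for the example; check the mapping against the ASVS version you actually use.

```python
"""Consolidate, deduplicate and prioritize findings from several scanners.

Added example, not Kondukto's own code. It shows the kind of normalization
an ASPM tool performs when it pulls results from different tools into one
view. All inputs and the ASVS mapping below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample output of a hypothetical SAST tool:
# severity as a word, location split into file and line.
SAST_REPORT = [
    {"rule": "SQL Injection", "cwe": 89, "severity": "High",
     "file": "app/db.py", "line": 42},
    {"rule": "Reflected XSS", "cwe": 79, "severity": "Medium",
     "file": "app/views.py", "line": 17},
]

# Constructed sample output of a hypothetical pentest report:
# CVSS-style numeric score, CWE as a string, single "file:line" location.
PENTEST_REPORT = [
    {"title": "SQLi in login form", "cwe": "CWE-89", "score": 8.8,
     "location": "app/db.py:42"},
    {"title": "Weak TLS config", "cwe": "CWE-326", "score": 5.3,
     "location": "infra/nginx.conf:10"},
]

# Illustrative CWE -> OWASP ASVS 4.0 requirement mapping (constructed for the
# example; verify each entry against the ASVS version you use).
CWE_TO_ASVS = {89: "V5.3.4", 79: "V5.3.3", 326: "V9.1.2"}

SEVERITY_WORDS = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    """One normalized finding; 'sources' records every tool that reported it."""
    cwe: int
    file: str
    line: int
    severity: int          # normalized: 1 = Low .. 4 = Critical
    title: str
    asvs: str
    sources: set = field(default_factory=set)


def severity_from_word(word: str) -> int:
    return SEVERITY_WORDS[word.lower()]


def severity_from_cvss(score: float) -> int:
    # CVSS v3 qualitative buckets collapsed onto the same 1..4 scale.
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1


def parse_cwe(value) -> int:
    # Accept 89, "89" or "CWE-89".
    return int(str(value).upper().removeprefix("CWE-"))


def normalize_sast(item: dict) -> Finding:
    cwe = parse_cwe(item["cwe"])
    return Finding(cwe, item["file"], int(item["line"]),
                   severity_from_word(item["severity"]), item["rule"],
                   CWE_TO_ASVS.get(cwe, "unmapped"), {"sast"})


def normalize_pentest(item: dict) -> Finding:
    cwe = parse_cwe(item["cwe"])
    file, line = item["location"].rsplit(":", 1)
    return Finding(cwe, file, int(line),
                   severity_from_cvss(item["score"]), item["title"],
                   CWE_TO_ASVS.get(cwe, "unmapped"), {"pentest"})


def consolidate(findings: list) -> list:
    """Merge duplicates on (cwe, file, line); keep the highest severity and
    the union of sources. Rank by severity, then by how many tools agree."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        if key in merged:
            existing = merged[key]
            existing.severity = max(existing.severity, f.severity)
            existing.sources |= f.sources       # first-seen title is kept
        else:
            merged[key] = f
    return sorted(merged.values(),
                  key=lambda f: (-f.severity, -len(f.sources), f.file, f.line))


def build_view(sast_report: list, pentest_report: list) -> list:
    raw = [normalize_sast(i) for i in sast_report]
    raw += [normalize_pentest(i) for i in pentest_report]
    return consolidate(raw)


def summarize_by_asvs(findings: list) -> dict:
    counts = defaultdict(int)
    for f in findings:
        counts[f.asvs] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in build_view(SAST_REPORT, PENTEST_REPORT):
        print(f"[{f.severity}] {f.asvs} {f.file}:{f.line} {f.title} "
              f"<- {sorted(f.sources)}")
```

The SQL injection reported by both the SAST tool and the pentester collapses into a single record that lists both sources and sorts to the top, which is the kind of corroboration a triage queue should surface first. Real scanner formats are messier than this (different path roots, shifting line numbers between commits), so production deduplication usually keys on a fingerprint of the code snippet or rule ID rather than an exact line.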

Application Security Posture Management

“An ASPM accumulates data using the APIs of application portfolio management, code repositories, open source code scanning, static code scanning, credential scanning, image scanning, and dynamic application security test tools to create an overall risk score for each application,” says David Matousek.

Kondukto Integrations

You integrate all your application security scanning tools with Kondukto, then create workflows and SLA levels for different asset groups or business units.

Security as Code for DevSecOps

It is an excellent concept to make security a part of development from the early stages. The foundation of security as code is continuous delivery.

GitLab CI script to run SAST, SCA and container image scans via Kondukto:

stages:
  - build
  - test

image: ubuntu

before_script:
  # Install the Kondukto CLI (kdt) in every job
  - curl -sSL https://cli.kondukto.io | sh

# Job name for the build stage is not preserved on the page; "build" is assumed
build:
  stage: build
  script:
    - echo "Project Building"

SAST Test:
  stage: test
  script:
    - echo "SAST via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t checkmarx -b $CI_COMMIT_REF_NAME

SCA Test:
  stage: test
  script:
    - echo "SCA via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t dependencycheck -b $CI_COMMIT_REF_NAME --async
    # Import SBOM in CycloneDX format
    - kdt sbom import cyclonedx.json -p $CI_PROJECT_NAME

CS Test:
  stage: test
  script:
    - echo "CS via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t trivy --image=ubuntu:latest -b $CI_COMMIT_REF_NAME --async

Anything I Missed?

So these are my favourite features in Kondukto. 

And now I’d like to hear from you:

Is there any other feature that you love… but didn’t see in this article?

Or maybe you have a question.

Either way, let me know by leaving a comment below right now.
