Kondukto - Modern ASOC Tool

Summary

Kondukto is an ASOC tool that gets all application security data in one place, whether coming from security testing tools, pentest or bug bounty.

7 min read

What is Kondukto?

Kondukto is an ASOC tool (Application Security Orchestration and Correlation) that helps security teams to automate security scanning and centralise vulnerability management for better visibility and faster remediation.

It has integrations with all popular SAST, SCA, DAST and Container image security testing tools and runs built-in open source scanning tools.

You can use all your git repos and collate all the security-related data (scan results from testing tools, bug bounty, manual findings) to take action directly.

It will even enrich the content of issue tickets with SecureCodeWarrior videos related to particular vulnerabilities. (no extra fee)

Kondukto-Projects-Dashboard

Centralized Vulnerability Management

It all starts with visibility. We want to see all security issues for each asset, development team, and business unit in one view. That's the only way it works!

Even small organizations are using, on average, between 15-20 tools in security operations, which goes up to 130 tools for large organizations and enterprises.*

Unfortunately, there is no standard in the industry to streamline, so each tool has its own report template, classifications, recommendations etc…

In Kondukto, all vulnerabilities are consolidated, deduplicated and prioritized for each asset and business unit. 

All in One View: Scanning tool results, pentest reports or manual findings!

All vulnerability reports from different tools will be mapped into OWASP ASVS Framework automatically.

Application Security Posture Management

An ASPM accumulates data using the APIs of application portfolio management, code repositories, open source code scanning, static code scanning, credential scanning, image scanning, and dynamic application security test tools to create an overall risk score for each application” says David Matousek.

Kondukto Integrations

You will integrate all your application security scanning tools with Kondukto to create workflows and SLA levels for different asset groups or business units.

Security as Code for DevSecOps

It is an excellent concept to make security a part of development from the early stages. The foundation of security as code is continuous delivery.

Gitlab script to run SAST, SCA and Container image scan via Kondukto:
				
					stages:
 - build
 - test
 
image: ubuntu
 
before_script:
 - curl -sSL https://cli.kondukto.io | sh
 - export KONDUKTO_HOST=$KONDUKTO_HOST
 - export KONDUKTO_TOKEN=$KONDUKTO_TOKEN
 
build:
  stage: build
  script:
    - echo "Project Building"
 
SAST Test:
  stage: test
  script:
    - echo "SAST via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t checkmarx -b $CI_COMMIT_REF_NAME
 
SCA Test:
  stage: test
  script:
    - echo "SCA via Kondukto" 
    - kdt scan -p $CI_PROJECT_NAME -t dependencycheck
    - b $CI_COMMIT_REF_NAME --async
    # Import SBOM in cyclonedx format
    - kdt sbom import cyclonedx.json -p $CI_PROJECT_NAME 
 
CS Test:
  stage: test
  script:
    - echo "CS via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t trivy --image=ubuntu:latest
    - b $CI_COMMIT_REF_NAME --async
				
			

Anything I Missed?

So these are my favourite features in Kondukto. 

And now I’d like to hear from you:

Is there any other feature that you love… but didn’t see in this article?

Or maybe you have a question.

Either way, let me know by leaving a comment below right now.

On this page:

Leave a Reply

Your email address will not be published. Required fields are marked *