Kondukto is an ASOC tool that brings all application security data into one place, whether it comes from security testing tools, pentests or bug bounty programmes.
Kondukto is an ASOC tool (Application Security Orchestration and Correlation) that helps security teams automate security scanning and centralise vulnerability management for better visibility and faster remediation.
It has integrations with all popular SAST, SCA, DAST and Container image security testing tools and runs built-in open source scanning tools.
You can connect all your Git repositories and collate all the security-related data (scan results from testing tools, bug bounty reports, manual findings) so you can take action directly.
It will even enrich issue tickets with SecureCodeWarrior training videos related to the particular vulnerability, at no extra fee.
It all starts with visibility. We want to see all security issues for each asset, development team, and business unit in one view. That’s the only way it works!
Even small organizations use, on average, between 15 and 20 tools in security operations, and that number goes up to 130 tools for large organizations and enterprises.*
Unfortunately, there is no industry standard to streamline this, so each tool has its own report template, classifications, recommendations, etc.
In Kondukto, all vulnerabilities are consolidated, deduplicated and prioritized for each asset and business unit.
All in One View: Scanning tool results, pentest reports or manual findings!
All vulnerability reports from the different tools are mapped onto the OWASP ASVS framework automatically.
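The consolidation and deduplication described above, as a toy Python illustration added here (not Kondukto's code; the two report shapes, the severity scale and the fingerprint are constructed assumptions):

```python
"""Toy ASOC-style correlation: normalise findings from two differently shaped
reports, dedupe them on a fingerprint and rank by severity. Added illustration
only; not Kondukto's code, report formats or fingerprinting scheme."""
import hashlib

# Constructed sample input: a SAST report and a pentest report that both flag
# the same SQL injection under different names and severity scales.
SAST_REPORT = [
    {"rule": "SQL Injection", "file": "app/db.py", "line": 42, "severity": "High", "cwe": 89},
    {"rule": "Hardcoded Secret", "file": "app/config.py", "line": 7, "severity": "Medium", "cwe": 798},
]
PENTEST_REPORT = [
    {"title": "SQLi in search endpoint", "location": "app/db.py:42", "risk": 9.1, "cwe": 89},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def score_to_severity(score):
    """Map a CVSS-like 0-10 score onto the shared severity scale."""
    for threshold, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= threshold:
            return label
    return "low"

def normalise(raw, source):
    """Translate one tool-specific finding into the common schema."""
    if source == "sast":
        file, line, severity = raw["file"], raw["line"], raw["severity"].lower()
    else:  # pentest: "path:line" location plus a numeric risk score
        file, line_str = raw["location"].rsplit(":", 1)
        line, severity = int(line_str), score_to_severity(raw["risk"])
    # Fingerprint on weakness class + code location so the same flaw reported
    # by different tools collapses into one record.
    fingerprint = hashlib.sha256(f"{raw['cwe']}|{file}|{line}".encode()).hexdigest()
    return {"fingerprint": fingerprint, "cwe": raw["cwe"], "file": file,
            "line": line, "severity": severity, "sources": {source}}

def consolidate(reports):
    """Merge {source: [findings]}, dedupe by fingerprint, keep the worst
    severity and the set of reporting sources, order most severe first."""
    merged = {}
    for source, findings in reports.items():
        for raw in findings:
            f = normalise(raw, source)
            kept = merged.setdefault(f["fingerprint"], f)
            if kept is not f:  # already seen: merge instead of duplicating
                kept["sources"] |= f["sources"]
                if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[kept["severity"]]:
                    kept["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda x: SEVERITY_RANK[x["severity"]], reverse=True)
```

Running `consolidate({"sast": SAST_REPORT, "pentest": PENTEST_REPORT})` yields two records instead of three: the SQL injection is reported once, attributed to both sources and carrying the higher (critical) severity.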
“An ASPM accumulates data using the APIs of application portfolio management, code repositories, open source code scanning, static code scanning, credential scanning, image scanning, and dynamic application security test tools to create an overall risk score for each application” says David Matousek.
You integrate all your application security scanning tools with Kondukto and then create workflows and SLA levels for different asset groups or business units.
Making security a part of development from the earliest stages is an excellent concept, and the foundation of security as code is continuous delivery. The following GitLab CI pipeline (the $CI_* variables are GitLab's predefined ones) installs the Kondukto CLI and runs SAST, SCA and container scans in the test stage:
```yaml
stages:
  - build
  - test

image: ubuntu

before_script:
  # Install the Kondukto CLI (kdt)
  - curl -sSL https://cli.kondukto.io | sh
  # KONDUKTO_HOST and KONDUKTO_TOKEN come from the pipeline's CI/CD variables (keep the token masked)
  - export KONDUKTO_HOST=$KONDUKTO_HOST
  - export KONDUKTO_TOKEN=$KONDUKTO_TOKEN

build:
  stage: build
  script:
    - echo "Project Building"

SAST Test:
  stage: test
  script:
    - echo "SAST via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t checkmarx -b $CI_COMMIT_REF_NAME

SCA Test:
  stage: test
  script:
    - echo "SCA via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t dependencycheck -b $CI_COMMIT_REF_NAME --async
    # Import SBOM in CycloneDX format
    - kdt sbom import cyclonedx.json -p $CI_PROJECT_NAME

CS Test:
  stage: test
  script:
    - echo "CS via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t trivy --image=ubuntu:latest -b $CI_COMMIT_REF_NAME --async
```
Anything I Missed?
So these are my favourite features in Kondukto.
And now I’d like to hear from you:
Is there any other feature that you love but didn't see in this article?
Or maybe you have a question.
Either way, let me know by leaving a comment below right now.
appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.