| 1 | +--- |
| 2 | +title: "DefectDojo Pro Metrics" |
| 3 | +description: "How to Leverage Metrics in DefectDojo Pro" |
| 4 | +audience: pro |
| 5 | +weight: 2 |
| 6 | +--- |
| 7 | + |
| 8 | +## Metrics Overview |
| 9 | + |
| 10 | +The DefectDojo Pro UI has various Metrics dashboards to help visualize your current security posture. Each dashboard allows stakeholders at different levels of the organization to make informed decisions without needing to interpret raw data or navigate individual Findings. These dashboards include: |
| 11 | +* [Executive Insights](#executive-insights) |
| 12 | +* [Priority Insights](#priority-insights) |
| 13 | +* [Program Insights](#program-insights) |
| 14 | +* [Remediation Insights](#remediation-insights) |
| 15 | +* [Tool Insights](#tool-insights) |
| 16 | + |
| 17 | + |
| 18 | + |
| 19 | +## Metrics Features |
| 20 | + |
| 21 | +Before elaborating on each particular dashboard, there are some commonalities between all dashboards that are worth reviewing. |
| 22 | + |
| 23 | +### Filtering |
| 24 | + |
| 25 | +All Metrics can be filtered by timeframe, Organization, Asset, and Tag. After adjusting the filter as desired, Apply Filter must be clicked in order for the filter to take effect. If you wish to export a PDF of all charts, tables, and graphs on the dashboard as currently filtered, click Export as PDF. |
| 26 | + |
| 27 | +The filtering timeframe is limited to the past year, but can otherwise be adjusted to include the past 7, 14, 30, 90, or 180 days. |
| 28 | + |
| 29 | +### Submenus |
| 30 | + |
| 31 | +Each graph has a ⋮ kebab menu in the top right of each view with the following features: |
| 32 | +* Force Refresh — Manually refreshes to incorporate any new updates in the data. |
| 33 | +* Expand Plot — Opens the same chart in a larger pop-up modal. |
| 34 | +* Download Plot as SVG — Downloads the chart as an SVG file. |
| 35 | +* View as Table — Shows the data from the chart in table format. |
| 36 | + * Each column of the table can be toggled to appear in ascending or descending order when clicked. You can also download each table. |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +### Access |
| 41 | + |
| 42 | +The Metrics section will only represent data from the Organizations and Assets that each User has the appropriate permissions to view. A User with access limited to a single Asset will only be able to see Metrics for that particular Asset, but if they don’t have access to the other Assets within the parent Organization, data from those other Assets won't be represented in Metrics. |
| 43 | + |
| 44 | +### Viewing Data Within Charts |
| 45 | + |
| 46 | +The X-axis of line charts will always represent the current timeframe filter. Hovering your cursor over a line chart will cause a modal to appear with a count of the figures on the Y-axis at that point in time. |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | +### Toggling Results |
| 51 | + |
| 52 | +Users can toggle certain categories of Findings as viewable and nonviewable in the chart by clicking on their respective color/name at the top of each chart. |
| 53 | + |
| 54 | +For example, in the Active Findings by Severity chart below, if you only wanted to see Findings with a High or Critical severity, you would click Medium, Low, and Info at the top to remove those results from the chart. Clicking Medium, Low, and Info again would make those results reappear. |
| 55 | + |
| 56 | + |
| 57 | + |
| 58 | +## Executive Insights |
| 59 | + |
| 60 | +**Executive Insights** provides an aggregated view of application security risk across your organization. As it is design for executive-level consumption, this dashboard focuses exclusively on Organizations and Assets, emphasizing trends and outcomes rather than individual Findings. |
| 61 | + |
| 62 | +Within Executive Insights, Users may select a timeframe, Organization, Asset, or Tag from the filter list, which will populate an adjoining table with the resulting Findings. It will also change the results in various charts and graphs below. |
| 63 | + |
| 64 | +If no filters are selected, the table will display the status of all Organizations, Assets, and Tags. |
| 65 | + |
| 66 | +The first table provides a birdseye view of your overall security posture. There are also two separate tables for your Organizations and Assets. |
| 67 | + |
| 68 | +Figures will populate within each table depending on the filters applied. Clicking any hyperlinked figure within a cell will open a separate tab containing all Findings from that cell. From there, Users can investigate and interact with the Findings as desired, such as by: |
| 69 | +* Viewing Finding data within the table |
| 70 | +* Opening a Finding’s Organization and/or Asset |
| 71 | +* Downloading the Findings as a CSV file |
| 72 | +* Generating a Quick Report of the Findings |
| 73 | +* Editing or closing a Finding |
| 74 | +* Requesting a review |
| 75 | +* Adding risk acceptance |
| 76 | +* Adding a file or a note |
| 77 | +* Pushing to Jira or Integrator |
| 78 | +* Deleting the Finding |
| 79 | +* Opening the Finding history |
| 80 | + |
| 81 | +## Priority Insights |
| 82 | + |
| 83 | +**Priority Insights** shows the most critical Findings as determined by risk, severity, exploitability, or custom scoring, helping teams understand which vulnerabilities pose the greatest threat at any given moment and focus their efforts accordingly. |
| 84 | + |
| 85 | +Apart from various charts and graphs, Priority Insights includes four clickable modals that will open a separate tab with a table for all of the data those four modals represent: |
| 86 | +* Total Urgent Risk Findings |
| 87 | +* Total Needs Action Risk Findings |
| 88 | +* Total Medium Risk Findings |
| 89 | +* Average Finding Priority |
| 90 | + |
| 91 | +It also includes an integrated table of Prioritized Findings arranged either by AppSec or SOC, allowing Users to further filter, interact with, and view the data associated with individual Findings. The contents can be exported as a CSV file or a Quick Report, and other various columns can be added prior to export. |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +## Program Insights |
| 96 | + |
| 97 | +**Program Insights** evaluates the effectiveness and maturity of the application security program as a whole, focusing on program-level performance rather than individual Findings. It includes breakdowns of testing efforts, as well as how deduplication and reimport features are affecting noise reduction, efficiency increases, and cost savings, ensuring that security processes are working as intended. |
| 98 | + |
| 99 | +## Remediation Insights |
| 100 | + |
| 101 | +**Remediation Insights** focuses on closure performance and remediation accountability, charting SLA adherence, overdue Findings, and Risk Acceptance over time. It relies on EPSS scores to determine a Finding’s exploitability, the database for which DefectDojo Pro updates daily and applies to each of your Findings. |
| 102 | + |
| 103 | +Similar to Priority Insights, Remediation Insights also includes four clickable modals that will open a separate tab with a table for all of the data those four modals represent: |
| 104 | +* Total Open Findings |
| 105 | +* Critical & High Open Findings |
| 106 | +* Mitigated Within SLA |
| 107 | +* Highly Exploitable Findings |
| 108 | + |
| 109 | +## Tool Insights |
| 110 | + |
| 111 | +**Tool Insights** tracks the performance of each security tool used in DefectDojo based on the count and severity of Findings that it reports, helping to evaluate the comparative effectiveness of tools over time. |
| 112 | + |
| 113 | +Specifically, the Severity by Tool (Top 10 Most Findings) modal will provide a radar chart comparing the severity of the Findings your tools reveal. |
| 114 | + |
| 115 | +Severity by Tool Monthly will also provide a table arranged by the total Findings a particular scan type revealed on a particular date. Each column of this table can also be toggled to present in ascending or descending order. |
| 116 | + |
| 117 | +Collectively, the suite of available Metrics dashboards enables organizations to move beyond raw vulnerability data and make informed, risk-driven decisions across the entire security lifecycle. |
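Review bot: The Access paragraph at line 42 states its rule twice and the "but" joins two clauses that do not contrast: a User limited to one Asset "will only be able to see Metrics for that particular Asset, but if they don't have access to the other Assets within the parent Organization, data from those other Assets won't be represented in Metrics". Suggest collapsing this to one sentence and spelling out the consequence a reader will actually hit, assuming that is the intended behaviour: Organization-level rows and totals are computed only over the Assets the User can view, so a partial-access User's Organization figures will not match those seen by a User with access to every Asset in it. Smaller fixes in the same hunk: "design for" should be "designed for" at line 60; "birdseye" should be "bird's-eye" at line 66; "other various columns can be added prior to export" at line 91 reads better as "additional columns can be added prior to export"; the EPSS sentence at line 101 ("the database for which DefectDojo Pro updates daily and applies to each of your Findings") would be clearer as "DefectDojo Pro refreshes EPSS scores daily and applies them to each Finding"; and line 31 should drop one of the two "each" ("Each graph has a ⋮ kebab menu in its top right with the following features:").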