Free SaaS Signup and Quick Tutorial

Take a Tour of Continuous Security Intelligence

To help you understand the need for continuously monitoring your security intelligence, DeployHub Pro, Inc. provides a free version with a tutorial for you to explore. This free version is based on the Ortelius.io open-source project, incubating at the Continuous Delivery Foundation and hosted by DeployHub Pro, Inc. Explore how the Ortelius Application is configured and walk through the basic concepts of Continuous Security Intelligence.

Ortelius Hosted by DeployHub Pro

The Ortelius project uses a decoupled microservices architecture, which makes it a good example of how Continuous Security Intelligence unifies fragmented clues and forensics across Components to expose the Application-level security posture. In this tutorial you will see how Ortelius aggregates Component-level security data to the Application level, providing Application-level:

  • SBOMs
  • real-time vulnerability reports
  • compliance reports

You will also see how Ortelius uses a Domain-Driven Design (DDD) to organize data.

Signing Up and Getting Started

When you sign up for Ortelius, you are asked for basic information: your UserID and Password, and your Company and Project names. Your UserID and Company name must be unique. Your Project becomes a Subdomain under your Company Domain.

Ortelius is accessible through the following url:

https://console.DeployHub.com/dmadminweb/Home

Log in using the UserID and Password you chose when you signed up for Ortelius. Check your email for your login information.

Upon logging into Ortelius, you will be given an option to select your Company Name Domain, or the Open Source Domain. The Open Source Domain is prepopulated with data so you can take a tour. Select the Open Source Domain to start exploring.

Sign into a Domain


Explore Domains

Domains serve as the basic structure of organizing Continuous Security Intelligence. Developers use Domains to catalog their Components based on ‘solution spaces.’ Organizing your software supply chain in this way allows for Components to be easily shared.

Domains are not folders. They are the method for building fully qualified names of objects within DeployHub Pro, which keeps things organized. You can explore the GLOBAL.Open Source Domain to learn how Continuous Security Intelligence is organized. In DeployHub Pro terminology, the GLOBAL.Open Source Domain has multiple Subdomains.

  1. From the left hand side menu, select Domains. This will take you to the Domain Details. All Domains you have access to will be shown in the Domain List Box.

  2. Select GLOBAL.Open Source.Linux Foundation. In the Details, you will see this Domain has two Subdomains, CDF and OpenSSF. Drilling into the GLOBAL.Open Source.Linux Foundation.CDF Domain shows that the Ortelius project is a Subdomain of the CDF.

For More information on Domains see - Building Your Domain Catalog


Explore Components

Components are artifacts, binaries, files or any deployable object. Components are assigned to Applications. This assignment allows for the aggregation of data from the Components to the Applications that consume them, providing unified Software Bill of Materials reports and Application Security Posture reports.

Using the Component List View

From the left hand side menu, select “Components”. This will take you to a list view of all Components assigned to the selected Domain. Using the filter option, choose GLOBAL.Open Source.Linux Foundation.CDF.Ortelius to view all of the Components consumed by the Ortelius open source project.

Ortelius Domain


Sorting Components

Sort Components by “Completed.” “Completed” indicates the Component has been deployed to end users. From the Component list view, click on “Completed” to sort.


Viewing a Component’s Version

The first item in the sorted Component list is the latest version of ms-compitem-crud, shown with the version label “main;10_0_834_g1bdd9d_.” DeployHub Pro uses a versioning engine to track changes as artifacts are updated, appending a new version number to the Component name each time.

Component List


View a Component’s Security Profile and Details

The Component Detail page shows you the Component's Security Profile, Impact Assessment, and DevOps configuration. You can also view previous versions and compare the current version with an older one. Double-click the ms-compitem-crud Component to view its security profile and a list of previous versions.


View Previous Versions and Run a Comparison

From the top menu, look for the previous Version button.

Compare Components

This button shows the total number of previous versions of this Component. Select it to see a list of all previous versions; from that list you can view the details of any previous version.

To generate a Comparison Report between two Component versions, select the Compare button. You will be provided a list from which to select the previous version to compare against the version you are viewing.

The resulting report shows the differences between the two Component versions.

Compare Components


SBOM and Vulnerabilities

When you view a Component’s details, the first attribute you will see is the Component’s Software Bill of Materials summary and real-time vulnerabilities.

When your Component build executes, the CI/CD command line integration (CLI) sends the Component's Software Bill of Materials (SBOM) to DeployHub Pro. Once gathered, DeployHub Pro cross-references the SBOM packages against known vulnerabilities in real time. The SBOM is a static record of the build, but the vulnerability view is not: DeployHub Pro continuously rechecks OSV.dev for new advisories against every package in the SBOM, so a Component that was clean when built can show vulnerabilities later without being rebuilt.
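The cross-reference step described above, as an added example that is not DeployHub Pro or Ortelius code: it reads a CycloneDX SBOM (constructed inline), builds the package list a tool would send to the OSV.dev batch query endpoint, and matches each package against advisories shaped like the OSV schema's "affected" ranges. The ADVISORIES records, their EXAMPLE-* identifiers and version ranges are constructed placeholders, not real advisories, and the version comparison is deliberately simplified (pre-release tags and ecosystem-specific ordering are ignored).

```python
"""Cross-reference a Component SBOM against OSV-style advisories.

Added example, not DeployHub Pro or Ortelius code. SBOM_JSON is a constructed
CycloneDX document and ADVISORIES are constructed records in OSV shape; the
EXAMPLE-* ids and ranges are placeholders. A live implementation would post
osv_querybatch_payload() to https://api.osv.dev/v1/querybatch on a schedule
and re-run the match with the returned advisories.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM, as a CI step might upload it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.0",
     "purl": "pkg:pypi/requests@2.25.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "crypto", "version": "v0.14.0",
     "purl": "pkg:golang/golang.org/x/crypto@v0.14.0"}
  ]
}
"""

# Constructed advisories (placeholder ids, made-up ranges) in OSV shape.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002",
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-2024-0003",
     "affected": [{"package": {"ecosystem": "Go", "name": "golang.org/x/crypto"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0.1.0"}, {"fixed": "0.17.0"}]}]}]},
]

# purl type -> OSV ecosystem name (subset; extend as needed).
PURL_TO_OSV = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven",
               "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet"}


def parse_version(v):
    """'2.25.0' or 'v0.14.0' -> comparable tuple of ints, trailing zeros dropped
    so 4.17 == 4.17.0. Simplified: ignores pre-release and ecosystem rules."""
    parts = []
    for piece in v.lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def load_packages(sbom_json):
    """Extract ecosystem/name/version from each component's purl."""
    packages = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:"):
            continue  # nothing to query without a purl
        body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
        ptype, _, rest = body.partition("/")
        if "@" in rest:
            name, _, version = rest.rpartition("@")
        else:
            name, version = rest, comp.get("version", "")
        packages.append({"ecosystem": PURL_TO_OSV.get(ptype, ptype),
                         "name": name, "version": version})
    return packages


def osv_querybatch_payload(packages):
    """Request body for POST /v1/querybatch: one query per package."""
    return {"queries": [{"package": {"name": p["name"], "ecosystem": p["ecosystem"]},
                         "version": p["version"]} for p in packages]}


def version_affected(version, events):
    """Walk OSV range events (ascending) and report whether version falls in an
    introduced..fixed window. 'introduced': '0' means from the first release."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v:
                affected = True
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < v:
                affected = False
    return affected


def cross_reference(packages, advisories):
    """Match every SBOM package against every advisory's affected entries."""
    findings = []
    for p in packages:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != p["ecosystem"] or pkg.get("name") != p["name"]:
                    continue
                hit = p["version"] in aff.get("versions", []) or any(
                    version_affected(p["version"], r.get("events", []))
                    for r in aff.get("ranges", []) if r.get("type") in ("SEMVER", "ECOSYSTEM"))
                if hit:
                    findings.append({"id": adv["id"], **p})
    return findings


if __name__ == "__main__":
    pkgs = load_packages(SBOM_JSON)
    print(json.dumps(osv_querybatch_payload(pkgs), indent=1))
    for f in cross_reference(pkgs, ADVISORIES):
        print(f"{f['id']}: {f['ecosystem']}/{f['name']} {f['version']} is affected")
```

Because the SBOM is stored once and the advisory set changes, re-running cross_reference() with a fresh advisory feed is what turns a static SBOM into a live vulnerability view; GIT-type ranges are skipped here since matching them needs commit history, not a version string.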

In this SBOM summary, you will see the Component’s SBOM displayed with the Package, Version, License and OpenSSF Scorecard values.

Note: You can export a Component's Software Bill of Materials (SBOM) report by returning to the Component list view, ticking the checkbox next to the Component and selecting Export SBOM from the top navigation menu. You will be provided a full view of the Component's SBOM for sharing across teams.

Component SBOM


OpenSSF ScoreCard

DeployHub Pro uses the GitRepo and GitCommit reported by the CI/CD command line integration (CLI) to gather OpenSSF Scorecard data. When available, you will see the Component's OpenSSF Scorecard results.

Components Scorecard


Readme and License

In addition to the above, DeployHub Pro shows the README and license information defined in the GitRepo.


Impact Assessment Section

Gain insight into how the Component affects consuming Applications. This view quickly reveals the impact of Component vulnerabilities on all dependent logical Applications.


Consuming Applications and Blast Radius

View a list of Applications that depend on the Component, along with a graphical representation of the ‘Blast Radius.’ The Blast Radius shows which ‘logical’ Applications are affected by a vulnerability, anomaly, or update to the Component. In this section, you will find a map displaying all Applications that use this version of the Component.


Swagger

DeployHub Pro shows the Component's Swagger (OpenAPI) definition when one is available.


Component with DevOps Details Section

This section gives you additional information about the Component such as Owner name and contact information, build details, Git Repo information and Helm Chart information if used. In addition, if you are using the DeployHub Pro internal Deployment Engine, the configuration for deploying your Component is provided.

For More information on Components see - Components and Their Security Posture.


Explore Applications

An Application is a collection of Components that together form a complete software solution. DeployHub Pro handles the logical Application by aggregating Component data at the Application level. The Application features display all logical Applications with their associated Components, and their combined security profile.

Using the Application List View

From the left hand side menu, select “Applications”. If you have completed the above steps, you will still be in the GLOBAL.Open Source.Linux Foundation.CDF.Ortelius Domain. Notice that the first item in the list is “Ortelius” with the most recent Version number.

Application List


Run Reports

Select the Ortelius Application and run the following reports:

  • Compliance Summary - this report is a summation of data gathered across your CI/CD pipeline and includes a compliance checklist for a variety of security checks and environment inventory for all of the Application’s Component versions.

Compliance Run

  • Deployment Frequency - this report shows how often each Environment has been deployed to, based on the CI/CD pipeline data.

  • Lead Time for Change - this report shows the average number of days for a change to be deployed.

  • Export SBOM - This is a federated Software Bill of Materials report that aggregates all Component data, including known vulnerabilities at the time the SBOM was exported.


Find an Open-Source Package Across Your Software Supply Chain

DeployHub Pro lets you search all Applications for an open-source package. Responding quickly to a new vulnerability requires knowing exactly where the affected package is running and which Components need to be remediated.

Search for a Package by selecting the “Package Search” menu option from the Application list view. Enter the package you wish to search for such as “Spring.”

Package Search Menu


You will be provided a list of all Applications with their Components that are dependent upon the package.

Package Search Menu


View an Application’s Security Profile and Details

The Application Detail page shows you the Application Security Profile, Impact Assessment, and DevOps configuration. You can also view previous versions, and compare your current version with an older version. Double click on the “Ortelius” Application to view its security profile and retrieve a list of previous versions.


View Previous Versions and Run a Comparison

From the top menu, find the Version button. This button shows the total number of previous versions of this Application. Select it to see a list of all previous versions; from that list you can select any version to see its details.

To generate a Comparison Report between two Application versions, select the Compare button. You will be provided a list from which to select the previous version to compare against the version you are viewing.

Compare applications


View the Application’s Aggregated Software Bill of Materials and Real-time Vulnerabilities

When exploring the Application details, the first attribute you will see is the Application's summarized Software Bill of Materials (SBOM) report and known vulnerabilities, outlined in the Security Posture section.

An Application SBOM provides a detailed report of all Component SBOM data within the Application, with duplicates removed. When a Component is updated, DeployHub Pro automatically generates a new version of all Applications that use that Component, along with a new aggregated SBOM. DeployHub Pro then cross-references all Component packages within the Application against known vulnerabilities. If you need to produce an SBOM for governance purposes, you can export the SBOM from the Application List View Reports menu option.
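The aggregation rule described above, together with the Package Search from the Find an Open-Source Package section and the Blast Radius view from the Component section, as an added example that is not DeployHub Pro or Ortelius code. COMPONENTS and APPLICATIONS are a constructed catalogue: ms-compitem-crud and Ortelius are names from this tutorial, while ms-example-api, example-gateway, example-portal and every package list are hypothetical. It merges the Component SBOMs of an Application into one list with duplicates removed (keyed by package version, with the contributing Components retained as provenance), flags packages that appear at two versions inside one Application, searches package names across all Applications, and lists the Applications that consume a given Component version.

```python
"""Federate Component SBOMs into an Application SBOM and search packages.

Added example, not DeployHub Pro or Ortelius code. COMPONENTS and
APPLICATIONS are a constructed catalogue; only ms-compitem-crud and Ortelius
are names from the tutorial, everything else is hypothetical.
"""
import json
from collections import defaultdict

# Component version -> its SBOM package list (CycloneDX-style name/version/purl).
COMPONENTS = {
    "ms-compitem-crud;main;10_0_834_g1bdd9d_": [
        {"name": "fastapi", "version": "0.95.0", "purl": "pkg:pypi/fastapi@0.95.0"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "ms-example-api;1.4.0": [
        {"name": "fastapi", "version": "0.95.0", "purl": "pkg:pypi/fastapi@0.95.0"},
        {"name": "requests", "version": "2.28.0", "purl": "pkg:pypi/requests@2.28.0"},
    ],
    "example-gateway;2.0.1": [
        {"name": "spring-core", "version": "6.0.11",
         "purl": "pkg:maven/org.springframework/spring-core@6.0.11"},
    ],
}

# Application version -> Component versions it consumes.
APPLICATIONS = {
    "Ortelius;1.0.0": ["ms-compitem-crud;main;10_0_834_g1bdd9d_", "ms-example-api;1.4.0"],
    "example-portal;3.2.0": ["ms-example-api;1.4.0", "example-gateway;2.0.1"],
}


def package_key(pkg):
    """Identity of a package version: the purl when present, else name@version."""
    return pkg.get("purl") or f"{pkg['name']}@{pkg['version']}"


def aggregate_sbom(app_key):
    """Merge the SBOMs of every Component in the Application, deduplicating by
    package version and recording which Components contributed each entry."""
    merged = {}
    for comp_key in APPLICATIONS[app_key]:
        for pkg in COMPONENTS[comp_key]:
            entry = merged.setdefault(package_key(pkg), {
                "name": pkg["name"], "version": pkg["version"],
                "purl": pkg.get("purl"), "components": set()})
            entry["components"].add(comp_key)
    for entry in merged.values():
        entry["components"] = sorted(entry["components"])
    return merged


def find_version_conflicts(sbom):
    """Packages present at more than one version in a single Application.
    Dedup keeps both versions on purpose; this surfaces them for review."""
    by_name = defaultdict(set)
    for entry in sbom.values():
        by_name[entry["name"]].add(entry["version"])
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


def package_search(term):
    """Case-insensitive package-name search across every Application.
    Returns Application -> Component -> matching name@version strings."""
    term = term.lower()
    results = {}
    for app_key, comp_keys in APPLICATIONS.items():
        for comp_key in comp_keys:
            hits = sorted(f"{p['name']}@{p['version']}" for p in COMPONENTS[comp_key]
                          if term in p["name"].lower())
            if hits:
                results.setdefault(app_key, {})[comp_key] = hits
    return results


def blast_radius(comp_key):
    """Applications that consume this exact Component version."""
    return sorted(a for a, comps in APPLICATIONS.items() if comp_key in comps)


def to_cyclonedx(app_key):
    """Export the aggregated SBOM as a minimal CycloneDX document. Provenance is
    carried in a component property; the property name is a local convention."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [{"type": "library", "name": e["name"], "version": e["version"],
                            "purl": e["purl"],
                            "properties": [{"name": "contributing-components",
                                            "value": ",".join(e["components"])}]}
                           for e in aggregate_sbom(app_key).values()]}


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx("Ortelius;1.0.0"), indent=1))
    print(find_version_conflicts(aggregate_sbom("Ortelius;1.0.0")))
    print(package_search("spring"))
    print(blast_radius("ms-example-api;1.4.0"))
```

Deduplicating by purl rather than by bare name is what lets two Components ship different versions of the same library and still both appear in the Application SBOM; find_version_conflicts() is the check a reviewer would want on top of that, since a "fixed" version in one Component does not remediate the Application if another Component still carries the old one.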


View the Application’s Impact Assessment

In the Impact Assessment section, you will see the Environments the Application has been deployed to, as well as a list of the Components the Application depends upon. You will also see a graphical illustration of the Application with all of its consumed Components.


View the Application’s DevOps Details

This section shows the Application's log history and the key-value configurations that were used.

Learn More at Applications and Their Security Posture


Conclusion

There are many other features of DeployHub Pro that this short test drive did not cover. You may want to explore how to connect your CI/CD pipeline so that SBOMs and other DevSecOps tooling data are published automatically as part of your pipeline process. See SPDX, CycloneDX and Syft for how to generate SBOMs in your CI/CD process.

Other topics to explore include: