Free SaaS Signup and Quick Tutorial

Take a Tour of Continuous Vulnerability Management

To help you understand the need for continuously monitoring vulnerabilities, DeployHub Pro has provided a free version with a tutorial for you to explore. This free version is based on the Ortelius.io open-source project incubating at the Continuous Delivery Foundation, hosted by DeployHub, Inc. Explore how the Ortelius Application is configured and walk through basic concepts of Continuous Vulnerability Management.

Ortelius Hosted by DeployHub Pro

The Ortelius project uses a decoupled microservices architecture serving as a great example of how Continuous Security Intelligence unifies fragmented clues and forensics across Components to expose the Application level security posture. In this tutorial you will see how Ortelius aggregates Component level security to the Application level providing comprehensive security insights at the Application level:

  • SBOMs
  • real-time vulnerability reports
  • compliance reports

You will also see how Ortelius uses a Domain-Driven Design (DDD) to organize data.

Signing Up and Getting Started

When you sign up for Ortelius, you are asked for the required information: your Company and Project names, first name, last name, email, and UserID/Password. Your UserID/Password and Company name are unique. Your Project will be a Subdomain under your Company Domain.

[Screenshot: Signup]

Login and Select the Domain

Ortelius is accessible through the following URL:

https://console.deployhub.com/dmadminweb/Home

Login using the UserID and Password you used when you signed up for Ortelius.

Upon logging into Ortelius, you will be given an option to select your own Company Domain, or the Open Source Domain. For this tutorial select the Open Source Domain. It is prepopulated with data so you can take a quick tour.

[Screenshot: Sign into a Domain]

Domains serve as the basic structure of organizing Continuous Vulnerability Management. Developers use Domains to catalog their Components based on ‘solution spaces.’ Organizing your software supply chain in this way allows for Components to be easily found and shared. Domains are not folders. They serve as a method for creating fully qualified names of Objects within Ortelius to keep things organized. Domains also manage security and Tasks. When you assign security options and Tasks at the Domain level, any child Subdomain inherits the value. A child Subdomain can override a parent Domain value.

You can explore the GLOBAL.open source Domain to learn how data is managed for Continuous Vulnerability Management. In Ortelius terminology, the GLOBAL.open source Domain has multiple Subdomains. For more information on Domains, see Building Domains.

The Ortelius Tutorial

This quick tutorial will walk you through the concepts of Components, Component Versions, Applications, and Application Versions. Component Versions are associated with Software Bill of Materials (SBOM) reports. For each new release of a Component Version, a new SBOM is generated. Ortelius scans these Component Version’s SBOMs in real-time, detecting new vulnerabilities even after the build step. Additionally, Ortelius integrates with the DevOps pipeline to track deployment details, including the locations where each Component Version has been deployed. This tracking enables Ortelius to indicate where an OS package, used by a Component or Application, is running across your entire infrastructure.

Ortelius aggregates Component Versions into Application Versions. An Application Version is a collection of Component Versions that are released as a single software solution. This aggregation allows Ortelius to create SBOMs at the Application level. Leveraging the results from the Component SBOMs, Ortelius provides visibility into all new vulnerabilities affecting each Application Version.

In this tutorial you will:

  • Explore Components
  • View Component SBOM and Vulnerabilities
  • Explore Applications
  • View Application Vulnerabilities
  • Generate an Application SBOM
  • Search for an OS package across all Endpoints.

Explore Components

Components are artifacts, binaries, files or any deployable artifact. Components are assigned to Applications. This assignment allows for the aggregation of data from the Components to the Applications that consume them, providing unified Software Bill of Materials reports and Application Security Posture reports.

Using the Component List View

From the left-hand side menu, select “Components”. This will take you to a list view of all Components assigned to the selected Domain. Using the filter option, choose GLOBAL.Open Source.Linux Foundation.CDF.Ortelius to view all of the Components consumed by the Ortelius open source project.

[Screenshot: Ortelius Domain]

Sorting Components

Sort Components by “Completed.” “Completed” status indicates the Component has been deployed to end users. From the Component list view, click on “Completed” to sort.


Viewing a Component’s Version

Because you are viewing real-time data, the items in the list will change based on the last update from the Ortelius community. Search for the latest version of ms-compitem-crud. You will see a version label such as:

main;10_0_834_g1bdd9d_

Here is an example:

[Screenshot: Component List]


View a Component’s Security Profile and Details

The Component Detail page shows you the Component Version’s Security Profile, Impact Assessment, and DevOps configuration. For every update of a Component, Ortelius uses an internal versioning engine that captures configuration and security changes to the Component. Double click on the ms-compitem-crud Component to view its latest security profile.


SBOM and Vulnerabilities

When you view a Component's details, the first attribute you will see is the Component’s Software Bill of Materials and real-time vulnerabilities.

When your Component build executes, Ortelius will generate a Software Bill of Materials (SBOM) report using the CI/CD command line integration (CLI). Once gathered, Ortelius cross references the SBOM results to known vulnerabilities in real-time. While the SBOM is a static view, the vulnerabilities are updated regularly. Ortelius continuously scans OSV.dev for new known vulnerabilities for all the packages in the SBOM.

In this view, you will see the Component’s SBOM displayed with the Package, Version, License and OpenSSF Scorecard values.
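As an added illustration of the cross-referencing described above (example code, not Ortelius's own implementation), the block below reads a constructed CycloneDX SBOM, builds the queries the OSV.dev batch API accepts, and joins a constructed response back onto the packages. The purl-to-ecosystem table and the placeholder advisory IDs are assumptions for the sample.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment standing in for the report the
# Ortelius CLI collects at build time (sample data, not a real Component).
COMPONENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k"},
    ],
})

# purl types mapped to the ecosystem names OSV.dev expects in a query.
PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "deb": "Debian"}

def sbom_to_osv_queries(sbom_json):
    """Turn each CycloneDX component into one OSV /v1/querybatch query."""
    queries = []
    for comp in json.loads(sbom_json)["components"]:
        purl_type = comp["purl"].split(":", 1)[1].split("/", 1)[0]
        queries.append({
            "package": {"name": comp["name"],
                        "ecosystem": PURL_TYPE_TO_ECOSYSTEM[purl_type]},
            "version": comp["version"],
        })
    return {"queries": queries}

def match_results(queries, batch_response):
    """Join OSV's positional results back onto the packages queried.

    The SBOM itself never changes; re-running this join against a fresh
    response is what turns a static SBOM into a real-time vulnerability view."""
    findings = {}
    for q, res in zip(queries["queries"], batch_response["results"]):
        key = f'{q["package"]["name"]}@{q["version"]}'
        findings[key] = sorted(v["id"] for v in res.get("vulns", []))
    return findings

# Constructed response in the shape OSV returns: one result per query, in
# query order. The advisory IDs are placeholders, not real OSV entries.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "PLACEHOLDER-0002"}, {"id": "PLACEHOLDER-0001"}]},
    {},
]}

if __name__ == "__main__":
    q = sbom_to_osv_queries(COMPONENT_SBOM)
    # Live use: POST json.dumps(q) to https://api.osv.dev/v1/querybatch
    print(match_results(q, SAMPLE_RESPONSE))
```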


Note: You can export a Component’s Software Bill of Materials (SBOM) Report by returning to the Component list view, check-marking the Component, and selecting Export SBOM from the top navigation menu. You will be provided a full view of your Component's SBOM to be shared across teams.

[Screenshot: Component SBOM]


OpenSSF ScoreCard

Ortelius uses the GitRepo and GitCommit from the CI/CD command line integration (CLI) to gather OpenSSF Scorecard data on the Component itself. When available, you will see the Component’s compliance with the OpenSSF Scorecard.

[Screenshot: Components Scorecard]


Impact Assessment Section

Gain insight into how a new Component Version impacts consuming Applications. This list shows which Application Versions consume the Component Version. Note that if a Component Version has a vulnerability, so does every consuming Application Version.

View a list of Applications that depend on the Component, along with a graphical representation of the ‘Blast Radius.’ The Blast Radius illustrates which ‘logical’ Applications are affected by a vulnerability, anomaly, or update. In this section, you will find a map displaying all Applications utilizing this version of the Component.

[Screenshot: Consuming Applications]


Component with DevOps Details Section

This section gives you additional information about the Component such as Owner name and contact information, build details, Git Repo information and Helm Chart information if used.

[Screenshot: DevOps Details]

For more information on Components, see Publishing Components.


View Previous Versions and Run a Comparison

View previous versions, and compare your current version with an older version. From the top menu, look for the previous Version button.

[Screenshot: Compare Components]

This button shows you the total number of previous versions of this Component. Select the button to retrieve a list of all previous versions. From this list you can view the details of any previous versions.

Generate a Comparison Report between two Component versions. Select the Compare button. You will be provided a list from which to select the previous version to compare with the current version you are viewing.

You will be provided a report that shows the differences between these two Component versions.

[Screenshot: Compare Components]


Explore Applications

An Application is a collection of Components that together form a complete software solution. Ortelius handles the logical Application by aggregating Component data at the Application level. The Application features display all logical Applications with their associated Components, and their combined security profile. Each time a new Component Version is released through the CI/CD pipeline, a new Application Version is created. Ortelius uses an internal versioning engine that captures configuration, DevOps and Security data for every update.

Using the Application List View

From the left-hand side menu, select “Applications”. If you have completed the above steps, you will still be in the GLOBAL.Open Source.Linux Foundation.CDF.Ortelius Domain. Notice that the first item in the list is ortelius with the most recent Version number.


Select the Application and Run Reports

Select the Ortelius Application by clicking on the check box and run the Compliance Summary report. This report is a summation of data gathered across your CI/CD pipeline including a compliance checklist for a variety of security checks and environment inventory for the Application Versions.

[Screenshot: Application List]

[Screenshot: Compliance Run]

Next, select the Export SBOM option and generate an Application-level SBOM, derived from the Component dependency SBOMs.

[Screenshot: Application SBOM]


This report is a federated Software Bill of Materials report that aggregates all Component data, including known vulnerabilities at the time the SBOM was exported.

[Screenshot: Application SBOM]


Find an Open-Source Package Across Your Software Supply Chain

Ortelius allows you to search through all Applications for open-source packages. Rapidly responding to vulnerabilities requires that you know precisely where your exposure to the vulnerability is running, and which Components need to be remediated.

Search for a Package by selecting the “Package Search” menu option from the Application list view.

[Screenshot: Package Search]

Enter the package you wish to search for such as “Spring.”

[Screenshot: Package Search Menu]


You will be provided a list of all Applications with their Components that are dependent upon the package.

[Screenshot: Package Search Menu]


View an Application’s Security Profile and Details

The Application Detail page shows you the Application Security Profile, Impact Assessment, and DevOps configuration. You can also view previous versions, and compare your current version with an older version. Double click on the Ortelius Application from the list view to explore the Application Version’s details.

View Previous Versions and Run a Comparison

From the top menu, find the Version and Compare buttons. These buttons show you the total number of previous versions of this Application and allow you to compare the current version with any other version.

[Screenshot: Compare applications]


Select the Versions button to see a list of all previous versions. From this list you can select any version to see its details.

To generate a Comparison Report between two Application versions, select the Compare button. You will be provided a list from which to select the previous version to compare with the current version you are viewing. You will then be provided a report that shows the differences between these two Application versions.

[Screenshot: Compare applications]


View the Application's Aggregated Software Bill of Materials and Real-time Vulnerabilities

When exploring the Application details, the first attribute you will see is the Application's summarized Software Bill of Materials (SBOM) report and known vulnerabilities within the Security Posture Section. An Application SBOM provides a detailed report of all Component SBOM data within the Application, with duplicates removed. When a Component Version is updated, Ortelius automatically generates a new version of all Applications that use that Component, along with a new aggregated SBOM. Ortelius then cross-references all Component packages within the Application against known vulnerabilities. If you need to produce an SBOM for governance purposes, you can export the SBOM from the Application List View Reports menu option.
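The aggregation just described, together with the Blast Radius from the Impact Assessment section and the package search from the previous section, as an added example (not Ortelius's own code): Component SBOMs are federated into a deduplicated Application SBOM that still records which Component brought each package in, and the same inventory answers "which Applications consume this Component Version" and "where does this package run". The Component and Application Version names and their package lists are constructed sample data.

```python
from collections import defaultdict

# Constructed supply-chain inventory (sample data, not Ortelius's own
# records): each Component Version carries the package purls from its SBOM,
# and each Application Version lists the Component Versions it consumes.
COMPONENT_SBOMS = {
    "ms-compitem-crud;main;1": ["pkg:pypi/requests@2.25.1",
                                "pkg:deb/debian/openssl@1.1.1k"],
    "ms-report-svc;main;7": ["pkg:pypi/requests@2.25.1",
                             "pkg:pypi/flask@2.0.1"],
    "ms-ui;main;3": ["pkg:npm/lodash@4.17.20"],
}
APPLICATION_VERSIONS = {
    "ortelius;main;42": ["ms-compitem-crud;main;1", "ms-report-svc;main;7",
                         "ms-ui;main;3"],
    "billing;main;9": ["ms-report-svc;main;7"],
}

def application_sbom(app_version):
    """Federate the Component SBOMs into one Application SBOM with
    duplicates removed. Returns {purl: sorted Component Versions that bring
    it in}, so the aggregated report still shows which Component owns what."""
    packages = defaultdict(set)
    for comp in APPLICATION_VERSIONS[app_version]:
        for purl in COMPONENT_SBOMS[comp]:
            packages[purl].add(comp)
    return {purl: sorted(comps) for purl, comps in packages.items()}

def package_search(name):
    """Every Application Version, with its Component Versions, that depends
    on a package name (any ecosystem or version)."""
    hits = defaultdict(set)
    for app in APPLICATION_VERSIONS:
        for purl, comps in application_sbom(app).items():
            # the package name is the last path segment before '@'
            if purl.rsplit("/", 1)[-1].split("@", 1)[0] == name:
                hits[app].update(comps)
    return {app: sorted(comps) for app, comps in hits.items()}

def blast_radius(component_version):
    """Application Versions affected when this Component Version turns out
    to carry a vulnerability."""
    return sorted(app for app, comps in APPLICATION_VERSIONS.items()
                  if component_version in comps)

if __name__ == "__main__":
    print(application_sbom("ortelius;main;42"))
    print(package_search("requests"))
    print(blast_radius("ms-report-svc;main;7"))
```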

[Screenshot: Application-Detail-Sbom]


View the Application’s Impact Assessment

In the Impact Assessment Section, you will see the Environments the Application has been deployed to, as well as a list of Components the Application depends upon. In addition, you will see a graphical illustration of the Application with all of the consumed Components.

[Screenshot: Application-Detail-Sbom]


View the Application’s DevOps Details

This section shows your Application’s Log History, and Key Value Configurations that were used.


[Screenshot: Application-devops]

Learn more at Defining Applications.


Next Steps and Conclusion

You have now covered the basic objects and how Ortelius manages vulnerabilities across the CI/CD process from code to cloud. There are many other features of Ortelius that we did not cover on this short test drive.

Next steps:

  • You may want to explore how to connect your CI/CD pipeline to Ortelius and add SBOM collection to your DevSecOps process. See SPDX, CycloneDX and Syft on how you can include SBOMs in your CI/CD process.
  • Complete a POC. Now that you have signed up to Ortelius, try it with your own data. Here is a Proof of Concept whitepaper to follow.
  • Get started by connecting your CI/CD pipeline to add Components and Applications.
  • Talk to the community - Join Discord and give us feedback. We want to hear from you.

Thank you for taking the time to learn how you can use Ortelius to evolve your DevOps pipeline to a DevSecOps pipeline, incorporating CI/CD cybersecurity into your existing pipeline tooling.