Ortelius Blog

Leveraging Ortelius for Vulnerability Tracking

More Complexity in the Software Supply Chain

The rise of open-source software has increased the complexity of the software supply chain, making a complete understanding of the dependencies and vulnerabilities within the software essential. Software supply chain attacks are an increasing concern and have drawn attention at the highest level: the Biden administration's Executive Order 14028 calls for software sold to the US federal government to ship with an SBOM (Software Bill of Materials). An SBOM is essential for supply chain security, but it only has teeth if the information is used proactively to manage vulnerabilities, by identifying every software component and the vulnerabilities associated with it. That security information gives organizations the data they need to prioritize remediation and ensure that all known vulnerabilities are addressed.

Ortelius is an open-source tool that tracks the software supply chain's dependencies and vulnerabilities by collecting software bills of materials (SBOMs) and reporting CVE (Common Vulnerabilities and Exposures) information in near real time. It integrates with vulnerability databases such as OSV.dev to keep vulnerability data current at multiple levels (component, microservice and application).

Let's double-click and see how Ortelius can be leveraged for comprehensive vulnerability tracking:

  1. Pipeline integration:
    Ortelius integrates into any CI/CD pipeline so that vulnerabilities are identified and remediated early in the software development process. It aggregates security data from the component level up to the application level, giving a comprehensive view of security and DevOps data, such as application-level SBOMs, even in a decoupled microservices environment. Once integrated in the pipeline, Ortelius gathers supply chain data from a single pipeline workflow at the build and deploy steps. The build step gathers the Swagger definition, SBOM, README, licenses, Git data, Docker image, and other build output. The deploy step records when a release occurred, what was sent and where the objects were sent.

  2. Software Bill of Materials (SBOM) collection and aggregation:
    Ortelius aggregates a complete software bill of materials (SBOM) by mapping microservices, applications, and components to their dependencies and vulnerabilities. This helps organizations manage the complexity of the software supply chain and prioritize remediation efforts.

  3. Integration with the Open Source Vulnerabilities (OSV) database:
    Ortelius also integrates with the Open Source Vulnerabilities (OSV) database, OSV.dev, cross-referencing the packages in each SBOM to gather CVE data. Every 30 minutes Ortelius performs an OSV.dev look-up for every package listed in every SBOM to determine whether any vulnerabilities exist. The look-up uses OSV's public API, so SBOM generation is a prerequisite for the scan: a component without an SBOM has no package list to query. The result is detailed vulnerability information for each open-source component, viewable at the component level along with additional details such as remediation advice.

  4. Real-time alerts:
    Ortelius alerts users when a newly published vulnerability affects their microservices, applications, or components. Because the OSV.dev scan runs every 30 minutes, users learn of a new vulnerability within one scan cycle of its publication and can take immediate action to remediate it.
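To make steps 3 and 4 concrete, here is an added example (written for this article, not Ortelius's own code) of the underlying flow: extract package URLs from a CycloneDX SBOM, build an OSV.dev `/v1/querybatch` request, map the positional results back to components, and diff against the previous scan to decide what is worth alerting on. The SBOM, the OSV response and the `EXAMPLE-0001` identifier are constructed placeholders so the script runs offline; `query_osv()` shows the real POST but is never called here.

```python
"""Added example: SBOM -> OSV.dev batch query -> component-level findings -> alerts.

Illustrative code written for this article, not Ortelius's implementation.
The SBOM and the OSV response below are constructed so the script runs
offline; only query_osv() would touch the network, and it is not called.
"""
import json
import urllib.request
from typing import Dict, List, Set

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed CycloneDX SBOM fragment. The third component has no purl, so it
# cannot be looked up in OSV and is skipped by purls_from_sbom().
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "application", "name": "internal-service", "version": "1.0.0"},
    ],
})

# Constructed response in the shape /v1/querybatch returns: one result per
# query, in query order, each vuln carrying only id and modified.
# "EXAMPLE-0001" is a placeholder, not a real advisory for this package.
SAMPLE_OSV_RESPONSE = json.dumps({
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": []},
    ]
})


def purls_from_sbom(sbom_json: str) -> List[str]:
    """Return the package URL of every component that carries one."""
    sbom = json.loads(sbom_json)
    return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]


def build_querybatch_payload(purls: List[str]) -> dict:
    """One OSV query per purl; the version travels inside the purl itself."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def query_osv(payload: dict) -> str:
    """Perform the real POST to OSV (not called in this offline example)."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_querybatch_response(purls: List[str], response_json: str) -> Dict[str, Set[str]]:
    """Map each purl to the set of OSV IDs reported for it.

    Results are positional, so a length mismatch means findings could be
    attributed to the wrong component; fail loudly instead of guessing.
    """
    results = json.loads(response_json).get("results", [])
    if len(results) != len(purls):
        raise ValueError(f"expected {len(purls)} results, got {len(results)}")
    return {
        purl: {v["id"] for v in result.get("vulns", [])}
        for purl, result in zip(purls, results)
    }


def new_findings(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """IDs present in this scan but absent from the last one: the alert-worthy set."""
    alerts = {}
    for purl, ids in current.items():
        fresh = ids - previous.get(purl, set())
        if fresh:
            alerts[purl] = fresh
    return alerts


def run_offline_scan() -> Dict[str, Set[str]]:
    """One scan cycle over the constructed data, standing in for a 30-minute run."""
    purls = purls_from_sbom(SAMPLE_SBOM)
    payload = build_querybatch_payload(purls)  # would be sent with query_osv(payload)
    if len(payload["queries"]) != len(purls):
        raise RuntimeError("payload/purl count mismatch")
    return parse_querybatch_response(purls, SAMPLE_OSV_RESPONSE)


if __name__ == "__main__":
    previous_scan = {p: set() for p in purls_from_sbom(SAMPLE_SBOM)}  # last run was clean
    current_scan = run_offline_scan()
    for purl, ids in new_findings(previous_scan, current_scan).items():
        print(f"ALERT {purl}: new OSV IDs {sorted(ids)}")
```

Two details matter in practice: querybatch results are positional, so the parser refuses a response whose length does not match the query list rather than misattributing findings, and the batch endpoint returns only `id` and `modified`, so remediation details for an alert require a follow-up `GET /v1/vulns/{id}`. Diffing against the previous scan is what turns a periodic look-up into an alert on genuinely new findings instead of re-reporting known ones every cycle.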

Conclusion

Ortelius's ability to consume SBOMs automatically and track vulnerabilities at the microservice, application, and component level makes it an essential tool for managing the software supply chain's complexity. With it, organizations can identify every component and its associated vulnerabilities, prioritize remediation, and keep their applications secure. The OSV.dev integration, alerts, and CI/CD pipeline integration make it easier to stay current with the latest vulnerabilities and remediate them promptly.

References

DeployHub Demo: https://www.deployhub.com/sbom-management/

Ortelius Docs: https://docs.ortelius.io/guides/userguide/integrations/osvdev/

About Neetu Jain

Neetu Jain was one of the first contributors to the Ortelius open-source project, serving in a project management capacity. Neetu is a Product Leader with a passion for turning great ideas into innovative, customer-centric products, with two decades of experience in the tech industry. Neetu builds outcomes, drives team engagement, and creates a culture of collaboration, accountability, and openness. Neetu thrives on the big picture by strategically connecting dots.

Learn more about Neetu Jain by visiting her LinkedIn Profile