Ortelius Aggregates Supply Chain Data Across the Pipeline

Use the Evidence You Already Collect

Aggregated Security and DevOps Intelligence Across the Organization


Ortelius is the go-to place for DevOps and Security engineers to view and analyze security intelligence. The Ortelius evidence store collects data generated by existing tools such as SBOM tools, Software Composition Analysis tools, CVE databases, and deployment data. Security and DevOps tools are called by the DevOps process. In a decoupled architecture, pipelines are executed for every independently deployed container. This causes DevOps and Security data to be fragmented across tools or left in the build directory where the DevOps pipeline was executed, making it difficult to see a complete software application's security profile, CVEs and SBOMs. By aggregating the data, Ortelius provides CISO and Development teams sweeping views of the critical software supply chain intelligence needed for rapidly responding to cyber threats. Most importantly, Ortelius shows your open-source usage and details across the organization with ['logical application'](/microservicemapping/) mapping. Some of the data collected by Ortelius includes:

  • SBOM (SPDX or CycloneDX formats)
  • Aggregated SBOMs in a Decoupled Architecture
  • Open-source usage and inventory
  • SonarQube
  • Syft
  • OSV.dev
  • CVE for each service with data aggregated up to the logical application
  • Dora Metrics
  • Ownership (email, Pagerduty, phone)
  • Swagger
  • Readme
  • Open-source packages and licenses
  • Versions over time based on the Container Tag
  • Logical Application versions based on changes to the supporting microservices
  • CD Pipeline and tooling (Jenkins, Tekton, Spinnaker, Commercial pipeline tools)
  • Deployment Engine
  • Key Value Pairs
  • Environments and Endpoints
  • Blast Radius and Usage
  • Organization
  • Inventory by version across all environments

Logical Application SBOMs

In a decoupled architecture, component updates drive new application versions. Each time a shared component is updated, all of the consuming 'logical' applications have new SBOMs. Because Ortelius versions the overall supply chain, it automatically provides a new aggregated application-level SBOM for every component update. This information is critical for meeting Government SBOM requirements such as EO 14028.
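As an added illustration of that aggregation (example code written for this page, not Ortelius's own implementation): per-component CycloneDX SBOMs are merged into one application-level SBOM, a changed container tag on any consumed component produces a new application version and a fresh aggregated SBOM, and the merged document answers which components pulled in a given package. The `example:introduced-by` property name, the sample packages and the integer version-bumping rule are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ComponentVersion:
    name: str   # microservice / container name
    tag: str    # container tag: a new tag is a new component version
    sbom: dict  # CycloneDX JSON as produced by an SBOM tool such as Syft

def cdx(pkgs):
    """Constructed minimal CycloneDX 1.4 document used as sample input."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:golang/{n}@{v}"}
        for n, v in pkgs]}

def aggregate_sbom(app_name, app_version, components):
    """Merge component SBOMs into one application-level CycloneDX SBOM.
    Packages are deduplicated by purl; a hypothetical property records which
    component:tag pairs pulled each package in (the blast-radius view)."""
    merged = {}
    for comp in components:
        for pkg in comp.sbom["components"]:
            entry = merged.setdefault(pkg["purl"], {**pkg, "properties": []})
            entry["properties"].append(
                {"name": "example:introduced-by", "value": f"{comp.name}:{comp.tag}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"type": "application",
                                       "name": app_name, "version": app_version}},
            "components": sorted(merged.values(), key=lambda p: p["purl"])}

class LogicalApplication:
    """The application version is derived from its components' versions."""
    def __init__(self, name):
        self.name, self.version, self.components = name, 0, {}

    def update_component(self, comp):
        prev = self.components.get(comp.name)
        if prev is not None and prev.tag == comp.tag:
            return None  # same container tag: nothing changed, no new SBOM
        self.components[comp.name] = comp
        self.version += 1  # assumed rule: every component change bumps the app
        return aggregate_sbom(self.name, str(self.version), self.components.values())

def consumers(apps, purl):
    """Inventory question: which applications, via which components, run purl?"""
    hits = {}
    for app in apps:
        for comp in app.components.values():
            if any(p["purl"] == purl for p in comp.sbom["components"]):
                hits.setdefault(app.name, []).append(comp.name)
    return hits
```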

[Figure: Component Usage]

[Figure: Aggregated SBOM]

Conclusion

The Ortelius evidence store is a critical piece of the overall software supply chain security puzzle. Ortelius gathers and analyzes existing DevOps and security data, aggregated to application and organizational levels. This centralized data simplifies the jobs of CISO and development teams when a supply chain event occurs. Ortelius provides a full inventory of where open-source packages are running, which application team consumes each package, and which component included it. These details can be viewed from an organizational level, giving teams the information they need to rapidly respond to threats and anomalies.