Free SaaS Signup and Tutorial

Signup and Learn How to Gather Continuous Security Intelligence

This tutorial uses the Ortelius Application to walk you through the basic concepts of Continuous Security Intelligence. Ortelius is an Open-Source project, incubating at the Continuous Delivery Foundation. This free SaaS version of Ortelius is hosted and sponsored by DeployHub, Inc.

The Ortelius project uses a decoupled microservices architecture serving as a great example of how Continuous Security Intelligence unifies fragmented clues and forensics across Components to expose the Application level security posture. In this tutorial you will see how Ortelius aggregates Component level security to the Application level providing Application level:

  • SBOMs
  • real-time vulnerability reports
  • compliance reports.

You will also see how Ortelius uses a Domain-Driven Design (DDD) to organize data across teams.

Ortelius Hosted by DeployHub Team

Signing Up and Getting Started

When you sign up for Ortelius, you are asked for basic information: your UserID/Password, Company name and Project name. Your UserID/Password and Company name are unique. Your Project will be a Subdomain under your Company Domain.

Ortelius is accessible through the following URL:

https://console.deployhub.com/dmadminweb/Home

Login using the UserID and Password you used when you signed up for Ortelius. Check your email for your login information.

Upon logging into the Ortelius SaaS, you will be given an option to select your Company Name Domain, or the Open Source Domain. The Open Source Domain is prepopulated with data so you can take a tour. Select the Open Source Domain to start exploring.

Sign into a Domain

Explore Domains

Domains serve as the basic structure of organizing Continuous Security Intelligence. Developers use Domains to catalog their Components based on ‘solution spaces.’ Organizing your software supply chain in this way allows for Components to be easily shared.

Domains are not folders. They serve as a method for creating fully qualified names of Objects within Ortelius to keep things organized. Domains also manage security and Tasks. When you assign security options and Tasks at the Domain level, any child Subdomain inherits the value. A child Subdomain can override a parent Domain value.

You can explore the GLOBAL.open source Domain to learn how Continuous Security Intelligence is organized. In Ortelius terminology, the GLOBAL.open source Domain has multiple Subdomains.

Take a Tour of Domains:

  1. From the left-hand side menu, select Domains to see the child Subdomains. You will see Linux Foundation, NPM, Golang and Maven among the options. Click on Linux Foundation to expand the chart and view further Subdomains.

  2. You will see that the Linux Foundation includes the CDF and OpenSSF as Subdomains. Under the CDF, you will see the child Subdomain Ortelius. Select Ortelius to see the Subdomains associated with the Ortelius project. These Subdomains represent different releases of Ortelius.

For more information on Domains, see Building Domains.

Explore Components

Components are artifacts, binaries, database SQL, files or any deployable artifact. Components are assigned to Applications. This assignment allows for the aggregation of data from the Components to the Applications that consume them, providing unified Software Bill of Materials reports and Application Security Posture reports.

Take a Tour of Components

1) View Components

From the left-hand side menu, select “Components”. Using the filter option, choose GLOBAL.Open Source.Linux Foundation.CDF.Ortelius to view all of the Components consumed by the Ortelius open source project.

Ortelius Domain


2) Component Lists

Notice that the first item in the list is ms-compitem-crud;main. “Main” indicates the base version of this Component. The subsequent items in the list show the changes from the “Main” branch.

Components


3) Historical Comparisons

Generate a Comparison Report between two Component versions. Checkmark any two versions and select the Compare option from the list menu to see their differences.

Compare Components


4) Software Bill of Materials

View a Component Software Bill of Materials (SBOM) Report. When your Component build executes, Ortelius generates a Software Bill of Materials using the tool of your choice. Ortelius then cross-references the known vulnerabilities against the packages. The report shows a timestamp recording the point in time at which the vulnerabilities were found. This is a static view of the known vulnerabilities at build time.

Component SBOM


5) Sorting Components

Sort Components by “Completed.” “Completed” indicates the Component has been deployed to end users. From the Component list view, click on “Completed” to sort. Select a Component in the completed list to view its Security Posture and current vulnerabilities. Ortelius provides updates to vulnerabilities every 30 minutes.

Completed Components


6) Component Details

View the Components details including the OpenSSF Scorecard Results, current known vulnerabilities, and Overall Component Security Posture.

Components Scorecard


Components Swagger


Components Vulnerabilities


7) Blast Radius

View the Blast Radius of a Component. The Blast Radius shows you which ‘logical’ Applications are impacted by a vulnerability, anomaly, or update. From the Component detail screen, scroll to the bottom to see the Dependency Map. This map shows the versions of the Ortelius “logical” Application that are using this version of the Component.

Component Map


For more information on Components, see Publishing Components.

Explore Applications

An Application is a collection of Components that make up a complete software solution. Ortelius manages the Logical Application aggregating Component data up to the application-level.

Take a Tour of Applications

1) Application Lists

From the left-hand side menu, select “Applications”. If you have completed the above steps, you will still be in the GLOBAL.Open Source.Linux Foundation.CDF.Ortelius Domain. Notice that the first item in the list is ortelius without an assigned Version number. This indicates the main branch of the Ortelius Application. Select “Completed” from the list menu options to sort by all versions of Ortelius that have been released.

Application List


2) Compare Versions

Generate a Comparison Report between two Application versions. Checkmark any two versions and select the Compare option from the list menu to see their differences.

Compare Applications


Results:

Compare Application Results


4) Aggregated Software Bill of Materials

View an aggregated Application Software Bill of Materials report. An Application SBOM is a report that shows all of the Application’s Component SBOM data, with duplicates removed. When a Component is updated, Ortelius automatically creates a new version of every Application consuming the Component, with a new aggregated SBOM. Ortelius then cross-references all of the Application’s Component packages with the known vulnerabilities. The report shows a timestamp recording the point in time at which the vulnerabilities were found. This is a static view of the known vulnerabilities at build time for the Application, with SBOM details. If you are required to produce an SBOM for governance purposes, you can give your consumers access to the Ortelius platform, allowing them to ‘self serve’ and track your Application’s security posture.


Export SBOM
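The aggregation, cross-referencing and Blast Radius described in step 4 above and in step 7 of the Components tour, as an added Python example that is not Ortelius code; apart from ms-compitem-crud, the Component names, package lists and advisory ids are constructed:

```python
from datetime import datetime, timezone

# Constructed sample data, not pulled from the Ortelius SaaS. Each Component
# version carries the package list from its own SBOM, keyed by purl. Only
# ms-compitem-crud is a real Ortelius component name; the rest are made up.
COMPONENT_SBOMS = {
    "ms-compitem-crud;v1": {"pkg:pypi/flask@2.0.1", "pkg:pypi/werkzeug@2.0.3"},
    "ms-scorecard;v1": {"pkg:golang/golang.org/x/text@v0.3.7",
                        "pkg:pypi/werkzeug@2.0.3"},
    "ms-sbom-export;v1": {"pkg:pypi/flask@2.0.1"},
}

# Which Component versions each "logical" Application version consumes.
APPLICATIONS = {
    "ortelius;v1": ["ms-compitem-crud;v1", "ms-scorecard;v1", "ms-sbom-export;v1"],
    "ortelius;v0": ["ms-compitem-crud;v1"],
}

# Constructed vulnerability feed (placeholder advisory ids): purl -> advisories.
KNOWN_VULNS = {
    "pkg:pypi/werkzeug@2.0.3": ["EXAMPLE-VULN-0001"],
    "pkg:golang/golang.org/x/text@v0.3.7": ["EXAMPLE-VULN-0002"],
}


def aggregate_sbom(app, applications=APPLICATIONS, sboms=COMPONENT_SBOMS):
    """Union of the consumed Components' SBOMs; the set drops packages that
    several Components share, which is the 'duplicates removed' behaviour."""
    packages = set()
    for component in applications[app]:
        packages |= sboms[component]
    return packages


def vulnerability_report(app, vulns=KNOWN_VULNS, now=None):
    """Cross-reference the aggregated package list against the known
    vulnerabilities and stamp the result with the scan time."""
    found = {p: vulns[p] for p in sorted(aggregate_sbom(app)) if p in vulns}
    scanned_at = (now or datetime.now(timezone.utc)).isoformat()
    return {"application": app, "scanned_at": scanned_at, "vulnerabilities": found}


def blast_radius(package, applications=APPLICATIONS, sboms=COMPONENT_SBOMS):
    """Application versions impacted by a package: any version that consumes a
    Component whose SBOM lists that package."""
    return sorted(app for app, comps in applications.items()
                  if any(package in sboms[c] for c in comps))
```

Note that werkzeug appears in two Component SBOMs but only once in the aggregated Application SBOM, and that the Blast Radius of that package covers both Application versions because both consume ms-compitem-crud.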


5) Application Details

View the Application details including:

  • List of Components the Application consumes
  • List of OS packages from the SBOM report
  • List of current vulnerabilities

Application details


6) Application Security Posture

View the Application’s overall security posture. This report shows the security activities that are associated with the DevSecOps pipeline.

Compliance Run


Results:

Compliance Results


Learn More at Packaging Applications

Explore Open-Source Inventory

Ortelius allows you to search your entire inventory of Components for open-source packages. Responding rapidly to a vulnerability requires that you know precisely where your exposure to it is running, and which Components need to be remediated.

Take a Tour of Open-Source Inventory

1) Open Source Package Search

Search for a package using the “Package Search” menu option from the Application list view.

Package Search Menu


2) Enter the Package Name

Enter the package you wish to search for such as “Spring.”

Package Search Menu


Results:

Package Search Menu

Conclusion

There are many other features of Ortelius that we did not cover on this short test drive. However, you should now have a basic understanding of the major Objects and concepts needed to get started. You may also want to explore how to connect your CI/CD pipeline so that SBOMs are automatically added to your pipeline process with Ortelius. See SBOMs and Ortelius for how to include SBOMs in your CI/CD process.