Introduction to the Ortelius Continuous Security Intelligence

Why Use Ortelius

Ortelius is an open source, Continuous Security Intelligence solution for surveilling, gathering and analyzing the security posture of Components and their consuming “logical” Applications. Ortelius is particularly suited for complex, decoupled architectures where hundreds of artifacts and repos are used, and a central view of the entire supply chain from a usage, security, and inventory perspective is required. When you outgrow your Excel spreadsheet, it's time to consider Ortelius. The Ortelius watch center tracks Component ownership, SBOMs, vulnerabilities, dependency relationships, key values, deployment metadata, consuming Applications and versions. Ortelius collects clues and forensics from the DevOps pipeline, centralizing supply chain data across tools and teams.

Supply Chain Catalog

The “Logical” Application

In order to understand the security posture of an Application, teams need to know the Component dependencies and the Component packages. Ortelius aggregates DevSecOps data to the “logical” Application versions, simplifying the complexities of a cloud-native architecture. Ortelius provides a clear view of the software supply chain for every “logical” Application and its Components. By tracking Component level information, Ortelius can easily aggregate metadata up to the “logical” Application, producing Application level SBOMs, CVEs, audit reports, deployment inventory and status.

Decoupled Environments are Complex

Migrating to a decoupled, cloud-native architecture breaks the way we assemble and configure software. With a decoupled implementation, we no longer build a complete software solution, or Application Version. Instead we manage many moving parts that communicate at run-time based on APIs. The loss of the Application Version disrupts the core of software delivery. It impacts most of our standard software practices, including the generation of Application level security reports. After all, everything is based on an Application Version: tracking change requests, determining differences, tracking relationships and supporting users. Without a method of tracking the logical Application, IT teams struggle to confirm that the software they deliver to end users is safe.

Ortelius is not an “artifact registry” or “API Gateway.” Instead, Ortelius interacts with the DevOps pipeline to automatically gather supply chain metadata. Tracking Components in this way facilitates their sharing and reuse across teams. Ortelius serves as an internal marketplace for finding, tracking and versioning Components and relating them to the Applications that consume them. The evidence organization is based on a Domain structure to support a Domain Driven Design.

Versioning - Ortelius Secret Sauce

Ortelius versions both Components and “logical” Applications. When versioning Components, Ortelius provides the insights needed to determine if the service is safe for consumption, including:

  • Software Bill of Material
  • OpenSSF Scorecard
  • Common Vulnerabilities and Exposures (CVE)
  • Swagger Details
  • Readme and Licensing
  • Consuming Applications
  • Ownership
  • Git repo
  • Git Commit (Tag and branch)
  • CI/CD Build Number
  • Container SHA
  • Docker Registry
  • Key Values
  • Deployment Script (Helm Chart, Ansible Playbook, etc.)
  • Any Attributes (DB Name for example)

Application Versions are based on a collection of Component Versions. If a new version of a Component is built or registered, Ortelius auto increments the Component version and the consuming Application version. Dashboards are provided for each new Application version showing:

  • A full map of all the Components the Application version is consuming
  • An Application Level SBOM, based on all Component SBOMs
  • An Application Level CVE
  • The specific changes that created the new Application version (your new diff report)
  • The audit history
  • Log history
  • Where it is running
  • Trends (deployment time, success/failure rates)

This level of information can also be viewed from the Component level showing similar information to the Application, but instead showing the Applications that are dependent on the Component.

Other Core Features

Domain-Driven-Design: First and most important is the Ortelius Domain structure for organizing security forensics. This feature organizes your Component metadata in a way that encourages reuse and sharing across development teams.

Dependency maps: Show you the “logical” view of your Application and which Components it consumes. Once you begin sharing Components you need to track their usage. An Application is a logical collection of Components that make up an entire software solution.

Application Level SBOMs and CVE: Ortelius aggregates all Component level data up to the logical Application Version making it easy to provide security reporting on a complete software system, even when it is decoupled.

Blast Radius: Know your service impact before you ever deploy. Ortelius can provide predictive insights showing what Applications will be impacted by an updated service. Ortelius provides this data in clear maps of dependent Applications and services.
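The versioning model above (Component versions rolling up into an auto-incremented “logical” Application version with an Application level SBOM and CVE report) and the Blast Radius map are easiest to see as a small data model. The following is an added illustration, not Ortelius's own code or API; the class, method names and sample Components, packages and CVE ids are all assumptions constructed for the example.

```python
from collections import namedtuple

# Constructed model (not Ortelius's own code): Component versions carry SBOM packages
# and CVE ids; an Application version is a collection of Component versions.
ComponentVersion = namedtuple("ComponentVersion", "name version packages cves")
ApplicationVersion = namedtuple("ApplicationVersion", "name version components")

class Catalog:
    def __init__(self):
        self.components = {}    # Component name -> latest ComponentVersion
        self.applications = {}  # Application name -> latest ApplicationVersion
        self.consumers = {}     # Component name -> consuming Application names

    def register_component(self, name, packages, cves=()):
        prev = self.components.get(name)
        cv = ComponentVersion(name, prev.version + 1 if prev else 1,
                              frozenset(packages), frozenset(cves))
        self.components[name] = cv
        # A new Component version auto-increments every consuming Application.
        for app in self.consumers.get(name, ()):
            old = self.applications[app]
            self.applications[app] = old._replace(
                version=old.version + 1, components={**old.components, name: cv})
        return cv

    def define_application(self, name, names):
        for c in names:
            self.consumers.setdefault(c, set()).add(name)
        self.applications[name] = ApplicationVersion(
            name, 1, {c: self.components[c] for c in names})

    def application_report(self, app):  # aggregates up: (Application SBOM, CVE -> Components)
        comps = self.applications[app].components.values()
        sbom = sorted(set().union(*(c.packages for c in comps)))
        cves = {cve: sorted(k.name for k in comps if cve in k.cves)
                for c in comps for cve in c.cves}
        return sbom, cves

    def blast_radius(self, component):  # Applications a new version of it will touch
        return sorted(self.consumers.get(component, ()))

def demo():  # constructed sample data: two Applications share one "logging" Component
    cat = Catalog()
    cat.register_component("logging", ["liblog@1.0"], ["CVE-EXAMPLE-0001"])
    cat.register_component("checkout", ["webfw@3.2"], ["CVE-EXAMPLE-0002"])
    cat.register_component("search", ["webfw@3.2", "idx@0.9"], ["CVE-EXAMPLE-0002"])
    cat.define_application("store", ["checkout", "logging"])
    cat.define_application("catalog", ["search", "logging"])
    cat.register_component("logging", ["liblog@1.1"])  # fixed build, CVE gone
    return cat
```

Re-registering "logging" bumps both consuming Applications to version 2 and drops CVE-EXAMPLE-0001 from their reports, while `blast_radius("logging")` names those two Applications before the new version is ever deployed.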

Improved incident response: Ortelius makes it easy to find the owner of a microservice or common Component, and contact them through PagerDuty, HipChat, Discord, Slack, email or phone.

Integrates into your CD pipeline: Ortelius is automated via your CD Pipeline to continuously version your decoupled architecture with changes, including where they are deployed.