Our approach/architecture
The Cryptosoft platform is a set of cloud based SaaS capabilities/features to publish, verify, analyze and automate software supply chains in real time. The platform is intended to be used by ISV’s, embedded software, open source projects, and large in-house developers of mission-critical software (e.g. banks) and can be categorized into the following three perspectives:
Producers of software
the person/organization that creates a software component or software for use by others [develops/tests/assembles/packages/releases]
Choosers of software
the person/organization that decides the software/products/suppliers for use [purchases/acquire/sources/selects/approves]
Operaters of software
the person/organization that operates the software component [uses/runs/monitors/maintains/defends/responds]
The Cryptosoft platform consists of three main capabilities/features:
-
Secure Publish
The Secure Publish application allows software producers to:
- Generate Software Bill of Materials (SBOMs) or Digital Bill of Materials (DBOMs) (CycloneDx spec and format)
- Publish them to a secure, permissioned blockchain (Hedera)
Blockchain technology will automatically add timestamps and person/author stamps to published BOM’s to protect rights for software vendors/manufacturers and provide security to the consumers of the software. Will enable both to trace the ownership of the software packages back through the record of ownership with the help of smart contracts.
SBOM’s will become immutable, meaning that records can’t be manipulated or deleted.
- Publish them to an alternate cloud based database or SBOM/DBOM store (non blockchain option)
- Automate this process in real-time for every version of software that the company delivers to its customers by instrumenting the DevOps Value Stream Delivery toolchains and DevSecOps Tools
-
Clearing House
The Clearing House application allows software consumers to:
- Analyze a software package for supply chain information (nutrition label)
- Decide if a software package meets the minimum policy requriements for compliance based on provenance, licensing, vulnerability and security criteria set by the company
- Decide if a third party software component can be approved for use in the company’s applications based on policy and compliance rules
- Identify current vulnerabilities and potential remediation for software in use by the company (including dependencies)
Requirement: Would be hosted by Cryptosoft with optionally available to be deployed on customers cloud later
-
Vulnerability & Nutrition Tracker
The Vulnerability & Nutrition Tracker application allows software consumers to:
- Monitor vulnerabilities that arise in the software packages or their dependencies in use by the company in real-time
- Identify the software packages in use by the company which are impacted by the vulnerability
- Identify and assess risk/impact of vulnerability to the company
- Identify potential remediation measures
- Track remediation until vulnerability is resolved