Cryptosoft – Securing The Enterprise Supply Chain

Understanding the risks that exist within a software package is a complex activity that requires the deployment of various security detection technologies (vulnerability scanners, antivirus scanning, pattern analysis, etc.). This complexity is amplified because typical software packages are composed of many components: some home-grown, some from open source and others purchased from third parties. To be effective, traditional security analysis of individual components therefore needs to be augmented with an evaluation of the threats and vulnerabilities of the aggregated software package. Analysis at this level has been demonstrated to reveal significant issues that stay hidden when the evaluation is performed purely at the component level.

Can you demonstrate that the combined elements in software packages you create or use have a risk posture that is within acceptable limits?

To help focus visibility at this level, the concept of a software bill of materials (SBOM) was conceived. An SBOM for a software component contains the inventory of software elements that it is composed from. Analysis of risk at this level has been embraced by industry analysts such as Gartner (which expects SBOMs to be mandated by vendors by 2025) and by the US Government, whose Executive Order 14028 mandates SBOMs to expose a more realistic view of a software supply chain’s security posture.

Cryptosoft takes an existing SBOM, or creates one for you, and uses OWASP® Dependency-Track to create a view on the security and compliance posture of the collection of artifacts used to create your solution. We also display a view of the interdependencies between the various artifacts.
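The aggregate-level view described above can be illustrated with an added example (written here, not Cryptosoft or Dependency-Track code): it walks the dependency graph of a small constructed CycloneDX 1.4 JSON SBOM and matches every reachable component against a constructed placeholder advisory list, reporting the depth at which each affected component sits so that a finding that only enters through a transitive dependency is visible. The SBOM contents, package URLs and advisory identifier are all assumptions made for the example.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (not from Cryptosoft or Dependency-Track):
# order-service depends directly on libA, which in turn pulls in libB.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "order-service",
    "version": "2.1.0", "bom-ref": "pkg:maven/example/order-service@2.1.0"}},
  "components": [
    {"type": "library", "name": "libA", "version": "1.0.0",
     "purl": "pkg:maven/example/libA@1.0.0", "bom-ref": "pkg:maven/example/libA@1.0.0"},
    {"type": "library", "name": "libB", "version": "3.2.0",
     "purl": "pkg:maven/example/libB@3.2.0", "bom-ref": "pkg:maven/example/libB@3.2.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/order-service@2.1.0", "dependsOn": ["pkg:maven/example/libA@1.0.0"]},
    {"ref": "pkg:maven/example/libA@1.0.0", "dependsOn": ["pkg:maven/example/libB@3.2.0"]},
    {"ref": "pkg:maven/example/libB@3.2.0", "dependsOn": []}
  ]
}"""

# Constructed placeholder advisory list (purl -> advisory id). Dependency-Track
# matches against real vulnerability feeds instead of a hard-coded dict like this.
KNOWN_AFFECTED = {"pkg:maven/example/libB@3.2.0": "ADVISORY-PLACEHOLDER-001"}

def transitive_closure(sbom, root_ref):
    """Return {bom-ref: depth} for every node reachable from root_ref in the SBOM graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = {}, [(root_ref, 0)]
    while stack:
        ref, depth = stack.pop()
        if ref in seen:
            continue
        seen[ref] = depth
        stack.extend((child, depth + 1) for child in graph.get(ref, []))
    return seen

def assess(sbom_text, affected=KNOWN_AFFECTED):
    """Flag every reachable component whose purl is in the affected list.
    depth > 1 marks a transitive finding that a direct-dependency-only check would miss."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    purl_by_ref = {c["bom-ref"]: c.get("purl", c["bom-ref"]) for c in sbom.get("components", [])}
    findings = []
    for ref, depth in transitive_closure(sbom, root).items():
        purl = purl_by_ref.get(ref)
        if purl in affected:
            findings.append({"purl": purl, "depth": depth,
                             "advisory": affected[purl], "transitive": depth > 1})
    return sorted(findings, key=lambda f: f["depth"])
```

Running `assess(SBOM_JSON)` reports libB at depth 2 as a transitive finding, even though order-service never lists it as a direct dependency.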

OWASP® Dependency-Track – An industry-leading open solution to SBOM analysis

OWASP® Dependency-Track (DT) is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain. DT takes a unique and highly beneficial approach by leveraging the capabilities of SBOMs. This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve. It plays a key role in identifying and analyzing vulnerabilities, license details and software pedigree information.

The DT project was started in 2013. There are now 10,000 active users and the offering analyzes 300M SBOMs a month.

Why Cryptosoft?

At Cryptosoft we bring to our clients a strong working knowledge of Dependency-Track and a rich set of skills and experience in DevSecOps, enterprise-grade software management and operating software-as-a-service (SaaS) solutions. We have a close relationship with the OWASP community and are committed to contributing our enhancements back to the open source base.

With our managed service, on-boarding is simple and you delegate the availability and software upgrade responsibilities to us, while focusing on managing your software supply chain risk according to your enterprise policies.

From our enterprise experience we know that some users will prefer to run Dependency-Track as a private instance from behind their firewall and not as a shared service. With our managed container application we provide you with a container and pre-configured information to allow you to easily run DT in your preferred environment (for example Red Hat OpenShift, Google Anthos, …). As part of the offering we provide our experts to ensure the package is successfully up and running in your environment.

Both our offerings include an SBOM creation capability (the ability to create CycloneDX SBOMs from a wide range of source languages for ingestion into DT), pre-configured best practices and easy integrations with your toolchain via APIs and GitHub Actions.

Regardless of which solution you select, teaming with Cryptosoft will help you accelerate and optimize the value your organization derives from Dependency-Track and allows you to focus your time and resources on other business-related issues.