A software supply chain encompasses anything and everything that touches an application as it is being developed: the component code, how the components are connected, security, development processes, deployment processes, the tools used, and so on. It is the end-to-end story of the assets, processes and tools used in the creation of a software product.
A “software bill-of-materials” (SBOM) defines the complete inventory of software components and their dependencies in an application. It is defined in JSON text and follows a standard format. SBOMs have emerged as a key building block in software security and software supply chain risk management as they provide visibility into all the components in the chain and their dependencies.
OWASP Dependency-Track (D-T) (https://owasp.org/www-project-dependency-track/) is an open source project that has been evolving since 2013. It is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain by analyzing risks in SBOMs. D-T analyzes components used in the SBOM for security vulnerabilities, license compliance and software pedigree.
The Cryptosoft service will provide you with immediate security protection and value, along with support. We take care of ensuring the service is available and up to date, allowing you to focus your skilled resources on security strategy rather than infrastructure management. Cryptosoft additionally provides you with a utility to create your SBOMs and the flexibility to run our offering privately (behind your firewall).
Functionally, the offering is exactly the same. We additionally provide SBOM creation services and support, and we give you immediate access to an operational service, relieving you of the need to plan, install and maintain the offering.
Dependency-Track requires a CycloneDX formatted SBOM as input to its capabilities. You can create the SBOM yourself using a tool of your choice, or use the capability Cryptosoft provides to create one for you (https://www.dependencytrack.com/sbom-creation/).
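A pre-upload sanity check for the CycloneDX JSON input described above, as an added example (not Cryptosoft's or Dependency-Track's own code); the function name, the choice of checks and the sample SBOM are assumptions made for illustration. It confirms the CycloneDX header fields and flags components missing a name, version or purl, as well as dependency edges that point at undeclared components.

```python
import json

# Constructed sample SBOM (not from the page): one well-formed component,
# one missing version and purl, and a dependency edge to an unknown ref.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21",
         "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "bom-ref": "internal-lib", "name": "internal-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
        {"ref": "internal-lib", "dependsOn": ["pkg:npm/missing@1.0.0"]},
    ],
})

def check_cyclonedx(text):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict):
        return ["top level is not a JSON object"]
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        findings.append("specVersion is missing")
    refs = set()  # every bom-ref a dependency edge may legitimately name
    for i, comp in enumerate(bom.get("components") or []):
        name = comp.get("name") or f"components[{i}]"
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"{name}: missing {field}")
    meta_ref = ((bom.get("metadata") or {}).get("component") or {}).get("bom-ref")
    if meta_ref:
        refs.add(meta_ref)
    for dep in bom.get("dependencies") or []:
        for ref in [dep.get("ref")] + list(dep.get("dependsOn") or []):
            if ref not in refs:
                findings.append(f"dependency ref not in components: {ref}")
    return findings
```

Calling `check_cyclonedx(SAMPLE_SBOM)` returns three findings, all caused by the deliberately incomplete `internal-lib` entry.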
APIs are provided to allow you to create an SBOM using Cryptosoft’s provided utility and to drive the Dependency-Track analysis of your SBOM. This allows you to easily add this capability to your current toolchain. Documentation for using the APIs can be found here: https://www.dependencytrack.com/sbom-creation/
The managed application version of our service is a containerized version of Dependency-Track, along with assets we have created to facilitate running it on your chosen Kubernetes environment behind your firewall. As part of the offering, Cryptosoft provides expert assistance to ensure the offering gets up and running. We provide updates to the container as required, delivered to you using a choice of secure mechanisms. For more details on our managed application, please contact us at info@cryptosoft.com.
We use a Postgres database to persistently store the SBOMs that you upload and the subsequent analyzed information. As a Cryptosoft client, this database and your Dependency-Track instance are unique and exclusive to you and can only be accessed by you.
The Cryptosoft team is composed of security professionals who have depth and experience in defining and implementing security processes for commercial software products and for large, diverse software development teams. We implement security best practices (access controls, audit log, secure connections, encryption, etc.), reliability, performance, and efficiency as dictated by the AWS/Google Cloud Well-Architected Framework. This includes daily vulnerability scanning with a management system around remediations as necessary.
We have a roadmap in place to attain ISO 27001 certification. We believe we have the controls and processes in place for information confidentiality, information integrity and information availability to satisfy the requirements.
Yes, we implement a single-tenant architecture. You are provisioned with a dedicated Dependency-Track instance and Postgres database that is private to you alone and not accessible by others.
We will upgrade the service at least once a quarter.
There is a support portal provided for clients, and we welcome any feedback at info@cryptosoft.com.