A software supply chain encompasses anything and everything that touches an application as it is being developed: the component code, how the components are connected, security, development processes, deployment processes, the tools used, and so on. It is the end-to-end story of the assets, processes and tools used in the creation of a software product.
A “software bill of materials” (SBOM) is the complete inventory of the software components in an application and their dependencies. It is defined in JSON text and follows a standard format. SBOMs have emerged as a key building block in software security and software supply chain risk management because they provide visibility into every component in the chain and its dependencies.
OWASP Dependency-Track (DT) is an open source project that has been evolving since 2013. It is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain by analyzing SBOMs. DT analyzes the components listed in an SBOM for security vulnerabilities, license compliance and software pedigree.
The Cryptosoft service will provide you with immediate security protection and value, along with 24x7 availability and support. We take care of ensuring the service is available and up to date, allowing you to focus your skilled resources on security strategy rather than infrastructure management. Cryptosoft additionally provides you with a utility to create your SBOMs and the flexibility to run our offering privately (behind your firewall) or as a public SaaS.
The Cryptosoft OWASP Dependency-Track beta is a functional version of our offering that we plan to commercialize in the summer of 2023. The beta is free to use and there is no obligation to purchase the offering if you decide to participate in the program.
There are currently no functional restrictions on the beta. You can define and analyze as many projects/SBOMs as you like free of charge.
Dependency-Track requires a CycloneDX formatted SBOM as input to its capabilities. You can create the SBOM yourself using a tool of your choice, or use Cryptosoft's provided capability to create one for you (https://www.cryptosoft.com/samples).
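To make the CycloneDX input concrete, here is an added example (not Cryptosoft's utility or Dependency-Track's own code) that parses a small, constructed CycloneDX 1.4 JSON SBOM, lists its component inventory, and walks the dependency graph the way an analysis platform must before it can match components against vulnerability data. The sample component names, versions and package URLs are invented for illustration.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM (sample data, not a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app",
                               "version": "1.0.0", "bom-ref": "pkg:generic/demo-app@1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7", "bom-ref": "pkg:pypi/urllib3@2.0.7"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/demo-app@1.0.0", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom:
        raise ValueError("missing specVersion")
    return bom


def inventory(bom):
    """Return {bom-ref: purl} for every component.

    A component without a purl is hard to match against vulnerability
    databases, so a None value here is worth flagging before upload."""
    return {c["bom-ref"]: c.get("purl") for c in bom.get("components", [])}


def transitive_deps(bom, ref):
    """Walk the 'dependencies' graph from ref and return all transitive bom-refs."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [ref]
    while stack:
        for child in graph.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen
```

Running `transitive_deps(load_sbom(SAMPLE_SBOM), "pkg:generic/demo-app@1.0.0")` shows that urllib3 is pulled in only indirectly via requests, which is exactly the kind of second-level exposure an SBOM makes visible.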
APIs are provided to allow you to create an SBOM using Cryptosoft’s provided utility and to drive the Dependency-Track analysis of your SBOM. This allows you to easily add this capability to your current toolchain. Documentation for using the APIs can be found here: https://www.cryptosoft.com/samples.
Pricing will be finalized for the service in the summer of 2023, prior to launching the commercialized offering. If you have any immediate questions on pricing, please contact us at info@cryptosoft.com.
The managed application version of our service is a containerized version of Dependency-Track along with assets we have created to facilitate running it on your chosen Kubernetes environment behind your firewall. As part of the offering, Cryptosoft provides expert assistance to ensure the offering gets up and running. We provide updates to the container as required; the updates are delivered to you using a choice of secure mechanisms. For more details on our managed application, please contact us at info@cryptosoft.com.
We currently plan for the service to be commercially available during the summer of 2023. If you require a commercial service immediately, please contact us at info@cryptosoft.com.
We use a Postgres database to persistently store the SBOMs that you upload and the subsequent analyzed information. As a Cryptosoft client, this database and your Dependency-Track instance are unique and exclusive to you and can only be accessed by you.
Cryptosoft provides secure access to your Dependency-Track instance using the Auth0 protocol. For the beta, we support Google SSO. If you require support for other identity providers, please let us know at info@cryptosoft.com. Your Dependency-Track instance and any associated data are unique to your company alone and cannot be accessed by others.
Yes. You are provisioned with a dedicated Dependency-Track instance that is private to you alone and delivered with secure access via the Auth0 protocol.
We will upgrade the service at least once a quarter.