A software supply chain encompasses anything and everything that touches an application as it is being developed: the component code, how the components are connected, security, development processes, deployment processes, the tools used, and so on. It is the end-to-end story of the assets, processes and tools used in the creation of a software product.
A “software bill-of-materials” (SBOM) defines the complete inventory of software components and their dependencies in an application. It is defined in JSON text and follows a standard format. SBOMs have emerged as a key building block in software security and software supply chain risk management as they provide visibility into all the components in the chain and their dependencies.
OWASP Dependency-Track (D-T) (https://owasp.org/www-project-dependency-track/) is an open source project that has been evolving since 2013. It is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain by analyzing risks in SBOMs. D-T analyzes components used in the SBOM for security vulnerabilities, license compliance and software pedigree.
The Cryptosoft service will provide you with immediate security protection and value, along with support. We take care of ensuring the service is available and up to date allowing you to focus your skilled resources on security strategy versus infrastructure management. Cryptosoft additionally provides you with a utility to create your SBOMs and the flexibility to run our offering privately (behind your firewall).
Functionally the offering is exactly the same. We additionally provide SBOM creation services, support and we provide immediate access to an operational service relieving you of the need to plan, install and maintain the offering.
Dependency-Track requires a CycloneDX-formatted SBOM as input to its capabilities. You can create the SBOM yourself using a tool of your choice, or use Cryptosoft’s provided capability to create one for you (https://www.cryptosoft.com/wp-content/uploads/2023/06/Github-Action-Manual-1.pdf).
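As an added illustration of the CycloneDX JSON shape that Dependency-Track ingests (example code written for this page, not Cryptosoft's or Dependency-Track's own), the following constructs a minimal SBOM inline, checks the fields an analyzer relies on, lists the package URLs it would match against vulnerability sources, and walks the dependency graph. The component names, versions and `bom-ref` values are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed minimal CycloneDX 1.4 JSON SBOM (sample data, not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "c1"},
        {"type": "library", "name": "urllib3", "version": "2.0.3",
         "purl": "pkg:pypi/urllib3@2.0.3", "bom-ref": "c2"},
        {"type": "library", "name": "certifi", "version": "2023.5.7",
         "purl": "pkg:pypi/certifi@2023.5.7", "bom-ref": "c3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1"]},
        {"ref": "c1", "dependsOn": ["c2", "c3"]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON SBOM and reject documents an analyzer could not trust."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON SBOM")
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        refs.add(root)
    # A dependency edge pointing at an unknown bom-ref means the inventory is incomplete.
    for dep in bom.get("dependencies", []):
        for target in [dep["ref"], *dep.get("dependsOn", [])]:
            if target not in refs:
                raise ValueError(f"dependency references unknown bom-ref {target!r}")
    return bom


def component_purls(bom):
    """Package URLs of all components: the identifiers matched against vulnerability data."""
    return sorted(c["purl"] for c in bom.get("components", []) if "purl" in c)


def transitive_deps(bom, ref):
    """All bom-refs reachable from `ref` through the SBOM's dependency graph."""
    graph = defaultdict(list)
    for dep in bom.get("dependencies", []):
        graph[dep["ref"]].extend(dep.get("dependsOn", []))
    seen, stack = set(), [ref]
    while stack:
        for child in graph[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)
```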
APIs are provided to allow you to create an SBOM using Cryptosoft’s provided utility and to drive the Dependency-Track analysis of your SBOM. This allows you to easily add this capability to your current toolchain. Documentation for using the APIs can be found here: https://www.cryptosoft.com/wp-content/uploads/2023/06/Github-Action-Manual-1.pdf.
Our Documentation tab (https://docs.dependencytrack.org/) provides links to Dependency-Track’s documentation.
Pricing of our offering can be found here. The first month’s usage is free.
The managed application version of our service is a containerized version of Dependency-Track along with assets we have created to facilitate running it on your chosen Kubernetes environment behind your firewall. As part of the offering Cryptosoft provides expert assistance to ensure the offering gets up and running. We provide updates to the container as required; the updates are delivered to you using a choice of secure mechanisms. For more details on our managed application please contact us at firstname.lastname@example.org.
We use a Postgres database to persistently store the SBOMs that you upload and the subsequently analyzed information. As a Cryptosoft client, this database and your Dependency-Track instance are unique and exclusive to you and can only be accessed by you.
Cryptosoft provides secure access to your Dependency-Track instance using the Auth0 protocol. Your Dependency-Track instance and any associated data are unique to your company alone and cannot be accessed by others.
Yes. You are provisioned with a dedicated Dependency-Track instance that is private to you alone and delivered with secure access via the Auth0 protocol.
We will upgrade the service at least once a quarter.
There is a support portal provided for clients, and we welcome any feedback at email@example.com.