This page walks through the Applications view: the risk each application carries along the pipeline, its business priority, and how the two are used to keep the pipeline secure and its integrity intact.
The Applications page gives you a high-level view of your applications' security. It lists every application along with its risk score, business priority and any security issues found along the software supply chain, and from here you can drill down into each application's details.
You can sort applications by risk score or business priority, and look up any application through the search field.
The risk drift shows how each application's risk has been trending: an upward drift indicates increasing risk, a downward drift decreasing risk.
The risk score of an application is calculated by combining the severity of the issues found in it with the application's business priority. If no issue is identified for the application, its risk score is 0.
The table shows the issues identified during the scan per category. For example, the Acme/Inconsistent Deployment Hash application has issues in the supply chain category, while no issues were identified in any other category, so those categories are marked with a green tick.
OX runs multiple security tools and checks at different stages of the software supply chain to discover security violations at any stage. If a violation is identified, it is displayed as a bar in the table; if no violation is found, the stage is marked green.
The business priority of an application indicates how critical it is to your business. It is a business score, independent of the application's security state, and it lets OX rank issues in business-critical applications above those in non-critical ones.
The business priority calculation is based on these 3 factors:
- Dev effort - the number of developers involved, code commits, frequency of changes, and so on. The more effort, the higher the priority.
- Cloud usage - applications deployed to the cloud get a higher score. The higher the usage, the higher the priority.
- Internal characteristics of the application - for example the use of PII or financial data, which pushes up the importance.
Together these 3 factors decide the business priority of the application.
You can view the application details by clicking on the application.
Application detail view
The application details view gives you complete information about the app's flows along with general info, languages, and personas.
The general info section gives a general overview of the application: the developer count, the total number of files in the app, the size of the repo, when the app was created, when the last code change was made, and the access level of the app, which can be public or private.
The languages section lists the programming languages used in the app.
The personas section shows the creator of the app and the security owners, business owners, dev owners and watchers assigned to it. Owners can be assigned to multiple apps in bulk with the Assign To action at the top of the app page, or to one app with the Add owner button on that app's details.
After selecting one or more of your apps and clicking Set priority, you will see the option to change the business priority or to mark the app irrelevant.
If you click the change business priority option, a pop-up window lets you adjust the business priority of your app.
Once the priority is set, it is reflected under the business priority section of the app.
You can also mark any of your apps irrelevant by selecting the irrelevant option from the priority drop-down. Once an app is marked irrelevant, it moves to the irrelevant section of OX and you are no longer notified about its security issues. You can always go to the irrelevant apps page and make the app relevant again.
An SBOM (Software Bill Of Materials) is a list of all external libraries used by the app. You can download the SBOM for the selected app, generated either from its code or from its image. The generated SBOM is saved as a JSON file in the CycloneDX format.
You can also generate a single SBOM for the entire org.
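Because an SBOM can be generated from either the code or the image, a practical follow-up is to compare the two and see which libraries appear on only one side or at different versions. The Python below is an added example, not OX's own code or output: it parses two constructed CycloneDX 1.5 JSON documents (including a nested component, which the format allows), keys each library on its package URL with the version stripped, and reports the differences.

```python
"""Parse two CycloneDX JSON SBOMs and compare their component sets."""
import json
from dataclasses import dataclass

# Constructed sample SBOMs in the CycloneDX 1.5 JSON shape (not real scan output).
CODE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2",
     "components": [
       {"type": "library", "name": "qs", "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0"}
     ]},
    {"type": "library", "name": "jest", "version": "29.7.0", "purl": "pkg:npm/jest@29.7.0"}
  ]
}"""

IMAGE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "qs", "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0"},
    {"type": "library", "name": "openssl", "version": "3.0.2", "purl": "pkg:deb/debian/openssl@3.0.2"}
  ]
}"""


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # full package URL, e.g. pkg:npm/lodash@4.17.21


def _walk(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from _walk(comp.get("components"))


def _identity(comp: dict) -> str:
    """Versionless identity of a component: the purl up to its '@'.

    Scoped npm names encode '@' as %40 inside a purl, so splitting on the
    first literal '@' always separates the package from its version.
    """
    purl = comp.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return comp["name"]


def load_components(sbom_json: str) -> dict:
    """Return {identity: Component} for every component in a CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={doc.get('bomFormat')!r}")
    result = {}
    for comp in _walk(doc.get("components")):
        name = comp["name"]
        version = comp.get("version", "")
        purl = comp.get("purl") or f"{name}@{version}"
        result[_identity(comp)] = Component(name, version, purl)
    return result


def diff_sboms(code_sbom: str, image_sbom: str) -> dict:
    """Compare a code-derived and an image-derived SBOM by package identity."""
    code = load_components(code_sbom)
    image = load_components(image_sbom)
    shared = set(code) & set(image)
    return {
        "only_in_code": sorted(set(code) - set(image)),
        "only_in_image": sorted(set(image) - set(code)),
        "version_mismatch": sorted(k for k in shared if code[k].version != image[k].version),
    }


if __name__ == "__main__":
    for kind, keys in diff_sboms(CODE_SBOM, IMAGE_SBOM).items():
        print(f"{kind}: {keys}")
```

On the constructed input, jest appears only in the code SBOM (a dev dependency that never reached the image), openssl only in the image (an OS package the code scan cannot see), and lodash is pinned to different versions on the two sides, which is exactly the kind of gap worth checking before trusting either SBOM alone.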
You can download the PBOM (Pipeline Bill of Materials) of any app, in HTML, JSON or PDF form.
The PBOM lists complete information about the app, including its app flows, repo list, artifact list, issues list and issue details.
You can assign different users to the application as owners or watchers. When you click Assign To, a pop-up lists the available roles: Dev owner, Business owner, Security owner and Watcher. You can assign any role to an existing user by picking their username from the list of available users.
You can also define new owners by clicking Add new owner name. Once you click Add, you will need to provide the new owner's username and email; the new user is then added to the system with the assigned role.
Assign new user