Actionable Software Supply Chain Intelligence

You have the evidence. We make it actionable. DeployHub’s software supply chain management catalog gives you a sweeping view of your organization’s security and DevOps data, exposing every piece of software used across the supply chain. With the DeployHub catalog, your teams can respond to vulnerabilities and cyber attacks quickly. From securing space vehicles to ATMs, DeployHub serves teams that must stop cyber attacks in hours, not months. You should never have to ask, “Where is log4j running?” With DeployHub, you already know.

What is Software Supply Chain Management?

Software supply chain management is the process of collecting and aggregating software composition details across your entire organization. Consolidating this data allows teams to identify every piece of software delivered to end-users. According to McKinsey, 65-80% of companies seek better visibility into their security and DevOps logs. We understand the data is painfully fragmented and hard to find. DeployHub’s Software Supply Chain Management solves this problem.

DeployHub Addresses Cybersecurity Risk and Complexities

DeployHub Leverages the Data You Already Have

Software Supply Chain Management - Data and Usage

What are the Unique Attributes of Security and DevOps Data?

Every component in your software supply chain is different, each with its unique attributes. The attributes include ownership, SBOMs, CVEs, consuming applications, transitive dependencies, versions, and inventory across all deployed environments. The attributes of a component change over time, impacting consuming applications and other dependent services.

Software Supply Chain Management catalogs collect, track, and aggregate this level of data, showing trends, usage, and inventory to provide the intelligence needed to respond to cyber attacks quickly.  They also provide a ‘predictive’ platform for taming the use of components and open-source packages even before they are deployed.

What are the Features of a Supply Chain Management Catalog?

Here is a list of standard features you will find in a Supply Chain Management Catalog:

Who Uses a Software Supply Chain Management Catalog?

The users of a software supply chain management catalog include developers who produce and consume shared components and open-source software, Chief Information Security Officers, DevOps teams, and Site Reliability Engineers. The core purpose of a software supply chain management catalog is to provide everyone, from the API developers to the production support teams, with the essential information needed to respond quickly to cyber attacks and production vulnerabilities.

How do Software Supply Chain Management Catalogs Work for Developers?

Federating software supply chain data helps IT teams understand every piece of software they use, even transitive open-source packages. This information is critical to understanding the security and risk of consuming objects without hours of toil. 

How Do Software Supply Chain Management Catalogs Work for Operations?

Federated software supply chain data gives operations a clear map of where open-source is consumed across production environments, with vulnerabilities aggregated up to the consuming application and environment rather than reported one component at a time. The primary goal is to help support teams and SREs identify the risk and the blast radius of a vulnerability as quickly as possible.

How do Software Supply Chain Management Catalogs work for DevOps?

Federated software supply chain data allows DevOps teams to track the changes and trends in the software supply chain. DevOps teams who manage pipelines use the catalog to determine where a component version is installed. This is critical information when a high-risk vulnerability appears. Software Supply Chain Management catalogs can also track who consumes the service as a dependency and manage the blast radius of a high-risk component.

How do CISO Teams Use a Catalog?

Security Officers must have a comprehensive view of their organization’s security profile based on every piece of software consumed across all teams. Our Software Supply Chain Management Catalog aggregates SBOM data and CVEs and provides compliance scorecards across teams, giving the CISO a single pane of glass for viewing security concerns.

DeployHub Integrations

In order to continuously gather pipeline intelligence, DeployHub must become part of your pipeline. DeployHub integrates into your CI/CD process using the Ortelius open-source command line interface (CLI). The Ortelius CLI gathers supply chain data from a single pipeline workflow at the build and deploy steps. The build step gathers Swagger, SBOM, README, licenses, Git data, Docker image, and other build output. The deploy step records when a release occurred, what was sent, and where the objects were sent.

The Ortelius Open Source Community maintains the Ortelius CLI under the governance of the Linux Foundation’s Continuous Delivery Foundation.

If you are not already generating an SBOM as part of your DevOps Pipeline, DeployHub’s supply chain defense catalog integrates with Syft to get the job done.

DeployHub’s software supply chain defense catalog can consume CycloneDX formatted SBOMs. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

DeployHub’s software supply chain management catalog can consume any SPDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

DeployHub uses OSV.dev to continuously monitor the vulnerabilities of the Components and Applications in your software supply chain. DeployHub scans for new vulnerabilities every 30 minutes.
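The paragraphs above describe the data a catalog holds (SBOMs per component version, the environments each version was deployed to, and vulnerability matches) and the two questions it has to answer fast: “where is log4j running?” and “what is the blast radius of this advisory?”. The script below is an added example written for this page, not DeployHub or Ortelius code, showing how those pieces fit together. It parses one CycloneDX JSON SBOM and one SPDX JSON SBOM down to package URLs, records a build and deploy step for each component, and matches an advisory against the deployed inventory. The SBOMs, the deployment records, the component names (`payments`, `reports`), the environments and the advisory are all constructed inline so it runs offline; the advisory only borrows the shape of an OSV record with an explicit `versions` list, and its id is a placeholder, not a real vulnerability.

```python
"""Added example, not DeployHub or Ortelius code: aggregate CycloneDX and SPDX
SBOMs into one inventory, join it with deployment records, and answer
"where is log4j running?" plus the blast radius of an OSV-shaped advisory.
All SBOMs, deployments and the advisory below are constructed inline."""
import json
from collections import defaultdict

def parse_purl(purl):
    """(type, namespace/name, version) from a package URL; qualifiers dropped."""
    body = purl.removeprefix("pkg:").split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    return ptype, name, version

def load_sbom(text):
    """Return the set of (type, name, version) purl triples in a CycloneDX or
    SPDX JSON SBOM; the format is detected from the top-level keys."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        purls = [c["purl"] for c in doc.get("components", []) if "purl" in c]
    elif "spdxVersion" in doc:
        # SPDX carries the purl as an externalRef; packages without one (for
        # example the document's own root package) are skipped.
        purls = [r["referenceLocator"] for p in doc.get("packages", [])
                 for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]
    else:
        raise ValueError("unrecognised SBOM format")
    return {parse_purl(p) for p in purls}

class Catalog:
    """Minimal supply chain catalog: the build step stores the SBOM per component
    version, the deploy step records the environments that version was sent to."""
    def __init__(self):
        self.sboms = {}                    # (component, version) -> set of purl triples
        self.deployed = defaultdict(set)   # (component, version) -> set of environments

    def record_build(self, component, version, sbom_text):
        self.sboms[(component, version)] = load_sbom(sbom_text)

    def record_deploy(self, component, version, environment):
        if (component, version) not in self.sboms:
            raise KeyError(f"no SBOM recorded for {component} {version}")
        self.deployed[(component, version)].add(environment)

    def _hits(self, match):
        return sorted((env, comp, ver, f"{name}@{pv}")
                      for (comp, ver), pkgs in self.sboms.items()
                      for (ptype, name, pv) in pkgs if match((ptype, name, pv))
                      for env in self.deployed.get((comp, ver), ()))

    def where_is(self, package):
        """Every (environment, component, version, package@version) running a
        package whose name ends with `package`, e.g. 'log4j-core'."""
        return self._hits(lambda t: t[1].endswith(package))

    def blast_radius(self, advisory):
        """Deployments affected by an OSV-shaped advisory that lists explicit
        affected versions. OSV spells Maven packages group:artifact while purls
        use group/artifact, so the advisory side is normalised before matching."""
        affected = {(a["package"]["ecosystem"].lower(),
                     a["package"]["name"].replace(":", "/"), v)
                    for a in advisory["affected"] for v in a.get("versions", [])}
        return self._hits(lambda t: t in affected)

# Constructed CycloneDX 1.4 SBOM for component "payments" 3.2.0.
PAYMENTS_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "jackson-databind", "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]})

# Constructed SPDX 2.3 SBOM for component "reports" 1.8.0.
REPORTS_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "reports", "versionInfo": "1.8.0"},
    {"name": "log4j-core", "versionInfo": "2.17.1", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"name": "requests", "versionInfo": "2.31.0", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:pypi/requests@2.31.0"}]}]})

# Constructed advisory in the shape of an OSV record; the id is a placeholder.
ADVISORY = {"id": "CONSTRUCTED-0001",
            "affected": [{"package": {"ecosystem": "Maven",
                                      "name": "org.apache.logging.log4j:log4j-core"},
                          "versions": ["2.14.0", "2.14.1"]}]}

def build_demo_catalog():
    """Replay a build step and a deploy step for the two constructed components."""
    cat = Catalog()
    cat.record_build("payments", "3.2.0", PAYMENTS_SBOM)
    cat.record_build("reports", "1.8.0", REPORTS_SBOM)
    cat.record_deploy("payments", "3.2.0", "prod-us")
    cat.record_deploy("payments", "3.2.0", "staging")
    cat.record_deploy("reports", "1.8.0", "prod-eu")
    return cat

if __name__ == "__main__":
    cat = build_demo_catalog()
    for hit in cat.where_is("log4j-core"):
        print("running:", *hit)
    for hit in cat.blast_radius(ADVISORY):
        print("affected:", *hit)
```

Two design points carry over to a real catalog. First, the deploy step refuses to record an environment for a component version that has no SBOM, so the inventory can never contain a deployment whose contents are unknown. Second, `where_is` and `blast_radius` are different questions: the first lists every deployment of the package at any version, which is what you need when an advisory first lands and its affected range is still unclear; the second matches exact ecosystem, name and version against the advisory, which is what a scheduled scan against a live OSV.dev feed would compute. The version matching here is exact-string only; a production implementation has to evaluate OSV `ranges` with ecosystem-specific version ordering.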

Add your Microservice / API Swagger documentation to your supply chain to clarify component use and details.

Helm can be called in place of the DeployHub default processing engine for performing container deployments. When DeployHub executes the release process, it calls the Helm Chart you have defined as your Custom Action at the Component level. Our microservice catalog records the version of the Helm chart as part of the Component’s overall configuration data. In addition, DeployHub’s software supply chain defense catalog can track key-value pairs and generate override files for each environment you deploy to, making configuration updates quick and easy.

If you are developing your Applications on Salesforce, this integration allows you to support Salesforce deployments. By creating this Custom Action, you replace the DeployHub standard deployment processing engine with a process designed specifically for Salesforce, including the mapping of DeployHub Environments to different Salesforce regions such as testing, pre-production, and production, where the class and package files are deployed.

A software supply chain management catalog would be incomplete without managing database changes, particularly for poly databases. You can publish your database updates to the catalog, tracking and versioning your data changes. DeployHub has a dedicated Component type for database updates, allowing you to manage your database with roll-forward and rollback processing. Check out the ‘version jumping’ DB Demo.

DeployHub integrates with Jira, Bugzilla, and GitHub Issues to track your change requests at three levels: Component (microservice), Application, and Release (collection of Applications). You define Jira, Bugzilla, or GitHub through an object called a ‘data source.’ Once defined, you can pull change requests from your issue system and assign them at any level for tracking. When change requests are managed this way, you have a continuous feedback loop showing when the issue was opened and when the customer received the fix.

You can configure DeployHub to call out to a Git repository to pull deployable artifacts (binaries, scripts, etc.) as part of your deployment. The process checks out your deployable artifacts based on the commit, branch, or tag specified.

DeployHub’s software supply chain management catalog allows you to send notifications using Notifiers via HipChat Groups, Topics, or Rooms. Notifications are defined on Components and Applications and inform the recipient(s) of the success or failure of the Component or Application deployment.

Slack can be integrated with DeployHub using Notifiers. Notifiers can be called to report on the success or failure of a deployment.

DeployHub integrates with CircleCI to support continuous configuration management and continuous deployment of microservices built into your CircleCI pipeline. In particular, the integration enriches the CI/CD pipeline around microservices by tracking which applications need to be retested when a shared microservice is updated.

Critical to the process is the ability to version and track microservices across clusters and teams and map them to ‘logical’ Applications. DeployHub’s CircleCI Orb performs automated version and dependency management of microservices, tracking application and microservice relationships, their versions, and their deployment metadata.

DeployHub allows you to use LDAP or Active Directory to manage your User logins. The integration creates an LDAP Data Source that accesses an LDAP directory and uses the information stored there to grant access to DeployHub. It also populates the User’s General tab with the Real Name and Email it reads from the LDAP directory. When you define a User, you associate the LDAP authentication method. At login, DeployHub checks the User’s authentication method to determine whether LDAP or Active Directory should be used.

Get Started - Easy as 1-2-3

Connect to Your DevOps Pipeline

Gather and Aggregate Evidence

Respond to Threats

DeployHub Team For Small Teams and Open-Source Communities

DeployHub Team is the free SaaS version of our software supply chain management catalog. It is designed to help smaller teams and open-source communities understand the composition of the software they produce. Our free catalog allows open-source communities to register and share their components and critical security insights. DeployHub Team is based on the Ortelius.io open-source project, which is governed by the Linux Foundation’s Continuous Delivery Foundation.

DeployHub Pro for The Highly Regulated Enterprise

Designed for highly regulated industries such as space exploration, government, and banking, DeployHub Pro has expanded features designed to organize data across Domains, Groups, and Users. DeployHub Pro enables teams to restrict, share, and reuse software components and dependencies, keeping developers, testers, and support teams continually informed about the software in their supply chain.

Suggested Reading

Software Supply Chain Management Catalog Explored 

Cloud-native architecture makes the cybersecurity challenge even more difficult. Understand how DeployHub’s Software Supply Chain Management can simplify the complexities.

Adding Application Security into Your DevOps Pipelines

This whitepaper gives you a clear understanding of how to harden your DevOps pipeline using open-source tools at minimal cost.
