Have a question?

Browse through the frequently asked questions below to learn more about Orchestron.


FREQUENTLY ASKED QUESTIONS

How is Orchestron deployed?

As a fully containerized platform, Orchestron can be deployed in two ways: using Kubernetes or using Docker Compose.

1. Orchestron is easy to deploy and orchestrate using Kubernetes. It has the following components: 
  • API Service - Python, Django
  • VueJS Front-end Service
  • PostgreSQL Database
  • NodeJS API Service
  • MongoDB
  • Minio - File Storage and Handling

2. With Docker Compose, Orchestron can be deployed on a single server, enabling one-click deployment.

How does vulnerability merging work?

Most vulnerability correlation tools do not correlate vulnerabilities automatically. Even those that do rely heavily on CWE (Common Weakness Enumeration) IDs for merging.

We at Orchestron realize that this is insufficient, as several tools do not assign the right CWEs, or do not assign CWEs at all. Certain tools rely on vulnerability names instead, which results in mismatches and duplications. Orchestron performs automatic, intelligent merging through a proprietary technology called the Orchestron Risk Language (ORL): the system recognizes disparate names and values, with or without CWEs, and merges them automatically.

ORL consolidates vulnerabilities across SCA, SAST and DAST tool results. All vulnerabilities are correlated automatically, without any manual intervention.
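To make the pitfall concrete, the following added example (not Orchestron code, and not an implementation of ORL) contrasts strict CWE-keyed grouping with a grouping that falls back to a normalized vulnerability name; the findings and tool names are constructed sample data.

```python
"""Why CWE-only merging under-correlates: a constructed illustration."""
import re
from collections import defaultdict

# Constructed sample findings: one SQL injection reported by three hypothetical
# tools (one of them without a CWE, one with a differently worded name), plus
# an unrelated XSS finding that must stay separate.
FINDINGS = [
    {"tool": "sast-a", "name": "SQL Injection", "cwe": 89, "file": "app/db.py", "line": 42},
    {"tool": "sast-b", "name": "SQL-Injection (Tainted Query)", "cwe": None, "file": "app/db.py", "line": 42},
    {"tool": "dast-c", "name": "sql injection", "cwe": 89, "url": "/search"},
    {"tool": "sast-a", "name": "Cross-Site Scripting", "cwe": 79, "file": "app/views.py", "line": 10},
]


def merge_by_cwe(findings):
    """Naive approach: group strictly on the CWE id. A finding without a CWE
    becomes its own group, so the sast-b duplicate is never merged."""
    groups = defaultdict(list)
    for i, f in enumerate(findings):
        key = ("cwe", f["cwe"]) if f["cwe"] is not None else ("orphan", i)
        groups[key].append(f)
    return groups


# Illustrative alias table (assumption): maps collapsed names to one label.
_ALIASES = {"sqlinjection": "sql-injection", "crosssitescripting": "xss"}


def normalize_name(name):
    """Drop parenthetical qualifiers, punctuation and case, then map aliases."""
    base = re.sub(r"\(.*?\)", "", name)
    base = re.sub(r"[^a-z]", "", base.lower())
    return _ALIASES.get(base, base)


def merge_with_fallback(findings):
    """Key on the CWE where a tool supplies one, otherwise on the normalized
    name. Each CWE is mapped to one normalized name so a CWE-less finding
    still lands in the same group as its CWE-tagged siblings."""
    cwe_to_name = {f["cwe"]: normalize_name(f["name"])
                   for f in findings if f["cwe"] is not None}
    groups = defaultdict(list)
    for f in findings:
        key = cwe_to_name[f["cwe"]] if f["cwe"] is not None else normalize_name(f["name"])
        groups[key].append(f)
    return groups
```

Running `merge_by_cwe` on the sample yields three groups (the CWE-less SQL injection stays orphaned), while `merge_with_fallback` yields two.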

What tools integrate with Orchestron?

Orchestron supports the following SCA, SAST and DAST tools:

SCA

  • OWASP Dependency Checker
  • Snyk
  • WhiteSource
  • NpmAudit

SAST

  • Checkmarx
  • FindSecBugs
  • Brakeman
  • Bandit
  • AppScan-SAST
  • NodeJsScan
  • Xanitizer
  • HP Fortify
  • Veracode
  • GoSec

DAST

  • ZAP
  • Burp
  • Arachni
  • AppSpider
  • W3af
  • AppScan
  • Acunetix

What databases does Orchestron work with?

Orchestron uses open source databases to store and process data. It relies primarily on PostgreSQL to manage data, and additionally uses MongoDB for its ORL component.

What kinds of resources do you offer to help my organization get started using Orchestron?

As soon as Orchestron is deployed, a dedicated team of experts walks the user through the list of applications, supported by in-built documentation to get started. This documentation serves as the complete user manual for Orchestron. A user can also request extended onsite or offline support.

What open-source static code analysis tools does Orchestron Enterprise support?

Orchestron supports the following open source static analysis (SAST) tools:

  • Brakeman
  • Bandit
  • NodeJsScan
  • GoSec
  • FindSecBugs

In addition, tools other than those listed can be integrated by converting their output to Orchestron JSON.

What are the hardware and software requirements for installing Orchestron?

The basic requirements are Docker and Docker Compose. The minimum system requirements are:

  • 2 Core CPU
  • 8 GB RAM
  • 40 GB HDD

Does Orchestron require a dedicated server?

A dedicated server is recommended but not required. Orchestron is a containerized platform that can reside on an existing web server or a virtual machine, so the user can choose whichever configuration works best.

How do I drill down to see the line of code that has a particular vulnerability?

To examine the affected line of code within Orchestron, navigate to the individual vulnerability page. Clicking the affected instance tab on that page shows the list of vulnerable lines of code; clicking a vulnerable line gives further details of the code along with the line number of the vulnerability.

These vulnerabilities are reported based on the details the SAST tools report as part of their findings.

Are there any ways of looking just at the new analysis results and filtering out old results?

Currently, there is no option to view the latest and older results separately: Orchestron automatically merges both and shows them in the open vulnerabilities section. In the list of scans, however, the user can see scans ordered by recently uploaded results.

What issue tracking tools does Orchestron integrate with?

Orchestron has two-way sync features with the following Issue Management / Bug-Tracking Tools: 

  • JIRA
  • Github
  • VSTS (Azure DevOps)

What continuous integration servers does Orchestron integrate with?

We believe in giving the user the freedom to work with any Continuous Integration/Deployment tool, which is why we developed Orchestron Webhooks. Webhooks allow the user to post results into Orchestron using a simple HTTP request carrying the export file from the tool (XML, JSON, YAML, etc.). This means the user can push data into Orchestron from any source, including Jenkins, Bamboo, GitLab and any other CI/CD platform. Read more about Orchestron Webhooks here.

What Dynamic Application Security Testing (DAST) tools does Orchestron support?

Supported DAST tools: 

  • ZAP
  • Burp
  • Arachni
  • AppSpider
  • W3af
  • AppScan - DAST
  • Acunetix

Where do my source code and vulnerability analysis results reside? Is my source code stored in the cloud?

Orchestron does not store any source code, as it is a correlation and management platform. It only consumes results from security tools in order to correlate vulnerabilities, without needing to store source code.

Can Orchestron scan third-party software components?

Orchestron is not a scanner or a vulnerability assessment tool. It allows you to manage results from such tools.

Can the Orchestron server use our domain/LDAP for authentication or does it use its own?

We provide the ability to perform LDAP Authentication as an optional add-on to Orchestron.

Is it possible to add custom tool rules to Orchestron?

Since Orchestron does not interact with tools directly, any tool that produces vulnerability reports in XML or JSON format can be integrated via a Webhook. If a tool's report format differs from these, it can be converted to Orchy JSON and published to Orchestron via Webhooks.
