As a fully containerized platform, Orchestron can be deployed in two ways: using Kubernetes or using Docker Compose. Orchestron is easy to deploy and orchestrate using Kubernetes. It has the following components:
Most Vulnerability Correlation tools do not correlate vulnerabilities automatically. Even if they do, they heavily rely on CWE (Common Weakness Enumeration) IDs for merging.
We at Orchestron realize that this is insufficient, as several tools do not assign the right CWEs, or any CWEs at all. Certain tools rely on vulnerability names instead, which results in mismatches and duplicates. Orchestron can merge findings automatically and intelligently thanks to a proprietary technology called the Orchestron Risk Language (ORL), which recognizes disparate names and values, with or without CWEs, and merges them automatically.
ORL will consolidate vulnerabilities across SCA, SAST and DAST tool results. All the vulnerabilities are automatically correlated without the need for any manual intervention.
Orchestron supports the following SCA, SAST and DAST tools:
Orchestron primarily uses open source databases to store and process data. It uses PostgreSQL to manage its data; in addition, Orchestron uses MongoDB for its ORL component.
As soon as Orchestron is deployed, a dedicated team of experts will walk the user through the list of applications, with built-in documentation to get started. This documentation acts as the complete user manual for Orchestron. A user can also request extended onsite or offline support.
Orchestron supports the following open source static analysis (SAST) tools:
In addition, tools other than the ones listed can be integrated with Orchestron via Orchestron JSON.
The basic requirements are Docker and Docker Compose. Minimum system requirements are:
A dedicated server is recommended but not required. Orchestron is a containerized platform that can reside on an existing web server or virtual machine. The user can use whichever configuration works best.
To examine the affected line of code for a vulnerability within Orchestron, the user navigates to the individual vulnerability page. Clicking the affected instance tab on that page shows the list of vulnerable lines of code, and clicking a vulnerable code entry gives further details of the code along with the line number of the vulnerability.
These vulnerabilities are reported based on the details the SAST tools report as part of their findings.
Currently, there is no option to view the latest and older results separately; Orchestron automatically merges both and shows them in the open vulnerabilities section. In the list of scans, however, the user can see the individual scans based on the most recently uploaded results.
Orchestron has two-way sync features with the following Issue Management / Bug-Tracking Tools:
We believe in giving the user the freedom to work with any Continuous Integration/Deployment tool, which is why we have developed Orchestron Webhooks. Webhooks allow the user to post results into Orchestron using a simple HTTP request and the export file from the tool (XML, JSON, YAML, etc.). This means the user can easily push data into Orchestron from any source, including Jenkins, Bamboo, GitLab and any other CI/CD platform. Read more about Orchestron Webhooks here.
Supported DAST tools:
Orchestron does not store any source code, as it is a correlation and management platform. It only consumes the results from security tools to correlate vulnerabilities, without the need to store any data or code.
Orchestron is not a scanner or a vulnerability assessment tool. It allows you to manage results from such tools.
We provide LDAP authentication as an optional add-on to Orchestron.
Since Orchestron does not interact directly with the tools, any tool that produces vulnerability reports in XML or JSON format can be integrated via a Webhook. If a report's format differs from those mentioned above, it can be converted to Orchy JSON and published to Orchestron via Webhooks.