
Assessments

Overview  #

MyOrbik provides tools to evaluate and track the security and compliance of your products through assessments. This section describes how to create and manage assessments, focusing on Software Composition Analysis (SCA) assessments and on-demand reports. 

Key Specifications for SCA Assessments  #

  • Each product version can have only one SCA assessment. 
  • An SCA assessment requires an SBOM (Software Bill of Materials) as input. 
  • An uploaded SBOM cannot be replaced in place. To update it, you must create a new product version, register it in MyOrbik, and associate a new SCA assessment with that version. 

Steps for Creating an SCA Assessment #


Create a New Product Version #

If you need to update the SBOM for a product, you must first define the new version. 

  1. Navigate to: Management -> Products -> Add New Product. 
  2. Provide the following details: 
    • Name: A unique name for the product. 
    • Version: Specify the new version. 
    • Type: Select the product type from the list (e.g., Application, Library, Firmware, OS, Container, Device). 
    • Description: Provide an optional description for the product. 
  3. Assign the product to a hierarchy (if applicable). 
  4. Click Save. 

Generate and Upload the SBOM #

Once the new product version is created: 

  1. Generate the SBOM for the product version in CycloneDX JSON format using your preferred SBOM generation tool (this is the only format MyOrbik accepts). 
  2. Navigate to: Assessments -> Add New Assessment. 
  3. Select the product version you just created. 
  4. Choose SCA as the assessment type. 
  5. Once the assessment is created, go to the Assessment List. 
  6. Locate the assessment in the list and click the Upload button under the “Actions” column. 
  7. Upload the SBOM file. 

Validate the SBOM Upload #

After the upload: 

  • MyOrbik will process the SBOM and provide a notification once the scan is complete. 
  • The assessment results will be available under the Assessment Details page. 

On-Demand Report Creation  #

In addition to creating formal assessments, MyOrbik allows for on-demand report generation: 

  • Navigate to the Vulnerabilities List. 
  • Apply filters to display the vulnerabilities you wish to include in the report. 
  • Select vulnerabilities manually to generate a custom report. 
  • These reports are not stored in the system; they are generated temporarily for immediate use. 

Assessment States  #

Each assessment in MyOrbik progresses through a lifecycle represented by the following states, in this order: 

  Contracted: 
    • The assessment has been agreed upon but not yet planned. 
    • This state indicates an initial commitment or scheduling phase.

  Planned: 
    • The assessment is scheduled, with necessary preparations underway.
    • All resources and timelines are defined at this stage. 

  Started: 
    • The assessment is in progress. 
    • Analysis and evaluations are actively being conducted. 

  Ended: 
    • The assessment has been completed. 
    • The results are being finalized but not yet reported. 

  Reported: 
    • The final assessment report has been delivered. 
    • This state signifies the conclusion of the assessment lifecycle. 

Managing SBOM Updates  #

Updating the SBOM (Software Bill of Materials) for a product version in MyOrbik involves the following steps: 

Define a New Product Version  #

  • One SBOM per Product Version: Each SBOM update requires the creation of a new product version in the system. 
  • Register the New Version: To accommodate the updated SBOM, you must register a new version of the product. Follow the steps outlined in the “Create a New Product Version” section to ensure the version is properly configured. 

Create a New Assessment for the Updated Version #

  • Associate an SCA Assessment: Link the newly created product version to an SCA (Software Composition Analysis) assessment. 
  • Upload the SBOM: Once the assessment is created, upload the updated SBOM to the system. 

Supported SBOM Format: CycloneDX JSON  #

MyOrbik accepts SBOMs only in CycloneDX JSON format. CycloneDX XML files and SBOMs in other standards such as SPDX must be converted to CycloneDX JSON before upload. 

About CycloneDX  #

CycloneDX is a lightweight SBOM standard developed to enhance transparency and security across the software supply chain. It is designed to provide detailed information about software components, including: 

  • Components: Lists all software dependencies, including open-source and third-party libraries. 
  • Licenses: Documents licensing information for each component. 
  • Vulnerabilities: Can embed known vulnerability and exploitability (VEX) data, enabling correlation with vulnerability databases for enhanced security analysis. 
  • Relationships: Maps dependencies and relationships between components. 

Why CycloneDX?  #

CycloneDX is widely adopted for its: 

  • Interoperability: Easily integrates with various tools and systems. 
  • Rich Metadata: Provides a comprehensive view of software composition. 
  • Security Focus: Facilitates risk management by aligning with best practices in software supply chain security. 

Ensure that the updated SBOM is generated in CycloneDX JSON format before uploading it to the assessment. If your tooling does not natively emit CycloneDX, converters such as the CycloneDX CLI can transform other formats (for example SPDX) into CycloneDX JSON. After converting, confirm that component names, versions and package URLs (purl) survived the conversion: SCA vulnerability matching depends on these identifiers, and a component without them is inventoried but may never be matched against vulnerability data. 
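The following pre-upload check is an added example for this page; it is not MyOrbik's own code or API. It enforces the two rules the page states before a file is attached to an SCA assessment in the "Generate and Upload the SBOM" and "Managing SBOM Updates" steps: the file must be CycloneDX JSON, and its subject must be exactly the product version you registered, since each product version carries one SBOM. The sample SBOM, the fictitious product "sensor-gateway", the minimum specVersion and the field-level checks are assumptions made for illustration; MyOrbik documents only the format requirement.

```python
"""Pre-upload check for a CycloneDX JSON SBOM.

Added example, not MyOrbik's own code. The sample SBOM, the product
name/version and MIN_SPEC_VERSION are assumptions for illustration.
"""
import json
import re

# Assumption: MyOrbik documents no minimum spec version. 1.4 is used here
# because it is the first CycloneDX release with a vulnerabilities section.
MIN_SPEC_VERSION = (1, 4)
UUID_URN = re.compile(r"^urn:uuid:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample: a CycloneDX 1.5 JSON SBOM for a fictitious firmware
# product. The last component deliberately has no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware", "name": "sensor-gateway", "version": "2.1.0"}
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "vendor-blob", "version": "0.9"},
    ],
})


def parse_spec_version(spec):
    """Turn '1.5' into (1, 5); return None if the field is absent or malformed."""
    try:
        return tuple(int(part) for part in str(spec).split("."))
    except ValueError:
        return None


def check_sbom(text, product_name, product_version):
    """Return findings as 'error: ...' / 'warning: ...' strings.

    product_name and product_version are the values entered under
    Management -> Products for the version this SBOM will be attached to.
    """
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"error: not valid JSON ({exc.msg} at line {exc.lineno})"]

    # Rule 1: only CycloneDX JSON is accepted. An SPDX document or a
    # CycloneDX XML file will not carry this field.
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["error: bomFormat is not 'CycloneDX'; convert the SBOM before uploading"]

    spec = parse_spec_version(bom.get("specVersion"))
    if spec is None or spec < MIN_SPEC_VERSION:
        wanted = ".".join(map(str, MIN_SPEC_VERSION))
        findings.append(f"error: specVersion {bom.get('specVersion')!r} is missing or older than {wanted}")

    serial = str(bom.get("serialNumber") or "")
    if not UUID_URN.match(serial):
        findings.append("warning: serialNumber missing or not a urn:uuid; the BOM cannot be referenced uniquely")

    # Rule 2: one SBOM per product version. The subject of the BOM must be the
    # product version you registered, or the results land on the wrong version.
    subject = (bom.get("metadata") or {}).get("component") or {}
    if subject.get("name") != product_name or subject.get("version") != product_version:
        findings.append(
            f"error: metadata.component is {subject.get('name')!r} {subject.get('version')!r}, "
            f"expected {product_name!r} {product_version!r}"
        )

    components = bom.get("components") or []
    if not components:
        findings.append("error: no components listed; nothing for SCA to analyse")
    for index, comp in enumerate(components):
        label = comp.get("name") or f"components[{index}]"
        if not comp.get("name") or not comp.get("version"):
            findings.append(f"error: {label} lacks a name or version")
        if not comp.get("purl"):
            # SCA tools generally match on the package URL; a component without
            # one is unlikely to be correlated with vulnerability data.
            findings.append(f"warning: {label} has no purl; it cannot be matched to vulnerability data")
    return findings


def ready_to_upload(findings):
    """True when no finding is an error; warnings are reported but do not block."""
    return not any(f.startswith("error:") for f in findings)


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, "sensor-gateway", "2.1.0"):
        print(finding)
```

Run it against the SBOM you are about to upload with the product name and version exactly as registered; an empty result, or warnings only, means the file is ready for the Upload action in the Assessment List. The purl warning is deliberately non-blocking because some proprietary or vendored components legitimately have no package URL, but every such component is one that SCA will not be able to match.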

By adhering to this process, you can maintain an accurate and secure inventory of your product’s software components. 

Important Considerations  #

  • Single SCA Assessment per Product Version: Each product version in MyOrbik supports only one SCA assessment to ensure consistency and traceability. 
  • Lifecycle Management: SBOM updates necessitate a new product version. This ensures a clear audit trail of changes and assessments. 
  • Efficient Tracking: MyOrbik’s hierarchical structure allows you to organize products and versions for streamlined management. 

By leveraging these tools and features, MyOrbik ensures that your assessments are comprehensive, traceable, and aligned with your organizational security goals. 
