Orchestron is an Application Vulnerability Management and Correlation Tool. One of the key challenges for organizations large and small is managing the vulnerabilities reported against the applications in their environment. The problem has become more acute as application security testing has moved into the CI/CD pipeline: results from SAST, DAST and Software Composition Analysis (SCA) tools arrive continuously from automated builds, and without a way to manage them they overwhelm Application Security teams very quickly. This is where Orchestron comes in.
Orchestron helps you solve one key problem: "Find and fix vulnerabilities early in the lifecycle".
Orchestron allows you to do the following quite effectively:
- Manage results from various application security tools directly from the CI/CD pipeline, with convenient features like webhooks. See Webhooks for more details. For a list of supported tools and formats, please see the supported tools list.
- Speak the Developer's Language with a Jira integration => Results from security tools can be pushed to Jira from Orchestron. See Settings for more details.
- Manage False Positives from across different security tools in one place. See Vulnerabilities for more details.
- Automatically correlate and merge vulnerabilities reported by different security tools, so one underlying flaw found by several scanners appears as one finding.
- Easily manage releases and "in-time" security assessments with Engagements. See "Engagements" for more details.
- Unlike many other tools, Orchestron also attempts to correlate/merge results across SAST, DAST and SCA tools, not only within a single category.
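The following is an added illustration of what "correlate and merge" means in practice. It is example code written for this page, not Orchestron's own implementation or data model. The tool names (sast-tool, dast-tool, sca-tool), the result dict shapes, the sample findings, the route-to-file map and the correlation key (CWE plus a normalized location) are all assumptions made for the example; real tools report richer output and real correlation across SAST and DAST needs a reliable mapping from served routes to the code that handles them.

```python
"""Toy cross-tool correlation: normalize SAST, DAST and SCA output into one
shape, group findings that describe the same flaw, and manage a false-positive
flag on the merged group rather than on each raw finding.

Added example for this page; not Orchestron's code. All inputs are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str
    kind: str        # "sast", "dast" or "sca"
    cwe: int
    severity: str    # one of SEVERITY_RANK
    location: str    # file path, URL path or package name, as reported


@dataclass
class MergedFinding:
    key: tuple
    severity: str
    findings: list = field(default_factory=list)
    false_positive: bool = False

    @property
    def tools(self):
        return sorted({f.tool for f in self.findings})


# Constructed sample results. The dict shapes are simplified stand-ins and
# do not follow any real scanner's schema.
SAST_RESULTS = [
    {"check": "sql-injection", "cwe": 89, "severity": "high",
     "file": "app/views/users.py", "line": 42},
    {"check": "hardcoded-secret", "cwe": 798, "severity": "medium",
     "file": "app/config.py", "line": 7},
]
DAST_RESULTS = [
    {"name": "SQL Injection", "cwe": 89, "risk": "High",
     "url": "https://staging.example.test/users?id=1"},
    {"name": "Reflected XSS", "cwe": 79, "risk": "Medium",
     "url": "https://staging.example.test/search?q=x"},
]
SCA_RESULTS = [
    {"package": "examplelib", "version": "1.2.3", "cwe": 502,
     "severity": "critical"},
]

# Assumption: to line a DAST hit up with SAST output we need to know which
# source file serves a route. Here the map is supplied by hand.
ROUTE_TO_FILE = {"/users": "app/views/users.py", "/search": "app/views/search.py"}


def normalize(sast, dast, sca):
    """Flatten three tool-specific result lists into Finding records."""
    findings = []
    for r in sast:
        findings.append(Finding("sast-tool", "sast", r["cwe"], r["severity"], r["file"]))
    for r in dast:
        path = urlparse(r["url"]).path          # drop host and query string
        findings.append(Finding("dast-tool", "dast", r["cwe"], r["risk"].lower(), path))
    for r in sca:
        findings.append(Finding("sca-tool", "sca", r["cwe"], r["severity"], r["package"]))
    return findings


def correlation_key(f):
    """Two findings are 'the same' if they share a CWE and a normalized location.
    DAST paths are translated to the handler file so they can meet SAST hits."""
    if f.kind == "dast":
        return (f.cwe, ROUTE_TO_FILE.get(f.location, f.location))
    return (f.cwe, f.location)


def merge(findings):
    """Group findings by correlation key; the group carries the worst severity."""
    groups = {}
    for f in findings:
        key = correlation_key(f)
        m = groups.setdefault(key, MergedFinding(key=key, severity=f.severity))
        m.findings.append(f)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    return list(groups.values())


def mark_false_positive(merged, key):
    """Flag one merged group as a false positive; returns True if the key existed."""
    for m in merged:
        if m.key == key:
            m.false_positive = True
            return True
    return False


def open_findings(merged):
    return [m for m in merged if not m.false_positive]


if __name__ == "__main__":
    merged = merge(normalize(SAST_RESULTS, DAST_RESULTS, SCA_RESULTS))
    for m in merged:
        print(m.key, m.severity, m.tools)
```

With the constructed input, five raw findings collapse to four merged ones: the SQL injection reported by both the SAST and DAST tool against /users becomes a single finding carrying both tools, while the secret, the XSS and the vulnerable package stay separate. Marking the XSS group as a false positive hides it without touching the other three.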
Orchestron comes in three flavours:
- Community Version (this one), which is open source and free to the world at large
- Enterprise Version, a commercial version of the product available to enterprise customers
- SaaS version (yet to be launched)
Platform and Framework
Orchestron has two main components:
- API => Python Django 2.x (Python 3)
- Front-end => Vue.js
It is deployed alongside:
- Minio => S3-like object storage for media files, etc.
- Nginx => Web server
Related Projects
- ThreatPlaybook => Comprehensive Threat Modeling-as-Code and AppSec Automation Framework
- RoboZap => ZAP Library for Robot Framework - Automating ZAP in a CI/CD Pipeline
- RoboBurp => Burp Library for Robot Framework - Automating Burp in a CI/CD Pipeline
- RoboArachni => Arachni Library for Robot Framework - Automating Arachni in a CI/CD Pipeline
We welcome contributions to this project in the form of:
- Feature requests and suggestions
- Help with writing tests
- Add-on features, plugins, etc.