Getting Started with Security Scanning, Mapping, Rating and Data Analysis
The Cyberfame WebApp is designed to provide a user-friendly interface to get started with asynchronous, parallel security reconnaissance and supply network analysis for technical and non-technical users.
This guide will help you get started with Cyberfame's WebApp and Advanced Features.
To access Cyberfame's WebApp and Graph Database, you'll first need to create an account and subscribe to a plan here.
Open-source projects and NGOs are eligible for a free Cyberfame license; contact [email protected]
Subscribe with the email address or SSO account you intend to use with the application. Account merging is not yet supported; if you accidentally subscribed with the wrong email, contact [email protected]
For security reasons, you cannot set a password; instead, you receive a login link by email every time you log into the platform.
Start by submitting one or more domains or repositories for supply chain security analysis.
Please note that Cyberfame treats any domain entered as a root domain. This means that if you enter www.example.com, Cyberfame will analyze subdomains of www.example.com, not example.com.
Cyberfame uses a growing set of security scanning tools to gather data on your assets and generate a dynamic graph, allowing you to explore and analyze your supply network.
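The scoping rule above matters in practice: a hostname is in scope only if it equals the submitted root or sits below it in the DNS tree, and a suffix match alone is not enough (notexample.com must not count as part of example.com). The following Python is an added illustration written for this guide, not Cyberfame's own implementation; the hostnames in `SAMPLE_HOSTS` are constructed.

```python
"""Added illustration of root-domain scoping on whole DNS labels.
Example code for this guide; not Cyberfame's implementation."""


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and reject anything that is not a bare hostname."""
    host = host.strip().lower().rstrip(".")
    if not host or "/" in host or ":" in host or " " in host:
        raise ValueError(f"not a bare hostname: {host!r}")
    return host


def in_scope(root: str, candidate: str) -> bool:
    """True if candidate is the submitted root or one of its subdomains.

    Matching is done on whole DNS labels by requiring a '.' boundary, so
    'notexample.com' is NOT in scope for root 'example.com' even though it
    ends with the same characters.
    """
    root = normalize_host(root)
    candidate = normalize_host(candidate)
    return candidate == root or candidate.endswith("." + root)


def partition_hosts(root, hosts):
    """Split discovered hostnames into in-scope and out-of-scope lists."""
    inside, outside = [], []
    for h in hosts:
        (inside if in_scope(root, h) else outside).append(normalize_host(h))
    return inside, outside


# Constructed sample: hostnames as a discovery scan might surface them.
SAMPLE_HOSTS = [
    "www.example.com", "api.www.example.com", "WWW.EXAMPLE.COM.",
    "example.com", "mail.example.com", "notwww.example.com",
]

if __name__ == "__main__":
    inside, outside = partition_hosts("www.example.com", SAMPLE_HOSTS)
    print("in scope:", inside)
    print("out of scope:", outside)
```

With root www.example.com, only www.example.com itself and names beneath it are kept; example.com and mail.example.com fall outside, which is exactly why submitting the apex domain (example.com) covers a wider zone than submitting the www host.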
Cyberfame's WebApp conducts security analysis of your supply chain through asynchronous and parallel scanning. The scanning methods automate the analysis on these key security risk areas:
1. Repository and Web Application Security Risks (for GitHub repositories and web assets):
  - Dynamic SBOMs: Combines SAST, DAST, and SBOM scanning to create dynamic Software Bills of Materials, identifying vulnerabilities, outdated components, and license compliance issues in real time. (See: SBOM Explained by Linux Foundation)
  - Dependency Graph Analysis: Identifies and analyzes dependencies, detecting potential vulnerabilities and outdated components. (See: Dependabot Security Updates by GitHub)
  - Repository Security Checks: A series of tests that examine branch protection, code review practices, security policies, and more. (See: GitGuardian on Securing Your GitHub Repositories)
  - Vulnerability Detection: Cross-references dependencies with known vulnerability databases, such as OSV and NVD, to detect potential security risks. (See: Google's OSV)
2. Web Application Security Risks (for web assets):
  - External Vulnerability Surface Discovery: Identifies and maps the attack surface exposed by your web application to external threats. (See: Attack Surface Management by RiskIQ)
  - SSL Best Practices: Evaluates the implementation of SSL/TLS certificates and configurations to ensure secure data transmission. (See: SSL/TLS Best Practices by DigiCert)
  - Protocol Fingerprinting: Collects and ingests data from various protocols to analyze potential vulnerabilities. (See: Rapid7 on Network Protocol Analysis)
  - Web Security Checks: A set of tests to ensure secure web configurations and protect against common web application attacks. (See: Cloudflare on Web Application Security)
Cyberfame's WebApp abstracts all collected data into a security rating for each analyzed asset based on the results of the security scans. This rating considers factors such as:
1. Severity of Vulnerabilities: Assets with more severe vulnerabilities receive a lower rating. (See: CVSS Scoring System by FIRST)
2. Security Best Practices: Adherence to industry-standard security practices impacts the rating positively. (See: NIST Cybersecurity Framework)
3. Security Automations: The implementation of security automations contributes to the rating. (See: DevSecOps by GitLab)
4. Outdated Dependencies: Outdated or unmaintained dependencies with known security issues negatively impact the rating. (See: Snyk on Outdated Dependencies)
5. License Compliance: Non-compliant projects receive a lower rating. (See: Compliance Basics with SPDX by the Linux Foundation)
After the analysis process is complete, you'll be notified. The supply graph will display nodes and connections, highlighting potential vulnerabilities, dependencies, and the results of scanning, mapping and rating. Take some time to navigate the graph and familiarize yourself with the visualizations.
Cyberfame graphs display nodes and connections, color-coded by security rating, vulnerabilities, dependencies, and other key data points.
With the Unlimited Plan, you can perform graph theoretical data analysis on your supply network and more than 1 million open source repositories.
For example, you can use graph theoretical algorithms for path search, connectivity and centrality, together with the built-in query language, to answer combinations of questions such as:
"Which is our organization's most connected and least protected dependency?"
"Which of those dependencies have known vulnerabilities?"
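To make the two questions concrete, here is an added Python example written for this guide that answers them over a small constructed supply network with plain breadth-first reachability; it is not Cyberfame's query language or rating engine. The edges, the 0-100 ratings in `RATING`, and the vulnerability identifiers in `KNOWN_VULNS` are all constructed placeholders, and the "org/" prefix marking our own projects is an assumption of the example.

```python
"""Added example: 'most connected and least protected dependency' over a
constructed supply graph. Example code for this guide, not Cyberfame's."""

from collections import deque

# Constructed supply network: edges point from a dependent to what it depends on.
# Nodes prefixed "org/" are our own projects; the rest are third-party packages.
EDGES = [
    ("org/web", "lib-http"), ("org/web", "lib-json"), ("org/web", "lib-log"),
    ("org/api", "lib-http"), ("org/api", "lib-json"),
    ("org/batch", "lib-json"), ("org/batch", "lib-crypto"),
    ("lib-http", "lib-log"), ("lib-json", "lib-log"), ("lib-crypto", "lib-log"),
]

# Constructed security ratings on a 0-100 scale (higher is better protected),
# standing in for the per-asset rating a platform derives from its scans.
RATING = {
    "org/web": 80, "org/api": 75, "org/batch": 70,
    "lib-http": 62, "lib-json": 45, "lib-log": 40, "lib-crypto": 90,
}

# Constructed known-vulnerability data keyed by package; ids are placeholders.
KNOWN_VULNS = {
    "lib-json": ["VULN-PLACEHOLDER-1"],
    "lib-crypto": ["VULN-PLACEHOLDER-2"],
}


def build_adjacency(edges):
    """Directed adjacency list; every node gets an entry even with no out-edges."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def reachable_from(adj, start):
    """Breadth-first search: every node reachable from start (transitive deps)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposure(adj, our_projects):
    """Count how many of our projects transitively depend on each third-party node.

    This reachability count is the centrality used for 'most connected': a
    package reached from many of our roots is the one whose compromise would
    touch the most of our projects.
    """
    counts = {}
    for proj in our_projects:
        for dep in reachable_from(adj, proj):
            if dep not in our_projects:
                counts[dep] = counts.get(dep, 0) + 1
    return counts


def most_connected_least_protected(edges, ratings, our_projects):
    """Rank third-party dependencies by exposure (desc), then rating (asc)."""
    adj = build_adjacency(edges)
    counts = exposure(adj, set(our_projects))
    ranked = sorted(counts, key=lambda n: (-counts[n], ratings.get(n, 0), n))
    return [(n, counts[n], ratings.get(n)) for n in ranked]


def with_known_vulns(ranked, vulns):
    """Second question: keep only ranked dependencies carrying known vulnerabilities."""
    return [(n, c, r, vulns[n]) for n, c, r in ranked if n in vulns]


if __name__ == "__main__":
    ours = ["org/web", "org/api", "org/batch"]
    ranked = most_connected_least_protected(EDGES, RATING, ours)
    for row in ranked:
        print(row)
    print("with known vulnerabilities:", with_known_vulns(ranked, KNOWN_VULNS))
```

On this data lib-log and lib-json are each reached from all three projects, and lib-log's lower rating puts it first; filtering by known vulnerabilities then leaves lib-json and lib-crypto. Ranking by transitive reachability rather than direct edge count is the point: lib-log is never a direct dependency of org/api or org/batch, yet every project depends on it.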
The results can be visualized and shared with your team within the WebApp.
Now that you have a basic understanding of Cyberfame, you can explore the rest of the technical documentation to learn more about specific features, use cases, and best practices.