Overview
JUDGE enables a unified developer and cybersecurity governance experience to mitigate the risk of software supply chain attacks by integrating zero trust principles of observability and verification into software build pipelines. JUDGE contains a configurable package, including:
- Build pipeline observer - automate the collection of trusted telemetry across input, environment, action, and output to cryptographically verify supply chain metadata (telemetry) via signing that data with a self-managed key, a key from a Key Management Service (KMS), or an identity
- Certificate Authority (CA) - enable an identity-based signature by authenticating and generating a short-lived key to create a short-lived certificate (only valid for 10 minutes), then using that certificate and key to sign the data, thereby removing the entire burden of key management, key rotation, etc.
- Time Stamping Authority (TSA) - provide cryptographic proof that your data was signed while the certificate was valid and verify provenance without relying on an external service, enabling artifact verification across disconnected (air-gapped) environments
- GraphQL data store - ability to manage storage, retrieval, and retention of software build pipeline attestations and trusted telemetry via a GraphQL API to facilitate either ad hoc or deploy-time compliance verification from developer commit to production deployment
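The CA and TSA bullets above describe why a 10-minute certificate can still be verified offline long after it expires: the verifier checks the TSA's signed time against the certificate's validity window rather than its own clock. The following Python sketch is an added illustration of that check and is not TestifySec's code or how Witness, its CA or its TSA are implemented; it assumes the `cryptography` library and generates throwaway CA, TSA and signer keys locally.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

CERT_LIFETIME = timedelta(minutes=10)  # the validity window the listing describes

def issue_cert(ca_key, signer_pub, now):
    """CA role: bind an ephemeral signing key to a 10-minute certificate."""
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-ca")])     # constructed
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-ci-job")])  # constructed
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
            .public_key(signer_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + CERT_LIFETIME)
            .sign(ca_key, algorithm=None))  # Ed25519 certificates take no separate digest

def timestamp(tsa_key, signature, now):
    """TSA role: countersign (signature || time) so the signing time can be proven later."""
    token = now.isoformat().encode()
    return token, tsa_key.sign(signature + token)

def verify(ca_pub, tsa_pub, cert, payload, signature, token, token_sig):
    """Verifier: needs only the CA/TSA public keys and the bundle; runs offline, even after expiry."""
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes)  # cert issued by the CA
        cert.public_key().verify(signature, payload)               # payload signed by cert key
        tsa_pub.verify(token_sig, signature + token)                # TSA vouches for this time
    except InvalidSignature:
        return False
    signed_at = datetime.fromisoformat(token.decode())
    # cryptography >= 42 exposes aware *_utc properties; older versions give naive UTC datetimes
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    # Decisive check: the TSA time, not the verifier's clock, must fall inside the cert window.
    return not_before <= signed_at <= not_after

def demo():
    """Constructed scenario: timestamp at T+5 min (accepted), T+11 min (rejected), tampered data."""
    ca, tsa, signer = (Ed25519PrivateKey.generate() for _ in range(3))
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    cert = issue_cert(ca, signer.public_key(), t0)
    payload = b"constructed attestation payload"
    sig = signer.sign(payload)
    tok_ok, tsig_ok = timestamp(tsa, sig, t0 + timedelta(minutes=5))
    tok_late, tsig_late = timestamp(tsa, sig, t0 + timedelta(minutes=11))
    pubs = (ca.public_key(), tsa.public_key())
    return (verify(*pubs, cert, payload, sig, tok_ok, tsig_ok),
            verify(*pubs, cert, payload, sig, tok_late, tsig_late),
            verify(*pubs, cert, payload + b"!", sig, tok_ok, tsig_ok))
```

Because the check compares the TSA time with the certificate window, `verify` returns the same answer whenever it is run, which is what lets an air-gapped verifier accept a bundle signed with a key that has long since been discarded.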
Trusted telemetry is securely stored and accessible via a GraphQL API for custom integrations. If all policies are verified, one or more evidence-based software supply chain attestations are generated, encompassing the entire SDLC from developer commit to production deployment. Create software deployment policies, distribute policies, digitally sign policies to avoid tampering, and identify specific responses to disparate types of policy violations when they are detected.
At the core of this are two key open-source components: Witness, a CI/CD pipeline observer that collects trusted telemetry for attestations, and Archivista, a trusted telemetry and attestation storage manager. Originally built and maintained by TestifySec, both open-source tools were donated to the Cloud Native Computing Foundation (CNCF) as subprojects underneath the in-toto project.
Continuous monitoring of software build pipeline trusted telemetry yields a lower residual risk of software supply chain attack by verifying provenance and meets multiple NIST SP 800-53r5 security controls. For custom pricing, a EULA, or a private contract, please contact awsmarketplace@testifysec.com for a private offer.
Highlights
- Store/Retrieve Attestation and Trusted Telemetry - Manage and control the storage, retrieval, and retention of software build pipeline attestations and associated sets of trusted telemetry for all software artifacts, across the entire secure software development lifecycle.
- Use GraphQL for Trusted Telemetry Integrations - Explore trusted telemetry data sets quickly and easily using an industry standard Graph Query Language (GraphQL) API. Integrate the telemetry into a custom app or connect a Judge instance for advanced visualization.
- Resist Evidence Injection Attacks - Protect against corruption and trusted telemetry integrity attacks. The encrypted object storage can always be re-verified or re-parsed to seamlessly recover from an evidence injection attack or downstream integrity failure.
Details
Pricing
| Dimension | Description | Cost/month |
|---|---|---|
| Single User | This is a Single User contract | $60.00 |
| 100 User Block | This is a 100 User Block contract | $5,500.00 |
Vendor refund policy
All Orders are non-cancellable and all fees and other amounts you pay under this Agreement are non-refundable.
Delivery details
JUDGE OCI & Helm Delivery
- Amazon EKS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
- Updated to JUDGE v1.6.0
- Includes new Dapr workflows
- Includes new seed data migrations
- Includes new auto DB schema migrations
- Includes new gateway
With version 1.6.0, we have introduced seed data migrations and updated the automatic DB schema migrations. These schema migrations are applied sequentially, so as long as your DB is up to date with version >= 1.2.0, the migrations should apply for you after updating to 1.6.0. If you have any problems, we suggest starting with a fresh, clean DB.
Additional details
Usage instructions
This JUDGE Helm chart can be deployed on top of EKS.
Please check our documentation for more details: http://testifysec.com/docs/aws/get-started-with-judge-eks
Once you run the "helm install" command, you can access the JUDGE web interface at https://<EKS_Instance_Public_DNS>/index.html.
You will need to configure your preferred OIDC provider to enable user authentication; today we support GitHub and GitLab (public and self-hosted).
Check all the configuration options available during the deployment at https://testifysec.com/docs/helm/configuring-judge-helm
Support
Vendor support
To establish official support on this contract, please reach out to awsmarketplace@testifysec.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.