Overview
The Riscosity Quickstart Guide is designed to help a first-time user of Riscosity get started with scanning a codebase and viewing issues found on it.
Please follow the sections in order.
Accessing Riscosity for the First Time
The user designated as the main point of contact for the Riscosity installation will require a License Key to successfully register themselves and invite other team members.
If you did not receive a License Key yet, please contact your Riscosity representative before proceeding to Onboarding an Application.
Onboarding an Application
- Once you are signed into Riscosity, navigate to Portfolio -> Applications
- Click the "New Application" button
- In the Add Application modal window, fill out the following fields:
  - Name: Choose a name for your Application
  - Application owner: Select yourself for now; this can be changed later
  - Allowed inbound ports: Enter the port or port range on which you expect this Application to accept inbound connections. If you are unsure, enter "80" for now
  - How critical is this application: Select the criticality
  - What is the posture of this Application: Select the posture
  - What kind of data does this product use: Select the appropriate data types. If you are unsure, select any data type for now
- Click the "Save" button to create the Application
- Proceed to the next step, Onboarding a Repository
Onboarding a Repository
- Navigate to Portfolio -> Repositories
- Click the "Add Repos" button
- In the Add Repos modal window, fill out the following fields:
  - Name: Choose a name for your Repository
  - Application: Select the Application you made in Onboarding an Application
  - Privacy: Select whether the Repository you wish to add is Public or Private. If you want to start with a sample Repository to see how Riscosity works, choose Public and proceed to the next step
  - URL: Enter the URL for your Repository. If you want to start with a sample Repository, enter "https://github.com/WebGoat/WebGoat"
  - Language: Select the primary programming language of your Repository; if you are unsure, select any language for now. If you are using the sample Repository from the URL field above, choose Javascript
  - Protocol: Select whether your Repository is accessed via HTTP, HTTPS, or SSH. If you are using the sample Repository from the URL field above, choose HTTPS
  - Scan Options:
    - Riscosity Recommended:
      - Keep "Scan all files for DLP keywords" selected
      - Select "Scan all supported programming languages" to ensure that Riscosity can fully scan the Repository, regardless of what language you selected in the Language field above
    - Note: For more complicated cases, other Scan Options may be used. However, most use cases are covered by the recommended Scan Options.
  - Branch:
    - Riscosity Recommended: leave this field blank to have Riscosity use the default branch; this is the most common use case
- Click the "Validate" button to ensure that Riscosity can connect to your Repository.
- Note: Riscosity instances will need network access to wherever the Repository is located. Please contact your Riscosity representative if you run into issues.
- Once you receive the message "Repo Config is Valid" after clicking the "Validate" button, proceed to click the "Save" button to create the Repository.
- Back on the Portfolio -> Repositories page, click the "Scan" button next to your Repository and wait for the Scan Status column to show a green checkmark. You may click the "Scan Log" button to view the progress of the scan.
- Proceed to the next step, Viewing Your Vendors
Viewing Your Vendors
- Navigate to Vendors
- Here you can view:
  - Which Vendors your Application/Repository is communicating with
  - What data types are being shared
  - Whether there have been any reported breaches
  - Which geographical locations your data is going to
- The Data Types column shows data types in gray until they are approved with the "Approve" button; approved data types are shown in blue.
- Let us dig deeper into the details of these Vendor communications. Proceed to the next step, Viewing Your Data Transit Issues
Viewing Your Data Transit Issues
- Navigate to Portfolio -> Data Transit
- Here you can view detailed issues for every API call that your Application/Repository is making to Vendors
- Click on red exclamation points next to issues to see more information about what security issues Riscosity observed
- You can also create tickets for issues and resolve issues on this page, but for now we will skip this
- Let us finish up by quickly viewing all of the data types that Riscosity found in the Application/Repository, whether or not they are associated with an API call. Proceed to the next step, Viewing Your Static Data Issues
Viewing Your Static Data Issues
- Navigate to Portfolio -> Static Data
- Here you can view detailed issues for every data type found in the source files of your Application/Repository. These issues are not directly tied to any Vendor communication.
- Click on the "Details" button next to an issue to view more information about the data types that were found and where in the code of the Repository Riscosity found them
- You can also resolve issues on this page, but for now we will skip this
- Proceed to the last step, Wrapping Up
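To make the difference between the Data Transit view (data types tied to an outbound API call to a Vendor) and the Static Data view (every data type found in source files, tied to no call) concrete, here is a small added example. It is not Riscosity's code and does not describe how Riscosity scans; it is a toy scanner over three constructed in-memory source files, using two deliberately simplified, hypothetical detectors (an email pattern and a card-number pattern) and treating the hostname of each outbound URL as the "Vendor".

```python
import re
from urllib.parse import urlparse

# Constructed sample "repository": path -> file contents. These files are
# invented for this example and are not from any real project.
SAMPLE_REPO = {
    "src/checkout.js": (
        'const card = "4111 1111 1111 1111";\n'
        'fetch("https://api.payments.example/charge", '
        '{ body: JSON.stringify({ card }) });\n'
    ),
    "src/users.py": (
        'SUPPORT_EMAIL = "support@example.com"\n'
        'requests.post("https://analytics.example/track", '
        'json={"email": SUPPORT_EMAIL})\n'
    ),
    "README.md": "Contact us at hello@example.com\n",
}

# Hypothetical, simplified data-type detectors (a real DLP engine uses far
# richer rules, e.g. Luhn validation for card numbers).
DATA_TYPES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Any http(s) URL literal is treated as an outbound call to a Vendor.
OUTBOUND_URL = re.compile(r"https?://[^\s\"')]+")


def static_data_issues(repo):
    """Static Data view: every data-type hit in every file, with its location,
    regardless of whether the file makes any API call at all."""
    issues = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for dtype, pattern in DATA_TYPES.items():
                if pattern.search(line):
                    issues.append({"file": path, "line": lineno, "data_type": dtype})
    return issues


def data_transit_issues(repo):
    """Data Transit view: one entry per outbound call, naming the Vendor
    (URL host) and the data types present in the same file, i.e. the data
    that could plausibly be leaving with that call."""
    issues = []
    for path, text in repo.items():
        types_in_file = sorted(d for d, p in DATA_TYPES.items() if p.search(text))
        for url in OUTBOUND_URL.findall(text):
            host = urlparse(url).hostname
            issues.append({"file": path, "vendor": host, "data_types": types_in_file})
    return issues


def vendors(repo):
    """Vendors view: host -> set of data types shared with that host,
    aggregated across all Data Transit issues."""
    summary = {}
    for issue in data_transit_issues(repo):
        summary.setdefault(issue["vendor"], set()).update(issue["data_types"])
    return summary


if __name__ == "__main__":
    for issue in static_data_issues(SAMPLE_REPO):
        print("static  ", issue)
    for issue in data_transit_issues(SAMPLE_REPO):
        print("transit ", issue)
    print("vendors ", vendors(SAMPLE_REPO))
```

Running the script shows the distinction the two pages make: README.md produces a Static Data issue (an email address in a file) but no Data Transit issue, because nothing in that file calls out to a Vendor, while the two source files each produce both kinds of issue.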
Wrapping Up
Now that you have a sense of how to use the fundamental capabilities of Riscosity, it is time for you to invite other Users and onboard more Applications/Repositories. As you get a handle on using Riscosity and the state of your Data Flow posture, you can use more advanced capabilities like Riscosity's Governance Proxy to automatically control how your Applications/Repositories communicate with Vendors and what data can be sent.
To read more about Riscosity, please go to the Using Riscosity section of our documentation.
If you have any questions or need any help, please reach out to your Riscosity representative.