JFrog Artifactory and JFrog Xray recently underwent a rigorous hardening process to earn accreditation for inclusion in the U.S. Department of Defense’s Iron Bank, a centralized repository of digitally-signed and hardened container images. In this blog post, we’re pulling back the curtain on the process, in order to share our insights and lessons learned with our customers and with the DevOps community at large.
We’ll describe the container hardening and cyber security checks that Artifactory and Xray went through, and explain the value and benefits organizations receive from deploying Iron Bank containers in production.
What’s Iron Bank?
First, the basics: Iron Bank is part of Platform One, a DoD initiative for DevSecOps, the software development practice that combines software development (Dev), security (Sec) and operations (Ops) to efficiently manage and streamline the software development lifecycle.
By using Iron Bank containers and Platform One tools, DoD teams can get authorization to go live with their applications faster. They can push validated code into production on an ongoing basis, shortening development cycles and releasing new features more quickly.
JFrog’s Iron Bank container-hardening reference considerations
The JFrog Platform’s reference considerations for container hardening extend Iron Bank security hardening requirements by implementing the following functions and controls for securing the Artifactory and Xray container images. Iron Bank containers are hardened with DoD-approved tools.
- Application code is scanned by static and dynamic code analysis tools.
- Vulnerability scans and compliance scans are run.
- Security reports are published for end user consumption.
Pre-validated repository considerations:
- DoD-approved Trusted Base Images: Red Hat UBI 7 and UBI 8 OS
- Checksum-based signed container images
Container hardening pre-requisites:
- Images are scanned for open ports, TLS configuration, and approved SSL ciphers.
- Images can run on approved CNCF Kubernetes platforms (currently under validation).
Security function extensions:
- The JFrog Platform’s Artifactory and Xray products were used to validate and harden the Artifactory and Xray dependencies before submission to Iron Bank. Findings were mitigated before submission.
This architecture diagram shows the Xray and Artifactory container-hardening process for Iron Bank, consisting of automated pipelines, which in turn include multi-step hardening phases.
Hardening process steps:
- Preparation: Artifactory and Xray container images are built on DoD-trusted and approved base images (UBI 7, UBI 8).
- Preparation: Artifactory and Xray scan and test the container images before the Dockerfile is written and the dependencies are packaged for submission to Iron Bank. JFrog then submits a pull request to the Iron Bank repository, which triggers the DevSecOps pipeline orchestration.
- Test: Iron Bank pipeline “test” step validates and downloads dependencies.
- Build: Build step builds the container image.
- Secure: Container images are secured using dynamic and static code scanning.
The process also involves a DevSecOps hardening team and cyber engineers who validate the results and generate findings for any vulnerabilities that must be fixed before approval. Finally, the secured images are approved and stored in Iron Bank.
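The preparation steps and the hardening prerequisites above (DoD-trusted UBI base images, checksum-pinned images, and scanning for exposed ports before submission) can be enforced as an automated pre-submission gate. The following script is an added illustration written for this post; it is not JFrog's, Iron Bank's or Platform One's tooling. It parses a Dockerfile, confirms that every external base image comes from an approved repository and is pinned by a well-formed sha256 digest, flags exposed ports outside an allowlist and a final stage that still runs as root, and verifies a pulled blob against its digest reference. The registry path, the port allowlist and the two sample Dockerfiles are constructed assumptions, not values from the post.

```python
"""Pre-submission policy checks for a container build (added illustration,
not JFrog's or Iron Bank's tooling)."""
import hashlib
import hmac
import re

# ASSUMED placeholder registry path for the DoD-approved UBI 7 / UBI 8 base
# images; the real repository names are not given in the post.
APPROVED_BASES = {
    "registry.example.mil/ironbank/redhat/ubi/ubi7",
    "registry.example.mil/ironbank/redhat/ubi/ubi8",
}
# Constructed allowlist of ports the image may expose; anything else is a finding.
ALLOWED_PORTS = {8081, 8082}

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
EXPOSE_RE = re.compile(r"^EXPOSE\s+(.+)$", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def logical_lines(text):
    """Yield Dockerfile instructions with comments dropped and backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def split_reference(ref):
    """Split 'repo[:tag][@sha256:...]' into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):   # a ':' after the last '/' is a tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def check_dockerfile(text, approved_bases=APPROVED_BASES, allowed_ports=ALLOWED_PORTS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stages = set()    # names of earlier build stages (FROM ... AS name)
    last_user = None  # USER in effect at the end of the final stage
    for line in logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.groups()
            last_user = None                 # USER does not carry across stages
            if alias:
                stages.add(alias.lower())
            if ref.lower() in stages:        # FROM <earlier stage>: nothing external to check
                continue
            repo, _tag, digest = split_reference(ref)
            if repo not in approved_bases:
                findings.append(f"base image {repo!r} is not an approved trusted base")
            if digest is None:
                findings.append(f"base image {ref!r} is not pinned by digest")
            elif not DIGEST_RE.fullmatch(digest):
                findings.append(f"base image digest {digest!r} is malformed")
            continue
        m = EXPOSE_RE.match(line)
        if m:
            for spec in m.group(1).split():  # '8080', '8080/tcp' or '8000-8010'
                lo, _, hi = spec.split("/")[0].partition("-")
                for port in range(int(lo), int(hi or lo) + 1):
                    if port not in allowed_ports:
                        findings.append(f"exposes port {port}, which is outside the allowlist")
            continue
        m = USER_RE.match(line)
        if m:
            last_user = m.group(1)
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root (no non-root USER set)")
    return findings


def verify_digest(blob, expected):
    """Checksum-based check of a pulled manifest or layer against its 'sha256:<hex>' reference."""
    algo, _, hexval = expected.partition(":")
    if algo != "sha256":
        return False
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), hexval.lower())


# Constructed sample inputs (not real manifests or JFrog Dockerfiles).
SAMPLE_MANIFEST = b'{"schemaVersion": 2, "constructed": true}'
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_MANIFEST).hexdigest()
SAMPLE_GOOD = f"""
# multi-stage build on a digest-pinned approved base, non-root, allowed ports only
FROM registry.example.mil/ironbank/redhat/ubi/ubi8:8.4@{SAMPLE_DIGEST} AS build
RUN echo building
FROM registry.example.mil/ironbank/redhat/ubi/ubi8:8.4@{SAMPLE_DIGEST}
COPY --from=build /app /app
EXPOSE 8081 \\
       8082/tcp
USER 1030
"""
SAMPLE_BAD = "FROM docker.io/library/ubuntu:20.04\nEXPOSE 22 8081\nRUN useradd app\n"

if __name__ == "__main__":
    for name, dockerfile in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_dockerfile(dockerfile) or ["no findings"])
    print("manifest digest ok:", verify_digest(SAMPLE_MANIFEST, SAMPLE_DIGEST))
```

Running the script prints no findings for the first Dockerfile and four for the second (unapproved base, no digest pin, port 22 exposed, root user). A gate like this only covers what is visible in the build definition; the runtime checks in the post (listening ports and TLS ciphers of the running container) still need a scan of the built image.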
Artifactory and Xray Iron Bank certification
Now that Artifactory (both the open source and commercial versions) and Xray are Iron Bank-approved, these container images can be downloaded from the Iron Bank registry and hosted on any DoD-supported and approved Kubernetes distribution.
This certification enables JFrog customers, both federal and commercial, to deploy and operate the hardened Artifactory and Xray containers in production on secured networks, including air-gapped ones.
JFrog continues to invest in its platform by committing to continuous Iron Bank certification. This enables JFrog customers to deploy and operate secured Artifactory and Xray container images in secured environments.
In our next blog post about this topic, we’ll explore how the JFrog Platform helps address the DoD’s DevSecOps Reference Design.
Interested in learning more about the Iron Bank accreditation of Artifactory and Xray? Join us for our webinar “Aligning to the DoD Enterprise DevSecOps Reference Design” on Oct. 26 at 11 a.m. PT / 2 p.m. ET.