DevOps 2022: 5 Big Rocks to Harness the Software Supply Chain

Together with the community, JFrog pioneered what we now know as DevOps with a focus on binaries (aka software packages, artifacts or images). A decade ago, no one thought binary management would be a thing — now it’s a standard most companies can’t live without. Back then, we said software universality would be necessary, and now others follow suit. People thought cloud would be a single-vendor decision. We invested in hybrid and multi-cloud, and now we see it happening across industries.

We said we would see a huge growth in DevOps in 2021, and in just one year we see some public companies and investors now estimating a $50 billion TAM for the DevOps marketplace. These are nice pats on the back and a confirmation of our focus, sure. But it’s time to look forward to the next leaps ahead for DevOps, supporting all companies as they digitally transform their businesses.

2022 Is All About the Binaries

In a world where automation drives smarter, faster, better software at scale, binary management is now at the core of any company. And since software powers the world, binaries have become everyone’s business. Let me explain.

Binaries are the only asset in the world of software that is brought into the organization, built in the organization, tested, automated, secured, promoted and deployed at the edge. Binaries are the blood flow of the software supply chain and the core software value you ultimately deliver into production (not source code). The software supply chain is about the binaries being imported, built and delivered by your organization's dev teams, and it simply cannot be brought under control with source code-centric approaches.

In fact, everything "after Git" is a binary-driven step in your software release cycle. Automation is about binaries. Distributing to the edge is binary deployment. Even if it sometimes starts with static source code scanning, a company's security is ultimately about the binaries it runs in production (see SolarWinds, where the malicious code was inserted during the build so the signed binary was compromised while the source repository looked clean, and Log4j; more on that later). The software supply chain is about curating, delivering, deploying and protecting binaries. Period.

While JFrog has been in the binary business forever, in 2022 you’ll see the roadmaps of many businesses and platforms begin to address the binary lifecycle as a mission-critical piece of their DevOps and Security stack. If this piece is not handled properly, companies will not be able to meet the promises of digital transformation in the coming year.

And if you think “digital transformation” is a phrase of yester-year, think again. Some analyst firms estimate only a quarter of companies that plan on transforming themselves have even started to do so. There’s a long runway ahead for transformative DevOps, and the way is paved with binary management.

DevSecOps Isn’t a Real Thing Yet (But It Can Be)

While there is a LOT of buzz around "DevSecOps," it's still nothing but a phrase, and certainly not a specific standard that offers developers and security stakeholders common ground. We can be honest about why: the melded mindset that DevOps created between developers and operations teams has not yet happened in a "DevSecOps" world. Security is still an add-on, or a very necessary but developer-intrusive step in the software release process.

Remember how not too long ago “Dev” was the world of programmers and “Ops” was the world of IT? These two populations became one by sharing the same pains and same incentives to become DevOps teams. We have all created this new DevOps reality together. 

But it's very different when you add the "Sec" to DevSecOps. We're now asking developers, as an industry, to develop security skills, or at minimum to incorporate Software Composition Analysis (SCA) tools and vulnerability triage into their processes. We say things like "shifting left" to describe these moves (very important, of course). Yet if you ask any developer, they'd much rather be coding and adding value than worrying about security.

But the business rightfully insists that security MUST be part of the story and integrated into the supply chain lifecycle from the start to protect the organization, not just the developer or the development process. Log4j, the latest reminder, and other high-profile software supply chain incidents only solidify this point, and the next "big one" is inevitably around the corner.

In 2022, supply chain security, with developers at the center, will take the spotlight as organizations rally to democratize security testing and scanning, implement software bill of materials (SBOM) requirements, and increasingly leverage security solutions to create a full chain of custody for software releases to keep systems running smoothly and securely. But solutions must be much more holistic than today, where there are 4, 5, 6, 7+ security solutions driven by security engineering teams, while developers have various specialized solutions to look at their code or applications (also important). This fragmented, multi-tool approach must change.

Case in point: developers around the world gave up their Christmas vacation in order to help their companies recover from the recent Log4j vulnerability (Log4Shell, CVE-2021-44228). The developers all have security tools and OSS scanners, so what happened? Why did developers again pay the price for a security vulnerability? The simple answer is that the focus was not on the right asset! They needed to find every copy of the vulnerable log4j-core artifact, including copies bundled inside fat JARs, WARs and container images that never show up in a source-level dependency declaration, and replace each one with a fixed build, but they couldn't, because existing systems did not have an implemented binary security and management practice.
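
To make the "right asset" point concrete, here is an added example (not JFrog's code, and not part of the original post) that does Log4Shell impact discovery and the SBOM-style inventory mentioned above the binary-centric way: it opens a JAR, recurses into JARs nested inside it (fat JARs, WARs), reads the Maven pom.properties that each artifact carries, builds a component inventory, and flags any log4j-core below the fixed floor for its release line (2.17.1, with the 2.12.4 and 2.3.2 backports, per the Apache Log4j security page) as well as any JndiLookup.class still present. The sample fat JAR is constructed inline so the script runs offline; the release-line floors, the Spring-Boot-style BOOT-INF/lib layout and the com.example coordinates are assumptions for the example.

```python
# Added example: binary-centric Log4Shell impact discovery plus an SBOM-style
# component inventory, using only what the binary itself carries.
import io
import re
import zipfile
from dataclasses import dataclass, field

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Earliest release per line that closes CVE-2021-44228 and its follow-ups
# (Apache Log4j security page). Assumption: adjust if your policy differs.
FIXED_FLOORS = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
DEFAULT_FLOOR = (2, 17, 1)


@dataclass
class Component:
    group: str
    artifact: str
    version: str
    path: str  # location inside the scanned artifact, "outer!/inner" style


@dataclass
class Report:
    components: list = field(default_factory=list)  # SBOM-style inventory
    vulnerable: list = field(default_factory=list)  # log4j-core below floor
    jndi_lookup_paths: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pre-release tags such as 'beta9' sort lowest."""
    parts = [int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", version)]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable_log4j(version: str) -> bool:
    v = parse_version(version)
    return v < FIXED_FLOORS.get(v[:2], DEFAULT_FLOOR)


def parse_pom_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _scan(data: bytes, path: str, report: Report) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive; nothing to inventory
    with zf:
        for name in zf.namelist():
            inner = f"{path}!/{name}"
            if name == JNDI_LOOKUP_CLASS:
                report.jndi_lookup_paths.append(inner)  # class still shipped
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                comp = Component(props.get("groupId", ""), props.get("artifactId", ""),
                                 props.get("version", ""), inner)
                report.components.append(comp)
                if (comp.group, comp.artifact) == LOG4J_CORE and is_vulnerable_log4j(comp.version):
                    report.vulnerable.append(comp)
            elif name.endswith((".jar", ".war", ".ear", ".zip")):
                _scan(zf.read(name), inner, report)  # recurse into bundled archives


def scan_artifact(data: bytes, name: str = "artifact") -> Report:
    report = Report()
    _scan(data, name, report)
    return report


# Constructed sample input (not a real artifact), so the example runs offline.
def build_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def pom_props(group: str, artifact: str, version: str) -> str:
    return f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"


def sample_fat_jar() -> bytes:
    """Assumed Spring-Boot-style fat JAR bundling log4j-core 2.14.1."""
    log4j_core = build_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            pom_props("org.apache.logging.log4j", "log4j-core", "2.14.1"),
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",  # placeholder class bytes
    })
    log4j_api = build_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties":
            pom_props("org.apache.logging.log4j", "log4j-api", "2.14.1"),
    })
    return build_jar({
        "META-INF/maven/com.example/app/pom.properties": pom_props("com.example", "app", "1.0.0"),
        "BOOT-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "BOOT-INF/lib/log4j-api-2.14.1.jar": log4j_api,
    })
```

Run it against a real artifact with `scan_artifact(open("app.jar", "rb").read(), "app.jar")`; on the constructed sample it inventories three components (the app, log4j-api and log4j-core), reports log4j-core 2.14.1 as vulnerable at `app.jar!/BOOT-INF/lib/log4j-core-2.14.1.jar!/...`, and notes the JndiLookup.class still inside it. None of that is visible from the application's own pom.xml if the logging library arrived transitively, which is exactly why the discovery has to run on the binary.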

The good news is that this dilemma is solvable for both teams. By focusing on the "what" we are trying to secure (binaries) rather than the "how" we are trying to secure them (myriad tools for every step), the DevOps world can protect the developer, the open source curation process, the build process, and the deployment and runtime environments. Securing binaries holistically throughout the DevOps pipeline is therefore the key to protecting the organization and making developers more efficient, which is what DevSecOps promised in the first place.

In short, 2022 will be the year we begin to see actual culture change to bring security and development teams together with binaries at the center as a shared asset. It might be a Docker image or an OSS package you proxy from a public hub, but binaries will be the asset we’ll curate, manage, secure and ship.

Managing Source Code Can’t Fix Your Supply Chain

Source code and CI are where every developer starts. Back in the day, Subversion and Perforce were the name of the game; now most VCS solutions are Git-based. But the pain today isn't about managing source or choosing an IDE. The pain now is about scale, speed and trust as you automate the entire binary-centric delivery cycle.

"GitOps" and other source-driven approaches may be useful in some instances, but source isn't the right asset for solving these supply chain issues. Why? The metadata that describes what you actually ship (versions, checksums, licenses, bundled dependencies) comes from binaries and software packages. Dependencies are resolved and delivered as binaries. Automation happens through the movement of binaries. Supply chain security is about curating and securing binaries.

This means that in 2022, binary management, alongside your VCS and GitOps practices, is not just a nice-to-have. It's a requirement for getting control of your full supply chain. Recent industry-shaking security alerts have all been about vulnerable software packages, not source code management or operations. Discovering impact is about binaries. Patching and updating is about binaries. There's a theme here that's hard to ignore.

Hybrid Becomes a First-Class Citizen in 2022

Just as our work environment has changed to a hybrid model forever, so has the deployment model for most companies. That may not be news, as JFrog has maintained for a long time that hybrid cloud isn’t accidental or a one-off exception. Hybrid is the new cloud norm, and it’s intentional for many companies. 

But in 2022, we will all observe that there is no single deployment environment anymore, even for "cloud-first" shops. The cloud vendors themselves are pushing this hybrid concept: look at the bridges between on-prem and cloud from providers like AWS, which recently launched services for running Kubernetes on-prem. Hybrid is the intentional, efficient new normal, and if companies do not embrace services that support these models, transformation will prove difficult at best.

We’ll also of course see more hybrid setups as a pathway to a cloud-centric approach, so even if a company intends to migrate fully to the cloud, 2022 will be full of more hybrid setups for dev and production. 

2022 Is the Year of the Edge

Analysts believe the number of edges we will all have to manage will grow by several million (data centers, servers, clusters) while incorporating billions (with a "b") of new devices in the next couple of years. In 2022, we will see an industry-wide push to harness cloud, multi-cloud and hybrid edge topologies, which will necessitate robust solutions to distribute (and manage the distribution of) a company's binaries.

As an example, one of the most popular car companies in the world is saying publicly that it’s not about the tires, the engine, the seating or the horsepower anymore. It’s all about Over The Air (OTA) software updates; these are what provide real value to the driver — their customers. Your experience is going to be improved while you drive, you’ll be safer, you’ll be smarter, you’ll be more informed and entertained as a driver. This shift in focus brings software even more to the forefront. It connects the CI/CD workflow, software distribution and the binaries (and only binaries) being deployed on the device as the new competitive differentiators.

2022 Will Be the Binary “Big Bang”

Binaries will explode even more in 2022. Not just in the number of binaries — which of course grows quickly — but the attention to the importance of binaries and the technology to manage their lifecycle. This isn’t a trend — it’s a truth that’s here to stay. 

But simply managing something is not good enough. You must have enough confidence in your assets to drive differentiation with them. As this DevOps universe expands, I look forward to seeing how the JFrog team and the development community continue to make DevOps and the software supply chain not something to be passively tamed, but something that we all fearlessly utilize to drive success.

May the Frog be with us all in 2022.