JFrog customers will soon enjoy end-to-end, holistic security across their software lifecycle — from development to devices — as the technology of recently-acquired Vdoo gets integrated into the JFrog DevOps Platform.
That was the pledge made by JFrog and Vdoo leaders during their first joint webinar, in which they explained why JFrog acquired Vdoo, how the platform's security and compliance capabilities will expand, and what the integration timeline is.
“We’re very excited about the future. We’re working very hard on delivering this functionality to you as quickly as we can,” Yoav Landman, JFrog’s CTO and Co-Founder, said during the webinar Vdoo & JFrog: Enhanced Security from Code to the Edge.
Unifying Dev, Sec and Ops
There’s often a disconnect and mistrust among development, security and operations teams, especially in larger organizations, but what unites them are runtime binaries. That’s what developers make, security pros scan, and operators deploy and monitor.
“That’s the common ground,” Landman said. And that’s a key reason why JFrog saw a good fit with Vdoo: Both have been laser-focused on binaries.
“It’s all about binaries,” Nati Davidi, Vdoo CEO and co-founder, said. “Looking at binaries is the only way to understand what matters.”
With a focus on binaries, Vdoo performs real contextual analysis, dramatically reducing false positive rates, pinpointing the most critical issues that should be prioritized, and reducing blind spots, such as misconfigurations that can create security and compliance gaps.
Equally important, zeroing in on binaries is the only way to truly understand how attackers think.
By covering all critical aspects of software security, JFrog and Vdoo will offer development, security and operations teams a single solution for comprehensively testing and analyzing an organization's software against its entire set of security and compliance needs.
That way, organizations will have a coordinated and unified DevSecOps strategy and approach, where all teams are working in unison and basing their decisions on the same concrete proof and guidance.
The JFrog DevOps Platform
It’s key to first understand the scope of the universal and hybrid JFrog DevOps Platform, which provides end-to-end software release management for binaries — what JFrog calls the BinOps lifecycle.
The platform includes artifact storage and management, security and compliance violation detection, CI/CD, distribution, and more.
A closer look at Xray
The piece of the platform that’s most relevant to the Vdoo acquisition is JFrog Xray, a software composition analysis (SCA) tool that detects open source software vulnerabilities and license compliance issues. Key features that set it apart from competitors include:
- IDE integration
Xray lets you protect the software release pipeline and supply chain even before you have binaries, starting right from the moment you write the first lines of code and need dependencies for your applications. Xray will integrate with the most popular IDEs and let you perform scans from within their interface.
- CI/CD integration
Once you build and package your software release, Xray performs SCA and compiles an SBOM by uniquely tapping into the build process and capturing information about dependencies and production artifacts. It also lets you set up actionable policies, for example, to automatically fail a build that has unsafe dependencies.
- Distribution integration
Through its integration with JFrog Distribution, Xray will scan your release SBOM and ensure the safe promotion and distribution of software to production.
- Production monitoring
After the software is in production, Xray lets you monitor it and detect production violations, and provides a full impact analysis map of, for example, newly disclosed vulnerabilities, along with remediation advice.
The way Xray monitors software that’s already been deployed is through its unique recursive scans and impact analysis. How does Xray do this?
- Indexes components only once, scans them and keeps them in the database
- Recursively scans every binary layer, taking the software release apart and scanning all the way down to its deepest components
- Builds a component graph and matches new and known vulnerabilities to the graph
- Creates an impact analysis map, showing you the faulty artifact that’s making your software release vulnerable and links it to what you’ve already deployed and distributed
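A toy model of the four-step flow just listed, added here as an illustration and not JFrog's own Xray code: it indexes each component once while recursively unpacking a release, keeps child-to-parent edges as the component graph, matches an advisory against it with a version-range applicability check, and walks the graph upwards to produce the impact map. The release layout, component names, deployment targets and the advisory EXAMPLE-0001 are all constructed.

```python
from collections import deque

# Constructed sample data (not a real release): a container image whose two layers hold
# packages, some of which bundle further components. Identifiers are name@version.
LAYERS = {"app:1.0": {"layer-base": ["openssl@1.1.1k", "busybox@1.33.1"],
                      "layer-app": ["webapp.jar@1.0.0"]}}
CONTENTS = {"webapp.jar@1.0.0": ["xmlparse@2.14.1", "jsonlib@2.12.3"],
            "busybox@1.33.1": ["musl@1.2.2"]}
DEPLOYED = {"app:1.0": ["prod-cluster-eu", "edge-gateway-17"]}   # release -> targets

def build_graph(layers=LAYERS, contents=CONTENTS):
    """Recursively take the release apart; index each component once and keep
    child -> parents edges so impact can later be traced upwards."""
    parents, indexed = {}, set()
    stack = [(c, rel) for rel, lyrs in layers.items() for comps in lyrs.values() for c in comps]
    while stack:
        comp, parent = stack.pop()
        parents.setdefault(comp, set()).add(parent)
        if comp in indexed:          # seen before: reuse the index, no rescan
            continue
        indexed.add(comp)
        stack.extend((sub, comp) for sub in contents.get(comp, []))
    return parents, indexed

def _ver(v):
    """Toy version parser: digits per dotted part only (real scanners use ecosystem rules)."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))

def affected(component, vuln):
    """Applicability check: same package and a version inside the advisory's [lo, hi) range."""
    name, version = component.split("@")
    lo, hi = vuln["range"]
    return name == vuln["package"] and _ver(lo) <= _ver(version) < _ver(hi)

def impact_map(vuln, graph, deployed=DEPLOYED):
    """Match a vulnerability to the graph, then walk parent edges up to the releases
    that contain the faulty artifact and the places those releases were deployed."""
    result = {}
    for hit in (c for c in graph if affected(c, vuln)):
        seen, queue = set(), deque([hit])
        while queue:
            node = queue.popleft()
            if node not in seen:
                seen.add(node)
                queue.extend(graph.get(node, ()))
        releases = sorted(n for n in seen if n in deployed)
        result[hit] = {"path": sorted(seen - {hit}), "releases": releases,
                       "deployments": sorted(d for r in releases for d in deployed[r])}
    return result
```

Calling `impact_map({"id": "EXAMPLE-0001", "package": "xmlparse", "range": ("2.0.0", "2.15.0")}, build_graph()[0])` returns the faulty artifact, the bundle and release it sits in, and both deployment targets.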
Why JFrog and Vdoo are better together
JFrog identified five main value propositions from Vdoo that set it apart in the industry.
- Accelerated mitigation
Vdoo uses unique technologies and techniques to scan artifacts and reduce the noise associated with vulnerabilities. By looking at vulnerabilities in a comprehensive, holistic context that takes into account the particulars of your binaries and of your IT environment, Vdoo ensures that its findings and mitigation advice are precise and relevant.
Vdoo refers to this contextualized, personalized analysis of vulnerabilities and misconfigurations as applicability scanning. Essentially, this approach lets Vdoo determine whether a particular vulnerability or configuration issue will actually affect your specific artifacts or binaries, so that you can prioritize your next steps according to how urgent and critical the issue really is to your organization.
Vdoo doesn’t stop at detecting and analyzing threats. It also provides detailed knowledge base articles with developer-friendly instructions on how to mitigate critical vulnerabilities and misconfigurations. With its findings mapped to 40-plus security standards, Vdoo also quickly lets you know if you’re in compliance with industry mandates and government regulations.
- Fully automated zero-day detection
With a team of expert security researchers, Vdoo discovers vulnerabilities that haven’t been disclosed, helping organizations stay a step ahead of attackers. In fact, Vdoo is an authorized CVE Numbering Authority (CNA), meaning it can register new vulnerabilities in the Common Vulnerabilities and Exposures list.
In addition to discovering and disclosing zero-day vulnerabilities, Vdoo’s threat intelligence team also provides context and insights about known, disclosed vulnerabilities, so you can understand how much of a threat they represent to your software, given the particulars of your environment.
Vdoo scans every element of an artifact for vulnerabilities and malicious code, supporting both compiled binaries and source code, and using a variety of techniques, including next-gen static analysis, fuzzing and symbolic execution. It detects malicious OSS packages, backdoors and bugdoors.
- Universal device protection
With its strong foundations in IoT security, and its deep experience on a wide range of devices, Vdoo opens JFrog up to a new world of endpoints — embedded systems, smartphones, servers and more, across a variety of operating systems, architectures and mobile control apps.
- C/C++ application scanning
Through advanced SCA, Vdoo identifies C and C++ components using machine learning-based binary similarity algorithms, thus complementing the capabilities of JFrog's Conan package manager for C and C++. In addition, Vdoo detects configuration issues and zero-day threats.
- Runtime protection
Vdoo's runtime agent protects your runtime environment in a tailored, customized manner because it is compiled automatically for each system it runs on. Its core capability is smart whitelisting, which allows only known and approved code to be loaded and executed.
Xray will be enhanced with Vdoo vulnerability data, including remediation advice, in this year’s third quarter, and deeper integration with the JFrog DevOps Platform will occur in 2022.
"We're looking forward to bringing this technology to all JFrog customers very soon because Vdoo is about making developers' lives easier when it comes to security," Asaf Karas, Vdoo CTO and Co-Founder, said. "That's our vision."
Watch on-demand the full webinar “Vdoo & JFrog: Enhanced Security from Code to the Edge” to get all the details about the integration of Vdoo’s technology with the JFrog DevOps Platform!