JFrog swampUP 2023: News and Updates Live From the Show Floor

JFrog swampUP 2023 live from show floor

Live updates from this event have concluded.

At JFrog’s annual user conference, swampUP 2023, attendees will gain practical insights to help them be prepared for the next digital disruption, security crisis, migration, or advancement in connected devices. Here are live updates coming from the event in San Jose, CA on September 13th 2023:

[5:20 p.m.] How to Take Prometheus Planet-Scale: Massively Large-Scale Metrics Deployments

eBay observability architect Vijay Samuel and observability lead Sandeep Chatra Raveesh detail how observability at the company has been on an exponential growth curve. Specifically, the duo dives into the “planet-scale” architecture of its metrics platform and how GitOps has helped facilitate the complexity of its massive deployments.

eBay observability architect, Vijay Samuel and observability lead, Sandeep Chatra Raveesh

Sound bites from the session

  • Vijay and Sandeep began with a look at observability at eBay: the company instruments, onboards, and harvests data, then sets up alerts and allows its users to visualize it all. Every minute the company scrapes roughly 2.5 million Prometheus endpoints. “The observability platform is at the heart of a true DevOps system.”
  • “Adopting Prometheus as-is is not straightforward,” Raveesh said. When eBay started using it, there was no support for HTTP push, and the federated view of data was complicated. Further, scaling was hard — deploying multiple instances of Prometheus led to operational overhead challenges. Team goals included keeping things simple, including tenanting, and integrating tightly with Kubernetes. It also wanted to support PromQL and Grafana so users could fully build out user experiences.
  • The company’s initial approach created challenges; it couldn’t keep up with new use case onboarding, tenant-based query routing was flawed, it was hard to support high-cardinality use cases, and there were too many dependencies involved. “Observability should have as few dependencies as possible.”
  • Turning to the anatomy of a planet-scale installation, the team noted that data is closer to the source, rollups get bubbled up, queries are federated, and delivery is achieved through GitOps. “Control loops watch over the Git and deliver to the cluster.”
  • After detailing the complete deployment architecture and providing an overview of its ingest routing, the team looked at its query routing. “With more and more cardinality, how do we make sure querying is faster?” Ultimately, eBay was able to achieve better scaling capabilities for high-cardinality data by deploying zones with rolled-up data that’s easier to query. In addition, the company improved its ingest and query performance while creating independently usable metric stores.
  • In the end, the team came to the conclusion that GitOps makes life easy because it ensures changes are reviewed, automated, and easy to roll back. It also learned that internal APIs aren’t a bad thing; reusing the Prometheus contract end-to-end wasn’t required. Finally, continuous observation and evolution is key. Looking forward, the company will look to perfect automatic rollups, to support native histograms, and to consider embracing APIs.

[4:30 p.m.] Demystifying Artifactory Upgrades by Capital One

JFrog’s Artifactory plays a huge role in the day-to-day lives of enterprises — just ask Jyostna Seelam, lead software engineer at Capital One. She discusses the company’s upgrade process, the best policies it follows, and insights she has learned that will impact future updates.

Jyostna Seelam, lead software engineer at Capital One

Sound bites from the session

  • Seelam detailed Capital One’s use of Artifactory, along with the benefits of continuous modernizations: it helps the company stay up to date with industry standards, it addresses bugs, it improves control on the platform with new cutting-edge features, and it makes it more feasible to adopt and align with newer infrastructure designs. She also highlighted JFrog’s customer support and versatile troubleshooting capabilities.
  • When it comes to the steps involved in upgrading, Capital One begins with backups before shutting down its application to initiate the upgrade. The company then begins the upgrade, starting with changes to the database — “This is the most sacred part of the upgrade, and failing this can be catastrophic,” Seelam said — followed by replacing the config descriptor. Finally, metadata migration is triggered on the first system initialization after the upgrade.
  • Seelam says upgrades are accompanied by inherent challenges, particularly when it comes to the database upgrade portion of the equation. This step could lead to slow database updates, simultaneous update issues, session counts that are too high following the upgrade, or locks in the database itself. In addition, she warns that metadata migration could happen at a slower pace. “There are other potential problems, but these are the most common we have seen,” she said.
  • Resolving database upgrade issues could call for disabling the archived indexes feature, restarting the database to clear any locks, or identifying problematic queries and the frequency of their execution. In addition, modernizing the database (converting from GP2 to GP3, for example), and reevaluating indexes — as well as dropping problematic indexes — can help mitigate database upgrade challenges.
  • “Artifactory is an awesome product,” Seelam concluded. She wrapped up the session with a few tips to remember, including keeping notes on the database indexes created between version upgrades, developing a sound process to track changes, and implementing monitoring and log collection models. Finally, she urges users to provide ample time and patience. Ultimately, a successful upgrade helps establish strong collaboration between team members and builds overall team culture.
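The troubleshooting steps above (clearing locks, spotting slow or repeated queries, watching session counts) start from a snapshot of database activity. The script below is an added example, not Capital One's or JFrog's tooling; it assumes a PostgreSQL-style activity view (Artifactory supports PostgreSQL, but the page does not say which database Capital One runs) and triages a constructed snapshot whose fields mirror `pg_stat_activity`, so it runs offline.

```python
"""Triage a database activity snapshot taken during an Artifactory upgrade window.

Added example. The rows below are constructed by hand to look like
pg_stat_activity output (pid, state, wait_event_type, query_start, query);
nothing here talks to a real database.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

NOW = datetime(2023, 9, 13, 4, 30, 0)  # constructed snapshot time


def _row(pid, state, wait, age_seconds, query):
    return {"pid": pid, "state": state, "wait_event_type": wait,
            "query_start": NOW - timedelta(seconds=age_seconds), "query": query}


# Constructed sample: one long-running schema change, two updates blocked on a
# lock, a burst of identical lookups, and one idle session.
SAMPLE_ACTIVITY = [
    _row(101, "active", None, 720, "ALTER TABLE nodes ADD COLUMN sha256 VARCHAR(64)"),
    _row(102, "active", "Lock", 95, "UPDATE nodes SET sha256 = 'ab12' WHERE node_id = 77"),
    _row(103, "active", "Lock", 88, "UPDATE nodes SET sha256 = 'cd34' WHERE node_id = 78"),
    _row(104, "active", None, 3, "SELECT * FROM nodes WHERE node_id = 5"),
    _row(105, "active", None, 2, "SELECT * FROM nodes WHERE node_id = 9"),
    _row(106, "active", None, 1, "SELECT * FROM nodes WHERE node_id = 11"),
    _row(107, "idle", None, 600, "COMMIT"),
]


def normalize_query(query):
    """Collapse string and numeric literals so structurally identical queries group together."""
    q = re.sub(r"'[^']*'", "?", query)
    q = re.sub(r"\b\d+\b", "?", q)
    return re.sub(r"\s+", " ", q).strip()


def long_running(rows, now=NOW, threshold=timedelta(minutes=5)):
    """Active sessions whose current statement has run longer than the threshold."""
    return sorted(r["pid"] for r in rows
                  if r["state"] == "active" and now - r["query_start"] > threshold)


def lock_waiters(rows):
    """Sessions currently waiting on a lock (candidates for the 'restart to clear locks' step)."""
    return sorted(r["pid"] for r in rows if r["wait_event_type"] == "Lock")


def query_frequency(rows):
    """How often each normalized query shape appears among active sessions."""
    return Counter(normalize_query(r["query"]) for r in rows if r["state"] == "active")


def session_pressure(rows, max_sessions):
    """Total session count against a constructed limit (high counts after upgrade were a reported symptom)."""
    return {"sessions": len(rows), "over_limit": len(rows) > max_sessions}


def triage(rows, now=NOW, max_sessions=5):
    """One report covering the common post-upgrade symptoms named in the session."""
    freq = query_frequency(rows)
    return {
        "long_running": long_running(rows, now),
        "lock_waiters": lock_waiters(rows),
        "hot_queries": [(q, n) for q, n in freq.most_common() if n > 1],
        "session_pressure": session_pressure(rows, max_sessions),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACTIVITY).items():
        print(f"{key}: {value}")
```

In practice the rows would be pulled from the database at intervals during the upgrade and the report kept alongside the upgrade notes, which is the kind of record Seelam recommends for tracking index and query behaviour between versions.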

[2:15 p.m.] Diving into DevOps at Netflix

Tejas Chopra, senior software engineer at Netflix, takes the stage to reveal how the global leader in video streaming thinks about DevOps, including a glimpse into its loosely-coupled, yet highly-aligned culture.

Tejas Chopra, senior software engineer at Netflix

Sound bites from the session

  • Chopra shared that Netflix’s main competition is sleep, which is why the company focuses on building “moments of truth.” Its goal is to have viewers choose Netflix, which to them means winning the moment of truth, and it needs the right infrastructure in place to do so effectively.
  • The company has more than 225 million customers across nearly 200 countries, which means hundreds of thousands of customer actions per second and billions of time series metrics — all without one network operations center. “In today’s world, you need to react and develop software very quickly.”
  • “We don’t do DevOps the traditional way,” Chopra said. “We index on freedom and responsibility.” He explained that Netflix developers have the freedom to choose their tools for deployment, which comes along with responsibility if something goes wrong. That said, Netflix does NOT optimize for uptime at all costs; it instead focuses on the velocity of innovation. “We want developers to find new ways to delight our customers.”
  • Netflix also does not require specific standards — it lets people choose the language they work in. “What we focus on is enablement,” Chopra said. “Every engineer picks his or her own battles.”
  • Chopra said that every Netflix engineer is a DevOps engineer. “If you build it, you run it.” The company doesn’t believe in guesses, it believes in data. “The vast majority of our decisions are based on data.” The company creates personalized experiences based on the preferences of individual users — even the clips of shows or movies that play when a user hovers over it are chosen based on those preferences.
  • He concluded with a look at what DevOps means for him, including specific solutions he uses for deployment, CI/CD, and more. During a Q&A session, Chopra said JFrog Artifactory for the enterprise is a system the company wants to stick with. “We haven’t seen any challenges with Artifactory, it scales great for us right now.”

[1:40 p.m.] Fidelity on Migrating to the Cloud at Scale

Gerard McMahon, head of ALM tools and platforms at Fidelity Investments, shares how the company began its cloud migration journey, along with how — and why — its strategy, mission and focus have evolved over time.

Gerard McMahon, head of ALM tools and platforms at Fidelity Investments

Sound bites from the session

  • McMahon says technology has always been core to Fidelity’s business — the company purchased its first computer in 1965. Its current tech priorities include driving digital engagement, embracing core capabilities, increasing business value, and keeping its technology secure, resilient and efficient.
  • By 2026, Fidelity aims to have more than 90% of its applications running in the cloud. The goal is to make it easy for application teams to deploy workloads to the public cloud — and on-premises, when applicable. Its overarching cloud strategy involved cloud enablement, application software delivery, container management, embracing APIs, observability, event/data streaming, and leveraging an operational data platform.
  • “When we started this process, we had over a quarter of a million pipelines across multiple tools — so how can you have security and compliance?” McMahon said.
  • There are two key ways Fidelity leverages JFrog. It uses the platform to verify that artifacts it brings into the system are safe and secure, as well as to deploy the artifacts. “These are critical systems that actually power our business.”
  • When it comes to securing the software supply chain, McMahon says the company uses Artifactory to scan artifacts, but if something happens to create vulnerabilities, continuous scanning picks it up and alerts teams where the issues lie. “It gives us a great way to provide detective-type controls to perform monitoring and compliance on,” he said.
  • “People are building every minute, meaning there are hundreds or even thousands of binaries to account for every day,” McMahon said. He states this is why the JFrog Platform is an integral part of powering the business.

[12:00 p.m.] Security Guru Bruce Schneier on Supply Chain Risk Mitigation

Renowned security guru and New York Times best-selling author Bruce Schneier took part in a fireside chat moderated by JFrog’s vice president of developer relations Stephen Chin.

Fireside chat with security guru and New York Times best-selling author, Bruce Schneier, and JFrog's vice president of developer relations, Stephen Chin

Sound bites from the session

  • Bruce said it’s traditionally unusual that engineers pursuing computer science degrees focus on security in their coursework, but that it’s starting to change: “I like seeing that we’ve matured as an industry where security is no longer an afterthought.”
  • “One of the most insurmountable challenges in our industry is supply chain vulnerabilities,” Bruce said. “Anything the industry can do there is very valuable.”
  • Stephen asked: “Is government policy the right answer? Can they mandate security?” Bruce responded: “They can, that’s their job. But this is the U.S., and we don’t pass laws that nobody wants. In Europe, we may see it more.” Bruce said that industries throughout history haven’t improved security without being motivated by government regulation.
  • Stephen asked about the next wave of vulnerabilities: “What is the future of security when machines are writing the software?” Bruce replied: “There’s an interesting case in vulnerability finding. It has an inherent defensive benefit.” He says that AI can be used to help identify vulnerabilities and that in our lifetime, we may look back at now as a particularly bad era for vulnerable software.
  • Bruce said, ”It took us a couple of decades to figure out software security. My guess is it will take that long to do the same with ML systems that are so different.”

[10:35 a.m.] Shielding the Foundation: Security Across Your Software Supply Chain

JFrog’s security CTO Asaf Karas was joined by vice president of product Eyal Dyment to discuss the need for robust and holistic security capabilities in next-gen software supply chain solutions. An on-stage demonstration showcased JFrog’s DevOps-centric approach to security, along with how forward-thinking organizations are already using it to drive their future pipelines.

JFrog's security CTO Asaf Karas

Sound bites from the session

  • Asaf emphasized that security isn’t something you add — it needs to be a part of the foundation and present throughout the development process. This is a challenge because production is largely based on other people’s open-source code, but that code needs to be trusted. “What we’re seeing is attackers have also shifted left to attack developers and inject malicious packages at the onset.”
  • Asaf discussed how the rate of published common vulnerabilities and exposures (CVEs) is on the rise, creating constant pressure on development and security teams. Yet many critical CVEs in common components have no real security impact, being non-exploitable in 99% of cases. Developers are swamped, but attackers aren’t slowing down and continuously come up with new attacks.
  • Meanwhile, the rate of malicious package attacks is on the rise, increasing five-fold versus just three years ago. ML models can serve as yet another problematic package, causing malicious code execution when loaded by developers or data scientists. Further, attackers are already exploiting generative AI to inject malicious packages. This is why the JFrog approach to security is paramount: it’s research-driven, developer-oriented, binary-focused, and visible all in one platform.
  • JFrog’s VP of Security Products, Eyal Dyment, provided a detailed overview and demo of JFrog Curation, which blocks malicious packages from ever entering an organization’s software supply chain. Newly added to JFrog Curation is JFrog Catalog, which allows teams to search for and identify trusted components or libraries for use in their development. This “Google for OSS packages” greatly reduces remediation efforts later in the SDLC, providing a huge time savings.

[9:55 a.m.] Release Fast (and Secure) or Die!

Yossi Shaul, senior vice president of research and development, and Gali Zisman, vice president of product, dove into the importance of speed in the software development and release process. They touched on an emerging shift in the industry: a “release-first” approach that embraces automation to enhance testing, improve decision-making, and eliminate bottlenecks.

Yossi Shaul, senior vice president of research and development, and Gali Zisman, vice president of product

Sound bites from the session

  • Supporting the release-first approach, Yossi and Gali opened their session by describing JFrog’s release journey, from isolated artifacts, the promotion of artifacts, build info (SBOMs with build artifacts), the distribution of release bundles, and finally JFrog Xray, which identifies vulnerabilities and performs license scanning. The complete JFrog release journey offers simplicity, visibility, governance and, perhaps most importantly, trust.
  • The duo announced JFrog’s Release Lifecycle Management, which is available for users immediately. Before offering a live demo of the new capability, Gali walked attendees through the solution’s key features and functionality, including release bundle creation, full visibility of environments, evidence of signed metadata linked to artifacts and release bundles, the promotion of release bundles through the supply chain, and the distribution of release bundles to an edge node.
  • They then discussed the AI and ML market and illustrated how much adoption is exploding. Gali announced JFrog’s new Trusted ML Model Management and detailed how the platform now allows users to bring ML models into the software development lifecycle (SDLC).
  • Yossi walked attendees through a demo of the new innovation using a fun machine-learning model that detects frogs within a photograph. The beauty? Users can use Artifactory for ML models just as they would for any other binary, making the solution very intuitive for existing users.
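The "evidence of signed metadata linked to artifacts and release bundles" mentioned above is, at its core, a manifest of artifact digests plus a signature over that manifest, so that a promoted bundle can be checked at the target environment. The following is an added example written for this post, not JFrog's Release Lifecycle Management code or its bundle format; it assumes a minimal bundle layout of its own and uses an HMAC with a constructed key as a stand-in for the asymmetric signature a real release system would use.

```python
"""Signed release-bundle evidence: build, sign, and verify a manifest of artifact digests.

Added example. The bundle structure, the artifacts and the key are all
constructed here; HMAC-SHA256 stands in for a real signing key pair.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # placeholder, not a real secret

# Constructed artifacts that would normally be binaries stored in the repository.
ARTIFACTS = {
    "app/web-1.4.0.jar": b"constructed jar bytes for web 1.4.0",
    "app/config.yaml": b"feature_flags:\n  new_checkout: true\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_bundle(name, version, artifacts):
    """Release bundle metadata: every artifact path bound to the digest of its content."""
    return {
        "name": name,
        "version": version,
        "artifacts": {path: sha256_hex(data) for path, data in sorted(artifacts.items())},
    }


def canonical(bundle):
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(bundle, key):
    """Evidence attached to the bundle; a real system would use an asymmetric signature here."""
    return hmac.new(key, canonical(bundle), hashlib.sha256).hexdigest()


def verify_release(bundle, signature, key, artifacts):
    """Validate step at the target environment: evidence must match the metadata,
    and each delivered artifact must match the digest the metadata commits to."""
    if not hmac.compare_digest(sign_bundle(bundle, key), signature):
        return False, "evidence signature does not match bundle metadata"
    for path, expected in bundle["artifacts"].items():
        data = artifacts.get(path)
        if data is None:
            return False, f"artifact missing: {path}"
        if sha256_hex(data) != expected:
            return False, f"artifact digest mismatch: {path}"
    return True, "ok"


def tampered(artifacts, path, new_bytes):
    """Helper for the demonstration: a copy of the artifact set with one file replaced."""
    copy = dict(artifacts)
    copy[path] = new_bytes
    return copy


if __name__ == "__main__":
    bundle = build_bundle("web", "1.4.0", ARTIFACTS)
    evidence = sign_bundle(bundle, SIGNING_KEY)
    print(verify_release(bundle, evidence, SIGNING_KEY, ARTIFACTS))
    swapped = tampered(ARTIFACTS, "app/config.yaml", b"feature_flags:\n  new_checkout: false\n")
    print(verify_release(bundle, evidence, SIGNING_KEY, swapped))
```

The two failure paths matter equally: editing the metadata (for instance bumping the version field) invalidates the evidence, and swapping an artifact after signing is caught by the digest check even though the metadata and its signature are untouched.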

[9:00 a.m.] Software Supply Chain as a Platform

Yoav Landman, JFrog’s CTO, took the stage to dissect one of the most difficult challenges facing DevOps and DevSecOps teams today: end-to-end management and security of the software supply chain. He dove into how an integrated and consistent platform approach is how modern organizations are solving their next-gen supply chain challenges.

JFrog CTO Yoav Landman

Sound bites from the session

  • “Today’s developers need to do much more than coding. There is a gap between developers and operations: according to Gartner, by 2026, 80% of engineering organizations will establish platform teams as internal providers of reusable services, components, and tools for application delivery.”
  • Yoav discussed the emerging “release-first” mentality. “At the end of the day, we have one thing in mind: the software release. This involves injecting controls along the assembly line to guarantee trust.”
  • Under the release-first approach that guarantees trust, JFrog performs three main steps: analyze, validate, and sign. This starts at the source environment, moves through quality checks, and finally ends at the target environment. “We provide full visibility.”
  • Moving on to DevSecOps, Yoav said that attackers attempt to inject themselves into an organization’s environment, ultimately impacting end customers. “The role of JFrog is to protect you from end-to-end at every point.”
  • Yoav then discussed quality control versus quality assurance. “With package curation, JFrog fixes things before they’re broken.” Ultimately, effective curation blocks unwanted software components from entering the software supply chain.
  • JFrog is shifting “lefter than left,” with the idea of protecting the workspace of developers. Seamless integration with JFrog creates a single source of truth for organizations.
  • Yoav moved the discussion to machine learning (ML), beginning with a Gartner forecast that by 2027, 90% of new software applications will contain ML models or services. ML model files are binaries managed holistically with other binaries and “you need to manage those binaries in a single place.” In that vein, Yoav introduced MLOps within the JFrog Platform, a smart model registry with integrated security.
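Three of the sessions above describe the same pair of controls from different angles: curation that blocks unwanted packages before they enter the supply chain (Yoav's "fixes things before they're broken", Eyal Dyment's JFrog Curation demo), and continuous scanning that re-checks artifacts already in the system when new advisories appear (Fidelity's "detective-type controls"). The code below is an added example written for this post, not JFrog Curation, Xray or Fidelity's configuration; the policy rules, package names, advisory identifiers (`ADV-DEMO-...`, not CVEs) and inventory are all constructed.

```python
"""Curation at the entry point plus continuous re-evaluation of admitted artifacts.

Added example. The policy, packages, advisory feed and artifact inventory
are constructed for the demonstration and do not describe any real component.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed curation policy: what may enter the organization's repositories.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "blocked_packages": {"evil-helper"},
    "block_at_or_above": "CRITICAL",
}

# Constructed advisory feed, before and after a new advisory is published.
FEED_V1 = [
    {"id": "ADV-DEMO-001", "package": "jsonlite", "versions": {"3.2.0"}, "severity": "HIGH"},
]
FEED_V2 = FEED_V1 + [
    {"id": "ADV-DEMO-002", "package": "colorkit", "versions": {"2.1.0"}, "severity": "CRITICAL"},
]

PKG_OK = Package("colorkit", "2.1.0", "MIT")
PKG_JSON = Package("jsonlite", "3.2.0", "Apache-2.0")
PKG_GPL = Package("netutil", "0.9.3", "GPL-3.0")
PKG_BAD = Package("evil-helper", "1.0.0", "MIT")

# Constructed inventory: artifacts already admitted, with the packages each contains.
INVENTORY = {
    "web-1.4.0.jar": [PKG_OK],
    "batch-3.0.1.jar": [PKG_OK, PKG_JSON],
}


def advisories_for(pkg, advisories):
    return [a for a in advisories
            if a["package"] == pkg.name and pkg.version in a["versions"]]


def curate(pkg, policy, advisories):
    """Preventive control: reasons a package is refused at the entry point (empty list = admitted)."""
    reasons = []
    if pkg.name in policy["blocked_packages"]:
        reasons.append("package is on the block list")
    if pkg.license not in policy["allowed_licenses"]:
        reasons.append(f"license {pkg.license} not approved")
    limit = SEVERITY_RANK[policy["block_at_or_above"]]
    for adv in advisories_for(pkg, advisories):
        if SEVERITY_RANK[adv["severity"]] >= limit:
            reasons.append(f"{adv['id']} ({adv['severity']})")
    return reasons


def rescan(inventory, advisories):
    """Detective control: re-evaluate admitted artifacts against the current advisory feed."""
    findings = {}
    for artifact, packages in inventory.items():
        hits = [(p.name, a["id"], a["severity"])
                for p in packages for a in advisories_for(p, advisories)]
        if hits:
            findings[artifact] = sorted(hits)
    return findings


def newly_affected(inventory, old_feed, new_feed):
    """Artifacts that became affected only because the feed changed: these are the alerts to raise."""
    before = rescan(inventory, old_feed)
    after = rescan(inventory, new_feed)
    return {artifact: [h for h in hits if h not in before.get(artifact, [])]
            for artifact, hits in after.items()
            if set(hits) - set(before.get(artifact, []))}


if __name__ == "__main__":
    for pkg in (PKG_OK, PKG_JSON, PKG_GPL, PKG_BAD):
        print(pkg.name, curate(pkg, POLICY, FEED_V2) or "admitted")
    print(newly_affected(INVENTORY, FEED_V1, FEED_V2))
```

The split between the two functions is the point: `curate` only protects what has not yet been downloaded, so an artifact admitted under `FEED_V1` is still reported by `newly_affected` once `ADV-DEMO-002` appears, which is the situation McMahon described when "something happens to create vulnerabilities" after ingestion.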

[8:45 a.m.] JFrog CEO Shlomi Ben Haim on the Next-Gen Software Supply Chain

JFrog CEO Shlomi Ben Haim opened swampUP 2023 with his thoughts on how the evolution from DevOps and CI/CD to cloud-native technologies, microservices architecture, security and governance calls for a new generation of software supply chain management.

JFrog CEO Shlomi Ben Haim

Sound bites from the session

  • “There are three things that make a conference better and something to remember: the content, the team, and the energy in the room.”
  • “Why are we automating everything? Why are we securing everything? In order to have a world where software is liquid.”
  • “We’ve seen a movement from a full platform to a full best-of-breed, to a platform with a best-of-breed experience.”
  • “It’s all about binaries. What is an AI model or a training model without binaries? We’ve started to see how important it is to be focused on the right asset.”
  • “When we ask, ‘Are you ready for next?’ we’re serious about that.”
  • “DevOps and Security are one, but security must be modernized.”
  • “Everyone is implementing generative AI, but put that aside and think about what’s happening now. Our customers are telling us they don’t know if their own developers are using AI. My 15-year-old daughter does her homework using ChatGPT, so of course it’s being used.”
  • “swampUP isn’t just about what JFrog has to say to the world, it’s a collection of community and speakers to share best practices.”
  • Shlomi ended his presentation with “May the Frog be with you!” and introduced JFrog CTO, Yoav Landman.