SDLC Security: It’s Personal for JFrog

The SolarWinds hack, which has affected high-profile Fortune 500 companies and large U.S. federal government agencies, has put the spotlight on software development security — a critical issue for the DevOps community and for JFrog. At a fundamental level, if the code released via CI/CD pipelines is unsafe, all other DevOps benefits are for naught.

What happened

SolarWinds, an IT monitoring and management vendor, said attackers breached its systems and inserted malicious code into the software build process of its Orion Platform. For several months, product updates built and distributed through the normal release process shipped with that code: a backdoor that gave the attackers a way into customers' Orion servers. The compromise was in the build, not in a bug in the shipped product, which is what makes it a software supply chain attack.

It’s estimated that about 18,000 customers received the contaminated updates, and that several dozen got breached. Those affected include Microsoft, the U.S. Department of Homeland Security (DHS), and FireEye, a cyber security vendor which first detected the attack this month after the hackers stole proprietary security tools it offers to its clients.

SDLC Security Under the Microscope

SolarWinds, which says it already builds all products under a secure development lifecycle that includes architectural reviews, static and dynamic code analysis, and open-source analysis, has tightened its SDLC security further, including by:

  • Further restricting access rights to its build environment
  • Using a new code-signing certificate for new builds
  • Reviewing the build environment’s architecture, the privileged and non-privileged users with access to it, and the network surrounding it

It has also been reported that the company may have inadvertently exposed FTP credentials in a public GitHub repository last year, raising the question of whether this was one of the avenues the attackers used to breach its systems.

A Troubling Trend

This type of breach, known as an upstream supply chain attack, has become increasingly common because it is so effective. By poisoning code that is assumed to be safe, attackers exploit the trust relationship between software providers and their customers: a single compromise of the vendor's build or release process fans out to every customer that installs the update. The malware hides inside legitimate software and is shipped to thousands of customers through otherwise official distribution channels, where it is treated like any other release.

How JFrog Can Help

JFrog has been creating awareness about DevSecOps and building security capabilities into its platform for years. It’s our belief that security must be baked end-to-end into the SDLC — from design to production. 

That way, security gaps — vulnerabilities, malware, misconfigurations, policy violations and more — can be caught early and often, and fixed immediately, before bad actors get a chance to exploit them.

It’s a broad, complex undertaking that requires a holistic, multi-dimensional approach, and that encompasses application security, infrastructure security, data security and comprehensive role-based access control (RBAC). 

Here’s a brief rundown of what we offer for DevSecOps within the JFrog Platform, as well as some recommendations.

JFrog Xray

JFrog Xray is our DevSecOps tool, designed to offer continuous security and universal artifact analysis. Through a multilayer analysis of containers and software artifacts, this software composition analysis solution scans for vulnerabilities, detects license compliance issues, and helps you take appropriate action quickly.

JFrog Xray is natively integrated with JFrog Artifactory, our platform’s flagship component, providing optimized scanning, unified operation, and a single pane of glass view into your artifacts’ security and compliance issues. Identification of vulnerabilities and traceability of your builds are inseparable. You must weave security and license compliance tightly into your artifact management system. That way, when a vulnerability is detected, you know how it got there and how it impacts everything else. 

In addition, Artifactory provides granular RBAC capabilities, so you can limit access to artifacts, and determine what kind of access to grant, such as read-write, or read-only permissions. Furthermore, Artifactory’s rich metadata gives you full traceability of artifacts. That way, you can respond instantly to breaches, and generate a new, safe build with uncompromised components — in hours, not days.

JFrog Xray’s deep recursive scanning gives you visibility into all the underlying layers and dependencies of components, and provides complete impact analysis, so you can understand which artifacts contain insecure components. And it does all this continuously and at the speed of DevOps, so you can identify and fix violations early and often in the SDLC — even directly from within your IDE — without creating security-check bottlenecks at the end of the cycle.
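To make the terms concrete: the paragraphs above describe traceability ("how did it get there") and impact analysis ("which artifacts and builds contain the insecure component"). The following is an added example, not JFrog Xray's own code, that implements both over a small artifact-dependency graph. Artifact names, component names and build names are constructed for illustration; the only assumption is that your artifact metadata can tell you which components each artifact bundles and which build published each artifact.

```python
"""Impact analysis over an artifact-dependency graph.

Added example, not JFrog Xray's own code: it shows what "impact analysis"
means in practice. Given which components each artifact bundles (recursively)
and which build published each artifact, it finds everything that must be
rebuilt when one component turns out to be vulnerable, and the chain that
explains how the component got there. All names and data are constructed.
"""
from collections import deque

# Constructed: artifact -> components it directly bundles. Components can
# themselves bundle components (a jar inside a war, a package in an image
# layer), which is why the scan has to be recursive.
CONTAINS = {
    "webapp:2.3.1": ["frontend-layer:1.0", "api-layer:1.0"],
    "frontend-layer:1.0": ["nginx:1.19", "libssl:1.1.1g"],
    "api-layer:1.0": ["app.jar:2.3.1", "openjdk:11.0.9"],
    "app.jar:2.3.1": ["log-lib:2.14.0", "json-lib:3.4"],
    "batch-job:7.0": ["app.jar:2.3.1"],
    "reporting:1.2": ["json-lib:3.4"],
}

# Constructed: build -> artifacts it published (build-info style metadata).
BUILDS = {
    "webapp-ci#412": ["webapp:2.3.1"],
    "batch-ci#88": ["batch-job:7.0"],
    "reporting-ci#19": ["reporting:1.2"],
}


def reverse_graph(contains):
    """Invert the contains-edges: component -> set of things that bundle it."""
    parents = {}
    for parent, children in contains.items():
        for child in children:
            parents.setdefault(child, set()).add(parent)
    return parents


def impacted_artifacts(vulnerable, contains=CONTAINS):
    """All artifacts that transitively contain `vulnerable` (BFS over reverse edges)."""
    parents = reverse_graph(contains)
    seen, queue = set(), deque([vulnerable])
    while queue:
        node = queue.popleft()
        for parent in parents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impacted_builds(vulnerable, contains=CONTAINS, builds=BUILDS):
    """Builds that published an impacted artifact; these are the ones to re-run."""
    artifacts = impacted_artifacts(vulnerable, contains)
    return {b for b, published in builds.items() if any(a in artifacts for a in published)}


def paths_to(vulnerable, contains=CONTAINS):
    """Every chain top-level artifact -> ... -> vulnerable: the "how did it get here" answer."""
    parents = reverse_graph(contains)
    if vulnerable not in parents and vulnerable not in contains:
        return []  # component unknown to the graph: nothing to report
    chains = []

    def walk(node, path):
        ups = parents.get(node, ())
        if not ups:
            chains.append(list(reversed(path)))
            return
        for up in ups:
            if up in path:  # cycle guard for inconsistent metadata
                continue
            walk(up, path + [up])

    walk(vulnerable, [vulnerable])
    return sorted(chains)


if __name__ == "__main__":
    vuln = "log-lib:2.14.0"
    print("artifacts to rebuild:", sorted(impacted_artifacts(vuln)))
    print("builds to re-run:    ", sorted(impacted_builds(vuln)))
    for chain in paths_to(vuln):
        print("  " + " -> ".join(chain))
```

The point of walking the reverse edges rather than re-scanning every artifact is that the answer comes straight from metadata you already have: when `log-lib:2.14.0` is flagged, the graph tells you that `webapp:2.3.1` and `batch-job:7.0` both carry it via `app.jar:2.3.1`, so exactly two builds need re-running, and the chain output is the evidence you attach to the incident record.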

Attempting to do all this manually, and with disparate point tools that don’t interoperate well, slows you down, and prevents you from pinpointing security issues with precision and at scale — putting you at risk for breaches.

JFrog Pipelines

As we’ve explained before, keeping secrets safe can be challenging for CI/CD tools. They must connect to many other services, each with its own password or token — data that must be shielded from cyber crooks.

JFrog Pipelines was designed with secrets management built in from the start, rather than bolted on. Through its integrations, Pipelines combines central secrets management with the granular access permissions of the JFrog Platform. Its out-of-the-box integrations include GitHub, Bitbucket, Docker, Kubernetes, and Slack, as well as public cloud platforms such as AWS, GCP, and Azure.

With Pipelines integrations, you can share secure resources, while safeguarding the secrets that authorize their use. Using the JFrog Platform’s unified permissions model, you can grant access to those who need it and block access to everyone else. This all automates and streamlines the process of protecting secrets from being inadvertently exposed or actively stolen from your CI/CD tools.
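Central secrets management only helps if the secrets actually stay in the store and out of source control; the exposed-credentials report mentioned earlier is the failure mode. The following is an added example, not JFrog Pipelines code, of a pre-commit style check that catches the common ways credentials leak into a repository: credentials embedded in URLs (`ftp://user:pass@host`), assignments to password- or token-like keys, and long high-entropy strings. It deliberately allows references to a secrets store (`${VAULT_DB_PASSWORD}`), since that indirection is exactly what you want to see. The sample config and all values in it are constructed.

```python
"""Catch credentials before they are committed to a (possibly public) repository.

Added example, not JFrog Pipelines code: a pre-commit style scanner that flags
the usual ways secrets leak into source: credentials embedded in URLs
(ftp://user:pass@host), assignments to password/token-like keys, and long
high-entropy strings. References to a secrets store (${VAULT_...}) are allowed,
because that indirection is the goal. The sample below is constructed.
"""
import math
import re
from collections import Counter

# Constructed sample: a config file someone is about to commit. Values are fake.
SAMPLE = """\
deploy_host = "ftp://deploy:Summer2020!@files.example.internal/releases"
api_base = "https://api.example.com/v1"
artifactory_token = "fake_token_value_for_illustration_only"
slack_webhook = "T0123ABCD/B0987WXYZ/k3Ys9mQ2pL7vR4nT8bW1xZ6c"
log_level = "info"
password = "${VAULT_DB_PASSWORD}"
"""

# scheme://user:password@host  (a port such as host:8080 does not match: no '@')
URL_WITH_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s/:@]+):([^\s/@]+)@", re.I)
# key = "value" or key: value, where the key name suggests it holds a secret
SECRET_KEY = re.compile(
    r"""^\s*([A-Za-z_]*(password|passwd|secret|token|api_?key)[A-Za-z_]*)\s*[=:]\s*['"]?([^'"\s]+)""",
    re.I,
)
# ${VAR}, $VAR or <placeholder>: indirection to a secrets store, not a leak
PLACEHOLDER = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^<[^>]+>$")
# candidate opaque tokens: 20+ chars of base64/url-safe alphabet
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s):
    """Bits per character; random tokens score about 4.5+, prose and paths lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text, entropy_threshold=4.5):
    """Return (line_no, kind, detail) findings. Never echo the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_WITH_CREDS.search(line)
        if m:
            findings.append((lineno, "credentials-in-url", m.group(1)))  # username only
            continue
        m = SECRET_KEY.search(line)
        if m:
            if not PLACEHOLDER.match(m.group(3)):
                findings.append((lineno, "secret-assignment", m.group(1)))  # key name only
            continue
        for token in TOKEN.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((lineno, "high-entropy-string", f"{len(token)} chars"))
    return findings


def should_block_commit(text):
    """Gate for a pre-commit hook: any finding blocks the commit."""
    return bool(scan(text))


if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE):
        print(f"line {lineno}: {kind} ({detail})")
    raise SystemExit(1 if should_block_commit(SAMPLE) else 0)
```

Wired into a pre-commit hook or a pipeline step, the non-zero exit code stops the leak at the developer's machine rather than in a public repository. The entropy rule is the noisy one; tune the threshold against your own code base and keep the placeholder allow-list so that correct use of the secrets store is never penalised.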

Best Practices

Rolling out a comprehensive, holistic DevSecOps strategy is a must, especially with the exponential growth of open source software, which we know often contains vulnerabilities and other security faults. As we outlined in this white paper, these recommendations provide a solid baseline for starting or fine-tuning your DevSecOps practices:

  • Establish DevSecOps as a cornerstone of your SDLC
  • Instill security knowledge and ownership across your developer and operations teams
  • Utilize security and compliance best practices and adopt continuous improvement tactics
  • Use an integrated suite of DevSecOps tools that can automate security and governance
  • Ensure your toolsuite includes a universal software composition analysis solution
  • Utilize the most comprehensive and timely vulnerability intelligence database

We also reached out to Risk Based Security, whose VulnDB vulnerability database JFrog Xray uses, and Brian Martin, VP of Vulnerability Intelligence, shared these tips with us:

  • For companies receiving software updates from trusted vendors: Practice due diligence and have a proper security-focused policy for accepting code contributions from any source. While it is time intensive, every code change should go through at least two sets of eyes. That way if credentials are abused to inject new code into a project, a second person would be responsible for checking that code.
  • For DevOps teams to prevent having their pipeline breached and their code tampered with by hackers: DevOps teams should periodically review third-party code used in their software. Do they still need it? Is the project actively maintained? Is there a history of vulnerabilities in the code? Does that project have a policy that includes reviewing contributions from outside parties? These are all important questions to ask.

Sign up for a free JFrog Cloud account and experience first-hand how Xray’s deep recursive scanning and impact analysis capabilities boost security and compliance across your DevOps pipeline.