Software Supply Chain Super Heroes: Binary Management Plus Security

Go to any DevOps or security conference today and you’re likely to see “Secure your Software Supply Chain” blazoned across most booths in some form or another. And that’s for good reason. Recent data shows that supply chain attacks have more than doubled in 2021, a trend that is likely to continue. 

Leading companies are actively rethinking their approach to how to develop and release software. They’re asking core questions like:

• Which security tools should we use? 
• What policies should be in place around OSS use?
• How should we store binaries and packages?
• Who should determine what is acceptable risk?

These may well seem like independent questions. But in today’s rapidly evolving threat landscape, these issues are highly interconnected. To address them, organizations need binary management and security in a tightly integrated solution. Here’s why: 

Binaries: The Links in the Supply Chain

Securing software supply chains (SSC) starts by knowing what’s in them. A universal binary management solution, such as JFrog Artifactory, keeps the binaries, packages, and components for all the software technologies your organization uses in one place – a single source of truth for the supply chain.

Powerful metadata means that binaries aren’t just stored, but tracked, providing a fully traceable record of their provenance and usage. Additional features, such as checksum verification, help provide certainty that every component is what it claims to be, and hasn’t been compromised.

When governed by powerful permission administration facilities for role-based access control, your software supply chain can operate within an established secure circle of trust. Within that circle, developers can share immutable software components safely within or across teams to create builds.

“Having a centralized, well-governed repository [in Artifactory] where everybody can access that with certain controls and having the security and the labeling in place is essential for Monster to be as reactive, as fast as we can.”
– Chief Architect, Monster

DevOps and Site Reliability engineers can connect various build, QA, and orchestration tools to these repositories to better control the flow of binaries across different systems/tools as they advance towards production and ensure that developers are always working with the set of assets they think they are. 

SecOps: Hardening the Circle of Trust

Security tools are your line of defense to stop malicious or vulnerable components from making their way into live production software. Since the software supply chain is composed of binaries, that’s where your security posture needs to be most heavily focused. 

Once you’ve established a secure circle of trust for binaries, a binaries-focused security solution such as JFrog Xray can harden that circle, by providing automated vigilance of what’s inside those binaries  and how vulnerable they are to being exploited.

“Something [Xray] that’s going to scan everything in that central repository of truth, automatically, with zero customization required, that’s really, really powerful.”
– DevSecOps Sr. Manager, Hitachi Vantara

Identifying vulnerabilities, of course, is only the first step. You’ll also need to understand the vulnerability’s impact, know how to best address them, and block them from further use if necessary. 

Security point solutions that don’t rely on a single source of truth can identify problems found at specific places in the development pipeline, but can require many layers of protection to secure the entire software supply chain.  Security is a comprehensive concern throughout the entire SDLC, from the first pull request, to each build, through testing, final validation and well after release. When binaries are centrally managed in a unified system with powerful metadata, security can be built in from end-to-end.

Moreover, modern applications rarely stand on their own – an enterprise’s inventory of apps is highly interdependent, with both third- and first-party components in common re-use. A single vulnerable package may be used in not just one build, but hundreds. A secure circle of truth for binaries attested by rich metadata enables a rapid grasp of a vulnerability’s impact on every binary link in the supply chain.

Dev + Sec: 1+1 = 3

When it comes to securing your organization’s software supply chain, there is no better combination than the JFrog DevOps Platform with Artifactory and Xray. Binaries are the core component of software development and JFrog’s core competency is binaries – managing them, securing them, packaging them into software updates, delivering and deploying them to the edge and runtimes. 

Of course, security doesn’t end with an application’s deployment. “Zero day” issues, like the recently uncovered log4j and SpringShell vulnerabilities can be revealed long after an application has been placed into service. When these occur, security teams need to urgently identify all of the organization’s applications containing the severely vulnerable libraries, determine their impact, and remediate them quickly. This is only possible if binaries are centrally managed in a unified system with built-in security to effectively evaluate for newly discovered risks. 

When a severe vulnerability was revealed in the highly popular log4j library, countless orgs were impacted and security teams worldwide lost weekends and holidays to ensure their software wasn’t vulnerable. JFrog customers using both Artifactory and Xray, however, were able to completely remediate the log4j issue swiftly across their entire development organization and prevent the vulnerable components from being used any further, often in less than 24 hours.

“When log4j hit, it was the easiest thing to generate a report of what apps had that vulnerable dependency, fix it, and we were good to go.”
– DevOps Engineer, Bendigo and Adelaide Bank

With JFrog Artifactory and Xray, security isn’t just something that’s “added on” to your DevOps efforts. Instead it’s been thoughtfully integrated into the binary lifecycle management process – from curation through creation to consumption. For example, security scanning with Xray can occur at every step of binary promotion (from build to release) and serve as an automated production release gatekeeper.

When you combine the ability for security scanning to serve as a promotion gatekeeper, plus Artifactory’s release bundle signing to ensure immutability, you get secure releases that you can trust contain the software components you expect.

These two unified JFrog platform services deliver a comprehensive solution to secure the software supply chain starting before a binary enters an organization’s DevOps ecosystem, all the way through to a binary running in production. 

This holistic security approach is the reason leaders in the most regulated industries rely on the powerful JFrog Platform to manage their binaries and secure their software supply chain.

End-To-End Software Supply Chain Security at Scale

Seamlessly manage how, when, and where packages are used, and effortlessly find, fix, and fortify against vulnerabilities across your entire development landscape from a single source of truth.

• Create transparency and efficiency between DevOps, Engineering, and Security
• Know what 3rd party packages are in your supply chain and that they’re safe for use
• Improve security with integrated checks and gates throughout your SDLC
• See the big picture and easily take action with a single source of truth

Great on their own. Even better together. JFrog Artifactory + Xray is the leading combination to manage and secure your software supply chain.