My name is Kat Cosgrove, and I’m a Developer Advocate at JFrog. Before that, I was an engineer on JFrog’s IoT team. Our goal is to bring DevOps to the edge, because it shouldn’t be as difficult to update these kinds of devices as it currently is. In pursuit of this goal, we found a lot of interesting solutions that we could bring into a CI/CD pipeline for embedded Linux devices, and eventually built a rather flashy proof of concept that put several of these solutions on display.
This can be a deceptively difficult problem to solve, especially if you’re dealing with a fleet of devices with different capabilities, but there are some tools and design strategies we can implement that address a number of pain points in such a system. First, let’s get some context: exactly how large IS the edge?
Counting both “dumb” sensor edge devices and smarter ones or gateways, there are an estimated 20.4 billion edge devices today. Seems like a lot, yeah? It’s certainly way more than I thought there would be. How are we handling updates for these devices right now?
Some of them can’t be updated; they’re throw-away devices, effectively single-use. When they break, they must be replaced. A lot of those that ARE being updated do it in a way that’s somewhat unwieldy. It’s time-consuming, or the infrastructure to support it is complicated, or it can’t happen wirelessly at all and requires physical access, which is either expensive for the manufacturer or irritating for the user. The industry is still booming, though, so why should we spend the time and effort to change it?
- Our lives are increasingly reliant on edge computing and IoT, with devices taking over larger amounts of work in consumer, industrial, retail, and medical spaces. People don’t want to spend lengthy amounts of time waiting for a software update to complete, and they definitely don’t want to have to plug a device into a computer to do it.
- Infrequent or non-existent software updates, regardless of the reason for them, make edge devices a serious security vulnerability in anyone’s network. Everyone knows unpatched software is a problem, right? This could mean anything from the exposure of user or client data to a malicious third party, to devices being harnessed for a botnet or cryptocurrency mining. This has already happened on a wide scale, and is continuing to happen today. The safety implications for medical devices are even more extreme.
- A lot of edge devices are still simply not designed with the ability to be updated. They expect to run the software version they ship with until they break. The “update strategy” for these devices is flashing them. This is dangerous, because how often do you write a piece of software with zero bugs in it? How confident are you in your QA team to find every conceivable edge case? You shouldn’t be THAT confident — on average, there are between 1 and 25 bugs per 1000 lines of code. Bugs are making it into production. Don’t gamble on your code being perfect.
So what we have is a rapidly growing number of these devices, across multiple markets, that are totally incapable of being updated at worst, or are updated badly at best. This translates to potential security vulnerabilities or failures waiting to happen in nearly every aspect of our lives. Put that way, it’s something obviously worth spending the effort to fix, right?
To learn more about this problem, including the system we built to take software updates on a car from several hours to just minutes, don’t miss my talk “Updating the Edge” at JFrog’s virtual SwampUp!