Xray and VulnDB: Security at the Speed of DevOps Automation

VulnDB Built-In JFrog Xray

Update February 2024: JFrog no longer utilizes the VulnDB database. We have a comprehensive database from multiple leading sources including the NVD, GitHub, Ubuntu, Debian, Red Hat, PHP, and vulnerability data uncovered by the JFrog Security Research Team.

JFrog Xray: A Powerful DevSecOps Solution

JFrog Xray was originally announced at our annual JFrog user event, swampUP, back in 2017. So what does it do? Xray allows DevOps teams to discover, be notified of, and remediate open source vulnerabilities and software license compliance issues early in the development phase. The sooner a vulnerability is discovered in the development lifecycle, the cheaper it is to fix. This is often coined as a “shift left” in the development lifecycle of software distribution.

JFrog Partners with RBS

JFrog as a company believes in the power of a universal approach to implementing DevOps methodologies successfully, which means that DevOps teams can “BYOT,” bringing their own tools to their software development and release processes. JFrog Artifactory and Xray integrate with a multitude of DevOps tools, and for some of these tools we provide a deep integration to ensure a better end-user experience. The recent announcement of our partnership with Risk Based Security [RBS] is one such example of a deep integration, this time between JFrog Xray and RBS’s VulnDB vulnerability intelligence solution.

Xray with VulnDB takes data security intelligence to the next level

Together, Xray with VulnDB data provides one of the best security intelligence solutions on the market. After all, a security scanning solution is only as good as the database of vulnerabilities that drives it. The extensive metadata knowledge and database of software packages from JFrog, combined with the full breadth, depth, and timeliness of vulnerability intelligence from the VulnDB database has created a very powerful solution for identifying and mitigating vulnerabilities across the DevOps pipeline in a timely fashion. The best part is that JFrog customers don’t have to do anything special to get this high level of security, aside from using Xray within their development pipelines. The incorporation of VulnDB within Xray comes out of the box (and at no additional charge).

Tell me more, tell me more

It’s important to understand that the VulnDB database will be directly incorporated into the Xray database and that this is not a mere lightweight plugin or API call integration. VulnDB is the leading security vulnerability intelligence database in the market, and we believe that the combination of Xray and VulnDB provides you with great protection which highly reduces the need to connect with other vulnerability providers.

Did you know?

Currently, VulnDB contains almost 200,000 vulnerabilities, with new ones added every day (for example, nearly 3,000 new vulnerabilities were added since the beginning of 2019). You can see an up-to-date number on the VulnDB website.

It is also important to know that VulnDB is included in JFrog Xray at no additional charge for JFrog Xray customers!

Further, since the VulnDB data is being added on top of what’s already available in the Xray vulnerabilities database, our customers will not lose anything from the current data they have.

JFrog Xray now comes with VulnDB built-in, making it the security scanning solution that covers the largest number of vulnerabilities on the market.

Update Xray to include VulnDB

To get the latest data, customers only need to update their Xray vulnerability database frequently (if working in offline mode, they must download the latest database updates and import them). The integration of VulnDB into Xray will be completed gradually, and you can expect new vulnerability data to be made available with every database update. We expect most of the work to be completed by mid-2019. Since new vulnerabilities are discovered every day, this is an ongoing, diligent process.

How to learn even more

The integration of VulnDB within JFrog Xray provides JFrog customers with a real DevSecOps solution and protects them from a multitude of unique vulnerabilities as their software moves from development through production and release.

If you’d like to learn more about the integration of VulnDB with Xray, you can read our press release. If you’d like to learn more about JFrog Xray, and other partner integrations we’ve released, be sure to meet us at swampUP 2019. We’re hosting our annual event at the Hyatt Regency in San Francisco this June. If you join us, you’ll be sure to be the first to hear about new product announcements too.