Cloud Security Alliance (CSA) West Michigan Chapter: “Not Another Demo” with JFrog

April 14, 2021


Sven Ruppert, Developer Advocate at JFrog, dives right in with the experts at the Cloud Security Alliance. If you are interested in learning more about the DevSecOps space, then this is 45 minutes well worth your time!

For more information about DevSecOps or JFrog, please check out the following link. Try out the DevSecOps Free Tier from JFrog: https://bit.ly/SvenYouTube

Speakers

Sven Ruppert

Developer Advocate

Sven works as Developer Advocate for JFrog and has been coding Java in industrial projects since 1996. He worked for over 15 years as a consultant worldwide in industries such as automotive, space, insurance and banking, and for the UN and the World Bank. He regularly speaks at conferences and meetups worldwide and contributes to IT periodicals as well as tech portals. In addition to his main topic, DevSecOps, he works on mutation testing of web apps and distributed unit testing, besides his evergreen topics Core Java and Kotlin.

    Video Transcript

    hey everyone and welcome to
    your favorite youtube series and our
    favorite youtube series
    too i’m not gonna lie this is literally
    my favorite thing to watch
    is uh is everyone else talking not me
    but anyways
    still my favorite um we are
    we’re on episode number 23 if you can
    believe that of
    not another demo as you know not another
    demo
    is is our uh chance of having a real
    conversation with the vendor
    about what they you know what they do
    what problems they solve
    maybe what sets them apart from
    competitors in the industry and we’re
    super excited of course i i i’ve got
    aaron and lloyd
    uh with me today so we’re we are sans
    anthony today but uh the the three of us
    are gonna handle it in his
    absence we’re wishing him well because
    he got injured
    um doing indoor outdoor stuff sven he uh
    he broke his ankle
    um climbing
    you know young people like to do young
    people things and i don’t
    i don’t do any climbing anymore except
    in and out of bed
    and i could break an ankle doing that
    sometimes i’m not gonna lie
    um so uh we are really happy
    this week to have with us sven rupert
    from
    jfrog and uh we are uh i i have to do
    this
    we are going to jump into the devops
    swamp with jfrog today so
    um you did that you did that on purpose
    right jumping
    for anthony
    so sven i’m gonna uh just have you
    introduce yourself
    um introduce us to to jfrog because i
    think you guys are
    are a newer company so maybe some folks
    are not familiar with what you’re doing
    and then
    let’s start with you know maybe telling
    us a little bit about what sets you guys
    apart from
    some of some of the other companies in
    that space
    okay so um well i’m sven i’m from
    germany and i joined
    jfrog a little bit over a year ago as
    developer advocate
    and there i’m focusing on the security
    part there in the
    product area what what jfrog has jeff
    rock itself is um
    originally from israel tel aviv and then
    tonight
    but israel and they have no headquarters
    in
    different countries and in u.s
    sunnyvale uh last year we had our ipo
    so since this we have all this attention
    with all these new rules and new
    uh yeah ways to do things new
    regulations too
    right yeah yeah yeah yeah sorry
    more people than respect him
    yeah oh well no we we are quite flat in
    in the hierarchy towards it that’s
    really
    really cool and um
    well still still some kind of ager so
    it’s
    uh the company itself i think it’s over
    10 years old to say i don’t know exactly
    so
    but it’s it’s not just a startup from
    the last two years
    definitely so there’s a history and
    they’re focusing
    since the beginning um on the developer
    part
    say what what is what the developer
    needs what’s a developer like
    um they they came from the field of um
    binary management so the most people
    know it from from multifactory
    it’s this binary repository
    and yeah that’s that’s the route where
    everything is coming from
    and then slowly the functionality was
    increasing with
    how it distributes its stuff and how to
    make it secure and
    how to yeah build this stuff and so on
    but the core is art factory the binary
    manager
    that’s it well
    all right let’s just jump right in
    because this is this is
    a topic i am a former
    well i guess i’m not a former web
    developer because i still i still code
    on the side because i have to stay
    up on secure coding practices because
    that’s one of the work streams that i
    manage in my day job
    um we’re actually about to start
    um a new secure software
    development like too many
    too many letters secure software
    development
    life cycle maturity right because my
    organization
    we’re big enough we actually have two
    different development teams one on the
    medical side
    and one on the insurance side so
    one of the struggles that we have as we
    try and mature this process
    is the balance of you know the
    continuous innovation
    continuous delivery you know the ci cd
    pipeline
    balancing that with security
    requirements right
    so three or four years ago you know we
    had you know
    we implemented stat sas tools static
    application scanning
    uh tools and then you know dynamic
    application scanning tools
    we quickly discovered that
    uh the sas part worked well after you
    matured and got your false positives
    out in your code but one of the
    struggles that we had was around dynamic
    application scanning and how
    you know the development teams as you
    know especially the artifactory space
    you know they want to crank out stuff
    all the time and it doesn’t leave a
    whole lot of time to do
    complex testing you know secure coding
    testing so
    what are you seeing right now in the
    devsecops space
    that’s kind of trying to address that is
    that something that you can do with the
    solution like yours
    or is it a combination of things
    well um let’s let’s say so if
    the most people if they start what they
    say they need something that’s
    giving the best benefits in the
    beginning so what what are the
    low-hanging fruits
    and mostly if people start thinking
    about security and reading a bit and all
    this stuff they got a lot of this
    acronyms terms
    short word whatever constellations and
    the security field as a lot of other
    fields has
    buzzword inflation it it’s it’s a
    german term so what would translate but
    it’s more we we’re getting more
    buzzwords
    and sometimes it’s way easier if you’re
    if you’re going a little bit back to the
    roots
    and think about what what is the core
    you’re doing
    what is just technical costs um
    how to avoid things that are just here
    before
    because they are cool but you’re not
    earning money with it
    so and if if you start simplifying
    things and
    the main thing is complicated things to
    explain complicated
    is easy but explain
    complicated things in easy words is damn
    this is really hard because then you
    need to understand it
    exactly in all details so it
    means that making security
    simple is a biggest goal you should have
    so that
    everybody in your team is able to follow
    is able to do
    his part of the job and um
    simplifying means as well that he splits
    the responsibility
    so who is responsible for the does part
    who’s responsible for the static part
    who’s responsible for whatever
    so um this is sometimes not really clear
    so if if you’re looking a little bit in
    the past we have these deaths and orbs
    and what we learned is that
    this merging is a good thing so that the
    whole team is responsible for all this
    stuff
    but on the other side what we learned is
    now if you have these devops teams not
    every dev is an
    op specialist he needs to know exactly
    what he needs for his daily job to be
    efficient
    and the same with security so if you’re
    going to the suspect or das per
    or whatever you need
    you have to make sure that the general
    awareness of this topic security is
    everywhere every in every part of your
    tool chain on your your product line
    but some people are focusing on the
    dynamic application scanning so what
    what we are doing with
    jfrog is we are focusing on the
    let’s say biggest part of it um
    but not of the dynamic part why why is
    this dynamic application
    security testing why is this just a tiny
    part compared to
    to the rest so if if you look at the
    whole tech stack
    and what what are you doing as a
    developer you have always this decision
    may go by so i need i need to print the
    pdf
    should should i implement a pdf library
    or should i get it as a pdf
    library so elaborate third party
    dependency
    and security for me personally security
    includes vulnerabilities and compliance
    issues
    so this is both can be poison for your
    business
    vulnerabilities yeah it’s just a
    compromised system
    compliance it’s just the right license
    at the wrong place
    can kill your business as well so this
    is this is something that most people
    are forgetting that compliance is part
    as well
    so going back to the developer what’s he
    doing he he has always his
    time to market and make or buy so the
    economy part of the company is is
    thinking about
    this this new use case must be pushed to
    production as
    fast as possible because we want to
    write a bill okay this
    this is the main thing and we as a
    developer we are doing exactly the same
    so there is a requirement
    and we must push it as fast as possible
    to production
    and if you have a vulnerability and you
    have to react
    this is time to market as fast as
    possible it
    must change in production there is a
    requirement this vulnerability
    so whatever vulnerability if you’re
    finding it on static analysis or during
    the runtime or whatever
    the other side if you’re checking the
    dependency part and all
    tech layers the most projects i
    saw is that the dependency part is by
    far
    the biggest part of an application so
    if you are focusing on the static stuff
    on the dependencies and making sure that
    this is secure you have the low-hanging
    fruit you have the biggest part of the
    system already checked
    yeah and this should be done there
    and this is an easy part because the
    mathematics behind
    is easier and then you can focus on the
    dynamic application scanning stuff
    but this is not really solved from the
    mathematical point of view
    from the technical point of view and so
    on
    but whatever technique you’re using
    i think you should focus on quality
    because quality will lead you to
    a better way to deal with security or
    vulnerabilities always all this stuff
    and why because you you’re just
    going over test driven development and
    this is
    low-hanging fruit for everything so if
    you’re focusing on quality
    and then adding the term security in the
    whole pipeline
    and focusing on the biggest parts you’re
    on a good way
    and all this ai stuff and all this
    dynamic scanning
    for me personally is a tiny part
    in the whole text stack and this is why
    i always would
    say have an eye on this dynamic
    application scanning stuff
    make sure that you are have no false
    positive stuff
    but make sure that this is not the
    leading one because this
    is it’s not so strong it will be strong
    over the next 10 or
    15 years and it will be amazing what we
    will get with ai and machine learning
    and all this stuff
    but right now my personal feeling is
    it isn’t at on and it’s not
    the main thing you should focus on
    and it’s just yeah so
    it has the same rules so if you find
    something
    you must be fast again you must change
    it as fast as possible
    you must be immutable you must be able
    to
    recreate the same instance to analyze it
    without destroying your production
    and all this stuff so you have the same
    mechanics
    and uh for me personally my personal
    point of view is that the dynamic
    application
    security part isn’t good at on but it
    shouldn’t be the backbone that’s
    that’s at least what what i would
    suggest
    now when you talk so hang on so you you
    had a
    phrase in there that i had have to
    capture you said what was it buzzword
    something you said it was a german term
    buzzwords something uh uh they see a
    buzzword inflation
    so in reflection in terms of this we’re
    gonna
    we’re gonna bring that um here because
    uh you know and you heard aaron a couple
    of times
    it’s one of our rules and not another
    demo we don’t allow acronyms because we
    get into that
    that uh vegetable soup mix of oh wait
    i’m gonna use the new word
    uh buzzword inflation which we want to
    stay away from
    totally love that hashtagging that one
    um on this episode
    so um okay yeah i guess
    aaron i’ll throw back over to you
    because i know we’ve had some
    assassin desk conversations um like
    what was your take on the on that part
    of the conversation
    i’d like to dig in a little bit more
    like when you talk about
    quality right so i i am in agreement
    with you that
    dast has a long ways to go
    right because ai isn’t where it needs to
    be you still
    need a lot of manpower right
    putting in you know the checks and
    you know the logic in the das tool to
    make it
    find the vulnerabilities you’re looking
    for right so that’s there’s a big
    fte left on that you need a you know a
    qa
    analyst or a business analyst that knows
    your application
    that can say check for x y and z right
    that’s that’s the biggest
    problem with implementing a dust right
    is understanding that
    it’s going to need a lot of care care
    and feeding as opposed to
    a static application scanning tool i
    wanted to
    to know a little bit more about when
    what you mean by
    like quality you know when you talked um
    a little bit
    about shift lift shift left sorry
    um before we started recording are yours
    are you seeing that most if i’m
    understanding you right
    you’re saying that most of the
    vulnerabilities that you’re finding in a
    solution like jfrog
    are like bad you know bad binaries
    coming in you’re beginning to your setup
    tools right so your open source
    libraries you mentioned like you know
    as a developer do i want to create my
    own pdf
    converter so matt for you and lloyd
    there are times where you have a form
    right
    and you put in the information on the
    form and then you need to do two things
    with it
    you need to send that data to the
    database but you also have to print
    and make it printable right so the stuff
    that sven talked about
    you need to be able to print out a copy
    so there’s two ways to do this right you
    can do
    well actually three one you can just
    roll the dice right and see what windows
    or mac does
    when you print it you can create your
    you know you can make css tweaks um
    cascading style sheets
    tweaks to make it look a certain way or
    eight out of ten times like sven is
    saying the developer’s just gonna go out
    and get a plug you know get a plug-in or
    a library
    that that creates that so sven are you
    seeing that more vulnerabilities are
    coming into your custom
    web applications from like open source
    libraries
    um well let’s let’s have a
    little bit more detailed view on this
    one um because i don’t want to blame
    web apps or different technologies so
    um we all know the solar wind tag so if
    we
    we got it okay this fire company that
    got their tool stack broke to this
    solarwinds company
    and uh what what happened here the main
    thing
    is that the attack was not against the
    final target the attack was against the
    supply chain and this
    is a new way of attacking system because
    if you’re getting a binary and you have
    a fingerprint
    and you’re validating and it’s coming
    from the producer and you say oh this
    fingerprint that’s fine
    you’re just taking this binary and trust
    it
    yeah it happened exactly exactly this
    happens
    because the attack was against the ci
    environment
    from from this company and with every
    build they produce
    compromised binaries by themselves so oh
    my god
    so how to get rid of this one how to
    make sure that this will not happen for
    you
    and so this this isn’t this is the
    question so
    what what is static dynamic
    for you um are you looking at the place
    that you are a producer and pushing
    stuff away or you’re focusing on the
    part i’m grabbing from the market and
    using it by myself
    so this and these are different things
    if you’re focusing on
    just on the part i’m grabbing stuff from
    outside
    into my production make sure that
    nothing is coming in over this way
    okay then you need to understand over
    all tech layers
    of the dependency management systems and
    if you have this metadata
    and this binaries and the knowledge
    about all known vulnerabilities
    you’re focusing on 80 or 90 of your
    whole stack already
    damn that’s good what you need is to
    go back to your previous question about
    quality
    if you’re dealing with vulnerabilities
    i’m not talking about
    compliance issues because there is a big
    difference so with vulnerabilities
    you have just between to kill a
    vulnerability is mostly
    creating a new composition of the same
    word of different versions of the same
    elements
    okay so if you have version a and it
    must be version
    b but it’s the same library so if you’re
    focusing on this part
    a good test coverage will help you
    because you can just
    create a new composition of versions
    test it give it to production perfect
    time to market short okay don’t
    do all this stuff if you’re thinking
    about should i grab a dependency open
    source or not i love open source because
    a lot of people can analyze it
    instead of something that’s closed
    but if you think about creating pdf by
    myself
    or grabbing someone i would trust this
    guy that has done it a few times
    and learnt his lesson already but a few
    of us i mean developers
    tend to say hey i’m great i’m a senior i
    can do everything
    and this is a challenge if you’re
    talking
    yeah doing stuff by yourself
    oh yeah just a pdf i don’t i just need
    this a and b
    and they not even read the spec what pdf
    is including
    so nearly nobody knows that pdf can
    include javascript that’s
    executed so all this stuff
    so it means that don’t underestimate the
    effort
    not only from the economic point of view
    but from the complexity and the best
    practices
    it’s the same with polyglot systems so
    with this micro
    service stuff and serverless and
    whatever
    what we are thinking is we’re thinking
    of
    writing new instead of maintaining
    this is nice and this is perfect if you
    want to try out stuff
    i learned java i started working with
    java 1996.
    if i would start now with go i would be
    just a junior
    a just bloody junior but i have to say
    to myself
    okay no i’m a junior and i
    would need advice for people that maybe
    just
    half of the age of mine but working
    five years ago and i just started and
    this is a challenge that’s a
    social challenge in companies and this
    is a huge security risk
    so security is not only the dependency
    security is how to deal with
    your own ego with your behavior with
    your teammates and all this stuff
    this is a different part of security so
    this polyglot world will give
    us different challenges of hidden
    technologies just dependencies grabbing
    stuff in
    it will give us a challenge that i’m not
    a senior anymore i have to learn again
    it gives us a challenge how to deal with
    different personalities
    and how to do this one and
    quality is mostly a good good good thing
    again the most
    of this pause i just mentioned why
    um if if you have a good test coverage
    i’m not saying what is a good test
    correction just i think you have a good
    test coverage okay
    and term good we have to have a look on
    but if you have a good test coverage it
    doesn’t depend
    if i’m doing a change in the system on
    monday after i had a strong weekend
    on wednesday and i’m just exhausted on
    friday and i’m just
    out on the weekend already or
    if i’m happy at home or not or social
    challenges whatever i’m always
    delivering the same quality and this
    is the change the machine can deliver
    always the same quality
    i’m a human i’m not able to do it but
    the machine can help me
    and if i have a predictable quality
    then i know the duration and so on and
    so on
    okay so now the question was a good test
    coverage
    and then we can go back to the security
    part and static or non-static testing
    what’s a good test coverage most people
    start with line coverage
    line coverage is great yeah but
    it’s just a very very it’s not strong
    okay it’s definitely not strong even if
    you have branch coverage it’s not strong
    so what other test techniques you have
    and then people are coming oh yeah
    we have property-based testing and so
    okay property-based testing
    um can you explain me the random
    generator
    that is used to create a statistic
    significant amount of test points
    fits to your problem are you able to
    verify that this random generator fits
    to your problem yes or no
    and the most developers would say i’m
    taking the random generator that’s
    part of this tool great perfect i have
    no clue what i’m doing but i have test
    coverage
    i would prefer something very
    traditional from the 70s
    boring stuff mutation testing everything
    is atomic
    mathematical easy implementing and
    straightforward
    okay and then i have a really strong
    test coverage
    and now going back to this dynamic of
    the static testing
    static testing is an easy mathematic
    it’s a straightforward algorithm is
    you can handle it and you can
    validate that this is at least a solid
    base
    and the dynamic part this is on top
    yeah so but with a good quality and a
    good
    process you eliminate human stuff you
    eliminate
    this so i don’t know how to explain it
    but
    you’re working with quality against a
    lot of variables you have
    inside this system and make sure that
    that’s predictable
    and predictable is perfect for security
    yeah that makes sense
    that makes sense um do you see
    do you see situations where especially
    you will use your junior junior
    developer use case
    are you seeing that it’s better to
    teach them to code like getting to them
    early and saying secure coding practices
    like you know cleanse your inputs
    like you said think about your test your
    you know your test coverage differently
    um it’s easy probably easier to
    implement that with a junior developer
    how do you how do you how do you propose
    doing that like you said with a senior
    developer
    who’s like you know i’ve been doing this
    forever
    you know i started coding before you
    were alive kind of thing
    where that’s working against
    security because you need them to learn
    new things because
    because especially with code there’s new
    types of
    attack scripts every single day
    yeah so um let’s say so um
    well i i had this situation in one
    company i was head of r d
    of an uh company here in germany and was
    leading a team
    and there was a product and it was over
    10 years old it was transformed from
    php to java over 15 years ago so
    something like that so we had
    way more than a million lines of code
    and this the challenge was that this
    team was nearly yeah they are
    all over 60 sometimes so a huge amount
    was
    just near to be retired okay
    and they had a lot of experience and
    this was the biggest border
    so this was the biggest challenge and
    they recruited
    just from the university so you had
    exactly this
    thing so someone you can form or
    you can train and on the other side just
    it’s
    very very i don’t know how to say polite
    about this
    people that are long in this field that
    are quite old
    and have a very stubborn strong you can
    wait it’s okay to say stubborn
    yeah so as if you’re not a native
    speaker you must be careful what you’re
    saying i’ll say
    so the main thing is that that
    here this challenge was how to motivate
    them to to change something in their
    life because the old one
    didn’t want to change something they
    just want to get the last five years to
    be retired
    they never want to touch it anymore and
    they just don’t care about the company
    because
    they are retired in four five six years
    and what with the company happens
    they just don’t care the young one says
    oh i’m learning
    from the old one and i will do exactly
    what they’re doing because they have
    experience and all their stuff
    and the young young one was not strong
    enough
    to say something against the old one
    because they know the ceo
    they along in the company and all this
    stuff so it’s social engineering was
    really a disaster
    they were starting to not only not only
    make it difficult to have those
    hey should we think about doing a
    different way but you probably run into
    where they’re picking up bad habits
    right yeah so that they’re just doing
    the same stuff as the old one and this
    was a change
    this was really a disaster and so with
    this they used all practices
    they are not look they it was not
    allowed to use
    new practices yeah so they stuck on old
    behavior
    and yeah this learning stuff this is
    something so
    what what what you need in this case is
    you need a metric
    that is easy to understand from the
    developer
    up to the sea level and it must be
    one metric that’s exactly the same so
    the same number but you can use it on a
    green and red slide for the sea level
    and
    in numbers for the developer so one
    thing
    everybody’s working against and you need
    some some behavior or some some some
    characteristics of this number must be
    if you have this typical static analyzer
    you have 100 000 defects
    and you’re working one month and then
    you kill 10 000 defects it’s a lot but
    in the statistic you see nothing
    people are just bored and stop working
    against it
    and the same with security so if you
    have all this stuff it’s
    so you need something with an
    exponential growing so
    this is why why i love this mutation
    testing you start with a few tests but
    in the beginning you have an exponential
    grow of
    mutation test coverage and then it’s
    going slow and slow but then you are
    over 80 percent
    and this behavior this curve yeah is
    very motivating for the team
    and you’re just discussing about this
    number you’re not discussing about
    what should you do or your behavior or
    whatever if you just
    be able to reduce the discussion
    to discuss about numbers so many
    mutations means
    we have this amount of risk in our
    application we’re expecting so many
    changes
    risk and changes are not fitting
    together we need
    strategic thing and then you start
    implementing this
    sneaking in with security stuff
    for example security payload injection
    testing
    so talking about dynamic or static
    security stuff
    if you are writing junit tests
    and inside this test you’re grabbing
    from a repository
    your binaries your compromise binaries
    and you’re feeding your program
    is this a dynamic test or static test
    for you
    now we can discuss endless if this is
    dynamic or static
    but in the end what i want to say is you
    focus on
    scanning everything that’s in making
    sure that’s clean
    and making sure with quality that you’re
    just discussing about
    improving quality there is no discussion
    about
    left or right because quality is
    something you’re not discussing
    you just need to go through quality if
    you’re old
    or young quality is timeless okay
    security is this black magic thing and
    then you have to go step by step if you
    haven’t
    very efficient dependency management you
    can start
    implementing this oh we have to change
    versions
    and then later nobody is asking why we
    are changing versions because you are
    used to change versions you are flexible
    you are agile again
    but the uh the discussion is first about
    we are improving quality
    we want to have more use cases for the
    customer
    and in the end you know just changing
    dependencies not only for functionality
    but you start
    changing dependencies against
    vulnerabilities
    there’s one thing we’re talking about
    vulnerabilities
    but if you have compliance stuff you
    have a different behavior
    if you have vulnerabilities you need
    just a new version of the same library
    with compliance you need a semantic
    equal implementation
    because you need a semantic equal
    replacement you can’t change the version
    you have to change the dependency itself
    and if you’re running in this one
    then you need a good test coverage to
    make sure that this completely
    independent
    different implementation is doing
    exactly the same okay
    so you can you can start
    discussing about left and right and all
    this stuff but if you’re going over the
    quality
    thing and start being agile with your
    dependency management you have the
    biggest part
    and you’re going against vulnerabilities
    and compliance issues
    and then you can start adding oh we have
    a good test coverage now i want to test
    if something is not working
    as expected and feeding your system
    with compromised binaries so the secure
    payload testing
    is the first step i give you a
    manipulated image
    is my application working well no
    it’s crashing oh oh that’s
    happening this or that
    and then i’m start yeah
    writing security test but it’s under the
    hood of quality
    so it’s just a different way of waiting
    and it’s a different way of
    being yeah afraid of doing something if
    i say
    make a security test oh how to do i
    have no ah i have no idea never done it
    if i say hey tess if this stuff is
    running with this boundaries i’m
    providing
    yeah we’ll do this is easy
    So Aaron, I feel like whenever we get into these DevSecOps conversations, it's almost more of a... like the issues are almost more of a people and process issue than they are a solution issue, right? I think there's a lot of that in what we were talking about here. It's always fascinating to me when we... you know, I think sometimes we get so ingrained in looking for the next tool or the solution, or something that's going to help us fix whatever it is that's going on from a security standpoint, when we never take that step back to look at people and process and communication and all of that stuff, right?

    Well, yeah, I hope you're gonna see a lot of... I think you're gonna see some of that change now with the what, or sorry, the how of the SolarWinds attack and even the Microsoft Exchange Server attack, right? Because one of the things that Sven talked to, that I'm gonna have to go back to developers and think about: as a former developer, we have code checks, right? So code check means, like Sven talked about, I created this chunk of code, it's my section of the web application, right? If you have a mature software development, not even talking security, if you just have a secure software development life cycle, then that code is getting peer reviewed, right? So that is one thing that the insurance side does very well. Sorry, it's going to make it sound like the hospital side doesn't; the insurance side has been doing it way longer than the hospital side, so let me put that out there. So they have matured that. So Lloyd is my fellow developer, he's going in, he's looking at this code, right, for two things: it's the structure, right, for the test coverage that Sven talks about, but the other thing that we're going to have to train developers to do is maybe look for suspicious code. And when I say suspicious code, not like for code injection, but for your critical software: why is this piece of software doing this, right? And you're not doing it in an accusatory way, right, it's that collaboration part: hey, I see that you're sending this to this spot, is that the intended behavior? Or, like Sven says, do we rethink how we're doing unit tests to be able to account for that, right? So if you do that properly and you get that quality like Sven talks about, in theory you don't need to use a DAST tool, right, and then you can push code quicker. But that's gonna require a fundamental shift for web developers, developers period, and even development managers, right, because you're pushing more knowledge and more scrutiny and everything else to the beginning of your software development life cycle. And then the bonus part of it, like Sven talks about, is you have quality, you're less apt to have issues later. You're still going to do your penetration testing after your app goes live, right, but it's a new challenge: do you need DAST tools at all anymore? Right, especially because it's not at the AI level that it needs. Because for some people that aren't proficient or may not know a lot about DevSecOps: with your DAST tool, you're basically going in and your quality assurance analyst is saying, yep, it's supposed to be able to give you this information, but they also kind of think like a hacker. If I change this one number, right: I'm sending Lloyd, Lloyd is user one two three, I'm sending a request back, user one two three. And then when you're doing your regular testing, like the unit testing that Sven talks about, it's gonna be okay, right, because, hey, I put in this, my expected data return is what it's supposed to be. But a DAST tool is emulating a pen tester; that person is going to put in one two three four. Now am I getting Matt's information back? Yes, I'm getting it. That's bad; that's something that, like Sven talked about, we need to go back and address. But if we change that mentality and think about repositories differently and coding differently at the beginning, then down the road, until DAST tools get, like he said, super intelligent, you really don't need that stuff. And that's a fundamental shift in developer thinking. Wouldn't you agree then, is he right about that, Sven?
    Yeah, a few tiny details maybe we should discuss about.

    Tiny? Please fix these details.

    No, no, no, I don't want to fix, I just want to ask if I understood it right, or how to say it. No, it's more or less like... don't forget that if you're talking about this provider that will give you information about vulnerabilities, these are the known vulnerabilities, okay? These are not the unknown vulnerabilities, and this is why DAST is good as an addition. Because the amount of known vulnerabilities is way bigger than the amount of unknown vulnerabilities. It's just a prediction, I don't know if it's true, but I'm guessing from all the years.

    That's a pretty safe guess, yeah.

    But if I have the quick win, I should focus on the known vulnerabilities to verify, because I can verify this. What I mentioned was: now you know exactly what to do, you have an atomic operation, you can do it in a certain amount of time, you know you need so much time to do this one. For dynamic application security testing you need an exponential amount of time with double the amount of components, okay, because you have to... you don't have it in a CI/CD life cycle. So now the question is how you split up all the responsibilities. For a developer I think it's very important that in his daily life he will get his information as early as possible, like: I'm in my IDE and I have a plug-in, and if I'm adding a dependency I will just get a list of known vulnerabilities. The biggest challenge here is people are seeing the CVSS...

    Scores.

    Yep, scores, exactly. And this vulnerability score, this is just a number, but nearly nobody knows: okay, this number is built of these components. You have this base one, you have this temporal one. What is the thing that temporal is increasing or decreasing? Can temporal increase the score, yes or no? And then you have this environmental score, or metric, and how to adjust this. So it's this transformation from this generic number to the number that fits to my system. So people are not doing it; they say, "Adjusting the CVSS number? Whatever, that is the risk, right?" It's not, it's a generic number, and then you have to transform it.

    So it was CVSS for probability, three... probability?
    Matt, for you: I understood completely what Sven said, but to translate it, like Sven talks about, it's probability. Just because a score is 10, how is that 10 in relation to your web application, right? Because if you're not doing anything, that 10 is a 1, right? But if your application was doing this, that 10 is critical. And it's not really fair to a developer to translate that risk, right, because there are actually teams dedicated to doing that. So what Sven is saying is a hundred percent correct. Not incorrect; 100 percent correct, sorry.
    Oh yeah, but so I think the good mixture is what we need with the toolset, and make sure that everybody's just focusing on this part, and then I think you have a huge amount. What I miss: there are two things that most companies are just ignoring. It's security by concept. So they're focusing on the DevOps part, so from "I start coding" until it's running in production, but security by concept is a very strong thing. It's like an algorithm: if you have the wrong algorithm you can tweak the technique, but a better algorithm will always beat it. Yeah, and the other thing is that most people, or companies, or groups are focusing on checking the vulnerabilities of their product, what they're producing, but they're not checking their own infrastructure. So who scanned his Jenkins against known vulnerabilities? Damn, this was a SolarWinds attack, an attack against Jenkins or against whatever CI system. So check your infrastructure, check your tools you're using. And at the same time, if you have something like Artifactory, this repository manager, and you're storing your Maven dependencies, Docker images and all this stuff, why are people not storing the JDK there? This version has this JDK's runtime for this operating system, so why are they not? So they're storing everything, but they're not using generic repositories to save exactly everything from their production line, so in the same version that correlates to the version you're creating. So often I saw: yeah, we are developing on whatever JDK, for example on Mac. Yeah, the customer is running it on Linux. Yeah, they have this JDK number, whatever build. They have an incident. Okay, can we reproduce? Yeah, we have the same main number of this JDK but not the same build number. How to get it? Damn, that's it. So this is why, in the story, you can't investigate it anymore. That's it. Well, then be immutable over the whole production line and scan your whole production environment as well, because not only your product must be secured, you must be secure as well.

    Well, yeah, I just think SolarWinds... don't be the companies, it's "don't be the shakes".
    Amazing, what that particular situation has done to our entire industry, right? It's pretty fascinating. So Sven, we have just a couple of minutes left. I'm actually going to spin this all the way back around to the question that I normally ask, because we just had a very deep, thought-provoking conversation about DevOps. Tell us: if someone is interested in building a better DevOps platform or doing more in this space, why would they come to you and to JFrog to discuss this? So tell us a little bit about JFrog.
    Well, the best thing is to try it, and then I don't have to discuss with you, because then you will buy it immediately.

    So there's a free tier here, go try it.

    Yeah, and try it, it's so easy. So if you want to see a little bit more how it's done, so the practical way and all this stuff, you can have a look on my YouTube channel or on the JFrog one. For example, I shared how to harden that framework, an open source web framework, how it's done practically. And then look at this and check if this is a workload that would fit in your production line, because it's just what you're doing every time; it's just a tiny addition, so you're not spending more time, you're not having additional processes and all this stuff. And this is one of the bigger things of JFrog: we can go on-prem, we can go in the cloud, and we can go hybrid with all of our tools. If you have a security scanner, we have the full impact graph over all the layers, because with Artifactory we are now serving all package managers. With this we have all metadata, then we can say: this JAR is in this web archive, in this Docker image, used by this Helm chart, and this is running there in production. Done. That's good, so you have exactly what you need to revalidate the CVSS, as you have the full impact graph without technical borders. That's one thing. The other thing is that we are able to build... or if you're looking just at the security scanner, Xray for example, we're not just breaking a build. We have the possibility, we are offering everything by REST interface, okay, but we can start webhooks, and with this we can build semi-automatic or completely automatic workflows. Say, whatever infrastructure you have, you have for example an auditing tool, and you need all this information in this auditing tool because the law requires it: we are just sending this data to your auditing tool, because we have a REST interface, we can start webhooks, we can just do it on the fly. And this is one thing that is very, very convenient. I can talk, I think, a little bit more about what you can do with repositories, how cool it is, how you can kill rebuilds because you're using virtual repositories and all this stuff, but way too much for this time. So if you want to know more, just ping me on Twitter, LinkedIn, ask me, I'm giving talks, workshops, whatever, or just subscribe to my YouTube channel, because I'm doing all this stuff as a content creator.
    I can completely relate to that. I have a couple of good episodes for educational stuff, and those are like the 30 views, right? But you have something where you're going on a rant or something else, and then it gets a hundred views, and you're like: but this is just my opinion, this other one your company really could use, right?
    [Laughter]
    So thank you, thank you very much.

    Yeah, absolutely. So a couple of things: for those of you that have gotten this far in the video, you will know that somewhere inside of this video there was hidden an easter egg, I think that's what they're called, right, for a chance to... there's 25 copies of the book Liquid Software that JFrog is offering for the first 25 people that find that easter egg and get a hold of them on it. You don't have to give them any of your information or anything like that, just get a free book. So we appreciate that. Like, subscribe, all that, all the stuff that Sven just said about all of his stuff, do that with ours too, because we got some pretty cool stuff as well, including this episode. Sven, thank you very much. I continue to be enlightened by these conversations, so I really appreciate you being here with us. We will share all of your information in the details section of the YouTube video, and we'll see everyone for episode 24. Thanks, everybody.