Cloud Security Alliance (CSA) West Michigan Chapter: “Not Another Demo” with JFrog

hey everyone and welcome to
your favorite youtube series and our
favorite youtube series
too i’m not gonna lie this is literally
my favorite thing to watch
is uh is everyone else talking not me
but anyways
still my favorite um we are
we’re on episode number 23 if you can
believe that of
not another demo as you know not another
demo
is is our uh chance of having a real
conversation with the vendor
about what they you know what they do
what problems they solve
maybe what sets them apart from
competitors in the industry and we’re
super excited of course i i i’ve got
aaron and lloyd
uh with me today so we’re we are sans
anthony today but uh the the three of us
are gonna handle it in his
absence we’re wishing him well because
he got injured
um doing indoor outdoor stuff sven he uh
he broke his ankle
um climbing
you know young people like to do young
people things and i don’t
i don’t do any climbing anymore except
in and out of bed
and i could break an ankle doing that
sometimes i’m not gonna lie
um so uh we are really happy
this week to have with us sven rupert
from
jfrog and uh we are uh i i have to do
this
we are going to jump into the devops
swamp with jfrog today so
um you did that you did that on purpose
right jumping
for anthony
so sven i’m gonna uh just have you
introduce yourself
um introduce us to to jfrog because i
think you guys are
are a newer company so maybe some folks
are not familiar with what you’re doing
and then
let’s start with you know maybe telling
us a little bit about what sets you guys
apart from
some of some of the other companies in
that space
okay so um well i’m sven i’m from
germany and i joined
jfrog a little bit over a year ago as
developer advocate
and there i’m focusing on the security
part there in the
product area what what jfrog has jeff
rock itself is um
originally from israel tel aviv and then
tonight
but israel and they have no headquarters
in
different countries and in u.s
sunnyvale uh last year we had our ipo
so since this we have all this attention
with all these new rules and new
uh yeah ways to do things new
regulations too
right yeah yeah yeah yeah sorry
more people than respect him
yeah oh well no we we are quite flat in
in the hierarchy towards it that’s
really
really cool and um
well still still some kind of ager so
it’s
uh the company itself i think it’s over
10 years old to say i don’t know exactly
so
but it’s it’s not just a startup from
the last two years
definitely so there’s a history and
they’re focusing
since the beginning um on the developer
part
say what what is what the developer
needs what’s a developer like
um they they came from the field of um
binary management so the most people
know it from from multifactory
it’s this binary repository
and yeah that’s that’s the route where
everything is coming from
and then slowly the functionality was
increasing with
how it distributes its stuff and how to
make it secure and
how to yeah build this stuff and so on
but the core is art factory the binary
manager
that’s it well
all right let’s just jump right in
because this is this is
a topic i am a former
well i guess i’m not a former web
developer because i still i still code
on the side because i have to stay
up on secure coding practices because
that’s one of the work streams that i
manage in my day job
um we’re actually about to start
um a new secure software
development like too many
too many letters secure software
development
life cycle maturity right because my
organization
we’re big enough we actually have two
different development teams one on the
medical side
and one on the insurance side so
one of the struggles that we have as we
try and mature this process
is the balance of you know the
continuous innovation
continuous delivery you know the ci cd
pipeline
balancing that with security
requirements right
so three or four years ago you know we
had you know
we implemented stat sas tools static
application scanning
uh tools and then you know dynamic
application scanning tools
we quickly discovered that
uh the sas part worked well after you
matured and got your false positives
out in your code but one of the
struggles that we had was around dynamic
application scanning and how
you know the development teams as you
know especially the artifactory space
you know they want to crank out stuff
all the time and it doesn’t leave a
whole lot of time to do
complex testing you know secure coding
testing so
what are you seeing right now in the
devsecops space
that’s kind of trying to address that is
that something that you can do with the
solution like yours
or is it a combination of things
well um let’s let’s say so if
the most people if they start what they
say they need something that’s
giving the best benefits in the
beginning so what what are the
low-hanging fruits
and mostly if people start thinking
about security and reading a bit and all
this stuff they got a lot of this
acronyms terms
short word whatever constellations and
the security field as a lot of other
fields has
buzzword inflation it it’s it’s a
german term so what would translate but
it’s more we we’re getting more
buzzwords
and sometimes it’s way easier if you’re
if you’re going a little bit back to the
roots
and think about what what is the core
you’re doing
what is just technical costs um
how to avoid things that are just here
before
because they are cool but you’re not
earning money with it
so and if if you start simplifying
things and
the main thing is complicated things to
explain complicated
is easy but explain
complicated things in easy words is damn
this is really hard because then you
need to understand it
exactly in all details so it
means that making security
simple is a biggest goal you should have
so that
everybody in your team is able to follow
is able to do
his part of the job and um
simplifying means as well that he splits
the responsibility
so who is responsible for the does part
who’s responsible for the static part
who’s responsible for whatever
so um this is sometimes not really clear
so if if you’re looking a little bit in
the past we have these deaths and orbs
and what we learned is that
this merging is a good thing so that the
whole team is responsible for all this
stuff
but on the other side what we learned is
now if you have these devops teams not
every dev is an
op specialist he needs to know exactly
what he needs for his daily job to be
efficient
and the same with security so if you’re
going to the suspect or das per
or whatever you need
you have to make sure that the general
awareness of this topic security is
everywhere every in every part of your
tool chain on your your product line
but some people are focusing on the
dynamic application scanning so what
what we are doing with
jfrog is we are focusing on the
let’s say biggest part of it um
but not of the dynamic part why why is
this dynamic application
security testing why is this just a tiny
part compared to
to the rest so if if you look at the
whole tech stack
and what what are you doing as a
developer you have always this decision
may go by so i need i need to print the
pdf
should should i implement a pdf library
or should i get it as a pdf
library so elaborate third party
dependency
and security for me personally security
includes vulnerabilities and compliance
issues
so this is both can be poison for your
business
vulnerabilities yeah it’s just a
compromised system
compliance it’s just the right license
at the wrong place
can kill your business as well so this
is this is something that most people
are forgetting that compliance is part
as well
so going back to the developer what’s he
doing he he has always his
time to market and make or buy so the
economy part of the company is is
thinking about
this this new use case must be pushed to
production as
fast as possible because we want to
write a bill okay this
this is the main thing and we as a
developer we are doing exactly the same
so there is a requirement
and we must push it as fast as possible
to production
and if you have a vulnerability and you
have to react
this is time to market as fast as
possible it
must change in production there is a
requirement this vulnerability
so whatever vulnerability if you’re
finding it on static analysis or during
the runtime or whatever
the other side if you’re checking the
dependency part and all
tech layers the most projects i
saw is that the dependency part is by
far
the biggest part of an application so
if you are focusing on the static stuff
on the dependencies and making sure that
this is secure you have the low-hanging
fruit you have the biggest part of the
system already checked
yeah and this should be done there
and this is an easy part because the
mathematics behind
is easier and then you can focus on the
dynamic application scanning stuff
but this is not really solved from the
mathematical point of view
from the technical point of view and so
on
but whatever technique you’re using
i think you should focus on quality
because quality will lead you to
a better way to deal with security or
vulnerabilities always all this stuff
and why because you you’re just
going over test driven development and
this is
low-hanging fruit for everything so if
you’re focusing on quality
and then adding the term security in the
whole pipeline
and focusing on the biggest parts you’re
on a good way
and all this ai stuff and all this
dynamic scanning
for me personally is a tiny part
in the whole text stack and this is why
i always would
say have an eye on this dynamic
application scanning stuff
make sure that you are have no false
positive stuff
but make sure that this is not the
leading one because this
is it’s not so strong it will be strong
over the next 10 or
15 years and it will be amazing what we
will get with ai and machine learning
and all this stuff
but right now my personal feeling is
it isn’t at on and it’s not
the main thing you should focus on
and it’s just yeah so
it has the same rules so if you find
something
you must be fast again you must change
it as fast as possible
you must be immutable you must be able
to
recreate the same instance to analyze it
without destroying your production
and all this stuff so you have the same
mechanics
and uh for me personally my personal
point of view is that the dynamic
application
security part isn’t good at on but it
shouldn’t be the backbone that’s
that’s at least what what i would
suggest
now when you talk so hang on so you you
had a
phrase in there that i had have to
capture you said what was it buzzword
something you said it was a german term
buzzwords something uh uh they see a
buzzword inflation
so in reflection in terms of this we’re
gonna
we’re gonna bring that um here because
uh you know and you heard aaron a couple
of times
it’s one of our rules and not another
demo we don’t allow acronyms because we
get into that
that uh vegetable soup mix of oh wait
i’m gonna use the new word
uh buzzword inflation which we want to
stay away from
totally love that hashtagging that one
um on this episode
so um okay yeah i guess
aaron i’ll throw back over to you
because i know we’ve had some
assassin desk conversations um like
what was your take on the on that part
of the conversation
i’d like to dig in a little bit more
like when you talk about
quality right so i i am in agreement
with you that
dast has a long ways to go
right because ai isn’t where it needs to
be you still
need a lot of manpower right
putting in you know the checks and
you know the logic in the das tool to
make it
find the vulnerabilities you’re looking
for right so that’s there’s a big
fte left on that you need a you know a
qa
analyst or a business analyst that knows
your application
that can say check for x y and z right
that’s that’s the biggest
problem with implementing a dust right
is understanding that
it’s going to need a lot of care care
and feeding as opposed to
a static application scanning tool i
wanted to
to know a little bit more about when
what you mean by
like quality you know when you talked um
a little bit
about shift lift shift left sorry
um before we started recording are yours
are you seeing that most if i’m
understanding you right
you’re saying that most of the
vulnerabilities that you’re finding in a
solution like jfrog
are like bad you know bad binaries
coming in you’re beginning to your setup
tools right so your open source
libraries you mentioned like you know
as a developer do i want to create my
own pdf
converter so matt for you and lloyd
there are times where you have a form
right
and you put in the information on the
form and then you need to do two things
with it
you need to send that data to the
database but you also have to print
and make it printable right so the stuff
that sven talked about
you need to be able to print out a copy
so there’s two ways to do this right you
can do
well actually three one you can just
roll the dice right and see what windows
or mac does
when you print it you can create your
you know you can make css tweaks um
cascading style sheets
tweaks to make it look a certain way or
eight out of ten times like sven is
saying the developer’s just gonna go out
and get a plug you know get a plug-in or
a library
that that creates that so sven are you
seeing that more vulnerabilities are
coming into your custom
web applications from like open source
libraries
um well let’s let’s have a
little bit more detailed view on this
one um because i don’t want to blame
web apps or different technologies so
um we all know the solar wind tag so if
we
we got it okay this fire company that
got their tool stack broke to this
solarwinds company
and uh what what happened here the main
thing
is that the attack was not against the
final target the attack was against the
supply chain and this
is a new way of attacking system because
if you’re getting a binary and you have
a fingerprint
and you’re validating and it’s coming
from the producer and you say oh this
fingerprint that’s fine
you’re just taking this binary and trust
it
yeah it happened exactly exactly this
happens
because the attack was against the ci
environment
from from this company and with every
build they produce
compromised binaries by themselves so oh
my god
so how to get rid of this one how to
make sure that this will not happen for
you
and so this this isn’t this is the
question so
what what is static dynamic
for you um are you looking at the place
that you are a producer and pushing
stuff away or you’re focusing on the
part i’m grabbing from the market and
using it by myself
so this and these are different things
if you’re focusing on
just on the part i’m grabbing stuff from
outside
into my production make sure that
nothing is coming in over this way
okay then you need to understand over
all tech layers
of the dependency management systems and
if you have this metadata
and this binaries and the knowledge
about all known vulnerabilities
you’re focusing on 80 or 90 of your
whole stack already
damn that’s good what you need is to
go back to your previous question about
quality
if you’re dealing with vulnerabilities
i’m not talking about
compliance issues because there is a big
difference so with vulnerabilities
you have just between to kill a
vulnerability is mostly
creating a new composition of the same
word of different versions of the same
elements
okay so if you have version a and it
must be version
b but it’s the same library so if you’re
focusing on this part
a good test coverage will help you
because you can just
create a new composition of versions
test it give it to production perfect
time to market short okay don’t
do all this stuff if you’re thinking
about should i grab a dependency open
source or not i love open source because
a lot of people can analyze it
instead of something that’s closed
but if you think about creating pdf by
myself
or grabbing someone i would trust this
guy that has done it a few times
and learnt his lesson already but a few
of us i mean developers
tend to say hey i’m great i’m a senior i
can do everything
and this is a challenge if you’re
talking
yeah doing stuff by yourself
oh yeah just a pdf i don’t i just need
this a and b
and they not even read the spec what pdf
is including
so nearly nobody knows that pdf can
include javascript that’s
executed so all this stuff
so it means that don’t underestimate the
effort
not only from the economic point of view
but from the complexity and the best
practices
it’s the same with polyglot systems so
with this micro
service stuff and serverless and
whatever
what we are thinking is we’re thinking
of
writing new instead of maintaining
this is nice and this is perfect if you
want to try out stuff
i learned java i started working with
java 1996.
if i would start now with go i would be
just a junior
a just bloody junior but i have to say
to myself
okay no i’m a junior and i
would need advice for people that maybe
just
half of the age of mine but working
five years ago and i just started and
this is a challenge that’s a
social challenge in companies and this
is a huge security risk
so security is not only the dependency
security is how to deal with
your own ego with your behavior with
your teammates and all this stuff
this is a different part of security so
this polyglot world will give
us different challenges of hidden
technologies just dependencies grabbing
stuff in
it will give us a challenge that i’m not
a senior anymore i have to learn again
it gives us a challenge how to deal with
different personalities
and how to do this one and
quality is mostly a good good good thing
again the most
of this pause i just mentioned why
um if if you have a good test coverage
i’m not saying what is a good test
correction just i think you have a good
test coverage okay
and term good we have to have a look on
but if you have a good test coverage it
doesn’t depend
if i’m doing a change in the system on
monday after i had a strong weekend
on wednesday and i’m just exhausted on
friday and i’m just
out on the weekend already or
if i’m happy at home or not or social
challenges whatever i’m always
delivering the same quality and this
is the change the machine can deliver
always the same quality
i’m a human i’m not able to do it but
the machine can help me
and if i have a predictable quality
then i know the duration and so on and
so on
okay so now the question was a good test
coverage
and then we can go back to the security
part and static or non-static testing
what’s a good test coverage most people
start with line coverage
line coverage is great yeah but
it’s just a very very it’s not strong
okay it’s definitely not strong even if
you have branch coverage it’s not strong
so what other test techniques you have
and then people are coming oh yeah
we have property-based testing and so
okay property-based testing
um can you explain me the random
generator
that is used to create a statistic
significant amount of test points
fits to your problem are you able to
verify that this random generator fits
to your problem yes or no
and the most developers would say i’m
taking the random generator that’s
part of this tool great perfect i have
no clue what i’m doing but i have test
coverage
i would prefer something very
traditional from the 70s
boring stuff mutation testing everything
is atomic
mathematical easy implementing and
straightforward
okay and then i have a really strong
test coverage
and now going back to this dynamic of
the static testing
static testing is an easy mathematic
it’s a straightforward algorithm is
you can handle it and you can
validate that this is at least a solid
base
and the dynamic part this is on top
yeah so but with a good quality and a
good
process you eliminate human stuff you
eliminate
this so i don’t know how to explain it
but
you’re working with quality against a
lot of variables you have
inside this system and make sure that
that’s predictable
and predictable is perfect for security
yeah that makes sense
that makes sense um do you see
do you see situations where especially
you will use your junior junior
developer use case
are you seeing that it’s better to
teach them to code like getting to them
early and saying secure coding practices
like you know cleanse your inputs
like you said think about your test your
you know your test coverage differently
um it’s easy probably easier to
implement that with a junior developer
how do you how do you how do you propose
doing that like you said with a senior
developer
who’s like you know i’ve been doing this
forever
you know i started coding before you
were alive kind of thing
where that’s working against
security because you need them to learn
new things because
because especially with code there’s new
types of
attack scripts every single day
yeah so um let’s say so um
well i i had this situation in one
company i was head of r d
of an uh company here in germany and was
leading a team
and there was a product and it was over
10 years old it was transformed from
php to java over 15 years ago so
something like that so we had
way more than a million lines of code
and this the challenge was that this
team was nearly yeah they are
all over 60 sometimes so a huge amount
was
just near to be retired okay
and they had a lot of experience and
this was the biggest border
so this was the biggest challenge and
they recruited
just from the university so you had
exactly this
thing so someone you can form or
you can train and on the other side just
it’s
very very i don’t know how to say polite
about this
people that are long in this field that
are quite old
and have a very stubborn strong you can
wait it’s okay to say stubborn
yeah so as if you’re not a native
speaker you must be careful what you’re
saying i’ll say
so the main thing is that that
here this challenge was how to motivate
them to to change something in their
life because the old one
didn’t want to change something they
just want to get the last five years to
be retired
they never want to touch it anymore and
they just don’t care about the company
because
they are retired in four five six years
and what with the company happens
they just don’t care the young one says
oh i’m learning
from the old one and i will do exactly
what they’re doing because they have
experience and all their stuff
and the young young one was not strong
enough
to say something against the old one
because they know the ceo
they along in the company and all this
stuff so it’s social engineering was
really a disaster
they were starting to not only not only
make it difficult to have those
hey should we think about doing a
different way but you probably run into
where they’re picking up bad habits
right yeah so that they’re just doing
the same stuff as the old one and this
was a change
this was really a disaster and so with
this they used all practices
they are not look they it was not
allowed to use
new practices yeah so they stuck on old
behavior
and yeah this learning stuff this is
something so
what what what you need in this case is
you need a metric
that is easy to understand from the
developer
up to the sea level and it must be
one metric that’s exactly the same so
the same number but you can use it on a
green and red slide for the sea level
and
in numbers for the developer so one
thing
everybody’s working against and you need
some some behavior or some some some
characteristics of this number must be
if you have this typical static analyzer
you have 100 000 defects
and you’re working one month and then
you kill 10 000 defects it’s a lot but
in the statistic you see nothing
people are just bored and stop working
against it
and the same with security so if you
have all this stuff it’s
so you need something with an
exponential growing so
this is why why i love this mutation
testing you start with a few tests but
in the beginning you have an exponential
grow of
mutation test coverage and then it’s
going slow and slow but then you are
over 80 percent
and this behavior this curve yeah is
very motivating for the team
and you’re just discussing about this
number you’re not discussing about
what should you do or your behavior or
whatever if you just
be able to reduce the discussion
to discuss about numbers so many
mutations means
we have this amount of risk in our
application we’re expecting so many
changes
risk and changes are not fitting
together we need
strategic thing and then you start
implementing this
sneaking in with security stuff
for example security payload injection
testing
so talking about dynamic or static
security stuff
if you are writing junit tests
and inside this test you’re grabbing
from a repository
your binaries your compromise binaries
and you’re feeding your program
is this a dynamic test or static test
for you
now we can discuss endless if this is
dynamic or static
but in the end what i want to say is you
focus on
scanning everything that’s in making
sure that’s clean
and making sure with quality that you’re
just discussing about
improving quality there is no discussion
about
left or right because quality is
something you’re not discussing
you just need to go through quality if
you’re old
or young quality is timeless okay
security is this black magic thing and
then you have to go step by step if you
haven’t
very efficient dependency management you
can start
implementing this oh we have to change
versions
and then later nobody is asking why we
are changing versions because you are
used to change versions you are flexible
you are agile again
but the uh the discussion is first about
we are improving quality
we want to have more use cases for the
customer
and in the end you know just changing
dependencies not only for functionality
but you start
changing dependencies against
vulnerabilities
there’s one thing we’re talking about
vulnerabilities
but if you have compliance stuff you
have a different behavior
if you have vulnerabilities you need
just a new version of the same library
with compliance you need a semantic
equal implementation
because you need a semantic equal
replacement you can’t change the version
you have to change the dependency itself
and if you’re running in this one
then you need a good test coverage to
make sure that this completely
independent
different implementation is doing
exactly the same okay
so you can you can start
discussing about left and right and all
this stuff but if you’re going over the
quality
thing and start being agile with your
dependency management you have the
biggest part
and you’re going against vulnerabilities
and compliance issues
and then you can start adding oh we have
a good test coverage now i want to test
if something is not working
as expected and feeding your system
with compromised binaries so the secure
payload testing
is the first step i give you a
manipulated image
is my application working well no
it’s crashing oh oh that’s
happening this or that
and then i’m start yeah
writing security test but it’s under the
hood of quality
so it’s just a different way of waiting
and it’s a different way of
being yeah afraid of doing something if
i say
make a security test oh how to do i
have no ah i have no idea never done it
if i say hey tess if this stuff is
running with this boundaries i’m
providing
yeah we’ll do this is easy
so i aaron i feel like whenever we get
into these these devsecops conversations
said it’s
almost more of a like the issues are
almost more of a people and
process issue than than they are a
solution issue right i think there’s a
lot of what we were talking about here
it’s always fascinating to me when we
you know i think sometimes we get so
ingrained in looking for
you know the next tool or the solution
or you know something that’s going to
help us
fix whatever it is that’s going on from
a security standpoint when we never
take that step back to look at people
and process and communication and all of
that stuff
right well yeah i hope you’re gonna see
a lot of
i think you’re gonna see some of that
change now that this
the the what or sorry the how of the
solar winds
attacking even the microsoft exchange
server attack right
because one of the things that cement
talked to
that you know i’m gonna have to to to go
back to developers and think about so as
a former developer we have code checks
right so code check means
ike it’s like sven talked about i
created this chunk code
it’s my section of the web application
right
you have if you have a mature software
development not even talking security
if you just have a secure software
development life cycle
then that code is getting peer reviewed
right
so that is one thing that um you know
the insurance side does
very well is i sorry it’s going to make
it sound like the hospital side doesn’t
the insurance side has been doing it way
longer than the hospital side so let me
put that out there
so they have matured that so i have
lloyd is my fellow developer he’s going
in he’s looking at this code right
for two things it’s the structure right
for the test coverage that seven talks
about
but the other thing that you that we’re
going to have to train
developers to do is maybe look for
suspicious code and when i say
suspicious code not like
for code injection but for your critical
software
why is this piece of software doing this
right and you’re not you’re not doing it
in a
accusatory way right it’s that
collaboration part
hey i see that you’re sending this to
this spot is that the intended behavior
or like sven says do we do
do we rethink how we’re doing unit tests
to be able to account for that right
so so if you do that properly and you
get that quality like sven talks about
in theory you don’t need to use a
das tool right and then you can push
code
quicker but that’s gonna require a
fundamental shift for
like web developer developers period and
even development managers right because
you’re pushing
more knowledge and more scrutiny
everything else
at the beginning of your software
development life cycle
and then the bonus part of it like sven
talks about
is you have quality you’re less apt to
have issues later you’re still going to
do your
penetration testing after your app goes
live right
but it’s it’s a new challenge do you
need das tools at all anymore
right especially because it’s not to the
ai
that it needs because for some people
that aren’t proficient
or may not know a lot of about devsecops
is
your das tool you’re basically going in
and your
quality assurance analyst is saying yep
it’s supposed to be able to give you
this information but they kind of think
also like a hacker
if i change this one number right
i’m sending lloyd lloyd is one two three
user one two three
i’m sending a request back one tooth
user one two three
and then when you’re doing your regular
testing like the unit testing that sven
talks about
it’s gonna be okay right because hey i
put in this
my expected data return is what it’s
supposed to be
but like with a das tool is emulating a
pen tester
that person is going to put in one two
three four
now am i getting matt’s information back
yes i’m getting that’s bad that’s
something that like friend talked about
we need to go back and address but if we
change that mentality and think about
you know repo repositories differently
and coding differently at the beginning
then down the road until you know das
tools get like he said
super intelligent then you really don’t
need that stuff and that’s a
that’s a fundamental shift in think in
developer thinking
wouldn’t you agree then is he right
about that sven
yeah a few a few tiny details maybe
we should discuss about chinese
please fix this details no no no
i i don’t want to fix i just want to um
ask if i understood it right or
how to say it no it’s it’s more or less
like
um don’t forget that
if you’re talking about this provider
that will give you
information about vulnerabilities that
are the known
vulnerabilities okay these are not the
unknown vulnerabilities
and this is why dust is good as addition
because the amount of known
vulnerabilities is
way bigger than the amount of unknown
vulnerabilities it’s just a prediction
i’m not true i don’t know if it’s free
right it’s but i’m guessing all the
years
that’s a pretty safe that’s a pretty
safe gas yeah but
so and and if i have the quick win i
should focus on the
known vulnerabilities to verify because
i can verify this what i mentioned was
now
you know exactly what to do you have an
atomic operation you can do it in a
certain amount of time you know you need
so much time to do this one
for dynamic application or security
testing you need exponential amount of
time
with double amount of components okay
because you have to
don’t have in a ci cd life cycle
so and now the question is how you split
up all the responsibilities
for a developer i think it’s very
important that in his daily life
he will get his information as early as
possible like
i’m in my ide and i have a plug-in and
if i’m adding a dependency i will just
get a list of non vulnerabilities the
biggest
challenge here is people are seeing the
cvss um
these um scores yep scores
exactly and this um vulnerabilities
course uh
this is just a number but nearly nobody
knows okay this number is built
of these components and you have this
basic one you have this temporal one
what
is the thing that temporal is increasing
or decreasing can temporal
increases score yes or no and then you
have this environmental score
say or metric and uh how to adjust this
so it’s this transformation from from
this generic number to the number that
fits to my system
so people are not doing it says
adjusting cvss
number whatever is the risk right it’s
it’s not it’s a generic number and then
you have to transform it
so it was cbss for probability three
probability
matt for you i understood completely
what seven
said but to translate it like sven talks
about is
probability just because a score is 10
is how is that 10 in relation to your
web application right
because if you’re not if you’re not
doing anything
that 10 is a 1 right but if your
application was doing this
that 10 is critical and it’s not really
fair to a developer to translate that
risk right because there are actually
teams dedicated to doing that so
what sven is saying is a hundred percent
correct
in not incorrect 100 correct sorry
oh yeah but so i think uh the good
mixture is
is what we need with the toolsec and
uh make sure that everybody’s just
focusing on this part and then i think
you have a huge amount
what the mess there are two things that
most companies are just ignoring
it’s security by concept so they’re
focusing on the
devops part so from i start coding until
it’s running in production but security
by
as concept is a very strong thing it’s
like an algorithm
so if you have the wrong algorithm you
can tweak the technique but a better
algorithm will always beat
yeah and the other thing
is that most peop or companies or groups
are focusing on
checking the vulnerabilities of their
product what they’re producing
but they’re not checking his own
infrastructure so who scanned his
jenkins against non-vulnerabilities
damn this was a solarwinds attack
attack against jenkins or against
whatever ci system so
check your infrastructure check your
your tools you’re using and at the same
time if you have something like at
factory this repository manager
and you’re storing your maven
dependencies docker images and all this
stuff
while people are not storing the jdk
there
this version has this jdks runtime
for this operating system so why they’re
not
so they’re storing everything but
they’re not using generic repositories
to
to save exactly everything from their
production line
so in the same version that correlates
to the version you’re creating
so often i saw yeah we are developing on
whatever jdk
for example on mac yeah the customers
running it on linux
yeah they have this jdk number whatever
built
they have an incident okay can we
reproduce yeah we have
same main number of this jdk but not the
same build number
how to get it damn that’s it
so um this is why in the story you can’t
investigate it anymore
that’s it well damn be immutable of the
whole production line and scan your
whole production environment so as well
because
not only your product must be secured
you must be secure as well
and well yeah i just think solo wins
don’t be the companies it’s don’t be the
shakes
amazing the uh what that what that
particular situation has done to our
entire industry right it’s pretty
fascinating
so so sven we have just a couple of
minutes left i’m actually going to spin
this
all the way back around to the question
that i normally ask because
we just had a very deep
thought-provoking conversation about
devops
tell us if someone is interested in
you know building a better devops
platform or
doing more in this space why would they
come to you and to jfrog to
discuss this so tell us a little bit
about jfrock
well the best thing is to try it
and then i don’t have to discuss with
you because then you will buy it
immediately
so there’s a fridge here go go try it
and adjust
yeah and try it so it’s so easy so um if
you want to see a little bit more how
it’s done so the practical way and all
this stuff
um you can have a look on my youtube
channel or on on the jfrog one
for example i i shared how to harden uh
that framework
an open source web framework how it’s
done practically and then look at this
and
check if this is a workload that would
fit
in your production line because it’s
just what you’re doing every time
it’s just a tiny addition so you’re not
spending more time
you’re not having additional processes
and all this stuff
and this is one of the bigger things of
jfrog we can
go on pram we can go in the cloud
and we can go hybrid with all of our
tools if you have a
security scanner we have the full impact
graph over all click layers because with
art factory we are now sending all
package manager
with this we have all metadata then we
can say this jar
this is this web archive in this docker
image used by this helm chart and this
is running there in production
done that’s good so you have exactly
what you need to
revalidate the cvs as the full impact
graph
without technical borders that’s one
thing
the other thing is that um we
we are able to to build
or if you’re looking just at the
security scanner x-ray for example
we’re not just breaking a build we have
the possibility
we are offering everything by rest
interface okay
but we can start workbooks and with this
we can build semi-automatic or
completely automatic workflow say
whatever infrastructure you have
you have for example auditing tool and
you need all this information in this
auditing tool because
the law required is we are just sending
this data to your auditing tool because
we have rest interface we can start web
hooks we can just do it
on the fly and this is one thing that is
very very convenient
i can talk i think a little bit more
about
what you can do with repositories how
cool it is how you can
kill rebuilds because you’re using
virtual repositories and all this stuff
way too much for this time so if you
want to know more
just ping me on twitter linkedin
ask me i’m giving talks workshops
whatever or just
subscribe my youtube channel because i’m
doing all this stuff
doing all this stuff as a content
creator
i can completely relate to that i have a
couple good episodes
for for educational and you know
you have those are like the 30 views
right but you have something where
you’re going on a rant or something else
and then
it gets a hundred views and you’re like
but this is just my opinion
this other one is you your company
really could use it right
[Laughter]
so thank you thank you very much yeah
absolutely so a couple of things for
those of you that have gotten this far
in the video you will know that
somewhere inside of this video it was
hidden in easter egg
uh i think that’s what they’re called
right um for a chance to
uh there’s 25 copies of the book liquid
software that jfrog is offering for the
first 25 people that find that easter
egg and get a hold of them on it
you don’t have to give them any of your
information or anything like that just
get a free book
so we appreciate that um like subscribe
all that
all the stuff that sven just said about
all of his stuff do that with ours too
um because we got some pretty cool stuff
as well um
including this episode uh sven thank you
very much for
uh i i continue to be enlightened by
these conversations
um so i really appreciate you being here
with us
we will share all of your information um
in the
the details section of the youtube video
and uh we’ll see everyone for episode
24.
thanks everybody
[Music]
[Applause]
[Music]