DevSecOps – Up and Running with JFrog Xray [swampUP 2020]
Sven Ruppert, Developer Advocate, JFrog
July 7, 2020
2 min read
Sven is working as Developer Advocate for JFrog and has been coding Java since 1996 in industrial projects. He worked for over 15 years as a consultant worldwide in industries like Automotive, Space, Insurance, Banking, UN and WorldBank. He regularly speaks at conferences and meetups worldwide and contributes to IT periodicals as well as tech portals. In addition to his main topic, DevSecOps, he is working on Mutation Testing of web apps and Distributed Unit Testing, besides his evergreen topics Core Java and Kotlin.
Hello and welcome to my talk, DevSecOps – Up and Running with JFrog Xray. My name is Sven Ruppert and I'm a developer advocate at JFrog.

What we want to do today is, first, see the difference between DevOps and DevSecOps, just to have an idea of where the pain points are and what you should avoid. After this, I will have a few minutes about why DevSecOps will minimize the risk in projects and for your business, and after this we will have a view like a developer, what a developer will see in daily life. After this we will have a few points about architecture and what you can do there, and the last one will be how to get _ all this into existing infrastructure.
Difference between DevOps and DevSecOps.

If you're looking at the internet, especially at Wikipedia, you will see that DevOps is a well-defined thing. It's more or less… It has a lot of books written about it, and sometimes you have different opinions about what is part of it, but in the end there are some key points that are part of pure DevOps. It means we are looking at the process from coding, over building and testing the software, up to packaging and releasing, and then later running, so the configuration and monitoring of the productive systems. So if you're looking at this one, you see that it's purely focused on the development itself; it's more or less a generic thing. There's no special part for performance, there's no special part about quality, and there is no dedicated part for security.

So what does it mean? If you're looking a little bit at the history of DevSecOps, or where DevSecOps or DevOps is coming from, you'll see that it was mostly in companies who had a situation with _ and the Ops part. The Dev part was mainly focusing on the coding part, building and testing, and after all this is done you have something like a repository, maybe Artifactory, and there was this packaged thing that the Ops team could grab, configure, test, deploy, whatever they want to do with it. This is not good, because you have two dedicated teams, so there's a big border between them. So it makes sense to make this more or less transparent, so that you have not the Dev or the Ops part, and it means that everybody should be aware of all these things.

If you're looking at this one, the first question is: what is the right place for security itself? Do we have to add one dedicated point to this pipeline for security testing? Maybe you are asking if security is just a product you can buy. Or will security mean that I'm slowing production because I have to do more things now, or more items in my pipelines? So all this, if you're just looking at security itself and define security as one place in your pipeline, then it's not really an optimal point of process in business. So, to give an answer to a few of these questions: security is tested after, for example, performance, or after… whatever. Now, security is not one dedicated step in your pipeline that you should focus on. Security is something that should be everywhere. It makes no sense just to hire someone who has a security background and he's ignoring the rest of the team, or the team is ignoring him, or whatever. It's not just hiring one guy that is now responsible for security and that's it. Security is something for the team itself, and if you're thinking about what a developer should feel, it's definitely wrong if he has the feeling that security is just bringing tight borders around him. It's not losing security; security is something that will be integrated, and actually security is something that, maybe, will give you more freedom than you had before, because you can make decisions faster and easier, because you will know what is coming.

So DevSecOps is more like a culture. You will see keywords like "Security First", for example, or "Zero Trust Environments" or whatever. So security is more _; DevSecOps is something like a philosophy, something like performance, something like quality. Quality is not something that is just bought in one tiny step; quality is something that is everywhere in your pipeline. It means from the very beginning of your production to have quality in your mind with every single step you do. So, same with security. If you're going to security right now, from the first line of code, security should be one part you have an eye on. That means security must be introduced as early as possible, so not only after everything is coded and the use cases are done; it makes sense to introduce security right now, from the first line of code, and I will show you how this could look for you.

So it means security is part of the whole life spectrum. It's not a dedicated step; it's going from the first line of code, as I mentioned before, up to monitoring and deploying productive systems. So every tiny step will have some security things, attributes, stuff you could do, even thinking about testing. Just thinking about testing functionality is one thing, but if you have security in mind even during the TDD phase, it could have something like risky _ testing and all this stuff. So, security should be everywhere.
Why will DevSecOps minimize your risk, or the risk for your business? This is a good question, so why should you do it? Have in mind that a lot of stuff is based on open source; in the Java world you're speaking about 60% up to whatever percentage. So a lot of stuff in your product or project will be a dependency, will be coded by someone else, will be maintained by other people. This makes sense, because you don't want to reinvent the wheel. You don't want to code all this stuff by yourself, because you need all the knowledge in your house, that just _ a good idea. And the other thing is, you should focus just on the use cases, to bring the best quality to your customers. But at the same time you must trust other people's implementations. And how to do this one? So you have security of things and you have compliance. So _ must be available, the information about it. Open source is good because you can analyze it easily, fast, everything is accessible; with closed source it's mostly a little bit more tricky, because you have to do all this stuff indirectly. So security issues are quite often found early in open source, well, I have no numbers about this, but it's easier to detect them, for sure.

Another thing, as I mentioned, is compliance. Open source means you have a big bunch of different licenses. Different licenses means that some of these licenses are good for your business, and some licenses are just poison. So sometimes it's a really bad idea if you just trust the license that this project is giving you or declaring; maybe some _ dependencies are just not the same license as the license that really fits the business. So you have to check all the transitive dependencies as well, if they're using the right license and if they're declared right. So make sure that you have a full overview of the _ or stuff that is part of your project or business.

DevSecOps, or DevOps in general, means that you have to speed up your production in terms of automating it as much as possible. If you have a _ pipeline, it's the way to go to do as much as possible in the CI pipeline, because this is doing stuff again and again with the same quality, and you can just increase speed by automating things. The next thing is, it's good for security and for quality if you're removing old, boring parts from your production, because with this people are more focused on the tasks that are really important, and this means you can increase quality and security. So not only bugs but non-compliance and security issues should be killed as soon as possible in your project. OK.
What the Dev will see… Have in mind that, for example, you have a new feature, a new use case, whatever, you want to integrate into your product or your project. It means that you have some ideas and you will start with a fresh, tiny project, a side project, just to clear dependencies and start _. This can take a few hours, a few days, maybe longer. If you have done all this and the proof of concept is perfect, and you decide this feature is really worth having in the product, it would be suboptimal if at this point you start analyzing dependencies and find out that the dependencies, the implementations you're using, are not fitting the project in terms of security or compliance. Meaning, well, this means that even if you're starting a tiny new project, adding the first dependency, you should have an overview of whether there's a _ green for you, or at least that you know, for example, that you're using a dependency that you have to change, and of course you have to discuss the license. So this is a good thing if you have all this, and the JFrog Xray plugin will give you exactly the possibility to have this information right now, from the first line of code, and to check security and license issues.

So what I want to show you now is how to use the Xray IDE plugin for _ and what you can see there. OK, this makes this integration inside the IDE, and I'm using _, but we have plugins for different other IDEs, for example _, so VS Code. So have a look at one page and see what version and plugin is available for your IDE, and for this one I have to install this plugin. That means I'm going to this plugin marketplace and I'm searching for JFrog and I will find the JFrog plugin. In my case it's already downloaded and installed, because I'm using it already. So after you install this plugin, you have the configuration page, in _, it's the JFrog Xray configuration; you can add your _, your username and password, and check if you have a connection to your instance. In my case it's Xray version 3.2.6, and that's it. Now the functionality is available inside your IDE.

For this demo I'm using a _, a very easy and small _ project that took _ _. You start adding a dependency, and after this, depending on your IDE or your configuration, you have to trigger a reload of the definition; some people have it activated by default with auto-reload, and I just do it manually. So now _ the IDE knows I have this dependency called Collections with version 3.2, and then I can go to my plugin. Here I have the license info selected, so I see _ collection, this version is running on the _. I can have a look at the security issues as well, so if this is not available you can just say… sometimes reload, sometimes it's already loaded, sometimes you're doing it manually. Then you can see here that Collections has, right now, three security issues, and the great thing is you can see here as well if there's a fixed version available for every security issue you have. After this you can decide if you want to have this fix with an upgrade or downgrade of the version number, or if you're fixing transitive dependencies.

For example, I have something with transitive dependencies; let's see how fast it is today, my _, so I'm selecting just now the dependency from a little bit bigger project. I have my memory load, and this performs depending on the internet connection you have, and mine is not the best, so it will take a few seconds to get this information. The IDE was able to look at all dependencies, you have some new dependencies _, it's good to have them, and then sometimes you have to say, "OK, please ask JFrog now" about the dependency tree you have in your project. It will connect to Xray, and again it depends a little bit on the internet connection you have. Then you will see here the _, the dependency, here it's _, and if you're clicking inside you can now navigate through the transitive dependencies, green, red or orange for the different levels. And if you check _, for example, _ charts with this version is consuming or has a transitive dependency to _ in the _ databind of this version, and the transitive dependencies of _ databind are green, so _. But _ databind itself has some issues; here you have the information what is inside. And the good thing is, again, you see if there is a fixed version already. If, for example, for this one we don't have a fixed version _, no, so now it's up to you to decide if you want to override transitive dependencies, if you want to exclude charts because you are not using it, or if you're going to a different _ version. So really, this is project dependent. But the whole thing is, you have the possibility to navigate the whole dependency tree. That's it. So if you are just adding a dependency to your project, the good thing is that you're informed immediately if you have some compliance or some security issues. So, that's it for your IDE integration.
OK, after we saw now what possibilities _ IDE and how this will look for a developer, the next thing I want to talk a little bit about is the architecture, how to integrate all this stuff. For example, if you have Artifactory as the first barrier to the internet, and everything will be stored and loaded over Artifactory, for example _ dependencies, you have the possibility that Xray is just scanning all this content and will give you the possibility to break _ and all that stuff. Everything you can do here is accessible via the _ API as well as the WebUI. That means everything together is the unified platform with all parts of the JFrog product, and you can go _ to all facilities as well as via the WebUI. So it means you have the repository, you will start adding rules to make sure all your compliance and security issues and behaviors and all that stuff are declared, you will create policies, and if you have policies you can connect them to the resources that should be checked. It could be a _ dependency, a repository, it could be a _ repository, whatever; we are supporting a huge amount of different repositories.

Next, I want to show you how you can declare, for example, a rule and a policy and connect this to a resource, so that we have a review of how fast it could be done and what kind of information you get out of the dependency tree. Yes, this one, and have in mind: everything I'm showing next is available via the WebUI as well as the REST API.
OK, let's have a look at the JFrog platform Xray installation. This is _ on my _ instance, but you can have the same as this one, only on _. If you want to try out what I'm showing here right now, I will give you the link for the trial a little bit later, so you can ramp up a trial; it will take approximately 10 minutes or so, and then you have a whole platform installation in the cloud, and then you can try all of this by yourself.

So, if you have your platform, log in and go to the menu point Security & Compliance. Here we have two different menu entries. You have to start with policies, because policies are used inside watches. A policy is a stateless definition of what should happen if you find something, depending on your definitions. I will create now a new policy, after we find a logical name for this, so… policy-demo. If you have to deal with a lot of policies, just think about a naming scheme, so that this scales over time. First of all, you have to decide if this is something from the area of security or license/compliance issues. I'll select security. You can add a description, but have in mind that this description must be in sync with all changes that you are doing all the time, so I personally just leave it blank here right now.

A policy is a composition of rules, and rules are _ great thing; it's exactly the same as a few seconds before, you need to add a logical name. Then you can choose: you can use some predefined levels, or you can define the CVSS score by yourself. I just say, equip everything, and now you know how sensitive this rule should be. And the next thing is, you have to define what is the action that should be triggered, or the thing that should happen. So, generate _ violations… it's only for this… Generate violation is just the entry in the _ or WebUI; we'll show you in a few minutes. But you can trigger webhooks to integrate with third-party programs or infrastructure components; you can notify the platform users themselves or external ones as well, via email if you want; you can block downloads. So Xray is always connected to an Artifactory, and if you want to make sure that infected or affected components are not even inside your repositories, you can just say here "block downloads". If something is unscanned, you can block _; the same for release bundles. And the best kind of thing is failing a build. Yes, I know, this can be used from pipelines and _ and _, whatever CI gives you. I'm just generating the violation. Now I have this rule inside my policy that I just created.

The next step is creating a watch. Creating a watch means that you're connecting the policies, or your policy created before, with the resources you want to have a look at. So I will say, new watch. Same here, a logical name: watch-demo. And now you have to decide what are the resources you want to look at. I'm just selecting a few repositories I have here; for example, I have my Docker… you can filter here; for example, I have my wind-tray, my Docker remote, and that's it. So these two repositories are now scanned. That means this watch is connected to these repositories, and now I have to say what should happen, just selecting the policies I want to have combined here. The policy is now associated with this watch, and I can create everything.

After this is done, you have this overview in this menu _, and you can see what are the connected resources, and you can calculate the amount of violations. Here you would have 0, because I just created this watch and there was no trigger to recalculate everything, because there was no change: not inside the repository, no build was triggered, nothing. But you can trigger it manually; for example, just have a look at the last 90 days or whatever you want to define, and then it will start calculating this one. It will take a few seconds, but I've prepared here something a little bit earlier, this one. Let's go back. So if I'm going here to calculate, you will see here you have these 400 and something violations. You can have a detailed list, you can filter this list if you want, and then you can just grab one of these items you want to have a look at, and you see this small text slip that will give you short information. You see what level, the classification of this security issue, and what is the resource we found it in, what is the component; here it's a _ Docker image, and it's used in my created Docker image, but it's based on this _ containing this component _. You can click in here and you will see the impact graph, so it's inside the _ iptables binary, in this Docker layer, inside my image. So some additional information is here, and the good thing is all of this is available via _ as well. It means if you want to have this information for your reporting system, or whatever you want to do with this, however you want to trigger some _, all the infrastructure parts you can do with this; by _ you can consume this information, or you can just trigger a webhook. So this is the WebUI and the core functionality of Xray.
OK, we saw now how to use Artifactory and Xray in combination via the WebUI. Now I want to talk a little bit more about the power of integrating, because this is a really big topic. Firstly, I assume that you will have some kind of existing infrastructure, and how to integrate this one inside your existing infrastructure, if you have, for example, to deal with third-party products for compliance, for auditing and all this stuff. As I mentioned before, every piece of information is available via the REST API, and you can trigger webhooks. So it means not only the possibility of breaking a _ inside your CI pipeline, but you can notify via email, or you can start with a _ in the process, and you can have third-party products grabbing all this data, all of Xray, all of Artifactory, to consume it. It could be for reporting, for compliance reporting; you can start dynamic workflows based on webhooks. All this stuff is done, so you can really integrate all this stuff. The good thing is, all products are available as software as a service as well as on _, and the good thing is you can combine it, so you don't have to decide first if you want to have software as a service or _; you can even mix it up. So if you have some special requirements, you can just decide for every single component if it is a software-as-a-service solution, if it is hosted in some way in the cloud, if it's Amazon, Google, Microsoft, whatever, or if you need some parts definitely inside your own network.

The best thing is if you just try it by yourself. Trying it by yourself means you're going to JFrog.com/platform/free-trial; this is the URL I'm showing you here right now, and then you can ramp up the whole system for you, a demo environment. It will take, I don't know, 10-15 minutes to ramp it up, and then you can try all this stuff by yourself. For example, you just create a tiny project after you created a trial, and then you're connecting to this _ repository, grabbing one dependency and checking what information is available about it. So, that's it. I have prepared a tiny project so that you can just start a trial; after this you can just clone this project, change the URL to the main repository _, and then you can ramp everything up in under half an hour if you want. So I really recommend it, because then you'll see the full power of this stuff.

Thank you very much for this. If you want to reach me, the best way is Twitter; my Twitter is @SvenRuppert. Thank you so much for attending and, well, see you.
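The dependency-tree walk the IDE section of the talk describes (a green/orange/red colour per node, the worst finding propagated up from transitive dependencies, a fixed version per issue where one exists, and, from the compliance section, a license check on every transitive dependency rather than only on the declared one), as an added Python example. This is not code from the talk and not JFrog's plugin code; it queries nothing. The component names, versions, licenses and issue identifiers are constructed for the example and are not real scan data or real CVE identifiers.

```python
# Added example, not code from the talk or from JFrog. Models what the IDE
# plugin shows: a dependency tree where each node is coloured by the worst
# finding at or below it, each security issue carries an optional fixed
# version, and every transitive dependency is checked against a license
# allowlist. All components, versions, licenses and issue ids are constructed
# for illustration; ISSUE-A etc. are placeholders, not real CVE ids.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Issue:
    issue_id: str              # constructed placeholder, not a real CVE id
    severity: str              # key of SEVERITY_RANK
    fixed_in: Optional[str]    # None: no fixed version known yet


@dataclass
class Component:
    name: str
    version: str
    license: str
    issues: List[Issue] = field(default_factory=list)
    deps: List["Component"] = field(default_factory=list)

    @property
    def coordinate(self) -> str:
        return f"{self.name}:{self.version}"


def worst_severity(c: Component) -> str:
    """Worst severity of the component itself or of anything below it in the tree."""
    own = max((i.severity for i in c.issues), key=SEVERITY_RANK.get, default="none")
    below = max((worst_severity(d) for d in c.deps), key=SEVERITY_RANK.get, default="none")
    return max(own, below, key=SEVERITY_RANK.get)


def traffic_light(severity: str) -> str:
    """Green / orange / red, the way the plugin colours tree nodes."""
    return {"none": "green", "low": "green", "medium": "orange"}.get(severity, "red")


def analyze(root: Component, allowed_licenses: Set[str], min_severity: str = "medium") -> List[Dict]:
    """Walk every transitive dependency; return license and security findings with the path from the root."""
    findings: List[Dict] = []

    def walk(c: Component, path: List[str]) -> None:
        path = path + [c.coordinate]
        if c.license not in allowed_licenses:   # checked on every node, not only direct deps
            findings.append({"kind": "license", "component": c.coordinate,
                             "detail": c.license, "fix": None, "path": path})
        for issue in c.issues:
            if SEVERITY_RANK[issue.severity] >= SEVERITY_RANK[min_severity]:
                findings.append({"kind": "security", "component": c.coordinate,
                                 "detail": f"{issue.issue_id} ({issue.severity})",
                                 "fix": issue.fixed_in, "path": path})
        for d in c.deps:
            walk(d, path)

    walk(root, [])
    return findings


def fix_summary(findings: List[Dict]) -> Dict[str, Dict]:
    """Per component: the fixed versions offered and whether every issue has one.
    all_fixable False means a version bump is not enough; you must override, exclude or replace."""
    out: Dict[str, Dict] = {}
    for f in findings:
        if f["kind"] != "security":
            continue
        entry = out.setdefault(f["component"], {"fixed_in": set(), "all_fixable": True})
        if f["fix"]:
            entry["fixed_in"].add(f["fix"])
        else:
            entry["all_fixable"] = False
    return out


def sample_tree() -> Component:
    """Constructed tree: app -> charts -> (databind, log-helper); app -> collections."""
    databind = Component("databind", "2.9.8", "Apache-2.0", issues=[
        Issue("ISSUE-A", "high", "2.9.10"),
        Issue("ISSUE-B", "critical", None),          # no fix available: override/exclude decision
    ])
    log_helper = Component("log-helper", "1.0", "GPL-3.0-only")   # transitive license poison
    charts = Component("charts", "2.1", "Apache-2.0", deps=[databind, log_helper])
    collections = Component("collections", "3.2", "Apache-2.0", issues=[
        Issue("ISSUE-C", "high", "3.2.2"),
        Issue("ISSUE-D", "low", "3.2.1"),            # below the reporting threshold
    ])
    return Component("app", "1.0", "Apache-2.0", deps=[charts, collections])


def render(c: Component, indent: int = 0) -> List[str]:
    """Text rendering of the tree with the propagated colour per node."""
    lines = [f"{'  ' * indent}{c.coordinate} [{traffic_light(worst_severity(c))}] {c.license}"]
    for d in c.deps:
        lines.extend(render(d, indent + 1))
    return lines


if __name__ == "__main__":
    tree = sample_tree()
    print("\n".join(render(tree)))
    for f in analyze(tree, {"Apache-2.0", "MIT", "BSD-3-Clause"}):
        print(f"{f['kind']:8} {' -> '.join(f['path'])}: {f['detail']} fix={f['fix']}")
    print(fix_summary(analyze(tree, {"Apache-2.0"})))
```

The point of `fix_summary` is the decision the talk leaves to the developer: a component whose issues all have a fixed version is a version bump, while one with `all_fixable` false (here `databind`) has to be overridden, excluded or replaced, and the `path` on each finding tells you which direct dependency pulled it in.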
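The policy / rule / watch model the platform demo walks through, as an added Python example that is not part of the talk and not Xray's own code: a policy is a stateless composition of rules (each with a CVSS range and the actions to trigger), a watch binds policies to repositories, and only findings inside a watched repository become violations. The repository keys, artifact names, component names and scores are constructed for the example; "iptables" and "databind" are labels here, not scan results, and the webhook field is a hypothetical name that is never called.

```python
# Added example, not code from the talk or from JFrog. A small model of the
# policy -> watch -> violation flow shown in the platform demo. Policies are
# stateless (they only say what happens when a finding matches); a watch is
# what ties them to repositories. All repository keys, artifacts, components
# and CVSS scores below are constructed; ISSUE-n are placeholders, not CVE ids.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    min_cvss: float = 0.0          # inclusive lower bound of the CVSS range
    max_cvss: float = 10.0         # inclusive upper bound
    fail_build: bool = False
    block_download: bool = False
    notify_email: bool = False
    webhook: Optional[str] = None  # hypothetical endpoint name; never called here


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]
    policy_type: str = "security"   # the demo picks security rather than license


@dataclass(frozen=True)
class Watch:
    name: str
    repositories: frozenset          # repository keys this watch covers
    policies: Tuple[Policy, ...]


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerable component inside an artifact in a repository."""
    repo: str
    artifact: str
    component: str
    issue_id: str   # constructed placeholder, not a real CVE id
    cvss: float


@dataclass(frozen=True)
class Violation:
    watch: str
    policy: str
    rule: str
    finding: Finding
    actions: Tuple[str, ...]


def actions_for(rule: Rule) -> Tuple[str, ...]:
    """'Generate violation' always happens; the rest are the optional actions from the demo."""
    acts = ["generate_violation"]
    if rule.fail_build:
        acts.append("fail_build")
    if rule.block_download:
        acts.append("block_download")
    if rule.notify_email:
        acts.append("notify_email")
    if rule.webhook:
        acts.append(f"webhook:{rule.webhook}")
    return tuple(acts)


def evaluate(watches: List[Watch], findings: List[Finding]) -> List[Violation]:
    """Apply every watch's policies to the findings inside that watch's repositories."""
    out: List[Violation] = []
    for w in watches:
        for f in findings:
            if f.repo not in w.repositories:
                continue   # finding exists, but no watch covers its repository: no violation
            for p in w.policies:
                for r in p.rules:
                    if r.min_cvss <= f.cvss <= r.max_cvss:
                        out.append(Violation(w.name, p.name, r.name, f, actions_for(r)))
    return out


def build_should_fail(violations: List[Violation], artifact: str) -> bool:
    """What a CI step would ask before promoting an artifact."""
    return any("fail_build" in v.actions and v.finding.artifact == artifact for v in violations)


def blocked_artifacts(violations: List[Violation]) -> Set[str]:
    """repo/artifact pairs Artifactory would refuse to serve under a block_download rule."""
    return {f"{v.finding.repo}/{v.finding.artifact}" for v in violations if "block_download" in v.actions}


def demo_watches() -> List[Watch]:
    policy = Policy("policy-demo", rules=(
        Rule("high-and-critical", min_cvss=7.0, fail_build=True, block_download=True),
        Rule("medium", min_cvss=4.0, max_cvss=6.9, notify_email=True),
    ))
    return [Watch("watch-demo", frozenset({"docker-local", "docker-remote"}), (policy,))]


def demo_findings() -> List[Finding]:
    return [
        Finding("docker-local", "app:1.0", "iptables", "ISSUE-1", 9.8),    # watched, high: fail + block
        Finding("docker-remote", "base:latest", "libfoo", "ISSUE-2", 5.3),  # watched, medium: notify
        Finding("maven-local", "lib-1.0.jar", "databind", "ISSUE-3", 9.8),  # repo not watched: nothing
        Finding("docker-local", "app:1.0", "zlib", "ISSUE-4", 2.0),         # below every rule
    ]


if __name__ == "__main__":
    vs = evaluate(demo_watches(), demo_findings())
    for v in vs:
        print(v.watch, v.policy, v.rule, v.finding.repo, v.finding.artifact, v.finding.issue_id, v.actions)
    print("fail build app:1.0:", build_should_fail(vs, "app:1.0"))
    print("blocked:", blocked_artifacts(vs))
```

The third finding is the one to look at: a critical score in `maven-local` produces nothing because no watch covers that repository, which is exactly why the talk says to start with policies and then be deliberate about which resources a watch is attached to.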