DevSecOps – Up and Running with JFrog Xray [swampUP 2020]

Sven Ruppert, Developer Advocate, JFrog

July 7, 2020

2 min read

Sven works as a Developer Advocate for JFrog and has been coding Java in industrial projects since 1996. He worked for over 15 years as a consultant worldwide in industries such as Automotive, Space, Insurance, Banking, the UN and the World Bank. He speaks regularly at conferences and meetups worldwide and contributes to IT periodicals as well as tech portals. In addition to his main topic, DevSecOps, he works on mutation testing of web apps and distributed unit testing, besides his evergreen topics Core Java and Kotlin.


JFrog Xray | Get DevSecOps in the Cloud: https://jfrog.com/blog/jfrog-gives-yo… From DevOps to DevSecOps: where are the differences, and what do you need? How can you start, and how can JFrog Xray help you with that? We address and examine all of these questions in this talk. The term DevSecOps is on everyone’s lips, but it is mostly used as a synonym for DevOps. We will see that this is not the case, and where and how the differences show. The talk also covers why and how DevSecOps directly benefits the business, as well as the practical use of Xray for the most effective #ShiftLeft of security in software development.

Speakers

Sven Ruppert

    Developer Advocate

    Video Transcript

    Hello and welcome to my talk, DevSecOps: Up and Running with JFrog Xray. My name is Sven Ruppert and I’m a developer advocate at JFrog. What we want to do today is, first, to see the difference between DevOps and DevSecOps, just to have an idea where the pain points are and what you should avoid. After this, I will have a few minutes about why DevSecOps will minimize the risk in projects and for your business, and after this we will have a view like a developer, what a developer will see in daily life. After this we will have a few points about architecture and what you can do here, and the last one will be how to get _ all this into existing infrastructure.
    Difference between DevOps and DevSecOps. If you’re looking at the internet, especially at Wikipedia, you will see that DevOps is a well-defined thing. It’s more or less… it has a lot of books written about it, and sometimes you have different opinions about what is part of it. But in the end, there are some key points that are part of pure DevOps. It means we are looking at the process from coding, over building and testing a software, up to packaging, releasing and then later running, so it’s the configuration and monitoring of the productive systems. So, if you’re looking at this one, you see that it’s purely focused on the development itself, so it’s more or less a generic thing. So there’s no special part for performance, there’s no special part about quality, and there is no dedicated part for security.

    So what does it mean? If you’re looking a little bit at the history of DevSecOps, or where DevSecOps or DevOps is coming from, you’ll see that mostly in companies who have a situation that _ and the Ops part. The Dev part was mainly focusing on the coding part, building and testing, and after all this is done you have something like a repository, maybe Artifactory, and there was this packaged thing that the Ops team could grab, configure, test, deploy, whatever they want to do with it. So this is not good, because you have two dedicated teams, so there’s a big border between them, so it makes sense to make this more or less transparent, so that you have not the Dev or the Ops part, and it means that everybody should be aware of all these things.

    If you’re looking at this one, the first question is: what is the right place for security itself? Do we have to add one dedicated point to this pipeline for security testing? Maybe you are asking if security is just a product you can buy. Or will security mean that I’m slowing production because I have to do more things now, or more items in my pipelines? So, all this, if you’re just looking at security itself and define security as one place in your pipeline, then it’s not really an optimal point of process in business. So, to give an answer to a few of these questions: so security is tested after, for example, performance, or after… whatever. Now, security is not one dedicated step in your pipeline that you should focus on. Security is something that should be everywhere. It makes no sense just to hire someone who has a security background and he’s ignoring the rest of the team, or the team is ignoring him, or whatever. It’s not just hiring one guy that is now responsible for security and that’s it. So security is more… it’s something for the team itself, and if you’re thinking about what a developer should feel, it’s definitely wrong if he has a feeling that security is just bringing tight borders around him. It’s not losing security; security is something that will be integrated, and actually security is something that maybe will give you more freedom than you had before, because you can make decisions faster and easier, because you will know what is coming.

    So, DevSecOps is more like a culture. It’s something… you will see keywords like “Security First”, for example, or “Zero Trust Environments” or whatever. So security is more _ DevSecOps is something like a philosophy, something like performance, something like quality. Quality is nothing that is just bought in one tiny step; quality is something that is everywhere in your pipeline. It means from the first beginning of your production to have quality in your mind, with every single step you do. So, same with security. If you’re going to security right now, from the first line of code, security should be one part you have an eye on. That means security must be introduced as early as possible. So, not only after everything is coded and use cases are done; it makes sense to introduce security right now, from the first line of code. I will show you how this could look for you. So it means security is part of the whole life spectrum; it’s not a dedicated step, it’s going from the first line of code, as I mentioned before, up to monitoring, deploying productive systems. So every tiny step will have some security things, attributes, stuff you could do, and even thinking about testing: just thinking about testing functionality is one thing, but if you have security in mind even during the TDD phase, it could have something like risky _ testing and all this stuff. So, security should be everywhere.
    Why will DevSecOps minimize your risk, or the risk for your business? This is a good question, so why should you do it? Have in mind that a lot of stuff is based on open source; in the Java world you’re speaking about 60% up to whatever percentage. So, a lot of stuff in your product or project will be a dependency, will be coded by someone else, will be maintained by other people. This makes sense, because you don’t want to reinvent the wheel. You don’t want to code all this stuff by yourself, because then you need all the knowledge in your house, and that just _ a good idea. And the other thing is, you should focus just on the use cases to bring the best quality to your customers. But at the same time you must trust, you must trust other people’s implementations. And how to do this one? So you have security of things and you have compliance. So _ must be available, the information about it. So open source is good because you can analyze it easily, fast; everything is accessible. With closed source it’s mostly a little bit more tricky, because you have to do all this stuff indirectly. So, security issues are quite often found early in open source. Well, I have no numbers about this, but it’s easier to detect them, for sure.

    Another thing, as I mentioned, is compliance. Open source means you have a big bunch of different licenses. Different licenses means that some of these licenses are good for your business, and some licenses are just poison. So, sometimes it’s a really bad idea if you just trust the license that this project is giving you or declaring; maybe some _ dependencies are just not the same license as the license that really fits the business. So, you have to check all the transitive dependencies as well, if they’re using the right license and if they’re declared right. So… make sure that you have a full overview of the _ or stuff that is part of your project or business.

    DevSecOps, or DevOps in general, means that you have to speed up your production in terms of automating it as much as possible. If you have _ pipeline, it’s the way to go to make as much as possible in the CI pipeline, because this is doing stuff again and again with the same quality, and you can just increase speed by automating things. The next thing is, it’s good for security and for quality if you’re removing old, boring parts from your production, because with this people are more focused on the tasks that are really important, and this means you can increase quality and security. So… not only bugs but non-compliance and security issues should be killed as soon as possible in your project.
    OK. What the Dev will see… What the Dev will see: have in mind that, for example, you have a new feature, a new use case, whatever, that you want to integrate in your product or in your project. It means that you have some ideas and you will start with a fresh tiny project, a side project, just to clear dependencies and start _. This can take a few hours, a few days, maybe longer. If you have done all this and the proof of concept is perfect, and you decide this feature is really worth having in a product, it would be suboptimal if at this point you start analyzing dependencies and you find out that the dependencies, the implementations you’re using, are not fitting the project in terms of security or compliance. Meaning, well, this means that even if you’re starting a tiny new project, adding the first dependency, you should have an overview if there’s a _ green for you, or at least that you know what is the, for example, you know that you’re using a dependency that you have to change, and of course you have to discuss about the license. So, this is a good thing if you have all this one, and the JFrog Xray plugin will give you exactly the possibility to have this information right now, from the first line of code, and to check security and license issues.

    So, what I want to show you now is how to use the Xray IDE plugin for _ and what you can see there. OK, let’s make this integration inside the IDE. I’m using _, but we have plugins for different other IDEs, for example _, so _ code. So, have a look at one page and see what version and plugin is available for your IDE. For this one, I have to install this plugin. That means I’m going to this plugin marketplace and I’m searching “JFrog” and I will find the JFrog plugin. In my case it’s already downloaded and installed, because I’m using it already. So, after you install this plugin, you have the configuration page in _; it’s on the opposite to the JFrog Xray configuration. You can add your _, your username and password, and check if you have a connection to your instance. In my case, it’s Xray version 3.2.6, and that’s it. Now it’s available; the functionality is available inside your IDE.

    For this demo I’m using a _, a very easy and small _ project that took _ _. You start adding a dependency. After this, depending on your IDE or your configuration, you have to trigger a reload of this, a reload of the definition. Some people have it activated on default and auto-reload, and I just do it manually. So, now, _ the IDE knows I have this dependency called Collections with version 3.2, and then I can go to my plugin. Here I have the license info selected, so I see _ collection, this version is running on the _. I can have a look at the security issues as well, so if this is not available you can just say… sometimes reload, sometimes it’s already loaded, sometimes you’re doing it manually. Then you can see here the Commons Collections; there are, right now, three security issues, and the great thing is you can see here as well if there’s a fixed version available for every security issue you have. After this, you can decide if you want to have this fix with an up- or downgrade of the version number, or if you’re fixing transitive dependencies.

    For example, I have something with transitive dependencies. Let’s see how fast it is today; was my _ so I’m selecting just now the dependency from a little bit bigger project. I have my memory load, and this performs just depending on the internet connection you have, and mine is not the best, so it will take a few seconds to get this information. The IDE was able to look at all dependencies; you have some new dependencies _; it’s good to have them, and then sometimes you have to say, “OK, please ask JFrog now.” While this, any dependency tree you have in your project, it will connect to Xray, and again it depends a little bit on the internet connection you have. Then you will see here the _, the dependency; here it’s _, and if you’re clicking inside, you can now navigate through the transitive dependencies: green, red or orange for the different levels. And if you check _, for example, _ charts with this version is consuming or has a transitive dependency to _ in the _ databind of this version, and the transitive dependencies from _ databind are green, so it’s a V-shape. But the _ databind itself has some issues. Here you have the information, what is inside. And the good thing is, again, you see if there is some fixed version already; if, for example, for this one we don’t have a fixed version _, no. So, now it’s up to you to decide if you want to overwrite transitive dependencies, if you want to exclude charts because you are not using it, or if you’re going to a different _ version. So really, this is project-dependent. But the whole thing is, you have the possibility to navigate the whole dependency tree. That’s it. So, if you are just adding a dependency to your project, the good thing is that you’re informed immediately if you have some compliance or some security issues. So, that’s it for your IDE integration.
    OK, after we saw now what possibilities _ IDE and how this looks for a developer, the next thing I want to talk a little bit about is the architecture, how to integrate all this stuff. For example, if you have this Artifactory as the first barrier to the internet, and everything will be stored and loaded over Artifactory, for example on _ dependencies, you have the possibility that Xray is just scanning all this content and will give you the possibility to break _ and all that stuff. Everything you can do here is accessible via _ API as well as the WebUI, _ API and WebUI. That means everything together is the unified platform with all parts of the JFrog product, and you can go _ to all facilities as well as via the WebUI.

    So, it means you have the repository, you will start adding rules to make sure all your compliance and security issues and behaviours and all that stuff is declared. You will create policies, and if you have policies you can connect this one to the resources that should be checked. It could be a _ dependency, a repository, it could be a _ repository, whatever; we are supporting a huge amount of different repositories. So… next, I want to show you how you can declare, for example, a rule and a policy and connect this with the approach towards a resource, so that we have a review of how fast it could be done and what kind of information comes out of the dependency tree. Yes, this one, and have in mind: everything I’m showing next is available via the WebUI as well as a REST API.
    OK, let’s have a look at the JFrog Platform Xray installation, and this is _ on my _ service instance, but you can have the same as this one, only on _. If you want to try out what I’m showing here right now, I will give you the link for the trial a little bit later, so you can wrap up a trial; it will take approximately 10 minutes or so, and then you have a whole platform installation in the cloud, and then you can try all of this by yourself.

    So, if you have your platform, log in and get to the menu point Security & Compliance. Here we’ll have two different menu entries. You have to start with policies, because policies are used inside watches. A policy is a stateless definition of what should happen if you find something, depending on your definitions. I will create now a new policy, after we find a logical name for this, so… “policy-demo”. If you have to deal with a lot of policies, just think about a naming scheme, so that this is scaling over time. First of all, you have to decide if this is something from the area of security or license or compliance issues. I’ll select security. You can add a description, but have in mind that this description must be in sync with all changes that you are doing all the time, so I personally just leave it blank here right now.

    A policy is a composition of rules, and rules is a _ great thing; it’s exactly the same as a few seconds before: you need to add a logical name, then you can choose what you can… use some predefined levels, or you can define the CVSS score by yourself. I just say, equip everything, and now you know how sensitive this rule should be. And the next thing is, you have to define what is the action that should be triggered, or the thing that should happen. So, generate _ violations… it’s only for this… Generate violation is just the thing, or it’s just the entry, and the WebUI we’ll show you in a few minutes. But you can trigger webhooks to integrate with third-party programs or infrastructure components; you can notify the platform user itself, or external ones as well, via email if you want; you can block downloads. So Xray is always connected to an Artifactory, and if you want to make sure that infected or affected components are not even inside your repositories, you can just say here: block downloads. If something is unscanned, if you block _; the same for release bundles; and the best kind of thing is failing a build. Yes, I know this can be used from pipelines and _ and _, whatever CI gives you. I’m just generating the violation. Now I have this rule inside my policy that I just created now.

    The next step is creating a watch. Creating a watch means that you’re connecting the policies, or your policy created before, with the resources you want to have a look at. So I will say, new watch. So same here, a logical name: “watch-demo”, and now you have to decide what are the resources you want to look at. I’m just selecting a few repositories I have here; for example, I have my Docker… you can filter here, for example, I have my wind-tray, my Docker remote, and that’s it, so these two repositories are now scanned. That means this watch is connected to this repository, and now I have to say what should happen, and I’m just selecting the policies I want to have combined here. The policy name is now associated with this watch, and I can create everything.

    After this is done, you have this overview in this menu being _, and you can see what are the connected resources, and you can calculate an amount of violations. Here you would have 0, because I just created this watch and there was no new trigger to recalculate everything, because there was no change; not inside the repository, no build was triggered, nothing. But you can trigger it manually; for example, just have a look at the last 90 days or whatever you want to define, and then it will start calculating this one. It will take a few seconds, but I’ve prepared here something a little bit earlier, this one, let’s go back. So if I’m going here to calculate, you will see here you have these 400-and-something violations. You can have a detailed list, you can filter this list if you want, you have this one, and then you can just grab one of these items you want to have a look at, and you see this small text slip that will give you a short information. You see what level, the classification of all of this security issue, and what is the resource we found it in, what is the component; here it’s a _ Docker image, and it’s used in my created Docker image, but it’s based on this _ containing this component, _. You can click in here, you will see the impact graph, so it’s inside the _ AP tables bannery, in this Docker layer inside my image. So, some additional information is here. The good thing is, all of this is available via _ as well. It means if you want to have this information for your reporting system, or whatever you want to do with this, how you want to trigger some _ all the infrastructure parts, you can do with this. By _ you can consume this information, or you can just trigger a webhook. So this is a webhook and a core functionality of Xray.
    OK, we saw now how to use Artifactory and Xray in combination via the WebUI. Now I want to talk a little bit more about the power of integrating, because this is a really big topic. Firstly, I assume that you will have some kind of existing infrastructure, and how to integrate this one inside your existing infrastructure if you have, for example, to deal with third-party products for compliance, for auditing and all this stuff. As I mentioned before, every piece of information is available via REST API, and you can trigger hooks, webhooks. So it means not even breaking a _ possibility inside your CI pipeline, but you can notify via email, or you can start with a _ in the process, and you can have third-party products grabbing all this data, all of Xray, all of Artifactory, to consume it. It could be for reporting, for compliance reporting; you can start dynamic workflows based on webhooks. All this stuff is done so you can really integrate all this stuff. The good thing is, all products are available as software as a service as well as on _, and the good thing is, you can combine it. So you don’t have to decide first if you want to have software as a service or _; you can even mix it up. So if you have some special requirements, you can just decide for every single component if it is a software-as-a-service solution, if it is hosted in some way in the cloud, if it’s Amazon, Google, Microsoft, whatever, or you need some parts definitely inside your own network.

    The best thing is if you just try it by yourself. Trying by yourself means you’re going to JFrog.com/platform/free-trial; this is the URL I’m showing you here right now, and then you can ramp up the whole system for you, a demo environment. It will take, I don’t know, 10-15 minutes to wrap it up, and then you can try all this stuff by yourself. For example, you just create a tiny project after you created a trial, and then you’re connecting to this _ repository, grabbing one dependency and checking what information is available about it. So, that’s it. I have prepared a tiny project so that you can just start a trial; after this you can just clone this project, change the URL to the main repository _, and then you can wrap everything up in below half an hour if you want. So, I really recommend it, because then you’ll see the full power of this stuff.

    Thank you very much for this. If you want to reach me, the best way is Twitter. So my Twitter is @SvenRuppert. Thank you so much for attending and, well, see you.
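The talk walks through policies (a composition of rules), rules (a severity or CVSS threshold, or a license check, plus the actions to trigger: generate violation, notify, block download, fail build) and watches (policies connected to repositories), and shows how a violation on a transitive dependency is reported with its impact path and whether a fixed version exists. The following is an added example that models that evaluation in plain Python so the mechanics can be run offline; it is not JFrog's code and not the Xray API. All class names, the action strings, the sample components, licenses and the `VULN-CONSTRUCTED-*` identifiers are constructed for this example.

```python
# Added example: a toy model of the policy -> rule -> watch evaluation described
# in the talk. Names, data model and action strings are assumptions made for
# this example; they are not the JFrog Xray API.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass
class Vulnerability:
    vuln_id: str                  # constructed identifier, not a real CVE
    cvss: float
    fixed_version: Optional[str]  # None when no fixed version is known


@dataclass
class Component:
    name: str
    version: str
    license: str
    vulns: List[Vulnerability] = field(default_factory=list)
    deps: List["Component"] = field(default_factory=list)

    @property
    def gav(self) -> str:
        return f"{self.name}:{self.version}"


@dataclass
class Rule:
    name: str
    kind: str                     # "security" or "license"
    actions: Set[str]             # generate_violation, notify, block_download, fail_build
    min_cvss: float = 0.0         # security rules: lowest CVSS score that matches
    banned_licenses: Set[str] = field(default_factory=set)  # license rules


@dataclass
class Policy:                     # a policy is a composition of rules
    name: str
    rules: List[Rule]


@dataclass
class Watch:                      # a watch connects policies with resources
    name: str
    resources: Dict[str, List[Component]]  # repository name -> root components
    policies: List[Policy]


@dataclass
class Violation:
    rule: str
    resource: str
    impact_path: List[str]        # root -> ... -> affected component
    detail: str
    actions: Set[str]


def walk(component: Component, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Component, List[str]]]:
    """Depth-first walk over the transitive dependency tree, keeping the impact path."""
    here = path + (component.gav,)
    yield component, list(here)
    for dep in component.deps:
        yield from walk(dep, here)


def apply_rule(rule: Rule, resource: str, comp: Component, path: List[str]) -> List[Violation]:
    """Match one rule against one component; every match becomes a violation carrying the rule's actions."""
    found: List[Violation] = []
    if rule.kind == "security":
        for v in comp.vulns:
            if v.cvss >= rule.min_cvss:
                fix = f"fixed in {v.fixed_version}" if v.fixed_version else "no fixed version"
                found.append(Violation(rule.name, resource, path,
                                       f"{v.vuln_id} CVSS {v.cvss} ({fix})", rule.actions))
    elif rule.kind == "license" and comp.license in rule.banned_licenses:
        found.append(Violation(rule.name, resource, path,
                               f"license {comp.license} is banned", rule.actions))
    return found


def evaluate_watch(watch: Watch) -> List[Violation]:
    """Run every rule of every policy of the watch over every resource it covers."""
    violations: List[Violation] = []
    for resource, roots in watch.resources.items():
        for root in roots:
            for comp, path in walk(root):
                for policy in watch.policies:
                    for rule in policy.rules:
                        violations.extend(apply_rule(rule, resource, comp, path))
    return violations


def build_should_fail(violations: List[Violation]) -> bool:
    return any("fail_build" in v.actions for v in violations)


def blocked_components(violations: List[Violation]) -> List[str]:
    return sorted({v.impact_path[-1] for v in violations if "block_download" in v.actions})


def demo_watch() -> Watch:
    """Constructed sample: an app with a vulnerable transitive dependency and a copyleft direct one."""
    databind = Component("example-databind", "2.9.0", "Apache-2.0", vulns=[
        Vulnerability("VULN-CONSTRUCTED-1", 9.8, "2.9.10"),
        Vulnerability("VULN-CONSTRUCTED-2", 5.3, None),
    ])
    charts = Component("example-charts", "1.4", "Apache-2.0", deps=[databind])
    gpl_util = Component("example-gpl-util", "0.3", "GPL-3.0-only")
    app = Component("my-app", "1.0.0", "Proprietary", deps=[charts, gpl_util])
    security_rule = Rule("critical-cves", "security",
                         {"generate_violation", "notify", "fail_build"}, min_cvss=9.0)
    license_rule = Rule("no-copyleft", "license", {"generate_violation", "block_download"},
                        banned_licenses={"GPL-3.0-only", "AGPL-3.0-only"})
    return Watch("watch-demo", {"maven-remote": [app]},
                 [Policy("policy-demo", [security_rule, license_rule])])


if __name__ == "__main__":
    for v in evaluate_watch(demo_watch()):
        print(v.rule, v.resource, " -> ".join(v.impact_path), v.detail, sorted(v.actions))
```

Running it reports two violations: the critical finding two levels down the tree (`my-app -> example-charts -> example-databind`, with the fixed version shown so the reader can decide between overriding the transitive version and excluding `example-charts`) and the banned license on the direct dependency. The medium-severity finding is below the rule's CVSS threshold and produces nothing, which is the point of keeping the threshold in the rule rather than in the watch.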
