DevSecOps – Up and Running with JFrog Xray

Sven Ruppert
DevSecOps

From DevOps to DevSecOps. Where are the differences, what do you need? How can you start, and how can JFrog Xray help you with that? We will address and examine all of these questions in this talk. The term DevSecOps is on everyone’s lips, but it is mostly used as a synonym for DevOps. We will see that this is not the case, where and how the differences are shown. An essential point of view as to why and how it will directly benefit the business is shown, as well as the practical use of Xray when it comes to the most effective #ShiftLeft for security in software development.

VIDEO TRANSCRIPT

Hello and welcome to my talk at DevSecOps “Up and Running with JFrog Xray”. My name is Sven Ruppert and I’m a developer advocate at JFrog. What we want to do today is we want to see, first, the difference between DevOps and DevSecOps, just to have an idea where are the pain points and what you should avoid. After this, I will have a few minutes about why DevSecOps will minimize the risk in projects and for your business and after this, we will have a view like a developer, what a developer will see in daily life, and after this, we will have a few points about the architecture and what you can do here and the last one will be how to integrate all this in-existing infrastructure.

Difference between DevOps and DevSecOps. If you’re looking at the internet, especially from Wikipedia, you will see that DevOps is a well-defined thing. It’s more or less… It has a lot of books written about it and sometimes you have different opinions, what is part of it? But… in the end, there are some key points part of pure DevOps. It means, we are looking at the process from coding, overbuilding and testing a software up to packaging, releasing and then later, running, so it’s a configuration and monitoring of the productive systems. So, if you’re looking at this one, you see that it’s purely focused on the development itself, so it’s more-or-less a generic thing. So there’s no special part for performance, there’s no special part about quality and there is no dedicated part of security.
So what does it mean? If you’re looking a little bit to the history of DevSecOps or where DevSecOps or DevOps is coming from, you’ll see that mostly in companies who have a situation that you have the dev part and the Ops part. The Dev part was mainly focusing on the coding part, building and testing and after all this is done, you have something like a repository, maybe artifactory and there was this packaged thing that the Ops team could grab configure, test, deploy, whatever they want to do with it. So, this is not good because you have two dedicated teams so there’s a big border between them, so it makes sense to make this more-or-less transparent so that you have not the Dev or the Ops part and it means that everybody should be aware of all these things.
If you’re looking at this one the first question is, what is the right place for security itself? Do we have to add one dedicated point to this pipeline for security testing? Maybe you are asking if security is just a product you can buy. Or, will security mean that I’m slowing production because I have to do more things now one more item in my pipelines? So, all this, if if you’re just looking at security itself, and define security as one place in your pipeline then it’s not really optimal for your process and business. So, to give an answer to a few of these questions, so security is tested after, for example performance or after… whatever.
No, security is not one dedicated step in your pipeline that you should focus on Security is something that should be everywhere. It makes no sense just to hire someone who has a security background and he’s ignoring the rest of the team, or the team is ignoring him or whatever you want to have.
So it’s not just hiring one guy that is now responsible for security and that’s it. So security is more… it’s it’s something for the team itself and if you’re thinking about what a developer should feel, it’s definitely wrong if he will have a feeling that security is just bringing tight borders around him. It’s not losing security, security is something that will be integrated and actually, security is something that maybe, will give you more freedom than you had before.
Because, you can make decisions faster and easier because you will know what is coming. So, DevSecOps is more like a culture it’s something you will see keywords like “Security First”, for example, or “Zero Trust Environments” or whatever.
So security is more or DevSecOps is something like a philosophy. Something like performance, something like quality. Quality is nothing that is just bought one tiny step, quality is something that is everywhere in your pipeline. It means from the first beginning of your production to have quality in your mind, with every single step you do. So, same with security. If you’re going to do security right now, from the first line of code, security should be one part you have an eye on. That means, security most be introduced as early as possible.
So, not only after everything is coded and use-cases are done it makes sense to introduce security right now, from the first line of code I will show you how this could look like for you. So it means, security is part of the whole life cycle it’s not a dedicated step, it’s going from the first line of code, as I mentioned before, up to monitoring, deploying productive systems. So every tiny step will have some security, things, attributes, stuff you could do and even thinking about testing so just thinking about testing functionality is one thing, but if you have security in mind even during the TDD phase, it could have something like risky payload testing and all this stuff.
So, security should be everywhere. Why DevSecOps will minimize your risk or the risk for your business? This is a good question, so why you should do it? Having in mind that a lot of stuff is based on open-source in the Java world you’re speaking about 60% up to whatever percentage.
So, a lot of stuff in your product or project will be a dependency will be coded from someone else, will be maintained by other people. This makes sense because you don’t want to re-invent the wheel. You don’t want to code all this stuff by yourself because then you need all the knowledge in your house that’s just maybe not a good idea.
And the best thing or the other thing is, you should focus just on the use-cases to bring the best quality to your customers. But at the same time, you must trust you must trust other people’s implementations. And how to do this one? So you have security of things and you have compliance. So both must be available, the information about it. So open-source is good because you can analyze it easily, fast, everything is accessible.
With closed-source, it’s mostly a little bit more tricky, because you have to do all this stuff indirectly. So, security issues are quite often found early in open-source, well, I have no numbers about this, but it’s easier to detect them, for sure. Another thing, as I mentioned, is compliance open-source means you have a big bunch of different licenses different licenses means that some of these licenses are good for your business, and some licenses are just poison. So, sometimes, it’s a really bad idea if you just trust the license that this project is giving you or declaring maybe some transitive dependencies are just not the same license as license that really fits to your business. So, you have to check all the transitive dependencies as well If they’re using the right license and if they’re declared right. So… make sure that you have the full overview of the _ or stuff that is part of your project or business. DevSecOps or DevOps in general, means that you have to speed up your production in terms of automate as much as possible. If you have a CI pipeline it’s the way to go to make as much as possible in the CI pipeline because this is doing stuff again and again with the same quality and you can just increase speed with automating things The next thing is, it’s good for security and for quality. If you’re removing old, boring parts from your production because with this people are more focused on the tasks that are really important, and this means you can increase quality and security so… not only bugs but incompliance and security issues should be killed as soon as possible in your project. OK. What the Dev will see… What the Dev will see… have in mind that for example, you have a new feature, a new use case, whatever, you want to integrate in your product or your project means that you have some ideas and you will start with a fresh tiny project, a side project just to clear a few dependencies and start coding. This can take a few hours a few days, maybe longer if you have done all this and the proof of concept is perfect, and you decide this feature is really worth to having a product it would be sub-optimal if at this point you will start analyzing dependencies and you find out that that dependencies are, the implementations you’re using are not fitting to a project in terms of security or compliance.
Meaning, that, this means that even if you’re starting a tiny new project adding the first dependency you should have an overview if everything is green for you or at least, that you know, what is the, for example, you know that you’re using a dependency that you have to change because you have to discuss about the license. So, this is a good thing, if you have all this one, and the JFrog Xray plugin will exactly give you the possibility to have this information right now from the first line of code and to check security and license issues. So, what I want to show you now is how to use Xray IDE plugin for InelliJ and what you can see there. OK, next is the integration inside the IDE and I’m using here intelliJ but we have plugins for different, other IDEs, for example Eclipse or VSCode, so So, have a look at one page and see what version and plugin is available for your IDE and for this one, I have to install this plugin that means I’m going to the plugin’s marketplace and I’m searching JFrog and I will find the JFrog plugin. In my case it’s already downloaded and installed because I’m using it already. So, after you install this plugin, you have the configuration page In intelliJ, it’s under other settings – JFrog Xray configuration you can add to your URL the username and password and check if you have a connection to your instance.
In my case, it’s an Xray version 3.2.6 and that’s it. Now, it’s available the functionality is available inside your IDE for this demo I’m using a Maven a very easy and small Maven project the typical workflow is You start adding a dependency after this, it depends on your IDE, you have to set your configuration you have to trigger a re-load of this a re-load of the definition some people have it activated on default and auto-reload I just do it manually So, now, the IDE knows, I have this dependency commons-collections version 3.2 and then I can go to my plugin here I have the license info selected so I see commons-collection, this version is running on theApache license I can have a look at the security issues as well, so if this is not available you can just say sometimes re-load, sometimes it’s already loaded, sometimes you’re doing it manually then you can see here the commons-collections there are, right now, there are three security issues and the great thing is you can see here, as well if there’s a fixed version available for every security issue you have.
after this, you can decide if you want to have this fix with up or downgrade of the version number or if you’re fixing transitive dependencies for example, I have something with transitive dependencies let’s see how fast it is today with my internet connection, so I’m selecting just now the dependency from a little bit bigger project I have my mem reload and this performs just depending on the internet connection you have and… my one is not the best so it will take a few seconds to get this information the IDE was able to load at all dependencies, you have some new dependencies tree here it’s good to have them and then sometimes you have to say, “OK, please ask JFrog now” while this, any dependency tree you have in your project it will connect to the Xray instance, and again it’s depends a little bit on the internet connection you have then you will see here, the componentary, the dependency here it’s vaadin and if you’re clicking inside, you can now navigate through the transitive dependencies green, red or orange for the different levels and if you check here, for example, the vaadin charts with this version it’s consuming or has a transitive dependency to Jackson core the jackson databind in this version and transitive dependency is from jackson databind they are green, so he’s no issue.
but the jackson databind itself has some issues here you have the information, what is inside. and the good thing is, again, you see if there are some fixed version already here, for example, for this one we don’t have a fixed version until now, so, now that’s up to you to decide if you want to overwrite the transitive dependencies if you want to exclude charts because you are not using it, or if you’re going to a different vaadin version itself, so really, this is project depending.
But, the whole thing is, you have the possibility to navigate the whole dependency tree. that’s it. So, if you are just adding a dependency to your project, the good thing is that you’re informed immediately if you have some compliance or some security issues. so, that’s it for your IDE integration. OK, after we saw now what’s possible in the IDE and how this will look like for a developer the next thing is that I want to talk a little bit about is the architecture how to integrate all this stuff. for example, if you have this Artifactory as first barrier to the internet and everything will be stored and loaded over Artifactory, for example, on Maven dependencies you have the possibility that Xray is just scanning all this content and will give you the possiblity to break builds and all that stuff.
Everything you can do here is accessible via REST API as well as the Web UI REST API and Web UI that means, everything together is the unified platform was all part of the JFrog product and you can go via REST to all facilities as well as via the Web UI So, it means you have the repository, you will start adding rules to make sure all your compliance and security issues and behaviors and all that stuff is declared you will create policies and if you have policies you can connect this one to the resources that should be checked it could be a Maven dependency, a repository, it could be a Docker repository whatever, we are supporting a huge amount of different repositories so…
next, I want to show you how you can declare, for example, a rule and a policy and connect this with approach towards resource to that we have no review how fast it could be done and what kind-of information out of the dependency tree yes, this one, and have in mind – everything is available, what I’m showing next by a Web UI as well as a REST API OK, let’s have a look at the JFrog platform Xray installation and this is her on my Software as a service instance, but you can have the same as as this one, only On-Prem If you want to try out what I’m showing here right now I will give you the link for the trials a little bit later so you can ramp-up a trial, it will take approximately 10 minutes or so and then you have a whole platform installation on the cloud or in the cloud and then you can try all of this by yourself.
So, if you have your platform log in and go to the point many point security compliance here we’ll have two different menu entries you have to start with policies because policies are used inside watchers a policy is a stateless definition what should happen if you find something depending on your definitions I will create now a new policy after we find a logical name for this so… policy-demo.
If you have to deal with a lot of policies just think about a naming scheme and so the this is scaling all the time first of all, you have to decide if this is something from the area of security or license or compliance issues I’ll select security You can add a description but have in mind that this description must be in sync with all changes that you are doing all the time so I personally just leave it blank here right now. A policy is a composition of rules and rules is a fine grained thing exactly is the same like a few seconds before, you need to add a logical name then, you can choose what you can dis… use some pre-defined levels or you can define the CVSS core by yourself. I just say, grab everything and now you know how sensitive this should be, this rule.
And the next thing is you have to define what is the action that should should be triggered or the thing that should happen So, generate violation… sorry for this… Generate violation is just a thing or it’s just the entry and the or Web UI, we’ll show you in a few minutes but you can trigger webhooks to integrate with third party programs or the infrastructure components you can notify the platform user itself or external ones as well, via email if you want you can block downloads so Xray is always connected to an Artifactory and if you want to make sure that infected or affected components are not even inside your repositories you can just say here, block download. If something is unscanned, if you to block yes/no the same for release bundles and the most common thing is failing a build.
Yes, I know this can be used from Pipelines and TeamCity and Jenkins whatever CI you are using. I’m just generating the violation now I have this rule inside my policy and I can just create it now the next step is creating a watch. Creating a watch means that you’re connecting the policies or a policy created before with the resources you want to have a look at. so I will say, new watch So same here, a logical name Watch-demo… and Now you have to decide on what are the resources you want to look at. I’m just selecting a few repositories I have here for example, I have my Docker you can filter here, for example, I have my Bintray my Docker remote and that’s it, so these two repositories are now scanned.
That means this watch is connected to this repository and now I have to say what should happen I’m just selecting the policies I want to have combined here, the policy-demo is now associated with this watch and I can create everything after this is done, you have this overview in this menu being watches and you can see what are the connected resources and you can calculate the amount of violations here, you would have 0 because I just created this watch and there was no trigger to recalculate everything because there was no change not inside the repository, no build was triggered, nothing but you can trigger it manually for example, just have a look at the last 90 days or whatever you want to define and then it will start calculating this one it will take a few seconds but I’ve prepared here something a little bit earlier this one let’s go back so if I’m going here to calculate, you will see here you have this 400 and something violations You can have a detailed list you can filter this list if you want you have this one and then you can just grab one of these items you want to have a look at and you see this small text snip that will give you a short information you see what level the classification of all of this security issue and what is the resource.
you found it in. what is the component, here it’s a Debian:buster Docker image and it’s used in my created Docker image. that is based on this component or it’s containing this component, Debian:buster You can click in here you will see the impact graph so it’s inside the Debian:buster IP tables binary, in this Docker layer inside my image. So, some additional information is here the good thing is all of this is available via REST as well, it means if you want to have this information for your reporting system or whatever you want to do with this, or you want to trigger some external other infrastructure parts you can do with this via REST ou can consume this information or you can just trigger a webhook. so this is a web UI and a core functionality of Xray.
OK, we saw now how to use Artifactory and Xray in combination via the Web UI now I want to talk a little bit more about the power of integration because this is a really big topic. Firstly, I assume that you will have some kind of existing infrastructure and how to integrate this one inside your existing infrastructure if you have, for example, to deal with third party products for compliance, for auditing and all this stuff as I mentioned before, every information is available via Rest API and you can trigger Hooks web hooks. So it means not even breaking a build is possible inside your CI pipeline but you can notify via email or you can start with a webhook to an external process and you can have third party products grabbing all this data, out of Xray, out of Artifactory to consume it. It could be for reporting for compliance reportings you can start dymanic workflows based on Web hooks all this stuff is done so you can really integrate all this stuff.
The good thing is, all products are available as Software as a Service as well as On-Prem and the good thing is, you can combine it so you don’t have to decide first if you want to have Software as a Service or On-Prem you can even mix it up so if you have some special requirements you can just decide for every single component, if it is, a Software as Service solution if it is hosted in some way in the cloud if it Amazon (AWS), Google (GCP), Microsoft (Azure), whatever or you need some parts definitely inside your own network.
The best thing is if you just try it by yourself trying by yourself means you’re going to jfrog.com/platform/free-trial this is the URL I’m showing you here right now and then you can ramp up a the whole system for you, demo environment, it will take I don’t know, 10-15 minutes to wrap it up and then you can try all this stuff by yourself.
For example, you just create a tiny project after you created a trial and then you’re connecting to this Maven repository grabbing one dependency and checking what information is available about it. So, that’s it I have prepared a tiny project so that you can just start a trial, after this you can just clone this project change the URL to the Maven repository _ and then you can wrap everything up in below half an hour if you want. So, I really recommend it because then you’ll see the full power of this stuff. Thank you very much for this, If you want to reach me, the best way is Twitter So my Twitter handle is @SvenRuppert Thank you so much for attending and, well, See you.

Try JFrog for Free!