“We NEED to talk about Software Supply Chain!!!” @ DOGCAST The DevOps Webcast by NADOG

Speaker: William Manning, Solutions Engineering Manager - Americas @JFrog

3月 21, 2023

< 1 min read

“We NEED to talk about Software Supply Chain!!!” @ DOGCAST The DevOps Webcast by NADOG

Ensuring that your company has the most reliability doesn’t start with the deployment but with the development of the hosted software. The applications you are running are susceptible to everything from security issues with third-party libraries that make up 85-90% of the software you host and misconfigurations and other threats to its reliability. This will also help you protect your company by helping ensure your company’s integrity and reputation. This session will cover everything from shift left (Secure Software Supply Chain) to shift right and how you can use it to make your software delivery more efficient and reliable in production. Everything from NPM to Kubernetes.

Speakers

Bill Manning

Bill is a Solutions Engineering Manager with JFrog. He is also a mentor with TechStars (Nike Incubator), Matter, and NestGSV. He has successfully exited 3 companies and took one public in Australia. He also currently helping various startups as an advisor. In his spare time, he likes to travel with his wife and two boys. He also plays guitar, lives for the beach and rides skateboards.

Video Transcript


foreign [Music]
welcome to this edition of dog cast the devops webcast by North American devops group otherwise known as nadog I’m Adam
nadelva the host of dog cast and New York City nadog chapter president senior Azure app Innovation specialist at
Microsoft and founder of community advisory and research firm DTR I know that’s a mouthful
if you would like to attend any of our local community events please go to nadog.com join to join and start
receiving invitations Our Guest today is Bill Manning I’m really excited to have Bill on the show
today bill is a Solutions engineering manager at jfrog a friend and a community evangelist really excited to
have him on the show hey Bill how’s it going hey guys how you doing so happy to be here you know thanks for having me uh
you know let’s have some fun today I think I think and I realized you were in New York man I would have said something earlier to you because that’s where I
grew up I was born and raised in New York so oh no way born and raised Queens which part of New York City oh so yeah
so originally from Brooklyn and then raised in Long Island actually right outside of Queens Oceanside Long Island so uh right by Freeport right yeah right
Rockville Center and you know right around that area Baldwin the beach hey there you go exactly Lido Long Beach
whatever Jones you know so awesome so thanks Bill thanks for joining and now I
know you’re from Long Island in Queens and all that Brooklyn that’s awesome yeah so good yeah but thanks for having
me man I really appreciate it so I always like to kick this off today what would you like to talk about let’s
should we uh should we just dive in or you want to ask some questions or how do you want to do this I guess give us a
little bit about you uh your background right um you know how what have you been up to at J frog and uh what’s your involvement
in the community sure absolutely so uh you know so I’ve actually been with a jfrog now for just
uh coming up next week on on six years uh before that uh you know I had a I’ve had a bunch of startups over time had a
couple of Acquisitions uh Venture Capital work uh mentoring other companies and things and then at jfrog
really I felt my you know I I felt a kinship to the development community and so when I joined there not only doing
the stuff that I do as a solution engineer and helping companies actually take the world of CI CD and sdlc and
devops and devsecops and all these various components and try to come up with some sort of solution for them uh
to help ensure their success right you know make sure that they have everything they need from end time you know from
developer to device code to Cloud I do a lot of work with our military um and it’s you know compiled a combat
which always cracks me up as like one of the things that they talk about but the thing is also on the develop on the community side I’ve done a couple of
NADA talks uh with you guys I’ve actually you know I do a lot of work publicly uh so that’s why I’m kind of
here but usually they let me out of my hole uh to talk to people because you know that’s what they do
phenomenal phenomenal so yeah I think from here let’s just jump right in if that’s okay absolutely when I say I want
to share my uh what we’ll make the slides not as painful as possible but we need to talk about
software supply chain you know this this is the way it feels though some way Ark
will be uh with a lot of companies right because it’s a known issue it’s something that everybody needs to talk
about but at the same time it’s like that whole difficult discussion that you need to have uh here’s a you know my
professional headshot just in case any Hollow producers are looking I am available uh for any sort of shows you
might want to do uh anyway uh let’s go talk about it because the thing is is
that we read these terrifying headlines all the time right you know the community the world out there isn’t is
not a safe place anymore in terms of software developers and you know when we see these you know the thing is is that
companies know this is something that they need to talk about but at the same time it’s a tough discussion to have
because you know we got some customers like yes this is one of the highest important things we need to do but we also need to do it in a way that doesn’t
disrupt uh our developers and our velocity and our speed and the thing is is that when you’re trying to do all
this and you’re trying to manage all those kind of things that you might have as a software development you know
company you know and the thing is is that we always said this for years right every company is a software company it’s
just gotten to that I mean we have everybody from you know like you know like SpaceX putting people up in space
to like Chick-fil-A you know and and things like that like we’re you know we have the range of of customers that we
have as an organization is absolutely completely mind-boggling right and like
I said we tried to attribute it so that every company can do what they need to do but the problem is is that all these
statistics that I’m about to show you should terrify you it should actually make you scared right 40 of the zero day
exploits that have happened of all time it’s really started in 2021 and up right
think about that there you know there was always there’s always been some sort of software exploits there’s always been
some sort of things but vulnerabilities cost companies money right I mean simple
third-party transitive dependencies you know one of the things we’re going to talk about today is what J fraud does right a little bit of you’re not
familiar with what we do I’m going to explain in a little bit and I’m actually going to demonstrate some of the things
how we handle it and we make sure that companies can say you know stay you know safe and secure and the thing is is that
most companies when they start looking at this like supply chain attacks you know took 26 days right to identify
think about that right when you start looking at software supply chain the things that make up you know majority of
the things that you do it took you 20 you know company 26 days to possibly identify and exploit that’s that should
scare people right because the thing is is that you know the thing is in the past
it actually the exploit when they would you know distribute these out into the world and things would take about 42
days that’s now down to 12 days and the thing is that we’re going to talk about is why right why is this such a systemic
problem and the thing is is that even when these exploits happen remediation times have increased while the exposure
time has decreased the amount of time it takes for a company to remediate any sort of these things has increased and
when I say remediate it’s not only just identifying the issue but it’s also identifying the problem and also the
blast radius as I like to say right what else has this happen you know where how long has it happened what else has it
affected right because most companies you know over time have decreased things into micro Services into smaller
application bundles right which also means that you have to handle more so the thing is in the past like when I
started you know obviously with the white on my face I’ve been doing this for a long time you know it was very big gigantic monolithic releases you know
every quarter you’d spend a couple of weeks planning you know weeks and weeks developing queuing and blah blah blah
you know now everything’s more you know smaller releases you know you can blame the CTO of Amazon way back in you know
with devops or video ideas you build it you run it you know I always laugh when I heard you know that expression you
build it you run it right yeah well you know what that’s actually caused problems and stuff over time but the
thing is is that 80 percent of the public exploits that are published right are published before the cve even
happens right remember cves which is a clear indicator of a Potential Threat
and vulnerability need to be validated peer-reviewed right I mean there’s a lot of things that go into it so an XY
happens and then you know teams of individuals I mean just so you know jfrog is a CNA we’re a cve number
Authority we have a massive research team we’re part of the of the global Community that’s trying to combat this
but the thing is is that when their next point is found it needs to be validated
and that takes time and on top top of that think about this one 21
000 cves were registered in 2022. how how insane is that think about that
sheer number of potential threats to the software supply chain the 80 to 95 you
know 85 to 90 percent of the things that you use to build your software whenever
I give my Talks by the way one of the things I always like to say is and this comes from you know this there’s a little self-serving nature here I’m not
gonna lie um I know I’m a developer I I started my career as a developer back in way back
in the late 90s right you know so far long ago um you know the thing is is that
developers and coders are artists let’s face it they’re Artisans right their
craft is they’re building code which builds awesome things and the thing is
though is their palette you know the the medium they choose to do this it is you
know consisting of that 85 to 90 percent of someone they have never met right
um think about this your according your faith into this but at the same time you want to ensure you have Safety and
Security around these exploits but at the same time you do not want to squash Innovation you want to make sure that
your the developers are able to do the job that they do code their craft you know be able to create masterpieces with
it but at the same time make sure they’re not using lead paint right um you know you want to make sure and
the thing is is that I always love this quote this is still one of my favorite quotes of all time every time you do a
pip install go get Maven Fest something you’re doing with the equivalent of plugging a thumb drive you found on the
sidewalk into your production server right you really are we have you know as
a developer we use tools I need to parse a line I need to go and you know take a
graphic and smoosh it and extract exif data or you know whatever I’m doing
I just looked at the libraries I need to make my job more efficient right and the
thing is is that I’m doing this on Blind Faith I’m just pulling this stuff in and saying yeah you know what this is
exactly what I need check it off my kpi move on right that’s what we do you know
that’s what developers do and the thing is like so when you think of like a typical developer in this case right
they’re give they’re given a task and they say what’s appropriate for the task maybe it’s npm right maybe they have to
create a node application for a web front end or you know maybe they want to do a combination of web front end back
end so they chose npm uh they go ahead they create a package.json uh around the
third party Transit dependencies they’re going to use right as part of their project then by the way I always joke
when they call mpm the house party right you invite three things into your package.json and 500 show up right
that’s just what happens right I mean it’s the most notorious I mean just give you an idea in our database alone for
our cve database that we use with our jfrog x-ray product we have over 16
000 npm vulnerabilities alone think about that team
1000 vulnerabilities but I do that I do I do an npm install right to bring
everything in that I want to do as a developer and it goes out to my third-party trends of resource in this
case mpmjs it brings it down I’m none the wiser I build my product I’ve
accomplished my kpis with no care in the world on where that stuff came from now
why is that important well from a software supply chain happens and you know like I said I’m continuing with the
Maurice theme here um you know the thing is we have some things we need to keep in mind right
99 of the code base is 75 of those contain at least one major open source
vulnerability right and when I talk about open sources by the way I’m talking about false right you know the whole idea of you know free instant
speech not as in beer open source components right your code only really technically is about 10 of every product
that you do right you depend on everything else to do this on top of that 49 of the code bases have
been analyzed have at least one high risk vulnerability my God right I mean these high risk vulnerabilities could be
potentially catastrophic to organizations by the way and I’m not just talking uh you know I’m talking
about like lost Revenue I’m talking about reputation I mean reputation lost revenue is usually a component of of
lost reputation right do I trust them anymore and on top of that the other
side of this is is that 90 of the applications used you know the the
components inside are old out of date and at the same time you know that’s the
thing is it’s like oh and um you know the thing is is that you know they’re abandoned so in other words like
you know one of the things that we’re combating on the side of of jfrog is we
have this idea called operational risk and when operational risk is is how old
outdated and what’s the health of the third-party Transit source that you’re pulling has it been abandoned
and the thing is is that when we go in and we do this you know we need to look at why supply chain attacks are the way
they are right and the thing is is they’re low effort let’s face it you don’t have to do a lot right to really
disrupt things uh it doesn’t really take a lot of technical skill and because of the way things like say
npm or Maven or go or python oh my God python right uh you know the reason why
is is to get into these communities and actually contribute without any sort of background validation checks or who
these people are uh you know I mean they could just go throw in things that you know it might be a not even a direct
train it’s usually not even a direct Transit dependency by the way right it’s usually an indirect like third or fourth
level transitive dependency you know this comes up with the crowd right this kind of works its way in with the crowd
if I can real quick bill I mean yeah this this is another example of the dependency confusion identity there’s
also all the kind of transitive dependencies that come in when you’re pulling in these open source packages right so how does jfrog think of this
from like the pipeline perspective where does this part of it fit is that on the X-ray side or is that going uh as closer
to the to the repo like as possible where is it where does it fit absolutely so we have this mentality right of shift
left to ship right right this is really what it comes down to and actually I’ll demonstrate some of that stuff too
um you know the idea is is that you know actually just as another step right
um and when we look at third party Transit dependencies it’s more expensive the further down the sdlc right the
software development life cycle you find it so to give an idea it’s a hundred times more expensive to find a
third-party Transit availability in production than it is to address it where it matters most the developer
right your Frontline defense and in our case we have a couple different ways with the jfrog platform one of the ways
that we can do it is is that so jfrog if you’re not people out there are not aware of what we do we are the universal
binary repository management company right it’s a mouthful to say but really what we do is we manage those
third-party Transit dependencies direct and indirect and also the bills you
produce and the way you can actually promote the builds through the third party through your sdlc right so you can
actually design the repositories which is where you store your binaries you can design them to match your sdlc and the
reason why I bring this up is is that you can public you can actually promote so if you follow things like 12 factor
or multi-tier all these you know in modern day like you know development methodologies there’s one thing
consistent it’s the atomic unit right whatever I build in development should be the same thing in production right
variants and deviance of that are actually broken right the thing is because it’s like the idea of like
scientific method right you want to make sure that the the sample you’re using is the same thing throughout the entire
test right if there’s any sort of variance in deviation you’ve actually skewed the results so in our case we
actually go ahead and manage the build so you can promote your bills from Dev to QA to staging and production but our
security offering that goes through that to validate it will actually validate it from the developer side so they can
combat it we can actually pre-evaluate those third-party Transit dependencies before they even get into the developers
tool or hands right so say they request a new npm library they have npm install
blah it goes out and gets those third-party Trends into sources and all its Associated friends right both direct
and indirect it comes into Art Factory we store it and what we do is is we evaluate it with our x-ray product
because our product is very different than most others just so you’re aware like whenever you upload a binary into
artifactory we actually tear it apart and create a unique shot 256 checksum to
represent that and we put that into the actual file store as a Shah and then we actually reference it via metadata our
x-ray product is actually based on metadata as opposed to physical binaries like other solutions that are out there
so here about CI you hear about CD we talk about CS continuous security since
it’s metadata to metadata base we’re constantly actually evaluating the binaries I actually just gave a talk on
tuesday called zero day doesn’t mean zero hope because of the fact that we’re actually actively always evaluating the
third-party Transit dependencies so that when a new zero day comes in and our database is up to date
um like I said we are a CNA so we actually have a massive amount of data that we’re always aware that if a new
zero day happens let’s go look at the most horrible one by the way which was like log4j where the whole world went on
fire um we can stop the consumption of those from those tools or those or those
developers from our product based on that new information immediately because
we actually own the binaries yes there are other Solutions out there and they’re fine solutions for detecting you
know vulnerabilities and others you know sort of you know software supply chain related items the difference with us is
that we actually not only detect it and show you where it is but we own the
winery you own the binary as a company so in other words you own those third-party Transit dependencies you own
those actual binaries you produced meaning that you can take action you could be it’s audible you can go ahead
and look at everything there and actually know not only what is currently affected but what it’s affected overall
right and the thing is you can see that being extremely valuable to like governance
risk and compliance teams that are kind of overseeing the pipeline ensuring that you know there’s compliance from a cve
perspective from a hierarchy perspective like that’s really cool just a quick shout out for that that’s awesome oh and
I’ll I’ll show you I’ll actually I’ll show you an example in a minute but the thing is is like here’s some of the major things that with the supply chain
attacks right and the major part of the supply chain attacks like back doors and malicious code I mean let’s think about
this you know the world everybody knows about the one that really put a fire under everybody’s butt right solarwinds
now solarwinds by the way was a fourth level Transit of dependency that came in
out of nowhere actually I admire the elegance and the Simplicity of the solarwinds hack
um I I don’t know if I mean the main thing about it I loved was is that it didn’t enact itself for 14 days right it
started and every none the wiser and then 14 days later havoc and Chaos ensued or another one like the log4j
thing like I said before you know what’s funny about that one is actually and I I always give this as a pro tip to
customers I said always pay attention to cve info and warnings info and warnings
means that there’s actually a Potential Threat being evaluated currently by someone somewhere and that there’s a
potential cve coming about you know that from for a couple of weeks like almost I think four or five weeks there were info
and warnings going out about log4j and no one paid attention nobody everybody
kind of ignored it and then when it became a critical cve the whole world went crazy right it
became the top news item so the the challenge that I’ve been having well not me but Security leaders
have been having is the noise right so it became ignore it was ignored but how do we kind of shortlist or ensure that
we have that level of visibility to you know oh I’m actually glad you asked because
actually one of the things I think you and I were talking about earlier is so as a company I’m just going to show you an example uh with jfrog here’s here I’m
here’s an example right here okay here’s a Docker image I created okay now this
Docker image I created is a mess I am not gonna lie I like to create Terrible
Things um and the thing here is is here you go here’s an example 265 vulnerabilities
think about that now every single one of these vulnerabilities I need to investigate right I need to go in and
and think so when we actually recognize this as an issue we looked at this and we said you know what
this is kind of unacceptable and by the way in some cases this is on the smaller side right well look at this in our
product we have this idea of contextual analysis so if you look here I’ve got a couple of cves that are like
undetermined but check this out I have a massive amount right here that says not
applicable what we’ve done is is that we’ve actually go through and we do a quick analysis and say hey by the way you know
what in this can in this container you know what you’re actually not using this object mapper in this function so this
cve is not applicable we help you delineate through the noise like you said you know or you know like down here
I have another one yeah this cve is a medium but you know it’s actually applicable and now I would still need to
go in and investigate this right I would still need to go in and look to see where it is well we’ve actually gone
ahead and say oh hey by the way here it is right here why don’t you just go jump in and take a look so for us the thing
is is that all those kind of issues actually cost companies money you know
and and the thing is that when we look at the at the money aspects behind this this is one of those things that when
you see this you go okay great you know I just saved time and effort this is and
what I like to say is and we’re using this as a slogan I like to say is is that you know innovate more remediate
less like you said there’s a lot of noise out there and being able to just strictly go ahead and cut down this lips
you know this list substantially you know I mean the only ones I have to look at in this case is I can go ahead and
like I’m sorting through them right now I see all these look at these these are all the non-applicable items look at
that I mean that is a huge amount of non-applicable cves out of that 265.
right and that if I go here and I Resort again you can see that the ones I really
need to look at are these three here and then I got a smaller list of cves that are undetermined right and in most cases
if they’re undetermined that usually means that you know that I’m not going to have to go in and actually you know
and actually go ahead and and dive into that right and that’s a good thing so
that means that I’ve now remediated it down more okay but there’s more by the
way because the thing is is that this is this is the number that everybody should be a little scared at right which is
there was an increase 650 percent increase in supply chain attacks in 2021.
think about that you know and covet had a lot to do with that by the way there are a lot of board there’s a lot of
bored people you know hey what am I going to do right and there’s also things like bounties and and whatever
that were out there you know how do I disrupt as many companies as possible and if you think it decreased after that
it actually went up and actually I just want to double click on that so another tactical example and I won’t obviously
mention the customer’s name one of my customers in a previous life large media and Telecommunications Company uh they
had imported a vulnerable component shift you know from probably a open source repo didn’t do any sort of
security testing using jfrog because it was running in Amazon at the time it went all the way down into production
and it ended up having um a crypto Miner in there right and the
crypto owner was just pulling resources they had to shut down production and from there the customer was looking
around like well crap how do I I’m sorry how do I identify uh you know remediation for this before years
now you’ve lost Revenue you’ve impacted customer experiences and so this is
exactly what you’re talking about and now by the way it’s happening more right it’s accelerating the proliferation of
Open Source in the Enterprise well and and it’s funny you mentioned that too because you know what you know
say they did introduce that right they introduced it let’s go take a look at something for a second right let’s go look at some packages here and you know
like I said we manage those third-party Transit dependencies so the thing is is that first of all the more awareness you
have the better right so if you take a look here here’s an example I’m just grabbing a random example this doesn’t have any vulnerabilities I’m just
grabbing a random library right but if you look here you can see that I’ve got a series of builds right you know a
series of versions um and you can see how many times I’ve used it and looks like this has been the
most used right so let’s go in and take a look well you know I can actually show you quickly you know like you know has
this been used by anything right this one hasn’t been used of course I think one that hasn’t been used but the idea is simple you know we can actually go
ahead um let’s go back to packages for a sec I’ll just actually find a different one um but the idea is simple right you know
if I go in here and I look at something I think this one actually might have some uh stuff in it um yeah here we go like this one
um I found the state of this version ABAB you know what uh you know 206
um you know and and say I find out this is a terrible one right you know say it’s the end of the world it’s gonna release all my data out out to everybody
well how long have I been affected by it well with our product I could actually show you well here’s every build that’s
ever used it there you go right I just showed you blast radius and I can go in look at the
build itself here’s the tar gz I created and here’s all you know 1167 Transit of
dependencies right I mean think about that and you know but I’m going to show you a real world scenario really quickly
that I always love to show to customers and whenever I if I ever want to exemplify where we like we as a company
bring the most value right um is like let me show you like uh
here’s an example perfect example ready let’s go ahead and um let’s go look at a
Docker build okay now this Docker bill just happens to be in Jenkins as I mentioned we can also go ahead and you
know you know do things with the sdlc um in this case you can see it was released and and you can see like this
build number 146 and actually you know what let me switch to a different instance because this what this instance
here that I’m going to show you actually exemplifies this a little bit better uh I know I’m switching I’m switching
context but what I want to do is I want to be able to show you is let me go log in here and let me show you an example
and I’m going to ask you a question in this case okay now the question I’m going to ask you is
this I’m going to show you a container so let’s go in and look at the container uh here it is right
um let’s go here and look at bill number 125. now this to you looks like a typical container right
every other registry on the market um you do a DOT you know and if I were to ask you
one for I’m running a node app and I’m running a Java app right very typical web service right you understand this
right I got a back end of the front end I’m going to ask you what version of the note front end and what version of the
Java backend are you am I running how long would it take you to tell me
oh are we still there yeah no it would take us a long time yeah right so let’s
see this though see what we do is we have best practices where I could say oh here you go here’s my note front and
here’s my Java back end right this is a remediation scale and when that happens if if you know say
Bill number 125 is terrible you release it out to the world customers are complaining uh it doesn’t work right and
whatever and they say well build number 94 was 10 times better than the version we had right uh Adam what changed
right well with us I can go show you all right well it looks like the node front
end stayed the same but let’s take the Java back-end changed so you actually have a jump point to start with right
you can dive in and find out this information and from us the best part is like I can go right from here well you
know maybe the front end was different well here’s the front end how many times will we use this well it looks like we’ve actually had this as for 33 of our
past builds and you know what let’s go see how it was built right so it’s like when we we bring to the table for
companies is is the ability for them to quickly go in and search and find the things that matter to the most right
and this really comes down to you know having the amount of information is
really the most important part and with us our our platform is designed for this
end-to-end kind of construction right so artifactory that’s the universal binary
repository manager right third-party Transit dependency management build management our x-ray product for
continuous security which is to the right of that we have a distribution side right to do the CI side so we have
distribution and edges that allows you to be by the way hybrid approach single
Cloud multi-cloud write your own DC whatever works for you we have Edge
nodes which are lightweight immutable versions of our artifactory product for deployments of like things like web
services or getting sdks to your customers or you know are delivering software to devices through our connect
platform you know we have we have like the top 10 auto manufacturers in the world like one of my favorite videos I
see online right now is it cracks me up is like BMW has been doing these ads they’re like get software updates in
your vehicle to get the latest functions in your car once you buy your BMW you’re buying a platform you’re not just buying
a car less powered by us and I got a little bit of pride a little bit of tear in my eye every time I kind of see that
right we’re doing the same thing for like companies like Tesla right you know all those updates for their software is
coming through us and the thing is is that you know understanding that is one part but the other part is you
mentioned it before how do you protect yourself right and and the thing is is that when I look at this you have the
first level which is curation right so curation is really where the development
brings in the actual potential components they’re going to use for their software right and we have things
like the ID like ID plugins we have our jfrog CLI tool and actually what I’m going to do is let me let me uh share
something really quick I’ll just show you right the importance of this so here’s like my here’s my you know here’s
hey you’ll appreciate this here you go here’s my vs code right um and in my vs code uh we actually have
a jfrog plugin and the plug-in allows me to go look at all the components I’m using as a developer I’m not seeing this
thing oh you’re not oh wait I thought I was sharing the uh desktop wait oh let’s try that again I just lost it get it back
let’s see share that share boom we’re back in Action there we go
all right cool maybe the scare functionality didn’t work but here I am as a developer right
here’s my here’s my package.json I can actually show you the cves that I’m as a
developer I can I can address these directly I can actually go ahead and we
actually provide all the information on it we also show you like is this an indirect Transit dependency what level
is it right and on top of that you know like here’s a list of the tremendous amount of cves we also include our own
jfrog research data so this is where the developers can attack it where it matters most right which is at the
actual third-party Transit dependency level as a developer and on top of that
they can also uh you know use other tools that you know are out there too like we actually have our uh can you see
my uh can you see my uh what do you call it my shell no not right now no
oh that’s weird I think like it’s funny is let’s try that again I think it actually does something weird whenever I
if I do that let’s see let’s try that again can you see it now yeah got it there we go so if you look
here I can even use our jfrog CLI to even audit things I’m at my desktop and
on top of that I could even go ahead and even download items in this case I downloaded a jar I created uh here we go
I downloaded the jar I created and I was able to scan it with our products so I could even get back cve information directly here
and and you know that’s the thing is is like how do you have all the perfect amount of tools at any time that allows
you to do what you need to do right and having that knowledge and where it matters most is of course at the
developer level and that’s the reason why whenever we you know talk about what we do you know the biggest thing that we
show all the time is the fact oh I think it’s just I’m going oh I see here uh I
think I’m just waiting for it to share again oh there we go um is the curation side right that’s the
first level of defense and actually in artifactory as I mentioned before you can actually pre-evaluate um you know
binaries before you use them think about that right so before they even get to the developer’s hand do a spa check you
just save your time yourself time effort and money
as a developer right so if I’m thinking as a developer for a moment I find a
vulnerable component this x-ray integration with the visual studio IDE Works off obviously awesome
um how do I automate the transition to a potentially uh non-vulnerable or ideal
component for that application does it show and kind of like best you know guy gives some guidance on how to approach
uh that transition phase so really what it comes down to is just so you know we get asked this a lot too
we’re like we will never Auto remediate right that’s not our place that is not our place you know developers need to
make that decision if we did the auto remediation and companies that do auto Remediation in some of these cases
never think about the consequences of what of the actions of doing that right just because it says to do it doesn’t
you know it means too you’re probably gonna have you might have to refactor you know they might the function might
have changed exactly so the thing is is by providing that level of detail that we have right if I
go back and if I go back to there I’ll show you uh really quick um I’ll just give you a quick example
let’s see here I’ll bring it up again
share let me see can we share it there we go and if you look here you can see where
we actually have remediation data right we’re actually here we have actually done some thought forethought and say
here is what you should know and here’s the details on why and on top of that
why we did the research and then if you need more information you can see here’s the public sources
behind it here’s the reference materials behind it so you can research it more and you can also see the impact right
this is the stuff that you need to know and we even have that in the CLI too right so it’s not just there it’s also
an inside of the CLI and and we also provide that that information
um hold on let me get back to this we even also too I mean just to kind of go back to the uh the demonstration I was
showing before uh with the slides I think it’s I’m just waiting for it to come back into the uui can I go active
on that as funny as there we go I’m I’m sharing it but it says it’s not sharing let’s try sharing it again
uh here we go let’s try sharing it it’s funny I think it’s like second time the charm there we go
um so if you go here let’s go back right and let’s go back and look at this build
for a second and if I go into this x-ray data uh information that I’m showing you
here you know I’ll give you an example um let’s go ahead now just so you’re aware this this is let’s go actually
let’s go back to my actually I’ll go back to the docker image uh uh yeah let’s go into this one and I’m gonna go
into the X-ray date and I’m going to show you why this is important by the way this is going to take a second to load in terms of violation I have a goal
of getting over 3 000 violations into a single container um but let me show you this right here’s
an example I’m using a Java backend I’m using spring boot as my framework and I’m using XML parsing to parse the data
that I’m sending to the front end right and if I select this one you can see here here’s like a standard CV this
thing’s Terrible by the way this is like one of the most terrible cves out there but in here our research team said you
know what that’s unacceptable this is one of the most used items here’s all the research data we did and said oh by
the way if you just change this one function you can actually save yourself and not worry about it
and here’s the remediation pass you could choose you can replace it you can fix it you can do whatever you want but
check this out you want to see the scary part which framework is that I think it’s it looks like the Jackson databind
component right which is spring boot yeah yeah it’s part of spring boot right chaos oh yeah well watch this though we
found this jar in a jar of a layer of an image of a build we actually found this embedded in there
and the thing is is that understanding that helps developers remediate better like like I said whenever I talked about
operational risk you know how old or outdated the stuff you’re doing here’s an example right this is like the risk
of it right this is the version you’re using here’s the latest version available what’s the Cadence this one
was released in 2016. here this Library down here this was released at actually 2013.
um and it doesn’t look it’s been updated in a long time right and and understanding those pieces those
components as a developer are super important and the thing is is that the
next phase of this though is understanding on the creation side now you’ll appreciate this especially you
you know like if you’ve ever worked with any of the government entities or anything like that you know the next
part of this is also applying that level of extrapolation even into the CI
process right through the sdlc as we mentioned before right when you’re going through and you know one of the things
that we talk about here is software bill of materials right this has become a Hot Topic May 2020.
Alan Friedman by the way I’ve met him a bunch of times uh he’s awesome so I give
a talk everybody loves the talk I actually give a talk like I did at naw dog I did it at Olas I actually equate
um baking a cake to a software bill of materials they call it the cake talk everybody loves what I do the cake talk
because like basically I was like this is boring let’s talk about cake instead right but you know the thing is though
is remember where it came from right 2020 is where the software bill of materials became a thing with the US
government right the buying Administration said we need to do this and it’s section four yes I’ve read the
stupid thing in section four it says improving software supply chain and one of the ideas was okay provide a software
bill of materials we actually just so you know we actually have that uh baked
into the product so this build that I’m showing you here I can actually go ahead and produce an s-bomb for SPD extra
cycle in the X formats at any time one simple button click right to go ahead
and fix that but the thing is is that when we talk about that and I actually remove that one stage
there is the fact that yes we provide all that information we can actually you can integrate our security into it you
can Auto do it behind the scenes you can connect it to other tools like pager Duty servicenow uh and those you can
actually or jira so you can actually create actionable items behind it right so we’re very involved in every level of
the software development process even down to the end when we get to consumption right so this is that idea
of being able to track a binaries history its usage potential threats and vulnerabilities throughout the entire
thing and by doing that you know we help companies expose any level and even by
the way even down two things like um infrastructure as code right we’re doing like terraform scanning and saying
you know like one of one of my favorite examples um that I like to show is I think I’ve
got one here let me see yeah I do here let me log in and I’ll just show you this is one of my other I have lots of test servers and lots of test instances
but what are the things that we have here in part of our scan list is like here’s a terraform template and here it
is uh and I’ll just show you quickly ready and this is hilarious this is my own idiocy as part of this but so I
wrote a terraform template followed the tutorial and none of the ACLS right the
access controls were being uh we’re actually being conformed right they weren’t they weren’t and I’m like huh
what’s going on so I ran through our scanner and found out that I’ve never turned off authorization equals none which is at the top of it and just
resets it all fun fact so um terraform is the fastest
growing programming languages right now so this ties right into the overall growth of terraform it’s really it
sounds really uh nice yeah right and and that’s the thing is is that you know you mentioned terrible
on the other side of this by the way is my new my it’s not my newest session it’s been this way for over a year now
um programming language wise though I am obsessed with rust so
um and that goes down to like the you know the thing is I just love you know basically it’s the speed and the
efficiency of like CNC plus plus the you know the garbage collection memory management of something like Java about
the portability also right I mean it’s amazing and there’s a reason why rust if you look at like the number of rust
developers have gone through the roof like just give an idea like our head of devrel here at at jfrog is actually uh
you know on the board of the of us you know of the rust foundation and Russ nation and stuff like that so it’s like we’re heavily involved also ancillarily
around this so when we talk about all this like security stuff you know like we look at
what we’re trying to do right so we’re trying to help companies you know with all the scanning of all the software and containers and you know providing that
level of efficiency to have one source of truth but by the way like I said other companies detect V cves
vulnerabilities and whatnot but it’s not just that it’s the reach right remember I showed you here’s every build that is
affected you know understanding actually having the catalog to back up the findings is essential and so you get
that full visibility into everything that you’re doing as a company right so being able to say how long will you use
them how long have you been exposed you know you know how do I remediate faster because the thing is is that the faster
you remediate the faster you can get back to you know Innovation which I remember if you calculate what a single
cve cost it would blow your mind especially critical right we’re talking you know in the hundred thousand plus
range just for the initial Discovery if you think all the way up to the CTO CSO to notify him that something critical
has happened right and you fix matters what you can as fast as possible and the
thing is by having all the information that we Supply and also too the blast radius you can affect and get to it
faster so say your team it finds it and you’re working on it you go and you look you say oh my God you know what Tim’s
team is also using the same thing we should probably let them know and show them what we did so this way they can
fix it right you’ve now effectively grown organically and your ability to go ahead and address these issues and the
thing is it allows you to take complete control of your posture as a company you can write security procedures that
matter that’s the important part right not just some blanketed sort of like
this is just the way it is this allows you to say you know what we actually have the ability to do remediation we
have the ability to do audibility we have the ability to address this where it matters one of my favorite things
that we’ve actually introduced into our product is is we of course we fail builds right you find a new cve or
vulnerability you fail a build we actually included a grace period notify the developers they did something
horrible and terrible right they need to fix it but the problem is is now let me give you this scenario save 100
developers and Bob brings in a library that Causes Chaos right suddenly all the
builds fail now you have 99 other developers with pitchforks and stuff going after Bob because their builds are
broken their productivity is down Bob’s got to fix it Bob’s got a knee-jerk react and just fix it and without even
consequence a cause do it just to get everybody back in action the grace
period Factor says you have a vulnerability you have X number of days that is defined by the customer you have
X number of days to fix it before we kill the build so it still allows your teams to be productive but with the
notification that they probably shouldn’t release this because you have this and this gives the developers
enough time to sit back and say you know what we need to take a step back we need to look at this and when it’s going to
affect and come up with the proper solution maybe it’s a whole new library not the latest version and by the way so
from a GRC perspective it gives the best of both worlds right it doesn’t just destroy the productivity of the
organization but also kind of empowers them to be thoughtful of their next action
that’s exactly it right and that’s the thing and to write this through your entire environment every piece of it
it’s okay you should you should you know I always tell people like I said our
product brings consistency look at this as the big as the base Foundation I mean we have almost 8 000 corporations
globally almost 100 percent of the Fortune 100 top 10 Banks auto
manufacturers avionics medical they all use our platform and we’ve learned we
have learned and sat down with our customers and listen to their voices to produce the most efficient caring
solution we can think of for companies and we we said you know what we have no
right to say how you use our product so our product by the way can be deployed as you know kubernetes I we have SAS I
don’t like to say SAS I hate to say it I like to say managed see we’re different you can choose your provider you can be
Azure AWS uh gcp you can choose your own regions you could choose if you want to
have multiple instances you could have multiple Cloud providers you could have your own DC we always hear that term my
favorite overloaded term of the of the of of the past couple of years you’ll appreciate this digital transformation
right you know everybody talks about with digital transformation you know and that could be anything but in majority
of cases is less lower TCL right let’s lower Opex and capex cost and let’s go
ahead and put everything into the cloud right that’s what you know and we help actually I gave a talk with Azure
recently about this and I’ve done it with other Cloud providers is how do you transition your corporation from a DC to
the cloud and we really helped there right because we have like replication that you can do we have True Form replication Push Pull mesh Star Event
based you know cron based you know on top of that you can have like we have customers that are running a single
instance in a closet you know up to companies running 38 instances of us globally for full mesh and that that
happens to be a gaming company they use us for everything so that hybrid Cod interoperability conversation is one
that everyone evangelized with the proliferation of the beginning of cloud but now it’s actually production ready
right like and this is what we’re talking about so you’re saying that as a part of the repo management solution
within the X-ray and and jfrog artifactory platform you can effectively start private build private and
effectively deploy public for anyone anywhere you want and with our Edge nodes and our distribution platform
what’s great is we see a lot of companies not putting all their stuff in proverbially one Cloud basket right you
know we see companies now saying you know what I I want to have my main stuff in Azure and I want to have a backup
system potentially in AWS or gcp or my own right and we give them the ability
to have that same solution no matter where they are and what they use so that level is consistent right back to
consistency not dependent on how it’s done and what this really does it affords companies the opportunity to
think differently to actually go ahead and say you know what what works best for us and always like I said we’re not
the sexiest company out there but we’re like we’re the biggest little company you’ve ever heard of but we’re everywhere like we’re just an amazing
foundation and we’re okay with that right you can use us as that solid foundation to do everything else you
want to do but we provide that consistency that security we’re like a warm blanket for
for your company but the thing is it affords you to be able to say I want to say distribute my software I have a web
service right I could package that up and deploy it in Azure you know and you know say AKs and then I can go deploy it
also in AWS and eks right I could do that at the same time without me even having to think about it and that’s what
really what we do and then we layer on top our Advanced security features like this is something some of the stuff I’ve touched on right it was like
infrastructure was code analysis secret detection malicious to code detection we’re going to be I I I’ll touch on it
briefly static code is coming you know it’s like I’m not gonna I can’t really talk about it too much but we’re also
going to be you know addressing it so that our developers either that we work with you know we’re developer focused
we’re Corporation focused you know it’s really I mean I love what we do I love
being part of the community and I love seeing a lot of the things that I’ve seen in the past like I said with these
eyes um you know it’s like my old eyes have seen a lot and I’m really excited for
where it’s going right even with things like I don’t want to start on it right now because this could be a whole Rabbit
Hole of uh you know things like chat GPT and all that but you know I’ve become obsessed with it I mean I actually
before I joined jfrog I actually had a company that did this uh before Chachi
BT uh nobody would fund it because everybody thought it was too scary um but we actually we actually created a
series of bots um that you know back in 2015-16 that were part of a mobile application uh I
was working with the media industry down in Hollywood and what we’re doing is we were actually parsing through messages
and like WhatsApp WeChat and others and producing ad campaigns around media entities right and you can interact with
your favorite characters uh in those shows um and what we did is we actually pulled scripts and put together a chat bot and
you could like chat with the guys from Supernatural right and it would actually give responses back as those characters
um nobody wanted it at the time um so that’s reason why I had to shut it down but it was exciting right this is
what we you know this and chappie GPT I see I see AI
in this area is another area of concern where you’ll you know we’re doing like stuff around oh sorry we’re back to
we’re back to demo uh I I actually already demoed some stuff to you already so I don’t I’m gonna stop sharing now
but um you you get the idea right it’s like you know chappie you see I think in
the future is going to add value not take away jobs but I think it’s going to do is like even not just them but other
there’s other ones because like I said I’m involved in a lot of other things uh there are a lot more that are actually
in my opinion will be more beneficial especially and I look at a world
in the future where I see a lot of the automated processes um
lowering and what I mean by that is I become also obsessed and I pushed our company in this direction too is
everyone’s talking about Dev and devsecops I am obsessed right now with platform engineering it’s funny is it’s
a retraction right so in other words it went from that waterfall devops devsecops and now people are like now
there’s way too much crap out there uh let’s consolidate and actually that’s the best part about us as a company is
that we are the platform engineering platform for consolidation and by the way I’ve I’ve seen this trend in
proliferation so in my message for your days right so mesos precursor to kubernetes and all this oh yeah
um you know we’ve seen so many changes in the way that organizations uh de-risk
their platform because going all in on one orchestration solution or one Cloud divider or one you know management plane
for kubernetes is risky because all of a sudden what if that is no longer the case and the cncf with the proliferation
of Open Source it adds that level of complexity so we’re seeing that same observation to like no Ops or low Ops
and I think that that’s going to be evangelized a little bit more so Solutions like jfrog fit that Paradigm
very very very well developer in the beginning CI CD security right we we
hand like like when I read the specs behind like the initial talks if you look at our platform base right and the
things that we do and you know I go back and I you know I bring up that slide I show you you know this the slide I was
showing you before um I’ll share my screen again right if you if you look at like what we have
here um there we go you can see that you know we actually also have our pipelines
product right our pipelines product is also a CI CD and CI orchestration tool
that’s the key you know we have standard CI we have standard CD that goes without
saying okay but when I see I say CI orchestration companies out there are using like
GitHub actions they’re using you know Azure devops they’re using you know all
these various tools and sometimes that’s okay right what’s appropriate for the company or actually in this case the
project you can use our pipelines as an endpoint right where one team might use Azure
devops when they use GitHub actions one they use Jenkins and we can use them as an endpoint to show how they’re
interconnected think about that being able to actually map the actual interconnectivity between
various builds and projects and project dependencies that’s huge and the thing
is like when I so when I say that you know if we were to go back and say you know like you know I have my pipelines
product right here you know our pipeline product is is a great solution I love this product I think it’s fantastic you
know if you look at it right you we actually have it so you see like the steps of your job actually you’ll laugh as if you’ve been developing forever you
know logs are a pain in the butt to parse through like we’ve actually even gone in and actually parsed the log so this way you can actually just see the
high high level portion of the of the paragraph right so this way you can go in and see like you know or if something
goes wrong um like if I go back here I show you this is I love this part right here’s a here’s a failure
um I can actually click on here and this will actually it brings me right to where the failure is right to it right
but the other thing too is is that when we look at the pipelines and I look at them and I click on something like graph
you can see where I can actually show you you know here’s the path of like where these these builds are
interconnected and these are separate build machines by the way these aren’t just these just aren’t
having to deal with you know things like um you know like one of these this is a Jenkins job just so you know like this
one in here and this one failed so that means it’s going to affects the it’s actually going to affect this Downstream pipeline that I have right here
huge yeah so like I said it’s like not only can we be a CI but if you have your own
CI which most companies do they can go in and and you know directly see uh what
it’s affecting where you know what other builds is affecting what is the path so dude this one’s awesome uh obviously
jfrog has a lot of components within the platform and it seems like there’s more stuff coming so thank you so much
we have some really cool stuff coming out I just can’t blow the way are my marketing team will hunt me down if I if
I start talking I get too excited well listen it’s a fun game and thank you for
the partnership I know that you’re working closely with the Azure team and and you know it’s been great seeing your involvement in the community at nadog as
well as well as other community ecosystems so uh any other things or highlights you want to mention to the
community how to get in touch with you at all yeah so I mean if you want to get in touch with me uh my uh you know my my
uh my Twitter handle is just William Manning um very simple then actually you know using it for since the beginning I was
one of those people like what the hell are you doing I’m like I’m tweeting like what’s that I’m like well were you texting the tweets oh yeah oh yeah
oh yeah back in the day so I mean like I said I’ve been I’ve been involved this I mean like let’s just give an idea like behind me you rarely see but like I mean
I’ve been doing this kind of work I mean one of the companies that I had was called for home um we were iot before iot but it was
still called the connected Home and these are like the engineering CS Awards I have behind me uh we actually got
acquired by Google Motorola uh they acquired us for our patents um but you know we built this platform
to do this kind of stuff so like I mean I’ve been involved in everything from iot Email encryption and security uh my
first startup we were the first web-based CRM a lot of the people who we all I worked with at the time when we built it I was called octane software
went on to found um Marketo uh Sugar CRM you know help build Salesforce all these things right
so it’s like I’ve been for every time in my career I’ve chosen something different every time um and jfrog just happened to be the
next extension for me to be like you know what I’m gonna take all those years of development experience engineering experience CTO experience and bring it
all together inside of a one product team bill it’s been great speaking with you working with you and we’re going to wrap
this Edition uh so thank you so much you’re a wealth of knowledge please stay involved in the community and keep up
the great work with J frog your rock and I really appreciate you having me here today man it’s been an absolute pleasure uh like I said love your bike in the
back and stuff and the music thing you can see probably see my guitars hanging on the wall on my piano behind me a little bit but yeah love it so we’re
gonna talk devops music cars and uh fun all that good stuff it’ll be great uh everyone’s gone my friend thank you so
much for tuning in and you’ll we’ll see each other at the next episode of the podcast nadog Rock and rolling see ya
well I got a really cheers be safe [Music] foreign
[Music]