DevSecOps 101: Best Practices

William Manning: Welcome to DevSecOps 101: Best Practices! 

Personally, I’ve actually removed the word DevOps from my vernacular and I’m actually concentrating mostly solely on DevSecOps because think it’s actually everything we need to know about modern day DevSecOps practices, that everybody today should be doing it and today we’re going to discuss reasons why, and also too how the Jfrog platform specifically around Xray and an Artifactory product can provide you with an end-to-end deaf second up solution with best practices around how to do everything from shift left to ship right.

 
So who am to talk about this well my name is uh Wlliam Manning or bill you just call me bill I’m actually uh the solution engineering manager for the americas for our new business team you can follow me on twitter or also follow jfrog on twitter we have a lot of good information around there. 

Hopefully if you’re coming to this talk you know who Jfrog is we’re the universal binary repository management people. Our main product is Artifactory and a lot of people confuse the term Artifactory as a verb that’s out there. But Artifactory is actually our product it’s a way for you to do things like manage builds and manage also the third-party transit dependencies which we’ll dive in and talk about today so first of all let’s start off and let’s set the context for everything that we’re going to discuss today number one DevSecOps starts with software supply chain surprise surprise right and today we’re going to discuss some of the things around it and the reason why this has become such a phenomenon in the industry for a lot of good reasons and there’s a lot of reasons also too why you should enact these into your organization to provide the best level of support and the fully comprehensive ability to cover your company the way it needs to be covered. 

So this way it’ll become one of those headlines that you read about we’re going to talk in a few minutes but the thing is is the headlines right we see these all the time you know we got alerts that suddenly there’s all these flaws out there and third-party transit of dependencies you know that you know people’s secrets are being leaked and user data and you know some sites been brought down or we don’t you know we know the drill but the thing is though is it’s nothing new this has been going on for a long time this actually dates back even further than 2012 but the whole idea of what a supply chain attack is is that your software is made up of other software it’s injecting these malicious components into that software making your software indexable now the best part is you don’t even know what’s happening most of the time but the thing too is is that when we talk about software supply chain we need to address one of the major features here. 

And we’re going to discuss things like foss right free and open source software as the old adage goes right free isn’t speech not as in beer but the thing is is that over the years these attacks have actually grown in intensity and the thing is is that there was one attack in particular on this third-party transit dependency attack that caused the whole world to have an uproar and you guys all know what it is because it’s right there as the last item but solar winds and why was solarwinds such a catalyst for the industry to really sit back and take stake in the way that actually software is being built like said this is nothing new even the Xray product we talked about today is over five years old but the thing is is the reason why solarwinds was such an attack was actually there was an elegant manner to it to be honest um it was actually like a fourth level transit dependency meaning there was an implicit dependency that the developer who developed the software needed and when he brought that in it also brought in a whole series of other things so the people have solarwinds depending on dependencies which depend on dependencies you get the idea well the thing was is that fourth level in this somewhere was this one malicious package and today we’ll talk about how some of those things happen and you know why that’s such a bad thing but the thing is with that one that was so elegant was is that it didn’t even start until 14 days after the sophomore itself started 14 days later chaos ensued and the reason why it also garnered so much visibility was the 18 000 plus customers. 

But it wasn’t just the sheer volume of customers it was actually the specific customers especially in the United States that got affected like the dod the you know the department of homeland security the federal reserve bank a lot of the companies that depended on solarwinds for their software needs suddenly found themselves you know exposed and this is like a hundred billion dollar global worldwide uh remediation has been had to done since 2020 but the thing is is that this is just one instance and the thing is is that remember the reason why this happens is: that open source software comprises 85 to 90 of your code think about that right most of your code is someone else’s code! 

And the thing is is that the reason what always talk about is is that let’s talk about the developer right I’m a developer by trade obviously from the white beard that have in my face i’ve been doing this for a long time and codes are you know coders are artists they’re artisans in their crafts they use palettes and the palettes they use are these libraries that they need to complete the tasks that they do you know they look at they need to like you know concatenate a string or you know create a bitmap or you know create a hash table of of you know different you know fields and numbers and you know they look for ways to accomplish these tasks and the thing is as a developer we have this blind naivety that we have about where these software components come from because we really don’t most of the time don’t pay attention all we know is that there’s a library out there that will help me do my job faster I’ll utilize it I’ll utilize the maybe one function out of a hundred but what about those other hundred functions we’ll get to that later.

But the whole idea is that you now use this function to accomplish my task. You know my agile sprint’s done, check off my kpmy or whatever. 

The thing is is that we have to take stock in understanding where these pieces and components come from but how we can also not remove the velocity of a developer or remove that innate ability for them to master craft something out of nothing but utilizing a series of palettes like said they’re artisans they’re like painters and the paints they use are these libraries and it makes up 85 to 90 of what you do, but why do these actual components why are they so malicious in what they do or how can these things happen and how do we stop them and that’s what we’ll talk about today of all the different levels of approaches so we got to remember software is everywhere and also too the amount of velocity has changed over time mean if you’ve been doing, like said mean when started coding we would do quarterly releases and then shorten the cycles as agile and you know from waterfall to agile and other things and then we automated more you know ccd happened you know get ups you know check in your code have something automatically build so you don’t have to worry about it and do its thing the problem is is that all these automated tasks while they have helped tremendously I’m not going to discount the fact that these have helped expedite the delivery of software giving companies the advantage to produce feature sets and things and uh that you know give them the edge above their competition or help them go to market faster but at the same time we have introduced a susceptible risk to the software that we’re producing ourselves and the thing is is that remember um you know 85 to 90 is not built by your team these are things that you’re utilizing from random strangers on the internet right these are libraries that are out there you know there’s free and open source software.

I am a huge believer in the idea of giving back to the community and developing i’ve been part of many open source projects over my lifespan but the thing is is that this roads trust these things that have been happening right how do you know how safe these are it’s like somebody walking down the street and they have an apple in their hand and they take a bite and they go this is delicious and they reach in their bag and they pull out another apple: will you take it do you trust that person do you know this person just some random person and the fact they pulled out of their bag, right? 

Same kind of idea. But the thing is is that when these attacks happen we’re gonna go into the various methods in which these actual uh you know people who do nefarious things with this you know you know the thing is in a lot of times there are some financial incentives don’t get me wrong but the thing is is that you know there are also non ones there’s bragging rights and things like that but we’re going to dive into a couple of the mindsets behind this and the various types of approaches, that, you know, these these uh hackers for back lack of better term um though that that gets me into a whole other discussion but I’m that’s not here um really what this is but the thing is is that there’s various approaches that are are taken and there are ways to combat this while still having the same velocity you have now but also too addressing it so that the velocity also entails having security to protect not only your company in terms of reputation but also financially because the thing is and we’re going to talk about this today we actually introduced recently a portion of our product called operational risk and the idea here is 74 of the binaries that you use to do your job are susceptible they’re either old outdated um a bit abandoned but the thing is a big large swath of those have fixes so understanding that you know if just have a simple fix that makes me that much more secure yes in some cases. 

These are little baby steps that you’re taking to ensure the safety and security of the software you produce but at the same time it’s not hopeless you have methods you have ways to protect yourself because 99 of the software developed 85 to 90 is full of open source components right 62 of all attacks have you know where have increased year over year and they from 2015 to 2021. 

Now these numbers are pretty low actually in a way because have another number that’s way more scary but the thing is is that it’s increasing it’s going a velocity and actually during the pandemic when people have a lot of time on their hands there was a huge increase I’m talking a 650 increase in supply chain attacks last year alone think about that that is massive think about the sheer magnitude of the things that are being introduced that could cause potential threats problems cost your company you know lots of money reputation mean think about it suddenly all your information has been released because of something that could have been easily fixed and suddenly you know you have lead you know users leaving your site or you have people saying don’t want to use that because don’t trust it because of what read in an article somewhere you know what it’s very easy it takes seconds to ruin a reputation it takes a lifetime sometimes to garner back well the thing is a software supply chain attacks happen for a lot of different reasons first of all it really is low effort the thing is is that most of these attacks are pretty nominal and they might expose one little particular detail a field or it might be a way for you to you know connect to something let me come on look at log4j long for j this is something that was used for the longest time there was actually info and warnings by the way going out before this saying: “hey guys we’re investigating this mess but the thing is is that think about this you” could interject a simple command line option and wipe out a remote disk because of a simple vulnerability in a lice in a library used in a piece of software it doesn’t take a lot of skill it doesn’t have to be elegant these are hit and run kind of objects right if they get installed they’ve they hit it and if it runs it does something it’s easy the sp. 

These attacks spread so rapidly it’s insane think about something like mpm which I’m going to talk about a little bit later call it the house party as a joke you invite three friends over and 500 show up right so three implicit libraries that you state in your package.json as a developer and it brings like 500 friends because dependencies are dependencies of dependencies you have implicit dependencies that you said and then there’s all the rest but the thing is is that these libraries and: this is the various components that we’re going to discuss today hide in plain sight they’re in these repositories once something is uploaded associated to another transitive dependency it is dragged along with it right and the thing is that this has actually caused a widespread issue in most companies in the trust of these third-party libraries but like said there’s old methodologies. 

You’ll hear this a lot we have companies that come to us all the time they’re like yeah our security team wants us to submit a list of the binaries we need you know the libraries actually should say that we need to do our job they have to go through pull them all in approve them and then you know then they’ll give them to us and we can use them think about how long that takes our methodology that we’re going to show as part of this discussion, will show you how you can still ensure that same level of security does it not have its top velocity but the thing is that also help improve that relationship that your company has to feel safe in doing the jobs they do without the intervention of having to have your security teams harp on you or things like that but still provide that level of security that can help your organization but the other thing too is is that they blend into the community they’re very stealthy they just get in there they do their job they check their code in the attitude they pull down the library they create their library they make an indirect transitive dependencies that people just go hey it’s 25 lines of code it probably does something mean come on guys remember 2016 when the disgruntled developer and uh for mpm got rid of you know left pad does exactly what it says but it was 11 lines of code but, when he got mad and removed his library, out there and everybody tried to build it was like a fifth level transitive dependency that everybody used and like 75 percent of the builds you know that used npm failed right and we’ll talk about the fact that you know these little pieces of code can cause massive amounts of damage they can either open up say a back door or interject some malicious code that might do something more mean you know the thing is is that what happened was with you know um solarwinds was that when it released it was like a sniffer sniff around the network tell me what you found right these are bad things right but the thing is it’s not hopeless there are ways to fix this so how do these attacks occur right so once again let’s talk about this in a visual format I’m a developer have a a project I’m working on i’ve got to build a piece of software you know picked the technology let’s say you know npm maven um python don’t care whatever stack works for me or works for my company or whatever the standard is that is around this you know picked the library but the thing is is that when start coding realize need libraries to accomplish the tasks need right to do things you know whether there’s like a spring boot framework or an npm I’m using something like uh react j you know like react or you know, maybe, uh I’m using docker containers need a base level docker container that contains a very specific set of of runtime elements that need to run my application whatever it is it doesn’t matter software is made of software and go ahead and define the software that I’m using and then compile my code.

And it gets all happy but what happens if one of those elements you know maybe an indirect dependency which is what everybody thinks in their mind everybody goes well I’m not using any sort of malicious items well you know what suddenly when you go ahead and you build your software you know that’s part of the product you’re shipping and when you send it to your customer you’ve not only given the software you need but you’ve also given them so much much more but let’s be honest most of these attacks do not have a lot at the implicit level itself these attacks happen actually at the indirect dependency level right, these are the ones that come associated with the binary have implicitly stated as a developer but it’s still the same effect they come in and suddenly I’m giving my customers so much more than just my software you know they’re probably not going to be too happy so let’s talk about when software attacks right always laugh when show and talk about this because it’s really not the software it’s the people who created the software that created the you know the package that’s gonna go and cause the damage it’s like it’s like somebody puts a you know uh you know something in a package and ships it out and that person somewhere else opens it but it’s anonymous where did it come from don’t know you know, but it still can cause damage right well there’s things like dependency swat you know dependency and typo squatting right these are huge ones mean there are people out there that will create malicious packages based on the fact instead of before e except after c they do e before and suddenly you’re fat fingering because you’re typing and you know what you do an npm pull you do a pip install and you don’t even realize it and it still goes out and say that package exists with that dependency and it you know spelled differently. 

You bring it in you’re none the wiser because a lot of times actually with these they’ll actually fork the code so you still get the implicit functions you’re you’re trying to get so you still think you’re in that happy zone of got the library need to do the task need to accomplish this in my spring but injected in there somewhere might be some other code that causes something terrible to happen let’s talk about dependency confusion all right those are names everybody knows right and these names have trusted pieces that they do right mean look at apple they are probably one of the most you know trusted names in security mean don’t care what you think of them in terms of apple but when it comes to their security that they do for their users is pretty top notch look at Microsoft one of the most Microsoft became one of the largest open source contributors out there. 

Unbelievable, look at me like I said I used to be the guy who can’t believe they’re doing this and I’m an open source guy and now I’m like Microsoft surprising now or Netflix they make some of the best tools out there. 

Look at chaos monkey, one of my favorite pieces of software ever created if you’re not familiar with chaos monkey type in netflix chaos monkey after this after this not now and take a look it’s amazing the problem. 

It is that how do you know what libraries are real and which libraries are fake do you think that that’s the case look at paypal and that’s the example we’re going to use next we actually did a test on this and when we took a look you look at these binary packages here it says off paypal world or for whatever that says paypal and analytics paypal you’re like hey paypal is a trusted source out there you know what they’re basically a bank. 

They must know what they’re doing in terms of security wanna wanna know something funny these aren’t real these are terrible packages that will go ahead and destroy everything that you’re doing these are fake these are not real you need to look for trusted solutions and the jfrog platform when we talk about it always said it’s a DevSecOps platform it’s end to end security if you’re not familiar with our entire platform I’m going to explain it to you right now on the five cent tour so we’ll start from left to right or shift left to ship right know you hear these terms all the time I’m throwing market buzzy words yet too right. 

But let’s start up with over to Artifactory it’s this cornerstone of our technology the best part about Artifactory is simple is that when you look at Artifactory it’s a place to manage that 85 to ninety percent of the software you ingest to create your software and manage those third-party transit dependencies it also manages the builds you create so you can publish the builds docker images mpm we support over 30 package types and the thing is we just introduced terraform support so infrastructure is code support besides chef and ansible and puppet that we already have. 

But also two will be introducing I’ll probably get in trouble for this swift support done very soon to discuss things around ios mac os tv os and all the other os’s that apple does but the thing is it’s also an sdlc enablement tool software development life cycle so you can design it also as a way to monitor and maintain the build you produce but also through their entire intrinsic cycle you can have your repositories we’ll talk a little bit about this we’ll have dev and qa and staging and production and we have a promotion apthat allows you to promote it through the cycles then we have Xray Xray is our security vulnerability license compliant and now operational risk assessment tool it’s a way for you to implement everything from shift right you hear this shift left god that was a mistake but shift left at the developer level so ensuring that your developers the front line defense for your organization the place where the roon any security tool is greatest is at the developer level we’ll show some of that you can also interject it into your cprocess and it’s your cd process too in addition to that you can have it automated behind the scenes everybody talks about cfor continuous integration cd for continuous delivery we also talk about cs for continuous security because our Xray product is constantly in motion constantly ensuring that you’re safe and secure then we have distribution this is our release management process you can either use our distribution edges in our sas model to distribute things like sdk and software packages to your customers you can also implement our immutable edge notes. 

We have Artifactory edge notes or lightweight immutable versions you can use them in a hybrid model either in the cloud your dc but what they are is it’s a way for you to distribute your software using a component called a release bundle which allows you to securely digitally sign a group of binary packages you want to push to a location to these edges for retrieval but also two the thing is is that you have the ability to use our Xray product to scan them one last time before they go out into the world then we have jfrog connect it’s our iot platform right this is an mdm so it manages your devices provides remote access remote assessment so you can see how they’re doing but also ways for you to distribute your software in real time do things like blue-green testing if you wanted to right this gets your software products to remote devices that are iot based we have pipelines our ccd and orchestration tool the ideas here is simple it’s a fully scalable process all built in kubernetes where the runtime can reflect the actual elements. You might need to run your software it could be debian based center west base windows based it’s also built so you have templates all yaml based uh you there’s no plug-ins so it’s all native integration based so you can even do things like running powershell or native kubernetes commands then on top of that you can use it as a way to package up your software through our distribution and distribute it out and also implement it because like said it even has kubernetes you know connections in it so you can actually even do kubernetes runtime commands you could also extend it as an orchestrator keep your current cprocesses in place and when they finish have a cjob done um or cd job done in pipelines including things like approval processes or blue green testing on top of that what also is nice we have a thing called signed pipelines which is a blockchain style ledger for all the stages of the actual build process that you do and then lastly we have mission control and insight mission control and inside is a holistic view of how the whole system is operating and insight is a way for you to capture all the data that you have and the data that you have you can utilize in things like splunk I’ll just show you a quick example here is actually have a uh you know a thing that I’m doing here where I’m actually using the cell right now i’ve probably just picked a better a better time frame like I’ll go I’ll come back to this but let’s go ahead and let’s look at the previous year I’m going to submit this and let it do its job but we’ll come back and it’ll actually show you that here actually here we go here’s all the data that collected on assessing my vulnerabilities as an organization for 2021. this lets me know how many vulnerabilities how many license issues violations so there’s a tremendous amount of data we provide for you to make better decisions.

So now that we’ve talked about that let’s go to the next phase right let’s talk about Xray for a minute right it’s automated security and compliance and now also to operational risk assessment so first of all it allows you to scan all those components as you’re bringing them in it allows you to get full visibility and one of the things we’re going to talk about at the end today the bonus round on this we’ll talk about software build materials everybody talks about it I’m going to show you how easy it is for you to get that but it’s a full visibility into your supply chain not only where it’s being used currently in the build you’re assessing but everywhere else the blast radius as call it what else has this affected in my organization and how can fix this we’re also going to say fixing what matters fast right so the impact analysis component of this is not only that but also the remediation aspect right, so assessing the actual things you’re doing but also the remediation aspects are just as important and this helps improve your security posture and the best part about it is a majority of these things can be implemented pretty rapidly and also behind the scenes and even none if you implement Artifactory already or you want to once you’ve put that Artifactory you can do this behind the scenes without even the other teams knowing it while still providing that same level of security that you need and on top of that it integrates everywhere right so the thing is it’s got our apour clI’m going to show you that today you can implement it to your cprocess but behind the scenes is continuous it’s constantly scanning and it works everywhere right this is another thing that we do so let’s get to the next part of this when look at this and break out all those individual pieces out and all those pieces talked about the platform as you can see here stated you can see that we have things like id integrations which I’ll show today I’ll show you our cltool and how you can utilize that I’ll show you how you can use Artifactory and Xray together to ensure that security at every level and lastly how you can actually use this part of our distribution process and even down to our connect for iot devices.

So let’s get into it now that i’ve talked about it you heard me speak about all these various aspects now I’m going to discuss with you a demo so let’s first of all go in and let’s take a look at the things that you can do I’m actually going to use two systems here because one system have is actually being self-hosted and this one actually has a very cool thing want to show you and want to show you towards the end of this about assessment and how you can go in and actually trace things through the entire life cycle of the stuff that they do but want to show you some other things so I’m actually going to log into this other system that have here because actually. This is actually has one of the newest components in it and think that we need to discuss it because we haven’t discussed it yet publicly you guys are actually one of the first which is pretty cool so first of all one of the things you need to understand is that there are other levels of security that you have of course you have things like user identity and management we have the ability to provide you with all that level of security around there. 

When we talk about storing the binaries and using the binaries I’m not going to go too deep into this because we have plenty of of 101 you know, basically Artifactory 101s out there if you need to understand I’m going to go very ancillarily over the components that we’re going to discuss here which are the repositories where you store the binaries specifically we’re just going to talk about local remote and virtual so local repositories of the binaries that matter to you your bills, the things you produce remote repositories of those third-party trends and dependencies the 85 to 90 percent of the stuff you consume to build the software that you release and then virtual repository is an encapsulation it’s a way for you to go in and and and have all these things done. The right way so first of all number one let’s talk about local repositories when we talk about local repositories one thing you need to keep in mind is is that you go in first you design your local repository not only first of all based on the package type so let’s go look at something like docker right want to have this as a docker registry and there’s lots of reasons why so first of all you need to understand that anytime you upload a binary into Artifactory whether you do it through uploading it or publishing it or you do it through a third-party request everything that’s pulled into Artifactory torn apart turn it to unique shot 256 stored as that shot 256. 

And when we store it we actually go ahead and say there’s a thousand projects all using the same library we go ahead and we store it once and we reference it a thousand times in the metadata this allows us also to track and trace where this binary is being used but in addition to that it also provides a level where you can go in and if you look here i’ve got 296 gigabytes of physically stored binaries in my file store but 1.494 terabytes would be if expanded it back put all the duplicates back in the reason why bring this up is is that when we are talking about this and we talk about how we design the repositories is everything is done at the meta level so when say was going to design this and by the way we have a naming convention document I’m being very rough here might say you know my project is called test it’s docker and want to design my repositories to match my software development life cycle this is another way of ensuring security so that you can go ahead and have dev and qa and staging and production, you can change the acls through these two where developers might have a little more free reign and the actual say qa team can only read and then publish their results in because you’re going to want to encourage your teams to publish more metadata in for everything you produce so you have one single source of truth that when you look at it you get a true assessment of this binary but when go in and say dev might say qa as my next stage or you know might say staging and then eventually production this also allows you to assess where are the things in the cycle how many things went from dev to production you can actually calculate this information to say we have a hundred bills in dev we you know 25 got assessed by qa three got to put in the staging and then one got released right you can find out this kind of velocity assessment but also when you design these you can go in and do things such as include patterns and exclude patterns to say you don’t want to store specific things like you might want to say don’t want to store you know log files or something then at the bottom here the piece that’s most important is this enable indexing in Xray because the binaries are stored as metadata this metadata is then passed to Xray so remember said Xray is continuously scanning one of the advantages of this is is because it’s metadata it doesn’t need the physical binary it just has the metadata assessment so it’s constantly looking based on the data that we provide to assess it too which we’ll talk about in a minute now we’ve actually gone in if we take a look here believe in this one actually have a docker repo so repos do so if you look towards the bottom here you know might have dev and production and some others. 

Think only have a couple here could always go in and add some other ones like qa and staging then we have the remote repositories those third-party transit dependencies I’m kind of going through this little quickly because if you want bigger details go look at some of our other stuff but the idea here is simple is that what you do is you once again you go ahead you pick your repository you pick your repository type let’s go with docker again in this case so might say you know docker remote actually already have this created in here but I’m just doing it. 

Again it’s going to yell at me that already exists right can go in there can use paid accounts free accounts here’s multiple ways to authenticate you can do include patterns next food patterns to say don’t want any binaries by this name you might have one where your team says you know what don’t want anything with the word you know blah you know could type ready blah in it don’t know I’m just using that as an example so no package name blah will come in but also once again enable indexing in Xray this will allow you to go in and make sure you can write rules and actions to take to make sure that those third-party transit dependencies even base container images and the run times that are in them are protected and then lastly you’re going to want to go ahead and design your virtual repository right I’m not going to go too deep into this either you guys if you’ve used Artifactory long enough you understand what this means and if go in here and type in docker I’m sure have a ton in here but this allows you to go in have a central entry point this is a terrible name. 

By the way below it have production and dev and might have a remote repository and by default I’m going to build something and deploy it so now i’ve got a little touch on repositories let’s talk about Xray and let’s talk about what you can do with it and the various aspects of which you could protect yourself as a corporation while still retaining velocity but also understanding more than you ever wanted to know about the things you produce so first of all let’s take a look at something. 

So first of all on one side i’ve got a list of binaries that wish to assess and just so you know by the way our Xray product also does on-demand scanning it also does local disc scanning using the clso you can still produce okay results without it being in Artifactory this is something need to demystify there’s a lot of companies out there that say we don’t do this we do and there’s plenty of information online to address this but on the other side need to match this up against something and the stuff matched up against is a thing called zuckerzook depending on how you talk to it’s the Xray update center it’s our massive database of vulnerability and compliance and the idea here is is that we have nvdness sources we have a relationship with rbs we actually have a research team once again we are going away with companies saying that we don’t we do we are a cna we are certified number authority right we can produce cves we are one of the few companies in the world that do this and we algorithmically and manually curate this information to turn into something tangible. 

So on one side binaries other side data that we want to assess it to now what can do so we have policies and watches policies are the rules and the actions you take and launches is how you implement them first let’s go look at policies so with policies you give the policy a name you give it a description and up to a couple of weeks ago would say pick one of two flavors you know what we’re neapolitan now so we have three flavors we’ve got vanilla chocolate and now we have strawberry maybe you’re not a strawberry fan but it’s neopolitan we’re gonna go with that well if you take a look we have security licensing and operational risk this is our new kid on the block here and we’ll discuss a little bit of that today so under security would go create a series of rules right got more than one rule in the policy so give the rule a name, then have my criteria that want to assess it by first of all have minimum severity which is cve so you have low to critical always include all severities at some point info and warning provide you with a lot of information especially if a binary is being assessed for a potential threat then we have things like cvs’s score you can do v2 or v3 so you set your slider for four to say 6.7. If you don’t know what cbs’s score is go look it up it’s actually a fine granular approach to understanding a binary in terms of vulnerability assessment is it a network component is a data component right there’s a lot of information in there also too a new thing that we have is is that you can actually say issues that do not have fixed versions are not generated until a fixed version is available what this means is in some cases there is remediation available for these libraries some are like don’t even tell me about it until there’s a fix available so can address it well now we talk about that as being the criteria you’re assessing your binaries by let’s talk about the actions you can take to make sure that you’re secure so first of all it’s going to generate a violation in Artifactory and we’ll show you what that looks like and how awesome the detail is you can also do things like trigger or web hook it actually is a simple json post post it out somewhere use your parser parse out the data that matters to you place it in the system somewhere when you apply your policies one of the fields that is there is a parameter for email address this will allow you to send an email to a group or individual you can also say notify deployer what this means is is that anybody who deploys software into Artifactory can notifications that they’ve introduced something potentially threatening or nefarious there’s a separate email here the separate email here is a good one this one is always so you have red team that handles critical issues or 9.1 or higher in cbs’s score one of the cool features that we introduced over the past couple of months is jira integration inside of you go ahead connect to your jira you select the project you want inside the watch but this will actually go ahead and create a jira ticket so what does that look like well here’s an example right here this is actually in my jira right now here’s a security violation here’s the X Ray information here’s a link back to the binary that actually contains it and then here’s all the information that’s behind it another thing that you can do as part of this and these are the aggressive features so you need to be cautious when you do this first we have block download now block download is actually where binaries that are already inside of Artifactory continuous security always scanning suddenly new information comes about that the thing you’re using yesterday is not so fine look at log for j we’ve been using it for five years and hey look suddenly it’s the worst thing that’s ever been known to man we actually released a tool to help companies get past that but the thing is is this stops the inject the consumption of these binaries from that moment forward until you have time to assess it and then rule whether or not you want to allow it or not or if there’s a fix for it which we’ll talk about implement that fix but let’s talk about shift right mean left oh my god did it again since this is already recorded take it all right shift left well let’s talk about that now number one let’s talk about the automated behind the scenes right you still want your developers to have creativity and you want them to be able to ingest binaries but assess them before they do this kind of like the manual team here’s my list of binaries can you go out and get it and then do some scanning on it and let me know if it’s safe this will do it behind the scenes block unscanned artifacts mpm install blah it goes through Artifactory it proxies that request it pulls in the blind library with a seven million other transitive dependencies that come with it it gets stored in Artifactory it gets accessed by Xray and then if it passes your criteria that you’ve defined whether it’s licensing security or operational risk it gets delivered to the developer this way you protect it before they even get their hands on it but that’s just behind the scenes this is you can implement this right away once you’ve implemented Artifactory in Xray the next part of this though is let’s go to the developer let’s go where it matters most how do you get the information to them there’s a couple different ways so first of all what if you have a what if you use slack right you’re a slack organization you have slack for your messaging we do right, so just let you know we actually have a slack application out there that you can install put it into your environment and connect it and then if you take a look here you can see actually in my slack here’s the jfrog actual slack application and if go into my slack alerts you can see where the tool is actually publishing information based on the assessment of the things that i’ve done and have instant access so as a developer I’m using slack this is one methodology can use but let’s go even more to the point let’s go right to the developer themselves and one of the nice things that we also introduce here is we actually have plugins for ides so whether it’s intellij eclipse you know visual studio or in this case vs code. 

My favorite editor, right, was an atom o person now use vs code because that’s all my favorite plugins don’t have to go and do anything but if you look here we actually in this mpm project we’re breaking down the actual binaries and if there’s any potential threats in this case i’ve got a threat here call it binary shaming yes that is elegant isn’t it the idea here is is that no developer wants to be the developer that checks in things with red or orange right because you’re introducing something potentially threatening so we look at the component itself you see the version its type its scope are there any issues even its licensing well you can see that as a severity level of high but has remediation so it actually has the ability if you say hey I’m going to go from 3.04 to 3.05. 

This will alleviate my issue i’ve addressed it where it matters most whether it is the rois greatest further down your sdlc the cost goes up exponentially but let’s also talk about people who don’t use ids let’s talk about cltools well if you look in here inside of my and this is you know this is my my personal uh you know desktop here and if you look I’m actually using our jfrog cltool ran a chaff rock clcommand called jf audit and jf audit actually went ahead and actually composed a list of vulnerabilities based on my local desktop that did here did an mpm install it did it actually looked at all the way those binaries are are being utilized how they’re all together both direct implicit and indirect transit dependencies and lets me know hey by the way i’ve got issues well know i’ve got issues but this in this case the actual components I’m using have issues what about docker all right now here’s the thing a lot of us out there and if you’re not doing it recommend reading it I’m a huge 12 factor application guy, right, love the idea of it getting rid of that works on my machine right so all my developer do personally have a docker image that runs it’s the same docker level os I’m using in my production so have my ide my local file store all attached to it so always make sure well how do you know that those are safe and secure so first of all, I’m going to show you inside of Artifactory and why that’s so meaningful. 

But what if your developers are pulling it down to their desktop well we actually just introduced something really really really awesome and what we’ve actually introduced is um is actually our deco desktop so this is actually my docker desktop with our jfrog extension actually installed and if you look here can pull down any docker image to my desktop and this will go ahead and connect it to your Xray installation without this even being an Xray by an Artifactory by the way because we are one of the most awesome container registries but the best part here is I’m assessing it right here right can actually tell if those are actually nefarious or not so this is another level ide cl also have the ability to use now the docker desktop but let’s go back to Artifactory right. 

And I’m going to talk about build integration next think this is super important so let’s go back in here let’s go back into my instance, and let’s talk about other things so one of the other things talked about was distribution right packaging up those things like maybe help charts and docker images and publishing them and deploying them with pipelines well can also make sure they’re safe and secure by assessing them one last time then we have the of course fail build now fail build is great because right you just sends an exit event clide whatever doesn’t matter what it’s doing is it’s going in and saying hey I’m going to sell this build based on its action but what the thing one of the problems is is that what that is is that a lot of times it’s forcing your developer by killing the build and other say other developers are doing the same build and suddenly the same thing happens and so they’re like hey bob you know what you introduced something that broke all of our builds please fix it well you can introduce also grace period now grace period says you know we’re gonna give you three days to fix it and then we kill it completely. 

But this gives your developers a chance to take a breath back and say okay know this is bad you know what let me go find something better or let me see if there’s some other remediation around it let’s talk about licensing right just as important so in our rules for licensing you give the rule a name you give it a criteria though in this case is different but the actions are the same we treat it just as severely so of course we have all 435 open source licenses on the market right these are the major ones other people say there’s 2600 and stuff like that those are actually mostly corporate licenses. 

Okay, let’s be honest these are the open source ones these are the ones that you’re an open source developer you go with right so we have the allowed licenses we have the band license you can upload your own license and add it into this so you can assess that too so it doesn’t get flagged but what if it’s not one of those licenses what if it’s unknown you don’t know what it is you’re going to want to find out why or why is there more than one license sometimes these are indicators that there’s something potentially malicious going on here then we have the next phase of this right operational rest this is new not many people know we have this this is a brand new entity that we’re actually bringing in and this is the longevity the life cycle of a binary well you know the thing is is that remember said 74 of the components you have either have one major vulnerability they’re old outdated abandoned well we now have the ability to assess that so you give it a rule and then we have by the way on our website we have assessment criteria. 

There’s a metrics of information on how things get assessed in terms of operational risk so if you want to see what those are we have them below right is this an end of life right is this you know we have also by the way operands here so you can say end or or right is there you know what was the last you know really it wasn’t released in the past six months you know how many releases are greater than this right so have my version 1.01 how many releases after this. 

So you know it needs to be greater than four okay it means that somebody keeps maintaining it you know is there a cadence right are they releasing every week or they’re releasing every five years how many commits have there been in this year right that’s a good indicator too have they been fixing it also too is there less committers right so maybe things go down or in some cases risk severity level right this comes back to the risk assessment. 

But once you’ve actually gone in and you’ve defined your rules and policies now you’re going to want to go in and implement them and we implement them through a thing called the watch and with a watch you’re actually going to give it a name you give it a description here’s that recipient list here’s your jira profile so once you’ve connected you would actually go ahead and select the actual component that you want to look at and then you say here by the way um I’m going to go in and I’m going to use my license policies and my maybe some security policies or whatever now go in to sign those and then choose how want to implement them can either assume at the project level didn’t even go into projects there’s a whole talk on that project is a way to provide more of an rbac style implementation where you have super users that run the environment and then you can have project admins that run their own projects but you can say want all projects to have the same security want to do it by specific projects or even want to do it by uh patterns so it’s more blank, and say I’m going to assess everybody with the word uh dev in their name right for their project or can do it by resources say want to do all repositories that have flagged uh with indexing and Xray want them all to have the same one could do specific ones might assess development differently than do production can also do by regular expression and can do the same thing for builds and the same thing for bundles now let’s go look at two things and this is this will be the end so first of all let me address the element in the room so first of all just so you know here’s the on demand scanning where you can actually see if you’ve actually scanned something locally or something that wasn’t part of it like a remote kit project or something we also have reports licensing vulnerability and all those kind of things but want to show you the important reason on why you would do these things and in this case I’m going to go extreme so this is the last part of the discussion so let’s go ahead and look at this so first of all build integration I’m actually going to show you a docker build in this case in my case instead of using our pipeline product happen to be using jenkins so with jenkins can actually go in here and if you look actually can clone my github project pull my dependencies build test deploy scan it as part of the assessment and use my promotion I’m kind of zipping through this like said there’s whole other talks based on this

But the important part is if were to look at this dsl you can see here where actually have a stage where I’m actually going ahead and I’m going to scan this with Xray just supply the bill name the job number and say Xray scan and by the way I’m not failing it in this case but also too mean if they’ve passed my unit test and like by the way just you know could actually send metadata to say it passed my test or failed it once again queryable data that can be really important to you by the way you can also go in and query Artifactory to make sure you’re installing the latest versions of applications and the reason why chose docker is is they’re very black boxes right the thing with the black bosch menta box mentality is is that how long would it take you to like unravel a container to find out what’s in it right including what application layer is in there. 

So let’s go in and take a look for a second so as you can see this was released but this has a lot of critical issues so number one in this case this is the important part from a remediation aspect had a person recently tell me that you used to take them anywhere from weeks days and weeks to and you know to recess and cause root cause analysis and we’ve knocked it down to minutes and hours let’s take a look. 

So first of all your standard instance would look like this right where you have just a bunch of layers they don’t mean anything if you use our approach wanted you to know that first of all if you click in here and look to say the dependencies you can see here that can see that here’s my node front end and the java back-end I’m hosting in this container understand the application the run time and also understand the base os know everything about this container then can go in here and see what environment is there, but the other thing too should probably hop back for a second is what if build number 91 is terrible and say build number 81 or 80 was better right better system it seemed to operate better how long would it take you to address that well can go in here and do a quick diff and say hey you know what the no front end hasn’t changed in a long time but the java back-end has changed can show you any environmental system information hey did somebody leave the debug flag on nope nope doesn’t look like they did can show you all the Xray data.

Now I’m going to let this load now the thing is is that the one we’re looking at here is a terrible terrible container I’m have a goal of reaching 2 000 issues inside of this container so it’s taking a while to assess it and we’ll come back to that but let’s look at the security portion of this you know what level of information do you get well let’s go look at a popular item let’s look at something like fast right so in this case it’s a spring work item and let’s go take a peek at it right if were to go ahead and and let’s go back in and hit my space bar by accident um but let’s go ahead and take a look well first of all here’s the issue and this issue is actually pretty bad. 

Tt’s really funny, this is a terrible cbe somebody got lazy and did a cut and paste that’s all they did but want to show you is is that we actually see this as critical our security team said medium here’s the reason what if you have a thousand functions in a library and one is bad you you’re using not even the one that’s bad do you want to throw it out probably not well our research team sat back and said yeah you know what depending on how you actually do this it can impact you differently.

But we’ve actually supplied you with a ton of information and hey you actually just changed the way this thing is out that you know the object is actually mapped and you can fix it we actually also include things like remediation of information you can upgrade it you can patch it you can change your deployment and the funny part is we actually found this jar in a jar of a layer of an image of a build that’s how deep we went on top of that we also went in and we also provide reference materials on the patching and the advisory information we have all the license components inside of here see it’s multi-faceted can also go in here and show you the most the best view possible remember we talked about hey these are those obfuscated layers know nothing about them well told you we tear everything apart so can actually go look at these and even see the contents of these layers and if there’s any issues with the os in this case these are libraries in the os can even go ahead and view them if wanted to or could even assign a custom issue if wanted to overwrite the fact that maybe it’s a high assessment can also export this quickly for say violation of security ports for my security team or say your legal team is like hey we need to get all those license files. 

You could produce a license report we talked about s-bombs software build materials it’s a composition analysis of everything that’s used to build your software with us here you go export sbom spdx and cycle and dx formats both of them this is becoming a thing by the way initially implemented by the government as a regulation now believing into the private sector but we also have all these other things like issues that you can get all your jira issues you can actually do full dips to see if things are different like showed you before right has anything changed here you can see here’s the sdlc but here’s the thing now do this with anything else maybe the container has a bunch of vulnerabilities like it does but what if suddenly the node at front end you question it well let’s go ahead so I’m going from the docker image in this case this is root cause analysis ready here’s the actual tar gz I’m hosting in there.

All right, let’s go back to this one right that’s rgz I’m hosting in there have all the information on it like what is he using for potential you know any sort of dependencies here’s his permissions right here’s its own Xray information right could show you you know everything from security to licensing and whatnot but the biggest thing here is is that I’m skipping ahead of it because I’m running out of time but check this out well went from the docker image to the application here’s the build that produced it but how long would it take you to find out where has this been used well here’s every build that has ever used every docker image that’s ever used this note front end was able to address it like that but can go right from this build can go hop right from this one to the actual build that created it so could say here’s that targe that I’m hosting here’s those 482 transit dependencies hello house party right and can go in here and take a look and say oh maybe different from another build so have all that but here’s one for you too, what if you’re reading an article and suddenly you find out that under you know that babel uh core what you’re using right here is terrible it’s causing issues it’s leaking data don’t even know anymore well can go in here do a search for it and can say well you know what we’ve actually been used we’ve actually used it in all these builds how fast is that or what if suddenly oh let’s go in here what if suddenly go in here and say what about you know what read an article and want to find out read about the cve cbe 2021-44907.

Well, want to find out are we affected by it how long would that normally take it would take a while let’s do a search well no packages no builds no artifacts and bundles got an answer like that and went through all the binaries here so that none of them are actually part of that but the last thing want to show you before end this discussion is also to want to go in here and want to show you the latest thing that we have and think it’s super important and this is actually the idea here is that when we look at Xray data showed you violation showed you security but our new thing is here operational risk this is super super important this lets you know that the binaries that you’re using what is their life cycle like this binary have right here hasn’t been updated what since 2016. the current version is two you know two zero one the last version that was released was two zero four and there’s one commit this is something important and then have one last thing to talk about and will bid you ado and the last thing is is to how do also do this so that implemented something like github or gitlab or even bitbucket well just to let you know we also released the thing originally called frogbot frogbot is free you can go ahead and utilize it and what this does is this connects to your instances and every time you do a pull request say you go ahead and you add this in you actually added in using github actions or in gitlab there’s a way to do it and also bitbucket will be very soon but every time you do a pull request as a developer you can actually go ahead and Xray will go ahead and assess it so this shows you that you have a lot of options in terms of security, you have a lot of ways that you can use the platform a multitude of different vectors you can attack the same situation and figure out what works best for you. 

So saying that I am actually going to bid you adieu. 

Thank you so much for today. I hope you appreciate the information and go forth and protect your organization and protect the people that you have been safe and wonderful with!
Everyone cheers!!