Remove Silos and Speed up Security Responses with Microsoft Teams and JFrog

The criticality of quickly releasing software updates while keeping your applications safe has increased the need for new observability and collaborative incident response tools. How do you notify your development teams when something changes in your Artifactory environment, or when vulnerability or license compliance issues arise? JFrog and Microsoft Teams recently completed an integration that addresses just that.

Join us on June 29th as we demonstrate how to improve traceability with JFrog Artifactory and Xray notifications within Microsoft Teams. In the webinar, you’ll see how you can be informed when someone pushes a change to a repository, triggers a build promotion, or adds a new Docker image. If you have an app running in production, you’ll see how this integration sends a message to a Microsoft Teams channel and how team members collaborate to fix the issue together, much faster than when communication happens in silos.

With bi-directional communication through Microsoft Teams, we are confident you’ll walk away knowing:

How Microsoft Teams helps organizations of all sizes improve software development and delivery
How JFrog Artifactory and Xray modernize the toolchain for secure app development
How to manage security incidents in open source packages, and how new tools let your teams work together to respond to incidents in real time

Learn more here!

Video Transcript

Good morning, good afternoon, good evening everyone, depending on where you’re joining us from today. My name is Fanette Jobard and I will be your moderator for today’s webinar. Our webinar is going to be “Remove Silos and Speed up Security Responses with Microsoft Teams and JFrog”, and we are excited to demo and introduce you to the new JFrog and Microsoft Teams integration.

Before we start, just a few housekeeping items. This webinar is being recorded, so don’t worry if you miss anything; we will be sending the recording within 24 hours. If you have any questions regarding the webinar, please email us at webinars@jfrog.com. And also, as a reminder, please use the Q&A chat window at the bottom of your screen. We have experts on the call today and we are happy to answer all your questions, so don’t be shy.

I’m going to kick things off by introducing our speakers and agenda. Today’s webinar will be hosted by Mahitab, software engineer at JFrog, and Alexis Kinslin, global software architect at Microsoft. Mahitab and Alexis, I think the floor is yours.

Thank you very much.
So as you said, today the webinar will be about Microsoft Teams as a collaboration platform for DevOps, and how we integrate JFrog into the Microsoft Teams ecosystem for the same practice. My name is Alexis, I’m from Microsoft, I am a Modern Work solution architect, and I’m happy to be your host today.

So if we think about DevOps: I’m sure that if you come to this session today you are somehow familiar with what DevOps is, so let’s set the scene and just give a small recap on that. The definition of DevOps that we have is the union of people, processes and technologies. Said differently, DevOps has been tremendously deployed and used as a practice to accelerate the software development cycle. So with DevOps you accelerate the pace of the features that you deliver and the value you deliver into the product. But it’s also a way to be secure in terms of code quality: with the processes and the automation that you put in place, your code quality will be increased and the security of the solution will increase as well. And the third benefit of DevOps is really around the continuous cycle: you are not just designing and then building and then shipping, you do that in a continuous cycle, and so this improvement in quality and expertise and the feedback loop is much faster. So you learn rapidly, you fail fast and you learn fast.

But, when this is said, DevOps is always a matter of people, processes and collaboration, and this is what we want to dig into today. What we observe is that the DevOps cycle works well when the collaboration is well in place, when people can collaborate fluently; and bad collaboration also means less productivity, or at least you don’t get all the benefits that you could expect from DevOps.

And so the three things that we observe most of the time are that there are barriers or frictions in this cycle. The first of them is around silos, and why we have silos: just because we have people working on different tools and solutions, right? So the DevOps cycle is not only one activity, it’s a set of activities that will be done in sequence and in a loop, so you have to do that again and again and again. But if the tools and the solutions are not connected to each other, then you lose this collaboration effort and effect, and so the silo has an impact on the collaboration and the speed of the process, and so on the pace of the delivery. The fact that these processes and tools are disconnected creates this situation, and the impact of that will be non-optimal communication. And the other thing that you want to avoid as well: if you have different people accessing different tools, maybe because they are not used and familiar to the solution, or they don’t have the licenses for the solution, you will be in a culture where you have a kind of lack of transparency. What we observed is that the best collaboration happens when you do what we call “speak out loud”, which is: I want to tell everyone what’s happening; well, if you are not interested in what I’m saying, don’t listen to it, but at least by default you will have access to the information freely and publicly.

So how do we remove this disruption? Microsoft Teams is what we call the hub for collaboration. In Microsoft Teams you can chat synchronously or asynchronously, you can create meetings, you can share your screen, you can have interactive calls with your colleagues, and so you can collaborate. It’s really the platform where you can easily collaborate and share content. And as Teams is deployed at the scale of an organization, any employee within an organization, whether a developer, a DevOps engineer, a product manager, or even people from HR or other parts of the organization, will be able to use Microsoft Teams and collaborate together. So this is the first key aspect: Microsoft Teams is really an enabler for collaboration and communication. And the second part is that Microsoft Teams is also a platform, and when I say a platform, I mean that you can bring and integrate your solution into Microsoft Teams. So if you think in terms of all the tooling and processes that I mentioned earlier, you can bring these solutions into the context of Microsoft Teams and leverage Microsoft Teams for better collaboration, remove the barriers, remove the silos.

And when I mention Teams as a platform, we have a really broad ecosystem. Not only do we have 270 million monthly active users on the platform, which is really a massive adoption of the solution, but you also have more than a thousand applications available in the store, and some of them are really dedicated to the DevOps practice. So the most popular solutions that you may use today in your DevOps practice are already available out of the box, and also specifically designed to be integrated into Microsoft Teams. It’s not like a copy-paste of the solution into Teams, it’s really a nice integration into Microsoft Teams so that you only take what’s relevant and what is required to make sense. And not only can you use things that are out of the box, but you can also customize and build your own solutions.

So let’s have a look at how we map Teams as a collaboration tool onto the DevOps cycle. Here’s a quick recap of the different activities that you have as part of the DevOps cycle; we’re not going to go into the details, but you know these different activities. Usually people will be part of some of these activities but not all of them, right? So you may be interested in the planning phase or the testing phase or the monitoring phase, but maybe not all of them. But anyway, at the end of the day, if you are applying DevOps practices you will go through all these activities. So the question is how you organize and build this team, this collaboration, using solutions like Microsoft Teams.

Here is Microsoft Teams; this is what you get out of the box. Basically, in Microsoft Teams you organize people using the notion of a team. A group of people working on a project, a software or a feature, let’s say you are working on the next catalog for your e-commerce website: then you are working as a feature team, and as a team you need to collaborate. And so for this objective, to deliver this feature, you will organize and create a team with all the people that are part of this activity throughout the entire DevOps cycle. This notion of team is then split into different channels, and a channel will be the equivalent of an activity in the DevOps cycle. So my team will be organized into different activities, and out of the box I get directly from Microsoft Teams all the communication tools for collaboration: we’ll have the chats, I will have the meetings, I can create calls, I can create recurring meetings, I can share documents, and I can bring my applications into this environment. Everything is customized, so it’s not one-size-fits-all, it’s really your custom solution based on your own practice. You can adjust, customize and tailor the experience and bring the solution that makes sense for you, and if you don’t find the solution that you need, you can build your own.

And so if we click and zoom in a little bit: here is my team, this is the DevOps team for my e-commerce website, and then I organize the different steps of the DevOps cycle into channels. What is interesting is that once you are at a stage where you have automated, and you know how you want to build and develop software, you can automate the creation of this environment. Let’s say that team number one is working in a specific way and you want to replicate this design, maybe the naming convention, all the steps that are applicable in your organization; then you can automate that and make it repeatable. So you will say “create a team”, select the template, click OK, and then all the naming, all the channels are created automatically, and all the applications attached to these activities will be automatically deployed and activated in your environment. So here we see that if I am taking part in the architecture, I will maybe install, let’s say, Word or OneNote, because I want to take notes and I will share activities. If I am in charge of the CI/CD pipeline, I will bring applications relevant to this specific activity, so I need to bring information about my code repository, about my release pipeline; I want to know where my PR is and whether everything went well into production. So everything is customizable, everything can be templated, and you have all the flexibility to organize the tools as you need them.

So let’s now have an additional zoom-in on three specific processes or activities that are part of the DevOps cycle. The first one is the planning one. This one is really interesting and important because we are now more and more working in a hybrid world, and so basically people will work from the office or from home. To be able to manage this notion of location, what you create in Teams is what we call the space: a space is really where you will collaborate, and so it doesn’t matter where you are physically, what is important is where the collaboration happens. Think about your daily sprint: let’s say that it’s Thursday morning, 9:00 a.m., and then you have your daily scrum meeting. What you do here is that I see that in the General channel there is a meeting that is ongoing, so the meeting has started, I see that, and you can now connect and access the meeting, you will turn on your video camera, you will say hello to everyone and you will take part in the discussion. So this communication part is really useful and it’s required to coordinate the activity and make sure that everyone is aligned. And the good thing is that if you miss the call, or if you are in a different time zone and you cannot attend the meeting, then you will be able to get the transcript, the video recording, you know who participated, and if there has been some chat and discussion happening during the meeting, you can either listen to the recording or you can read all the messages shared during the meeting, and then you can also share your own ideas, you can reply, you can comment. So even if you are not there, you can still be part of the discussion and know what has been said.

Taking the example of the daily meeting: I said that you can organize this step, which is my daily scrum meeting or my weekly sprint review, and as part of this activity I will share information. One piece of information I’d like to share will typically be the list of features, and I want to update where I am on each feature, where the team is in the feature delivery. So here what you see on the screen is the Azure DevOps board that is brought directly into Microsoft Teams. As I have the discussion with the rest of my team, everyone is still sitting in Microsoft Teams and I don’t have to jump into another external solution; I will directly share my screen, or everyone can even access the same dashboard within Microsoft Teams. So if you think about “oh yeah, please access this URL” or “please connect to this tool to get access to the information”, this question does not happen anymore because everything is centralized and has been configured. So the onboarding of new members of the team is really facilitated, how you discover and get access to the information is really facilitated, and as a consequence the collaboration that comes out of that is also increased.

A second example here will be the release pipeline. In that situation the scenario is a bit different. As part of my release pipeline I want to be notified of what’s happening, so I want to know if there is something blocked. Let’s say that as part of my release pipeline there is a gate, and the gate requires that, I don’t know, one, two or three people review the status, so there is a manual approval of the release pipeline. What will happen in that situation is that I can be notified in Microsoft Teams: “hey, I need your attention here, can you please review this activity and validate, because we need you to validate the release to the next step”. Another interesting thing that is happening here is that all the security events sent by JFrog are now available in a channel. It’s interesting because maybe there are people that will be interested in this information but may not have access to the default platform. So now you open it up, and this is the notion of “speak out loud”: people that have access to Teams but may not have access to JFrog can still have access to the information, and they can even react, collaborate, reply to the message, @mention other people so that they can be aware and informed about what’s happening. So basically we enable and enhance the collaboration that can happen on this process, and then once the discussions happen in Teams, you can feed this information back into JFrog directly from the Teams platform. So it’s a bi-directional communication where things are notified to Teams, the collaboration happens with an extended crew, and then when the discussion is over you can push the information back into JFrog, in this example. So again, here we connect multiple tools into Microsoft Teams, the collaboration happens here, we enrich the information and we push it back into the original system.

The last use case I wanted to share with you is around incident management. This one is very interesting because incident management is a tricky situation: basically you never know when an incident will happen, this is just the nature of an incident, you don’t know when this will happen, and you want to be able to react fast. When I say you want to react fast, you want to take action, so you have to find the right people to resolve the issue. And in most cases you want two things. One is to make sure that the people that are managing the resolution will be in a kind of safe bubble, so you don’t want to disturb them because they are concentrated on solving the problem; but at the same time there are people that want to know where we are, so you need to communicate. And so there is this balance between the two. Again, here I am in a meeting: there has been an incident, the team is connected on Microsoft Teams, and before that they received a chat in a team, they may have received an email as well, and they received an SMS. So basically something happened and everyone will be joining a call, because to react fast you need to collaborate and you need to have a meeting, either in person or remote via this type of video call. And you see that as part of the meeting I do have an application embedded; in that case it’s PagerDuty, so it’s an incident management tool. So all the participants have the information that they need to discuss and know what they are talking about, and all the information, the decisions, the notes that will be taken during the meeting are directly inserted both in the incident management system and also in Microsoft Teams. So the good thing is that the team will have the meeting, they have all the information they need directly plugged into the incident management system of the company, and the outcome and the decisions taken can then be shared with a broader audience, so that there is no loss of information and there is no waste of time. You have people that can concentrate on the resolution, and the communication is facilitated because basically you only have to have access to this environment to have access to the latest information on what’s happening and where the team is in the resolution.

So again, this is really how Microsoft Teams helps in the collaboration, facilitates the DevOps process, and how we remove all these barriers to make the process more efficient. I will now hand over to Mahitab to give you more information on how JFrog is integrating with Microsoft Teams.
Hi everyone, I’m Mahitab and I’m excited to be here today. I’m a software engineer with the partner engineering team at JFrog.

So what is JFrog? JFrog is a DevOps company that helps you make software updates quickly. We have a full platform suite of tools that help you store and manage artifacts, build binaries, QA dependencies, scan components for security issues, and release your software quickly.

At JFrog we believe that in a world where software is part of everything we do, keeping the software up to date with speed and efficiency is the only way to progress in DevOps. This may also mean that you change the way you manage your software releases. In the olden days, applications were built as big monoliths, which made it slow to update them, and the build times and deployments were cumbersome. Teams now build microservices that allow you to merge code in more incremental ways through CI/CD, sometimes multiple times a day, making small incremental changes. So when vulnerabilities go public the race is on, which means that you need to fix the vulnerable open source in your applications before it can be exploited. Xray helps you win that race by giving you a complete view of the open source that you’re using and the earliest notification of new vulnerabilities that are reported, enabling you to find a fix for these vulnerabilities very fast.

The products that we will be discussing today are JFrog Artifactory and JFrog Xray, and how Microsoft Teams helps in collaboration between development and operations. JFrog Artifactory is a place to store large binary files and components and manage different versions of your software releases, and Xray is our security and license compliance tool.

Artifactory, our universal binary repository manager, is what stores all of your code. Where Artifactory really shines is in being able to store all your large binaries, the artifacts, the files associated with those binaries, and the dependencies that may need to be pulled in from remote repositories. Artifactory supports more than 27 different package types, including repositories for Docker images, Go modules, npm and more, and what makes Artifactory stand out is the number of package types and technologies that we support, making us the most universal binary repository manager in the world. So when a team has a bunch of different programming languages that make up a piece of software, or they need the same app to work in different environments, Artifactory can be used to manage all of this complexity in a seamless way, with a big focus on providing you metadata that can help you get clarity into everything that is happening with your applications.

JFrog Xray is meant to do software composition scanning of all the artifacts in each repository and your builds. With Xray you can be notified when new vulnerabilities are found or if a license issue comes up. JFrog Xray’s main type of analysis is called software composition analysis: this means that it takes a look at your binaries and does a recursive scan of all the artifacts and the dependencies associated with them, so it looks through each and every individual file and component, each build step, down to the container layer, and then once it finishes the scan of each component it even enriches your repositories and artifacts with the security metadata. You’ll see the kind of information Xray provides during the demo.

Why would you use Xray instead of another security tool? The main reason is that it is deeply integrated with Artifactory and provides you a single-pane-of-glass view of everything that is happening in your binaries and files. Xray uses the most timely and comprehensive vulnerability intelligence databases, including VulnDB, coupled with other sources of information, and Xray can also be used to mitigate false positives and resolve security and compliance issues as quickly as possible with remediation information. So the scanning of open source binaries, repositories, builds and containers for security vulnerabilities and license compliance issues is made easy with Xray. Xray also helps to compare binaries against a large database, both internal vulnerability data and public databases. It also provides a contextual analysis of vulnerabilities to determine if they can be exploited or not, to minimize false positives, and it also enables granular automation of manual security tasks and checks. It creates a detailed impact path, or analysis, of any vulnerabilities that are found, and it is also very easy to integrate with customer DevOps ecosystems.

For this integration with Microsoft Teams, what we have done is that we can create notifications that appear in your channels as an interactive card with metadata around the vulnerability, including the severity level, the description, the file information, etc. You can also take actions on some of these, including choosing to ignore a certain violation if you or your team think it is not severe or relevant enough.

So let’s get familiar with today’s use case of how you might use JFrog Xray and Microsoft Teams in a real-world scenario to manage security incidents. In our scenario we’ll be discussing a famous gaming platform network startup. Spartak is the gaming company that we’ll be discussing today, and it is using hundreds of open source libraries, so we cannot be exactly sure that all the open source libraries are safe and up to date. The problem that is right in front of us is the fact that around 80% of software packages being used today are open source, and every time a package is pulled in you have to make sure that the specific version doesn’t have any vulnerabilities. However, a package that was marked safe at the beginning of the deployment can be found vulnerable later and not be patched yet; this is called a zero-day vulnerability.

Spartak’s software component Frostbite is already deployed, and it looks like it has a vulnerability that was just reported. This vulnerability is in a dependency that the team used to build multiple games, and if it is exploited, this vulnerability would allow the hacker to crash all the games that depend on Frostbite with a denial of service attack, and then it’s just game over for Spartak. This could end up being a disaster, so time is a huge factor right now. Luckily Spartak is using JFrog Xray, and the minute this vulnerability was reported to the National Vulnerability Database, Xray made an association between the components inside Spartak’s Artifactory repositories and provided CVE details around this issue.

So the next step that we’ll be taking is to alert the right team members. Spartak needs to alert the developers and other teams that are in charge of the mitigation and remediation of the issue. They need to get the right development teams involved to apply the fix and push the changes through the staging, QA and production stages so that the fixed application can be re-released. This is where the star of the show comes in: the integration between JFrog Xray and Microsoft Teams. Since there are many teams involved in managing a complex piece of software, providing information in Teams channels lets us break down the silos and discuss each issue in real time. Spartak is using JFrog Xray and already has notifications set up in their Microsoft Teams channels.

So let’s see how this plays out. In this demo you’re going to see our Microsoft Teams integration make each member aware of the issue and let them stay up to date when a fix has been applied and a new artifact is uploaded, so it lets teams collaborate on where they are in releasing the software as well. The team members in this use case are the Chief Information Security Officer, a DevSecOps engineer, a software engineer that worked on the application, and the JFrog administrator who is in charge of the operations and development within the dev team. So now let’s see how MS Teams plays a big part in Spartak’s software development life cycle.

The first step is that inside the JFrog Platform, Xray finds a new vulnerability. This information is sent via a webhook to the Microsoft Teams channel, and it includes the summary of the issue. It is clear from the violation that it is a high severity incident. The actionable card also has rich information about the CVE, the impacted artifact, its path and the vulnerable components; this makes it easier to identify and track the issue.

So Deep informs the security engineer of the issue, who then texts the Chief Information Security Officer, and she asks Deep to make sure that all the development teams are informed as well. Xray has reports that can be generated that provide a detailed view of all the issues around a certain repository or within a specific time period, so Deep makes sure to generate a report for the CISO’s office, and a report is generated inside the JFrog Platform. In the meanwhile, Carl, our security engineer, has investigated the issue and actually found that someone has made a fix and created a new version of the package that the team was using. It turns out that the next version, which is 1.15.1 of this package, has been fixed for the vulnerability. The team involves the software engineers and asks them to pull in the new package version, which is 1.15.1. The development team pulls in the new package and they upload the binary that has a safe version of the package included; they deploy this to their staging server and then get ready to push this through their build pipeline to production. There is a notification in the Microsoft Teams Xray channel showing that this new binary has been uploaded.

While this is going on, our DevSecOps engineer Carl rescans the uploaded artifact and confirms that there are no vulnerabilities in this version of the app. The build pipeline is then kicked off as the app goes from staging to test, then the QA stages, and then finally to production, where it gets ready to be deployed. The software engineer then informs the team that the build has been promoted successfully, and the DevSecOps engineer confirms that Xray is still monitoring the repositories that are part of the build and there have been no issues found so far. Then I let everyone know that the app is now live, and Carl will make sure that they are aware that the new app has been scanned and is vulnerability free, and of course Kathleen from our CISO’s office is happy, and that’s a success.

As you can see, the JFrog integration with Microsoft Teams allows team members to work much faster than they would be able to if all this information was only in the JFrog Platform. Most team members at your company may not be able to log into JFrog, but many of them will be using Microsoft Teams, and it’s the real-time information and the ability to communicate collectively in channels that allowed Spartak to remediate this issue quickly. This process is going to allow companies to innovate faster while still keeping the applications that they release safe, which is our motto.

One last thing I want to leave with you is that our Microsoft Teams integration also has a summary card view of your vulnerabilities and license issues. We found that some third-party packages can come with dozens or hundreds of CVE issues, and when you create your notification the default is our summary view, which gives you a summary of all the high, medium and low vulnerabilities in aggregate. You can get this app by going to the app area in Microsoft Teams and searching for JFrog. And if you’re new to JFrog, we have a free version of our JFrog software that includes Xray security scanning as well; you can get it at the following link, and you can start creating security notifications in your Microsoft Teams right away.
Any questions? Thank you, Mahitab and Alexis. I think we have some time for questions, and we already have a couple of questions online. The first question was: can more than one JPD be connected to one account?

Yes, that is possible; we support the multi-tenant architecture.

All right, we have another question: does Xray provide live monitoring into my app, and how does it work?

Yes, Xray does provide live monitoring. So whenever the app that you’re planning to deploy has all its artifacts in a specific repository, and you have created a policy and a rule that is associated to a specific watch, the watch scans for all the vulnerabilities or license compliance issues that are present in that specific repository, and any time a new vulnerability pops up it automatically sends it to Microsoft Teams and the respective team members get notified.
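The watch, policy and rule mechanism described in this answer, and the aggregate summary card and per-violation "ignore" action mentioned at the end of the demo, are the mechanics behind the notifications. The following is an added toy model in Python that is not JFrog's code, webhook format or API: it shows how a watch over a set of repositories evaluates scan findings against its rules, how the default high/medium/low summary card and the detailed card are assembled, and how ignoring a violation from a card suppresses it on the next evaluation. All repository names, artifact paths, component names and CVE ids in it are constructed placeholders.

```python
"""Toy model (not JFrog code) of the Xray watch -> policy rule -> Teams card flow.
All findings, paths and CVE ids below are constructed placeholders."""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One scan result for one component inside one artifact (constructed)."""
    artifact_path: str      # "<repository>/<path inside the repository>"
    component: str
    cve: str = ""           # empty for a pure license finding
    severity: str = "Low"
    license: str = ""


@dataclass
class Rule:
    """A policy rule: minimum security severity and/or banned licenses."""
    min_severity: str = "High"
    banned_licenses: frozenset = frozenset()


@dataclass
class Watch:
    """A watch ties repositories to rules; 'ignored' records card ignore actions."""
    name: str
    repositories: frozenset
    rules: list
    ignored: set = field(default_factory=set)   # {(cve, artifact_path)}


def repository_of(artifact_path: str) -> str:
    return artifact_path.split("/", 1)[0]


def evaluate(watch: Watch, findings) -> list:
    """Findings that violate the watch: in a watched repository, matching at
    least one rule, and not ignored from a card. Order of findings is kept."""
    violations = []
    for f in findings:
        if repository_of(f.artifact_path) not in watch.repositories:
            continue
        if (f.cve, f.artifact_path) in watch.ignored:
            continue
        for rule in watch.rules:
            security_hit = bool(f.cve) and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[rule.min_severity]
            license_hit = bool(f.license) and f.license in rule.banned_licenses
            if security_hit or license_hit:
                violations.append(f)
                break
    return violations


def summary_card(watch: Watch, violations) -> dict:
    """The default aggregate view: high/medium/low counts plus license issues."""
    counts = Counter(v.severity for v in violations if v.cve)
    return {
        "title": f"Xray watch '{watch.name}': {len(violations)} violation(s)",
        "high": counts["High"], "medium": counts["Medium"], "low": counts["Low"],
        "license_issues": sum(1 for v in violations if not v.cve),
    }


def detail_card(v: Finding) -> dict:
    """The per-violation actionable card: severity, CVE, artifact path, component."""
    return {
        "severity": v.severity if v.cve else "License",
        "cve": v.cve or None,
        "artifact_path": v.artifact_path,
        "component": v.component,
        "license": v.license or None,
        "actions": ["Ignore violation"],
    }


def ignore_violation(watch: Watch, card: dict) -> None:
    """Model the card's 'Ignore violation' button: suppress that CVE on that artifact."""
    watch.ignored.add((card["cve"] or "", card["artifact_path"]))


# Constructed sample scan results; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = (
    Finding("npm-local/frostbite/1.15.0/frostbite-1.15.0.tgz", "npm://frostbite:1.15.0",
            cve="CVE-XXXX-PLACEHOLDER-1", severity="High"),
    Finding("npm-local/frostbite/1.15.0/frostbite-1.15.0.tgz", "npm://tiny-util:2.0.0",
            cve="CVE-XXXX-PLACEHOLDER-2", severity="Low"),        # below the rule threshold
    Finding("docker-local/games/lobby/3.1/manifest.json", "deb://libexample:1.2",
            cve="CVE-XXXX-PLACEHOLDER-3", severity="Medium"),
    Finding("npm-local/frostbite/1.15.0/frostbite-1.15.0.tgz", "npm://copyleft-lib:1.0",
            license="GPL-3.0"),                                     # license violation
    Finding("generic-local/tools/installer.exe", "generic://installer:9",
            cve="CVE-XXXX-PLACEHOLDER-4", severity="High"),        # repository not watched
)

SPARTAK_WATCH = Watch("spartak-prod", frozenset({"npm-local", "docker-local"}),
                      [Rule(min_severity="Medium", banned_licenses=frozenset({"GPL-3.0"}))])


def run_demo():
    """Evaluate, render the summary, ignore the first card, re-evaluate."""
    watch = Watch(SPARTAK_WATCH.name, SPARTAK_WATCH.repositories, SPARTAK_WATCH.rules)
    before = evaluate(watch, SAMPLE_FINDINGS)
    first = summary_card(watch, before)
    ignore_violation(watch, detail_card(before[0]))
    after = summary_card(watch, evaluate(watch, SAMPLE_FINDINGS))
    return first, after


if __name__ == "__main__":
    for card in run_demo():
        print(card)
```

Running the block prints the summary card before and after the High finding on the Frostbite artifact is ignored from its card: the Low finding never reaches the channel because the rule's threshold is Medium, the High finding in the unwatched repository is never evaluated at all, and the license finding is reported separately from the severity counts, which is the split the summary view shows.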
Thanks. I think that was all on the questions, unless we have additional questions, and we are also coming up on time. If you have any additional questions, please feel free to email us at webinars@jfrog.com; usually it goes right away to my inbox and we’ll be able to answer the question on a one-to-one basis. We will soon be sending the recording. Thank you, Mahitab and Alexis, and thank you for joining the webinar today; we are looking forward to seeing you online. Have a great day.
