Shifting Left for DevSecOps Success

What exactly does “shift left” security mean? More importantly, how does this strategy affect a developer’s workflow?

In this workshop we will walk attendees through the steps of setting up an end-to-end DevSecOps solution to automate your build artifact storage, vulnerability detection, testing, and deployment. Lastly, registrants will learn how to take advantage of JFrog’s IDE integration and JFrog Xray to increase your confidence in the security of your application, all within a freely available DevSecOps environment!

Workshop Objectives:

  • What does shift left mean for DevSecOps? Empower and inform as early as possible
  • Walk through developer and security team workflows
  • Identify how to uncover vulnerabilities across your software supply chain
  • Automate, then monitor your security policies
  • Overview of security challenges and the preemptive steps you can take now
  • Demo of Pro X


Host: Hi and welcome to our Shifting Left for DevSecOps Success Workshop! We’re excited to have you here. Our solutions engineering manager William Manning will be hosting us today. Feel free to ask any questions in the Q&A section at the bottom and he’ll be able to answer them live.

Bill Manning: Hello! I’m the solution engineering manager for the Americas. I’m going to go through and do a quick presentation, and then we’ll go through the demonstration. At any point, if you guys have any questions, we can always address them, or we can leave them until the end. Also, I encourage you to place them into the Q&A tab. You can go ahead and put in any sort of questions you might have and I’ll do my best to answer them as part of this. Today we’re talking about shift left, so I have some informative stuff we’re going to talk about first: why it’s important and why it matters to your organization. We’re going to talk about the modern day, the things that are going on in terms of supply chain, because this is really what it comes down to, its essentials; this is really a discussion about supply chain attacks and how they can affect your organization. Because let’s face it, nobody wants to have a company, or be part of a company, that’s a headline, right: “X company accidentally released X number of customer records” based on some sort of vulnerability that was introduced in their software. So today what we’re going to do is we’re actually going to start off with what is shift left and DevSecOps, what does it really mean. And then, why does it matter to you as software developers or as a development organization that produces software. We’re also going to talk about how you secure your software supply chain, so not only am I going to talk about the shift left ideals, I’m also going to talk about better security in total, about how you can utilize this to manage all the things you use and the things you produce, and I’ll get into details on that. We are going to go over Artifactory and Xray, and one of the things we’re going to talk about towards the end... but I’m also going to do a demonstration live, so that’ll be fun, that’ll be interesting, because you know demos are always chancy.
You know, with actually doing everything live, but we’re going to do that here. We’re also talking about repository best practices, because this does influence the way you actually utilize Artifactory and Xray and our JFrog platform in general. We’re also going to talk about policies and watches in Xray and how you evaluate the binaries that you’re utilizing. We’re also going to talk about what Artifactory and Xray are, just in case. We’re talking about IDE plugins, and the IDE plugins that are available for IntelliJ, Eclipse, Visual Studio and VS Code; for VS Code users, I’ll be using VS Code as my example today. We’re also talking about the JFrog CLI; it’s a very important tool, and how you can utilize that as part of what you do to make everything that you do better. And then lastly we’ll talk a little bit about GitOps, right, the idea of automation. Because in some cases there are a lot of companies where the security, yes, you want to have it at the front level where it matters most, which is what shift left is, but also how you can integrate it into your automated build process if your organization is more of a GitOps style, so I’ll show some examples around that. And then lastly I’ll just give you a quick conclusion recap, and like I said, I want to make sure that everybody understands all the pieces that we’re utilizing. So first of all, our platform is end to end. This is just a quick overview in case you’re new to what we are, who we are, what we do: we are a company that has over 6600 customers, 70 plus percent of the Fortune 100. We went public last year, actually back in 2020, so we went public.
You know, we are actually governance board members in the cognitive foundation, we are also a CNA, so if you’re an infosec person, you know that we are one of the companies out there that can produce vulnerability data, so we are very steeped in this, and we have a massive research team in our Israeli office that goes through and does this on a regular basis, and I’ll show you some examples of what they produce. I’m very proud of what they’ve done and I think it’s really truly amazing. But when we look at our products, if you look at this actual comparison here, the chart of what we do as a platform from end to end, it’s from developer to device, code to cloud; I work with the US military and a bunch of agencies, and for them it’s from compile to combat. Whatever you want to say for your DevSecOps needs, and, by the way, I don’t use the term DevOps anymore; I use the term DevSecOps, because I think that security is not just an add-on, it’s actually part of the process and part of the mentality that every organization should have when they attack any of these potential issues. So when we have this and you look at our platform, you’ll see that in DevSecOps we have artifacts that go left to right. Artifactory is our universal binary repository manager; it supports over 30 package types natively out of the box. It’s a way to maintain and manage all those third party transitive dependencies you use to build your software, and also the software you produce. Next to that we have Xray, our security, compliance and vulnerability scanning product; we will be discussing those two products for the majority here, but it goes beyond that, because we also have our distribution platform. We have our distribution hub, and then we have our edge nodes; edge nodes are basically immutable versions of Artifactory, they’re meant for deployment purposes, and you can install them.
In your data center, your cloud providers, whatever, because, by the way, just so you’re aware, I gave a talk on this a couple of weeks ago, but we are hybrid cloud agnostic, we are multi-cloud, you name it, we work to work with you, right, so you can design our system to work however you work best. Below that we have our Pipelines product, which is our CI/CD and CI orchestration tool. It’s actually built on Kubernetes, so it’s built for scale; it actually uses YAML as its code base, so it’s also something you could check in and check out of your code repository like you do. It also does not use plugins; it uses integrations, so you can use full API access from these other integration sites, like Jenkins servers, Bitbucket, Kubernetes clusters, or whatever. And then, on top of that, it’s customizable; you can actually extend it, so you can write your own custom steps that can be reusable. Then you can templatize everything: for all your developers, if you want to have a standard build process, you simply have to evaluate the YAML file, they put that in, and you can have a standardized build process. It also provides you with a blockchain-style ledger for everything you’ve done, for additional security, and also allows you to do things like approval processes. One of the things we’ll talk about today is promotion and how you can promote binaries; it’s just kind of a rudimentary best practice.
But a way that you can also add accountability is by having things like acceptance, where you accept something to say, I want to promote from, say, development to QA, and on top of that, things like blue/green testing. And at the very top of the stack here we have Mission Control. Mission Control is a way to get an overview of how the system is acting holistically: how Artifactory is functioning, how it’s been replicating between sites, because we actually have one of the most top-notch replication setups across locations, if you are a massive global entity. I have customers using single instances, all the way up to customers using 38-node clusters around the globe, to provide the maximum amount; we have customers putting petabytes of data every day through our solution. And then we have Insight, which is a way to be connected to things like Splunk or Datadog or anything like that, where you can actually get information around how you’re doing in terms of velocity and operationally, but also in terms of security and vulnerability, and I’ll show you some of that towards the end. If you’re a large organization, you want to get a handle on: are we addressing the security issues that we have, and how are we doing over time? I’ll show you ways to extract that data through a tool like Splunk. Now, saying that, one of the things that we’re going to talk about today is what is shift left, right, and shift left is a very essential thing; the idea of shift left is very simple. When you look at an end-to-end DevSecOps process like I have here, and in this case I’m utilizing Artifactory, actually the JFrog platform from end to end, from developer to device or code to cloud, like I said before, whatever you say internally for the things that you do. The thing that we’re going to be talking about today is this little area over here, right, where I’m the developer, and this is really what shift left is.
If you want the maximum ROI from any security product in terms of development, it always starts at the developer; that’s the thing of shift left, because if you were to look at this from left to right, the right is your delivery and the left side is actually your development. This is why it’s called shift left; I mean, it’s kind of apparent, right. Now, why does this matter? Well, in today’s day and age, the biggest thing is the leading cause of a lot of loss, where a lot of companies, we’re talking $1.556 trillion dollars in lost productivity and stuff, is actually poor software. And not only poor software quality in terms of does it function the way it’s supposed to, but also the things that fuel the software you produce that are poor quality. And the thing is, though, 75% of this is actually caused by known vulnerabilities. This is something that is known in your software; that’s up 22% since 2018. That’s insane when you think about it, because poor quality software is not just, like I said, the code where somebody did a function and there’s a memory leak of some sort that’s not being caught, or maybe the query times; that’s not what I’m talking about. I’m talking about, in this case, that a lot of these things here are because your software depends on other people’s software, and we’ll talk about that in detail soon. But the thing is, a lot of software failures are due to poor quality resources that you’re utilizing to do your jobs best as an organization. And the thing is, a lot of projects are thrown to the side based on things that really have no influence on what you’re doing, in some cases because of these third party things in the outside world, right, and that’s the thing, when you look at it.
You want to address these issues shift left, right where they matter most, where the ROI is greatest, because here’s the thing: it’s 10 times more expensive to fix the issue when it’s gotten further down your SDLC. Yes, I see that there’s actually a question here about examples of how to integrate with GitLab CI. Yes, of course we do, and I will actually type in the answer to you in a minute, and I will actually show that; actually, I’ll just do it right now. We actually have right here Artifactory GitLab CI, and I’ll just go in here; this is a little older, but it’s still very applicable. It still has links to all the sites, and I will actually type an answer to you right now and put it in there, and there you go. So, when you’re going ahead, the thing is that we’re going to address this right here. This is where the cost is, where you want the return on this, and you want to make yourself have greater velocity with the same level of security and safety that you want to provide your customers. This is where we’re going to begin, because the front line is the front line; you guys are the troops on the ground that will make sure that your defenses are strong. So, saying that, how do you secure your software supply chain? You hear this talk all the time. I mean, last May the US government finally got around to addressing this issue by actually creating a mandate about how to enhance cybersecurity across the board, and in section four, yes, I did read it. Yes, it was exciting; you can tell by my face, right. But the thing is, there was a section, section four, where you need to attribute how the software is being put together. This is the concept, and you’ve probably read it, you’ve heard about it, it’s everywhere; by the way, it’s in process in the United States right now as being law.
You know, we look at the software supply chain, right, and you think about this: protecting that is essential, and this is what we’re going to talk about next, because you read these headlines all the time. This is nothing new, and one of the things you hear about too is the software bill of materials, and we’ll touch upon that today; I want you to understand what that means. But you see all these headlines, a supply chain attack... The thing is, we as developers... I come from, and you can see from my gray hair, I’ve actually been doing this for a long time, over 20, almost 25 years; wow, here we go, I’m dating myself, like 25 years. The thing here is that when you look at this, you see these all the time. As developers, we have this inherent blind trust, right: I need to get my job done, I need to find a function that will concatenate a string and pull out a value that I need, that I’m going to place through my code somewhere. I don’t want to write it; I’m going to look for libraries. I find a library that works, I try it out, it works, and I move on, right? I check it off my list; I get my Jira ticket, I go, hey, I implemented a feature, I’m good; or I look at my function, this is what I do, and, by the way, I’m done and I move on; that’s it. But we’re going to talk about what that really, really means when you do that, and the actual inherent dangers you’re bringing to your organization. Because last year alone there was a 650% increase in supply chain attacks, right, and this is why we’re here; this is what we’re here to address. And when I talk about supply chain attacks, you know there are big ones that have been represented over time, right, and the biggest one that kind of lit a fire under everybody’s butts, including the US government, the EU and a majority of the APAC countries, of course, was SolarWinds.
You know what, this is not new; this has been going on for a long time, but the thing is, 18,000 customers were directly affected by this. This is a multi-billion dollar remediation, and the best part is, this was a fourth-level transitive, indirect dependency attack. In other words, once again, let’s talk about the blind faith and trust. That means that if I brought in the library, it brings in its friends, and its friends’ friends; if you work with npm or something like that, you know that’s trouble, and we’ll talk about that. But the thing is, SolarWinds really lit a fire under everybody, right. It was really the kind of thing that was the catalyst, because, my God, the Department of Defense, Homeland Security, the Federal Reserve Bank, all these institutions were affected by this, and this really caused it. But there are ones recently: look at Log4j. Oh my God, one of the most used libraries by everybody out there suddenly becomes the bane of everybody’s existence; there’s firing everywhere, everybody’s running around trying to figure things out, and we’ll talk about that. If you were a customer of ours, you’d be able to have that remediation, that root cause analysis report you have to put together: are we affected? Some CIO somewhere, some CSO, says, hey, I read this article about Log4j, we need to know by this afternoon, have we been using it. I had a guy recently who had to do that, and he said, normally, he told us, we would start to sweat and panic, and it would usually take us anywhere from days to weeks to pull together the report for upper management; we were able to pull it together in minutes and hours. That to me... he thanked me, and I was like, this is awesome, this is what we do, and this is what it’s about.
So, knowing that, why are software supply chain attacks so prevalent? Why did this suddenly become a thing? It hasn’t; it’s always been there. It’s just that I think, just like the Joker, I think COVID made it easier, because a lot of people at home had a lot of time on their hands. Anyway, software supply chain attacks are simple, low effort; it doesn’t take a lot to do what you need to do. You don’t need a lot of skill either; a lot of these are not exactly... well, I will say SolarWinds was pretty sophisticated; if you’re not familiar with it, look it up. The second kind of explanation behind it is a fourth-level transitive dependency that was used for another transitive dependency, and up the chain, right, because it’s multi-layer. But what it did is that when it was adjusted, as soon as it was activated as part of another dependency, as part of the software itself, it set off a timer and said, hey, from this moment, 14 days from now, I’m going to start. It was a timed defect, and when it started, that’s when it said, oh, now I’m going to go look for all your ports, I’m going to start opening things, right. I mean, that was pretty sophisticated; that was pretty cool, actually; I’m going to give props to whoever did that, that was a nasty one. But the biggest thing, too, is it’s super easy to spread at high speed. Here’s the thing: it’s a transitive dependency, and think about it. I download a file, I know a dependency I need, and, like I said, that dependency depends on other dependencies that depend on other dependencies, blah blah blah; somewhere in there I’ve actually gone ahead and put in something. And that thing that I put in may be a transitive dependency as part of the community, because it’s super easy to become part of the community.
It’s in there now, and now anybody who downloads, four levels up, downloads this library gets my package, and, like, let’s just call it my gift to the world as part of it. But the thing is, if you’re the company supplier, or your software supplier to a company, and they’re affected by your software containing this, you have now abused the trust relationship with that company. But lastly, blending into the community is incredible, because the thing is, we’re a community; if you’re a software developer... I’m an open source contributor myself, I have been for decades. The thing is, I like being part of the community, I like giving my bit, but there are people out there who will add things like back doors or malicious code; that’s what happened with SolarWinds. So what we’re talking about today is software attacks, but on something you use: the blind trust, the thing that you were taught from when you started your CS stuff, or when you started working in computer science, or when you started working for a company, is that you’ve always had this mentality that there’s a repository out there in the world of libraries that do functions that make my job easier. Right, that’s the thing we need to discuss, and we need to still keep that same naive trust that we have, but also do it in a smart way, doing it with a set of tools and resources that allows us to operate and still do our jobs, but still ensure safety and security, and not have your company be the headline, and not be the guy in the company that caused it, or woman, or whoever; I know I should probably say that. Anyway, how do they attack? Well, here we go: I’m a developer, I’ve been given a project, you need to go out and build some code, yay, I don’t even care what it is. All I know is that when I start building it, I break down my problem statement; I say, this is what I’m going to build; I put together a list of...
Like in npm, package.json, and in Maven it’ll be part of my pom; with Docker, I use the base-level Docker image, and then some: I pull in a bunch, like, say, a Debian Docker image, I bring in a bunch of apt packages to do what I need to do, shove my application in there, and it runs. Whatever you’re building depends on others, and this is that blind trust. So suddenly I put together the list of resources I need to do my code. Well, when I compile all my code, it’s all hunky dory, but what happens if suddenly I brought in something nefarious, some library that I’ve been using for a while, or suddenly I bring in a new library, and it contains something nasty in it, I don’t know, an RPC call or whatever, or it allows SQL injections, or what, I don’t care. Whatever it is, if this is bad, suddenly it’s in my code, and if I deliver it to somebody or I install it in my production environment or whatever, that’s terrible; that’s a terrible thing. I just actually took my stuff, gave it to somebody, and now I’ve jeopardized that company, my company, or I’ve also jeopardized another company, or my user base. So, saying that, that’s just the front line; that’s if I’m a first-level transitive dependency; this is something I directly... right, that’s a direct-level dependency; I actually implicitly stated that this is the one that I need to use. That’s not the way the world works, though. That still is, yes, I asked, I implicitly stated it. But if I pull that in, that resource also depends on other resources, because that developer did the same thing I did: I need a bunch of third party transitive dependencies to make my job easier, to make something to give to somebody else. Then that brings in all its friends, and the thing is, now, what if one of those actually has a transitive dependency in it that actually has some potential threat? Well, now that’s influenced the other one, and we’re back to where we began before.
I see there’s a question here, so before I go to my next slide I’ll go through those: “I tried to figure out on my own how to identify Log4j with our Xray results; it was a painful process. Where are some published guides that I missed?” We’re going to go through that today, actually; it’s kind of like what we’re discussing here today. So the thing is, once you’ve identified it, right, identified that you’re using it, or like a software bill of materials, or in Artifactory you can also use our build information. If you do find the dependency that has this, and I’m going to show you how to do this today, and I think this is actually part of what you’re asking, I can say these are the builds that we have that were affected by this potential threat, and this is what we’re going to go through and talk about today as part of shift left. Because let’s be honest, shift left is just, like I said, the front line, but it extends way beyond this, all the way to your production. Whether you like to admit it or not, when you throw your software over the fence into the next phase of your software development lifecycle, maybe QA, PR, staging, production, you’re really technically not done with it; it’s still going to come back to you, and we’re going to talk about that. So remember, 85 to 90% of your code base is someone else’s; that’s a number to think about, right. This is what we manage with Artifactory and how we evaluate it with Xray. Of that, 99% of that code base... actually, at least 75% of the software contains at least one major vulnerability, right, or contains a vulnerability; what’s scarier is 49% of that contains at least one high vulnerability, one high-risk item that could jeopardize your organization, whether it’s direct or indirect transitive dependencies.
And the thing is, 90% of the stuff you use is usually outdated by years in most cases, or completely abandoned, and, by the way, later on this year we’ll be introducing a product that will actually not only tell you this kind of level of information, has it been abandoned, are there other alternatives... we’re going to have that as part of what we do, because we think it’s our responsibility to provide you with as much information as possible, so you can do your jobs better. But the idea here is that the level of trust that we have is just built into us as developers; I mean, we went into this for a reason, like I said, and there’s a blind empathy that we have. When you’re pulling this in, you’re just like, it should be okay. The thing is, 74% of the stuff I just told you about can be fixed with a simple update, and we’ll talk about that too, how you do it now. By the way, we as an organization do not blindly upgrade any of the libraries; that would be very pretentious of us; that would also not be very good, right, because in some cases you might have other people that are utilizing that library too. And you want to make sure that it doesn’t directly affect them, because it will cause their stuff to break, so there, of course, you need to keep your dev organization still a well-oiled machine of communication. But at the same time, I want you to know that most of the stuff you do can be fixed with a simple upgrade or a simple patch or a simple fix, and we’ll discuss that. So how can you ensure safety as a developer, right? And then we’ll talk about further down the pipeline too, as part of the CI process; do not get me wrong. But the first thing we need to do is discuss repositories, and then I’m going to talk about Xray. Okay.
This is actually our free tier, so you can use this as a sandbox; it’s got a very limited amount of space; it’s a nice way for you to go in and do this. And actually, just so you’re aware, we’re going to be using... I have a very fresh, hot off the press instance I created, and I am going to run the risk of doing everything live while we talk here; this will be fun. I’m going to use my free instance for this, so let’s first talk about repositories, because this is the level at which you’re going to want to design the way you do things, and I’m going to show you. We’re actually going to go ahead and design some repositories; we’re also going to create policies and rules, we’re going to create some watches to represent that, and then we are going to test it, and I’m going to show you the various aspects of shift left. First of all, repositories. In case you’re not aware, we have three repository types that we’re going to concentrate on today. We have local repositories: these binaries are your builds; these are the things you upload; these are the things you publish; these are the things that you do as an organization; these are your files; these are the things that you want to maintain. Your remote repository is our lazy proxy, so, in other words, any request for a third party transitive dependency, direct and indirect (it’s mostly direct from you, and then the indirect come in), our proxy goes through, once you’ve set up your clients to use this, and, by the way, we do this natively and I’ll talk about that. Those requests, say like npm install blah, would be proxied through Artifactory; it goes to that third party remote source, it pulls it in with all of its friends, and then it gets delivered to you. Now, that would be without Xray; we’re going to talk about implementing Xray to make sure that when you do those requests, they’re safe and secure and they actually function properly.
Now, saying that, what we’re going to do is we’re also going to talk about consolidation. So part of that is virtual repositories: this would be your central entry point; this is actually where you would do a majority of your work, because it encapsulates both virtual and local and remote repositories. Now, saying that, let’s go in and do that, because one of the things we’re going to do is I’m going to show you both. But before I do that, I’m actually going to go ahead and create... when I do create these repositories, now, I’m not going to do all of these stages here; I’m going to do dev, I’ll do QA, I’m going to do staging, I’m going to do release. But you could design your repositories to match that, so as a developer I push and publish all my stuff to development; when I want to test it, I use our promotion API to promote to the next phase of the SDLC, and, by the way, we have a whole bunch of stuff on this in some other courses we offer, so I’m not going to go too detailed into it. But just so you know, you can also change the access controls between each of these, so say I do send that to testing and I have a testing team. I don’t want them to develop, I don’t want them to publish; what I want them to do is read only, so they download my binary, they test it. But then I want to use annotate, which is one of the enablement features inside of our access controls, where your testing team can still publish the results into Artifactory, so this way you actually have all the information around the build that is pertinent to that stage of the SDLC. And then you can have them actually migrate it, you know, promote it, say to QA, and do the same thing, but this allows you to have accountability from its inception to its deployment.
With all the pertinent information surrounding the build object that you have, this way you know everything about it, so for remediation, root cause analysis and stuff, you have all that level of detail that you can use to do your job more simply. Now, saying that, let’s go in and let’s go look at my lovely instance. Now, I signed up, and for my sign-up I’m actually using my GitHub login. So I’m going to go ahead and log into my instance using my GitHub login; I’ve already authenticated, I’ve already given the permissions for me to do what I need to do, and I’m presented here with a blank, fresh instance of Artifactory, and I’m going to shut my little froggy friend down here; I don’t need to see it. But when you come in, you’re presented, of course, with Artifactory; here’s our Pipelines product, and, of course, we have a little tab here for security, where you could produce things like reports, and also, when we create violations, we can get some information out of that, but we’re not going to concentrate on that. So the first thing I’m going to do is go create my repositories. Now, for my instance here, for my example I put together today, like I said, this is going to be fairly interesting, because I am going to do a majority of this live, so let’s go ahead and create some repositories. So there are some basic ones here; I’m actually going to create new ones; these are ones that we install by default if you sign up for the free tier, just so you can get an idea. I’m not going to touch on projects right now; that’s a whole other discussion, but let’s go in and create some local repos. So in this case, for the project I’m doing, I’m going to do npm. And I’m going to go create my npm repository here; by the way, there is a naming convention document that you can just go into, that I wrote years ago.
That you can utilize and see how I’m doing my naming, but in this case I’m just going to say test. I’m going to say npm, because this is the package type that I have, I’m going to say dev and I’m going to say local. Right, so this is a test instance, here’s the package type, here’s the phase of my SDLC, and this is lame, you know, it’s a local repository. I’m going to copy that. I’m going to copy that and I’m going to create another one in a minute, but I’m also going to say enable indexing in Xray. By enabling this down here, this is going to say I want our Xray product to know about this repository for evaluation. You have to enable this feature to have Xray evaluate it, because Xray is going to be your frontline defense. Well, let’s go create that repository. Let’s go create another one too, right, so I’m actually going to create two more. I’m not going to create all of them, let’s say create two more. I’m going to create another npm repo, but instead of dev, because I can’t reproduce them, let’s say QA, and once again I’m going to have Xray enabled here. I’m going to create that. Then I’m going to create another one for production, so let’s go ahead and let’s go create the npm package for production, here we go. And now I have the phases of my SDLC. I’m not going to worry about access controls or anything like that right now, this is not what the discussion is for; that can be part of our administration. We do have our JFrog Academy, which is also free. But we’ve actually built this around the concepts of, you know, everything from administration to pipelines to management, from developer to DevSecOps, whatever you want, it’s all here. Now I have my production repository, right, and so there we go. So if I were to go in and just show you the ones that I created, here we go, I’ve got Dev, I’ve got QA and I have my production. But, as stated, 85 to 90% of the build that I’m going to do is going to depend on other people.
Let’s go look at the remote repositories. So I’m going to say add, I’m going to say remote repository, I’m going to go in and select npm. I’m pretty sure I already have one of these, but I would say npm-remote. There we go, I already have one, no I don’t. But at the bottom here I’m also going to make sure I index in Xray. Now there are other things you can do too, such as include patterns and exclude patterns, to say you don’t want to have certain things and you want to have others. There are certain things like that, right, I’m not going to worry about that right now, I’m just going to go in and create my repository, because I want to make sure we stay on track. So now I have my npm remote repository. Now I’m going to do an encapsulation; now the consolidation I’m going to do in here is my virtual repository. And this is going to be, as a developer, for my CI process, for my desktop, any developers I have. I’m going to go in and create this virtual repository. I’m going to go in and select npm again, and in this case I’m just going to say test and I’m going to say npm. Okay, so test, actually, if I’m not mistaken, you know, if this was just an npm repository, this is a bad name, but I want to be able to, you know, make sure that everybody understands. So I have my npm repository that I’m going to deal with as a developer. And then, at the bottom here, you can see I have the list of repositories that are available to me. Now, in my case I’m going to look for everything that says test. Well, here’s my dilemma, here you go, here’s my development repository. Let me grab my QA, I’m going to go ahead and grab my production. So there you go, Dev, QA, production. Now, I also want to make sure I have my npm remote, right, those third-party transitives, so let’s go add that in. So if you look, this is the actual resolution order. So if I was to interact with this and I was to search for a binary, request a binary, it would come through npm and go to Dev first, QA, production and remote. But remember it’s hidden at the bottom here.
But by default, if I’m going to publish a binary in, I am going to have to say where I’m going to deploy it. I select to deploy to Dev, so you have to select a default deployment on where you’re publishing your artifacts, if you are publishing. So let’s go in and create the virtual repository. Now I have a virtual repository built. Let’s talk about Xray next, and then I’m going to go implement it and I’m going to go run it and we’re going to go look at the results for certain things. So number one, Xray itself is here under the administration tab. You have to make sure you have permissions to access this to do the next set of features that I’m doing. But we have watches and policies. What are they? Well, policies are the rules and the actions you take, and watches are how you implement them, so let’s start off with policies first. So I’m going to click on policies, I’m going to go and give it a name. Now in my case I’m just going to give it a very, very simple one, let’s say npm. And I’m going to say security, and it could be anything you want, by the way; I’m going to say security because I’m going to look for security issues. And that’s all I’m going to call it, just npm security. I’m going to give it a description and be like, this is, you know, this is for all my npm needs, but I’m being lame here. But then I’m going to choose the type now. The two types we have for policies are security or licensing. Now, in this case, by the way, this is an upgrade feature; I’m going to show an upgraded version of this to kind of show you the licensing, but we’re going to go ahead and concentrate first of all on security. So what I can do is I can go produce a series of rules. Now I’m going to take a quick drink. Now, in this case, you can have more than one rule, more than one criteria and more than one action that you take.
First of all, for this one I’m going to start off recently, and I’m not going to do anything when it comes to, like, individual, you know, security, I’m not going to block builds for right now. We’re just going to concentrate on this; I’m going to show you the functionality. All severities, I’m just going to say all severities in this case. Now when you write the policy you give it a descriptive name and, in this case, all severities. You pick the criteria and then the actions. Now if you think about this programmatically, criteria is the if statement and the actions are the event, right, these are the things you do if your criteria is met, and criteria in this case is bad. Right, so I’m going to go back in because I actually hit the mouse when I did this; I’m going to say all severities. Now let’s look at the criteria. So you can see, in this case, you can go in and say I want to have all severities, or I want to use low to critical, right, that’s the severity value. A CVE has a severity value, and they are low to critical. Here’s a pro tip: always include all severities at some point. Why? Well, all severities also include things like info and warnings, and there are binaries out there that are in process, right, that are in process of evaluation for potential threats, or do not have a CVE or CVSS score associated to them yet. So I always say always have that, don’t do any actions, just kind of show what it has. We’re going to say all severities in this case, but I want to see everything. My first time running it, I want to see everything there from critical, low, medium, high and whatnot. Or say you use a CVSS score; we see a lot more companies doing this, both V2 and V3. By the way, if you need to go look it up, right, the CVSS score calculator, click on here.
You know, the difference between CVE and CVSS score is the level of information that they actually go ahead and deem an exploit, right. You know, like, you know, as an attack vector, does it have scope, you know, does it require privileges, right, these are all things that when they’re combined produce a score. So when you produce a score like that, what’s nice about this is that in ours you can say CVSS score V2, V3, and you say between, like, in this case between 2.4 and 6.2, I want to do something, right, because you don’t know the level of detail until you look at the issue, but you at least have the aggregate score that the CVSS score provides. But in this case we’re just going to stay with CVE. Now, when it comes to what you can do, the actions you can take behind the scenes, this is very important. So, if you look here, you can see that first it’s going to generate a violation, and this is what we’re going to be using today, by the way, for some of this. But there are other things that you can do, and I’m not going to enable them; I’m going to explain to you what they do. And maybe we will, and you know what, we’ll see how things go; if I have time, maybe I will enable one of the ones that actually causes chaos and mayhem when we’re doing this. So, first of all, you can go in and you can define a webhook, right. I don’t have any webhooks defined right now. But it’s a simple JSON post, it’ll actually post the data somewhere. I mean, just to kind of give you an example of this, I actually have an interpreter for that that I connected to our actual JFrog Slack channel I use for some of my testing, and I’m publishing that. And, by the way, just so you are also aware, if you guys are using Slack out there, I can actually just type in JFrog Xray Slack and we actually do have a Slack app here, it is right here, just so you’re aware.
If you are using Slack you can actually go in and get a big chunk of this data that we’re going to be talking about; you can even set up, you know, policies and notifications and properties. It’s fully integrated into our platform. But in my case I’m just publishing; I want to be able to test that I’m actually receiving this information. Then, when you apply your policies using the thing called a watch, which we’ll talk about next, you can actually set an email parameter list, where you say hey, I want to notify these individuals that, you know what, there’s an issue. So you can do that; I’m actually going to check that. I don’t want this turned on. You could also have notify deployer: if somebody deploys something into Artifactory, notify them that they’ve actually uploaded something potentially threatening. We also have a separate email notification. This is actually set up so that maybe you have a critical issue, or a 9.1 CVSS score and higher, and you might have a red team. You know, everybody on red team get together, this is a production level issue, this is the world-ending event, we need to go in and get everybody on board. Then you can also do things like you can hook your Jira system up, right, so we have a Jira integration, and this will say you pick your project as part of the watch, which I’ll show you, and then you say create Jira ticket. I want to create a Jira ticket, and the Jira ticket will go ahead and contain all the information. Now the next set of features are part of shift left, and I’m going to show you the developer level in a few minutes, but this is part of it. So first of all, block download. This will actually stop the consumption of any binary historically already stored in Artifactory if new information, you know, new information that’s pertinent, right, so a new zero day, or an increase in, you know, CVSS score, or, you know, maybe the severity level changed to critical, right.
This will actually stop the consumption of any binary from that moment forward until you go in and allow it, and there’s information on how you can go and do that. And then for shift left, though, if you want to be able to provide autonomy for your developers to go and develop and do the job that they do, that’s when you enable the next feature, which is block unscanned artifacts, meaning as a developer I have the ability to go out and retrieve an artifact and all its associated friends, direct and indirect dependencies, right, and bring them in; they’ll be stored in Artifactory. Right, so we request it, and it’s stored, gets evaluated by Xray and then delivered to the developer. Now we get a lot of questions, and I’m sure the question is, well, won’t that delay my development? Well, one of the things that I talked about earlier in this discussion is how we store the binaries in Artifactory based off this checksum-based approach. If you upload a binary, or request a binary, we actually, you know, check to see; you know, we create a unique SHA-256 checksum inside of our file store, referenced to the metadata. So our actual Xray product runs on that metadata as opposed to the physical binary, so when a binary comes in and it’s actually ingested and a checksum is produced, this means that our Xray product will be able to evaluate very rapidly, being able to say, oh, we have a slight pause and delay in the development. Especially, but this will also do not only the direct dependency but the indirect dependencies too, and this will actually stop it, and the developer will receive a notification that there was a failure. If you’re using our Distribution product, you can actually do one last test before you send it off to the world and say, are you sure, and actually do one last evaluation. And we also have the concept of fail build, which, of course, will send a termination event, you know, to a CI/CD, to an IDE, and now we just introduced a new feature which I love.
Which is allow grace period, so you can actually say, you know what, I don’t want to actually kill the build right now, I’m going to give the developer three days to come up with a proper solution behind this to do their job. But let’s go ahead and let’s just get rid of this. I just want to make sure I have the violations, I’m going to say all severities and I’m going to save this. So now I actually have an npm security policy. I have one rule that just basically says I want to see everything, and hit create. Now I’m going to go into watches, and this is how I’m going to apply my policy. So let’s go ahead and set this up, so I’m just going to say, in this case, this is npm, a descriptive name, or whatever in this case. I’m going to say, you know, all set for right now, just because, you know, I’m going to say blah, I don’t care. Here’s where I could go in and put a recipient list; I could say all right, billm@jfrog.com, that’s my email address. And then I’m going to grab my policy, here’s my policy, right, I’m going to hit save. And then I am going to go in and say I want to apply this. Now, I can apply it in a couple different ways. So, first of all, we have this concept of projects; I’m not going to go into that right now, I’m only going to concentrate on repositories and builds. Let’s go in, say I want every repository that I flagged, individual repositories that I flagged, or I can even do patterns. So these are things we have more details on, all this stuff, but you know what, look at that, I do not have any other ones, though, that I want to evaluate here. Let’s go and take a look at what happened, because I get this a lot from customers. As a result, I did it, so first of all, those repositories aren’t on my list. Let’s take a look at test, ah, there’s nothing here. Well, the reason why is because I didn’t index them.
I actually flagged them, but if I go into index resources, you can see that if I actually, you know, type in test, these are all the binaries, you know, the repositories that are being evaluated, and none of them are there. Let’s go add them and do a search for test. Now let’s go in and let’s grab all the test ones that I have. Now I’m going to save, and now if I type in test, this means that these binaries should be available when I create my watch. Because I need to index them, because the thing is that Xray keeps an index list of all the binaries you want to evaluate, because it’s continuous; Xray is a continuous evaluation of all the binaries you use, not just the ones that were stored. That’s not it; it’s continuously looking for any potential threats and issues. Let’s go back to watches and policies again. Now let’s go and create my watch again, all right. This is good, so let’s say npm, I’m going to say all set. All right, let’s go in, I’m going to add my name, let’s add, you know, my email. Let’s go get my policy and let’s save that. Now let’s go back to the repositories and let’s do a quick thing; it says test, oh look, there they are. If you look in here, you can see that all these repositories are here, but you know what, I’m actually missing an essential one here. These are all my local repositories, oh shoot, let’s go create it. Let’s go back to my settings again, let’s go back to index resources and let’s type in remote, because, oh, you know what, my npm remote isn’t there, that’s weird. Add that in, well here’s my npm remote, all right, let’s go ahead and do that, let’s save that as part of this, and now that we have it, okay great, so now if I type remote, there it is. Perfect, let’s go back and look at my watch again and let’s go and take a look. Now I should be able to go in here and click on repositories, and there’s my npm remote.
Now for the list, and I’m going to save it. Now I have a rule where I can go in and look at all severities. Okay, so now I can also create one, by the way, with licensing, and just so you know, let’s go in and look at that for a second. Let me go into my other instance I have here; I’m just going to log in. This is actually, I feel like I’m inviting you to my place and I haven’t cleaned up yet. But I want to make sure you understand, if you’re doing licensing, it’s at the same level. So if we go into security policies, if you’re one of our customers that actually has our upgrade of security, because the free tier just includes the vulnerabilities, I could select licensing. I could add a rule, and just so you know, all the actions are the same as security. But the difference is the criteria is, you know, here are all 435 open source licenses on the market, and you can also manually upload your own license into here. So you can say here are my allowed licenses, here are my banned licenses, right; if it’s not part of those 435, you’re right, we have just allow unknown licenses. Why is this license not one of the 435 open source licenses available? That’s ridiculous. Or why does this have multiple licenses? That’s another key indicator. So just to let you know, you can also evaluate based on that criteria in addition to that, and by the way, we are going to come back to this instance. I can talk about builds, because we’re actually not going to do a full build today; when I do this we’re just going to talk about implementation with the free tier. Setting up the builds can take a little longer, but I’ll show some examples behind it and the reasoning why this is important. Well, let’s go back in. So now we have our rules, we have our policies, we designed our repositories, let’s go implement it. So let’s go back to Artifactory, let’s go to the artifact browser, and here’s my npm repo.
Right, so let’s go ahead. I’ve got a project, and let’s go ahead and, how do I implement this? So we’ve actually made this super simple. Go ahead and click on the set me up instructions, so you have either standard or scoped, and the first thing you see here is that when we are doing this, and I am going to be doing this, I am going to go ahead and set my npm registry to be set to my instance, and just to let you know, I’m actually going to go do this right now, so I’m going to go copy this. I just copy the text and now I’m going to go over to a project, and now this is where me as a developer gets to do the fun stuff that I do. Here’s an npm project; there are no packages here installed, there’s no node_modules, there’s no package-lock.json. But let’s go in and let’s publish this here, here we go. I’m going to copy and paste that, and now I’ve actually set my npm registry. Now I am going to have to go and log in, so I can actually say npm login, because I want to make sure it’s secure. Now it’s going to go ahead and prompt me for my username. I’m actually just going to go over to my instance over here, so you know, in my case, my username happens to be, you know, I’m going to put my email address in. There we go, and username is that. Here we go. I’m going to go ahead and, just to kind of show you, by the way, I’ll share over here, I can go ahead and look at my profile. And you can see where my profile is, just so you know how you get there: you go edit profile and then, in this case, I’ve got an API key, or I could generate a token, so I can use either one if I wanted to. So let’s go ahead and copy this and then let’s go back. There you go, oh, it doesn’t like my authorization header because of that. That’s fine, I’m actually going to do something different really quick. I’m going to create a new user, I’m going to hit save, oops, there we go, password.
I’m actually creating a new password. There you go, save that. All right, so let’s do this. Let me go back and share, just so you know, so we’ll just do this. Normally I would actually do a little bit more debugging on this; I know what I have to do, but let’s go ahead and let’s log out. Let’s go and log in as my user, right, so I’m going to say bill, and in this case I’m going to put my password in. Here we go, let’s do that instead, all right, just to finish, I don’t care about that right now. Let’s go back to my UI, right, so I’m going to go, and actually just so you know, I’m going to go to my profile here. I’m actually entering my password to unlock the features that I want to do, there we go. I am going to go ahead and generate a new API key that I have for this, so I can do that; I also have an encrypted password that I can utilize, so let’s go copy my encrypted password. Now let’s go back in here and let’s go try doing npm login again. Let’s do that, because my other one was actually an admin user; I don’t want an admin user, so let’s do npm login. Now here we go, let’s say billm. I’m going to say my password, I’m going to paste that in, I’m going to leave billm@jfrog.com, and enter, and now, there we go, now I’ve actually logged in. Now, the thing is that I’ve actually gone ahead and set my registry as this value, so what that means is when I go in and I do a straight npm install, that’s it, straight npm install. And let’s say npm install, because I’ve actually set my registry, I don’t have to do anything else. Now this is actually going to go in and it’s going to request this from my instance. Now remember, this is my free tier; this isn’t being hosted on a very powerful machine, it’s kind of a sandbox that I’m using. But it’s actually going ahead and it’s going to go fetch all those third-party direct and indirect dependencies.
And now, all those dependencies are going to be stored in Artifactory, so say I have 1000 people working on this project. I’ve pulled in all the third-party transitive dependencies, I put them through the Xray product. And now I’m able to go in, and 999 other developers will be able to take advantage of what I’m doing. I should have probably picked a smaller project; this is a pretty big project, but let’s see what it does as we are going through this. Now it’s pulling all those dependencies in, and if I do an ls -la, if I do a vi package.json, blob of JSON, this is actually a little slow, there we go, you can see where I’m actually pulling all my dependencies in through Artifactory. I’ve actually gone in and done this, now let’s go in here. All right, so one of the other things I can do here is actually, I’ve used our JFrog CLI tool, I’ll just show you, if I do jfrog. Actually, here, I’ll clear this first and say I want to find out, as a developer, I’ve now gone in and done this, I don’t want to go to Artifactory, because we’ll go over and look at the Artifactory stuff in a minute. But let’s say I want to go in and see exactly what’s in here. Our JFrog CLI tool has a lot of built-in functionality; there’s a whole subject on this, you can go ahead and take a look. Let’s say I want to do audit. I’m going to audit this; it detected, the JFrog CLI said, hey, you know what, this is an npm project, let me see the components and build a model around it. It’s going to take that model of all the components that I have here, and look, I actually, right now, as a developer, shift left. Using the JFrog CLI I was able to pull out and see if there are any high items or any potential threats or issues I might have in here. Now, these are all just all severities and stuff, but you can see, like, here’s the impacted version, you know, is there a fixed version available, you know, what is the component, you know, does it actually have a CVSS score and things like that, so there are these pieces.
So this is one place I can do this. Now, what if I’m a developer, right, let’s go in and take a look. Now let’s go look at my IDE. Now my IDE in this case happens to be IntelliJ, er, Visual Studio, so this is VS Code. Well, here’s that actual same package-lock.json that I have, here we go, very simple, nice and easy to do, here’s all the information. But I have the JFrog plugin. Now these plugins are available, right, so this is the plugin here, and this link up here, and there are simple instructions; it actually walks you through and says point it to your instance that you want to use for Xray. Once it does that, and this is connected, you can see where all these pieces and components, right, that I pulled in; it’s like 482 transitive dependencies, by the way, and if I showed you the package.json, it’s actually three things in my dependencies, and there are 482 transitive dependencies. But I can show you, as a developer, here’s the hierarchy of the actual components that I’m using as part of this. Now check this out, look how deep into the tree I’m going, where I can show you that here’s a potential threat. And you can see all the information, and while it’s ansi-regex, it’s a 4.1.0, that’s an npm, it’s production stuff, because you can do scoped packages. Right, so it has one issue, and if I click on the issues tab, it is a high severity level, here’s the actual component, here’s the CVSS score and here’s remediation, I can fix this. As a developer, I can go in and upgrade the version, in this case, you know, of a particular package, and it will affect this and I can address it directly; I even have it in the CLI. Now, the thing is that these are just some of the simple functions that you can do. Now, understanding that and looking at those things, we could actually go ahead now, and this one just happens to have, by the way, just so you know, I’m going to go and show you just some quick information, right. So let’s go in and take a look at, you know, my UI.
Let’s go ahead, and if I take a look at my packages, you can see here are all the packages that were just downloaded; these are all the potential things I just brought in as part of my install. I can also, at any point, click in here, and I can actually show you the versions I have. I can show you, you know, here are all the readme instructions on the actual components. If it’s attached to a build, which this one isn’t, I can show you where it is, but I can also click in here and say, oh hey, by the way, here’s the actual component inside of Artifactory. I can show you its information, and I can show you, and I already talked about transitive dependency layers; well, there’s body-parser here, it has in total 10 other dependencies it brought with it. I can see its permissions, right, I can even look at the Xray tab. Now in Xray this is going to let me know that there are no violations and stuff, but also, if I had the upgraded version, it can actually show you the actual licenses for this component. But I can also go in here under watches and violations, and let’s see if I have any issues here, because now, remember, I didn’t really do anything other than all severities, but we can actually change that. Right, so in this case, a severity level of high, here’s the actual Xray component. You know, the actual piece itself, you can actually see that there are two vulnerable components here, here are the two other, you know, two others in the layer. I can show you the security summary on why this is an issue and also, you know, here’s the dependency mapping. So these are all kinds of ways in which you can do this, but let’s go look at something that was actually built. And I see it as a question: assuming your developers build their npm projects via docker compose, will the plugin work with npm install inside the docker container? Absolutely, I’m glad you brought that up, Journey, because I am going to show you that right now.
These are just simple examples where I’m just showing you right now. Right now I’m going to go one step up. I want to talk about Docker, I want to talk about that, I want to talk about things like, you know, when we start talking about, you know, build integration, right, Git options and automatic CI, because actually I realized when I went back here that I didn’t even get a chance to show you that these are the things that I was going to demo. So now let’s talk about the next part. So in answer to your query, let’s go look at a build. Okay, let’s go look into a Docker container, and a Docker container containing an npm project that was part of the build process, which is even better. And I’m going to show you the advantages of actually correlating all this information. Like I said, I was able to, in a matter of minutes, right, if I wasn’t talking I probably would have, you know, a lot more information about this, but I actually have a system that has a tremendous amount of stuff in it, and I’m going to show you that right now. So let’s go talk about complexity, because this was simple: I created a repository, I created some simple rules, you know, to evaluate, I applied them. I actually integrated it into a real-life project, I showed you the actual plugin for my IDE, I showed you the CLI, the advantage of being able to actually get it directly there; these are all things that you can do, and it’s very simple to start. But let’s talk complexity right now. Let’s go look at something like this, step three, create docker multi app. This is a build, right, because one of the things you need to do is you need to know; we talked about transitive management, let’s talk about build management. So in this case, this is actually a Jenkins job, and just to show you, I’ll actually close this, just to kind of show you how you do it.
Well, let’s go in here and let’s see, let’s look at build number 82. It’s built by a Jenkins server, so here’s my GitHub server, so I had this set up, actually, when I checked this in it automatically builds. Now this image I’m going to show you contains a node front end and a Java back end, being hosted in a container. So if I click in here, this will actually bring me directly to build number 82 that produced it. Now this job I have here is actually pulling its artifacts, you know, in this case, the node front end and Java back end, as part of this. Now, by the way, when you do your docker compose, there are docker compose examples if you’re doing it as part of the docker compose process. In this case, I’ve actually built a container already, and now I’m actually going to host an application in it, because I’m going to go one step above just the standard npm. You know, as part of the docker compose, but I’m also going to build this container image and publish it to Artifactory, I’m going to test it, I’m going to publish the results and I’m going to scan it with Xray, and when I publish, I’m actually going to, you know, check to see if it’s okay. I’m not failing it, in this case, just so you know. And then I promote it from one stage to the next, and if I were to show you what this job looks like, I mean, it’s very simple. We have an Artifactory free plugin for all major CIs, and if not, you can use our JFrog CLI also. But if you look here, I’m using the Artifactory plugin and I’m parameterizing; these are parameters that I’m putting in, right, so server URL and credentials. And here’s, like, I want to get the latest version of my node front end, something I’ve already built, and now I want to host it. This is like a very typical scenario: I built something, now I want to host an image, right, this is very much a best practice you can do.
In this case right here, in the UI, I'm actually querying Artifactory using our language called AQL, the Artifactory Query Language, to say hey, go to this local repository, SDLC, give me the latest version, I want to host it, and then I'm going to build it right here using a standard docker build command. I'm going to publish all that information about this build into Artifactory and perform a very silly unit test: on pulling it down, I'm doing a curl towards the Docker image and saying, do I get a 200 OK? Okay, I mean just to kind of show you, it's right here: if I get one OK response from a curl, I'm good, that means it works. Then I want to publish information that says it passed my functional tests. Then I'm going to go ahead and do an Xray scan; I'm going to say Artifactory.xrayScan. I'm not failing the build, just so you know. And then I'm going to say promote it from its source to its destination; I'm going to call it released. Right, these are all things you can do. I give talks on this and there's plenty of examples; I'm not going to go into all the detail on this, but I want to show you what I did.

Now I want to show you the results. So first of all, this was promoted, it was released, it contains critical issues. But you know, as a developer, if I'm doing this and I get a notification that something is terrible because something is bad, well, you know what, I am going to go ahead and I want to see. So a typical Docker registry looks like this; it doesn't mean anything, you do a docker pull, a docker run, magic happens. If you follow our procedures and those practices, I could say here's the version of the Node front end and the Java back end I'm hosting in this container, with all its dependencies. By the way, I'm going to show you: it's the OS, it's the runtime, it's the actual application layer, not just in the single mindset; this is the whole enchilada, as you would say. I'm hungry, it's lunchtime, I need food.
But anyway, one of the nice things you can do is that quick remediation, and this is where I talked about where I've had examples where customers are like, this is the best thing I've ever seen. What if build number 82 is terrible? You get a notification that there's a problem, you know, from an exploit, but it's deeper than that, it's functionally terrible. Wow, I know that this one is hosting this version of the Node front end and this version of the Java back end; I can actually do a diff between build number eight, which is the previous version, and the new one. Well, you know what, the Node front end is the same, but the Java back end changed. Like that, I was able to go in and see what changed, and I can explore it. When we do the Xray scanning, you can scan your image utilizing the JFrog CLI and stuff like that; we actually have these functions built in for you to do those levels of audits. But the thing is, this one, by the way, this is my disaster masterpiece, I call it. This is when I actually have 1,670 violations. It's terrible.

But the thing is, though, it's all about, as a developer understanding, or even as a production engineer, a release manager, a release engineer, QA or anything: if I find these issues, I want to know what it's affecting, I want to know how I can remediate it. I mean, here's an example. Now this is Spring; this is something that everybody uses, the Spring Framework, it's everywhere, and if I got this issue, it's a critical issue. If I go in here, I can show you the summary, and if you look, somebody just did a cut and paste; this is terrible. But our research team, maybe they do a little more research; well, we did, and we actually gave you more detailed information. And if I want a quick fix, fix this quickly, well, we even have remediation right here: you can upgrade, or you can actually go ahead and migrate the deployment by changing something.
Well, I'll show you one better, I'll just show you one of my favorite ones. Here's FasterXML, here's another Jackson issue, typical thing, right: cut and paste, terrible. I get nothing from that, but as a developer, I know one and say, oh, you know what, this is critical, but you know what, sometimes the library might have 100 functions in it and one's bad. Do I really want to throw the whole thing out? Am I using it? We will have applicability soon, by the way; well, I won't talk about that yet. But in here, the thing is that the original source tells me nothing: cut and paste, what does that mean? I'm just going to go over to this library. Well, our research team said, oh yeah, well, here's the issue, and actually it's only one function, and we've actually said if you change the mapper style and this, it should work okay. And we've also included something like, you can deploy an upgrade, here's a patch for it, or you can just change the way you use the function.

But the important part is, check this out, and this is where we come into, is there things inside, right? So if you say you did a docker compose, check this out: I found this jar in a jar of a layer of an image of a build. I found this very deep inside and I can go and attribute it. I can export the software bill of materials from here; I could produce reports like violation, license and security. I can see every license file that's in this, right? So I might have a compliance team that's like, tell me please, what licenses are you using throughout your entire Docker image, that's all of it: OS, runtime, application. I'm going to show you the most interesting view; I love this view. Here's my Node front end and then here's my Java back end. Here's my Docker image; I can expand this out and show you all the violations and even some groupings of any of the dependencies that are in this tar.gz.
I can even go ahead and view the component; I can even go ahead and assign it to another value. Maybe it's a critical, but I think it's low. But here's the big thing, right, so issues: I can put all the Jira tickets here, right, if I wanted to do some other remediation. I can actually do another diff, by the way, at the artifact, dependency, environment and system information level, so I can see if anything's changed, like, you know, Jeremy left the debug flag on, I don't know. I can also see its release history, but that's only one part. Because here's the thing: if you follow these best kinds of practices, say I say okay, this is actually terrible, well, let's go see it. I went from the Docker build to the Docker image; here's the actual tar.gz. I can see all the information around it, that's our information; I can see the package info and its dependencies, and I could see the effective permissions. I can look also at any of the security flaws and things like that, with its own Xray information. I can look at any properties that I might want to use, like review-later equals true, something like this: I don't want to address it now, I want to do it later.

But check this out. Remember, before I talked about builds? Well, first of all, this tar.gz, which was actually produced here, here's the build. And where has it been used? Maybe this is a terrible build that contains a high security flaw, right, maybe like ua-parser, which was the bitcoin fun stuff. Right, I can say, well, here's where it's produced, but here's every place it's been used. I can tell you from a remediation standpoint, I should have loved to be like, oh yeah, you know what, we've used these in all these Docker builds. But you know what, let's go in and take a look at the build; here's the build that produced it. Well, here's my tar.gz that I've been hosting; I can show you all 482 transitive dependencies around it.
I can actually diff it with another version at some point and say, hey, did anything change? I can see its release history if there was one here. Here's a Jira ticket I've got associated to it; I can still diff between them, so this gives me another level of accountability as a developer, as a release engineer, as InfoSec. I can even go in and say I get notified that something is terrible. Like, here, I'll grab one of these, right, I'll grab Babel. There's a Babel package now; this is applicable across all package types, so interesting. I just happened to have an npm prod scan folder; they go in and Babel six to 626 three is going to leak all the data you have throughout time. Let's go look at it; well, once again, readme instructions. Now here's where the guy told me, he's like, this is the greatest remediation I've ever seen, and basically a way for me to do my job more expediently. Well, it's not like it was built by anybody, but it's been used in 28 builds that we've had, so we've been exposing ourselves for a while. Also, what repository it's in, and I can go trace it back, here's its own Xray data, and also using our Distribution side, where is it distributed to.

Just so you're aware, I'll type in JFrog, I'll say log4j, right, so if you're looking for it, by the way, we actually did release a tool when it was actually announced, and I'll put this in the chat for anybody who wants it, this little guy right here. This is actually a free tool that we actually opened to the public that you can actually go and scan all your open source projects with, any of the projects you produce, and plus we also released a whole article, a cookbook on remediation, on the various ways to fix this. But this is to kind of show you one of the first things you can do in here. My big one is, you could always say, if you've got a CVSS score notification, right.
I'm just going to go in here, let me kill that, I'm going to click here, and I actually have a CVSS score. So I have a CVE here that somebody sent me, and I click on here. And what this is going to do is, I put the CVE into security, you know, compliance, and it's going to go in like the parameters, like licensing, severity and whatnot, but if I click on Builds, right away this is showing me all the builds that this actual component has actually been part of. I can say this CVE, all these builds right here are affected by it. And I can go view any of these builds that I want; I can tell you what artifacts are exposed, if this was released into production with our release bundles. Here's all the packages that actually contain this, right, so I can actually go in and take a look at the package itself, and are there any versions? Thank gosh, there is; well, you know what, here's a version we were looking at. Let's see, are there any repositories? Well, it's part of our cache, haha, and it's been downloaded 212 times. Here's its Xray data, and you know what, it's got some security vulnerabilities or two right here.

See how quickly I'm able to go in and do research on what I've used, how I've used it, what remediation is possible; it's all there. And having the tool sets and the inclination to just understand not only what you're bringing in, but what you produce and where you've used it, is really where our products excel, even down to the fact that I can go in, as part of this, at any point, and I could produce a report. And I can say I need to get a vulnerability, violation or license due diligence report on repositories, builds or whatever. So let's say I say, you know what, I want to go ahead and look at violations, I'm going to look at it by repositories, I'm going to say all my test repositories, so let's go do that. I'm also going to say my npm, so let's go to my remote repository.
I'm going to save, and I'm just going to get everything, I just want everything, I don't care. And let's see here, oh, I need to give it a report name, right, so I'm going to say npm bad stuff, right. And let's go ahead and generate the report, and then this is going to go ahead and scan the artifacts that I have there, as you're seeing here. And then I can go ahead and click on this, and this will actually produce a report on the actual components that are terrible, including things like, here's a breakdown, here's a broken-down version of the actual CVSS score, right, for v2, and here's one for v3. And then, on top of that, I can actually see all the little details about it. So remember, any tool can go detect any sort of vulnerability and violations; there's tons of them out there. But the thing is, having the correlated information for you to do your job more effectively, more efficiently and more rapidly, because let's face it, some of these security issues, if you don't address them right away, you are potentially in bad shape.

So the thing is, I want you guys to understand that we have all the tools and resources that are available to you. We have all this knowledge out there, we produce things on a regular basis, Google is your friend. Like I said, you know, I know there were some things here about, you know, I couldn't find the npm; we actually, if you just search JFrog and, say, log4j, we did a ton of things on this, we actually gave a bunch of open source tools to the community to help everybody out. Because let's face it, we have to stop this whole mentality, this idea of us versus them in terms of my company versus yours. The thing is that these kinds of issues, these kinds of things, happened for a reason, and we as a community, as a series of developers, no matter where we are in terms of our status, when we do our jobs or whatever, it's our job to combat this.
But at the same time, we really do need to go ahead and address this systemic issue that's affecting everybody out there. And having the right tool sets and the ability, using policies and watches, IDE integration, automated behind-the-scenes tools, really is where we excel and where we can really help you. So I want to thank you today; I hope this has been informative. We have one more thing I'll just show you, by the way: if you just type in Artifactory and docker compose, right, like, once again, we have some great examples here on how to do it. So if you look, we actually have some Docker Compose examples you should be able to find. Thank you so much, and if there are any questions you can ask them now, and if not, remember to go sign up for your free tier. You can do all the things I showed you utilizing the free tier as a sandbox. But you know what, be safe, be wonderful, be well, everybody, and thank you so much, and I truly appreciate it.

Host: Thank you so much, everyone, and thank you, Bill; it was such a great workshop and we're so happy to have you all here. Join us for the next workshop on our community page. Thanks again, have a great day!
