White Paper – JFrog Xray – Security and Compliance of the Open Source Software Dependencies You Rely on

INTRODUCTION

With software now underpinning and fueling all business processes, DevOps teams are aligned with and directly influence their companies’ competitive position. Their work -­the continuous creation and enhancement of business-critical applications — impacts revenue growth, operational efficiency, customer satisfaction, brand reputation and much more. Because they’ve become crucial for business success, DevOps teams are under intensifying pressure to streamline and accelerate software development and delivery every day. However, in their eagerness to speed up their software pipelines through automation and collaboration, DevOps teams can’t overlook security. If they deliver unsafe applications to employees and customers, DevOps’ benefits evaporate and their business suffers.

DON’T OVERLOOK SECURITY

Unfortunately, security is still an afterthought for many enterprise DevOps teams, as GigaOm Analyst Jon Collins observed recently. “Too often, security is brought into the timeline just before deployment, risking last minute headaches and major delays,” he wrote in a blog post.

Because DevOps teams remove traditional gates and guardrails, and use more distributed, hybrid and componentized technologies, such as cloud, containers and microservices, they face new security challenges that can’t be overcome with legacy tools and processes. ”The continuous integration and continuous delivery (Cl/CD) process of DevOps is as impactful a change to cybersecurity programs as the changes to the applications and infrastructure that these methodologies manage,” Doug Cahill, ESG Research analyst, wrote.

Take the case of containers. whose popularity has revolutionized cloud-native application development, thanks to their portability, scalability and flexibility, but which organizations must secure with new best practices and tools. As Forrester Research analyst Sandy Carielli pointed out in a blog post “Security pros are brought in later and left with the suboptimal task of applying existing tools and traditional security mindsets to secure containers -­and discovering that those are ill-equipped to the task.”

Then there’s the growing usage of OSS components, which help quicken application development but often contain security issues, like vulnerabilities. Open source software (OSS) makes up almost half of the code in the applications built by developers surveyed recently by IDC. Clearly, DevOps teams that use these OSS components must properly scan and analyze them for security and compliance issues.

Other security challenges for DevOps teams include the growing use of hybrid cloud environments, along with organizational and logistical obstacles, such as siloed security teams. As these challenges have piled up, many IT teams have resorted to accumulating a growing number of security point products that often do not interoperate and change the defined development workflow to further cloud visibility into DevOps security and compliance practices.

“Organizations are overwhelmed with the amount of and overlap in issues raised from multiple testing tools, complicating prioritization and mitigation, so integrated application security platforms are desired,” ESG analyst Dave Gruber wrote.

Unsurprisingly, cyber criminals have taken notice of these challenges. Always on the hunt for new and effective hacking vectors, they’re increasingly targeting software development pipelines. For example, they’ve embraced upstream supply chain attacks, in which they stealthily infect a software provider’s code during the development stage. That way, hackers’ malware hides in legitimate software and gets shipped to thousands of customers through otherwise official distribution methods. A high-profile example of such an attack was the SolarWinds hack in late 2020, which affected prominent Fortune 500 companies and U.S. federal government agencies.

DEVSECOPS

To protect DevOps pipelines from vulnerabilities, misconfigurations, and other security gaps, what’s needed is an approach that automates and embeds security checks across the software development lifecycle (SDLC). This is called DevSecOps. As GigaOm’s Collins explains in his report “GigaOm Radar for Evaluating DevSecOps Tools,” DevSecOps’ principle is “bringing security best practices as early as possible into DevOps-based software creation, delivery and operation,” while the tools should “automate best practices, augment the pipeline and support development activities.” With DevSecOps, organizations can quickly and continuously detect security and compliance issues in their software — from design to production. That way, when a problem is identified, the DevOps team can immediately “shift left” in their Cl/CD process and fix it before the unsafe code in question moves to the next stage. “Historically, even if companies adopted new DevOps practices, security teams often still existed in silos and did not embrace ‘continuous methodologies.’ With security becoming an increasing priority, bringing it into the automation fold is rising. DevSecOps is the natural stepping-stone in the digital transformation journey,” reads a note from investment bank Cowen.

HOW JFROG CAN HELP YOU

In this white paper, we’ll explain how you can implement a DevSecOps strategy using the JFrog DevOps Platform — in particular JFrog Artifactory, a universal artifact repository manager, and JFrog Xray, a software composition analysis (SCA) tool for open source software. Read on to learn how to obtain continuous and comprehensive security and compliance, along with full visibility and control of your SDLC with JFrog as your DevSecOps centerpiece.