JFrog to acquire Vdoo, take 'shift right' view of DevSecOps

DevOps vendor JFrog will acquire security software maker Vdoo in a deal valued at about $300 million, expanding its DevSecOps product focus from application artifacts to production deployments.

Vdoo's approximately 100 employees will join JFrog, originally known for its Artifactory application artifact repository, as part of the cash and stock-based deal made public this week. JFrog did not estimate when the deal will close but revealed plans to jointly develop new DevSecOps tools with the startup, which is based in Tel Aviv, Israel, in 2021, including an expansion of its Xray binary scanner that will encompass the full application deployment process.

JFrog's Artifactory tool represents a key stage of DevOps pipelines, in which raw developer source code is built into binaries that can run on machines. Xray scans those binaries for security and licensing issues. Vdoo, meanwhile, analyzes binaries at later stages of the CI/CD process and, after, they're deployed in production.

JFrog refers to this approach as "shift right," in contrast to the "shift left" approach popular among vendors in the early days of DevSecOps. These terms refer to a typical diagram of the DevOps pipeline, which places developer source code on the left side and production applications to the right.

Yoav Landman

"Compared to shift left solutions targeting developers, you lose track of the binary once it's already distributed or deployed," said Yoav Landman, co-founder and CTO at JFrog. "[With] Xray plus Vdoo ... even if your artifact is already deployed or distributed through the runtime, we allow you to continuously monitor it, so if there is a new vulnerability ... we can take action to protect [it]."

Vdoo, founded in 2017, also focuses on scanning binaries, rather than raw source code, which made it a good fit for JFrog's shift right plans, Landman said.

JFrog indicated plans to expand Xray beyond its original scope when it first launched its JFrog Pipelines CI/CD tool in February 2020. It signed on an application security partner in RunSafe in June 2020, but the Vdoo acquisition represents the first major step forward in the Xray DevSecOps expansion process, Landman said.

As with other recent updates from DevSecOps vendors such as Palo Alto Networks' Prisma Cloud, Vdoo can cut down on the security alert noise that reaches developers, assessing binary vulnerabilities according to the level of actual threat and prioritizing them accordingly.

Such updates reflect growing maturity among enterprise DevOps organizations through an increased emphasis on continuous deployment, rather than Agile development and continuous integration, which is reflected in analyst market research.

Daniel Kennedy

"It used to be that CI was what was real and CD was what was talked about, but now, deployments are way up," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global. "We've also been talking about shift left forever, but we're well past the point where developer IDE [security] plugins are adequate."

JFrog DevSecOps roadmap includes IoT

Vdoo also supports embedded Linux distributions and real-time operating systems used in IoT and edge computing environments, an increasingly important DevSecOps frontier for enterprise IT.

"Vdoo allows us to extend our DevOps platform and modern CI/CD to software on IoT devices, which we're seeing requests for coming from automotive and industrial companies," Landman said.

Focusing on application binaries, rather than source code, is a strategy already used by application security vendors such as Veracode for years, Kennedy said, but it's a timely approach for JFrog and Vdoo to take, amid increasing concern about third-party application security following the SolarWinds breach in 2020.

"You don't get access to source code for third-party [commercial] applications -- you only have access to the binaries for security testing," Kennedy said. "That resonates a little bit as software supply chain and code governance become watchwords."

A JFrog Pipelines update in late May also addressed the software supply chain security issues exposed by the SolarWinds attack, with a blockchain-like immutable pipeline execution process, fine-grained role-based access control features, and a means to securely store and distribute a software bill of materials for later attestation.

Netanel Davidi

"Binaries are the only way to identify backdoors -- bugs that seem innocent but are put there intentionally [by attackers]," said Netanel Davidi, co-founder and CEO at Vdoo. "[We] can scan for those backdoors and identify zero-day vulnerabilities, even on binaries from known third-party [vendors]."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.