JFrog continues to bolster its core universal repository platform with new features and strategic partnerships to provide developers with a secure, integrated DevOps pipeline.
The Sunnyvale, Calif., company's continued evolution includes partnerships with established companies to provide services around JFrog's flagship Artifactory universal repository manager. This week, JFrog partnered with RunSafe Security of McLean, Va., to help secure code as it is created.
Under the partnership, RunSafe's security software will plug into users' Artifactory repositories to protect binaries and containers in development. RunSafe's Alkemist tool adds protection to all compiled binaries as developers add them to Artifactory, said Joe Saunders, founder and CEO of RunSafe.
Alkemist plugs into CI/CD pipelines at build or deploy time. The security software hardens third-party and open source components, compiled code that developers write themselves, and containers, all as part of the same process, he said.
"We immunize software without developer friction to enable continuous delivery of code or product," Saunders said.
How RunSafe works with JFrog
Rather than scanning or testing the code, RunSafe inserts protections into the binary without changing its functionality, slowing it down or introducing any overhead.
"We eliminate a major set of vulnerabilities that are often attributed to both open source and general compiled code," Saunders said. "That is all the memory-based attacks, things like buffer overflow, etc."
RunSafe launched a beta program for developers to try the Alkemist plugin, as memory corruption-based attacks can be devastating and stopping them is no trivial exercise in most development environments.
"When a determined attacker understands the layout and memory allocations within an application, they can craft targeted exploits to devastating effect," said Chris Gonsalves, senior vice president of research at The 2112 Group in Port Washington, N.Y. "And they can keep using those attacks as long as the underlying binaries remain the same. What RunSafe does is bring reduced-friction binary hardening to app development."
RunSafe uses a "moving target approach" that changes the underlying binary in a way that keeps the app's functionality intact, while destroying the effectiveness of previous attacks, Gonsalves said.
"Just when a hacker thinks they know the precise location of a buffer overflow vulnerability and how to exploit it, boom, RunSafe's Alkemist plugin for JFrog users switches things up and effectively neutralizes the attack," he said. "This is hand-to-hand combat with the bad guys at the binary level. That it can be done with negligible performance overhead and zero change in app functionality makes it an effective and important layer of defense in DevSecOps."
RunSafe employs a process known as binary randomization to thwart intruders. The process removes the predictable memory layout that exploits depend on to reach a vulnerability in code. Randomization is typically a runtime protection, but RunSafe has built it into the development process.
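The runtime randomization the article refers to (the operating system's ASLR) can only relocate a Linux executable's own code and data if the binary was linked as position-independent; a fixed-address executable keeps the same layout on every run no matter what the kernel does. The following is an added example, not code from RunSafe, JFrog or this article: a small ELF64 header parser that a build pipeline could run over an artifact to report whether it is position-independent and whether it requests a non-executable stack. It assumes Linux ELF64 semantics and constructs its own sample images for demonstration; note that shared libraries are also ET_DYN, so the position-independence check is meaningful for executables.

```python
"""Added example: check whether a Linux ELF64 artifact was built so that the
OS's runtime randomization (ASLR) can relocate it, and whether it requests a
non-executable stack. Plain header parsing; not RunSafe's or JFrog's code.
Assumes ELF64 and Linux semantics."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs. position-independent
ELFCLASS64 = 2
PT_GNU_STACK = 0x6474E551       # program header carrying the stack permission request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def inspect_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'stack_policy': 'nx' | 'exec' | 'unspecified'}.

    'pie' is True when e_type is ET_DYN: the loader may place the image at a
    random base, so its code and data addresses differ between runs. ET_EXEC
    images are linked at fixed addresses and ASLR cannot move them (only the
    stack, heap and shared libraries still move).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fields = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    stack_policy = "unspecified"  # no PT_GNU_STACK: default is kernel/arch dependent
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            stack_policy = "exec" if p_flags & PF_X else "nx"
    return {"pie": e_type == ET_DYN, "stack_policy": stack_policy}


def build_sample_elf(e_type: int, stack_flags) -> bytes:
    """Construct a minimal ELF64 image: header plus at most one program header.

    Constructed sample for exercising the parser, not a loadable binary.
    Pass stack_flags=None to omit the PT_GNU_STACK header entirely.
    """
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                   e_type, 0x3E, 1, 0x1000,   # x86-64, version 1, entry
                                   64, 0, 0,                  # program headers follow header
                                   64, 56, phnum, 0, 0, 0)
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_elf.py /path/to/artifact
        with open(sys.argv[1], "rb") as f:
            print(inspect_elf(f.read()))
    else:
        # Constructed samples: a fixed-address binary with an executable stack,
        # and a position-independent one with a non-executable stack.
        print("legacy:", inspect_elf(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X)))
        print("hardened:", inspect_elf(build_sample_elf(ET_DYN, PF_R | PF_W)))
```

Run against a real artifact, a result of `pie: False` means the OS cannot randomize the executable's own layout at all, which is the situation the moving-target approach described above is meant to address; `stack_policy: 'exec'` means the binary explicitly asked for an executable stack.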
"What you see now, especially when you have to move faster, is a full integration with your security pipelines," said Shlomi Ben Haim, CEO of JFrog. The goal is to avoid, or quickly resolve, bugs, vulnerabilities and license compliance violations, he said. "We want to provide continuous deployment all the way to the edge, fully automated, with no script."
JFrog-Tidelift deal assures open source integrity
Regarding open source license compliance, JFrog recently partnered with Boston-based Tidelift. The companies introduced an integration between the Tidelift Subscription, a managed open source subscription, and JFrog Artifactory.
Tidelift checks that open source software it supports is clean and secure with no licensing issues. The combination of the Tidelift Subscription and JFrog Artifactory gives development teams assurance that the open source components they are using in their applications 'just work' and are properly managed, said Matt Rollender, Tidelift's vice president of global partners, strategic alliances and business development, in a blog post.
"Customers save time by being able to offload the complexity of managing open source components themselves, which means they can develop applications faster, spend less time managing security issues and build fails, while improving software integrity," said Donald Fischer, CEO of Tidelift.
As more enterprises add large amounts of open source code to their repertoires, companies like Tidelift allow developers to use open source without having to think twice. While Tidelift's approach is somewhat unusual, its competitors could include Open Collective, License Zero, GuardRails and Eficode.
"Tidelift is taking a very interesting approach to developing a way to sustainably manage the maintenance on open source software components and tools that are used at enterprise development," said Al Gillen, an analyst at IDC. "The company is filling a niche that is not readily addressed by any other solutions in the market today."
The Tidelift Subscription ensures that all open source software packages in the subscription are issue-free and are backed and managed by Tidelift and the open source maintainers who created them.
"This means comprehensive security updates and coordinated responses to zero-day vulnerabilities, verified-accurate open source licenses, indemnification and actively maintained open source components," Rollender said.
JFrog tool updates
At its SwampUp 2020 virtual conference in June, JFrog introduced several new offerings and updates to existing products.
The company introduced content delivery network (CDN)-based and peer-to-peer software package distribution mechanisms to help companies that have to deliver large volumes of artifacts to internal teams and external clients. The company also released new features for its JFrog Pipelines CI/CD offering, expanding the number of prebuilt common functions, known as "Native Steps."
In addition, JFrog introduced ChartCenter, a free community repository that provides immutable Helm chart management for developers. Helm charts are collections of files that describe a related set of Kubernetes resources.
While JFrog has made some good strategic moves, a lot of them only strengthen the company's core business as a repository, said Thomas Murphy, a Gartner analyst.
"They have a solid footprint and are very robust, but the question is, over the next three years as we see a move from a toolchain of discrete tools to integrated pipelines and value stream tooling, what do they do to be bigger and broader?" Murphy said. "I think of the growth in ability of GitLab and GitHub, and the expansion of Digital.ai and CloudBees in contrast."