Jfrog Advanced Security


Karlyn Hemmerling

Aug 4, 2024, 11:31:10 PM8/4/24
to slumimpaupho
See how these new features and the JFrog Platform identify common but hidden supply chain security issues that attackers use to compromise development, release, and deployment processes, with the following features:

JFrog Xray does not depend on an SBOM to identify dependencies. It does use the build info from Artifactory and the metadata associated with the artifacts; however, based on the package type, it can automatically identify the direct and indirect dependencies and scan them. For more information, please refer to: +Dependencies+Scan


Please refer to this +Visual+Studio+Extension page for step-by-step instructions on how to install and use the JFrog extension in VS Code. Note that there is a video demo of the extension on the same page as well.


Yes, we do expect ops and security teams to be attracted to this offering. The new advanced security solution unifies developers, operations, and security teams to safeguard the software supply chain in a holistic, hybrid, multi-cloud platform.


It works beautifully with JFrog Artifactory and, of course, with Xray. Every artifact that you upload can be scanned by advanced security. You can have actions from advanced security that, for example, alert you or deny downloading certain artifacts from Artifactory. So everything is seamless, both in the detection and in the actions that you can take, which for us is very important for the CI/CD pipeline.


So Xray is an enhanced SCA tool, or software composition analysis tool. What we do today, as a software composition analysis tool, is scan for open source vulnerabilities, open source license risk, and the operational risk associated with using open source as well. However, with advanced security, what we are allowing you to do is not only secure development but also the deployment of the application. Hence, what Xray does today with our advanced security capabilities is much more than any SCA tool can do.


So Xray uses a variety of techniques to identify a given package. This could be versions, fuzzy hashes, checksums, [inaudible 00:28:43], direct and indirect dependencies, and so on. So there are a lot of techniques Xray uses internally to identify the package and the version number associated with it.


The simplest thing you can do is look up the JFrog IDE integrations; you will see the documentation and all the information about how to enable them. There are also YouTube videos that you can look up on how to install the extensions, how to use them, and so on. So I would highly recommend that you just go to the JFrog documentation page and search for "Visual Studio extension" or "IDE extensions".


So I think the best thing I can suggest here is to look at our documentation; you can look up the exposure scanning categories on our website, or look at our release notes, which have a good amount of documentation on how Xray can scan Terraform state files and flag issues with the way you are defining infrastructure in your Terraform files.


So again, we just have to be very clear that the advanced security features are an additional subscription. Just because you get to the latest version of Xray does not mean that you will be able to use all the capabilities of this new release. You still need to request a license if you want to utilize the advanced security features.


The JFrog research team actually has a lot of good content on this, so I would refer you to research.JFrog.com. Another resource I would point you to is Forrester Research, which has done a very good analysis on this in a report called the State of Application Security for 2022. You might want to look it up; it gives you a lot of data on the trajectory of attacks and so on.


Thank you for our last question today. Do the security updates expand your reach in terms of which customers will be attracted to this offering or should they be viewed as providing more depth of coverage to the existing base?


Our dedicated team of security engineers and researchers is committed to advancing software security by discovering, analyzing, and exposing new vulnerabilities and attack methods. They respond promptly with deep research and rapidly update our database.


Their research enhances the CVE data used in JFrog Xray, providing more details, context, and step-by-step remediation for developers. Their advanced algorithms, for example contextual CVE analysis, are implemented in JFrog Xray.


Prisma Cloud can scan container images in public and private repositories on public and private registries. The registry is a system for storing and distributing container images. The most well-known public registry is Docker Hub. One of the main repositories Prisma Cloud customers use is JFrog Artifactory. This article describes how Prisma Cloud works with this registry.


With JFrog Artifactory, each image in a repository must be added as its own Registry Scanning entry in Prisma Cloud. When a repository holds more than one image, add one registry scan per image so that each is scanned properly; wildcards are not supported by Prisma Cloud at this time.


Copy the install script command from the right-hand panel; it is generated according to the options you selected. On the host where you want to install Defender, paste the command into a shell and run it.


Install NGINX on The Private JFROG Instance



Registry scanning requires a secure (HTTPS) connection, so an nginx reverse proxy that terminates TLS must be placed in front of Artifactory. Artifactory can generate a reverse proxy configuration for you in the UI under Administration -> Artifactory -> HTTP Settings.


Copy the generated configuration into your nginx config. You will need your own TLS certificate and key, placed in the directory the nginx config points to, and the certificate must chain to a CA that the Prisma Cloud scanner trusts, otherwise the TLS handshake fails before any scanning request is sent. Below is a sample configuration for reference:
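The reverse proxy described above, written out as an added example; it is neither the page's own sample nor the verbatim output of Artifactory's generator. The hostname private-jfrog.jmontufar.org is the one used in the walkthrough that follows; the certificate paths, the upstream address 127.0.0.1:8082 (the Artifactory router's default port) and the TLS protocol settings are assumptions to adjust for your installation:

```nginx
# Added example: TLS-terminating nginx reverse proxy in front of Artifactory
# for Prisma Cloud registry scanning. Paths, upstream port and TLS settings
# are assumptions, not values taken from the page.

# Plain HTTP: never serve the registry in the clear; send clients to HTTPS.
server {
    listen 80;
    server_name private-jfrog.jmontufar.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name private-jfrog.jmontufar.org;

    # Your own certificate and key (here a wildcard for *.jmontufar.org).
    # The issuing CA must be trusted by the scanner, or its handshake fails.
    ssl_certificate     /etc/nginx/ssl/wildcard.jmontufar.org.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.jmontufar.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Image layers can be large: do not cap request bodies.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;

    location / {
        proxy_read_timeout 2400s;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_pass http://127.0.0.1:8082;   # Artifactory router (assumed port)
        proxy_next_upstream error timeout non_idempotent;
        proxy_next_upstream_tries 1;

        # Tell Artifactory the externally visible scheme and host, so the URLs
        # it hands back (including Docker v2 redirects) point through the proxy
        # rather than at the plain-HTTP upstream.
        proxy_set_header X-JFrog-Override-Base-Url https://$host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after installing the file. A single server block like this is enough when your Docker repositories use Artifactory's repository-path access method; the sub-domain method needs one server_name per repository (which is where a wildcard certificate such as the one in the walkthrough becomes convenient).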


The scanner instance first resolves the DNS name private-jfrog.jmontufar.org of the JFrog instance. Route 53 answers that private-jfrog.jmontufar.org corresponds to the server with IP address 10.0.138.85. The scanner then opens a TLS handshake to 10.0.138.85, sending private-jfrog.jmontufar.org as the SNI name in its ClientHello.


NGINX matches the requested name to its default server block, begins the TLS handshake, and presents its server certificate. Because the certificate installed on NGINX is a wildcard for *.jmontufar.org and the requested name is private-jfrog.jmontufar.org, the scanner accepts the certificate as valid and proceeds (a wildcard covers exactly one label, so the same certificate would not be accepted for a name with an additional label, nor for the bare jmontufar.org). Once the handshake succeeds, NGINX forwards the scanner's scanning requests to the private JFrog instance, and the scanner transmits its report back to the Prisma Cloud Compute Console.
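The hostname check in the walkthrough above, as an added example that is not part of the original article: `name_matches` applies the RFC 6125 wildcard rule a TLS client such as the scanner uses (a leading `*.` covers exactly one non-empty label), and `show_served_cert` is the live check an operator would run against the proxy, sending the same SNI name the scanner does. The hostnames are the ones from the walkthrough plus a constructed look-alike; `show_served_cert` needs network access and is only defined, not run:

```sh
#!/bin/sh
# Added example (not the page's code): why the wildcard certificate in the
# walkthrough is accepted for private-jfrog.jmontufar.org and when it would not be.

# name_matches PATTERN HOST
# Returns 0 when certificate name PATTERN covers HOST, 1 otherwise.
# A leading "*." matches exactly one non-empty label; wildcards anywhere else
# are rejected; comparison is case-insensitive.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}
            case "$host" in
                *".$suffix")
                    prefix=${host%".$suffix"}
                    [ -n "$prefix" ] || return 1            # bare jmontufar.org
                    case "$prefix" in *.*) return 1 ;; esac  # a.b.jmontufar.org
                    return 0 ;;
                *) return 1 ;;                               # different suffix
            esac ;;
        *\**) return 1 ;;                                    # e.g. priv*.jmontufar.org
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# show_served_cert HOST [PORT]
# Live check (needs network; not run here): connect with HOST as the SNI name,
# exactly as the scanner does, and print the subject and SANs NGINX serves.
# Add -verify_hostname "$host" to s_client to let openssl apply the rule above.
show_served_cert() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Constructed inputs: the walkthrough's wildcard against several names.
for h in private-jfrog.jmontufar.org jmontufar.org a.b.jmontufar.org \
         private-jfrog.jmontufar.org.attacker.example; do
    if name_matches '*.jmontufar.org' "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
```

Save it as a script and run it with `sh`; the loop shows only private-jfrog.jmontufar.org covered. Against a real deployment, `show_served_cert private-jfrog.jmontufar.org` confirms that the proxy presents the wildcard certificate for that SNI name rather than a default self-signed one.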


By integrating Prisma Cloud with JFrog Artifactory, you can enhance your container security posture by continuously scanning images for vulnerabilities and compliance issues. This integration allows seamless monitoring and remediation, ensuring that your containerized applications remain secure throughout their lifecycle.


Omoniyi Jabaru is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers, and Kubernetes. He uses simple approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.
