Remember when you were a teenager, and your parents would go away for the weekend, so you threw a party at your house for a few close friends, and then 500 people you don’t even know showed up? And then you wake up the next morning and realize someone took your mother’s gold necklace?
That’s a lot like the dependencies in today’s modern application development. And because these third-party components have dependencies of their own, there are many points of entry through which a malicious actor can grab your data or bring your application down for ransom.
A coder is an artist, Bill Manning, solution engineering manager at JFrog, likes to say. They create their palettes of language and tools for the problems they’re trying to solve. They understand the resources in the company. But at the same time, with the largest threat to software being third-party transitive dependencies, there’s been a big increase in the tax created by attacks or downtime.
“Everybody always talks about SolarWinds, which was a fifth-level transitive dependency attack that came in under the radar,” Manning said. “It’s very easy to infiltrate these communities, because we’re very trusting. I’m part of the open-source community, and the more contributions we have the better. But at the same time, you can’t vet everybody, and the thing is that’s where these malicious packages come in.”
Manning explained that JFrog, through its Artifactory repository and its Xray software composition analysis tool, can screen these dependencies for potential vulnerabilities before the code is even released to the developer for use. “A developer requests a third-party dependency and all the indirect transitive dependencies that come with it,” he said. “We have the ability to actually pre-evaluate it before it even gets into the developer’s hands. What we say is ‘block unscanned artifacts.’”
If it meets the criteria defined by the company as to which third-party components or libraries can be used, “we would then release it to the developer or tool set,” Manning said. “If not, we will actually send them a message that the things they were requesting have some potential threat, something such as a malicious component to it, a security vulnerability or maybe a license compliance issue.”
JFrog can also indicate what it calls operational risk, which measures how old or outdated – or even abandoned – an open-source component or library is. Manning estimates that 75% of open-source libraries are abandoned or outdated over time.
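The gate Manning describes in the preceding paragraphs (pre-evaluate a requested dependency and everything it pulls in transitively, refuse anything unscanned, and block on malicious, vulnerability, license or operational-risk grounds), as an added example that is not JFrog's code and uses no Artifactory or Xray API; the artifact catalogue, scan results, policy thresholds and the fixed evaluation date are all constructed.

```python
from datetime import date
# Constructed artifact metadata keyed by "name@version" (not a real registry); None
# marks an artifact that was never scanned, which "block unscanned artifacts" must refuse.
CATALOG = {
    "webapp-kit@2.1.0":  {"deps": ["json-helper@1.4.2", "log-fast@0.9.0"],
                          "max_cvss": 0.0, "license": "MIT", "malicious": False,
                          "last_release": date(2024, 3, 1)},
    "json-helper@1.4.2": {"deps": ["str-utils@3.0.1"], "max_cvss": 7.5,
                          "license": "Apache-2.0", "malicious": False,
                          "last_release": date(2023, 11, 20)},
    "str-utils@3.0.1":   {"deps": [], "max_cvss": 0.0, "license": "GPL-3.0",
                          "malicious": False, "last_release": date(2019, 1, 5)},
    "clean-lib@1.0.0":   {"deps": [], "max_cvss": 3.1, "license": "MIT",
                          "malicious": False, "last_release": date(2024, 1, 10)},
    "log-fast@0.9.0":    None,
}
# Constructed policy: the criteria every artifact in the request must meet.
POLICY = {"max_cvss": 7.0, "denied_licenses": {"GPL-3.0"}, "max_age_days": 730}

def resolve(root, catalog):
    """Walk the transitive dependency graph; return (all artifacts, unscanned ones)."""
    seen, unscanned, stack = [], [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        meta = catalog.get(name)
        if meta is None:            # unknown or never scanned: cannot be evaluated
            unscanned.append(name)
        else:
            stack.extend(meta["deps"])
    return seen, unscanned

def evaluate(root, catalog, policy, today=date(2024, 6, 1)):
    """Decide whether to release the request (fixed 'today' keeps the example deterministic)."""
    seen, unscanned = resolve(root, catalog)
    findings = [f"{n}: unscanned artifact, blocked until scanned" for n in unscanned]
    for name in seen:
        meta = catalog.get(name)
        if meta is None:
            continue
        if meta["malicious"]:
            findings.append(f"{name}: flagged as malicious component")
        if meta["max_cvss"] > policy["max_cvss"]:
            findings.append(f"{name}: CVSS {meta['max_cvss']} exceeds {policy['max_cvss']}")
        if meta["license"] in policy["denied_licenses"]:
            findings.append(f"{name}: license {meta['license']} not permitted")
        if (today - meta["last_release"]).days > policy["max_age_days"]:
            findings.append(f"{name}: operational risk, no release in {policy['max_age_days']} days")
    return {"release": not findings, "findings": findings}
```

A single unscanned or non-compliant transitive dependency is enough to hold back the whole request, and every finding names the offending artifact so the developer gets the detail the text says they need to decide for themselves.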
Yet with the need for organizations in very competitive markets to release more quickly, reliance on open-source libraries can help them take advantage of emerging opportunities. “With the promise of DevOps, ‘you build it, you own it.’ And the whole concept of shift left is, how do you give security tools to developers, but do it in such a way that it’s not completely obtrusive, but at the same time gives them enough detail and information where they can make the cognitive choice on their own. Every organization has to determine how fast is fast enough; it’s one of the tradeoffs.”
The biggest problem most companies run into is the level of remediation and the time it takes. If a build has, for example, 287 vulnerabilities, you’re pulling engineering resources away to research the vulnerabilities. That, Manning said, is going to take time, no matter how many people you have. And that, he added, will lead to things like loss of revenue and damage to your reputation. In the recent JFrog TEI report by Forrester, it was noted that JFrog’s automated vulnerability and compliance workflows reduced time spent on open-source research tasks by 30% and increased operational efficiency, worth $6.7 million over three years.
The VP DevOps & Engineering Manager at a multi-billion dollar Financial Services company commented in the JFrog TEI report by Forrester that “JFrog definitely [provides] a good amount of coverage, especially with the latest-day integration, which gives us the assurance of additional security scrutiny and scanning before the artifact is even brought into our environment — that definitely helps.”