UPDATED 19:30 EDT / MAY 28 2021

SECURITY

JFrog weighs in on ensuring security throughout the DevOps process

When developing an application and moving it through the DevOps process, it is critical that organizations keep it secure, including after it is deployed.

That is especially the case when deploying Docker images. You can’t just leave a released Docker image on the shelf for a month, because vulnerabilities in it accrue over time, according to Stephen Chin, vice president of developer relations at DevOps software creator JFrog Ltd.

“There are multiple different attack vectors for people to get into your software,” Chin said. “The best defense against security vulnerabilities is to know about them quickly and to mitigate them and fix them in production as quickly as possible.”

Chin spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during DockerCon. They discussed application security for Docker images, as well as how DevOps fits into that role. (* Disclosure below.)

Solutions to prevent app vulnerabilities

“If you’re not taking the right measures to secure your production applications and to patch critical vulnerabilities in libraries you’re using, you end up with supply chain vulnerability risks like what happened with SolarWinds,” Chin stated.

When doing deployments and production, it’s imperative to ensure absolute security and check for those vulnerabilities, as well as complete traceability.

“You need a database and a log of everything you’re pushing out to production,” he said.

There is no one solution to address all these security problems; it will require its fair share of tools, according to Chin. JFrog’s offering is Xray. The product dives into the Docker image, inventorying the installed packages and the application’s libraries.

“It’s extremely important that you know what those are. You can evaluate the risk to your organization and then mitigate it as quickly as possible if there’s anything which could impact your customers,” Chin said.

The best way for organizations to address these vulnerabilities is to find them quickly, mitigate and fix them, according to Chin. Having scanning tools like Xray can help quickly identify these vulnerabilities, but it requires a fast and continuous deployment strategy, he added.

“At the end of the day, it’s the developers who both are picking the libraries and the dependencies which are going to be pushed into production,” Chin said. “They’re the ones who have to react and fix it when there’s a production incident.”

To follow through on this DevOps process, you need automation from end to end, according to Chin: everything should be automated, so that if there is a failure — whether in the build, in testing or because of a security vulnerability — the automated gate is triggered and the release process stops.

“You have automated rollbacks in production so that you can make sure that if there are issues which affect your customers, you can quickly roll back,” Chin said. “This end-to-end automation gives you the visibility and the single pane of glass to know how to manage and diagnose your DevOps infrastructure.”

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of DockerCon. (* Disclosure: JFrog Ltd. sponsored this segment of theCUBE. Neither JFrog nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
