DevSecOps Archives - SD Times
https://sdtimes.com/tag/devsecops/

JFrog helps developers improve DevSecOps with new solutions and integrations
https://sdtimes.com/devops/jfrog-helps-developers-improve-devsecops-with-new-solutions-and-integrations/
Tue, 10 Sep 2024 16:48:15 +0000

The post JFrog helps developers improve DevSecOps with new solutions and integrations appeared first on SD Times.

At its annual user conference, swampUp, the DevOps company JFrog announced new solutions and integrations with companies like GitHub and NVIDIA to enable developers to improve their DevSecOps capabilities and bring LLMs to production quickly and safely. 

JFrog Runtime is a new security solution that enables developers to discover vulnerabilities in runtime environments. It monitors Kubernetes clusters in real time to identify, prioritize, and remediate security incidents based on their risk.

It provides developers with a method to track and manage packages, organize repositories by environment types, and activate JFrog Xray policies. Other benefits include centralized incident awareness, comprehensive analytics for workloads and containers, and continuous monitoring of post-deployment threats like malware or privilege escalation.

“By empowering DevOps, Data Scientists, and Platform engineers with an integrated solution that spans from secure model scanning and curation on the left to JFrog Runtime on the right, organizations can significantly enhance the delivery of trusted software at scale,” said Asaf Karas, CTO of JFrog Security.

Next, the company announced an expansion to its partnership with GitHub. New integrations will provide developers with better visibility into project status and security posture, allowing them to address potential issues more rapidly. 

JFrog customers now get access to GitHub’s Copilot chat extension, which can help them select software packages that have already been updated, approved by the organization, and safe for use. 

It also provides a unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security, a job summary page that shows the health and security status of GitHub Actions Workflows, and dynamic project mapping and authentication. 

Finally, the company announced a partnership with NVIDIA, integrating NVIDIA NIM microservices with the JFrog Platform and JFrog Artifactory model registry. 

According to JFrog, this integration will “combine GPU-optimized, pre-approved AI models with centralized DevSecOps processes in an end-to-end software supply chain workflow.” The end result will be that developers can bring LLMs to production quickly while also maintaining transparency, traceability, and trust. 

Benefits include unified management of NIM containers alongside other assets, continuous scanning, accelerated computing through NVIDIA’s infrastructure, and flexible deployment options with JFrog Artifactory. 

“As enterprises scale their generative AI deployments, a central repository can help them rapidly select and deploy models that are approved for development,” said Pat Lee, vice president of enterprise strategic partnerships at NVIDIA. “The integration of NVIDIA NIM microservices into the JFrog Platform can help developers quickly get fully compliant, performance-optimized models quickly running in production.”

Report: Java is the language that’s most prone to third-party vulnerabilities
https://sdtimes.com/security/report-java-is-the-language-thats-most-prone-to-third-party-vulnerabilities/
Wed, 17 Apr 2024 20:05:18 +0000

According to Datadog’s State of DevSecOps 2024 report, 90% of Java services have at least one critical or higher severity vulnerability.

This compares with around 75% for JavaScript services, 64% for Python, and 50% for .NET. The average across all languages studied was 47%.

The company found that Java services are also more likely to be actively exploited compared to other languages. Fifty-five percent have suffered from this, compared to a 7% average for other languages.

Datadog believes this may be due to the fact that there are many prevalent vulnerabilities in popular Java libraries, such as Tomcat, Spring Framework, Apache Struts, Log4j, and ActiveMQ. 

“The hypothesis is reinforced when we examine where these vulnerabilities typically originate. In Java, 63 percent of high and critical vulnerabilities derive from indirect dependencies — i.e., third-party libraries that have been indirectly packaged with the application. These vulnerabilities are typically more challenging to identify, as the additional libraries in which they appear are often introduced into an application unknowingly,” Datadog wrote in the report.

The company says this serves as a reminder that developers need to consider the full dependency tree when scanning for application vulnerabilities, not just the direct dependencies.

The second major finding of the report is that the largest number of exploitation attempts comes from automated security scanners, but that most of those attacks are not harmful and are mainly a source of noise for companies trying to defend against attacks.

Only 0.0065 percent of attacks performed by automated security scanners actually triggered vulnerabilities. 

Given the prevalence of these attacks but their harmlessness, Datadog believes this underscores the need for a good system for prioritizing alerts. 

According to the report, over 4,000 high and 1,000 critical vulnerabilities were discovered by the CVE project last year. However, research published in the Journal of Cybersecurity in 2020 found that only 5 percent of vulnerabilities are ever actually exploited. 

“Given these numbers, it’s easy to see why practitioners are overwhelmed with the amount of vulnerabilities they face, and why they need prioritization frameworks to help them focus on what matters,” Datadog wrote. 

Datadog found that organizations that have made efforts to address their critical vulnerabilities succeed in removing them. Sixty-three percent of organizations that had a critical CVE at one point no longer have any, and 30% have seen the number of critical vulnerabilities reduced by half.

The company recommends that organizations prioritize vulnerabilities based on whether the impacted service is publicly exposed, the vulnerable code is running in production, or exploit code is publicly available.

“While other vulnerabilities might still carry risk, they should likely be addressed only after issues that meet these three criteria,” Datadog wrote. 
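The two recommendations above, scanning the full dependency tree rather than only direct dependencies and then ranking findings by the three criteria, as an added Python example; this is not code from the report or from Datadog, and the package names, vulnerability ids and service attributes in it are constructed for illustration.

```python
"""Constructed example: walk the full dependency tree, attribute each finding to
the direct dependency that pulled it in, then triage with the three criteria
from the report (service publicly exposed, running in production, public
exploit code). All package names, ids and service data here are made up."""
from dataclasses import dataclass

# Constructed dependency graph: package -> packages it pulls in.
DEPENDENCY_GRAPH = {
    "web-framework": ["logging-lib", "json-lib"],
    "logging-lib": ["lookup-lib"],
    "json-lib": [],
    "lookup-lib": ["net-lib"],
    "net-lib": [],
    "db-driver": [],
}

# Constructed vulnerability database:
# package -> list of (placeholder id, severity, exploit code publicly available).
VULN_DB = {
    "lookup-lib": [("VULN-0001", "critical", True)],
    "net-lib": [("VULN-0002", "high", False)],
    "db-driver": [("VULN-0003", "high", True)],
}


@dataclass
class Finding:
    vuln_id: str
    package: str
    severity: str
    path: list          # direct dependency -> ... -> vulnerable package
    exploit_public: bool

    @property
    def indirect(self) -> bool:
        # Anything more than one hop from the application is an indirect dependency.
        return len(self.path) > 1


def walk_dependencies(graph, direct_deps):
    """Return {package: path} for every package reachable from the direct
    dependencies (breadth-first, so each path is a shortest one)."""
    seen = {}
    queue = [(pkg, [pkg]) for pkg in direct_deps]
    while queue:
        pkg, path = queue.pop(0)
        if pkg in seen:
            continue
        seen[pkg] = path
        for child in graph.get(pkg, []):
            if child not in seen:
                queue.append((child, path + [child]))
    return seen


def scan(graph, vuln_db, direct_deps):
    """Findings over the whole tree, each carrying the path that introduced it."""
    findings = []
    for pkg, path in walk_dependencies(graph, direct_deps).items():
        for vuln_id, severity, exploit_public in vuln_db.get(pkg, []):
            findings.append(Finding(vuln_id, pkg, severity, path, exploit_public))
    return findings


def scan_direct_only(vuln_db, direct_deps):
    """What a direct-dependency-only scan reports, for comparison."""
    return [v[0] for pkg in direct_deps for v in vuln_db.get(pkg, [])]


def triage(findings, service_exposed: bool, in_production: bool):
    """Split findings into 'fix first' (all three criteria met) and 'later'."""
    fix_first, later = [], []
    for f in findings:
        if service_exposed and in_production and f.exploit_public:
            fix_first.append(f)
        else:
            later.append(f)
    return fix_first, later


if __name__ == "__main__":
    direct = ["web-framework", "db-driver"]
    found = scan(DEPENDENCY_GRAPH, VULN_DB, direct)
    print("direct-only scan sees:", scan_direct_only(VULN_DB, direct))
    for f in found:
        print(f.vuln_id, f.severity, "indirect" if f.indirect else "direct", " -> ".join(f.path))
    first, later = triage(found, service_exposed=True, in_production=True)
    print("fix first:", [f.vuln_id for f in first], "later:", [f.vuln_id for f in later])
```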

Other interesting findings in Datadog’s report are that lightweight container images lead to fewer vulnerabilities, adoption of infrastructure as code is high, manual cloud deployments are still widespread, and usage of short-lived credentials in CI/CD pipelines is still low.

Security, automation and developer experience: The top DevOps trends of 2024
https://sdtimes.com/devops/security-automation-and-developer-experience-the-top-devops-trends-of-2024/
Tue, 16 Apr 2024 18:00:52 +0000

If you ask most folks to describe the top DevOps trends in 2024, you’ll likely hear buzzwords like AI or DevSecOps.

Those are certainly trendy topics. But based on the work I do on an everyday basis helping businesses plan and execute DevOps strategies, I’m noticing a different set of salient trends in the world of DevOps. Although much is being said about how technologies like AI might impact DevOps, the biggest changes I’m seeing right now involve other types of solutions and techniques.

Here’s a look at what I view as the three most important DevOps trends at present, as well as a breakdown of how they are poised to change DevOps tools and processes.

Trend 1: Policy-based management and IaC drive DevOps security innovation

Security has always been a priority for most DevOps practitioners. But right now, I’m seeing DevOps teams adopting new strategies in a bid to improve the security of the applications and environments they support.

One large-scale change is greater use of cloud-based policy management as a means of enforcing security best practices in cloud environments. Teams are configuring cloud services and resources using the code-based configuration frameworks that cloud providers support, then scanning the configurations to detect risks.

This approach makes it possible to enforce cloud governance consistently, centrally and automatically. Instead of simply writing governance policies and hoping that engineers remember to follow them when they are configuring cloud resources, businesses are increasingly building automated governance guardrails via policy-based management.

In a similar vein, more and more of the DevOps teams I work with are embracing static code analysis of Infrastructure-as-Code (IaC) templates as a means of detecting risks. As with policy-based management of cloud resources, an IaC-centric approach to infrastructure provisioning makes it possible not just to automate infrastructure management, but also to identify security risks earlier in the development lifecycle.

What’s more, some teams are making use of cloud policy and IaC code scanning as a way of warning each other about security policy changes that might cause an application or service to break. They do this by inserting configuration changes into their code using “audit” mode if their configuration framework supports it, or by simply configuring IaC scanners to flag changes if an audit feature is not available. This allows engineers to detect whether a change might cause a problem for an existing deployment.

This is important because within many organizations, the security team operates separately from application teams. When the two groups lack an efficient way of communicating with each other about changes, they may end up disrupting each other’s operations – an issue I like to call the “right hand/left hand” problem. Configuration scanning provides a systematic way of ensuring that each group is on the same page when it comes time to introduce changes – and the “audit” mode approach provides a grace period that allows time to react before a change actually takes effect.
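One way to implement the audit-mode guardrail described above, as an added Python example that is not the author's code or any particular scanner's: the policy names, resource shapes and rules are constructed, loosely following the layout of a Terraform JSON plan, and the "audit" mode is the grace period the text describes.

```python
"""Added example: an IaC policy check with an 'audit' mode. A policy rolled out
in audit mode reports violations without failing the pipeline, giving application
teams time to react; switching the same policy to 'enforce' makes the same
violation block the deployment. Resources and rules below are constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed plan output, roughly the shape of resources in a Terraform JSON plan.
PLAN_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "values": {"acl": "private"}},
    {"type": "aws_s3_bucket", "name": "assets", "values": {"acl": "public-read"}},
    {"type": "aws_security_group", "name": "bastion",
     "values": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
]


@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str
    violates: Callable[[dict], bool]  # True when the resource breaks the rule
    mode: str = "enforce"             # "audit" only warns, "enforce" blocks


def bucket_is_public(values: dict) -> bool:
    # Constructed rule: any ACL other than private counts as public.
    return values.get("acl", "private") != "private"


def ssh_open_to_world(values: dict) -> bool:
    # Constructed rule: an ingress entry for port 22 from anywhere.
    return any(rule.get("from_port") == 22 and "0.0.0.0/0" in rule.get("cidr_blocks", [])
               for rule in values.get("ingress", []))


def evaluate(resources, policies):
    """Return (description, mode) pairs, one per resource that breaks a policy."""
    violations = []
    for policy in policies:
        for res in resources:
            if res["type"] == policy.resource_type and policy.violates(res["values"]):
                violations.append((f"{policy.name}: {res['type']}.{res['name']}", policy.mode))
    return violations


def pipeline_should_fail(violations) -> bool:
    """Only enforce-mode violations block; audit-mode ones are warnings."""
    return any(mode == "enforce" for _, mode in violations)


if __name__ == "__main__":
    policies = [
        Policy("no-public-buckets", "aws_s3_bucket", bucket_is_public, "enforce"),
        # New rule introduced in audit mode: visible to app teams, not yet blocking.
        Policy("no-world-ssh", "aws_security_group", ssh_open_to_world, "audit"),
    ]
    found = evaluate(PLAN_RESOURCES, policies)
    for description, mode in found:
        print(f"[{mode.upper()}] {description}")
    print("fail pipeline:", pipeline_should_fail(found))
```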

Trend 2: Doubling down on DevOps automation with GitOps

Another overarching trend that is currently reshaping DevOps is the use of GitOps to make DevOps automation more efficient and consistent.

GitOps is the use of Git (or a similar source control system) to manage automated DevOps workflows. It involves defining configurations as code, then applying them through features like GitHub Actions.

When you opt for GitOps, you move DevOps automation controls from individual workstations to centralized source control repositories. The result is the ability to track and manage all automated workflows via a central hub, which increases efficiency and mitigates issues like different engineers working with different versions of the same automation frameworks on their personal desktops.

In addition, GitOps automatically generates records of what has changed and how it has changed, since every action is logged through the source control system. This isn’t exactly documentation in the traditional sense, but it does mean that GitOps comprehensively documents every change – which is beneficial because human engineers tend not to be so thorough when it comes to documenting their actions.

To be sure, GitOps is not without its challenges. Implementing GitOps effectively requires additional skills – namely, expertise with both IaC frameworks and source control systems – that not all DevOps engineers possess. I also notice a tendency on the part of some teams to set up GitOps pipelines, but rely on manual approvals instead of automated actions to trigger changes – an approach that largely undercuts the value of automating pipelines in the first place.

However, these are challenges that teams can solve through education and by fully leaning into GitOps. In addition, techniques like automated testing of GitOps configuration code can help to build teams’ confidence in automations and reduce reliance on manual approvals.

Going forward, expect to see more and more adoption of GitOps techniques among teams seeking to level up their approach to DevOps automation. Automating individual DevOps processes like software testing and deployment won’t be enough; truly efficient organizations will turn to GitOps as a way of automating their entire DevOps workflows, end to end.

Trend 3: Investing in developer experience

Making software delivery processes more predictable and efficient is merely a step toward the ultimate goal of DevOps, which is to help developers become more productive and satisfied with their jobs.

To that end, I’m noticing a great deal of interest and investment right now in the realm of developer experience. This is playing out through two interrelated types of initiatives.

One is platform engineering, which involves creating DevOps teams that specialize in certain functions – such as network management or security – and designating them to support those functions throughout the organization. This approach reduces cognitive overhead for developers by freeing them from having to handle types of work that are not their main focus. In other words, instead of forcing developers to be DevOps generalists, platform engineering lets different teams focus on doing what they know and enjoy best – leading to greater productivity and higher levels of job satisfaction.

The other major trend currently playing out in the realm of developer experience is developer self-service. This means the ability of developers to obtain the technical solutions they need on-demand, without a complicated procurement process. In most cases, organizations enable self-service by implementing Internal Development Platforms, or IDPs, which host ready-made infrastructure resources and software environments that developers can deploy on a self-service basis.

There are risks inherent in these trends. They require specialized types of skills, and when poorly implemented, platform engineering and IDP solutions can create more problems than they solve. However, when you ensure that your teams have the requisite expertise, and when you deploy a carefully planned IDP that gives developers access to the resources they actually need, you’re likely to see a significant reduction in friction within your organization, and a boost in developer productivity and happiness.

Conclusion

Admittedly, discussing DevOps trends that center on security, automation and developer experience may not be as exciting as debating whether AI will take away DevOps engineers’ jobs. But if you want to know what’s actually changing in the world of DevOps – as opposed to which conversations are most hype-worthy – these are the places to look.

Security, automation and developer experience are also among the domains of DevOps where there is a great deal of opportunity at present to innovate – and, indeed, where adopting new tools and techniques will be critical for organizations that don’t want to be left behind as DevOps evolves.

JFrog announces partnership with AWS to streamline secure ML model deployment
https://sdtimes.com/jfrog/jfrog-announces-partnership-with-aws-to-streamline-secure-ml-model-deployment/
Wed, 17 Jan 2024 16:25:32 +0000

JFrog introduced a new integration between JFrog Artifactory and Amazon SageMaker to streamline the process of building, training, and deploying machine learning (ML) models. This integration will allow companies to manage their ML models with the same efficiency and security as other software components in a DevSecOps workflow. 

In the new integration, ML models are immutable, traceable, secure, and validated. Additionally, JFrog has enhanced its ML Model management solution with new versioning capabilities, ensuring that compliance and security are integral parts of the ML model development process.

“As more companies begin managing big data in the cloud, DevOps team leaders are asking how they can scale data science and ML capabilities to accelerate software delivery without introducing risk and complexity,” said Kelly Hartman, SVP of global channels and alliances at JFrog. “The combination of Artifactory and Amazon SageMaker creates a single source of truth that indoctrinates DevSecOps best practices to ML model development in the cloud – delivering flexibility, speed, security, and peace of mind – breaking into a new frontier of MLSecOps.”

A Forrester survey found that half of data decision-makers see applying governance policies to AI/ML as a major challenge for its widespread use, and 45% view data and model security as a key issue.

JFrog’s integration with Amazon SageMaker addresses these concerns by applying DevSecOps best practices to ML model management. This allows developers and data scientists to enhance and speed up the development of ML projects while ensuring enterprise-grade security and compliance with regulatory and organizational standards, JFrog explained.

JFrog has also introduced new versioning capabilities in its ML Model Management solution, complementing its Amazon SageMaker integration. These capabilities integrate model development more seamlessly into an organization’s existing DevSecOps workflow. According to JFrog, this enhancement significantly increases transparency regarding each version of the model.

Digital.ai to Launch Denali, Latest Version of its Open, AI-Powered DevSecOps Platform, to Accelerate Enterprise Software Delivery at Scale
https://sdtimes.com/ai/digital-ai-to-launch-denali-latest-version-of-its-open-ai-powered-devsecops-platform-to-accelerate-enterprise-software-delivery-at-scale/
Wed, 25 Oct 2023 14:33:37 +0000

Raleigh, NC – October 25, 2023 – Digital.ai, the leading provider of AI-powered software delivery solutions for the enterprise, today announced the launch of Denali, the latest release of its AI-powered DevSecOps platform, exemplifying its commitment to delivering an open platform tailored to the needs of the modern enterprise. The platform allows companies to harness the potential of AI while effectively addressing the complexities organizations need to overcome to deliver high-quality and secure software, at scale.

Denali ensures compatibility with the latest operating systems and development frameworks and optimizes performance of the most critical applications. With Denali, organizations can leverage the power of AI to further automate software delivery and orchestrate and govern code from AI-assisted development, while gaining better insights across each phase of the software delivery lifecycle — saving developers time and improving their access to knowledge. Additional enhancements such as self-guided workflows, templates and best practices create efficiencies and alignment around measurable goals. Denali also provides comprehensive support for cloud-native application development, and features additional integrations with Terraform by HashiCorp, Azure Bicep, Azure Key Vault and AWS Secrets Manager.

Derek Holt, CEO of Digital.ai, said, “As companies embark on their AI adoption journey, we are seeing exponential improvements in application development. But with the vast adoption of AI code-assist tools, the question becomes, can DevSecOps processes, teams, and tools keep up with developer improvements? Businesses need to support an enhanced developer experience while overcoming roadblocks in their release pipelines, toolchains and security challenges. We have designed Denali to empower teams at every stage of the software development lifecycle (SDLC), helping to align developer outcomes with business strategy and accelerate innovation throughout the enterprise.”

“Our partnership with Digital.ai is focused on enabling secure digital transformation at leading financial services companies,” said Jhonny Telles, Leadcomm’s Director of Digital Transformation. “Ongoing R&D is crucial for us, and Digital.ai continually reinvests in their solution so that together, we can meet the fast-evolving needs of banking customers and help them deliver innovative applications that work for their customers. The new ARM Protection feature is an example of how Digital.ai makes application protection significantly easier while also eliminating extra steps.”

Denali enables enterprise teams to:

● Deliver high-quality, secure apps at scale by supporting more iOS development frameworks and by providing ARM protection for iOS applications running in these new environments

● Utilize the power of AI to further automate software delivery through improved access to product knowledge, expanded test coverage across teams, and better release orchestration and code governance from AI-assisted development

● Enhance the developer experience by aligning developer outcomes to business strategy, increasing developer efficiency, and improving cloud strategy & transformation across hybrid environments

Greg Ellis, General Manager, Application Security, added, “Security risks are growing in quantity and complexity. Our new security enhancements for web applications, including the creation of a new proprietary language that is interpretable by a new virtual machine, exemplifies our commitment to continue to make the task of reverse engineering applications as frustrating as possible for threat actors.”

Availability

The Denali release of Digital.ai’s AI-Powered DevSecOps Platform is generally available today. Digital.ai solutions can be easily integrated into existing processes, applications, and infrastructure to optimize existing investments.

To learn more about all the latest capabilities or to view solution-focused videos please visit: Digital.ai AI-Powered DevSecOps Platform – Denali Release

To read the blog post with more details, please visit: LINK.

For more information about Digital.ai, visit Digital.ai.

GitGuardian unveils “HasMySecretLeaked” to bring leak detection to DevOps pipelines
https://sdtimes.com/security/gitguardian-unveils-hasmysecretleaked-to-bring-leak-detection-to-devops-pipelines/
Tue, 17 Oct 2023 18:10:18 +0000

GitGuardian introduced a free tool called ‘HasMySecretLeaked’ to assist security engineers in proactively checking if their organization’s confidential information has been exposed on GitHub.com. 

This tool addresses the challenge of safeguarding secrets in the cloud-native application development realm, where organizations struggle with secrets spreading across developer tools. According to the company, these secrets are also at risk of being leaked, especially during off-hours, and might end up in personal GitHub repositories outside the organization’s reach. 

“HasMySecretLeaked” is a private database with over 20 million records of hashed secrets leaked in public sources, including GitHub.com. Users query the database by submitting a hashed version of their secret in the search console, and GitGuardian looks for exact matches without revealing any other secrets or their locations.

“Knowing whether your ‘vaulted’ secrets have leaked publicly is just one API call away. We built a privacy-safe and secure process that returns an unequivocal answer to the crucial question: Has my secret leaked?” said Eric Fourrier, co-founder and CEO of GitGuardian.

Starting today, GitGuardian users can use the ‘HasMySecretLeaked’ tool directly through the ggshield command-line interface. Additionally, ggshield has plugins for retrieving secrets from tools like HashiCorp Vault and AWS Secrets Manager, allowing users to inspect them for leaks in local environments. 

This feature is also integrated into the GitGuardian Platform, which notifies security teams if hardcoded secrets in organization-owned repositories, Slack workspaces, or Jira projects are accidentally exposed in public sources beyond the organization’s control or visibility.

GitGuardian actively scans every public commit on GitHub to identify potential leaks of sensitive information, such as API keys, database access credentials, and developer secrets. In 2020, it detected 3 million exposed secrets, and this number increased to 6 million in 2021, with a jump to 10 million in 2022.

CloudBees has a new DevSecOps platform specifically for platform engineering
https://sdtimes.com/devops/cloudbees-has-a-new-devsecops-platform-specifically-for-platform-engineering/
Thu, 14 Sep 2023 18:54:42 +0000

CloudBees has announced a new DevSecOps platform that was built with platform engineering in mind. 

Platform engineering is a discipline that brings together several different roles and integrates siloed technology into a single platform.

The new platform centers the developer experience, minimizing cognitive loads and making DevOps processes invisible. It achieves this through blocks, automations, and “golden paths.” 

The platform is also open and extensible so that platform engineers can make use of other DevOps tools in the industry, including CloudBees’ Jenkins. “This flexibility to orchestrate any other tool enables organizations to protect the investments they have already made in tooling. Teams can continue to use their preferred technologies simply by plugging them into the platform,” CloudBees wrote in a press release.

It uses a self-service model to enable developers to be more autonomous and not have to wait on others for automations, actions, or resources.

The platform also centers security and includes out-of-the-box workflow templates with security measures already built in. CloudBees abstracts away sensitive information out of the pipeline, such as passwords and tokens. 

It also includes automated DevSecOps capabilities, such as security checks of source code, binaries, cloud environments, data, and identity. These checks are made possible by utilizing the Open Policy Agent project. 

The new platform also comes with frameworks for security standards like FedRAMP and SOC 2.

“Today we are announcing the most open and extensible platform on the market, architected for cloud scale and the problems developers and platform teams face today,” said Shawn Ahmed, chief product officer of CloudBees. “Over the past 24 months we have listened, crafted, iterated, and developed a solution based on thousands of unique points of feedback. Time and time again, customers highlight the challenges in going fast, staying secure and improving developer experience. The CloudBees platform is the culmination of our commitment to reshaping the DevSecOps landscape. Our new platform empowers developers, unifies teams, and accelerates innovation while offering unprecedented flexibility and choice.”

Digital.ai updates platform to offer better predictive analytics
https://sdtimes.com/devsecops/digital-ai-updates-platform-to-offer-better-predictive-analytics/
Wed, 19 Jul 2023 14:48:31 +0000

The post Digital.ai updates platform to offer better predictive analytics appeared first on SD Times.

]]>
The DevSecOps provider Digital.ai has announced new capabilities to its platform to provide customers with better predictive analytics across the software development life cycle. 

New predictive intelligence features include Flow Acceleration, which predicts development cycle times; Quality Improvement, which provides early detection of defects; Change Risk Prediction, which identifies risky changes, reduces change failure, and manages risk before production; and Service Management Process Optimization, which can be used to anticipate future service risks. 

The company is also providing capabilities that will help companies manage the impact or risk of generative AI, such as scoring methods for ranking code changes that have higher risks, workflow templates based on industry best practices, and policies and regulatory controls. 

The company also teased upcoming features that use generative AI. Test Creation will make it easy to create and update test cases based on feature requirements. User Story Generation will be able to create requirements and user stories based on product descriptions. Knowledge Assistant will identify useful information in planning repositories, and Threat Insight will share recommended changes to protect applications.

“There is little doubt that this next wave of AI has and will continue to change how teams plan, build, test, secure, deliver and monitor software. At Digital.ai, we have been building up for this moment for over a decade,” said Derek Holt, CEO of Digital.ai. “Our DevSecOps Platform has a proven track record in helping the world’s largest enterprise organizations to responsibly leverage AI to deliver software and automate delivery workflows. Today’s announcement regarding the evolution of our market-leading portfolio marks a major milestone in allowing the world’s largest enterprises to leverage AI safely and responsibly.”

GitLab 16 offers new AI-powered DevSecOps platform https://sdtimes.com/devops/gitlab-16-offers-new-ai-powered-devsecops-platform/ Mon, 22 May 2023 20:53:20 +0000 https://sdtimes.com/?p=51208

The post GitLab 16 offers new AI-powered DevSecOps platform appeared first on SD Times.
GitLab today unveiled its newest major release, GitLab 16. This brings users new DevSecOps platform-wide capabilities as well as multiple features that the company is planning to roll out throughout the year.

This release provides an enterprise-grade, AI-powered DevSecOps platform with features geared at helping customers write better code faster. Users also gain security testing and analysis, observability, and proactive vulnerability detection.

Current AI-powered features include Suggested Reviewers, Explain This Code, Explain This Vulnerability, and Value Stream Forecasting. A few features have not yet been released, such as Refactor This Code and Resolve This Vulnerability.

GitLab 16 also automates software delivery and secures users' end-to-end software supply chains. It enables enterprises to start, scale, and secure their software supply chains while gaining increased visibility into their threat landscape and establishing policies that ensure compliance standards are met and accelerate the delivery of secure software.

Additionally, GitLab Dedicated is slated for release this coming summer, and is a single-tenant SaaS solution intended to offer organizations in regulated fields a DevSecOps platform that focuses on data residency, isolation, and private networking.

“Developers are under tremendous pressure to ship software faster than ever before to keep up with the speed of the market, and too often that leaves security as an afterthought,” said Mark Portofe, director of platform engineering at CARFAX. “GitLab’s DevSecOps platform proves that security and efficiency are not mutually exclusive by integrating security seamlessly throughout development workflows and enabling us to ship software faster. With the implementation of GitLab, we’ve seen a 33% decrease in vulnerabilities in less than a year, as well as a 20% year-over-year increase in deployments.”

With GitLab 16, users also gain access to Value Stream Analytics to assist teams in visualizing and managing the DevSecOps workflow all the way through to delivery. Lastly, the Value Stream Dashboard offers an enterprise-wide view of DORA metrics, cycle times, and other important metrics such as critical vulnerabilities and deployment frequency. 

More information can be found on the website.

Tackling today’s software supply chain issues with DevOps-centric security https://sdtimes.com/security/tackling-todays-software-supply-chain-issues-with-devops-centric-security/ Fri, 27 Jan 2023 18:25:25 +0000 https://sdtimes.com/?p=50187

The post Tackling today’s software supply chain issues with DevOps-centric security appeared first on SD Times.
Developers, and the software they develop, are the most popular attack vector for today’s hackers and bad actors. The many development tools and processes, not to mention thousands of open-source libraries and binaries, all introduce opportunities for malicious or even accidental injection of risk across the entire software supply chain.  In response to this expanding threat landscape, developers, security leaders, and operations teams are struggling to find a more effective way to secure their software ecosystem.

Increasingly, organizations are adopting DevSecOps, which focuses on “shift left” security, the idea of introducing security practices earlier in the software development life cycle. Practically speaking, however, DevSecOps is more of an overall strategy or approach than a concrete set of responsibilities assigned to a specific group or individual. DevSecOps is best used to define how an organization addresses product security, or to establish a cultural and technical “shift left” within the integrated development environment. It can also provide an organizational framework for coordinating security efforts between compliance, security and development teams.

The reality, however, is that while both security and development teams are committed to fortifying the business, collaboration between the two groups can be challenging.  A company’s security teams are tasked to do whatever it takes to secure the business, while developers prefer to write quality code instead of spending their day fixing vulnerabilities.

It is the DevOps team that in fact owns the specific responsibilities, tasks and budget needed to secure the software supply chain.

Defining DevOps-Centric security

As the name implies, DevOps teams manage the operational side of software development and are responsible for each step of the software development life cycle (SDLC).  While security teams set policies and development teams write code, DevOps teams manage the SDLC workflow. They are the actual owners of the software supply chain.

DevOps teams are also the logical owners for software supply chain security.  DevOps teams have the resources, skills and accountability to identify and address security issues across the entire DevOps workflow, from development to runtime to deployment. DevOps teams are involved in every step of the software development process, so they’re ideally suited to serve as a bridge between security teams, responsible for compliance and business requirements, and development teams, which can get overwhelmed with security requests, processes and regulations that are not their core competency.

DevOps-centric security delivers an end-to-end view of an organization’s software supply chain and flags a multitude of vulnerabilities and weaknesses such as CVEs, configuration issues, secrets exposure, and infrastructure-as-code violations. It also suggests remediation strategies at each stage of the software development life cycle, from code to container, to device.

How does DevOps-Centric security work?

A DevOps-centric approach to security builds on the rigorous process and continuous, automated testing that’s the hallmark of all DevOps teams. More importantly, it guides organizations with a clear understanding of each vulnerability and suggests actions to efficiently fix the issues.

Focus on binaries as well as source code

The modern software supply chain has just one core asset that is delivered into production: the software binary, which takes many forms – from package, to container, to archive file.  Attackers are increasingly focusing on attacking binaries, as they contain more information than source code alone. By analyzing the binary as well as the source code, DevOps teams can provide a more complete picture of any impact or point of exploitation. This helps eliminate complexity and streamlines security detection, assessment, and remediation efforts.

Contextual analysis: Determining which vulnerabilities, weaknesses, and exposures need remediation and the most cost-effective way to do it

Serious vulnerabilities are being identified daily through the efforts of researchers and bug bounty programs.  Yet these CVEs may or may not be exploitable, depending on factors such as the application’s configurations, use of authentication mechanisms, and exposure of keys. DevOps-centric security looks at the context in which software is operating to prioritize and recommend how to remediate vulnerabilities quickly and effectively, without wasting developers’ time on non-applicable issues.  It’s particularly important to be able to scan and analyze containers for open-source vulnerabilities, since the use of containers to hide malicious code is now on the rise.
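As an added illustration of the contextual analysis described above (example code, not any vendor's scoring logic), a small Python prioritiser rescales each finding's CVSS base score by the context the article names: whether the vulnerable package is actually loaded, whether it is network-exposed, whether the path sits behind authentication, and whether a key or secret is reachable from it. The findings, identifiers and weights are constructed for this example.

```python
"""Context-aware CVE prioritisation: constructed example, constructed weights."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str               # placeholder identifier, not a real advisory
    package: str
    cvss: float            # base score from the advisory (0-10)
    loaded: bool           # is the vulnerable package imported/loaded at runtime?
    network_exposed: bool  # does the affected component accept network traffic?
    auth_required: bool    # is the vulnerable path only reachable after authentication?
    secret_exposed: bool   # can a key or secret be reached from the affected component?


def contextual_score(f: Finding) -> float:
    """Scale the base CVSS score by deployment context (constructed weighting).

    Code that is never loaded is parked (score 0); unauthenticated network
    exposure multiplies the score; an authenticated-only path reduces it; a
    reachable secret adds a fixed penalty. The result is clamped to 10.
    """
    if not f.loaded:
        return 0.0
    score = f.cvss
    if f.network_exposed and not f.auth_required:
        score *= 1.5
    elif f.auth_required:
        score *= 0.6
    if f.secret_exposed:
        score += 2.0
    return round(min(score, 10.0), 1)


def prioritise(findings):
    """Return (cve, score) pairs, highest contextual score first; non-applicable findings are dropped."""
    scored = [(f.cve, contextual_score(f)) for f in findings]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample findings; note the raw CVSS order is 0001, 0003, 0002, 0004.
SAMPLE = [
    Finding("CVE-0000-0001", "libparse", 9.8, loaded=False, network_exposed=True, auth_required=False, secret_exposed=False),
    Finding("CVE-0000-0002", "httpd-mod", 7.5, loaded=True, network_exposed=True, auth_required=False, secret_exposed=True),
    Finding("CVE-0000-0003", "admin-ui", 8.1, loaded=True, network_exposed=True, auth_required=True, secret_exposed=False),
    Finding("CVE-0000-0004", "imgconv", 6.5, loaded=True, network_exposed=False, auth_required=False, secret_exposed=False),
]

if __name__ == "__main__":
    for cve, score in prioritise(SAMPLE):
        print(cve, score)
```

With context applied, the unloaded 9.8 finding drops out entirely and the 7.5 finding that is both unauthenticated and adjacent to a secret moves to the top.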

Providing a holistic view of the software supply chain

Through their involvement in each step of the software development process, DevOps teams offer a holistic view of a company’s software supply chain and all its weaknesses. DevOps-centric security analyzes binaries, infrastructure, integrations, releases, and flows all in one place, eliminating the confusion of disparate security systems with varying or limited information and inconsistent reporting. Thus, when you implement security using DevOps processes, you not only scan to identify problems within the software, but also help developers prioritize and fix them quickly and easily.
