JFrog Adds Runtime Platform to Secure Cloud-Native Apps Running on Kubernetes
JFrog today at its swampUP 2024 conference revealed it has added the ability to automate real-time DevSecOps workflows spanning source code to binaries deployed in Kubernetes environments.
Company CTO Yoav Landman said JFrog Runtime is designed to foster better collaboration between application developers, who need to fix vulnerabilities in source code, and cybersecurity teams, who need to remediate binaries running in production environments.
JFrog Runtime empowers users to track and centrally manage packages from various origins, organize repositories by environment types, and activate policies using the JFrog Xray vulnerability scanning tool. That capability also provides visibility into any alignment gaps that might exist between teams as they manage version control and package development, added Landman.
The overall goal is to prioritize security incidents based on their business impact in a way that streamlines workflows by making it simpler to identify whether vulnerable code has actually been loaded at runtime, along with the source and ownership of the vulnerable packages, using the JFrog Artifactory repository, he noted.
As a result, it now becomes possible to continuously analyze workloads and Kubernetes clusters in real time as cloud-native application environments are dynamically updated, said Landman.
It’s not clear what level of DevSecOps maturity organizations that have deployed cloud-native applications are achieving, but recent IDC research noted that organizations spend an average of $542 per week per application developer on security-related or DevSecOps tasks. Much of that effort may be misdirected: JFrog security researchers have previously noted that most of the vulnerabilities developers are asked to remediate are probably not as severe as they have been rated. After analyzing 212 vulnerabilities, the JFrog Security Research team downgraded the severity of 85% of the vulnerabilities rated as critical and 73% of those rated as high. JFrog researchers also found that 74% of the reported Common Vulnerabilities and Exposures (CVE) entries with high and critical CVSS scores assigned to the top 100 Docker Hub community images weren’t actually exploitable in those images.
A recent JFrog survey also found only slightly more than half of organizations are using both source code and binary scanning to secure their software supply chains.
Most application developers would, naturally, prefer to spend more of their time writing new code rather than remediating vulnerabilities in existing applications, but given the number of vulnerabilities that exist in many application environments, it’s not likely the need to rip and replace existing containers is going to abate any time soon. However, it is possible to streamline workflows in a way that ensures the most critical vulnerabilities are addressed first. Otherwise, there is a tendency to focus on the vulnerabilities that are easiest to fix, regardless of their severity.
Ultimately, more stringent software supply chain regulations will force the DevSecOps issue within many organizations. Deploying software without scanning for vulnerabilities will one day soon be considered a form of negligence, noted Landman.
In the meantime, more developers are being tasked with addressing application security issues before they become much larger problems for cybersecurity teams that are already overwhelmed, in an era where cybercriminals have become adept at discovering application vulnerabilities in a matter of minutes.