
JFrog Integrates Runtime Security for Enhanced DevSecOps Platform


Oct 10, 2024 2 min read


JFrog has introduced JFrog Runtime to its suite of security capabilities, adding real-time vulnerability detection to its software supply chain platform. This update is aimed at developers and DevSecOps teams working with Kubernetes clusters and cloud-native applications.

JFrog Runtime enhances the security of a Kubernetes cluster by providing real-time monitoring. This allows the team to detect and prioritize security incidents based on actual risk, ensuring that they promptly address vulnerabilities. By integrating security into the development process, JFrog Runtime helps maintain the integrity of container images and ensures compliance with regulatory requirements.

JFrog Runtime complements JFrog’s existing suite of advanced security capabilities by enhancing the security measures in place for software development and deployment. A key feature, AI/ML Model Curation, allows organizations to protect their software supply chain by detecting and blocking potentially malicious ML models from open-source repositories like Hugging Face before they enter the organization. JFrog’s scalable security platform natively proxies Hugging Face, enabling developers to access open-source AI/ML models while simultaneously providing the ability to detect and block any malicious models and enforce license compliance, ensuring a safer use of AI.

Additionally, the Secure OSS Catalog functions as a "search engine for software packages", accessible through the JFrog UI or API. Supported by both public and proprietary JFrog data, this catalog offers users rapid insights into the security and risk metadata associated with all open-source software packages, thereby enhancing the security and reliability of software deployments.

Industry research shows that one in five applications contains runtime exposure, with 20 percent of all applications having high, critical, or apocalyptic issues during the execution stage. By automating security for fast-moving, dynamic applications like those that run in containers, JFrog Runtime addresses the visibility and insight needs of cloud-native environments.

One of the important challenges in cloud-native environments is managing the complexity of security across various stages of the development lifecycle. JFrog Runtime simplifies this by offering advanced triage and prioritization features. These features help security teams quickly identify and mitigate risks, allowing developers to focus on coding rather than security-related tasks.

The update also improves the handling of Google IDs and IAM binding for external resources. This makes it easier for teams to secure applications running in the cloud. Here, tools like Terraform play a crucial role. Terraform is an open-source infrastructure as code (IaC) tool that allows developers to define and provision data center infrastructure using a declarative configuration language. By parsing Google IDs when adding IAM binding to resources managed outside of Terraform, JFrog Runtime simplifies the process and reduces the potential for errors, making cloud security more accessible and reliable.

In addition to these enhancements, JFrog Runtime addresses the common issue of runtime exposure in applications. By automating security for dynamic, containerized applications, it ensures that vulnerabilities are detected and mitigated during the execution stage. This is particularly important for organizations that rely on fast-moving, dynamic applications where manual security checks are not feasible. The integration of JFrog Runtime into software supply-chain platforms also improves collaboration among R&D, DevOps and security teams.

At its core, the platform deploys real-time monitoring agents across a Kubernetes cluster, continuously scanning for potential threats. These agents feed data into an incident response engine, which prioritizes security incidents based on their severity and potential impact. This prioritization is powered by advanced machine-learning algorithms, ensuring that the most critical vulnerabilities are addressed first. Additionally, the compliance manager ensures that all container images and running instances adhere to regulatory and organizational policies. The platform's centralized dashboard provides a view of security posture, enhancing collaboration and response times.

About the Author

Mohit Palriwal
