
JFrog Platform ‘Crypto-Signs’ Binaries for Zero-Trust Software Lifecycle Management

26 May 2021 9:26am, by

The JFrog DevOps Platform is putting the blockchain to use, digitally signing the software binaries to document and secure their journeys through the entire development process.

JFrog’s crypto-signing functionality may be the first commercial use of blockchain technology to capture changes on a CI/CD platform, asserted JFrog founder and chief technology officer Yoav Landman. This update, and others unveiled at the company’s SwampUP user conference, being held virtually this week, are part of JFrog’s overall goal of giving enterprises, and their developers, more efficient and secure ways to manage the software development lifecycle.

The management of software binaries — the actual application after its code has been compiled into an executable program — is a huge portion of this lifecycle management, Landman said in an interview with The New Stack.

“Developers like to think about code, but in reality, what’s happening is that the transition to binary is almost immediate,” Landman said. Even in accelerated DevOps schedules, binaries are needed to build against as dependencies. “The binary that will travel all the way to the runtime, through scanning, distribution, all the QA testing for different phases, all the way to production.”

Zero-Trust Pipelines

A software development pipeline is essentially a series of events that build an application and then move it to production. Each action can be captured in a log for record-keeping and accountability. The crypto-signing augmentation of the JFrog Pipelines workflow functionality automatically signs each step, and each outcome, in the continuous integration and delivery (CI/CD) pipeline, in effect creating an immutable set of artifacts. The platform uses a blockchain, a cryptographically signed, write-only ledger, to provide proof of each pipeline action.

This approach has an obvious security benefit in that only those binaries that have been signed at each step of the process can be moved into production.

It provides cryptographic “non-disputable proof that everything that happened in the background really happened,” Landman said. Every action is signed with a private key, which is then disposed of, leaving only the corresponding public key, which is all that is needed to check that entry in the append-only log. Each entry is formatted in JSON, which is easy to read and program against.

“You have many steps in your pipeline for creating software, and for upgrading software. At the end of the day, you want to verify that what ends up in your runtime in your production is exactly the same thing that you initially built and packaged and compiled,” Landman said, pointing to the growing concern of securing the software development pipeline against attacks and malicious code.

As an example, a manager may have to approve, through ServiceNow, a software application being moved into production. This capability captures that approval point in a tamper-proof way. It can also stop software drift: minor configuration changes made by a developer that may be helpful in the short term but ultimately move the software away from the desired configuration.
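To make the scheme described above concrete, here is a small Go illustration, added here and not JFrog's own code (the article does not document the platform's ledger format): an append-only, hash-chained log in which every pipeline step and outcome is signed with an Ed25519 key generated for that entry alone, the private half is discarded, and only the public key stays with the JSON record so that any later edit, removal or reordering of a step is detected. The step names and artifact digest used with it are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry is one record in the append-only ledger of pipeline steps.
type Entry struct {
	Step, Outcome, Artifact string // the step, its outcome, and the digest of the binary it produced
	Prev, PubKey, Sig       []byte // previous entry's hash (nil for the first), ephemeral public key, signature
}

// digest is what gets signed and chained: SHA-256 of the JSON entry minus its own signature.
func digest(e Entry) []byte {
	e.Sig = nil
	b, _ := json.Marshal(e) // fixed struct field order makes this canonical
	sum := sha256.Sum256(b)
	return sum[:]
}

// Append signs a step with a key generated for this entry only; the private key is never stored.
func Append(ledger []Entry, step, outcome, artifact string) ([]Entry, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return nil, err
	}
	e := Entry{Step: step, Outcome: outcome, Artifact: artifact, PubKey: pub}
	if n := len(ledger); n > 0 {
		e.Prev = digest(ledger[n-1])
	}
	e.Sig = ed25519.Sign(priv, digest(e))
	return append(ledger, e), nil // priv goes out of scope here and is disposed of
}

// Verify replays the ledger so an edited, removed or reordered step is caught.
func Verify(ledger []Entry) error {
	var prev []byte
	for i, e := range ledger {
		if !bytes.Equal(e.Prev, prev) || len(e.PubKey) != ed25519.PublicKeySize ||
			!ed25519.Verify(e.PubKey, digest(e), e.Sig) {
			return fmt.Errorf("entry %d (%s): chain link or signature invalid", i, e.Step)
		}
		prev = digest(e)
	}
	return nil
}
```

The per-entry public key only proves that a record was not altered after it was signed; who was allowed to append it still rests on the ledger itself being append-only and access-controlled, which is the property the blockchain-style store described above is meant to supply.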

Also in the Box

Other new features revealed for the DevOps platform include Cold Artifact Storage, for archiving software artifacts that are no longer actively needed but must still be retained under regulatory requirements or corporate policies. A new security service, based on JFrog Xray, for scanning open source third-party dependencies will also be available later this year.

Also new for the platform are federation capabilities for JFrog Artifactory, allowing organizations to build out multiple software repositories and synchronize the contents across all of them. The new federated repository service offers automatic, bidirectional mirroring of all binaries across separate instances of the JFrog DevOps Platform — the different “members” of the federation. In addition to the binaries, configuration and metadata can also be mirrored.

The JFrog DevOps platform is available both as a hosted service and as stand-alone software that can be run in-house.

JFrog is sponsoring our coverage of SwampUP, so check back here, and on our Twitter account, for updates throughout the day and in the week to come.

The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: MADE, JFrog.
