JFrog connects key software supply chain management dots
JFrog ties in with GitHub and Nvidia and ships Runtime Security to offer visibility into software supply chains from source code to production and back again, including AI apps.
A new product and growing partnerships with GitHub and Nvidia by JFrog represent significant steps forward in the still-evolving field of software supply chain management, according to industry analysts.
JFrog Runtime Security, shipped this week, marks the vendor's first foray into managing software supply chain security for workloads running in production, going beyond the source code analysis and static application security testing features previously released for its Xray artifact scanning tool. The vendor also previously offered curation for open source packages, a mechanism that could block certain vulnerable libraries from running in production, as well as contextual analysis that showed which common vulnerabilities and exposures (CVEs) users had running in production and detected exposed secrets.
Now, Runtime completes the picture with bidirectional visibility and tracking of software packages from one end of the software supply chain to the other. This toolchain starts with JFrog's GitHub partnership, which connects source code in GitHub repositories with binary artifacts stored in its Artifactory repos, and now ends with data showing which packages and binaries are loaded into memory on production systems, according to CTO and co-founder Yoav Landman.
"You can examine the workloads in production and see what vulnerable artifacts are there, and then you can backtrack and go all the way back to the package, to the build that's created this package, to the source code that's created this package," Landman said. "This is the last mile. … We can have full traceability for anything in the runtime all the way to the source."
Visibility in line with NIST CI/CD guidelines
Users of JFrog and GitHub Actions can get integrated software bill of materials packages that attest to the provenance of binaries and their associated source code. Joint customers can also see GitHub Advanced Security findings together with JFrog Advanced Security findings in the same interface.
JFrog Runtime now adds an incident triage view that centralizes visibility into production issues and is searchable by container image version, CVE or workload.
"This linkage is not just about security -- if you know about an image that is leaking memory or just very slow, you can hunt it down," Landman said. "Or we can tell you that you have an outdated version in runtime, and there's a new version waiting to be deployed."
There are other software supply chain management vendors that offer similar connections between vulnerabilities and workloads in production, along with remediation assistance and patching, which JFrog Runtime doesn't yet support. But the ability to trace connections among source code, binaries, release packages and runtime workloads throughout the software development process appears unique, according to Katie Norton, an analyst at IDC.
For example, Norton said, JFrog probably comes closest to meeting new recommendations from NIST's latest guidance for DevSecOps supply chain security issued in February. Specifically, one item in that document's guidelines for CI/CD pipelines isn't well established among open source and vendor tools yet: "The inputs and outputs of each build step should be verified to ensure that the correct steps have been executed by the expected component or entity."
There still isn't anything approaching an industry standard for such a verification process or a means to evaluate the accuracy of such tools. But JFrog's tools could now potentially satisfy that requirement, Norton said.
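As an added illustration of the NIST requirement Norton cites, and not code from JFrog, GitHub or NIST: each build step records the SHA-256 digests of its inputs and outputs together with the identity of the builder that ran it, and a verifier recomputes the digests of the bytes it actually holds and compares them with the record. The example goes one step beyond the quoted guideline by also walking the attestation chain backwards from a production artifact digest to the source, which is the "backtrack to the source" traceability the article describes. Step names, the `ci-runner` builder identity and the artifact bytes are all constructed for the example.

```python
"""Verify per-step build attestations and trace a runtime artifact back to source.

Added example. An attestation here is a simplified record of one CI/CD step:
which builder executed it, the digests of what it consumed (inputs) and the
digests of what it produced (outputs). Nothing in this file is a real format.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StepAttestation:
    step: str                # hypothetical step name, e.g. "build"
    builder: str             # identity that claims to have executed the step
    inputs: Dict[str, str]   # material name -> sha256 hex recorded at build time
    outputs: Dict[str, str]  # product name -> sha256 hex recorded at build time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_step(att: StepAttestation, expected_builder: str,
                materials: Dict[str, bytes], products: Dict[str, bytes]) -> List[str]:
    """Return a list of findings for one step; an empty list means the step checks out.

    Two things are checked, matching the guideline's wording: the step was run by
    the expected entity, and the bytes we hold for every recorded input and output
    hash to the digest the attestation claims.
    """
    findings: List[str] = []
    if att.builder != expected_builder:
        findings.append(f"{att.step}: builder {att.builder!r} is not the expected {expected_builder!r}")
    for label, recorded, held in (("input", att.inputs, materials),
                                  ("output", att.outputs, products)):
        for name, digest in recorded.items():
            blob = held.get(name)
            if blob is None:
                findings.append(f"{att.step}: {label} {name!r} is missing")
            elif sha256_hex(blob) != digest:
                findings.append(f"{att.step}: {label} {name!r} digest mismatch")
    return findings


def trace_to_source(artifact_digest: str, attestations: List[StepAttestation]) -> List[str]:
    """Walk backwards from a product digest, returning the step names that led to it.

    Starting from what is running in production, find the step whose output has
    that digest, then repeat for each of that step's inputs until nothing produced
    them (i.e. they are source). An unknown digest yields an empty chain.
    """
    chain: List[str] = []
    frontier = [artifact_digest]
    seen = set()
    while frontier:
        digest = frontier.pop()
        if digest in seen:
            continue
        seen.add(digest)
        for att in attestations:
            if digest in att.outputs.values():
                chain.append(att.step)
                frontier.extend(att.inputs.values())
    return chain


# Constructed sample artifacts and attestations (not real files or builds).
SOURCE = b"def main():\n    print('hello')\n"
WHEEL = b"PK\x03\x04 constructed wheel bytes"
IMAGE = b"constructed container image layer"

ATTESTATIONS = [
    StepAttestation("build", "ci-runner",
                    {"app.py": sha256_hex(SOURCE)}, {"app.whl": sha256_hex(WHEEL)}),
    StepAttestation("containerize", "ci-runner",
                    {"app.whl": sha256_hex(WHEEL)}, {"app.img": sha256_hex(IMAGE)}),
]


if __name__ == "__main__":
    # Honest build: no findings. Tampered wheel: digest mismatch is reported.
    print(verify_step(ATTESTATIONS[0], "ci-runner", {"app.py": SOURCE}, {"app.whl": WHEEL}))
    print(verify_step(ATTESTATIONS[0], "ci-runner", {"app.py": SOURCE}, {"app.whl": WHEEL + b"!"}))
    # From the image running in production back to the source that built it.
    print(trace_to_source(sha256_hex(IMAGE), ATTESTATIONS))
```

In a real pipeline the attestation would also be signed by the builder so that the `builder` field cannot simply be asserted; this example checks identity and digests only, which is the part of the guideline that is hard to satisfy without end-to-end records of every step.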
"If you bring in curation, which is even further left than the source code, [JFrog is] going even further … tracking a package from … being brought in [from open source repositories] all the way through to what's running in production," Norton said. "The release lifecycle management capability that [JFrog] launched last year … implemented [an] immutable release bundle … that's sort of the underpinning of all of this -- of actually being able to understand [the] provenance of an open source package [with] visibility into that whole path."
JFrog-Nvidia tie-in takes on AI security anxiety
JFrog also unveiled plans to integrate its JFrog Platform with Nvidia inference microservices to inject software supply chain management into AI workloads -- another area analysts said has begun to capture the attention of enterprise IT organizations.
"Security teams have already been challenged with software supply chain security, and the key is addressing security in a way that does not disrupt development, utilizing developer tools and workflows," said Melinda Marks, an analyst at TechTarget's Enterprise Strategy Group. "JFrog has a different vantage point than most application security tools, both from vendors and open source, that gain information by scanning or other ways of observing application changes. JFrog has ways to track the code and route the needed remediation actions via developer workflows."
After about a year as a hot topic following high-profile software supply chain attacks, software supply chain security and management were drowned out by generative AI hype in 2023 and early 2024. But the two trends are beginning to come together, Marks said.
"Our research shows security teams are looking for ways to gain visibility into which code is AI-generated, and ensuring they can secure it," Marks said.
Anecdotally, Norton said she's also received more end user inquiries about software supply chain management that go beyond the basics of what it is and get into specifics about the features of available tools. A Forrester Research "Budget Planning Guide" for 2025 recommended that software supply chain security and API security should be among enterprises' top spending priorities in the next year.
However, while interest and maturity continue to grow, so do software supply chain attacks. A February report from Enterprise Strategy Group indicated that 91% of 368 IT pros surveyed between November and December 2023 reported facing software supply chain incidents within the last year. Four in 10 said those incidents had been caused by exploitations of vulnerabilities in third-party code and/or misconfigured cloud services.
Software supply chain security remains immature compared to other types of supply chains, such as in the food industry, Norton said.
"The software industry is one of the only industries where we just accept a vulnerability as an inevitability," she said. "In the food industry, there are all these recalls -- in one box of cereal, someone found a shard of metal, and everything's recalled off the shelves. In software, there are no recalls. There are patches, which is the equivalent of saying, 'Hey, everybody search their box of cereal and pull the piece of metal out of it.'"
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps.