Strong DevSecOps Practices With JFrog

Cloud Development provides the ability to manage development environments in a centralized manner, allowing organizations to ensure uniform security policies and regulatory compliance across all projects. One way to implement code security policies with Strong Network is by using JFrog’s platform. In this article, we detail the process and benefits of using JFrog’s solutions to achieve this goal.

Published: January 16, 2024

Author: Laurent Balmelli & Fernando Monje


Why Strong Network’s Platform Integrates with JFrog

Strong Network’s platform is pivotal in implementing secure Cloud-based development: it manages development environments in a centralized manner, ensuring uniform security policies, compliance and regulatory adherence across all projects. By integrating with platforms such as JFrog’s, this extends to DevSecOps and code security best-practices that can be deployed automatically in secure Cloud Development Environments.
In this article, we explain how the joint use of Strong Network’s and JFrog’s platforms streamlines code security practices and integrates them transparently into every developer’s environment, together with the systematic application and auditing of these practices.

DevSecOps’ Integration Optimizes the Developer’s Experience

Through this integration, developers gain the benefit of automation across several processes, such as access to JFrog’s platform, the inclusion of JFrog’s CLI in every environment, automatic scanning for vulnerabilities and the transparent management of a secure SBOM.
These features not only bolster security but also enhance efficiency, allowing developers to focus more on coding and less on setup and security concerns, thus improving the experience. The next figure represents the various integration touchpoints.
Integration touchpoints between Strong Network's and JFrog's Platforms
Figure: Integration touchpoints: automated authentication to JFrog services and installation in VSCode, direct CLI access and deployment of best-practices such as container scanning and secure SBOM management.
In addition, JFrog’s platform is integrated with Strong Network’s platform automatically, without exposing sensitive credentials. This frees the developer from further security-related tasks while at the same time making the organization more secure.
Let’s explore in detail the features delivered when associating the two strongest platforms in secure code development available today.

Prerequisites and JFrog Platform Sign-In From Strong Network

To successfully integrate the Strong Network platform with JFrog's platform, there are a few prerequisites that must be met in order to leverage their combined strengths.
First, your organization must have deployed the self-hosted Strong Network platform and have access to the JFrog platform, either in a SaaS or a self-hosted solution. Administrative access is needed to both platforms to perform necessary initial set-up configurations.
From the Strong Network platform’s perspective, the JFrog platform is integrated as a third-party application, as shown in the next figure. The goal of this integration is to make JFrog’s services available transparently within the developer’s environment.
The whole integration is performed through the administrative settings of Strong Network’s platform; once configured, the JFrog platform becomes visible in the Integration tab of the user’s profile (figure below). This allows users to sign in to the JFrog platform from Strong Network’s.
Authentication dialogue between JFrog's and Strong Network's platforms
Figure: Users log in to the JFrog platform once from their profile and access all services from their environment without the need to provide any further authentication information.
Once signed in, the JFrog CLI becomes automatically available in the user’s environment. In turn, the integration gives every user transparent access to JFrog services. This also allows for the management of user permissions to the services and the establishment of security protocols.
In cases where the JFrog platform is being used in a SaaS model, a specific custom OAuth template provided by JFrog is necessary. The custom OAuth template must be set up and configured in accordance with JFrog's guidelines to ensure compatibility and security.
In the following paragraphs, let’s explore the features available once a user is signed in.

DevSecOps Practices’ Integration in Cloud-Based Development

One of the standout features of integrating the Strong Network platform with JFrog is the automated integration of JFrog’s CLI into any newly created environment used to build an application. Whenever a new environment is created, the JFrog CLI and services are automatically installed and authenticated within it. This seamless integration streamlines the development workflow, as developers can immediately start using JFrog's services without manual setup or authentication. It enhances efficiency and ensures a consistent configuration across all environments.
Terminal view when accessing JFrog's CLI in Strong Network
Figure: Whenever a new environment is created, the user can verify that the JFrog CLI and services are automatically installed and authenticated.

Automated Scanning of Container Images with JFrog Xray

The integration also brings the advantage of automated scanning of container images during the environment set-up using JFrog Xray. This feature is particularly crucial for maintaining high standards of security and compliance regarding the development infrastructure. As soon as an environment is created, the container image is automatically scanned, and a summary of any vulnerabilities found is displayed (see the next figure). This immediate feedback allows developers to identify and address security concerns attached to the infrastructure and tools used for development. This integration is possible because Strong Network’s platform embeds the management of environment containers as platform resources. Hence, the integration with JFrog allows the automated enforcement of infrastructure security best-practices in the development process.
CVE detection on Containers using Strong Network's Platform
Figure: Because Strong Network’s platform embeds the management of containers, the integration allows the automated enforcement of infrastructure security best-practices in the development process.
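To make concrete what "a summary of any vulnerabilities found" gives a team to act on, here is an added example (not Strong Network's or JFrog's code) that reads a scan report, summarizes findings by severity, lists the ones that already have a fixed version, and applies a severity gate of the kind a team would enforce on a base image. The JSON report, its field names (`vulnerabilities`, `severity`, `component`, `fixed_versions`), the image name and the finding ids are all constructed for this illustration and are not Xray's documented output schema.

```python
"""Summarise a container-image vulnerability scan and apply a severity gate.

Added example. The report below is CONSTRUCTED to resemble the kind of output an
image scan produces (a list of findings, each with a severity, the impacted
component and, where known, a fixed version). The field names are an assumption
for this illustration, not a documented schema.
"""
import json
from collections import Counter

# Constructed sample report (not real scan output; ids and image are placeholders).
SAMPLE_SCAN_JSON = json.dumps({
    "image": "registry.example.internal/dev-env/base:1.4.2",
    "vulnerabilities": [
        {"id": "EXAMPLE-FINDING-1", "severity": "Critical",
         "component": "openssl", "version": "1.1.1k", "fixed_versions": ["1.1.1t"]},
        {"id": "EXAMPLE-FINDING-2", "severity": "High",
         "component": "curl", "version": "7.68.0", "fixed_versions": ["7.88.1"]},
        {"id": "EXAMPLE-FINDING-3", "severity": "high",
         "component": "libxml2", "version": "2.9.10", "fixed_versions": []},
        {"id": "EXAMPLE-FINDING-4", "severity": "Medium",
         "component": "zlib", "version": "1.2.11", "fixed_versions": ["1.2.13"]},
        {"id": "EXAMPLE-FINDING-5", "severity": "Low",
         "component": "bash", "version": "5.0", "fixed_versions": []},
    ],
})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]


def summarize(report_json):
    """Return {severity: count}, normalising label case and unknown labels."""
    report = json.loads(report_json)
    counts = Counter()
    for finding in report.get("vulnerabilities", []):
        sev = str(finding.get("severity", "Unknown")).capitalize()
        counts[sev if sev in SEVERITY_ORDER else "Unknown"] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def fixable(report_json):
    """Findings that already ship a fixed version: the cheapest ones to resolve."""
    report = json.loads(report_json)
    return [(f["component"], f["version"], f["fixed_versions"][0])
            for f in report.get("vulnerabilities", []) if f.get("fixed_versions")]


def gate(report_json, max_critical=0, max_high=0):
    """Decide whether the image passes the team's policy; returns (ok, reasons)."""
    counts = summarize(report_json)
    reasons = []
    if counts["Critical"] > max_critical:
        reasons.append(f"{counts['Critical']} critical finding(s) (max {max_critical})")
    if counts["High"] > max_high:
        reasons.append(f"{counts['High']} high finding(s) (max {max_high})")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN_JSON))
    for component, current, fix in fixable(SAMPLE_SCAN_JSON):
        print(f"  upgrade {component} {current} -> {fix}")
    ok, reasons = gate(SAMPLE_SCAN_JSON, max_critical=0, max_high=2)
    print("PASS" if ok else "FAIL: " + "; ".join(reasons))
```

The gate is deliberately strict by default (no critical or high findings allowed); the `fixable` list is what a developer would look at first, since those findings are resolved by bumping the base image rather than by a workaround.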

Secure SBOM Management With JFrog Artifactory

Another significant feature is the management of a secure Software Bill of Materials (SBOM) via integrated access to JFrog Artifactory from the user’s environment. This is achieved without storing JFrog credentials in the environment or exposing them to the developer.
This approach not only simplifies the process of accessing JFrog Artifactory but also upholds stringent security protocols by ensuring that sensitive credentials are never compromised. Developers can seamlessly interact with Artifactory, retrieving and deploying whitelisted, compliant dependencies to ensure code security as needed, while the platform manages the underlying security and authentication mechanisms.
SBOM automation in Containers using Strong Network's Platform
Figure: The transparent and automated integration of JFrog Artifactory in the build process allows the production of secure and compliant code through the use of pre-approved, sanitized software libraries downloaded from JFrog’s Artifactory.
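The two ideas in this section, an SBOM that records exactly which libraries went into a build and a curated set of pre-approved dependencies, can be checked against each other. The following is an added example (not Strong Network's or JFrog's code): it parses a pinned dependency manifest, builds a CycloneDX-style component list with package URLs, and reports every component that is not in the approved set. The manifest and the approved set are constructed; in practice the approved set would be the contents of the curated Artifactory repository and the manifest would be the project's lockfile.

```python
"""Build a minimal SBOM from a pinned dependency manifest and verify every
component against an approved list.

Added example. MANIFEST and APPROVED are CONSTRUCTED. The SBOM dict follows the
CycloneDX shape (components identified by package URLs) but is a hand-built
subset, not a complete CycloneDX document.
"""
import re

# Constructed pinned manifest in requirements.txt style.
MANIFEST = """\
# application dependencies (constructed sample)
requests==2.31.0
urllib3==2.0.7
PyYAML==5.4.1
leftpad-utils==0.0.3
"""

# Constructed allow list: what the curated repository is permitted to serve.
APPROVED = {
    "pkg:pypi/requests@2.31.0",
    "pkg:pypi/urllib3@2.0.7",
    "pkg:pypi/pyyaml@6.0.1",  # only the patched release is approved
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def parse_manifest(text):
    """Yield (name, version) for each pinned line; comments and blanks are skipped."""
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            # PEP 503 normalisation so 'PyYAML' and 'pyyaml' name the same component
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
            yield name, match.group(2)


def build_sbom(text, ecosystem="pypi"):
    """Return a CycloneDX-style dict with one component per pinned dependency."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:{ecosystem}/{n}@{v}"}
        for n, v in parse_manifest(text)
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def check_against_allowlist(sbom, approved):
    """Split components into accepted and rejected purls. A rejected purl is
    either a package that was never approved or an unapproved version of one."""
    accepted = [c["purl"] for c in sbom["components"] if c["purl"] in approved]
    rejected = [c["purl"] for c in sbom["components"] if c["purl"] not in approved]
    return accepted, rejected


if __name__ == "__main__":
    sbom = build_sbom(MANIFEST)
    ok, bad = check_against_allowlist(sbom, APPROVED)
    print(f"{len(ok)} approved, {len(bad)} rejected")
    for purl in bad:
        print("  not in curated repository:", purl)
```

Matching on the full package URL (name plus version) is what makes the check useful: an approved library at an unapproved version, such as the older `pyyaml` pin above, is rejected just like an unknown package.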

JFrog VSCode Extension Pre-installed and Authenticated

Lastly, the integration ensures that the JFrog Visual Studio Code (VSCode) extension is already installed and authenticated in each IDE’s environment from its inception. This eliminates the need for developers to manually set up the extension, allowing them to immediately leverage its functionalities for enhanced productivity. The pre-authentication aspect of the extension ensures that developers can start using JFrog’s services within VSCode right away, further enhancing the overall user experience.
VSCode JFrog Extension using Strong Network's Platform
Figure: JFrog Visual Studio Code (VSCode) extension is installed and authenticated in each IDE.

Secure Cloud-Based Development Also Delivers Secure Code

The integration of Strong Network's platform with JFrog's platform services represents a significant business value for security-minded organizations. This collaboration is a demonstration of how combining leading technologies integrates DevSecOps best-practices across the development process with the use of secure cloud-based development environments.
In other words, best-practices are smoothly assimilated without interfering with the developer experience. In all, the integration brings together productivity and security, covering both the infrastructure and the software aspects from a unified perspective.
Contact me or our engineering team for any questions regarding this platform capability.
---
All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network
Copyright © 2020-2024 Strong Network All rights reserved.
