Tag Archives: repository

JFrog taps partners, adds features to bolster DevOps platform

JFrog continues to bolster its core universal repository platform with new features and strategic partnerships to provide developers with a secure, integrated DevOps pipeline.

The Sunnyvale, Calif. company’s continued evolution includes partnerships with established companies to provide services around JFrog’s flagship Artifactory universal repository manager. This week, JFrog partnered with RunSafe Security of McLean, Va. to help secure code as it is created.

Under the partnership, RunSafe’s security software will plug into users’ Artifactory repositories to protect binaries and containers in development. RunSafe’s Alkemist tool adds protection to all compiled binaries as developers add them to Artifactory, said Joe Saunders, founder and CEO of RunSafe.

Alkemist plugs into CI/CD pipelines at build or deploy time. The security software hardens third-party open-source components, compiled code that developers write themselves, and containers as part of the same process, he said.

“We immunize software without developer friction to enable continuous delivery of code or product,” Saunders said.

How RunSafe works with JFrog

Rather than scanning and testing the code, RunSafe inserts protections into the code without changing the functionality, slowing it down, or introducing any overhead.

“We eliminate a major set of vulnerabilities that are often attributed to both open source and general compiled code,” Saunders said. “That is all the memory based attacks, things like buffer overflow, etc.”

RunSafe launched a beta program for developers to try out the Alkemist plugin, as memory corruption-based attacks can be devastating and stopping them is no trivial exercise in most development environments.

“When a determined attacker understands the layout and memory allocations within an application, they can craft targeted exploits to devastating effect,” said Chris Gonsalves, senior vice president of research at The 2112 Group in Port Washington, N.Y. “And they can keep using those attacks as long as the underlying binaries remain the same. What RunSafe does is bring reduced-friction binary hardening to app development.”

RunSafe uses a “moving target approach” that changes the underlying binary in a way that keeps the app’s functionality intact while destroying the effectiveness of previous attacks, Gonsalves said.

“Just when a hacker thinks they know the precise location of a buffer overflow vulnerability and how to exploit it, boom, RunSafe’s Alkemist plugin for JFrog users switches things up and effectively neutralizes the attack,” he said. “This is hand-to-hand combat with the bad guys at the binary level. That it can be done with negligible performance overhead and zero change in app functionality makes it an effective and important layer of defense in DevSecOps.”

RunSafe employs a process known as binary randomization to thwart intruders. This process eliminates the footing that exploits need to find and identify vulnerabilities in code. Randomization is typically a runtime protection, but RunSafe has added it into the development process.

“What you see now, especially when you have to move faster, is a full integration with your security pipelines,” said Shlomi Ben Haim, CEO of JFrog. The goal is to avoid, or quickly resolve, bugs and any vulnerability or license compliance violations, he said. “We want to provide continuous deployment all the way to the edge, fully automated, with no script.”

JFrog-Tidelift deal assures open source integrity

Regarding open source license compliance, JFrog recently partnered with Boston-based Tidelift. The companies introduced an integration between the Tidelift Subscription, a managed open source subscription, and JFrog Artifactory.

Tidelift checks that the open source software it supports is clean and secure with no licensing issues. The combination of the Tidelift Subscription and JFrog Artifactory gives development teams assurance that the open source components they are using in their applications ‘just work’ and are properly managed, said Matt Rollender, Tidelift’s vice president of global partners, strategic alliances and business development, in a blog post.

“Customers save time by being able to offload the complexity of managing open source components themselves, which means they can develop applications faster, spend less time managing security issues and build fails, while improving software integrity,” said Donald Fischer, CEO of Tidelift.

As more enterprises add large amounts of open source code to their repertoires, companies like Tidelift allow developers to use open source without having to think twice. While Tidelift is somewhat unique in its approach, its competitors could include Open Collective, License Zero, GuardRails and Eficode.

“Tidelift is taking a very interesting approach to developing a way to sustainably manage the maintenance on open source software components and tools that are used in enterprise development,” said Al Gillen, an analyst at IDC. “The company is filling a niche that is not readily addressed by any other solutions in the market today.”

The Tidelift Subscription ensures that all open-source software packages in the subscription are issue-free and are backed and managed by Tidelift and the open source maintainers who created them.

“This means comprehensive security updates and coordinated responses to zero-day vulnerabilities, verified-accurate open source licenses, indemnification, and actively maintained open source components,” Rollender said.

JFrog tool updates

At its SwampUp 2020 virtual conference in June, JFrog introduced several new offerings and updates to existing products.

The company introduced CDN-based and peer-to-peer software package distribution mechanisms to help companies that have to deliver large volumes of artifacts to internal teams and external clients. The company also released new features for its JFrog Pipelines CI/CD offering, expanding the number of pre-built common functions, known as “Native Steps.”

In addition, JFrog introduced ChartCenter, a free community repository that provides immutable Helm Chart management for developers. Helm charts are collections of files that describe a related set of Kubernetes resources.

While JFrog has made some good strategic moves, a lot of them only strengthen the company’s core business as a repository, said Thomas Murphy, a Gartner analyst.

“They have a solid footprint and are very robust, but the question is, over the next three years as we see a move from a toolchain of discrete tools to integrated pipelines and value stream tooling, what do they do to be bigger and broader?” Murphy said. “I think of the growth in ability of GitLab and GitHub, and the expansion of Digital.ai and CloudBees in contrast.”


Data center energy usage combated by AI efficiency

Data centers have become an important part of our data-driven world. They act as a repository for servers, storage systems, routers and all manner of IT equipment and can stretch as large as an entire building — especially in an age of AI that requires advanced computing.

Establishing how much power these data centers utilize and the environmental impact they have can be difficult, but according to a recent paper in Science Magazine, the entire data center industry in 2018 utilized an estimated 205 TWh. This roughly translates to 1% of global electricity consumption.

Enterprises that utilize large data centers can use AI, advancements in storage capacity and more efficient servers to mitigate the power required for the necessary expansion of data centers.

The rise of the data center

Collecting and storing data is fundamental to business operation, and while having your own infrastructure can be costly and challenging, having unlimited access to this information is crucial to advancements.

Provoking the most coverage because of their massive size, data centers of tech giants like Google and Amazon often require the same amount of energy as small towns. But there is more behind these numbers, according to Eric Masanet, associate professor of Mechanical Engineering and Chemical and Biological Engineering at Northwestern University and coauthor of the aforementioned article.

The last detailed estimates of global data center energy use appeared in 2011, Masanet said.

Since that time, Masanet said, there have been many claims that the world’s data centers were requiring more and more energy. This has given policymakers and the public the impression that data centers’ energy use and related carbon emissions have become a problem.

Counter to this, Masanet and his colleagues’ studies on the evolution of storage, server and network technology found that efficiency gains have significantly mitigated the growth in energy usage in this area. From 2010 to 2018, compute instances went up by 550%, while energy usage increased just 6% in the same time frame. While data center energy usage is on the rise, it has been curbed dramatically through the development of different strategies.

Getting a step ahead of the data center footprint

The mechanisms behind the moderated energy increases are all tied to advances in technology. Servers have become more efficient, and the partitioning of servers through server virtualization has curbed the energy required for the rapid growth of compute instances.

A similar trend is noticeable in data storage. While demand has significantly increased, the combination of storage-drive efficiencies and densities has limited the total increase in global storage energy usage to threefold. To further curb the rising appetite for data, and therefore the rising energy costs and environmental impact, companies are integrating AI when designing their data centers.

Figure: Data center efficiency gains have stalled. Data center efficiency has increased greatly but may be leveling off.

“You certainly could leverage AI to analyze utility consumption data and optimize cost,” said Scott Laliberte, a managing director with Protiviti and leader of the firm’s Emerging Technologies practice.

“The key for that would be having the right data available and developing and training the model to optimize the cost.”  

By having AI collect data on their data centers and optimizing the energy usage, these companies can help mitigate the power costs, especially concerning cooling, one of the more costly and concerning of the processes within data centers.

“The strategy changed a little bit — like trying to build data centers below ground or trying to be near water resources,” said Juan José López Murphy, Technical Director and Data Science Practice Lead at Globant, a digitally native services company.

But cooling these data centers has been such a large part of their energy usage that companies have had to be creative. Companies like AWS and GCP are trying new locations like the middle of the desert or underground and trying to develop cooling systems that are based on water and not just air, Murphy said.

Google utilizes an algorithm that manages cooling at some of their data centers that can learn from data gathered and limit energy consumption by adjusting cooling configurations.

Energy trends

For the time being, both the demand for data centers and their efficiency have grown. The advancement of servers and storage drives, together with the use of AI in the design process, has almost kept pace with the growing energy demand. This may not continue, however.

“Historical efficiency gains may not be able to outpace rapidly rising demand for data center services in the not-too-distant future,” Masanet said. “Clearly greater attention to data center energy use is warranted.”

The increased efficiencies have done well to stem the tide of demand, but the future of data centers’ energy requirements remains uncertain.


AWS leak exposes passwords, private keys on GitHub

An Amazon Web Services engineer uploaded sensitive data to a public GitHub repository that included customer credentials and private encryption keys.

Cybersecurity vendor UpGuard earlier this month found the exposed GitHub repository within 30 minutes of its creation. UpGuard analysts discovered the AWS leak, which was slightly less than 1 GB and contained log files and resource templates that included hostnames for “likely” AWS customers.

“Of greater concern, however, were the many credentials found in the repository,” UpGuard said in its report Thursday. “Several documents contained access keys for various cloud services. There were multiple AWS key pairs, including one named ‘rootkey.csv,’ suggesting it provided root access to the user’s AWS account.”

The AWS leak also contained a file for an unnamed insurance company that included keys for email and messaging providers, as well as other files containing authentication tokens and API keys for third-party providers. UpGuard’s report did not specify how many AWS customers were affected by the leak.

UpGuard said GitHub’s token scanning feature, which is opt-in, could have detected and automatically revoked some of the exposed credentials in the repository, but it’s unclear how quickly detection would have occurred. The vendor also said the token scanning tool would not have been able to revoke exposed passwords or private keys.
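The distinction in the paragraph above, between credentials a provider-side scanner can recognize and revoke on its own and those that only their owner can rotate, can be reproduced with a small repository scanner. The block below is an added example, not UpGuard’s, GitHub’s or AWS’s code; the file names and contents are constructed, and the AWS key pair is the publicly documented AWS example pair rather than a live credential.

```python
import re
from dataclasses import dataclass

# Constructed sample repository, loosely modelled on the file types the report
# describes: an AWS root key CSV, a private key and a config holding a password.
# The AWS key pair is the publicly documented AWS example pair, not a real key.
SAMPLE_REPO = {
    "rootkey.csv": (
        "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\n"
        "AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "config/mail.ini": "smtp_host=mail.example.net\nsmtp_password=hunter2\n",
    "README.md": "# Deployment notes\nNothing secret here.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    provider_revocable: bool  # True if a provider scanner could auto-revoke it


# Patterns checked line by line. An AWS access key ID has a fixed, recognisable
# shape and maps to an account, so a provider can revoke it automatically; a
# private key or a password has no such registry and must be rotated by hand.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), True),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws.{0,20}?secret.{0,5}?[=:]\s*([A-Za-z0-9/+=]{40})\b"), True),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), False),
    ("password_assignment", re.compile(r"(?i)pass(?:word|wd)?\s*[=:]\s*\S+"), False),
]


def scan_text(path, text):
    """Return one Finding per (line, pattern) hit in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, revocable in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, lineno, kind, revocable))
    return findings


def scan_repo(files):
    """Scan a {path: contents} mapping in a stable (sorted) path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings):
    """Split finding kinds by whether a provider-side scanner could revoke them."""
    auto = sorted({f.kind for f in findings if f.provider_revocable})
    manual = sorted({f.kind for f in findings if not f.provider_revocable})
    return {"auto_revocable": auto, "needs_manual_rotation": manual}


if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind} (provider-revocable={f.provider_revocable})")
    print(summarize(found))
```

Run as a pre-push check, the "needs_manual_rotation" bucket is the part a provider's token scanner would leave for the repository owner to deal with.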

The documents in the AWS leak also bore the hallmarks of an AWS engineer, and some of the documents included the owner’s name. UpGuard said it found a LinkedIn profile for an AWS engineer that matched the owner’s exact full name, and the role matched the types of data found in the repository; as a result, the vendor said it was confident the owner was an AWS engineer.

While it’s unclear why the engineer uploaded such sensitive material to a public GitHub repository, UpGuard said there was “no evidence that the user acted maliciously or that any personal data for end users was affected, in part because it was detected by UpGuard and remediated by AWS so quickly.”

UpGuard said that at approximately 11 a.m. on Jan. 13, its data leak detection engine identified potentially sensitive information that had been uploaded to the GitHub repository half an hour earlier. UpGuard analysts reviewed the documents and determined the sensitive nature of the data as well as the identity of the likely owner. An analyst contacted AWS’ security team at 1:18 p.m. about the leak, and by 4 p.m. public access to the repository had been removed. SearchSecurity contacted AWS for comment, but at press time the company had not responded.


Icelandair turns to headless CMS to improve CX

Icelandair’s web content repository has taken flight from a traditional, on-premises content management system to a headless CMS in the cloud to improve its online travel booking experience for customers.

The migration started several years ago, and remains ongoing as processes move one at a time into the headless system from Contentstack.

We spoke with Icelandair’s global director of marketing Gísli Brynjólfsson and UX writer Hallur Þór Halldórsson to discuss how they made this IT purchasing decision and what CX improvements the airline stands to gain by going to the cloud.

What was the technology problem that got Icelandair thinking about changing to a headless CMS in the cloud?

Halldórsson: When I came on to the project in 2015 we had a very old-fashioned on-premises CMS with a publishing front-end attached to it, which handled all the content for our booking site. Content managers had to go in and do a lot of cache-flushing and add code here, add code there to the site.

Figure: Icelandair jetliner in flight. Icelandair’s headless CMS is making flight reservations more efficient for customers.

Load tests during cloud containerizing experiments on AWS in 2016 made people scared the site would crash a lot; people weren’t sure the CMS could handle what was coming in our digital transformation. We started looking for another CMS, using a different one for a year that wasn’t headless — but had API functionality — but it wasn’t quite doing what we expected. We ended up trying several cloud CMS vendors and Contentstack won the contract.

What about headless CMS made sense in the context of your digital transformation plan?


Halldórsson: Headless became a requirement at one point to decouple it from the publishing end of the old CMS. We needed this approach if we wanted to personalize content for customers, which we eventually would like to do. But the ability to adapt quickly and scalability were the primary reasons to go with a headless CMS.

What features or functionality won the bid for Contentstack’s headless CMS?

Halldórsson: The way it handles localized content. We support 11 languages online and 16 locales (four different versions of English, two French), and you have to be able to manage that. Other vendors that impressed us otherwise didn’t have mature localization features. 

What is on your digital transformation roadmap over the next couple years?

Halldórsson: The first thing we did was integrate our translation process into the CMS. Before, we had to paste text into a Microsoft Word document, send it to the translation agency, wait for it to come back and paste it into the CMS. Now it gets sent to the agency via API and is delivered back. Automating that workflow was first. Next is a Salesforce integration to more quickly give salespeople and customer service agents the content we know they’re looking for. Integrating a personalization engine, too, is a dream.

Editor’s note: This Q&A has been edited for clarity and brevity.


Jaguar Land Rover, BI Worldwide share GitLab migration pros and cons

Microsoft’s proposed acquisition of popular code repository vendor GitHub also thrust competitor GitLab into the spotlight. A quarter-million customers tried to move code repositories from GitHub to GitLab last week in the wake of the Microsoft news, a surge that crashed the SaaS version of GitLab.

Enterprises with larger, more complex code repositories will need more than a few days to weigh the risks of the Microsoft acquisition and evaluate alternatives to GitHub. However, they were preceded by other enterprise GitLab converts who shared their experience with GitLab migration pros and cons.

BI Worldwide, an employee engagement software company in Minneapolis, considered a GitLab migration when price changes to CloudBees Jenkins Enterprise software drove a sevenfold increase in the company’s licensing costs for both CloudBees Jenkins Enterprise and GitHub Enterprise.

GitLab offers built-in DevOps pipeline tools with its code repositories in both SaaS and self-hosted form. BI Worldwide found it could replace both GitHub Enterprise and CloudBees Jenkins Enterprise with GitLab for less cost, and made the switch in late 2017.

“GitLab offered better functionality over GitHub Enterprise because we don’t have to do the extra work to create web hooks between the code repository and CI/CD pipelines, and its CI/CD tools are comparable to CloudBees,” said Adam Dehnel, product architect at BI Worldwide.

Figure: GitLab pipelines. GitLab’s tools include both code version control and app delivery pipelines.

Jaguar Land Rover-GitLab fans challenge Atlassian incumbents

Automobile manufacturer Jaguar Land Rover, based in London, also uses self-hosted GitLab among the engineering teams responsible for its in-vehicle infotainment systems. A small team of three developers in a company outpost in Portland, Ore., began with GitLab’s free SaaS tool in 2016, though the company at large uses Atlassian’s Bitbucket and Bamboo tools.

As of May 2018, about a thousand developers in Jaguar Land Rover’s infotainment division use GitLab, and one of the original Portland developers to champion GitLab now hopes to see it rolled out across the company.


“Atlassian’s software is very good for managing parent-child relationships [between objects] and collaboration with JIRA,” said Chris Hill, head of systems engineering for Jaguar Land Rover’s infotainment systems. “But sometimes vendors can start to get involved with other parts of the software development lifecycle that aren’t their core business, and customers get sold an entire package that they don’t necessarily want.”

A comparison between tools such as GitLab and Bitbucket and Bamboo largely comes down to personal preference rather than technical feature gaps, but Hill said he finds GitLab more accessible to both developers and product managers.

“We can give developers self-service capabilities so they don’t have to chew up another engineer’s time to make merge requests,” Hill said. “We can also use in-browser editing for people who don’t understand code, and run tutorials with pipelines and Rundeck-style automation jobs for marketing people.”

Jaguar Land Rover’s DevOps teams use GitLab’s collaborative comment-based workflow, where teams can discuss issues next to the exact line of code in question.

“That cuts down on noise and ‘fake news’ about what the software does and doesn’t do,” Hill said. “You can make a comment right where the truth exists in the code.”

GitLab offers automated continuous integration testing of its own and plugs into third-party test automation tools. Continuous integration testing inside GitLab and with third-party tools is coordinated by the GitLab Runner daemon. Runner will be instrumental in delivering more frequent over-the-air software updates to in-car infotainment systems through a third-party service provider called Redbend, which means Jaguar Land Rover vehicle owners will get automatic updates to infotainment systems without needing to visit a dealership for installation. This capability will be introduced with the new Jaguar I-Pace electric SUV in July 2018.

Balancing GitLab migration pros and cons

BI Worldwide and Jaguar Land Rover both use the self-hosted version of GitLab’s software, which means they escaped the issues SaaS customers suffered with crashes during the Microsoft GitHub exodus. They also avoided a disastrous outage that included data loss for GitLab SaaS customers in early 2017.

Still, their GitLab migrations have come with downsides. BI Worldwide jumped through hoops to get GitLab’s software to work with AWS Elastic File System (EFS), only to endure months of painful conversion from EFS to Elastic Block Store (EBS), which the company just completed.

GitLab never promised that its software would work well with EFS, and part of the issue stemmed from the way AWS handles EFS burst credits for performance. But about three times a day, response time from AWS EFS in the GitLab environment would shoot up from an average of five to eight milliseconds to spikes as high as 900 milliseconds, Dehnel said.

“EBS is quite a bit better, but we had to get an NFS server set up attached to EBS and work out redundancy for it, then do a gross rsync project to get 230 GB of data moved over, then change the mount points on our Rancher [Kubernetes] cluster,” Dehnel said. “The version control system is so critical, so things like that are not taken lightly, especially as we also rely on [GitLab] for CI/CD.”

GitLab is working with AWS to address the issues with its product on EFS, a company spokesperson said. For now, its documentation recommends against deployment with EFS, and the company suggests users consider deployments of GitLab to Kubernetes clusters instead.