JFrog announces Runtime launch alongside NVIDIA and GitHub partnerships at swampUP

Sept. 10, 2024
JFrog Runtime is designed to allow enterprises to integrate security into every step of the development process.

JFrog Ltd., the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today announced the addition of JFrog Runtime to its suite of security capabilities, empowering enterprises to seamlessly integrate security into every step of the development process, from writing source code to deploying binaries into production.

The JFrog Platform streamlines collaboration between developers and security teams, automating DevSecOps tasks to save time and strengthen security for modern, cloud-native application development. It equips teams to monitor Kubernetes clusters in real time, enabling them to identify, prioritize, and quickly address security incidents based on actual risk. Additionally, it helps ensure image integrity and helps meet compliance requirements effectively.

"As organizations increasingly shift left to combat today’s growing threat landscape, the disconnect among siloed tools places additional strain on developers, security, and MLOps teams," said Asaf Karas, CTO of JFrog Security. "Companies can alleviate this burden by adopting a unified platform that provides end-to-end visibility, remediation, and traceability across the development and security processes. By empowering DevOps, Data Scientists, and Platform engineers with an integrated solution that spans from secure model scanning and curation on the left to JFrog Runtime on the right, organizations can significantly enhance the delivery of trusted software at scale."

A recent IDC survey sponsored by JFrog found that organizations spend an average of $542 per week per developer on security-related or DevSecOps tasks, equating to $1.89 million annually. Developers want to focus on coding, while security teams prioritize risk mitigation.

JFrog Runtime empowers users to track and manage packages from various origins, organize repositories by environment types, and activate JFrog Xray policies, ultimately fortifying security from code to runtime. As part of the JFrog Platform, Runtime also addresses the visibility and alignment gaps among teams, optimizing version control and package development, while ensuring R&D, DevOps, and security teams can collaborate effectively and efficiently, saving developers hours of valuable time.

"Runtime security is critical for our customers as it ensures that their applications remain protected while in operation. With the increasing complexity of cloud environments and the rise of containerized applications, real-time visibility into potential vulnerabilities is essential," said Paul Goldman, CEO, iTMethods. "JFrog Runtime will help enhance our customers' security posture by allowing them to rapidly detect and respond to threats, thus safeguarding their data and maintaining trust in their cloud services."

Industry research shows that one in five applications contains runtime exposure, with 20 percent of all applications having high, critical, or apocalyptic issues during the execution stage. By automating security for fast-moving, dynamic applications like those that run in containers, JFrog Runtime security addresses the unique visibility and insight needs of cloud-native environments.

Key features and benefits of JFrog Runtime include:

  • Real-Time Vulnerability Visibility: Gain real-time insights into vulnerabilities within your runtime environment.

  • Accelerated Triage with Advanced Prioritization: Streamline the identification and prioritization of security incidents based on their business impact.

  • Reduced Risk Through Exposure Management: Quickly identify the source and ownership of vulnerable packages, enabling faster risk mitigation.

  • Protection for Cloud-Based Workloads: Aid in safeguarding applications with continuous monitoring for post-deployment threats such as malware attacks and privilege escalation.

  • Comprehensive Analytics for Kubernetes clusters: Enable continuous runtime evaluation of workloads and containers for real-time vulnerability detection and alignment to the corresponding processes and files within JFrog Artifactory.

  • Centralized Incident Awareness: Maintain a consolidated view of your runtime environment to facilitate accurate incident identification and response.

"A platform that unifies security across the software supply chain from development to production can provide critical visibility and traceability that developers and DevSecOps teams need to manage and remediate risks effectively," said Katie Norton, research manager, DevSecOps and Software Supply Chain Security at IDC. "JFrog's addition of runtime security supports a shift-left and shift-right strategy, fostering comprehensive protection and streamlined processes that lessen the strain on development and security teams."

JFrog Runtime complements JFrog’s suite of advanced security capabilities including:

  • AI/ML Model Curation: JFrog Curation helps defend your software supply chain by enabling early detection and blocking of malicious ML models retrieved from open-source repositories like Hugging Face before they even enter your organization. JFrog’s universal, scalable security platform also natively proxies Hugging Face, allowing developers to access open source AI/ML models while simultaneously detecting malicious models, blocking their use if needed, and enforcing license compliance to enable safer use of AI.

  • Secure OSS Catalog: The JFrog open-source software (OSS) package catalog provides a "search engine for software packages" using the JFrog UI or via API. Backed by both public and JFrog data, the OSS Catalog gives users quick insight into the security and risk metadata associated with all OSS packages.

A suite of new partnerships

JFrog announced a new product integration with NVIDIA NIM microservices, part of the NVIDIA AI Enterprise software platform. The integration of the JFrog Platform with the JFrog Artifactory model registry and NVIDIA NIM is expected to combine GPU-optimized, pre-approved AI models with centralized DevSecOps processes in an end-to-end software supply chain workflow. This allows organizations to bring secure machine learning (ML) models and large language models (LLMs) to production quickly and with increased transparency, traceability, and trust.

"As organizations rapidly adopt AI technology, it's essential to implement practices that ensure their efficiency and safety, and that incorporate AI responsibly," said Gal Marder, EVP Strategy, JFrog. "By integrating DevOps, security, and MLOps processes into an end-to-end software supply chain workflow with NVIDIA NIM microservices, customers will be able to efficiently bring secure models to production while maintaining high levels of visibility, traceability, and control throughout the pipeline."

With the rise and accelerated demand for AI in software applications, data scientists and ML engineers face significant challenges when scaling ML model deployments in enterprise environments. Fragmented asset management, security vulnerabilities, compliance issues, and performance bottlenecks are compounded by the complexities of integrating AI workflows with existing software development processes and the requirement for flexible, secure deployment options across various environments. This compounded complexity can result in very long, expensive deployment cycles and, in many cases, failure of AI initiatives.

"As enterprises scale their generative AI deployments, a central repository can help them rapidly select and deploy models that are approved for development," said Pat Lee, Vice President, Enterprise Strategic Partnerships, NVIDIA. "The integration of NVIDIA NIM microservices into the JFrog Platform can help developers quickly get fully compliant, performance-optimized models running in production."

JFrog Artifactory provides a single solution for housing and managing all the artifacts, binaries, packages, files, containers, and components for use throughout software supply chains. The JFrog Platform’s integration with NVIDIA NIM is expected to incorporate containerized AI models as software packages into existing software development workflows.

By coupling NVIDIA NGC – a hub for GPU-optimized deep learning, ML and HPC models – with the JFrog Platform and JFrog Artifactory model registry, organizations will be able to maintain a single source of truth for all software packages and AI models, while leveraging enterprise DevSecOps best practices to gain visibility, governance, and control across their software supply chain.

The integration between the JFrog Platform and NVIDIA NIM is anticipated to deliver multiple benefits, including:

  • Unified Management: Centralized access control and management of NIM microservice containers alongside all other assets, including proprietary artifacts and open-source software dependencies, in JFrog Artifactory as the model registry to enable seamless integration with existing DevSecOps workflows.

  • Comprehensive Security and Integrity: Continuous scanning at every stage of development, including containers and dependencies, delivering contextual insights across NIM microservices with JFrog auditing and usage statistics that drive compliance.

  • Exceptional Model Performance and Scalability: Optimized AI application performance using NVIDIA accelerated computing infrastructure, offering low latency and high throughput for scalable deployment of LLMs to large-scale production environments.

  • Flexible Deployment: Flexible deployment options via JFrog Artifactory, including self-hosted, multi-cloud, and air-gap deployment options.

JFrog and GitHub also announced a new product integration. This deepening collaboration provides developers with a consolidated view of project status and security posture to help quickly address potential vulnerabilities discovered by the companies’ respective Advanced Security offerings.

Additionally, to help developers quickly gain insight on third-party packages, the companies announced a Copilot chat extension to quickly select software packages that are updated, approved by the organization, and safe for use.

"For developers to be productive, they need complete information about the quality and security of the code and binaries they integrate into their software. Our partnership with GitHub enables teams to do this quickly and with confidence using Copilot," said Yoav Landman, CTO and Co-Founder, JFrog. "Our partnership also allows developers to navigate between code and the binary artifacts produced by the build process through a more intuitive workflow so they can build and release trusted software, faster. We're excited about our shared roadmap, and look forward to driving a single platform experience for our customers."

According to JFrog’s 2024 Software Supply Chain State of the Union report, only 56% of companies use both source code and binary scanning to secure their software supply chains, leaving nearly half of companies vulnerable to attacks at the binary level.

This gap carries real risk, as underscored by the JFrog Security Research team’s recent discovery of a token inadvertently left at the binary level in a Docker container that granted full access to the Python package repository. Had this token been discovered and exploited, it would have impacted tens of millions of computer systems worldwide that run most of today’s internet and cloud infrastructure, automation tasks, financial services and data analysis.

Creating Secure Developer Workflows by Uniting Best-of-Breed Source Code and Binary Platforms

JFrog’s integration with GitHub is expected to offer an easier, more secure way to trace code from its source to the resulting binaries across both platforms with the following key capabilities:

  • Copilot Chat Integration for Software Package Insights: The new GitHub Copilot extension boosts developer productivity by providing insights on open-source packages within the JFrog binary environment alongside GitHub code data, eliminating the need to search through documentation or online forums. It also aligns recommendations with organizational curation policies, enabling informed software package choices that consider security and market adoption. Combining Copilot's chat features with JFrog's artifact metadata creates an invaluable AI-powered assistant for developers.

  • Consolidated, Single Pane of Glass Security Dashboard: A unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security (including the scanners that found the Python vulnerability mentioned above), helping developers address and remove potential software vulnerabilities earlier in the development lifecycle, saving time and reducing risk.

  • Bidirectional End-to-End Release Lineage: The new job summary page on GitHub offers a quick view of the health and security status of each GitHub Actions Workflow, allowing developers to quickly see the output packages from each build, navigate to their location in JFrog Artifactory and back again. This bidirectional navigation utilizes a software bill of materials (SBOM) preserved in JFrog Artifactory, enhancing software lineage traceability.

  • Dynamic Project Mapping and Authentication: Improved automatic authorization and seamless project mapping between GitHub Repositories and JFrog Projects in Artifactory utilizing current OpenID Connect (OIDC) integration, eliminating the need for developers to reauthenticate per repository.