August 2021 Summaries
17 posts from Cloudsmith
Filter
Month:
Year:
Post Summaries
Back to Blog
The cabin in the woods is a metaphor for an unmonitored public software repository, where a dependency not tracked by developers can unleash devastating consequences. The incantations to unlock demonic possession represent the risks of ignoring security vulnerabilities and lack of protection. Unwitting temporary residents, such as developers and processes, are vulnerable to attacks without knowledge or defense. The book in the cabin represents the dependency that is not being monitored, while the demonic possession symbolizes the chaos and destruction caused by neglecting software supply chain security.
Aug 27, 2021
367 words in the original blog post.
Cloudsmith offers an on-demand security scanning service for repositories, allowing users to identify vulnerable packages and track their introduction. The service can be run daily, weekly, monthly, or at a custom cadence, with the option to schedule multiple images for simultaneous scanning. Users can access a summary report of their repository's health in the Security Scanning view, view security scan results for specific vulnerabilities, and use the Vulnerability API to programmatically access scan results and historic data. The service also provides insights into the version of packages that introduced vulnerabilities, making it easier to identify and address potential security issues.
Aug 06, 2021
603 words in the original blog post.
At Cloudsmith, helping startups grow from a single person operation to enterprise-level organisations is a constant joy!`
Cloudsmith provides a self-service approach to managing storage and bandwidth limits to keep costs under control while allowing for scaling. The Quota API allows developers to track usage programmatically, enabling automation of solutions using the API or CLI. With Cloudsmith, users can quickly view usage and limits, adjust them as needed, and automate alerts through integration with CI/CD or monitoring services.
Aug 06, 2021
339 words in the original blog post.
Cloudsmith and Buildkite` are two popular tools in the DevOps space that can be integrated to automate various tasks, such as building and pushing packages to a private repository. `Buildkite` is a platform for running continuous integration pipelines on your own infrastructure, while `Cloudsmith` provides a central source of truth for packages and build artifacts. The integration allows users to automate the process of pushing build artifacts to their private Cloudsmith repository, making it easier to manage software assets and integrate with other DevOps tools. By following a simple four-step process, users can set up a pipeline that builds, pushes, and deploys packages to their Cloudsmith repository using `Buildkite` as the execution engine. The integration is designed to be secure, scalable, and easy to use, making it an attractive option for companies looking to automate their CI/CD workflows.
Aug 06, 2021
1,300 words in the original blog post.
Cloudsmith is offering vulnerability webhooks as an alternative to polling its API across various repositories to check for security vulnerabilities in uploaded packages. These webhooks enable real-time notifications when a package's security scan completes, allowing developers to quickly identify and address potential vulnerabilities before distributing them globally. With this feature, Cloudsmith will dispatch a corresponding vulnerability webhook event whenever a scan is completed, providing a summary of the vulnerabilities found within the package and their severity. The process of setting up webhooks for this functionality is straightforward, requiring only an update to existing event subscriptions or creating a new one with selected individual events. By leveraging vulnerability webhooks, developers can stay on top of security updates and ensure the integrity of their packages.
Aug 06, 2021
516 words in the original blog post.
A quick look at how Cloudsmith repositories are fully Multi-Format, and how you can mix and match different package types in one repository.`
Cloudsmith repositories support multiple package formats, allowing developers to create a single repository that contains various types of packages. This flexibility enables developers to manage their dependencies and packages efficiently, without being limited by specific format constraints. By mixing and matching different package types in one repository, developers can simplify their workflow and improve the overall management of their projects.
Aug 06, 2021
55 words in the original blog post.
Creating a Puppet manifest involves specifying the packages and dependencies required for deployment, as well as setting up the necessary infrastructure such as repositories and user accounts. A private Cloudsmith repository is used to manage access to the package, allowing developers to control who can install and update the package. The walkthrough will guide you through the process of creating a Puppet manifest that integrates with your existing infrastructure, ensuring seamless deployment and management of your package.
Aug 06, 2021
56 words in the original blog post.
The software supply chain is vulnerable to attacks, with malicious actors able to insert weaknesses into builds through supply chain manipulation. Recent examples include the SolarWinds breach and the Dependency Confusion Attack, which exploits public repositories to inject malicious packages. To defend against this type of attack, it's essential to take back control by minimizing trust, isolating from third parties, restricting publishers, pinning dependencies, using environment segregation, promoting secure builds, and drawing a thread from build to deployment. By doing so, developers can secure their supply chain and prevent similar breaches in the future.
Aug 06, 2021
920 words in the original blog post.
Combining continuous packaging with integration & delivery is a key discussion point in this webinar, where CircleCI, Cloudsmith, and HashiCorp explore how to apply holistic security principles across the whole value stream. Using infrastructure-as-code techniques to build, stage, and deploy is also covered, highlighting the importance of securing the build and staging assets to ensure quality in pipelines all the way through production.
Aug 06, 2021
61 words in the original blog post.
We are pleased to announce that Cloudsmith has been accepted into The Northern Ireland Cyber Security Cluster, a group of companies developing world-leading cybersecurity technologies from Northern Ireland.
Cloudsmith is committed to advancing the concept of Universal Provenance as a key aspect of software security solutions, enabling developers to secure their intellectual property in a centralised and traceable repository.
Our tooling provides high-fidelity control plane for organisations to understand the provenance of their deployments, minimising modern security risks and accelerating development cycles.
Aug 06, 2021
246 words in the original blog post.
IoT devices are increasingly being deployed globally, with billions of devices already online, each running firmware or an embedded OS and software written in performant languages like C++ or Rust. Companies building IoT devices need to ship their products fully loaded with working software and receive security patches, which is where Cloudsmith comes in as a distribution toolkit for IoT that helps solve the issues with global rollout at scale. Cloudsmith provides accelerated edge delivery of software, enabling fast and reliable deployment infrastructure, and enables automation of software rollout using entitlement tokens, which can be created to secure standards and attached metadata for additional information. The platform also offers analytics to track device updates and export data to big data or analytics platforms, and supports multi-tenant repositories for package formats, simplifying package management and gaining control.
Aug 06, 2021
548 words in the original blog post.
Cloudsmith provides a platform for vendors to sell, license and distribute software as packages, handling all licensing and invoicing/billing challenges, making it convenient and easy for customers to access the packages they need from anywhere in the world. The traditional approach of distributing software through package repositories was limited by the need for vendors to manage their own infrastructure, but Cloudsmith solves these problems by taking responsibility for availability and scalability, delivering high performance, handling licensing and access controls, and enabling vendors to share packages in multiple languages and formats.
Aug 06, 2021
1,323 words in the original blog post.
Webhooks are a powerful tool for integrating different systems, enabling automation across workflows by sending data or notifications to other tools in a stack. They differ from API calls in that they notify another system of an event rather than retrieving information or performing an action. Cloudsmith webhooks can trigger on various events such as package uploads, synchronizations, and failures, allowing users to automate different workflows like CI/CD automation, messaging, monitoring & alerting, customer contacts, and more. With the ability to process HTTP POST requests and handle JSON or Handlebars template payloads, webhooks can be integrated with most platforms, offering out-of-the-box functionality for accepting incoming webhooks. Users can leverage webhooks to expand their integrations, improve DevOps processes, and create custom automation workflows.
Aug 06, 2021
659 words in the original blog post.
With the introduction of the Package Activity API and accompanying CLI command, users can now easily check their repository for packages' activity status or view them individually. This allows users to save on storage costs by eliminating inactive packages and retaining only those that derive value from storing and distributing via Cloudsmith. Automated retention/lifetime rules are available on the Velocity plan and above, enabling automatic management of storage for packages by deleting or moving packages outside of defined retention rules. The rules can be based on package downloads, size, or days, making it easier to identify inactive packages and automate their removal. Users can explore these metrics using the CLI command or implementing a programmatic solution using the API, and get started quickly by querying total active/inactive packages for their repository.
Aug 06, 2021
528 words in the original blog post.
You can now craft Entitlement tokens with individual usage limits using the UI, API, and CLI, allowing you to control the exact level of usage for each token. Combining new and existing limits, allowances are configurable to provide fine-grained control for any combination of properties, such as bandwidth usage or number of unique clients. You can also scope your tokens by restrictions for advanced control, and provide lifetime limits or refresh periods to configure bandwidth restrictions with a specific unit and amount. With the Cloudsmith UI, API, and CLI, you can edit individual tokens to apply visibility restrictions, usage limits, or additional metadata, making it easy to manage entitlement token controls and fine-tune your offering to suit different users.
Aug 06, 2021
531 words in the original blog post.
Invest NI is supporting Cloudsmith, a company that offers platform as a service (PaaS) solutions, through the European Union's Investment for Growth and Jobs Programme. This 12-month support will help Cloudsmith expand its research and development efforts to improve its platform and develop new features to increase its global customer base. The funding announced last year was one of Northern Ireland's largest seed rounds, with investors including Frontline Ventures, MMC, and Techstart. Cloudsmith has already gained significant traction, with customers on six continents and serving millions of software packages per month, generating over 90% of its revenue outside the UK and Ireland.
Aug 06, 2021
138 words in the original blog post.
A modern tech stack is filled with choices; as the tech market has exploded over the last ten years; there are solutions for nearly every conceivable problem. Software as a Service is now commonplace amongst companies large and small. With so many options to choose from, it's easy to make bad choices that could haunt you for years or even centuries. A company called Cloudsmith made such a choice in 2016 when they selected Chef over Puppet for configuration management, and later opted for Chef Provisioning instead of Hashicorp's Terraform for Infrastructure as Code. However, Terraform continued to improve while Chef Provisioning became outdated, causing Cloudsmith significant issues that ultimately led them to switch to Terraform after a month-long engineering hiatus. The experience serves as a cautionary tale about the importance of choosing wisely when evaluating tools and technologies.
Aug 06, 2021
590 words in the original blog post.