Home / Companies / JFrog / Blog / August 2021

August 2021 Summaries

12 posts from JFrog

Filter
Month: Year:
Post Summaries Back to Blog
The concept of "build once, deploy anywhere" in cloud-native environments is nearing realization through containerization and Docker, although challenges remain due to the need for specific architecture compilations. Docker addresses this by enabling multi-architecture (multi-arch) images that support different CPU architectures, such as AMD64 and ARM64, through a Docker manifest list. This allows for the deployment of container applications across various environments by automatically selecting the correct image for the target architecture. The use of Docker's buildx plugin simplifies the creation and management of these multi-arch images, allowing them to be pushed to a Docker registry like Artifactory. Once in the registry, these images can be promoted through different stages of the software development life cycle (SDLC) while maintaining best practices for testing and validation. The process preserves the workflow of building once and promoting images through development, testing, and production stages, facilitated by tools like JFrog's Artifactory.
Aug 25, 2021 770 words in the original blog post.
In 2021, the Software Bill of Materials (SBOM) gained critical importance within the DevSecOps community due to its role in identifying security and compliance issues in software supply chains, propelled by events such as the SolarWinds hack and the White House cybersecurity executive order. SBOMs provide a detailed inventory of software components, offering transparency that helps mitigate risks of supply chain attacks, especially in regulated industries like finance and healthcare. Although misconceptions exist, such as fears of exposing source code or intellectual property, SBOMs only provide metadata about software components, enhancing security without revealing proprietary details. Tools like the JFrog DevOps Platform facilitate the creation and management of SBOMs by providing granular data on software dependencies, security, and compliance, helping organizations reduce legal liabilities and protect their reputation. As SBOMs become a regulatory requirement for selling software to the U.S. government and other entities, they are increasingly recognized as a best practice for ensuring software security and compliance.
Aug 24, 2021 1,532 words in the original blog post.
Supply chain attacks have emerged as a significant cybersecurity threat, with incidents like those involving SolarWinds and Kaseya highlighting their potential for widespread impact. These attacks involve embedding malware in legitimate software, which is then distributed to unsuspecting users, affecting both open-source and commercial software. The complexity and stealth of these attacks make them difficult to prevent, detect, and remediate, posing substantial risks to government, infrastructure, and private sector entities. Developers face challenges in ensuring the security of third-party code, which often forms the majority of an application's codebase, due to the lack of visibility into software components and dependencies. Strategies to mitigate these risks include implementing supply chain vetting processes, shifting security efforts to earlier stages of the software development lifecycle (SDLC), verifying binary code integrity, conducting thorough code analysis, demanding software bills of materials (SBOMs), and using multi-factor authentication in critical areas. The frequency of supply chain attacks has been rising, with significant increases in 2021, underscoring the need for organizations to prioritize these threats in their cybersecurity efforts.
Aug 20, 2021 1,390 words in the original blog post.
The evolution of computing technology has significantly transformed the IT landscape, beginning with timesharing in the 1970s, which enabled multiple users to share expensive mainframe resources, to the development of virtual machines, containers, and serverless computing. Timesharing allowed for more efficient use of computing resources, paving the way for virtualization technologies like virtual machines, which provided isolated environments for applications. Containers further streamlined resource usage by sharing a single operating system, offering faster performance and scalability. Serverless computing emerged as a lightweight, event-driven model that abstracts infrastructure management, allowing developers to focus on business logic and pay only for the resources used. This has led to hybrid solutions like Google Cloud Run, which combines the flexibility and persistence of containers with the on-demand scalability of serverless, offering developers versatile options to accelerate deployment and reduce costs. Each technological advancement has addressed specific challenges related to cost, deployment ease, and resource utilization, enhancing the capacity to develop and deploy applications that better serve business needs.
Aug 19, 2021 1,935 words in the original blog post.
In the realm of IoT projects, particularly when connecting numerous Raspberry Pis or microcontrollers, traditional methods like WiFi and Bluetooth may not suffice, especially in scenarios like Wireless Sensor Networks (WSNs) where low power and simplicity are crucial. In such cases, RF (Radio Frequency) communication devices become essential, with popular options including Semtech’s SX1278 LoRa module and Nordic’s NRF24L01+ module. The SX1278 LoRa module, operating in the ISM radio band, offers long-range communication up to 10km and is ideal for low-power applications, while the NRF24L01+, operating in the 2.4GHz band, provides higher bandwidth suitable for real-time data transmission but has a shorter range of around 800m. Both modules have their merits, with SX1278 excelling in power efficiency and full-duplex communication, whereas NRF24L01+ offers higher data rates, albeit without full-duplex capabilities. The choice between them depends on specific project requirements, such as range, power consumption, and data bandwidth, making neither module a definitive winner. For managing sensor networks and Raspberry Pi base stations, solutions like JFrog Connect offer comprehensive IoT device management services.
Aug 15, 2021 958 words in the original blog post.
The Nvidia Jetson Nano is a powerful System on Module (SoM) developed by Nvidia Corporation, featuring a 128-core NVIDIA Maxwell architecture-based GPU and a Quad-core ARM A57 CPU, equipped with 4GB of DDR4 RAM. It stands out for its GPU-accelerated processing capabilities, making it ideal for machine learning inference and image processing tasks, outperforming other Single Board Computers like the Raspberry Pi series in parallel processing. To fully leverage its capabilities, the CUDA (Compute Unified Device Architecture) framework, primarily written in C/C++ with support for Python and Fortran, needs to be installed, facilitating parallel computing through popular machine learning frameworks such as TensorFlow and PyTorch. The CUDA toolkit can be installed on the Jetson Nano using methods such as the JetPack SDK or Debian repositories, with the former providing a stable and ready-to-use installation of CUDA libraries. After installation, updating the OS PATH variable is crucial for system-wide access to the CUDA libraries, enabling compilation of CUDA applications. Additionally, multiple Jetson Nano devices can be managed simultaneously for CUDA installation or updates using JFrog Connect’s Update Flow and Deployment feature.
Aug 15, 2021 679 words in the original blog post.
The Raspberry Pi 4 and the Raspberry Pi Compute Module 4 are both powerful single-board computers, each tailored for different applications. The Raspberry Pi 4, in its fifth iteration, offers significant upgrades such as a faster processor, more RAM, USB 3 ports, dual HDMI ports with 4K support, and faster ethernet, making it ideal for general-purpose use, including desktop computing, TV streaming, and home automation. In contrast, the Raspberry Pi Compute Module 4 is designed for industrial and embedded systems, featuring the same processing power but in a more compact form without ports, necessitating a carrier board for use. This allows it to be integrated into smaller form factor projects like digital signage and IoT devices. Both models support over-the-air updates and remote access via JFrog Connect, catering to diverse needs from desktop PCs to industrial controllers.
Aug 15, 2021 1,067 words in the original blog post.
Organizations with strict security requirements, such as financial institutions and military installations, often require an air-gapped setup to manage dependencies without exposing operations to the internet. Artifactory provides a solution by setting up at least two instances: one on the DMZ and another on an internal network. This setup allows for secure downloading and transferring of dependencies via external devices or a one-way network connection. Various methods, such as dependencies declaration, dedicated scripts, and smart remote repositories, facilitate retrieving and caching necessary artifacts. Tools like JFrog CLI aid in the efficient management of these artifacts by allowing checksum-aware downloading and targeted uploading between instances. Additionally, Artifactory supports pull replication to synchronize dependencies into internal repositories while maintaining security protocols.
Aug 11, 2021 1,561 words in the original blog post.
Managing and organizing Node dependencies can be efficiently handled using an npm repository, which requires secure and consistent access to shared dependencies in a central location. JFrog’s cloud subscription, including JFrog Artifactory, Xray, and Pipelines, facilitates the setup of local, remote, and virtual npm registries quickly. The setup process involves logging into your environment, creating a local npm repository for custom packages, adding a remote repository to cache third-party packages, and configuring a virtual repository that integrates both. The virtual repository determines the order of dependency resolution and designates a default deployment repository. Users can also fork a JFrog npm example GitHub repository to practice building an npm project, configure the JFrog CLI for automation, and view the repository details in the Platform UI. This approach provides a structured way to manage dependencies while supporting automation and transparency in the development process.
Aug 10, 2021 641 words in the original blog post.
Artifactory is a universal repository manager that serves as the single source of truth for managing the diverse artifact ecosystem within development organizations, essential for transitioning from development to DevOps. By supporting over 30 package types and providing comprehensive metadata, Artifactory enables developers to store, organize, and trace the entire lifecycle of artifacts, including binaries, dependencies, images, and configuration files. This management facilitates seamless integration into continuous integration pipelines, ensuring that applications—composed of interoperating microservices—are efficiently built, stored, and deployed. Artifactory’s features, such as proxy remote repositories and metadata maintenance, help eliminate network latencies and trace artifacts’ origins, contributing to accelerated release cycles and alignment of software development lifecycle workflows across enterprises.
Aug 09, 2021 760 words in the original blog post.
JFrog announced that starting August 5, 2021, new users of its free JFrog cloud subscription will need to provide a valid credit or debit card to activate Pipelines CI/CD, due to a rise in misuse for cryptocurrency mining that violates the terms of service. This requirement aims to ensure service stability and optimal performance, as abuses have negatively affected resources and support capabilities. The policy only affects new free-level subscribers and not existing accounts, paid subscribers, or self-hosted users. The card information will be used solely for identity verification via a one-dollar preauthorization, which is immediately canceled, with no charges made. JFrog emphasizes that this measure, also adopted by other providers facing similar issues, is necessary to deter abuse while allowing users to experience the capabilities of Pipelines CI/CD. Users with questions are encouraged to contact JFrog's support or sales teams.
Aug 05, 2021 591 words in the original blog post.
NicheStack, a widely-used TCP/IP network stack in operational technology devices, has been found to contain 14 new security vulnerabilities by JFrog's security research team and Forescout Research Labs. These vulnerabilities, collectively named INFRA:HALT, could lead to remote code execution, denial of service, information leaks, TCP spoofing, and DNS cache poisoning. The vulnerabilities affect all NicheStack versions before 4.3, including NicheLite, and are found in various components such as DNSv4 clients and HTTP servers. To mitigate these risks, upgrading to NicheStack v4.3 is recommended, or alternatively, using open-source scripts to detect vulnerable devices, segmenting them from networks, and monitoring traffic for malicious activity. JFrog and Forescout are engaging with impacted vendors to prepare community advisories and will host webinars and talks to further discuss the findings and mitigation strategies.
Aug 04, 2021 1,235 words in the original blog post.