September 19, 2024

JFrog deepens partnership with GitHub, launches runtime security service

Earlier this year, software supply chain platform (and binary specialist) JFrog announced a partnership with GitHub that, among other things, allowed developers and the teams behind them to track code from source to binary package across the two platforms. On Tuesday, at JFrog's SwampUp conference in Austin, the two companies expanded this initial integration work with a focus on security.

JFrog is also releasing a runtime security solution and an integration with Nvidia's NIM microservices, expanding its ambitions as an MLOps platform after acquiring Qwak earlier this year.

Deeper integration with GitHub

JFrog CEO and co-founder Shlomi Ben Haim told me that the partnership with GitHub was always meant to go beyond the original integration of the two companies' products announced in May. Ben Haim said that JFrog and GitHub customers wanted the two companies to break down the barriers between their products so they could choose the best platforms to manage their source code and binaries. What customers are telling him is that they want a single control panel.

“What we hear from our users is, ‘Listen, this is very important. Source code security is very important. Software supply chain security is very important,’” he said. “But we can’t keep running between tools and scanners. We want to have a single pane of glass to see all the findings so we can remediate faster, so we can react faster, so we can have full traceability for all the sources. And JFrog comes with the binary findings, while GitHub comes with the source code findings, so everything will be in the developer platform, shown in the security tab on GitHub.”

Image credits: JFrog

In practice, this means that JFrog Advanced Security and Healing by JFrog, its service for tracking which open source packages developers are using, are now integrated directly with GitHub's Advanced Security service.

“Developers often don’t realize there’s a problem until something breaks – only then can they start piecing together the puzzle to figure out what went wrong. Our partnership with GitHub allows teams to seamlessly navigate between code development and binary storage, enabling a more intuitive workflow,” said Yoav Landman, CTO and co-founder of JFrog. “This integration is expected to improve developer experience and traceability, ensuring they can easily connect their source code to the corresponding binaries while maintaining a consolidated view of security so they can focus on delivering high-quality software without worrying about invisible vulnerabilities.”

JFrog is now also participating in GitHub's Copilot Extensions program, allowing developers to use Copilot Chat to ask questions about the JFrog platform directly in their IDE.

Nvidia NIM Integration

Since JFrog is focused on binaries, it is no surprise that the company also wants to manage machine learning models. In this space, too, companies are quickly realizing that they need a DevSecOps solution to manage their software/model supply chain workflow. With NIM, Nvidia aims to create a de facto standard for managing and deploying inference microservices.

Image credits: JFrog

“As enterprises scale their generative AI deployments, a central repository can help them quickly select and deploy models that are approved for development,” said Nvidia’s Pat Lee, who is vice president of Enterprise Strategic Alliances. “Integrating Nvidia’s NIM microservices into the JFrog platform can help developers quickly get fully supported, performance-optimized models up and running quickly in production.”

JFrog's security tools will now scan and monitor the security of these models, and Artifactory, JFrog's service for storing and managing binaries, can become a company's local model registry.

Ben Haim said the company’s overall strategy in this case is “too integrated to fail.” “I’m giving you what you’ve already chosen, just with a better experience. You’ve already chosen these tools. I just want you to have a better experience,” he said.

JFrog Runtime Security

Image credits: JFrog

JFrog is also releasing a runtime security solution that keeps an eye on the binary while it is in production. Since JFrog knows exactly what is running in production (and can trace how that binary was produced, from source code to deployment), the service can now inform its users when a deployed binary is vulnerable.

“JFrog Runtime Security will provide full visibility and traceability to our customers, whether they swipe right or left when it comes to binary scanning,” said Ben Haim.

He also noted that while JFrog has obviously already secured the binaries going into production, this is the first time the company has deployed sensors into the runtime environment.

“A platform that unifies security across the entire software supply chain, from development to production, can provide the critical visibility and traceability that developers and DevSecOps teams need to effectively manage and remediate risks,” said Katie Norton, research director, DevSecOps and software supply chain security at IDC. “The addition of JFrog runtime security supports a shift-left-and-right strategy, fostering comprehensive protection and streamlined processes that reduce pressure on development and security teams.”
