
June 2022

Software supply chain: What it is and how to keep it secure

As shortages of consumer goods and rising prices caused by bottlenecks in international supply networks have become more common, the global supply chain and its vulnerabilities have been top of mind for many. For developers, several high-profile software security exploits have recently underscored the risks inherent in a similar type of supplier network: the software supply chain.

Prevent XSS attacks with browser testing

Security is a never-ending battle on the web. You can have a server up in just a few minutes, and the next minute, someone is already trying to hack into it. These attacks could be automated using malicious bots or launched manually. Websites can be targeted by a malicious user trying to compromise your web presence or data. Cross-site scripting (XSS) is just one type of attack your site may be vulnerable to.

Trusted SBOMs delivered with the JFrog Platform and Azure

SBOMs provide essential visibility into all the components that make up a piece of software and detail how it was put together. With an SBOM in hand it’s possible to determine if software contains existing security and compliance issues or is impacted by newly discovered vulnerabilities. The SBOM is imperative due to the White House’s cybersecurity executive order from May 2021 requiring them for all government software purchases and many private organizations following suit.

Human-Friendly, Production-Ready Data Science Stack with Metaflow & Argo Workflows with Savin Goyal

There is a pressing need for tools and workflows that meet data scientists where they are. This is also a serious business need: How to enable an organization of data scientists, who are not software engineers by training, to build and deploy end-to-end machine learning workflows and applications independently. In this talk, we discuss the problem space and the approach we took to solving it with Metaflow, the open-source framework we developed at Netflix, which now powers hundreds of business-critical ML projects at Netflix and other companies from bioinformatics and drones to real estate.

Supply Chain Security Meetup June 21 2022 (Sponsored by JFrog)

Software Supply Chain Security Virtual Meetup. Open-source vulnerabilities are in many applications. While finding them is critical, even more critical is remediating them as fast as possible. Securing your software supply chain is absolutely critical as attackers are getting more sophisticated in their ability to infect software at all stages of the development lifecycle, as seen with Log4j and SolarWinds.

Automating deployment of a Dockerized Python app to Docker Hub

CI/CD systems follow a multi-tiered environments pattern: development, testing, staging, and production release are all part of this process. Each setting in this cycle could have a variety of setups and configurations. As a result, having to set up separate configurations for different environments could be inconvenient and burdensome. In this tutorial, we will take a look at what Docker is and how it has freed developers from setup problems and port clashes.

The 15 Best Continuous Deployment Tools In 2022

Today's technology companies need to release quality features quickly and put them in users' hands even quicker. According to the State of DevOps Report, organizations with CI/CD tools deploy 208X more often and have a 106X shorter lead time than organizations without one. You can release software with minimal downtime for your customers when you use robust continuous deployment software.

Part I: A Journey of a Thousand Binaries - Types of Software Dependencies

As software developers, one of the things that we worry a lot about is our software dependencies. To speed up delivery time of new functionality within our code we reuse software – we don’t have time to reinvent the wheel. We stand on the shoulders of giants and leverage all the hard work and lessons learned from the software developers of our past. Sounds great, right? Well, mostly great, because we are faced with the underlying trials intrinsic to software development.

Trunk-based vs. feature-based development

When you are the only dev building a software project, you can create and modify your code according to personal preference. When you contribute code to a team-run project, you need to follow a standardized set of guidelines and coordinate precisely with other team members. Standard guidelines and coordinated work effort are vital to the success of every team-based software development project.

Continuous Validation: What Is It And Why Is It Important?

By investing in a CI/CD pipeline, it’s entirely possible to automate a large part of the software development life cycle – letting businesses deliver high-quality, high-efficiency outputs with a faster time to market. But there are multiple elements to the CI/CD process, including the all-seeing eye that is continuous validation. So what exactly is continuous validation, and why should software developers bother to engage with it?

Continuous Documentation In A CI/CD World

Continuous documentation is the process of creating and maintaining code documentation incrementally throughout a project in a way that seamlessly incorporates it into the development workflow. It is a key part of improving reliability within an organization. It’s not just new features that need to be documented – anything useful from bug fixes, to how to get started using the code should be documented. It should also be updated frequently to ensure that it stays relevant.

The value of blameless culture - from IC to C-Suite

At CircleCI, CI has a second meaning: Continuous Improvement. We continuously seek out feedback not only to improve our code but to improve our processes and get better at our jobs along the way. This Continuous Improvement starts with one important company value: a blameless culture. Our blameless culture extends into every part of how we operate.

JFrog Frogbot version 2

Frogbot scans every pull request created for security vulnerabilities with JFrog Xray, and in version 2 it even opens pull requests for upgrading vulnerable dependencies to a version with a fix! With Frogbot installed, you can make sure that new pull requests don’t add new security vulnerabilities to your code base alongside them. If they do, the creator of the pull request has the opportunity to change the code before it is merged.

Tech Ops is a mess. Here's why we're committed to fixing it.

Building software is hard. Building cloud software is even harder because things move much faster — and require mission-critical reliability and availability. To effectively build software in the cloud, engineering teams need observability, CI/CD, reporting, and lots of tooling. At every organization I’ve worked at, we’ve needed a system of tools that lets us: But all the tools available to engineering teams never quite fit together with our specific processes.

Fostering Fearlessness: Working in the Middle of the Day Instead of the Middle of the Night

There’s no shortage of articles on CI/CD and how to run a configuration validation utility before reloading or restarting a service, but this type of validation is not the same as acceptance testing. Furthermore, these validations don’t always give you (or your leadership team) the confidence to allow you to make big changes to your Production Infrastructure during normal business hours, often preferring to err on the side of caution and scheduling a maintenance window when you might prefer to be in bed.

What is cloud bursting? Managing sporadic workloads on the hybrid cloud

The DevOps field is engaged in a great, collective migration into the cloud. Businesses are decentralizing their applications and databases, hosting them in the cloud to make them available regardless of geography or user device. Some organizations choose to host their applications on private servers, but in periods of high demand take advantage of the public cloud by directing overflow traffic to cloud servers. This approach is called cloud bursting.

Developing a pipeline-builds logging system with CircleCI webhooks and Airtable Automations

Ever since CircleCI introduced webhooks, I have been excited about the possibilities this new way of integration opens up to developers. I decided to try out one of the use cases described in the webhooks documentation. This use case involves transmitting information about build-pipeline workflows into an Airtable database. The data piped into Airtable forms a log for you to monitor your workflows and you can go as far as designing graphs and other visualizations to analyze the build data.

5 Takeaways From "Behind the Curtain: The Road to Terraform"

How much time are you wasting initializing your Terraform environments? If your answer is, “more than we should,” then we have some tips for you. Terraform is a popular infrastructure-as-code (IaC) tool for anyone who deploys to the cloud. We use it here at JFrog to help manage infrastructure for our SaaS customers, and recently added support in Artifactory to manage your Terraform files (provider, modules, and backend).

How to change your mind about failure with Rollbar CPO, Cyrus Radfar

Nearly every project can benefit from improvements, but which effort has the most impact? Rob sits down with Rollbar CPO Cyrus Radfar to discuss how to reframe your mindset on failure, knowing and operating from your top-level goal, and making failures a vital part of company culture.

Testing Commander.js command line applications

Breaking changes in production are inconvenient and can be costly to fix. Using commands like git clone <some GitHub repository>, executed in your terminal, is a common practice known as using the command line. This practice can be faster and more efficient than using a GUI. For this tutorial, I will walk you through the process of testing command-line applications, explain why you need command-line applications, and describe in detail how they work.

How to review your CircleCI configuration

Configuration files can take some time to set up, but after that initial push they are easy to forget about. “If it’s not broken, don’t fix it” is a common approach that many developers take with their configuration files. But when it comes to your continuous integration pipelines, small changes can have huge benefits.

Continuous integration for a production-ready Dockerized Django application

Continuous integration has become a widely accepted practice for software projects. As more technologies are introduced in both continuous integration and software development, developers are looking for practical ways to benefit from them. Basic tutorials that cover toy examples are not always enough for real-life practitioners. As an actual user of Django, Docker, and CircleCI, this was certainly a pain point for me. That is why I wrote this tutorial.

Artifactory, Your Swift Package Repository

If you’re looking forward to WWDC 2022 for some exciting Swift news, we have just the thing. JFrog now offers the first and only Swift binary package repository, enabling developers to use JFrog Artifactory for resolving Swift dependencies instead of enterprise source control (Git) systems. Swift developers can benefit from Artifactory’s robust binary management and the ways that it contributes to stable and efficient CI/CD, massive scalability, and securing the software supply chain.

Introduction to CI/CD

In a business world where time is money and every dollar counts, efficiency and productivity are critical success factors. Continuous Integration (CI)/Continuous Deployment (CD) is a process that helps organizations rapidly release software with confidence. The process relies heavily on automation and modern cloud-based services to provide tools for build management, monitoring, testing, and deployment automation.

Data structures for effective Python applications

Because computers rely on data to execute instructions, computing will always entail data interaction. The amount of data can be overwhelming in real-world applications, so developers must consistently devise methods to access it quickly and efficiently in a programmatic way. A solid understanding of data structures is a great advantage for teams that specialize in developing tools and systems. Organizing data optimally maximizes efficiency and makes data processing easy and seamless.

The Road to Terraform with JFrog

Transitioning to a new DevOps technology can be a daunting task, especially when it potentially impacts a solution being used by millions of developers around the globe. JFrog’s own DevOps team recently adopted Terraform in support of the JFrog SaaS offering and in the process helped guide creation of Artifactory’s support for Terraform modules, provider, and state files.