JFrog : No Internet? No Problem. Use Xray with an Air Gap – Part II


With software supply chain attacks on the rise, implementing DevSecOps best practices in an air gapped environment is a must. In an effort to secure an organization's internal network, there is an increasing trend of separating the internal network from the external one, essentially creating an enclosed environment that is disconnected from the public internet.

An air gapped solution enforces stricter security requirements, but that alone is not enough. The 3rd party dependencies used by your software developers, CI processes, and deployment pipelines must also be scanned for security vulnerabilities and license violations!

How? Combining the air gap with a security vulnerability solution like JFrog Xray allows you to protect your air gapped environment and exclude all vulnerable artifacts from being used within the internal development environment.

Our previous post showed how, with a bit of tooling and scripting, you can continue to access your remote dependencies in an air gapped environment. This post will go through the steps and best practices for protecting your software and maintaining strict security policies in your development environments.

The following setup shows an example solution that uses an external DMZ, with JFrog Xray installed to scan your remote dependencies for vulnerabilities. JFrog Xray is also installed internally, to provide continuous scanning for your software packages, protecting your organization from any potential vulnerabilities in the future.

For enterprise companies, with large development teams spread out around the world, an identity based solution is becoming the de facto standard approach. The next generation of air gapped environments is based on identifying everything about the request. More specifically, tracking:

The following diagram describes the process of selecting, organizing, and downloading 3rd party dependencies in an identity based air gapped solution, all within the context of artifact management, especially in a highly regulated and secured environment.

The process of managing the security of your software binaries in an air gapped environment

If no violation is created:

If violation is created:

If the violated artifact is approved by SecOps:

If the violated artifact is not approved by SecOps:

Keep in mind that this solution requires strong automation to be implemented, and a highly engaged SecOps team to properly handle the incoming tickets.

Disclaimer

JFrog Ltd. published this content on 19 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 19 January 2022 15:23:10 UTC.