Laurent Balmelli, PhD

Posted on • Edited on • Originally published at strong.network

The Strong Frog Practice: Make DevSecOps Part of Cloud-Based Development

Secure Cloud Development Environments are pivotal in DevSecOps for the ability to manage development environments in a centralized manner, ensuring uniform security policies, compliance and regulatory adherence across all projects. While Strong Network’s platform manages coding environments, the implementation of policies is provided by JFrog. We explain how this is achieved in this article.

Authors: Laurent Balmelli & Fernando Monje

Why Strong Network’s Platform Integrates with JFrog

Secure Cloud Development Environment (CDE) platforms like Strong Network’s are pivotal in DevSecOps for the ability to manage development environments in a centralized manner, ensuring uniform security policies, compliance and regulatory adherence across all projects. While Strong Network’s platform enables the definition and management of coding environments, the implementation and execution of these policies is the task of a platform like the one provided by JFrog. The wealth of JFrog’s platform services is pictured in the figure below.

Figure: Strong Network’s platform integrates with JFrog’s platform services to make them available directly and transparently in secure Cloud Development Environments.

The joint use of Strong Network and JFrog’s platforms streamlines security management and auditing, providing a robust framework for consistent security practices. This setup automates key security tasks like vulnerability scanning and compliance checks, embedding security into every stage of the development lifecycle. This approach aligns with the 'shift-left' philosophy, where security is a foundational element from the project's inception.

Secure CDEs also offer scalability and flexibility, crucial for adapting to the evolving demands of software development without compromising security. They provide development teams the agility and resources needed in a controlled environment. JFrog’s platform service makes sure that scaling occurs in a controlled manner.

Finally, the joint platform setting discussed here is a key enabler for secure remote collaboration, a necessity in today’s distributed workforce. It ensures that teams, irrespective of their location, can collaborate effectively while getting access to strong DevSecOps practices in a way that keeps the organization secure: both from the perspective of infrastructure and resource access control as well as the compliance and security of the code produced through the collaboration.

Let’s explore the features delivered when associating the two strongest platforms in secure code development available today and how they satisfy both perspectives above.

Prerequisites and Platform Sign-In

To successfully integrate the Strong Network platform with JFrog's platform, there are a few prerequisites that must be met in order to leverage their combined strengths.

First, your organization must have deployed the self-hosted Strong Network platform and have access to the JFrog platform, either in a SaaS or a self-hosted solution. Administrative access is needed to both platforms to perform necessary initial set-up configurations.

From the Strong Network platform perspective, the JFrog platform is integrated as a third-party application as shown in the next figure, very much like other applications such as GitHub, GitLab or Bitbucket. The goal of this integration is to leverage the services in a transparent manner within the Cloud Development Environments (CDEs).

The whole integration is done only through the administrative settings of Strong Network’s platform, so that the availability of JFrog’s platform becomes visible in the Integration tab in the user’s profile (figure below). This allows users to sign into the JFrog platform from Strong Network’s.

Figure: Users log in to the JFrog platform once from their profile and access all services from their CDEs without the need to provide any further authentication information.

Once signed in, JFrog CLI becomes automatically available in the user’s CDEs. In turn, the integration gives every user transparent access to JFrog services from any CDE. This also allows for the management of user permissions to the services and the establishment of security protocols.

In cases where the JFrog platform is being used in a SaaS model, a specific custom OAuth template provided by JFrog is necessary. The custom OAuth template must be set up and configured in accordance with JFrog's guidelines to ensure compatibility and security.

DevSecOps Integration in Cloud Development Workflow

The following paragraphs explore the features available once a user is signed in.

Automated Platform Integration With All CDEs

One of the standout features of integrating the Strong Network platform with JFrog is the automated integration of JFrog’s CLI into any newly created CDE during the development process, when building an application on the workspace. This means that whenever a new CDE is created, the JFrog CLI and services are automatically installed and authenticated within the workspace. This seamless integration streamlines the development workflow, as developers can immediately start using JFrog's services without the need for manual setup or authentication. It enhances efficiency and ensures a consistent environment across all CDEs.

Figure: Whenever a new CDE is created, the user can verify that the JFrog CLI and services are automatically installed and authenticated within the workspace.

Automated Scanning of Container Images with JFrog Xray

The integration also brings the advantage of automated scanning of container images during workspace creation using JFrog Xray. This feature is particularly crucial for maintaining high standards of security and compliance regarding the development infrastructure. As soon as a workspace is created, the container image is automatically scanned, and a summary of any vulnerabilities found is displayed (see the next figure). This immediate feedback allows developers to identify and address security concerns attached to the infrastructure and tools used for development. This integration is possible because Strong Network’s platform embeds the management of workspaces’ containers as platform resources. Hence, the integration with JFrog allows the automated enforcement of infrastructure security best-practices in the development process.

Figure: Because Strong Network’s platform embeds the management of workspace containers, the integration allows the automated enforcement of infrastructure security best-practices in the development process.

Secure Artifactory Access from User Workspaces

Another significant feature is the automated and secure access to JFrog Artifactory from the user’s workspace. This is achieved without storing JFrog credentials in the workspace or exposing them to the developer. This approach not only simplifies the process of accessing JFrog Artifactory but also upholds stringent security protocols by ensuring that sensitive credentials are never compromised. Developers can seamlessly interact with Artifactory, retrieving and deploying whitelisted, compliant dependencies to ensure code security as needed, while the platform manages the underlying security and authentication mechanisms.

Figure: The transparent and automated integration of JFrog Artifactory in the build process allows the production of secure and compliant code through the use of pre-approved, sanitized software libraries.

JFrog VSCode Extension Pre-installed and Authenticated

Lastly, the integration ensures that the JFrog Visual Studio Code (VSCode) extension is already installed and authenticated in each workspace from its inception. This eliminates the need for developers to manually set up the extension, allowing them to immediately leverage its functionalities for enhanced productivity. The pre-authentication aspect of the extension ensures that developers can start using JFrog’s services within VSCode right away, further enhancing the overall user experience.

Figure: JFrog Visual Studio Code (VSCode) extension is installed and authenticated in each workspace from its inception.

In Conclusion: Deploy a Secure Development Infrastructure That Delivers Secure Code

The integration of Strong Network's platform with JFrog's platform services represents a significant business value for security-minded organizations. This collaboration, aptly named "The Strong Frog Practice," is a demonstration of how combining leading technologies integrates DevSecOps best-practices across the development process with the use of secure cloud-based development environments. In other words, best-practices are smoothly assimilated, avoiding interference with the developer experience. In all, the integration brings together productivity and security, covering both the infrastructure and software aspects from a unified perspective.

Through this integration, developers gain the benefit of automated processes, such as the inclusion of JFrog’s CLI in every new secure CDE and the automatic scanning of container images with JFrog Xray. These features not only bolster security but also enhance efficiency, allowing developers to focus more on coding and less on setup and security concerns.

The seamless and secure access to JFrog Artifactory directly from user workspaces, without exposing sensitive credentials, is a game-changer in managing dependencies and ensuring code security. Additionally, the pre-installed and authenticated JFrog VSCode extension in each workspace further streamlines the set-up process, ensuring a smooth and efficient development workflow.

This powerful platform alliance underscores a commitment to elevating DevSecOps practices, where security is not an afterthought but an integral and automated part of the development process. "The Strong Frog Practice" is a shining example of how the right technological partnerships can create an environment that is not only secure and compliant but also agile and developer-friendly, catering to the dynamic needs of modern software development.


All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network

Copyright © 2020-2024 Strong Network All rights reserved.
