2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How do you use Xray and Snyk to safeguard your applications? Many people with little experience do not know where to start, so this article summarizes the causes of the problem and the solutions; I hope it helps you solve it.
1. Background
In today's software development process, the share of code written in-house keeps shrinking, while open source frameworks and common libraries are referenced everywhere. As the figure below shows, in an application deployed on Kubernetes the code we develop ourselves may amount to less than 0.1% of the whole.
Open source software lets developers share each other's work: we can quickly reuse proven libraries written by others and concentrate on innovative work. However, referencing large amounts of open source software also brings security risks into our applications, and security inspection has become an important part of the DevOps process.
2. Is your application secure?
According to incomplete statistics, 78% of enterprises now use open source software. But while we enjoy the development convenience that open source software brings, are we also aware of the security risks it brings?
As the statistics in the figure above show, only 13% of enterprises treat security as their primary concern when referencing open source software. Most users choose to trust that the creators and maintainers of open source software will ensure its security. However, the statistics in the next figure show that security is not a maintenance priority for open source maintainers.
As a result, the open source libraries we commonly use contain all kinds of security vulnerabilities. For example, according to statistics, 14% of NPM packages and 30% of Docker Hub images contain security vulnerabilities, and once these vulnerabilities are discovered they are not fixed promptly. According to statistics, 59% of the known security vulnerabilities in Maven packages have not been fixed, the average time to fix a vulnerability is 290 days, and even the most serious vulnerabilities take 265 days on average to fix. Attackers have gradually made open source software their main target.
How to ensure the security of our online applications?
3. JFrog Xray, a sharp weapon for monitoring security vulnerabilities
Artifactory+Xray from JFrog is a good product combination. Artifactory is a universal (all-language) artifact repository that can store and manage every external dependency package used in our development in one place. By monitoring Artifactory, Xray can find security vulnerabilities during the build stage and even the development stage, which moves security monitoring forward and avoids the scramble of emergency troubleshooting just before an application goes online.
As the figure above shows, when a new artifact is added to the Artifactory repository, the Xray instance configured to monitor it initiates a security check and reports any security vulnerabilities and license issues it finds. For security vulnerabilities, Xray provides detailed vulnerability information and the exact location within the application to help us analyze and verify them.
At the same time, Xray provides an impact analysis for each vulnerability it finds: in other words, it tells us which other applications, beyond the artifact being checked, also contain this vulnerability.
Beyond analyzing security vulnerabilities and their impact, Xray also lets us define custom issues. We can attach problems found by other tools, or non-security problems such as poor performance or an outdated version, to the corresponding artifact, and then use the same Xray capability to check how far those problems have spread through our applications.
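To make the impact ("spread") analysis described above concrete, here is an added toy implementation that is not JFrog Xray code: given constructed dependency lists for a few applications and a constructed vulnerability feed (placeholder ids, not real CVEs), it reports which applications pull in each vulnerable package and through which dependency chain.

```python
# Added example: toy impact analysis in the spirit of Xray's "spread" report.
# Not JFrog code; all data below is constructed for illustration.
from collections import deque

# Constructed: each application's direct dependencies, keyed by name@version.
APP_DEPS = {
    "orders-service": ["web-framework@2.1", "json-lib@1.4"],
    "billing-service": ["web-framework@2.1"],
    "reporting-job": ["csv-tool@0.9"],
}
# Constructed: each package's own dependencies (the transitive graph).
PKG_DEPS = {
    "web-framework@2.1": ["http-core@3.0", "json-lib@1.4"],
    "http-core@3.0": ["log-util@1.2"],
    "json-lib@1.4": [],
    "csv-tool@0.9": ["log-util@1.2"],
    "log-util@1.2": [],
}
# Constructed vulnerability feed: placeholder identifiers, not real CVE ids.
VULNS = {
    "log-util@1.2": "VULN-PLACEHOLDER-1",
    "json-lib@1.4": "VULN-PLACEHOLDER-2",
}


def dependency_paths(app):
    """Breadth-first walk from an app's direct dependencies.
    Returns {package: shortest dependency chain from the app to it}."""
    paths = {}
    queue = deque((dep, [dep]) for dep in APP_DEPS[app])
    while queue:
        pkg, path = queue.popleft()
        if pkg in paths:          # already reached by a shorter chain
            continue
        paths[pkg] = path
        for child in PKG_DEPS.get(pkg, []):
            queue.append((child, path + [child]))
    return paths


def impact_report():
    """{vulnerable package: {affected app: chain that introduces it}}.
    Transitive hits count too, which is what the spread analysis is for."""
    report = {}
    for app in APP_DEPS:
        for pkg, path in dependency_paths(app).items():
            if pkg in VULNS:
                report.setdefault(pkg, {})[app] = path
    return report
```

Calling `impact_report()` shows that `log-util@1.2` reaches all three applications even though none of them depends on it directly, which is exactly the case a per-artifact scan alone would miss.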
4. Snyk, not just monitoring vulnerabilities
JFrog Xray relies on the public NVD vulnerability database to monitor security vulnerabilities, while Snyk (https://snyk.io) provides an additional commercial vulnerability database. Through its integration with Snyk, Xray can use Snyk's commercial database when checking for security vulnerabilities.
Of course, Snyk also uses its own commercial vulnerability database to scan for and monitor security vulnerabilities directly. Snyk integrates with a variety of platforms to help us monitor the security of applications deployed on them.
Snyk's capabilities do not stop there: it can also help us fix security vulnerabilities. For example, after integrating it with our GitHub Enterprise, we select the projects we want to monitor.
Once a project is selected, Snyk automatically scans its code and reports the security vulnerabilities it finds.
Snyk's most important feature is that it can automatically propose fixes for these vulnerabilities in the form of a PR (Pull Request). A PR can cover all the vulnerabilities found or only a specific one.
Merging these PRs directly replaces the vulnerable dependency packages with versions that fix the security vulnerabilities, eliminating the security risk automatically.
Heavy use of open source software not only speeds up application development but also introduces security risks. Tools such as JFrog Xray and Snyk help us find the security vulnerabilities introduced by open source dependencies as early as possible, analyze how far a vulnerability has spread, and propose fixes so that security risks are eliminated automatically.
After reading the above, have you mastered how to safeguard your applications with Xray and Snyk? If you want to learn more skills or learn more about this topic, you are welcome to follow the industry information channel. Thank you for reading!