Xray Introduction (06:29)
Xray Architecture (07:52)
Xray Components (06:45)
JFrog Xray: Overview (2020+)
Improve DevSecOps in Software Delivery Automation Using JFrog Xray
Course Description: 25 minutes
In this short online course, we will provide an overview of the JFrog Xray DevSecOps tool, its architecture and its accompanying components, which enhance DevOps automation with full-fledged DevSecOps insights and capabilities. We will also show you how the Xray DevSecOps tool works at each step of the DevOps cycle to trace vulnerable components and govern OSS (open source software) license compliance.
Xray works with JFrog Artifactory to analyze binary files throughout their lifecycle, from their first inclusion in the source code, through the build process, and up to the production environment. With Artifactory, developers can automate the build process; with Xray, developers and security analysts can scan binaries for known security vulnerabilities and OSS license compliance. Scans include third-party libraries and external components that can introduce vulnerabilities and future issues. This course covers this functionality and the analysis of build files to prepare DevOps teams for secure deployments.
This course shows developers interested in Xray what it can do for the software development lifecycle (SDLC). It offers an introduction to DevSecOps essentials and demonstrates how Xray can help integrate security into existing DevOps automation pipelines. Students will also learn the benefits of a deep scan and impact analysis on their binary files. Because Xray works closely with Artifactory, students who are already familiar with Artifactory and with binary repositories in CI/CD pipelines will find the material easier to follow, but that familiarity is not required.
What we will cover
- Open with an Xray introduction and its use in DevSecOps
- Discover Xray architecture and how it integrates with DevOps
- Explore Xray components useful in development and the SDLC
Who should take this DevSecOps course?
Xray administrators, Artifactory administrators, application security engineers, and DevSecOps and DevOps engineers who are new to JFrog Xray will benefit from this course. It shows the student why testing for vulnerabilities is necessary for stable and reliable systems, and why binary files should be scanned for issues before they are deployed to production. Any DevOps manager or developer who wants to better secure their software and find ways to build code without vulnerabilities and bugs will also benefit from this course.
In order to complete the course, you have to answer at least 70% of the quiz questions correctly.
Software isn't flat. It's built as a series of directories stacked on top of each other. So you could have a Java library that's embedded within a JAR, that's embedded inside a Docker container. As a fully automated scanning service for your components, Xray requests binaries and extracts them recursively, at each level of encapsulation. Xray works symbiotically with JFrog Artifactory, which gives it the exclusive advantage of combining any number of data feeds with the exhaustive metadata stored in Artifactory. So even when you have that Java library embedded in the JAR, that's embedded inside a Docker container, it doesn't matter: Xray is a universal tool that knows how to crack these packages open and discover what's inside. Components are indexed recursively, so you can see all the levels of encapsulation as they apply to a single package.
Xray uses data on security vulnerabilities from multiple providers in its scans. It continually reassesses your artifacts against the latest known security information, even after the initial scan. As in, all the time. Here's what that looks like: imagine Xray discovered a runtime bug in one of the npm packages running inside a Docker container in one of the production environments of one of the projects inside your organization. Did you see all of those layers? npm packages... that live inside a Docker container... that are deployed to a production environment... for one of your projects. Wouldn't it be useful if your colleagues working on other projects also knew about all the components affected by this bug? Once Xray is connected to your Artifactory instances and running inside different projects and organizations across your company, it builds a component graph. It then runs an impact analysis on all the components that can be affected by the single component in question. You could know right away about the vulnerability, its potential impact, and a complete map of all affected components.
You could address the issue so quickly that it would almost be like it never existed. Having these issues brought to your attention, instead of having to look for them, will help you deploy better and remediate more effectively.
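To make the component graph and impact analysis described above concrete, here is an added toy model (not JFrog Xray code and not its data format): nested artifacts are recorded as a containment graph, and a flaw in one component is traced upward through every layer of encapsulation to the images and environments it reaches. All component names are constructed for the example.

```python
from collections import deque

# Constructed containment graph (not real Xray data): parent -> components found
# directly inside it. Each edge is one level of encapsulation that a recursive
# extractor must open: environment -> Docker image -> JAR -> Maven/npm package.
CONTAINS = {
    "prod-env/payments": ["docker:payments-api:3.1"],
    "prod-env/reports": ["docker:reports-job:1.0"],
    "docker:payments-api:3.1": ["jar:billing-core.jar", "npm:left-pad@1.3.0"],
    "docker:reports-job:1.0": ["jar:reporting.jar"],
    "jar:billing-core.jar": ["maven:com.example:parser:2.4"],
    "jar:reporting.jar": ["maven:com.example:parser:2.4"],
    "npm:left-pad@1.3.0": [],
    "maven:com.example:parser:2.4": [],
}


def reverse_graph(contains):
    """Invert containment: component -> artifacts that directly hold it."""
    parents = {node: [] for node in contains}
    for parent, children in contains.items():
        for child in children:
            parents.setdefault(child, []).append(parent)
    return parents


def impact_analysis(contains, vulnerable):
    """Return {artifact: depth} for everything that transitively contains
    `vulnerable`; depth 1 is its direct container, larger depths are outer
    layers of encapsulation up to the environments that deploy it."""
    parents = reverse_graph(contains)
    if vulnerable not in parents:
        raise KeyError(f"unknown component: {vulnerable}")
    seen = {}
    queue = deque([(vulnerable, 0)])
    while queue:  # breadth-first walk upward through the containers
        node, depth = queue.popleft()
        for parent in parents[node]:
            if parent not in seen:  # a shared JAR can be reached via several images
                seen[parent] = depth + 1
                queue.append((parent, depth + 1))
    return seen


if __name__ == "__main__":
    # One flaw in the shared parser library fans out to two images and two environments.
    affected = impact_analysis(CONTAINS, "maven:com.example:parser:2.4")
    for artifact, depth in sorted(affected.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{'  ' * (depth - 1)}{artifact} (depth {depth})")
```

A real scanner populates the graph by extracting the binaries themselves; the point here is that the same reverse walk answers the "who else is affected?" question for a component no matter how deeply it is nested.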