Kavita Viswanath, General Manager, JFrog India in discussion with CXOToday on the launch of JFrog Advanced Security
CXOToday has engaged in an exclusive interview with Ms. Kavita Viswanath, General Manager, JFrog India
- Security is seen as the #1 challenge across IT organisations today. What are the top challenges companies face today in cyber security?
Malicious packages are increasingly becoming a common threat in software supply chain attacks. Modern software development entails integrating third-party software into enterprise applications; in fact, nearly 80% of all enterprise software includes some form of open-source code; however, only 52% of developers have a formal process for selecting third-party libraries, while more than a quarter are unsure or even unaware. Open-source code is the most common threat vector in today’s cybersecurity attacks, as attackers seek to target “weak links” in a company’s software supply chain, such as significant flaws, misconfigured services, or disclosed information. An adversary inserts a malicious vulnerability, malicious code, or a full malicious component into a trusted piece of software or hardware provided and consumed in a hardware or software supply chain.
The massive volumes of open source libraries and binaries, as well as the plethora of tools and processes employed in today’s enterprise companies, all provide chances for unintentional and malicious risk injection across the software supply chain. More comprehensive solutions are required to assist in managing today’s new era of software supply chain security concerns.
Why does this matter?
The global pandemic accelerated digital transformation for many organisations, including those that were on the fence. As businesses move online and software grows in volume and ubiquity, investment in robust security becomes imperative. According to research, the cybercrime cost figure is predicted to rise to $10.5 trillion by 2025. A recent Gartner report said 89% of firms have experienced a supplier risk event in the last five years. According to a recent Argon Research analysis, software supply chain attacks increased by more than 300% compared to 2020 statistics, and a global survey of 1,000 CIOs revealed that 82% believe their firms are vulnerable to cyberattacks targeting software supply chains.
- Why do you think there has been a rise in cyber-attacks recently?
The last two years have seen a significant surge in cybersecurity attacks globally, and the 2023 threat landscape doesn’t seem to be improving. In this data-driven era, businesses face intense pressure to continually strengthen their cyber security to keep their data safe and secure. The online world has become a favourite hunting ground for cybercriminals, who are becoming smarter, fine-tuning their methods and becoming more professional. The myriad tools and processes, not to mention the huge amounts of open-source libraries and binaries, all introduce opportunities for accidental and nefarious injection of risk across the software supply chain. Simultaneously, hackers’ attacks have become more complex, while organisations struggle to keep up, resulting in a briar patch of security solutions being deployed to try and source the problem. According to an IDC report, less than 60% of firms are utilising DevSecOps approaches for more than 40% of their apps under development, which is similar to the results of the same poll in 2021. A new strategy is required, both technologically and organisationally.
- The launch of JFrog Advanced Security and why it is important to businesses?
A recent report by IDC suggests that a mere 21% of Indian organisations incorporate security testing at the earliest stage of the SDLC. DevOps teams have become the ‘security owners’ in organisations as owners of the software supply chain. At the same time, security teams are balancing multiple tools, configurations, reports and more, all of which require development team resources, while also being held responsible for compliance and business requirements. While both parties are making investments to strengthen the business, coordination between the two teams and a clear view of software package dependencies might be hampered by divergent systems, variable or redundant information, and inconsistent reporting. The need right now is for different, holistic tools for a new era of software supply chain security threats.
Recognising the need, we introduced JFrog Advanced Security. The newly launched JFrog Platform intelligently identifies common, significant supply chain security issues that attackers use to compromise developers’ processes. A single, unified platform and user-friendly interface are used in JFrog Advanced Security to provide visibility and control over a company’s software supply chain. This significantly reduces overhead and makes it easier to spot malicious code that frequently compromises development, deployment, and runtime processes.
- How does a DevOps-centric security solution help?
JFrog is the first company to provide a comprehensive, DevOps-centric, binary-based security solution. This is significant because DevOps teams genuinely own the software supply chain. DevOps teams oversee the DevOps workflow while security teams define policies and development teams write code. DevOps-centric security considers the entire software development life cycle, from development to runtime to deployment procedures, with security as the primary pillar at each stage. It examines binaries, infrastructure, integrations, releases, and flows to ensure that the entire workflow is free of flaws.
- How is JFrog different from other security providers?
JFrog is in a unique position to secure the software supply chain more than anyone in the industry. JFrog Advanced Security integrates the company’s DevOps and security expertise in a single, unified platform, providing the enterprise visibility and control needed to safeguard the entire software supply chain and intelligently deliver secure software at speed and scale. JFrog Advanced Security delivers holistic, binary-based security for the entire DevOps workflow, enabling organisations to identify and resolve cybersecurity threats in hours instead of weeks, with a focus on binaries as well as source code, revealing issues that are not visible in source alone and providing a full picture of any impact or point of exploitation. Many of today’s enterprise software security solutions fall short because they only focus on source code and what happens before that software is in production. However, to truly protect your software supply chain you need to consider code both in development and in production, at the binary level.
- What would be your message to CXOs to ensure they stay away from cyber-attacks and secure their data?
To answer this question, let’s start with the data: A recent study by Argon Research indicates software supply chain attacks grew by more than 300% compared with 2020 data, and a global study of 1,000 CIOs indicated that 82% say their organisations are vulnerable to cyberattacks targeting software supply chains. Additionally, the U.S. Department of Justice indicated it will be pursuing a new policy seeking C-level sign-off on corporate compliance programs and signalled that it will be expecting CEOs to vouch for corporate compliance programs. In addition, the recent criminal conviction of a Chief Information Security Officer (CISO) for a data breach has resulted in some commentators calling for boards to be held accountable rather than CISOs. So the net-net of all of this is:
- CISOs and any C-suite executive really can’t take a laissez-faire approach to software supply chain management any longer. It is not only becoming a boardroom conversation but a matter of national security. So if you are currently doing business with the government – or want to in the future – you need to practise good ‘cyber hygiene’ and have a very thorough view of your entire software supply chain. The only way to do that is to add DevOps-centric security to your tool set – otherwise, you won’t be able to scale securely.