VMblog: Can you give VMblog readers a quick overview of your company?
Stephen Chin: JFrog is a publicly traded company (NASDAQ: FROG) focused on enabling the seamless, secure flow of software from developers' keystrokes to edge and IoT devices. Most in the community know us best for our award-winning JFrog Artifactory binary repository, which serves as a central hub for DevOps - integrating with developer tools and processes to improve automation, increase integrity, and incorporate best practices along the way. Our universal JFrog Platform enables software creators to power their entire software supply chain with full binary lifecycle management, so they can build, secure, distribute, and connect any source with any production environment. Millions of users and thousands of customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely manage their mission-critical software supply chains.
VMblog: Your company is sponsoring this year's KubeCon + CloudNativeCon event. Can you talk about what that sponsorship looks like?
Stephen Chin: We are a Platinum sponsor of KubeCon this year, Gold sponsor of the co-located CD Summit, and proud members and supporters of the CD Foundation, CNCF, Linux Foundation, and OpenSSF. We'll have a terrific booth on the show floor, multiple presentations delivered by our JFrog community and technology experts, as well as some very exciting announcements.
VMblog: How can attendees of the event find you? What do you have planned at your booth this year? What type of things will attendees be able to do at your booth?
Stephen Chin: Attendees can find us at booth P10 where we'll have live demos of our universal JFrog Platform and our recently introduced JFrog Advanced Security - the world's first fully-integrated security solution specifically designed for DevOps workflows. In addition to our innovative product demos, we'll be offering taste-bud pleasing and thirst-quenching Frog-freshments, cool JFrog swag, and our famous JFrog t-shirts!
VMblog: Are you and your company excited for this event to be in person this year in Detroit? What are your thoughts and expectations for the show? Are attendees ready to come back in person, in full force?
Stephen Chin: We are so excited to be back this year - and in person! My team and I often travel to industry events like KubeCon + CloudNativeCon and I can't describe how invigorating it is to see everyone back together - like a big reunion of old colleagues and friends who have not seen each other in years. The sense of community at this and other industry events is not only heartwarming, but inspiring. We know attendees are just as excited as we are to get back out there and go hands on with the latest technologies, collaborate with peers, connect with experts to get their questions answered, and more.
VMblog: Have you sponsored KubeCon + CloudNativeCon in the past? If so, what is it about this show that keeps you coming back as a sponsor?
Stephen Chin: Yes, absolutely. JFrog has been a long-time supporter of KubeCon + CloudNativeCon for several years. We believe strongly in the power of the developer community and always look forward to connecting with them here at the show to exchange ideas. JFrog Artifactory contains robust support for container and K8s registries, as well as cloud native development, and our entire JFrog Platform is focused on securing and powering the software supply chain.
VMblog: What do you attribute to the success and growth of this industry?
Stephen Chin: Building container images to freeze dependencies and provide a 'run everywhere' experience combined with Kubernetes resource specifications to manage the orchestration of container replicas is very powerful. And the forces that have helped propel Kubernetes (K8s) growth - such as containerization, app modernization, cloud-native development, and hybrid cloud infrastructure - are here to stay, which means the future is bright for K8s!
VMblog: Do you have any speaking sessions during the event? If so, can you give us the details?
Stephen Chin: We have several speaking sessions during KubeCon and co-located events this week including:
- Sudhindra Rao will be presenting "Bringing Continuous Delivery to Open Source," on Tuesday, October 25 at 11:45am.
- Diego Rodriguez-Losada Gonzalez from our Conan.Io team will present on the "Lessons Learned from Securing 40,000 C++ Packages," in Room 330 AB at the CloudNative Summit on Monday, Oct. 24 at 3:20 pm ET.
- I'll be giving two talks during the CloudNative Summit - one on Hacking the OSS Supply Chain, at 9:05 am ET, Tuesday, Oct. 25, and the other on Closing the Supply Chain Security Loop with Rust & Pyrsia at 2:20 pm ET, on Tuesday, Oct. 25, 2022.
- Finally, Lori Larusso will be co-hosting the entire Continuous Delivery Summit on Tuesday, Oct. 25 along with executive director of the CD Foundation, Fatih Degirmenci.
VMblog: What are you personally most interested in seeing or learning at KubeCon + CloudNativeCon?
Stephen Chin: Well, the topic of securing the software supply chain has been a big focus of discussion as of late, and I think it will be interesting to hear what others have to say on the topic, as well as how DevOps-centric security extends to the cloud and out to the edge.
I'm also personally interested to connect with fellow peers within the various technology and open source foundations to brainstorm about what more we can be doing collectively to help alleviate the seeming 'fear' that has surrounded open source as of late. The recent barrage of attacks on our open source repositories is not only alarming, but against the founding principles of open source overall. I feel we need to be doing more.
VMblog: What kind of message will an attendee hear from you this year? What will they take back to help sell their management team and decision makers?
Stephen Chin: JFrog has a number of industry-changing initiatives and announcements that we'll be highlighting at the show this week.
First, at our annual developer conference last week, swampUp, which went on tour to New York, London, and San Francisco, we unveiled JFrog Advanced Security, the industry's first DevOps-centric security solution that finally unifies developers, operations and security teams to safeguard the entire software supply chain.
JFrog Advanced Security builds on the existing security capabilities of JFrog Xray to intelligently identify common, significant supply chain security issues that attackers use to compromise development, release and deployment processes, such as:
- Exposed Secrets Detection: Uncover "secrets" such as passwords, access tokens and private keys that have been leaked or left exposed in any container stored in JFrog Artifactory to prevent the accidental leak of API keys, internal tokens, or credentials that can put enterprises at risk.
- Container Contextual Analysis: This industry-first technology provides the ability to scan containers for the presence of malicious packages or use of vulnerable open-source code inside enterprise applications early in the development process. Container Contextual Analysis can also detail which open source vulnerabilities are actually exploitable in the context of a company's own code, allowing developers to disregard or de-prioritize non-applicable incidents, which helps sharpen focus and remediation efforts.
- Insecure use of Libraries and Services: Helps developers to quickly identify whether common open-source software libraries and services are used or configured insecurely, leaving their enterprises susceptible to attack.
- Vulnerable Infrastructure-as-Code (IaC): Inspect IaC files stored in JFrog Artifactory instances to ensure cloud infrastructure deployments are not misconfigured - making them exploitable.
We'll also be sharing with KubeCon attendees that Pyrsia, which is a JFrog-sponsored open-source software community initiative that utilizes blockchain technology to secure software packages from vulnerabilities and malicious code, has become an official project under the Continuous Delivery Foundation (CDF).
Working together, JFrog and the CD Foundation will ensure Project Pyrsia grows its backing and engagement through use of a centralized governance model, defined roadmap, and broad representation within the wider technology and open source communities. With the CD Foundation's support, and that of our incredible industry partners, developers can leverage Pyrsia to have peace-of-mind in knowing their open source components have not been compromised, and confidently deliver secure software at scale.
VMblog: Can you double click on your company's technologies? And talk about the types of problems you solve for a KubeCon + CloudNativeCon attendee.
Stephen Chin: Absolutely, David. JFrog provides an end-to-end DevOps Platform for automating, managing, securing, distributing, and monitoring your containers, binaries, artifacts, packages - pretty much everything that goes into software - as they advance from build to production. It unifies developers, operations and security teams to safeguard the entire software supply chain in a holistic, hybrid, multi-cloud platform.
At the core of our platform is Artifactory, which delivers best-in-class binary lifecycle management for all your packages and containers in one place - for frictionless centralized control of your assets.
- The central hub for any action you need to take with your binaries (i.e., securing, storing, curating, powering CI/CD, distributing to runtime, etc.) - metadata captured along the way
- Truly universal w/ 30+ package types natively supported - including helm charts, container images, Terraform, etc. - Full flexibility in tech for dev teams
- Natively integrates with every popular tool such as Jenkins or CircleCI, but also has APIs for everything and a robust CLI
- Serves as your advanced container and k8s registry
- Caching dependencies from public registries
Once you have all of your binaries centrally managed in one system you can better secure and protect them. That's where Xray and our just announced Advanced Security come in. It's the industry's first DevOps-centric security solution allowing teams to intelligently deliver secure software at speed and scale. There's cool functionality that makes life easier like:
- Container contextual analysis - Scan containers to detect whether the open source software vulnerabilities discovered are actually exploitable in the application - an industry first.
- Enhanced CVE remediation data - Providing easy to follow, step-by-step instructions.
- Exposed secrets detection - Detect secrets left exposed in any containers stored in JFrog Artifactory to prevent any accidental leak of internal tokens or credentials
- Insecure use of libraries and services - Discover whether common OSS libraries and services are used or configured insecurely, causing exposure to attacks
- Infrastructure-as-Code (IaC) Security - Secure IaC files stored in JFrog Artifactory for early detection of cloud and infrastructure misconfigurations that can be exploitable
- And tons of developer-oriented features, like integrating directly into the most popular IDEs, Docker Desktop, vulnerability scanning via CLI, and a Frogbot scanner for discovering vulnerabilities in git repositories. Shifting left without shifting the burden of security.
Now that you have your binaries securely managed in one place we help you get them where they need to be whether that's internally or externally with JFrog Distribution and even on your IoT and Edge devices with JFrog Connect - keeping your software supply chain secure end-to-end.
VMblog: While thinking about your company's solutions, can you give readers a few examples of how your offerings are unique? What are your differentiators? What sets you apart from the competition?
Stephen Chin: The JFrog DevOps platform is the manifestation of our Liquid Software vision. We see a world without versions where software updates flow seamlessly and securely from development to any device, without bottlenecks, update pains, hassles, downtime, or risk - like water flows from faucets. Our unique, end-to-end platform solves challenges found in critical pieces of the software supply chain, such as safely storing, managing, securing, and distributing all types of code-sets (or artifacts), etc. We're also able to collect key metrics, correlate them across diverse systems, and provide actionable information to improve software updates and release cycles. Our complete platform with its unmatched development, security, and IoT capabilities sets us apart from our competitors.
VMblog: Where does your company fit within the container, cloud, Kubernetes ecosystem?
Stephen Chin: JFrog Artifactory and our entire JFrog Platform offer the best containerization solution for all the technologies you build, including cloud applications. The JFrog Platform is a hybrid, universal, comprehensive DevOps solution designed to secure your entire software supply chain from code to containers and connected devices. We also just introduced JFrog Advanced Security, the industry's first DevOps-centric security solution for enabling developers to intelligently deliver secure software at speed and scale with cutting-edge new functionality that makes life easier, including container contextual analysis, enhanced CVE remediation data, and exposed secrets detection.
In addition to our products, JFrog is also a proud supporter, contributor, and board member for the CNCF, CD Foundation, Rust Foundation, and the Open Secure Software Foundation.
VMblog: KubeCon + CloudNativeCon is typically a great venue for a company to launch a new product or an update to an existing product. Will your company be announcing anything new? If so, can you give us a sneak preview?
Stephen Chin: Absolutely. We are excited to announce JFrog Advanced Security! Intelligently deliver secure software at speed and scale with the industry's only DevOps-centric security solution. It's security that finally unifies developers, operations and security teams to safeguard the entire software supply chain in a holistic, hybrid, multi-cloud platform.
VMblog: Where are we at in 2022 with regard to containers and Kubernetes? Is there anything still holding it back from a wider distribution? If so, what is it? And how do we overcome it?
Stephen Chin: I think there's no denying the pandemic accelerated all industries' migration to the cloud, which automatically increased use of cloud-native technologies like Kubernetes. And as more employees go back to the office and as a society we're getting out and doing things again, we'll continue to see increased use of the cloud, collaboration tools, a growing number of devices being used both remotely and while we're on the go. All of this puts increased pressure on developers to ensure software applications are always secure and up-to-date.
However, there are still certain industries where adoption is slower due to business requirements, or data location, data privacy/sovereignty, regulatory requirements, etc. that will be the last or may never migrate to the cloud, but the overall shift to the cloud and adoption of K8s will - in my opinion - continue to accelerate.
VMblog: Are companies going all in for the cloud? Or do you see a return back to on-premises? Are there roadblocks in place keeping companies from going all cloud?
Stephen Chin: Companies are building and releasing software multiple times a day to stay ahead of their competitors, delight customers, and remain compliant. And it's this last point that will likely be the biggest roadblock keeping companies from going 'all in' on cloud. There are several geographical and industry regulations that will deter some companies from moving entirely to the cloud, but they may experiment with certain departments. Our customers are telling us that their world is hybrid and multi-cloud. Thus, our approach to cloud is to offer customers choice when it comes to running DevOps in the cloud.
VMblog: Are you giving away any prizes at your booth or participating in any prize giveaways?
Stephen Chin: Absolutely. We have a number of cool giveaways and daily raffles in our booth (P10) for incredible prizes such as a DJI Mavic Mini, a Lego R2D2, and Meta Quest Pro! We'll also be serving up some tasty thirst quenchers in our crowd-pleasing JFrog Green Blinky Tumblers. So be sure to stop by and check it out.
VMblog: Is your company sponsoring any type of party or get together during the event that you'd like to notify attendees about?
Stephen Chin: No parties this year, but we do have a number of cool contests, tastebud pleasing and thirst-quenching Frog-freshments, cool swag, and our famous JFrog t-shirts to offer in our booth - P10.