ASPM


ASPM on the CloudBees platform provides a real-time view of security issues. It collects, analyzes, and prioritizes security issues from across the SDLC, allowing you to continuously manage application risk via a single window.

It performs an implicit security analysis, automatically triggering scans on code assets when you create a component, or when you commit changes to a linked repository. It also automatically triggers scans on binary assets whenever a workflow runs successfully with the upload artifact build step.

Security leaders can use ASPM to improve application security, and better manage risk. Potential users of ASPM on the CloudBees platform include:

  • Chief information security officers responsible for designing and implementing organization-wide security control frameworks.

  • Development leaders, or application or service owners responsible for prioritizing, triaging, and tracking SLAs to manage effective remediation.

  • Risk and compliance officers tracking risk at each application level.

  • Shared services operating the technology controls mandated by security teams.

The problem

As applications become more complex, and with security tools and responsibilities spanning multiple groups, visibility into the overall security posture of applications becomes progressively more difficult to obtain. This complicates efforts to assess, measure, prioritize and respond to application risks.

It is not easy to enforce minimum security outcomes for every build, or to have visibility into the effectiveness of the enforcement. Nor is it easy for developers to know what is needed to improve their application security posture. Heavy investment in security tooling, and additional hours spent on security-related activities, are frequently necessary but not sufficient.

The solution

ASPM capabilities include:

Figure 1. ASPM capability overview

  1. Risk management: Achieve enterprise-wide visibility of open risks, across the application estate.

  2. Prioritization and triage: Correlate the findings back to an application. Contextualize, prioritize, then triage and track resolutions.

  3. Security orchestration: Integrate with all the security tools used in the SDLC. Orchestrate scans such as SAST and SCA as needed to produce the outcomes required to meet security control objectives.

  4. Real-time visibility of inventory: Utilize an asset data model that holds a near real-time inventory of all the source code, binary, and infrastructure assets that make up an application.