Webinar Recap: MyGet—The Secure Universal Package Manager

Nick Honegger on October 3, 2018

We recently hosted a webinar showcasing the newest addition to the Assembla suite of secure software development tools—MyGet Universal Package Management.

MyGet integrates with your existing source code ecosystem and enables secure, end-to-end package management. In this webinar, we discussed the fact that the majority of your code is based on open source packages downloaded from various places on the internet, often leaving your source code vulnerable and insecure. For this reason, you need a universal package management tool to serve as your first line of defense from the inside out.

What could the addition of a trusted, universal package management solution add to your source code security? Watch the short video below to find out.

Let us know what you think.

Interested in seeing how a strategic, non-piecemeal approach to package management could significantly reduce the security risk to your source code? We’ve opened up a free 14-day trial of the product so you can see for yourself how it works.

Rachel
Good morning or good afternoon everyone. Thanks again for joining us. This is Rachel with Assembla. Today we're going to cover all things MyGet, the secure universal package manager. A few weeks back, we made this acquisition and we're really excited to share with you all of the benefits. Before we jump into the agenda, if at any time you have any questions about what you're seeing or what you're hearing, go ahead and submit those questions through the question box on the user interface. We'll make sure that we've got plenty of time at the end to answer all of your questions. And now I'm going to hand it over to Jacek Materna, Assembla CTO.

Jacek Materna
Thanks Rachel. Welcome everybody to the webinar. I'm really excited to present MyGet and what it means for the future of software development with Assembla. So a little bit of background on me: I'm the chief technology officer here at Assembla and my role in the company is, you know, looking at what customers are talking about related to pain points around the software development lifecycle and really observing where the market's going and what are the real needs around today's software teams. And which brings me to, you know, why, you know, MyGet, why package management in 2018? It really, it comes down to what we see as three intersecting trends. The first one being that, you know, in the last 10-15 years, the consumption and creation of open source has grown exponentially. There's 30 million plus developers in the developer ecosystem and over the last 10-15 years, they've created a large amount of open source code that's been beneficial to pretty much every company on the planet to enable them to build products, web products, non-web products, various hardware devices. So that's one trend. The other one is that, you know, if you look at the news today, you can't go a week or two without having an article around a data breach. So customers, consumers, businesses are much more acutely aware and concerned about issues around privacy, data protection, you know, how secure is their information when they are using products, you know, web products like Assembla or any other types of applications you can get on the internet. And from a software development perspective, what we see very closely with Assembla customers, I talk to a lot of folks, is that the burden of security and addressing these questions is moving more and more to the developers. We call it shift left. So there's a trend where that responsibility is moving in that direction and that's really why, you know, MyGet is and has joined Assembla in recent days.
Because, you know, 90% of code is open source and we really wanted to secure that flow, the software process, and make sure that companies have the tools and the developers have the tools to protect themselves in this new macro environment.

So a little bit about what MyGet is and why it matters. You know, it's a package management platform centered around security and governance of open source. It was founded in 2011 and we, you know, what was really exciting about the platform and why we brought it into the Assembla ecosystem is that it enables you, enables teams to really address these points I talked about earlier which is, you know, 90% of the software that you write or use in your products is not coming from your software development team, it's actually coming from other teams. And what's interesting about it is that it's not necessarily coming in as code or software code, it's coming in as what's called packages. You know, so what is a package? A package is really a series of software pieces, you know, could be code, could be assets and all that gets wrapped up in a package or an artifact and that's what's being incorporated by your teams, you know. If you're building a web application today, you are probably consuming hundreds, if not thousands of open source packages across your stack and that is why MyGet is really important because it really allows you to control what kind of packages your developers are using. It brings a level of governance around licensing and vulnerabilities to those packages that was not possible in the past. And the testament to that is MyGet has accumulated, you know, thousands of customers over the last seven years on this mission and the excitement that I have to share is that, you know, as it joins Assembla in the ecosystem, it really fits in nicely with our long-term strategy for securing your source code. Really high level, you know, the three benefits, as I mentioned on MyGet: its package control. It's the ability to build those packages and distribute those and there's a really clever set of features around the verification, or what I call governance, of, you know, who can access those packages, how they're accessed.
It really gives you fine-grained control of your team. It gives your CIO and CISO a level of visibility that was not present there before around this 90 percent, you know, this huge volume of assets that your teams are consuming which you may not really be aware of because when you look at just the text source code, it's hiding the fact that that code is dependent on a large amount of external packages.

So, you know, MyGet completes that DevOps lifecycle, as we call it. For Assembla customers that have been with us for quite a long time or just joined the journey, you know, Assembla has a really robust project management planning component. We have a strong pedigree in version control around Git, Subversion and Perforce with, you know, code scanning, code review, all the tools that are necessary for software developers to collaborate and where MyGet fits in is that as you look beyond that to the full lifecycle, building packages, distributing them, looking at dependencies, governing the vulnerabilities and the licensing elements of those packages, all the way through deploying those into production. This is kind of the continuum, you know, we called it the DevOps lifecycle. DevOps can mean different things for different people but with MyGet entering the ecosystem, you truly now have a capability to do this end-to-end. And, you know, from a technical perspective, developers on the webinar or folks in and around that lifecycle, you know, the exciting thing about MyGet is that it supports a really large set of package languages today from npm to NuGet to Maven, which is heavily used by the Java Enterprise community, to Bower, a lot of Microsoft packaged technologies. So there's a really robust coverage already, but we've got things on the horizon. You know, RubyGems is something that we're actively developing to support, I'd say almost eighteen-nineteen percent of development teams at some level use Ruby packages and then there's the future discussion about technologies such as Kubernetes. Kubernetes is a fairly new technology but its growth is accelerating so the entire space of containers and Kubernetes, there is a packaged infrastructure and a packaged story there called Helm and so we're going to be working on releasing that as well into this platform so you can truly have, I would say, almost 100% coverage of any kind of packaged language type.

So at the feature level, again going back to some of the previous points, it really boils down to control of the packages. You know, ninety percent of your source code is open-source packages and to deliver that in a useful manner, you know, you really need to deliver robust build services so whether you call that continuous integration or just assembling the components needed for a package for distribution, a critical component, so that comes built-in and controllable in MyGet. Vulnerability scanning is a really important one. That's a growing space. There's a lot of data and services out there that show you what vulnerabilities are built into what packages but what we wanted to do is bring that front and center so MyGet has that built into the flow, and there's going to be a lot of things that we're going to be talking about in the future related to the vulnerability scanning components as well. And then I also will add, you know, the element of license compliance. So, more often than not, because of the large volume of open-source packages that are being consumed, there's various license models that are used in this community. There's things that are familiar such as GPL, MIT, Apache 2.0, BSD, so there's loads of different license types and from a business perspective, or for those building applications, in most cases if you're building commercial applications, it's really important to be able to prove or audit what licenses are in use. Some are actually non-friendly for commercial applications and so with the ability to have the view of what licenses are being used across this MyGet control point, it gives the teams or the security team or it could be the dev team itself, a view into that so you can govern.
Hey, you know, we've got all the licenses that our corporate compliance officer or maybe our internet security policies are allowing us to and by having that directly built into MyGet, you don't need to go to another tool or fish around so it's really exciting and we're going to be talking more about licensing and how that is going to expand in the ecosystem in the future as well.

So with that, I think we've got a demo scheduled. So what I wanted to do is switch quickly over to, you know, show the folks on the webinar a little bit about what MyGet looks like, go through some of these topics that I mentioned earlier, and, like I said, at any time you can go to MyGet.org, start a trial and poke around yourselves and test this. So, that is available as well. So, MyGet is a, it's a web application delivered over the web browser, so all the control and management of that application is done through your web browser, just like Assembla, and there's different technologies that interact with your MyGet packaged infrastructure, which I'll talk a little bit about later, which happens outside of the browser but all the control management and all the usual stuff that you'd be used to around, you know, these applications comes through that web browser. So when you log into MyGet, you know, you're basically, the home view, you're presented with really a list of what are called feeds. So think of a feed as an area that you can store one or more packages, give it a name and the feed is really kind of a, you know, for Assembla folks, think of it as a space. You know, it's a place where you can organize these packages of different flavors and create control points, different rules, distribution models and that's how you partition data and packages in the MyGet space, in the platform. So when you dig into a package, you know, in this case it's called the Jacek Materna package, aptly named, really what you're presented with is that there's a list of features on the left side, all the way down through vulnerabilities, licensing, but at the core of it comes in terms of the application, comes, you know, an area where you upload and manage what packages are actually part of this feed.
And so, here is where you're able to interact with different service providers that I mentioned earlier like NuGet, npm, Bower, Maven, and you're able to pull those in from, you know, Maven sources like Maven Central, Microsoft's NuGet, or even private NuGet or Maven services that your company may have exposed on the internet for specific purposes so they may not necessarily be, you know, the community one. So it's really flexible in that perspective. And then once you upload them, you have them in kind of a manifest, here on the screen, and you're able to kind of dig into some of those details, download those directly and various things like that.

The other cool feature around packages, and this is really one of the most popular features in terms of just controlling the data itself, is what we call package retention rules. So, here is a series of business rules that the team can configure to keep good housekeeping on your data. So as you create new packages and iterate on the versions, or you bring in new versions of packages from the open-source community, you're able to control the retention strategy. So you may want to keep just the latest packages, you may want to keep a set of packages, a couple of versions behind, minor, major versions. So, again, it gives you a lot of flexibility around controlling what packages are actually stored in your plan. There is a storage limit with different plans so this becomes important to do good housekeeping. Another area is what we call upstream sources. And so, upstream sources, think of that as a, you know, where does all my package information come from and the tool comes predefined with the, you know, popular open-source hubs from Bower to Maven, NuGet, etc. but you can add your own, and this is really where a lot of the power and flexibility comes in to this single control point which is MyGet. You know, you can pull in packages, even from Dropbox, you know, it doesn't have to be a, you know, a single point. So you can really start to think about the upstream sources and MyGet as a way to kind of orchestrate, really, could be even, a pretty advanced pipeline. So you can have one community feed that your team pulls from and then you can have, you can set up hierarchies, so only certain packages are distributed to subsequent feeds. So, we see a lot of customers creating one-, two-, or three-layer deep hierarchies and they're able to control different layers with different user access, different retention policies, and it becomes important as you create a little bit more complex DevOps lifecycle.
You may have distributed teams, maybe you're working with contractors, third parties, you want to have specific data accessible to those organizations that you may not, that you may not want to show them and I think it gives you a lot of flexibility and we're always looking to improve this section, to bring in even more capabilities, in terms of bringing data in.

The next one is webhooks. I wanted to cover this one real quick, it's kind of at the bottom, but, you know, for those in the, using Assembla or software service tools, you know, a webhook is a critical integration feature. You know, we realized that there's lots of different systems you want to connect to, you want to notify systems that something's happening, so there's a really robust webhook API that's easy to use where you can, you know, have emails sent when things happen, you can post information to Microsoft Teams, Slack, Twitter, Twilio, you know you can even just do a raw HTTP POST request to really any kind of service that could consume it. So, there's a lot of flexibility here around creating an enterprise lifecycle and we see a lot of customers digging really deep into the webhooks because it lets them bring other tools and other systems into the fold to solve these, the lifecycle challenges that they're having. Which brings me to build services, you know I mentioned earlier that this build component, continuous integration, is a critical piece, it definitely is. So what you get with certain plans on the MyGet platform is, think of it as your own dedicated build farm. So you're able to take data from different code sources, you know, you can integrate with GitHub, Bitbucket, Visual Studio Team Services, Assembla, any place that's actually storing information, could be an SVN repo, could be a Git repo, could be a Perforce repo, as long as it's accessible from an API perspective, you can have these servers or server build the, build the code into a package and then distribute that package onto one or more feeds. So, this is really that assembly line component that lets you move things across from code to package to distribution and again, this is a really popular component. There's lots of different applications in the ecosystem that do just this job.
What's great about this is you get this capability built in, you know, you don't have to go to another tool, manage access control. You know, we hear a lot of customers that, you know, they want to bring all their tools into one spot, one control point, so that's why this area is really exciting and we're constantly improving this section because it's a strategic piece of the platform.

So it brings me to licensing and vulnerabilities. You know, we spoke about the macro environment around security, which we'll talk about in a minute around vulnerabilities, but touching on licensing real quick. This is an important piece. It's an important piece that some developers may not be thinking about day to day, someone in the company or some team in the company is. It's part of corporate compliance, you know, it's part of many pieces of the business because at the end of the day, the code and the packages that you're using to create the commercial products, you know, they need to have commercial friendly licenses. So, there's, you know, using the licensing tool here, it basically, for every package that's in the feed, it does a scan of the package contents and it makes sure that, you know, you're running certain licenses. So maybe, you have a corporate policy that allows you MIT but doesn't allow GPL, or maybe you just want to have a quick report and say, "hey, 50% of our packages are from Apache". You'd be surprised how many times that question's asked in an organization and everybody scrambles to create spreadsheets, trying to pull data in from 20 different sources. This comes built-in. It's automatic and like I said, we're going to be looking at extending this functionality to give you a lot more control about how packages that meet your licensing needs or maybe are not allowed, how they're stored and retained in your feed. So, one particular customer is actually really excited about being able to reject packages that have specific licenses or only allow certain users to use those licenses. So, more to come in this area for sure.

And then the last one is, you know, vulnerabilities. This is a broad, broad term, you know, vulnerabilities. What is it really in terms of MyGet? Well, in terms of what it is, is, you know, there's lots of tools out there that provide vulnerability scanning, vulnerability reporting, remediation, etc., you know, this isn't a vulnerability tool. You know, MyGet is a package management tool that's critical for securing your code and what's exciting about this feature is it really lets you, again, in an automatic way, staying in this ecosystem, get a view of potential vulnerabilities that your team is using in terms of packages. You know everyone's seen the famous Equifax data breach. There's been multiple breaches beyond that breach in the last, I'd say, year, year-and-a-half. All of them stem from a single component that was consumed and is still being consumed by tens of thousands of software developers all over the world. You know they fixed the issue. There's still a couple issues with it but bottom line is it's important to understand that, you know, your team is using components that have potential vulnerabilities. This is something that, you know, my team is constantly looking at. This is something that our customers say that their teams are dealing with. So, this gives you that capability to look at, you know, "hey, this feed's got potential vulnerabilities" and it really lets you, when you've got a lot of them, you can search and it lets you look at all the, in this case, this is Struts I pulled up, which was the component that was part of the Equifax story. It's a Java-based Maven-hosted package, you know, it's got the list of CVEs, information about them, things you would get in a typical vulnerability assessment tool, and with links to where you can get more information. So stay tuned, again, for this area because we're going to be adding more control capabilities to this functionality.
It's currently in preview state but we're going to have a lot more coming down the hatch around controlling the data that comes into your organization because of the vulnerability data.

So again, most companies have stated they have disbanded the use of Struts. How do you actually accomplish that? You know it's important to have business rules and really some level of assurance from a corporate perspective that says, "hey, you know, our team, for sure, is using Struts and we know that because the entire team is using MyGet and MyGet is basically blocking use of Struts". So, you know, simple use case but typically very difficult to implement in a large distributed software team which is why this capability is so important. And that's really it. You know, just a quick overview which really brings me to kind of the next section of our webinar.

Rachel
Great. So, thanks for that Jay. That was really helpful. We do have a couple of questions in the queue and if you have any questions based on what you just saw, go ahead and submit some questions in the question box. And our first question is around private Composer, so are private Composer projects stored on Git supported by MyGet?

Jacek Materna
Yeah. That's a great question. So, if I'm understanding it correctly, we're talking about PHP, from what I see here, and absolutely. So there's a couple of things to touch on here: one, we've got full support for Git, Subversion and, you know, the popular version control technologies out there, so if you're storing your projects in those ecosystems, that integration is present. And then in terms of support for PHP modules themselves and being able to build that, cache them, we've had full support, like I said, I'd encourage you to check out, sign up for a trial, look at that. We have excellent documentation about all the different package technologies as well but the PHP side is pretty robust and there's a lot of configurability that I didn't go through in the demo that you can really customize exactly how you want to orchestrate your PHP stuff. And like I said, if there's something that is missing, you know, we want to fix it, you know, we want to add it. So I'm not saying that we've got everything covered, we've got the large majority but, you know, if there is something very important, you know, engage with us and we will definitely look at that functionality.

Rachel
Awesome. So, Jay, where can folks sign up for MyGet?

Jacek Materna
Great question. Yeah, so MyGet.org, www.MyGet.org, go there. There's various places on that web page to sign up but you just put in your email address, you know, click sign up now and fill in a couple pieces of information and then you're in a 14-day trial with all the functionalities. So you can check out, you know, all the things that I just mentioned earlier and that's where you go get it.

Rachel
Awesome. So how does this, how does MyGet integrate into Assembla? How does it integrate with Assembla?

Jacek Materna
Yeah. So there's a couple of points here. From an integration point of view at the version control level, you know we touched on that a little bit, you know, Assembla supports Git, next-gen Subversion, you know, that capability is there so you just pull that in, you know, in the UI, as I mentioned before, so the capability's already built-in so there's not really much you need to do there. You can integrate with other, obviously, version control providers as well; no big deal, and then I think at a broader level, how does it integrate with the Assembla strategy around securing your code? You know, it goes back to that ecosystem slide, which I had earlier, it really fills the gap. Everything to the right of the code, the code review, you know, the next steps that are involved in the DevOps lifecycle, whether you're using an existing tool, maybe you've created your own tools, maybe you want to use your own tools and MyGet, it really doesn't matter. It adds a level of enrichment to the platform that was just not there before and again, the ultimate goal is we want to enable you to write secure code so it's a strategic component to any software team's strategy.

Rachel
Sure. So to that point, how does this impact the overall security of the Assembla ecosystem?

Jacek Materna
Yeah. Very good question. You know, security's top of mind for Assembla. I think it's top of mind for customers. As I mentioned before, the burden of security, the burden of addressing a lot of these issues, is moving very quickly to the left to development teams, the development managers, the DevOps components of those teams and from the perspective of security, it really provides a single platform, a single ecosystem that you can do all of your planning, your source code management, version control, builds, verification, all that end-to-end. So, all of it is tied together and what's exciting about it is you've got full coverage, so you're not doing version control extremely well and then you're piecing together your package management. You know, we want to focus on quality, we want to focus on bringing those security tools to bear, so to me it really is about having that end-to-end experience and not having to, like I said, assemble your own solutions or go to other vendors and potentially have integration problems. So for Assembla folks that are on the platform today, you know, the integrations and the continuity between Assembla and MyGet is only just getting started. So I think that's really how I see it: it's around end-to-end coverage.

Rachel
Awesome. We have another question in the queue coming through. Will MyGet be available as part of a standard Assembla user plan or does it need a separate subscription?

Jacek Materna
Yeah. Great question. I'd say the answer to that is today it's a separate subscription. You know, you go to MyGet.org, you sign up, you go to Assembla.com, you sign up, but in the future, as part of the ecosystem of the platform, you know, stay tuned. There's going to be things we're going to be doing there that's really going to give a single point of purchase for, really, an ecosystem, so I can't speak to the specifics around, you know, the five user plan or this plan specifically but, you know, when we talk about an enterprise platform, it really boils down to, you know, one place of purchase. So, it's something that we're aggressively looking at and it's something to, you know, either contact us now if you want to have a conversation or just stay tuned as we roll out more information.

Rachel
And then how does, how does MyGet compare to maybe other options on the market, other competitors?

Jacek Materna
Yeah. Great question. There's a few competitors in the space, I'll name two that are fairly popular and, you know, I talk to clients all the time that either had them, have them, are looking at them. The first one is JFrog, company is real, great platform, you know, they really centered their entire history around a product called Artifactory and a lot of customers use them. They're kind of, in a lot of ways, a leader in the artifact binary management space and then there's Sonatype, which was in the news recently, they just did a big VC raise. I'd say, you know, when you compare MyGet to these platforms, I think it comes around the focus and around the ecosystem. So, you know, you go to a GitLab, you go to a GitHub today, you know, they need to leverage these tools from different companies to fill these critical gaps. You know at Assembla, we're on the mission to secure your code, so we believe in a central control point, single experience and so when it comes to that, I'd say at a really tactical level, it's about having one company ensuring that end-to-end process now and into the future. So if you're thinking about a long-term play for your team, that's important. It's important for me when I evaluate platforms, for sure. And then the other one is, you know, MyGet's always had a history of being cloud-first. We're one of the easiest to set up cloud-focused package management tools. A lot of these tools that I mentioned before started with on-premise versions, now they offer, you know, "host it on your own cloud" versions. MyGet's truly a software as a service platform. You know, you can get set up with a feed in less than 60 seconds, but that being said, we do offer MyGet Enterprise, you know, it's a large portion of our customer base.
I didn't talk a lot about that in the demo but that product has a lot of enterprise capabilities like LDAP, SAML, all the usual things that larger teams want and the cool thing about that platform is that it's a software as a service platform as well so it's not focused on running on your own premises. We believe that customers want to focus on their code; they want to focus on their projects, their deliverables. We offer a managed service, you know, it's a managed SaaS product. The infrastructure runs, you get your own dedicated systems, you get your dedicated performance, it could be deployed in multiple locations in the world and, like I said, it's a very popular component of it. So, again, I think that's how we fit. It's the speed of deployment. I think we're the most cost-effective option and we're cloud-native.

Rachel
It looks like we are all out of questions, right now, so I'll hand it back to Jay if you want to close it out.

Jacek Materna
Yeah. Absolutely. Thanks Rachel. So, like I said, I just wanted to thank everybody for joining. There's going to be lots of stuff coming from Assembla and MyGet in the future, so please do keep in contact with us, you know, follow us on the social mediums. Don't hesitate to engage with our team. If you, if there's any questions that weren't answered, we'd love to hear from you and, like I said, we're just getting started with MyGet and I think as an Assembla customer, it's an exciting time to be in the ecosystem. So, like I said, stay tuned.

Rachel
Awesome. Thanks for joining us today and if you have any other questions, please reach out.