Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software delivery. In this post, we’ll explore.

Every automation initiative starts with excitement, intent-based networking, AI-driven decisions, and Python scripts promising speed and resilience. But when someone asks, “Do we know what IPs are in use?” silence often follows. If your IP tracking lives in spreadsheets, you’re not alone, but you are vulnerable. Before writing a single script, teams need an authoritative and current IP source of truth.

Static application security testing (SAST) is foundational to modern application and code security programs. Yet these tools inevitably produce false positives that require manual review. When scanners find vulnerabilities that are not genuine issues, they erode trust, slow down remediation, and make it harder for teams to understand which alerts require attention.

TLDR: Excessive Data Exposure (leaking internal data via API responses) is the silent, pervasive threat that is more dangerous than single dramatic flaws like SQL Injection. It amplifies every other API vulnerability (like BOLA) and happens everywhere because developers prioritize speed over explicit data filtering. Fixing it means systematically checking hundreds of endpoints for unneeded PII and sensitive internal data.

As we near the end of Cybersecurity Awareness Month, a quick reminder that digital threats aren’t just a concern for Fortune 500 companies. Small and medium-sized businesses (SMB’s) face mounting cyber risks, yet many lack the resources or expertise to defend against increasingly sophisticated attacks. The reality? Cybercriminals target SMBs precisely because they assume you’re unprepared.

Endpoint detection and response (EDR) tools, and the analysts using them, have become incredibly effective. They have become so good, in fact, that we're now seeing a clear shift in adversary behavior: attackers are being pushed off the endpoint and onto places where EDR cannot run. This isn't just a theory. As I was writing a separate blog about a recent Cisco exploit which spurred an immediate CISA emergency directive, news dropped about another major network edge vendor, F5.

At the AI Agent Security Summit in San Francisco, some of the brightest minds in AI security and top industry leaders gathered to tackle one of the most challenging problems in tech nowadays - how do we secure super smart systems that change at runtime and are designed to think, adapt, and compete? As someone who spends every day turning AI security challenges into tangible solutions, I left the summit both inspired by the innovation on display and concerned by the magnitude of what’s still ahead.

Zero Standing Privileges (ZSP), where no user or system account has access unless there is a task being performed, is a milestone goal for most security teams. No always-on accounts, no secrets sitting around “just in case,” and nothing waiting to be misused. For a long time, privileged access management (PAM) has meant using credential vaults to store, rotate, and protect privileged credentials like administrative passwords, SSH keys, and API tokens.

False positives from security scanners cost one enterprise over 200 developer hours in a single quarter. At a loaded cost of $150/hour, that’s $30,000 in wasted productivity. Frustrated, they disabled their scanners entirely. Multiplied across dozens of teams, this problem costs enterprise organizations millions, and it is not an isolated issue. This impossible trade-off between noise and risk is why organizations need a more intelligent approach to security.

These days it can be hard to tell if something is or isn’t a scam. Take this email I recently received. It claims to be from HP. It included a PDF file attachment: It would be great if it actually told me the product it was referring to beyond some obscure serial number. I checked the serial number. It didn’t match my HP printer sitting next to my desk. All my laptops and older desktop computers are Dell. I didn’t like how it didn’t have my full name. Just Roger. No product name.