Sunnyvale, CA, USA
Mar 22, 2023   |  By Paul Garden
Are you or your development team tired of using application security tools that generate countless results, making it difficult to identify which vulnerabilities pose actual risks? Do you struggle with inefficient or incorrect prioritization due to a lack of context? What adds insult to injury is that traditional CVSS scoring methods ignore critical details like software configurations and security mechanisms.
Mar 20, 2023   |  By Natan Nehorai
Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories affected. Specifically – there was no public evidence of severe malicious activity in the NuGet repository other than spam packages used for spreading phishing links. As with other repositories, the JFrog Security Research team regularly monitors the NuGet repository for malicious packages, including manual analysis of suspicious code.
Mar 14, 2023   |  By Yair Mizrahi
The recent OpenSSH double-free vulnerability – CVE-2023-25136, created a lot of interest and confusion regarding OpenSSH’s custom security mechanisms – Sandbox and Privilege Separation. Until now, both of these security mechanisms were somewhat unnoticed and only partially documented. The double-free vulnerability raised interest for those who were affected and those controlling servers that use OpenSSH.
Mar 7, 2023   |  By Paul Garden
Announcing the general availability of JFrog Xray’s advanced security features in self-hosted subscriptions, organizations have the flexibility to manage and secure their software development pipelines in-house and in the cloud.
Feb 28, 2023   |  By David Fadida
Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that out of 60 CVEs reported with a Critical CVSS score, only 10 are actually applicable.
Feb 9, 2023   |  By Sean Pratt
At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making security a priority in everything we do.
Feb 8, 2023   |  By Yair Mizrahi
OpenSSH’s newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected, and a proof-of-concept to trigger it causing a Denial of Service (DoS).
Feb 2, 2023   |  By Neophytos Michael
Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the container image to a TAR archive before scanning, and even then they may only work on the application layer instead of evaluating the entire filesystem.
Jan 30, 2023   |  By Jonathan Sar Shalom
Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines. In the prior posts: Now let’s get to know attackers’ other, more discreet interests when creating a malicious package: hiding malicious code, and finally showing how malicious packages can be detected and prevented.
Jan 5, 2023   |  By Ori Hollander
The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain.
Mar 21, 2023   |  By JFrog

Learn more about bringing your Dev, Sec and Ops Teams together at https://jfrog.com/

Mar 21, 2023   |  By JFrog
Earlier this year, JFrog’s Security Research Team performed in-depth analysis of the top 10 most prevalent vulnerabilities in 2022 and found the severity rating of most CVEs were surprisingly OVERRATED. In this on-demand webinar session, you will learn: Here we’ll discuss how organizations can make better decisions, get better processes and use better tools for their DevOps security initiatives in 2023.
Feb 13, 2023   |  By JFrog
This Valentine's Day, bring your #Dev, #Sec and #Ops team together, and fall in love all over again!
Nov 22, 2022   |  By JFrog
In this video, learn the mission of Project Pyrsia, how it aids in securing the #softwaresupplychain and why it matters—from project partners at JFrog, DeployHub, and Oracle!
Nov 1, 2022   |  By JFrog
More and more attacks are aimed at the entire supply chain, which means that we developers are increasingly targeted by the attackers. Attacks like the SolarWinds hack show us that making sure you don’t use vulnerable dependencies isn’t enough. The attackers have their sights set on the entire development process with its components. In this workshop, we will look at the first steps and try them out in practice which will enable you to integrate the topic of security into your everyday life as a developer.
Oct 28, 2022   |  By JFrog

Meet our partner experts and learn more about how JFrog's Pyrsia project (the decentralized package network) works hard to secure the #softwaresupplychain! Learn more at https://pyrsia.io/.
#DevOps #DevSecOps

Oct 21, 2022   |  By JFrog
With JFrog Advanced Security, you can now intelligently deliver secure software at speed and scale with the industry’s only DevOps-centric security solution. The new advanced security solution unifies developers, operations, and security teams to safeguard the software supply chain in a holistic, hybrid, multi-cloud platform.
Oct 18, 2022   |  By JFrog
Introducing JFrog Advanced Security, the world’s first DevOps-centric security solution designed to control and protect your software supply chain from code to containers to production. As part of JFrog Xray and integrated into the universal JFrog DevOps Platform, these security features focus at the binary level, revealing issues that are not visible in source code alone. These new features go beyond the traditional software composition analysis (SCA) capabilities of JFrog Xray, with a focus on container security.
Oct 6, 2022   |  By JFrog
In this interview, we speak with Carlos Sanchez @csanchez Senior Cloud Software Engineer at Adobe, member at the Apache Software Foundation, author of Jenkins Kubernetes plugin about Kubernetes!! How moving to Kubernetes opens the door to a world of possibilities, the amount of workloads that can be run and the flexibility it provides. However this comes at a cost on managing the resources used by many applications and teams. Java applications can be specially challenging when running in containers.
Oct 3, 2022   |  By JFrog
In this interview, we speak to Eyal Ben Moshe, Head of the Ecosystem Engineering Group at JFrog, about the importance of shifting left and providing tools for developers to keep their software secure. He specifically discusses the release of Frogbit and Docker Desktop Extension and teases the BuildInfo resource, the metadata associated with a build in Artifactory.
Jan 12, 2020   |  By JFrog
Cloud DevOps tools offer greater flexibility, rapid deployment, cloud automation, reduced IT costs, and low upfront costs with subscription pricing. Setting up your environment with Artifactory on the cloud on your choice provides unlimited scalability allowing you to grow according to your needs and is easily achieved by using cloud storage providers (Amazon AWS, Google GCP or Microsoft Azure) in your environment with Artifactory.
Jan 12, 2020   |  By JFrog
Software businesses of every industry and all sizes, from small startups to large enterprises, are looking for ways to accelerate their software development process in the race to innovate and deliver their offerings to their customers ahead of their competition.
Jan 1, 2020   |  By JFrog
Today, we live in a very connected world, where our devices, homes and cars all communicate with each other, and every company with a product or service has the need to develop software. It is one of the primary mediums by which they strive to provide better products, services and solutions, and has become paramount to a company's success. To continuously improve their software, companies must have sound DevOps or DevSecOps practices in place.
Jan 1, 2020   |  By JFrog
In today's enterprises, software is your company's everyday face, whether through the desktop, the cloud, or a mobile device, to all parts of the globe. Cars are computers on wheels. Thermostats are data terminals. Banks live in your phone. In this new world, software updates serve customer's demands. Each one you deliver is your opportunity to renew - or, if botched, destroy - their trust. How can you make every update top-notch at top speed?
Dec 1, 2019   |  By JFrog
Over the last several years, software development has evolved from deploying products periodically to building them on an ongoing basis using CI servers. A company's end product may be built on a daily or even hourly basis. This means that DevOps must support the continual flow of code from the individual developer's machine to the organization's production environment.
Dec 1, 2019   |  By JFrog
Two numbers are shaking the foundations of business. What do these two figures mean to your business? They mean that, odds are your competitive landscape is irrevocably changed - already. To start, expectations for delivery speed for new products, services, and everything are faster. The new table stakes in the DevOps world have raised the bar on collaboration, cross-organizational visibility, efficiency, even company culture. Another thing these two simple stats mean is that most businesses are already there, or heading there now.

JFrog products seamlessly integrate with practically any development environment on Earth, from legacy code to the most recent containers and micro-services.

JFrog's end-to-end platform provides a fully automated pipeline for distributing trusted software releases. Connecting all developers, DevOps engineers and product owners to end devices, the JFrog Platform ensures software flows quickly and free from interruption.

End-to-End Universal DevOps Platform:

  • JFrog Artifactory: The undisputed software repository leader for integrated, universal artifact management at enterprise scale.
  • JFrog Container Registry: The world’s most flexible, hybrid container registry, with enterprise-grade resiliency backed by JFrog Artifactory.
  • JFrog XRay: Universal security vulnerability & compliance analysis, natively integrated with Artifactory for continuous governance across the DevOps pipeline.
  • JFrog Pipelines: Universally orchestrate software releases and master the entire CI/CD pipeline from code to production.
  • JFrog Distribution: Secure and validate your software releases, allowing trusted, optimized software distribution on a global scale.
  • JFrog Mission Control: A single access point providing a centralized dashboard to oversee your DevOps pipeline.

Universal Artifact Management for DevOps Acceleration.