From the Frog's mouth

Save time fixing security vulnerabilities much earlier in your SDLC

March 22, 2023 Paul Garden, Security Product Marketing | 4 min read

Are you or your development team tired of using application security tools that generate countless results, making it difficult to identify which vulnerabilities pose actual risks? Do you struggle with inefficient or incorrect prioritization due to a lack of context? What adds insult to injury is that traditional CVSS scoring methods ignore critical details like…

Gain real-time observability into your software supply chain with the New Relic Log Analytics Integration

March 15, 2023 Kristian Taernhed, Sr. Technical Alliance Manager and Mahitha Byreddy, Senior Software Engineer | 4 min read

JFrog’s new log analytics integration with New Relic brings together powerful observability capabilities to monitor, analyze, and visualize logs and metrics from self-hosted JFrog environments. The integration is free for all tiers of self-hosted JFrog customers and utilizes the powerful, open source log management tool, Fluentd, to collect, process, and surface data in New Relic…

Attackers are starting to target .NET developers with malicious-code NuGet packages

March 20, 2023 Natan Nehorai, Application Security Researcher Brian Moussalli, Security Research Tech Lead | 12 min read

Update 2023-03-21 - We've talked with members of the NuGet team and they had already detected and removed the malicious packages in question. Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories affected. Specifically - there was no public evidence of severe malicious activity in the…

Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis

March 14, 2023 Yair Mizrahi, Senior Security Researcher | 18 min read

The recent OpenSSH double-free vulnerability - CVE-2023-25136, created a lot of interest and confusion regarding OpenSSH’s custom security mechanisms - Sandbox and Privilege Separation. Until now, both of these security mechanisms were somewhat unnoticed and only partially documented. The double-free vulnerability raised interest for those who were affected and those controlling servers that use OpenSSH.…

Release Trusted Software Faster – Our New release Lifecycle Management Beta Is Here

March 9, 2023 Sean Pratt, Senior Product Marketing Manager | 4 min read

Releasing production-ready software is a complicated tangle of tools and processes lacking visibility, traceability, and consistency. This leads to custom integrations and human intervention, which create opportunities for mistakes, impede automation, and increase the likelihood of insecure software being released. JFrog's release lifecycle management capabilities enable "release first" software supply chain (SSC) management, delivering trusted…

How to Onboard to a Federated Repository

March 8, 2023 Muhammed Kashif, Enterprise Solution Lead, JFrog | 7 min read

Scaling up your development organization typically involves spreading development across multiple locations around the globe. One of the key challenges with multisite development is ensuring reliable access to required software packages and artifacts for teams collaborating across time zones. The JFrog Software Supply Chain Platform solves this challenge with federated repositories in JFrog Artifactory. What…

Striving for a “DigitALL” World That Empowers Everyone on International Women’s Day

March 8, 2023 Shlomi Ben Haim, CEO, JFrog | 5 min read

As I pondered the theme of this year’s International Women’s Day - DigitALL and Embracing Equality - it struck me how much we take for granted in our always-on, always-connected world. Technology has opened up countless opportunities for everyone, including women. At least those who have the necessary digital access to take advantage of it.…

Advanced DevOps Security With Development Flexibility

March 7, 2023 Paul Garden, Security Product Marketing | 9 min read

Announcing the general availability of JFrog Xray’s advanced security features in self-hosted subscriptions, organizations have the flexibility to manage and secure their software development pipelines in-house and in the cloud. Since Developers and the DevOps infrastructure are the primary attack vector in the software supply chain, we designed our platform and the advanced security features…

swampUP 2023 City Tour: Call for Speakers Is Open

March 3, 2023 Lori Lorusso, Open Source Program Manager | 2 min read

Are you ready for what’s next for DevOps in 2023? If you are, then we have good news for you - the call for speakers for JFrog’s annual user conference, swampUP 2023 City Tour is open! The call for speakers closes March 17, 2023, so now is your time to submit. We can’t wait for…

Testing the actual security of the most insecure Docker application

February 28, 2023 David Fadida, JFrog Security Researcher | 15 min read

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat - a deliberately insecure application. The results identified that…

JFrog Advanced Security

Welcome to the JFrog Blog

Latest:

5 tips on how Developers, DevOps and security teams can work together

FILTER BY

Products

Solutions

Other