Welcome to the JFrog Blog

FILTER BY

All
Products
Solutions
Other
Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…
Common Payloads Attackers Plant in Malicious Software Packages

Common Payloads Attackers Plant in Malicious Software Packages

In this third post in our series on Malicious Software Packages, we’ll focus on the aftermath of a successful attack and how the attacker executes payloads to serve their needs through various real-life scenarios. Before we start, let’s review a few highlights from the second post you might've missed: There are common types of infection methods…
JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new “Secrets Detection” feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs…
Supply Chain Security for Open Source: Pyrsia at CD Summit and KubeCon 2022

Supply Chain Security for Open Source: Pyrsia at CD Summit and KubeCon 2022

I was super excited to be at Kubecon+CloudNativeCon this year. Kubecon has managed to build a great community that goes beyond Kubernetes and has been a good catalyst in bringing together people passionate about OpenSource. Kubecon also has attracted a lot of interest due to the quality of sessions, the number of co-located events, and…
CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

How did we get here? On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity…
Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

Welcome to the second post in our series on Malicious Software Packages. This post focuses on the infection methods attackers use to spread malicious packages, and how the JFrog Security research team unveiled them.  If you missed the first blog, here are some key takeaways: Third-party software packages contain vulnerabilities or malicious code delivered through…
Tour Terraform Registries in Artifactory

Tour Terraform Registries in Artifactory

Why should you keep Terraform module, provider, and backend registries in a binary repository manager like Artifactory? Because, like your builds, packages, and other artifacts, your Terraform files are a key part of your software supply chain. Terraform is a widely used open source infrastructure-as-code (IaC) software tool to manage the entire lifecycle of cloud…
Enterprise Package Management for Everyone

Enterprise Package Management for Everyone

Suppose you asked developers in the mid-2000s how they managed and compiled their binaries. You'd probably hear some anxiety-inducing answers (e.g., storing packages in git repositories or insecure file stores). Thankfully, organizations currently have various options for managing their first or third-party packages, dependencies, and containers. Different tools offer different levels of package support and…
Malicious Packages Are a Rising Threat in Software Supply Chain Attacks

Malicious Packages Are a Rising Threat in Software Supply Chain Attacks

Welcome to the first post in the malicious software packages series for the DevOps and DevSecOps community. Each week, this technical series will focus on various malicious packages and their effects on the software supply chain, all published over the next four weeks. We’ll dive deeper into malicious packages in each post, including  Defining software supply chain…
JFrog’s Advanced Security Scanners Discovered Thousands of Publicly Exposed API Tokens – And They’re Active

JFrog’s Advanced Security Scanners Discovered Thousands of Publicly Exposed API Tokens – And They’re Active

Read our full research report on InfoWorld The JFrog Security Research team released the findings of a recent investigation wherein they uncovered thousands of publicly exposed, active API tokens. This was accomplished while the team tested the new Secrets Detection feature in the company’s JFrog Advanced Security solution, part of JFrog Xray.  The team scanned…