Welcome to the JFrog Blog

Pyrsia: Open Source Software that Helps Protect the Open Source Supply Chain

Stephen Chin is no stranger to having big ideas and implementing them to help the developer community. In the last twenty years he’s been involved in building open source IDEs, bootstrapping rich client libraries, maintaining JVM languages, and cultivating relationships with developers that do the same. He has also authored several books including Raspberry Pi…
Pyrsia: Decentralized Package Network that Secures the Open Source Supply Chain

State of Supply Chain Security. Supply chain security has received a lot of attention in recent years, and rightly so. Software vulnerability exploitation attacks have been a key tool in the hands of attackers to hamper businesses and compromise sensitive data, and a cause of a general sense of fear around open source software. Many of…
npm package hijacking through domain takeover – how bad is this “new” attack?

When relying on a third-party package from a non-commercial entity, there is always the risk of a lack of support, especially when it comes to outdated packages and versions. If the package stops being maintained, nobody will implement a new feature we might need or fix a newly discovered security vulnerability. Consider, for example, CVE-2019-17571. A critical…
JFrog & Industry Leaders Join White House Summit on Open Source Software Security

There’s no question that the volume, sophistication and severity of software supply chain attacks have increased in the last year. In recent months the JFrog Security Research team tracked nearly 20 different open source software supply chain attacks, two of which were zero-day threats. This steady barrage of vulnerabilities and malicious packages is driving…
How to Prevent the Next Log4j Style Zero-Day Vulnerability

Note: This blog post was previously published on Dark Reading. Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings…
Scan your software packages for security vulnerabilities with JFrog Xray

Scanning your packages for security vulnerabilities and license violations should be done as early as possible in your SDLC; the earlier the better. This concept is also known as “shifting left”, and it helps your organization comply with security policies and standards early in the software development process. As developers, this may seem like…
npm supply chain attack targets Germany-based companies with dangerous backdoor malware

Update May 11th: Following the publication of this blog post, a penetration testing company called "Code White" took responsibility for this dependency confusion attack. The JFrog Security Research team constantly monitors the npm and PyPI ecosystems for malicious packages that may lead to widespread software supply chain attacks. Last month, we shared a widespread npm…
Complete Your Cloud Kubernetes Registry With Terraform Repositories in Artifactory

When developing container-based services that will be orchestrated by Kubernetes, Terraform is an essential part of your artifact ecosystem. These infrastructure-as-code configuration files help automate the provisioning and maintenance of the cloud environments where your K8s applications will run. That’s why it’s great news that you can now store your Terraform modules, providers and remote…
JFrog Artifactory As Your NuGet Symbol Server

We’ve got great news for .NET developers: JFrog Artifactory can now act as your fully featured Symbol Server! Artifactory has long offered native support for NuGet packages; now developers can also store their symbol files in Artifactory, where they can be indexed and consumed by the Visual Studio Debugger and other debugging tools. What…