Welcome to the JFrog Blog

Don’t let Prometheus Steal your Fire

Background: Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system's state in addition to observation of hardware and software metrics such as memory…
23andMe’s Yamale Python code injection, and properly sanitizing eval()

Background: JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in Yamale, a popular schema validator for YAML that's used by over 200 repositories. The issue has been assigned to CVE-2021-38305. The injection issue: An attacker that can control the contents of the schema file that's supplied to Yamale (-s/--schema command…
The Vulnerability Conundrum: Improving the Disclosure Process

The vulnerability disclosure process involves reporting security flaws in software or hardware, and can be complex. Cooperation between the organization responsible for the software or hardware, and the security researcher who discovers the vulnerability can be complicated. In this blog we’ll look at the vulnerability disclosure process, the parties involved and how they can collaborate…
JFrog Xray + Splunk + SIEM: Towards Implementing a Complete DevSecOps Strategy

Making security an intrinsic part of a DevOps pipeline is a “must-have” for organizations looking to secure their applications earlier in the development process. The combination of JFrog Artifactory and JFrog Xray enables organizations to build security into all phases of their software development lifecycle, so they can proactively detect and mitigate open source software…
Penetration Testing vs. Vulnerability Scanning

To release reasonably secure products, vendors must integrate software security processes throughout all stages of the software development lifecycle. That would include product architecture and design; implementation and verification; deployment and monitoring in the field; and back again to design to address the changing threat landscape, market needs, and product issues. In this blog post,…
It’s Time to Get Hip to the SBOM

The DevOps, IT security and IT governance communities will remember 2021 as the year when the Software Bill of Materials, or SBOM, graduated from a “nice to have” to a “must have.” Around for years, the SBOM has now become a critical DevSecOps piece, which everyone must thoroughly understand and incorporate into their SDLC (Software…
A Year of Supply Chain Attacks: How to Protect Your SDLC

One of the most worrisome trends in cybersecurity today is the skyrocketing incidence of supply chain attacks, such as the ones that hit SolarWinds last year and Kaseya more recently. Because they focus on compromising software development and delivery, supply chain attacks have forced developers and DevOps teams to scramble for solutions. Unfortunately, supply chain…
Bring Xray Out of the Box with Dependency and Binary Scanning

Shifting left security means you, the developer, catching and fixing vulnerabilities and license violations early in the SDLC. That’s why Xray scans binaries pushed to Artifactory by your builds, and alerts you when there are issues with your dependencies. But catching them earlier, even before checking in code, can be important for developers shifting left.…
JFrog and Vdoo: Better Together

JFrog customers will soon enjoy end-to-end, holistic security across their software lifecycle -- from development to devices -- as the technology of recently-acquired Vdoo gets integrated into the JFrog DevOps Platform. That was the pledge made by JFrog and Vdoo leaders during their first joint webinar, in which they explained why JFrog acquired Vdoo, how…
How to Accelerate Software Delivery with Hybrid Cloud CI/CD

Are you looking for solutions to deliver rapid application development and iterations? You’re not alone. To accomplish this, many organizations are embracing cloud native containers across multiple cloud providers. The reason? This strategy reduces the risk of vendor lock-in, and helps you scale the application infrastructure horizontally. In their recent swampUP 2021 talk “Going Serverless,…