Welcome to the JFrog Blog

DevSecOps 101 Webinar Series

Security should be embedded into the DevOps workflow by default, but for many organizations, it isn't. Enter "DevSecOps". What is DevSecOps? It is a practice to build more secure applications, secure the software supply chain, and secure cloud and on-prem workloads. It is an essential practice that needs visibility. Our new “DevSecOps 101” webinar series…
CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or "Psychic Signatures". This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15. This vulnerability allows an attacker to potentially intercept communication…
CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the built-in encoding/pem package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in…
Secure your git repository with Frogbot the git bot

Introducing the newest member of the JFrog ecosystem team - Frogbot. This new git bot tool works for you by protecting your git projects, as they are being developed, from security vulnerabilities. Register for my talk “Bots to Protect your Source Code” at swampUP 2022. How does Frogbot work? The concept is simple. Frogbot scans every…
Your SpringShell (Spring4Shell) Remediation Cookbook Using the JFrog Platform

A new zero-day exploit in the spring-web package called "SpringShell" (nicknamed “Spring4Shell”) was just leaked and is threatening the internet and the community. The JFrog security research team is investigating the exploit and continuously updating our blog post with technical details on the SpringShell (Spring4Shell) vulnerability. In this technical blog post, we explain how you…
Large-scale npm attack targets Azure developers with malicious packages

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Two days ago, several of our automated analyzers started alerting on a set of packages…
Diving into CVE-2022-23943 – a new Apache memory corruption vulnerability

A few days ago it was reported that the new Apache version 2.4.53 contains fixes for several bugs which exposed users of the well-known HTTP server to attacks: CVE-2022-22719 relates to a bug in the mod_lua module which may lead to Denial of Service after reading from a random memory area, CVE-2022-22720 exposes…
Shift Left for DevSecOps Success

Not long ago, developers built applications with little awareness about security and compliance. Checking for vulnerabilities, misconfigurations and policy violations wasn’t their job. After creating a fully-functional application, they’d throw it over the proverbial fence, and a security team would evaluate it at some point – or maybe never. Those days are gone – due…