Welcome to the JFrog Blog

Latest from Xray :

OpenSSH Pre-Auth Double Free – CVE-2023-25136 – Writeup and Proof-of-Concept

February 8, 2023 Yair Mizrahi, Senior Security Researcher

8 min read

OpenSSH's newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected,…

Read More
4 Operational Risks to Not Leave to Chance

4 Operational Risks to Not Leave to Chance

September 1, 2022 JFrog Team | 5 min read

Not all of the recognizable risks in your software supply chain can be identified by their known vulnerabilities recorded as CVEs. A component that is outdated or inactive may present risks to your application that no one has had cause to investigate. Yet these components could still harbor threats. Security teams and developers must also…
Read More
JFrog Providers Support the Terraform Community

JFrog Providers Support the Terraform Community

August 29, 2022 Sean Pratt, Product Marketing Manager | 4 min read

If you’re reading this blog you’re probably at least somewhat familiar with Hashicorp Terraform and the value it brings to managing the deployment and provisioning of infrastructure resources at scale. We’re big fans and users of it ourselves here at JFrog (see how in our recent webinar!).   Terraform is one of the most, if…
Read More
CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability

CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability

August 30, 2022 Uriya Yavnieli | 9 min read

The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the…
Read More
SATisfying our way into remote code execution in the OPC UA industrial stack

SATisfying our way into remote code execution in the OPC UA industrial stack

August 25, 2022 Or Peles, Omer Kaspi and Uriya Yavnieli | 18 min read

The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and…
Read More
Crashing Industrial Control Systems at Pwn2Own Miami 2022

Crashing Industrial Control Systems at Pwn2Own Miami 2022

August 25, 2022 Or Peles, Omer Kaspi and Uriya Yavnieli | 13 min read

Earlier this year, the JFrog Security research team competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. We were proud to take part in this competition and join other researchers in the effort to make mission-critical industrial environments safe and secure. During the Pwn2Own Miami competition we competed…
Read More
How To Put Cloud Nimble to Work to Segment Dev/Test from Production

How To Put Cloud Nimble to Work to Segment Dev/Test from Production

August 23, 2022 John Cabaniss and Gianni Truzzi | 7 min read

In every workplace, most work gets done at the most cluttered desks. Yet the business also requires an orderly front office to run efficiently. It’s much the same with your DevOps pipeline environments, as the rough and tumble process of innovating code must ultimately produce cleanly released applications. Continuous integration means that developers perform many…
Read More
Recapping Yalla! DevOps 2022

Recapping Yalla! DevOps 2022

July 28, 2022 The JFrog Team | 9 min read

TL;DR Yalla! DevOps 2022 community event -- Learning. Networking. Fun. Driven by the DevOps community. All about the DevOps community. Yalla! DevOps was back again this year with an exciting lineup of content ranging from DevOps, DevSecOps, professional development and more. Local speakers from the DevOps community and industry leaders from around the world took…
Read More
JFrog Xray Integration with AWS Security Hub

JFrog Xray Integration with AWS Security Hub

July 26, 2022 Alex Hung, Sr. Software Developer & Daniel Miakotkin, Software Engineer | 5 min read

SecOps demands vigilance, but it requires visibility, too. With JFrog’s latest integration for Xray with AWS Security Hub, you can help make sure that discovered vulnerabilities are not just seen, but quickly acted on. AWS Security Hub is the cloud security posture management service available to AWS users. It provides central security administration across AWS…
Read More
7 Ways to Accelerate Cloud Native Development

7 Ways to Accelerate Cloud Native Development

July 21, 2022 Gianni Truzzi | 7 min read

Modern enterprises understand the need to move away from developing monolithic applications to ones that make best use of the cloud to enable business acceleration at scale and speed. That means transforming development to more resilient cloud native architectures that can be readily deployed to cloud, multi-cloud, and hybrid environments. What does it mean to…
Read More
How To Put Cloud Nimble to Work to Shift Left Security

How To Put Cloud Nimble to Work to Shift Left Security

July 20, 2022 John Cabaniss, Strategic Solutions Architect and Gianni Truzzi | 6 min read

Shifting security left means preventing developers from using unacceptably vulnerable software supply chain components as early as possible: before their first build. By helping assure that no build is ever created using packages with known vulnerabilities, this saves substantial remediation costs in advance. Some JFrog customers restrict the use of open source software (OSS) packages…
Read More

Popular Tags