Welcome to the JFrog Blog

Latest from Xray :

GitHub and JFrog Partner To Unify Code and Binaries for DevSecOps

May 29, 2024 Thomas Dohmke, GitHub CEO Shlomi Ben Haim, JFrog CEO and Co-Founder

5 min read

Note: This post is co-authored by JFrog and GitHub and has also been published on the GitHub blog As the volume of code continues to grow exponentially, software developers, DevOps engineers, operations teams, security specialists, and everyone else who touches code are increasingly spending their time in the weeds of securing, delivering, and scaling software.…

Read More
Advanced DevOps Security With Development Flexibility

Advanced DevOps Security With Development Flexibility

March 7, 2023 adia | 8 min read

Announcing the general availability of JFrog Xray’s advanced security features in self-hosted subscriptions, organizations have the flexibility to manage and secure their software development pipelines in-house and in the cloud. Since Developers and the DevOps infrastructure are the primary attack vector in the software supply chain, we designed our platform and the advanced security features…
Read More
Testing the actual security of the most insecure Docker application

Testing the actual security of the most insecure Docker application

February 28, 2023 adia | 15 min read

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat - a deliberately insecure application. The results identified that…
Read More
Complete your Software Supply Chain with GitLab CI/CD and JFrog

Complete your Software Supply Chain with GitLab CI/CD and JFrog

February 27, 2023 adia | 4 min read

Software is more than building code. Developing software and ensuring quality builds requires managing a complete software supply chain. With the many security threats across the supply chain, managing each and every aspect of the software you deliver to your customers, including the entire process of how it was made, is critical to your organization.…
Read More
Prevent Inadvertent Software Supply Chain Exposures When Allowing Public Access to Private Registries

Prevent Inadvertent Software Supply Chain Exposures When Allowing Public Access to Private Registries

February 9, 2023 Sean Pratt, Senior Product Marketing Manager | 7 min read

At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making…
Read More
OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept

OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept

February 8, 2023 adia | 8 min read

OpenSSH's newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected,…
Read More
Advanced Security in your Software Supply Chain – Part 1

Advanced Security in your Software Supply Chain – Part 1

February 2, 2023 adia | 5 min read

Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the container…
Read More
Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

January 30, 2023 Jonathan Sar Shalom, Director of Threat Research | 14 min read

Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines.  In the prior posts: We explained what software supply chain attacks are and learned the…
Read More
Watch out for DoS when using Rust’s popular Hyper package

Watch out for DoS when using Rust’s popular Hyper package

January 5, 2023 adia | 5 min read

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and…
Read More
Latest LastPass security breach highlights developers as a high-value target

Latest LastPass security breach highlights developers as a high-value target

December 29, 2022 Shachar Menashe | 5 min read

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and no…
Read More
PyPI malware creators are starting to employ Anti-Debug techniques

PyPI malware creators are starting to employ Anti-Debug techniques

December 13, 2022 Andrey Polkovnychenko | 8 min read

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques.…
Read More

Popular Tags