Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

May 30, 2024 Batel Zohar, JFrog Developer Advocate Carmit Hershman, JFrog Senior Software Architect, CTO Office

8 min read

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects. This integration covers everything from curating open source packages, coding, CI, release management, deployment andโ€ฆ

Read More
Advanced DevOps Security With Development Flexibility

Advanced DevOps Security With Development Flexibility

March 7, 2023 adia | 8 min read

Announcing the general availability of JFrog Xrayโ€™s advanced security features in self-hosted subscriptions, organizations have the flexibility to manage and secure their software development pipelines in-house and in the cloud. Since Developers and the DevOps infrastructure are the primary attack vector in the software supply chain, we designed our platform and the advanced security featuresโ€ฆ
Read More
Testing the actual security of the most insecure Docker application

Testing the actual security of the most insecure Docker application

February 28, 2023 adia | 15 min read

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xrayโ€™s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat - a deliberately insecure application. The results identified thatโ€ฆ
Read More
Complete your Software Supply Chain with GitLab CI/CD and JFrog

Complete your Software Supply Chain with GitLab CI/CD and JFrog

February 27, 2023 adia | 4 min read

Software is more than building code. Developing software and ensuring quality builds requires managing a complete software supply chain. With the many security threats across the supply chain, managing each and every aspect of the software you deliver to your customers, including the entire process of how it was made, is critical to your organization.โ€ฆ
Read More
Prevent Inadvertent Software Supply Chain Exposures When Allowing Public Access to Private Registries

Prevent Inadvertent Software Supply Chain Exposures When Allowing Public Access to Private Registries

February 9, 2023 Sean Pratt, Senior Product Marketing Manager | 7 min read

At JFrog, weโ€™re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain โ€” makingโ€ฆ
Read More
OpenSSH Pre-Auth Double Free CVE-2023-25136 โ€“ Writeup and Proof-of-Concept

OpenSSH Pre-Auth Double Free CVE-2023-25136 โ€“ Writeup and Proof-of-Concept

February 8, 2023 adia | 8 min read

OpenSSH's newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected,โ€ฆ
Read More
Advanced Security in your Software Supply Chain โ€“ Part 1

Advanced Security in your Software Supply Chain โ€“ Part 1

February 2, 2023 adia | 5 min read

Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the containerโ€ฆ
Read More
Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

January 30, 2023 Jonathan Sar Shalom, Director of Threat Research | 14 min read

Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines.  In the prior posts: We explained what software supply chain attacks are and learned theโ€ฆ
Read More
Watch out for DoS when using Rustโ€™s popular Hyper package

Watch out for DoS when using Rustโ€™s popular Hyper package

January 5, 2023 adia | 5 min read

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo andโ€ฆ
Read More
Latest LastPass security breach highlights developers as a high-value target

Latest LastPass security breach highlights developers as a high-value target

December 29, 2022 Shachar Menashe | 5 min read

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and noโ€ฆ
Read More
PyPI malware creators are starting to employ Anti-Debug techniques

PyPI malware creators are starting to employ Anti-Debug techniques

December 13, 2022 Andrey Polkovnychenko | 8 min read

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques.โ€ฆ
Read More

Popular Tags