Welcome to the JFrog Blog

Latest from Xray :

GitHub and JFrog Partner To Unify Code and Binaries for DevSecOps

May 29, 2024 Thomas Dohmke, GitHub CEO Shlomi Ben Haim, JFrog CEO and Co-Founder

5 min read

Note: This post is co-authored by JFrog and GitHub and has also been published on the GitHub blog As the volume of code continues to grow exponentially, software developers, DevOps engineers, operations teams, security specialists, and everyone else who touches code are increasingly spending their time in the weeds of securing, delivering, and scaling software.…

Read More
IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

December 6, 2022 The JFrog Team | 3 min read

As software becomes increasingly complex, the need to secure the software supply chain becomes more important — and more difficult.  But how can businesses address the challenges of securing their software supply chain? The International Data Corporation (IDC) offers critical insight. Following the release of JFrog Advanced Security on October 18, 2022 – the world’s…
Read More
Invisible npm malware – evading security checks with crafted versions

Invisible npm malware – evading security checks with crafted versions

November 29, 2022 Or Peles, JFrog Vulnerability Research Team Leader | 6 min read

The npm CLI has a very convenient and well-known security feature - when installing an npm package, the CLI checks the package and all of its dependencies for well-known vulnerabilities - The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an…
Read More
Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

November 15, 2022 Shachar Menashe, Jonathan Sar-Shalom and Nitay Meiron, JFrog Security Research Team | 15 min read

Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…
Read More
Common Payloads Attackers Plant in Malicious Software Packages

Common Payloads Attackers Plant in Malicious Software Packages

November 14, 2022 Jonathan Sar Shalom, Director of Threat Research, JFrog | 9 min read

In this third post in our series on Malicious Software Packages, we’ll focus on the aftermath of a successful attack and how the attacker executes payloads to serve their needs through various real-life scenarios. Before we start, let’s review a few highlights from the second post you might've missed: There are common types of infection methods…
Read More
Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

October 31, 2022 Jonathan Sar Shalom, Director of Threat Research, JFrog | 13 min read

Welcome to the second post in our series on Malicious Software Packages. This post focuses on the infection methods attackers use to spread malicious packages, and how the JFrog Security research team unveiled them. If you missed the first blog, here are some key takeaways: Third-party software packages contain vulnerabilities or malicious code delivered through…
Read More
CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

November 2, 2022 Shachar Menashe, Sr. Director Security Research | 7 min read

How did we get here? On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity…
Read More
Enterprise Package Management for Everyone

Enterprise Package Management for Everyone

October 25, 2022 The JFrog Team | 5 min read

Suppose you asked developers in the mid-2000s how they managed and compiled their binaries. You'd probably hear some anxiety-inducing answers (e.g., storing packages in git repositories or insecure file stores). Thankfully, organizations currently have various options for managing their first or third-party packages, dependencies, and containers. Different tools offer different levels of package support and…
Read More
Malicious Packages Are a Rising Threat in Software Supply Chain Attacks

Malicious Packages Are a Rising Threat in Software Supply Chain Attacks

October 24, 2022 Jonathan Sar Shalom, Director of Threat Research, JFrog | 7 min read

Welcome to the first post in the malicious software packages series for the DevOps and DevSecOps community. This technical series will focus on various malicious packages and their effects on the software supply chain. We’ll dive deeper into malicious packages in each post, including  Defining software supply chain attacks and learning the critical role that malicious…
Read More
DevOps-Centric Security is Finally Here | Announcing JFrog Advanced Security

DevOps-Centric Security is Finally Here | Announcing JFrog Advanced Security

October 18, 2022 Nati Davidi, SVP JFrog Security | 13 min read

Today marks an exciting day for JFrog and a substantial step forward towards ensuring end-to-end software supply chain security. JFrog Advanced Security is our unique approach for DevOps-centric security, and the only solution that was built especially for today’s modern DevOps workflows. Developers and the DevOps infrastructure are now the attack vector for today’s hackers…
Read More
JFrog Joins Rust Foundation as Platinum Member

JFrog Joins Rust Foundation as Platinum Member

September 6, 2022 Lori Lorusso, JFrog Open Source Program Manager & Stephen Chin, JFrog VP of Developer Relations | 3 min read

The technology ecosystem is continually evolving but one truth remains, if there is a new and emerging coding language that captures the heart and minds of developers JFrog will be there. JFrog provides a DevOps Platform to store and secure its artifacts while engaging with the community and foundations that support developers using that language.…
Read More

Popular Tags