We’ve Agreed to Acquire Vdoo, Unifying Developers and Security Teams from Source to Device

We’re extremely excited to announce we’ve agreed to acquire Vdoo, a leading, Israeli-based product security company with its roots in binaries and IoT/devices. Vdoo’s team and entire technology portfolio will be incorporated into JFrog, delivering a solution that truly unifies development and security teams with a holistic security approach.

Most corporations today address security with disparate systems, much in the same way the software development pipeline was operated before unifying under DevOps processes. Maintaining and integrating security tools and their data for source code analysis, vulnerability prioritization, network security, Kubernetes security, regulatory compliance, policy adherence and more create friction between development teams tasked with “fixing” issues and security teams juggling a myriad of data sources and tools to identify problems and the best approach for resolution.

Why did we plan this acquisition?

The realization of the Liquid Software vision – software flowing seamlessly and securely from any source to any device – can only be achieved if development teams have minimal noise, with rapid, automated, actionable remediation capabilities. Likewise, security teams must have a consolidated view of the application’s context (such as network configuration, security regulations, operating system settings, etc.), as well as trust in their partners and vendors to discover zero-day vulnerabilities in open source and proprietary code before their breaches become headlines.

To this end, JFrog Xray already provides industry-leading scanning capabilities that are integrated into development workflows, including coding, building, promoting, distribution and more. We wanted to extend these capabilities with a holistic, intelligent view of security that Vdoo will bring to the JFrog Platform. This includes the ability to scan in context, looking not just at a binary or image, but a holistic approach that examines the environment binaries run in, using contextual threat analysis and application scanning that prioritizes critical security gaps; Intelligent remediation that covers code, service and operating system changes; Embedded software security; Zero-day vulnerability detection to automatically detect new vulnerabilities, malware, exploits, backdoors, supply chain risks, and other threats; as well as runtime protection for IoT and embedded devices, alerting and blocking exploitation attempts in real-time.

These new capabilities naturally complete the JFrog philosophy to focus on binaries as the single source of truth that makes up a software distribution and that ends up in the runtime, therefore being the highest trustable format for security analysis.

As a result of this comprehensive look at your binaries and smart recommendations, DevOps teams and security practitioners will have less “noise” in remediating security risks, and be able to shift left responsibly without compromising on findings, focusing on the most appropriate pathways to fix issues across these many factors.

Additionally, JFrog is also “shifting right” with this move, as Vdoo is bringing capabilities that will allow JFrog to better serve embedded software and devices, bringing device security into the CI/CD process:

• Scanning of compiled C/C++ software that very few vendors can do, and identifying security risks in these components
• Support for various embedded Linux, Android and RTOS formats
• Active runtime monitoring and protection for these devices

What will this solution bring specifically to developers?

Developers, DevOps organizations (and of course security teams) will immediately see the value of the JFrog and Vdoo solution, which will expand the reach of JFrog security solutions as part of the JFrog DevOps Platform:

• Single integrated security solution with no need to combine disparate products or data points, or maintain complex configurations and filter through noisey vulnerability lists
• Holistic security that universally works across your pipelines, and sees DevSecOps beyond being just a “scanner” but also as part of the integrated repository, distribution and CI/CD flow (e.g. JFrog Artifactory and Distribution security aspects, JFrog Pipelines’ Signed Pipelines and more). This provides you with a unified view and visibility into previous development phases to maintain a strong security posture while shortening release cycles and enabling on-time delivery.
• Easily-understood and accessible security data and remediation paths, saving developer time, effort and confusion while empowering DevOps and DevSecOps teams to solve issues on their own by providing detailed findings and professional mitigation hints – shift left responsibly and providing security as an engineering value instead of something to be feared!
• Minimal false positives to focus on what matters most by eliminating the need to sift through long lists of vulnerabilities to identify relevance, via sophisticated prioritization and applicability scanning that takes the full context of an application into account
• Automatic detection of zero-day vulnerabilities, malware, exploits, backdoors, supply chain risks, and other threats using advanced scanning and fuzzing techniques
• Extend your secure CI/CD pipelines to device software creation, including identification and security scanning for compiled C/C++ binaries

The People

JFrog’s culture is an important aspect of anything we do, and the cultural fit of a company and their philosophy is considered as heavily as the technology portfolio. In Vdoo, we found a like-minded company that put binaries first, a passion for securing to the edge, and a mindset of people wanting to revolutionize the security landscape for development and security teams.

Vdoo’s 80+ employees will join JFrog, immediately fortifying the security engineering team of JFrog, delivering advanced solutions more rapidly, and serving customers more effectively. Vdoo’s team includes some of the most accomplished security researchers and engineers in the industry. The team is actively contributing their findings and publishing groundbreaking methods for discovering and mitigating new security risks. In fact, they’ve already discovered hundreds of zero-day threats to date, working with and protecting Fortune 500 companies.

The Timeline

In the third quarter of 2021, as the first step in the integration process, JFrog will expand JFrog Xray’s vulnerability scanning to include Vdoo’s advanced data, immediately offering fortified protection for customers. As we move into Q4 and 2022, we plan to provide deeper ties into the JFrog Platform, including applicability analysis, support for embedded software packages, a fully-integrated scanning experience, developer features for zero-day vulnerabilities and more.

To the Vdoo team: we are beyond excited to have you join the JFrog security family!

The amazing foundation laid by the Xray team will be amplified with our joint passion to enable fearless software updates. We look forward to changing the way software is being created and released across the world.