Shifting Left of Left: Secure Enterprise Data with JFrog Curation

How JFrog Curation is changing software supply chain security


In 2022, nearly 1,700 entities across the globe fell victim to software supply chain attacks, impacting over 10 million people. Nearly every one of these attacks involved some element of faulty or malicious open-source code. Software developers commonly rely on open-source components to speed up development, but as these figures show, the practice can introduce malicious packages and vulnerabilities into the codebase when the components are not properly curated and maintained.

JFrog Curation takes the ‘shift left’ concept to the next level by automatically blocking the use of dangerous open-source software components before they enter an organization, significantly reducing the attack surface without hindering speed or the developer experience.

How JFrog Curation addresses security concerns

Statistics like the one above show us how critical it is for application security to be taken seriously and examined from the creation of the code all the way to its usage on edge devices. JFrog Curation addresses this need by delivering centralized governance for automatically blocking malicious open-source packages from entering organizations’ software supply chains.

Here’s how it works.

  • Vets every open-source software component that is requested and deflects those deemed dangerous before they reach a developer or build
  • Enables central visibility and governance of every open-source package requested by a developer or build tool with metadata-based insights, and provides an action plan to remediate
  • Provides transparent filtering, saving remediation costs by ensuring the quality of packages entering your software supply chain
  • Creates a comprehensive and transparent audit trail to help you follow current and emerging regulatory requirements
  • Optimizes the developer experience with frictionless, validated software component retrieval
  • Its integration with the JFrog Software Supply Chain Platform helps you avoid tool sprawl by providing consistent, automated processes across development environments

How JFrog Curation integrates with the JFrog Software Supply Chain Platform

Our mission is to create a world of “liquid software”, where updates are frictionlessly and securely delivered from developer to device. Natively integrated with Artifactory and the rest of the JFrog Software Supply Chain Platform, JFrog Curation gives centralized control and visibility of third-party binaries, further streamlining your enterprise software development workflow. The integration ensures consistent and automated processes across different development environments and redefines shift-left security for the software supply chain.

The risks of using open-source software

Using open-source components can create a lot of additional work for teams that are already tight on time. On top of that, it’s too often unclear who’s responsible for this work. You need to keep track of the components used, their versions, where they’re used, and how they interact with other components that are in use. This leaves a lot of room for human error, which is what makes unmanaged open-source use inherently risky.

Here are the top 3 risks of open-source software:

  1. A known vulnerability is the top risk associated with open-source software. A known vulnerability exists when a specific component version contains a security defect, usually introduced unintentionally by its developers, that has since been publicly disclosed (typically with a CVE identifier). If a known vulnerability is exploited, it can compromise the confidentiality, integrity, or availability of a system or its data.
  2. Open-source software comes with no warranty or legal obligation regarding security, and the community support available to help you implement it securely may be limited. The developers who create the software are often not security experts, and so may not know how to apply security best practices.
  3. There are over 200 types of licenses that can be applied to open-source software. Because many licenses are incompatible with one another, certain components can’t be used together since you need to comply with all terms. The more components you use, the more difficult it is to track, compare, and follow all of the license stipulations.
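The "how it works" list above and the three risks just described can be tied together in one small model of a curation gate: a package request is checked against central policy using metadata (known advisories and license), and every decision is written to an audit trail. The following is an added illustration written for this article, not JFrog Curation's own code or policy format; the package names, advisory ids and policy fields are all constructed placeholders.

```python
"""Illustrative package-curation gate (added example; not JFrog's code).

Models the flow the article describes: a developer or build tool requests a
third-party package, the request is checked against central policy using
package metadata (known advisories, license), and the decision is recorded
in an audit trail. Versions with no metadata fail closed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Constructed sample metadata for fictional packages; the advisory ids are
# placeholders, not real vulnerability identifiers.
CATALOG = {
    "example-utils": {
        "1.3.0": {"license": "MIT", "advisories": []},
    },
    "example-stream": {
        "2.0.1": {"license": "MIT", "advisories": []},
        "2.0.2": {"license": "MIT",
                  "advisories": [{"id": "SAMPLE-ADV-1", "severity": "critical"}]},
    },
    "example-copyleft": {
        "4.1.0": {"license": "GPL-3.0-only", "advisories": []},
    },
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    allowed_licenses: frozenset               # licenses the organisation accepts
    block_at_severity: str                    # block if any advisory is this severe or worse
    denied_packages: frozenset = frozenset()  # explicit deny list by package name


@dataclass
class Decision:
    package: str
    version: str
    allowed: bool
    reasons: list
    timestamp: str


def evaluate(package: str, version: str, policy: Policy, catalog=CATALOG) -> Decision:
    """Return an allow/block decision carrying every reason that applied."""
    reasons = []
    if package in policy.denied_packages:
        reasons.append("package is on the deny list")
    meta = catalog.get(package, {}).get(version)
    if meta is None:
        # No metadata means no basis for trust: fail closed rather than open.
        reasons.append("no metadata available for this version")
    else:
        if meta["license"] not in policy.allowed_licenses:
            reasons.append(f"license {meta['license']} is not in the allowed set")
        threshold = SEVERITY_RANK[policy.block_at_severity]
        for adv in meta["advisories"]:
            if SEVERITY_RANK[adv["severity"]] >= threshold:
                reasons.append(f"advisory {adv['id']} rated {adv['severity']}")
    return Decision(package, version, not reasons, reasons,
                    datetime.now(timezone.utc).isoformat())


def audit_record(decision: Decision) -> str:
    """One JSON line per request, suitable for an append-only audit log."""
    return json.dumps(asdict(decision), sort_keys=True)


DEFAULT_POLICY = Policy(
    allowed_licenses=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}),
    block_at_severity="high",
)

if __name__ == "__main__":
    for pkg, ver in [("example-utils", "1.3.0"), ("example-stream", "2.0.2"),
                     ("example-copyleft", "4.1.0"), ("example-utils", "9.9.9")]:
        print(audit_record(evaluate(pkg, ver, DEFAULT_POLICY)))
```

Two design points matter more than the specifics: the gate records every reason a request was blocked (so a developer gets an action plan, not just a refusal), and a version with no metadata is blocked rather than waved through, because a curation layer that fails open silently becomes the very gap it was meant to close.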

How JFrog Curation will impact the developer community

The open-source community is vibrant and ever-expanding, and most digital experiences today are powered by open-source software. As the dependency on open-source software grows — especially within the world’s largest, most complex, and heavily regulated industries like banking, energy, and telecommunications — we are dealing with a widening risk surface, with developers in the eye of the storm. With the introduction of JFrog Curation, developers can now confidently use reliable open-source libraries, fast-track the development process, and redirect resources toward building and innovating.

It should be noted that while platforms and solutions like JFrog Curation can provide all that’s needed to manage these open source components effectively, from a security point of view, it’s very important that the teams are educated, engaged, and supported to manage this completely, consistently, and effectively.