UPDATE: Following the announcement at swampUP 2023, JFrog Curation now features a web user interface for its Catalog database service. This enables JFrog customers to search and explore over 4 million open-source packages and view their up-to-date metadata, including versions, install command, dependencies, vulnerabilities (including transitive ones), license types, OpenSSF aggregate score, and any operational risks.
Modern organizations are constantly striving to gain a competitive advantage by delivering software solutions at a remarkable pace. To achieve this, they rely heavily on open-source software (OSS) libraries and packages, which constitute a significant portion (80-90%) of their software solutions. However, while open-source software offers numerous benefits, it also presents security challenges. In fact, OSS has become a primary attack vector for threat actors seeking to exploit vulnerabilities in software supply chains. As a result, development teams have become prime targets within their organizations.
Is the package safe to use?
In this blog post, we will explore how JFrog Curation and its OSS package Catalog capability can effectively deliver the delicate balance between speed and security in modern software development. JFrog delivers speed for software development teams, with the assurance of secure binaries across the software supply chain.
The Trusted Software Supply Chain Platform
With the introduction of JFrog Curation, JFrog has made another leap forward to becoming a leading software supply chain security solution by advancing your organization’s shift-left strategy. JFrog Curation augments JFrog Artifactory, Xray, and Advanced Security to protect against open-source security threats seamlessly at the entry point of your software supply chain. JFrog Curation complements the software supply chain security provided by JFrog Xray and Advanced Security throughout your software development lifecycle. The JFrog Platform becomes your single source of truth, with visibility, control, and security from code to edge.
JFrog Software Supply Chain Platform: Secure packages from curation to distribution
Introducing JFrog Curation
Organizations are looking for ways to have control and trust of the open-source components downloaded by developers, without slowing down software development pipelines. JFrog Curation brings the industry a truly nimble, shift-left security solution that defends against malicious and risky packages even before they enter an organization.
JFrog Curation utilizes Catalog for its open-source package metadata and intelligence to enable the identification and elimination of operationally risky, malicious, or overly vulnerable components and libraries. Curation is designed to help protect developers and strengthen software supply chain security from its earliest point. The solution is built for modern DevOps workflows and offers the earliest possible open-source package analysis to block risky or malicious packages at the time of request or update, without downloading them into your software ecosystem. This is done with a seamless experience for the developer and minimizes any friction in their day-to-day software development.
Catalog: Users can explore over 4 Million OSS Packages
Existing DevSecOps platforms have yet to bridge the gap between software developers, security teams, and public OSS package repositories. A few offer advice about packages, but none actively check packages against automated policies at request time, without downloading them, as part of a streamlined DevSecOps workflow. JFrog Curation provides developers with a frictionless experience while writing code, improving their efficiency and ultimately saving remediation time later in the software development pipeline.
Centralized Control and Visibility
JFrog is the pioneer of end-to-end artifact lifecycle management, its core technology. This places it in a unique position as the only software supply chain platform that can now effectively bridge public package repositories, developers, production, and security personas, enabling centralized governance and control of the end-to-end software development pipeline.
This gives organizations the ability to track and manage the open-source packages their developers download, providing centralized visibility and control that prevents harmful packages from entering software development pipelines.
Creating a curation policy
Automate Curation of Third Party Package Downloads
A manual curation process with hands-on analysis and assessment is very time consuming and can take multiple developers many hours of research. This can end up costing thousands of hours and millions of dollars a year. Instead, with JFrog Curation, this work is done in the background, automatically and seamlessly.
Packages will be curated before development, enabling developers to freely utilize pre-screened software components for more efficient coding and faster release times. Automatic blocking of undesirable packages at the entry of your software supply chain will not only provide developers with a curated set of repositories but also become a cost-positive exercise in terms of savings in lost development time and improved time-to-market.
Trusted Software Supply Chain
Frictionless Package Consumption by Developers
Developers will be confident they’re using trusted OSS packages, without their speed of application development being impaired. DevSecOps teams can now streamline OSS package usage and approvals. JFrog Curation provides out-of-the-box policy templates that help legal and application security teams enforce pre-built policies for malicious packages, CVEs, license types, and operational risk (packages that are aged, immature, or unmaintained). JFrog Curation can now reduce a software organization’s anxiety and give the DevSecOps team confidence that vulnerabilities were stopped before they entered the organization.
JFrog Curated Repositories
Improve Your DevSecOps Experience and Realize Cost Savings
Organizations are looking for a solution because they often have nothing in place to filter out malicious or unwanted packages at the gate of their software supply chain. This leaves their developers open to downloading any packages that can be malicious, vulnerable, operationally unsafe, or in conflict with their license policies. These may only be discovered later in the software development lifecycle when the remediation cost is more expensive.
Developers are unaware of package security or integrity
Companies are looking for a solution that will enable their developers to move fast by downloading and using only trusted OSS packages to keep their organization safe and compliant. JFrog Curation’s Catalog feature enables teams to search for and identify safe and trusted components and libraries to use in their development right from the get-go. This can be a huge time saver by reducing remediation efforts later in the SDLC.
Catalog: Cors.js OpenSSF Aggregated Scores
Protecting all Your Code Seamlessly
We aim to alleviate today’s security and development teams’ stress levels and workloads by providing cutting-edge security solutions with industry-leading security research at their fingertips. The elimination of malicious, vulnerable, or risky packages from development repositories saves developers time and effort, speeds up the software development process, and saves organizations millions of dollars.
JFrog Curation joins JFrog Xray and JFrog Advanced Security to enhance the JFrog Platform, the industry’s first DevOps-centric security solution, by extending its capabilities to block malicious or risky packages before they are downloaded from public open-source repositories. We protect binaries entering and moving throughout the DevOps workflow while uniting Developers, DevOps, and Security teams, delivering unrivaled vulnerability and risk reduction in a unified software supply chain platform.
The integration of Curation into the SDLC process enables an early and cost-effective reduction of security threats, delivering on the promise of continuous end-to-end security. We invite you to learn more and test drive JFrog Curation.
Want to learn more about JFrog Curation?
Save your seat for our webinar on July 25th and/or sign up for a live demo or trial, where we’ll walk you through the features and benefits and dive deep into how you can easily take advantage of this simple yet effective software supply chain security solution.