The vulnerability disclosure process involves reporting security flaws in software or hardware, and can be complex. Cooperation between the organization responsible for the software or hardware, and the security researcher who discovers the vulnerability can be complicated. In this blog weโll look at the vulnerability disclosure process, the parties involved and how they can collaborate โฆ
The United States Government equates cybersecurity with national security. Thatโs the crux of the recent Executive Order that will mandate that not only must software applications be vetted, but there will be upcoming regulations on providing all of the components that make up the software. As section 1 notes: โprevention, detection, assessment, and remediation of โฆ
The SolarWinds hack, which has affected high-profile Fortune 500 companies and large U.S. federal government agencies, has put the spotlight on software development security โ a critical issue for the DevOps community and for JFrog. At a fundamental level, if the code released via CI/CD pipelines is unsafe, all other DevOps benefits are for naught. โฆ
Editorโs Note (2024): Please refer to the current JFrog Software Supply Chain Platform listing on Azure Marketplace to get started with JFrog on Microsoft Azure. In a prior blog post, we explained how to install or update Artifactory through the Azure Marketplace in the amount of time it takes for your coffee order to arrive on โฆ
Most modern software today has moved aggressively into using third-party open source dependencies to reduce duplication and accelerate development by using pre-existing code. These dependencies are often built and managed by a distributed team of engineers and while this model of building software has often resulted in faster feature improvement (better feedback loops that help โฆ
โForewarned is forearmed,โ cautions the old proverb, and that truth coined in the 16th century is even more apt for DevSecOps in the 21st. The earlier you know about vulnerabilities, the better you can avoid making them part of your software. Thatโs the same principle behind a โShift Leftโ DevSecOps strategy. Rather than waiting for โฆ
Bringing Kubernetes app security insights to developers This post is co-authored by Craig Peters of JFrog and Henrik Rosendahl of NeuVector and is also cross-posted on the NeuVector blog. Kubernetes, the container and orchestration tool favored by enterprises, provides great benefit in automating many aspects of application deployment at scale. But, like any emerging technology, โฆ
NOTE: This blog post refers to JFrog Xray v1.x. For information about the current release of Xray, please see this knowledge base article. JFrog first released Xray in July 2016, and the response was phenomenal. Customers were very excited about the ability to hook up their Artifactory repositories and have Xray automatically do a deep โฆ
Recently, weโve heard a lot of discussion about the trust we place in public binary repositories. For example, Maven Central, a popular legacy repository maintained by Sonatype, was recently compromised by a successful MITM attack. In response, Sonatype set up an https access to central (removing the demand for a $10 donation to the Apache โฆ
UPDATE: As of May 1, 2021 Bintray services will no longer be available (ConanCenter and JCenter are not affected) for more information read the Centers Deprecation Blog Remember our take on .asc files? The thing is, digital certificates alone cannot guarantee the identity of someone. To fully trust someone there needs to exist a reliable โฆ
