Managing and securing the software supply chain is crucial for trusted releases, but as any tech organization knows, it also presents significant challenges. With over 15 years of experience and a dedicated security research team, we at JFrog understand these threats. In a rapidly evolving post-AI world, DevSecOps teams are struggling to keep pace with โฆ
ML operations, data scientists, and developers currently face critical security challenges on multiple fronts. First, staying up to date with evolving attack techniques requires constant vigilance and security know-how, which can only be achieved by a dedicated security team. Second, existing ML model scanning engines suffer from a staggering rate of false positives. When a โฆ
On July 24th 2024, Curl maintainers announced a new stack buffer Use After Free (UAF) vulnerability โ CVE-2024-6197. This type of vulnerability is very uncommon since UAF issues usually occur on the heap and not on the stack. While the vulnerability can be easily exploited for causing denial of service, in this blog we will โฆ
While researching CVE-2024-38428 in GNUโs Wget, our team found a new 0-day vulnerability. The vulnerability, later assigned CVE-2024-10524, may lead to various types of attacks โ including phishing, SSRF, and MiTM. These attacks can have severe consequences such as resource restriction bypass and sensitive information exposure. Upon discovering this vulnerability, our team responsibly disclosed it โฆ
Note: This blog post was previously published on DevOps.com Imagine if the worldโs most pervasive programming language, used in the majority of organizations, services, websites and infrastructure today, was itself made to be malicious? Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker containerโฆ due to the popularity of โฆ
On Sunday, June 2nd 2024, a fix commit was pushed for a vulnerability in GNUโs popular Wget tool. Two weeks later, the vulnerability was assigned the ID CVE-2024-38428 and later was classified as a critical vulnerability โ with a CVSS score of 9.1. In this blog, we take a dive deep into this threat by โฆ
Note: This blog post was previously published on Hackeroon We surveyed 1,200+ technology professionals from around the globe, including 300+ VP and C-level executives, on their AI/ML usage and software supply chain security efforts. Upon analysis, a surprising gap emerged between what executives believe is happening and what developers and engineers report is happening. Hereโs โฆ
With the rapid adoption of AI-enabled services into production applications, itโs important that organizations are able to secure the AI/ML components coming into their software supply chain. The good news is that even if you donโt have a tool specifically for scanning models themselves, you can still apply the same DevSecOps best practices to securing โฆ
An organizationโs software supply chain includes all the elements involved in developing and distributing software, such as components, tools, processes, and dependencies. Each link in this important chain presents the potential for security threats. Recent research conducted by Gartner shows a major increase in attacks targeting code, tools, open-source components, and development processes, particularly in โฆ
Itโs a wrap! RSA 2024 brought together cybersecurity experts, industry leaders, and innovators to delve into critical topics defining the future of digital security. One of the key themes that garnered significant attention at RSA 2024 was software supply chain security. The Growing Importance of Software Supply Chain Security With 61% of U.S. businesses directly โฆ
