PyPI Leaked Token in Binary

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine

The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, …

What is JFrog Security?

The security of the software supply chain is rapidly becoming a paramount concern for organizations, and for good reason. Alongside the growing number of published Common Vulnerabilities and Exposures (CVEs), developers face pressure to deliver software faster than ever before. In that quest for speed, many dev and security teams have resorted …

Next Is Now - swampUP 2023 wrap up

Release with Trust or Die.
Key swampUP 2023 Announcements

Every year, JFrog brings the DevOps community and some of the world’s leading corporations together for the annual swampUP conference, aimed at providing real solutions to developers and development teams in practical ways to prepare us all for what’s coming next. Since the inception of swampUP – and truthfully since the creation of Artifactory – …

Prevent Credential Exposure in Code

In today’s software development world, developers rely on many kinds of secrets (credentials) to let application components interact with each other. As modern applications become more complex and require authentication for services and dependencies, the practice of hardcoding secrets during software development is on the rise. The most common types of credentials are: Application Program Interface …
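The two entries above describe the same problem from both ends: a token hardcoded during development, and that token later found by scanning the files inside a public container image rather than only the source tree. The following is an added example, written for this page and not JFrog's scanner or any code from the posts it summarizes. It walks every regular file in a constructed Docker image layer tar (the per-layer format `docker save` emits), matches the documented classic GitHub token shape (a `gh?_` prefix followed by 36 alphanumerics; the exact prefix set and length are taken from GitHub's published format and are an assumption here), and applies a Shannon-entropy gate so that placeholder values such as `ghp_xxxx…` are not reported. The sample layer, the fake token and the placeholder are all constructed inline; none of them is a real credential.

```python
"""Scan files inside a (constructed) container image layer tar for leaked tokens."""
import io
import math
import re
import tarfile

# Assumed token shape: GitHub's documented classic-token prefixes (ghp_, gho_,
# ghu_, ghs_, ghr_) followed by 36 alphanumerics. Bytes regex so it works on
# compiled binaries, not just text files.
TOKEN_PATTERNS = {
    "github_classic_token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Constructed sample data (not real credentials).
FAKE_TOKEN = b"ghp_" + b"A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"   # 36 chars after prefix
PLACEHOLDER = b"ghp_" + b"x" * 36                              # matches the regex, low entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~0 for repeated characters, >4 for random-looking tokens."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bytes(blob: bytes, min_entropy: float = 3.0):
    """Return (kind, offset, token) for every candidate in an arbitrary byte blob.

    The entropy gate is computed on the part after the prefix so that obvious
    placeholders (all one character) are dropped while real tokens survive.
    """
    hits = []
    for kind, pat in TOKEN_PATTERNS.items():
        for m in pat.finditer(blob):
            tok = m.group(0)
            if shannon_entropy(tok[4:]) >= min_entropy:
                hits.append((kind, m.start(), tok.decode("ascii")))
    return hits


def scan_layer(tar_bytes: bytes):
    """Walk every regular file in a layer tar and scan its raw content.

    Scanning the extracted bytes (rather than only text files) is what lets a
    token embedded inside an ELF binary be found.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            f = tf.extractfile(member)
            if f is None:
                continue
            for kind, off, tok in scan_bytes(f.read()):
                findings.append({"path": member.name, "kind": kind,
                                 "offset": off, "token": tok})
    return findings


def build_sample_layer() -> bytes:
    """Constructed layer: a config file holding a placeholder and a fake binary
    carrying a real-looking token between NUL padding (hypothetical paths)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("etc/app.conf", b"GITHUB_TOKEN=" + PLACEHOLDER + b"\n")
        add("usr/local/bin/publisher",
            b"\x7fELF" + b"\x00" * 64 + FAKE_TOKEN + b"\x00" * 64 + b"\x7fELF")
    return buf.getvalue()


def redact(token: str) -> str:
    """Never echo a full secret in a report; keep the prefix for triage."""
    return token[:8] + "..." + token[-4:]


if __name__ == "__main__":
    for hit in scan_layer(build_sample_layer()):
        print(f"{hit['path']} @ {hit['offset']}: {hit['kind']} {redact(hit['token'])}")
```

The entropy threshold of 3.0 bits is a tuning assumption: it drops single-character placeholders while keeping anything with a realistic mix of characters. In a real scan you would add the other token shapes you care about to `TOKEN_PATTERNS`, feed each layer from `docker save` (or the registry's blob API) into `scan_layer`, and verify any hit against the issuer's token-validation endpoint before raising it as a finding, since a match on shape alone is not proof of a live credential.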

JFrog Advanced Security now available in IDEs

Save time fixing security vulnerabilities much earlier in your SDLC

Are you or your development team tired of using application security tools that generate countless results, making it difficult to identify which vulnerabilities pose actual risks? Do you struggle with inefficient or incorrect prioritization due to a lack of context? What adds insult to injury is that traditional CVSS scoring methods ignore critical details like …

Advanced DevOps Security With Development Flexibility

With the general availability of JFrog Xray’s advanced security features in self-hosted subscriptions, organizations now have the flexibility to manage and secure their software development pipelines in-house and in the cloud. Since developers and the DevOps infrastructure are the primary attack vector in the software supply chain, we designed our platform and the advanced security features …

JAS Contextual Analysis WebGoat Application

Testing the actual security of the most insecure Docker application

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that …

IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

As software becomes increasingly complex, the need to secure the software supply chain becomes more important — and more difficult.  But how can businesses address the challenges of securing their software supply chain? The International Data Corporation (IDC) offers critical insight. Following the release of JFrog Advanced Security on October 18, 2022 – the world’s …

Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Research motivations. As with our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature we wanted to test our detection in a large-scale, real-world use case, both to eliminate bugs and to test the real-world viability of our current solution. However, unlike the surprising results we got in our …

Announcing JFrog Advanced Security

DevOps-Centric Security is Finally Here | Announcing JFrog Advanced Security

Today marks an exciting day for JFrog and a substantial step forward towards ensuring end-to-end software supply chain security. JFrog Advanced Security is our unique approach for DevOps-centric security, and the only solution that was built especially for today’s modern DevOps workflows. Developers and the DevOps infrastructure are now the attack vector for today’s hackers …