Forewarned is forearmed,” cautions the old proverb, and that truth coined in the 16th century is even more apt for DevSecOps in the 21st. The earlier you know about vulnerabilities, the better you can avoid making them part of your software. That’s the same principle behind a “Shift Left” DevSecOps strategy. Rather than waiting for … Continued
Bringing Kubernetes app security insights to developers This post is co-authored by Craig Peters of JFrog and Henrik Rosendahl of NeuVector and is also cross-posted on the NeuVector blog. Kubernetes, the container and orchestration tool favored by enterprises, provides great benefit in automating many aspects of application deployment at scale. But, like any emerging technology, … Continued
JFrog first released Xray in July 2016, and the response was phenomenal. Customers were very excited about the ability to hook up their Artifactory repositories and have Xray automatically do a deep recursive scan of their artifacts to weed out issues and vulnerabilities. Now, after several months, with the diverse experience and feedback from the many customers … Continued
Recently, we’ve heard a lot of discussion about the trust we place in public binary repositories. For example, Maven Central, a popular legacy repository maintained by Sonatype, was recently compromised by a successful MITM attack. In response, Sonatype set up an https access to central (removing the demand for a $10 donation to the Apache … Continued
Remember our take on .asc files? The thing is, digital certificates alone cannot guarantee the identity of someone. To fully trust someone there needs to exist a reliable Web of Trust (WoT) that leaves little to no doubt that the signer is who he claims to be. So what’s the solution then? Use Bintray as … Continued
JFrog Xray – not just another security vulnerabilities scanner. We have just officially launched JFrog Xray, and were already asked by customers why we think JFrog Xray should be used instead of $YOUR_FAVORITE_SECURITY_SCANNING_TOOL. Is Xray like Black Duck? Maybe it’s like Docker Security Scanning? Maybe it’s similar to Sonatype Nexus Component Intelligence? Before getting into … Continued
Holiday season is over. Gifts were exchanged, miles were traveled, resolutions were made, and much alcohol was consumed. Time to get back to work, renewed and energized for the new year. While we had our share of merry-making here at JFrog, we also managed to get some work done between the revelry, and released Artifactory … Continued
“Private repositories”, “Teams and Organizations”, “Permissions”…, sounds like that’s all you need to provide secure private downloads. Well, not quite. Those are great features that fit the bill if your consumer is a Bintray user. But what if she isn’t? Well, then there are signed URLs. Those should do the trick. Just sign your file … Continued
