Prevent Inadvertent Software Supply Chain Exposures When Allowing Public Access to Private Registries

At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making …

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines.  In the prior posts: We explained what software supply chain attacks are and learned the …

Enterprise Package Management for Everyone

Suppose you asked developers in the mid-2000s how they managed and compiled their binaries. You’d probably hear some anxiety-inducing answers (e.g., storing packages in git repositories or insecure file stores). Thankfully, organizations currently have various options for managing their first or third-party packages, dependencies, and containers. Different tools offer different levels of package support and …

Pie chart displaying number of artifacts that were analyzed by JFrog Secrets Detection by platform. DockerHub made up the biggest slice, with 5.78 million of the 8 million scanned artifacts.

JFrog’s Advanced Security Scanners Discovered Thousands of Publicly Exposed API Tokens – And They’re Active

Read our full research report on InfoWorld The JFrog Security Research team released the findings of a recent investigation wherein they uncovered thousands of publicly exposed, active API tokens. This was accomplished while the team tested the new Secrets Detection feature in the company’s JFrog Advanced Security solution, part of JFrog Xray.  The team scanned …

JFrog’s Best DevOps Blogs of 2021

In 2021, JFrog provided a steady stream of insightful articles about Software Distribution trends, DevOps best practices, JFrog innovations and more. Here we’ve selected what we consider the best posts of last year, in case you missed them or want to re-read them. You’ll find primers on how our customers benefit from our trailblazing partnership …

Log4j Vulnerable Packages in Maven Central

Log4j Vulnerability Alert: 100s of Exposed Packages Uncovered in Maven Central

The high risk associated with newly discovered vulnerabilities in the highly popular Apache Log4j library – CVE-2021-44228 (also known as Log4Shell) and CVE-2021-45046 – has led to a security frenzy of unusual scale and urgency. Developers and security teams are pressed to investigate the impact of  Log4j vulnerabilities on their software, revealing multiple technical challenges …

Log4shell Vulnerability Explained

Log4j Log4Shell 0-Day Vulnerability: All You Need To Know

On Thursday, Dec 9th 2021, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. …

Deploy Iron Bank-Approved Artifactory/Xray on AWS GovCloud and RKE2

With Artifactory and Xray now included in the U.S. Department of Defense’s Iron Bank container repository, we’re eager to help you benefit from this accreditation. Today, we’ll explain how to deploy these hardened JFrog images on AWS GovCloud using Rancher Kubernetes Edition (RKE2.) Specifically, we’ll describe the installation and configuration of the Iron Bank-accredited Artifactory …

New Xray Features Enhance Workflows, Productivity and UX

The recently released JFrog Xray versions 3.31 & 3.32 have brought to the table a raft of new capabilities designed to improve and streamline your workflows, productivity and user experience.  The new features, detailed below, solidify Xray as the optimum universal software composition analysis (SCA) solution for JFrog Artifactory  that’s trusted by developers and DevSecOps …

SDLC Security: It’s Personal for JFrog

The SolarWinds hack, which has affected high-profile Fortune 500 companies and large U.S. federal government agencies, has put the spotlight on software development security — a critical issue for the DevOps community and for JFrog. At a fundamental level, if the code released via CI/CD pipelines is unsafe, all other DevOps benefits are for naught. …