Docker, DeployHub, Oracle, and Others Join Community Initiative to Create a Fair and Open Governance Model for the Pyrsia Decentralized Package Network
Sunnyvale, Calif. and DETROIT – KUBECON – October 25, 2022 — JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today announced Pyrsia, an open source software community initiative that utilizes blockchain technology to secure software packages (a.k.a. binaries) from vulnerabilities and malicious code, has become an incubating project under the Continuous Delivery Foundation (CDF). Working together, JFrog and the CD Foundation will ensure Pyrsia grows its backing and engagement through the use of a centralized governance model, defined roadmap, and broad representation within the wider technology and open source communities.
“We’re excited to join our long-time partners at the CD Foundation in creating a groundswell around Pyrsia to further its mission to better secure the software supply chain,” said Stephen Chin, VP of Developer Relations at JFrog and Governing Board Member for the CD Foundation. “With the CD Foundation’s support, and that of our incredible industry partners, developers can leverage Pyrsia to have peace of mind in knowing their open source components have not been compromised, and confidently deliver secure software at scale.”
Research shows open source libraries and components make up more than 75 percent of the code in the average software application, with the average software application depending on more than 500 components. While these open source dependencies are convenient, they also present new vulnerabilities that threat actors can exploit. For example, one bad actor injecting malware into a popular open source project has the potential to affect thousands of downstream users.
Pyrsia is an open source-based, decentralized, secure build network and software package repository that seamlessly integrates with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Developers receive a digitally signed, immutable chain of evidence for their code, which is an essential building block for Software Bill of Materials (SBOMs). This provides developers and their customer’s assurance in knowing the exact source of their packages.
“We see Pyrsia as a natural extension of our organization’s mission to grow and sustain projects that are part of the wider continuous delivery ecosystem,” said Fatih Degirmenci, Executive Director, CD Foundation. “We’ve recently learned as an industry that no one is safe from cybercriminal activity, particularly when bad actors inject malicious packages into central repositories, wreaking havoc on downstream systems and applications. We’re proud to support Pyrsia because it puts the power back in the hands of developers and, ultimately, accelerates innovation.”
JFrog, along with other open source technology leaders, including Docker, DeployHub, Futurewei, and Oracle, collaborated to officially launch Pyrsia in May 2022. Since then, these software giants have lent their expertise on how to better secure the software supply chain to the Pyrsia network, creating opportunities for cross-project collaboration within the CD Foundation to interlink secure packages with community tools, helping improve developers’ ability to deliver secure software at scale.
To learn more and join the Pyrsia community, visit https://pyrsia.io. Those attending KubeCon + CloudNativeCon North America or the Continuous Delivery Summit can also join JFrog vice president of developer relations, Stephen Chin, for his keynote presentation on “Hacking the OSS Supply Chain,” at 9:05 a.m. ET on Tuesday, Oct. 25, 2022, or his session on, “Closing the Supply Chain Security Loop with Rust & Pyrsia,” at 2:20 p.m. ET, Tuesday, Oct. 25, 2022.
Supporting Quotes from Industry Partners
“The cloud native community in the last decade has been an amazing transformational force that has changed the lives of millions of developers and organizations. Looking forward to the next decade we need to explore new paths that provide even more transformation. Pyrsia is an ambitious community project that we are proud to be part of. The basic structure that emerged in the container ecosystem of immutable images is a key technology that is an ideal foundation to support distributed architectures while still providing trust. Pyrsia is exploring the possibilities with a focus on also improving supply chain security, a key emerging risk area. Together as a community we can reshape the second decade of cloud native.” – Justin Cormack, CTO, Docker
“It’s not hyperbole to say that, at some point, just about every developer has unwittingly run malicious packages or libraries. Pyrsia has the potential to solve the software supply chain problem where the binary that you get is built with different source code than what you think it’s built with. The beauty of it is, large and small businesses alike stand to benefit from Pyrsia, as will the entire software supply chain.”– Eric Sedlar, VP & Technical Director, Oracle Labs
“Pyrsia is the first open source project to introduce improvements to software supply chain security, and the DeployHub is proud to be part of it. Backing from the CD Foundation creates a whole new set of possibilities, and I’m excited to see where we go from here.” – Steve Taylor, CTO, DeployHub, Inc.
Like this story? Tweet this: .@jfrog-led open source project #Pyrsia to be incubated under the @CDFoundation to further secure the software supply chain. Learn how https://bit.ly/3FaKk8e #developers #SoftwareSupplyChain #OpenSourceSoftware
JFrog Ltd. (NASDAQ: FROG) is on a mission to power all the world’s software updates, driven by a “Liquid Software” vision to allow the seamless, secure flow of binaries from developers to the edge and connected devices. The JFrog Platform enables software creators to power their entire software supply chain throughout the full binary lifecycle, so they can build, secure, distribute, and connect any source with any production environment. JFrog’s hybrid, universal, multi-cloud DevOps platform is available as both self-managed and SaaS services across major cloud service providers. Millions of users and thousands of customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely manage their mission-critical software supply chain. Once you leap forward, you won’t go back. Learn more at jfrog.com and follow us on Twitter: @jfrog.
About the CD Foundation
The CD Foundation seeks to improve the world’s capacity to deliver software with security and speed. The CDF is a vendor-neutral organization that is establishing best practices of software delivery automation, propelling education and adoption of CD tools, and facilitating cross-pollination across emerging technologies. The CDF is home to many of the fastest-growing projects for CD, including Jenkins, Jenkins X, Tekton, and Spinnaker. The CDF is part of the Linux Foundation, a nonprofit organization. For more information about the CDF, please visit https://cd.foundation.
Cautionary Note About Forward-Looking Statements
This press release contains “forward-looking” statements, as that term is defined under the U.S. federal securities laws, including but not limited to statements regarding the Pyrsia Initiative, statements made by JFrog’s Executives, and the ability of the Pyrsia Initiative to provide better security to software supply chains.
These forward-looking statements are based on our current assumptions, expectations and beliefs and are subject to substantial risks, uncertainties, assumptions and changes in circumstances that may cause JFrog’s actual results, performance or achievements to differ materially from those expressed or implied in any forward-looking statement. There are a significant number of factors that could cause actual results, performance or achievements, to differ materially from statements made in this press release, including but not limited to risks detailed in our filings with the Securities and Exchange Commission, including in our annual report on Form 10-K for the year ended December 31, 2021, our quarterly reports on Form 10-Q, and other filings and reports that we may file from time to time with the Securities and Exchange Commission. Forward-looking statements represent our beliefs and assumptions only as of the date of this press release. We disclaim any obligation to update forward-looking statements.
Siobhan Lyons, Sr. MarComm Manager, JFrog, siobhanL@jfrog.com
Jeff Schreiner, VP of Investor Relations, jeffS@jfrog.com