The JFrog Platform enables proactive prevention of software vulnerabilities before they can be exploited

Proactive Vulnerability Management is a No Brainer for Security, butโ€ฆ

In December 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) identified exploits against vulnerable public-facing applications as the most common initial attack vector for cybercriminals, followed by attacks on external remote services such as VPNs. According to a study by CrowdStrike, exploit activity targeting cloud apps and assets grew 95% from 2021 to 2022, โ€ฆ

Top 7 ML Model Monitoring Tools in 2024

Taking a machine learning model to production from the proof of concept stage is a complex journey. Deploying the model is only the tip of the iceberg when it comes to operationalizing machine learning (ML) models. After the initial deployment, maintaining deployed models and continuously improving them requires specialized tools and systems. ML model monitoring โ€ฆ

Terrapin Attack

SSH protocol flaw โ€“ Terrapin Attack CVE-2023-48795: All you need to know

The SSH Terrapin attack (CVE-2023-48795) has recently caught attention, targeting the SSH protocol security by truncating cryptographic information. The inherent flaw in the SSH protocol itself affects a wide range of SSH client and server implementations. Following our initial research communication, this post will detail its fundamentals and impact. Affected Implementations Terrapin Attack Exploitation Impacts โ€ฆ

JFrog Access and AWS AssumeRoll enhance Kuernetes security.

Empowering Kubernetes Security: JFrogโ€™s Seamless Integration with AWS AssumeRole

Security Use Cases for AWS AssumeRole In the fast-paced environment of cloud-native apps, security and seamless connections are a priority. Many DevOps and SecOps professionals use Kubernetes native features to handle their container security, keeping a tight grip on access and secrets to improve security posture. The integration between AWS AssumeRole and JFrog Access in โ€ฆ

dome over boxes to show security over software packages

N-Day Hijack: Analyzing the lifespan of package hijacking attacks

Software package hijacking has become a prominent concern for individuals, businesses, and the cybersecurity community at large. Weโ€™ve seen this new threat trend rise over the past couple of years, with the potential to severely impact the software supply chain by attackers exploiting software packages to execute malicious code. This blog post details a case โ€ฆ

CVE-2021-44521 - Exploiting Apache Cassandra User-Defined Functions

CVE-2021-44521: Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

JFrogโ€™s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4). This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra. Cassandra is a highly scalable, distributed โ€ฆ

Log4j Log4shell vulnerability Questions and Answers

Log4j Log4Shell Vulnerability Q&A

In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our  Senior Director Security Research expert Shachar Menashe shared information on the security issue and how to detect and remediate it. We are happy to share additional information in the following Q&A, based on the questions raised during the webinar. The Log4j โ€ฆ

Leveraging Typosquatting for Crypto Mining

Developers Under Attack โ€“ Leveraging Typosquatting for Crypto Mining

Reviewers: Shachar Menashe, Sr. Director Security Research Itay Vaknin, Threat Intelligence Researcher The complexity of the modern software development process and its reliance on large community-maintained codebases introduces a risk for developers to inadvertently include malicious code into the project. The implications can be severe: in many cases, it can mean a complete takeover of โ€ฆ

HAProxy Vulnerability

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites โ€ฆ

TensorFlow Python code injection 203x148

TensorFlow Python Code Injection: More eval() Woes

Background JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform thatโ€™s widely used in the industry. The issue has been assigned to CVE-2021-41228. Read more about our previous, similar disclosure in Yamale in our previous blog post. The โ€ฆ