Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Effectively protecting your software supply chain has reached a critical turning point where the traditional strategy of patching together “best of breed” or point AppSec solutions is no longer sustainable.

Securing your Docker containers just got a lot easier. On December 17, Docker announced that their catalog of over 1,000 Docker Hardened Images (DHI)—previously a premium-only feature—is now free and open source. This big change means every developer can now start their Dockerfile with a minimalist, near-zero CVE, SLSA Level 3 compliant foundation.

Imagine this. Your phone rings on January 2nd, and it’s your DevSecOps and AppSec groups. A major security vulnerability is exposing your business, and your teams are trying desperately to find and fix it to protect your data. You probably have scars as far back as Log4j, as well as threats from more recent incidents like npm attacks, Glassworm and others ringing in your ears. With CVEs expected to rise by tens of thousands a year, you can envision that the situation will only worsen.

The pressure to integrate AI is immense. Your developers need to move fast, and they’re finding ways to get the job done. But this rush for innovation often happens outside of established governance, creating a sprawling, invisible risk known as Shadow AI. To secure your organization, you must first understand what Shadow AI actually is. It’s not just a developer downloading a file to their laptop. Shadow AI is the totality of unmanaged AI assets within your supply chain.

JFrog continues to track and provide updates on React2Shell at research.jfrog.com.

JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content.