At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making security a priority in everything we do.

Contributing members of the open source project git deployed a code change in June 2022 that switched the default file compression method from the gzip program to an internal gzip-compatible implementation. The change was made for performance reasons and to reduce the dependency on the aging gzip project. Unfortunately, it also impacted SaaS offerings like GitHub that use git under the hood. GitHub deployed the change and was also forced to quickly roll it back in January 2023.

Attacks on software supply chains have been around for some time, but recently they have evolved into much more dangerous threats. Let's dive into the SLSA framework to understand where supply chain security is headed.

Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the container image to a TAR archive before scanning, and even then they may only work on the application layer instead of evaluating the entire filesystem.

Identified as leaders in IoT (Internet of Things) Device Identity Lifecycle Management by ABI Research, and leaders in IoT IAM according to Quadrant, Device Authority and Entrust have worked together to integrate Device Authority’s KeyScaler® IoT IAM (Identity and Access Management) platform with PKI (Public Key Infrastructure) services from Entrust, extending the existing collaboration for Hardware Security Module (HSM) services, to provide device trust, data trust and automation at IoT sca

Last month, over the holidays, we witnessed multiple vendors experience security breaches of varying levels of severity. From LastPass and Okta to Slack and CircleCI, the news has been filled with headlines reporting on the aftermath of these incidents. We wanted to briefly cover these stories and discuss their implications for you in the current year.

Keeping up with supply chain threats is hard work and, unfortunately, never-ending. There are some good frameworks out there that, when implemented, minimizes the risk of exposure. But for smaller organizations it can be a challenge to get the resources and time to implement them correctly. Not to mention keeping them maintained over time.

As the cyber threat evolves, adversaries are increasingly targeting non-publicly disclosed vulnerabilities in the software supply chain. Attackers are able to stealthily travel between networks because to a vulnerability in the supply chain. To combat this risk, the cybersecurity community must center its efforts on protecting the software development lifecycle.