Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

JFrog

jfrog

npm package hijacking through domain takeover - how bad is this "new" attack?

May 24, 2022 By Andrey Polkovnychenko and Shachar Menashe In JFrog

When relying on a 3rd-party package from a non-commercial entity, there is always the risk of lack of support, especially when it comes to outdated packages and versions. If the package stops being maintained, nobody will implement a new feature we might need or fix a newly-discovered security vulnerability. Consider, for example, CVE-2019-17571. A critical remote code vulnerability which was never fixed in Log4j 1.x, since it was not supported anymore, and only fixed in Log4j 2.x.

Read Post
jfrog

JFrog & Industry Leaders Join White House Summit on Open Source Software Security

May 18, 2022 By Stephen Chin In JFrog

There’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked nearly 20 different open source software supply chain attacks – two of which were zero day threats.

Read Post
jfrog

Scan your software packages for security vulnerabilities with JFrog Xray

May 17, 2022 By Robi Nino In JFrog

Scanning your packages for security vulnerabilities and license violations should be done as early as possible in your SDLC, and the earlier the better. This concept is also known as “Shifting Left”, which helps your organization comply with security policies and standards early on in the software development process. As developers, this may seem like a hassle, but with JFrog CLI it’s easy!

Read Post
jfrog

How to Prevent the Next Log4j Style Zero-Day Vulnerability

May 17, 2022 By Asaf Karas, Oren Ish-Shalom, Ilya Khivrich In JFrog

Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings in text files. It’s those subtle corner cases that have a strong tendency of being overlooked by programmers.

Read Post

OWASP Bay Area Meetup Host Sponsored by JFrog - April 28

May 17, 2022 By JFrog In JFrog
Followed by talks Talk #1 Demystifying the SBOM’s impact on Secure Software Deployment With the White House’s cybersecurity executive order in May 2021, has the Software Bill of Materials (aka SBOMs), graduated from being a “nice to have” to a “must-have” global standard when developing and deploying secure software from the cloud? In a nutshell, SBOMs provides visibility into which components make up a piece of software and detail how it was put together, so it's easy to determine if it contains security and compliance issues. In this talk, we’ll discuss • What exactly is an SBOM? • Securing your Software Supply Chain • Why SBOM must be a key element of your software development life cycle's (SDLC) security and compliance approach • The misconceptions that exist around SBOMs • Insights and best practices on SBOM creation and usage.
View Video

(SBOM) Creation of your Software Bill of Materials

May 13, 2022 By JFrog In JFrog
Because of growing software supply chain cyber-attacks and incidents like Log4J, tracking your Software Bill of Materials has become essential. It’s a list of the “ingredients” that make up a piece of software. SBOMs are used by software producers to manage components, software buyers to assess security and compliance, and operators to monitor risks and threats. SBOMs are required by military, and government agencies and will likely become the norm, especially in highly regulated industries. Documenting and reporting your SBOM will become a universal best practice.
View Video
jfrog

Get Peace of Mind about Security When Deploying Containers from Docker Desktop

May 10, 2022 By Eyal Ben Moshe In JFrog

Have you ever deployed Docker containers and hoped they delivered safe software? Would you like to get peace of mind that the contents of your containers are secure and clear of vulnerabilities? With JFrog Xray’s new integration with Docker Desktop Extensions, you will be able to do just that. By scanning for vulnerabilities locally before pushing to your remote repositories, your deployed software will inherently be more secure.

Read Post
jfrog

npm supply chain attack targets Germany-based companies with dangerous backdoor malware

May 10, 2022 By Andrey Polkovnychenko and Shachar Menashe In JFrog

The JFrog Security research team constantly monitors the npm and PyPI ecosystems for malicious packages that may lead to widespread software supply chain attacks. Last month, we shared a widespread npm attack that targeted users of Azure npm packages. Over the past three weeks, our automated scanners have detected several malicious packages in the npm registry, all using the same payload.

Read Post

CTO Corner with Yoav Landman, Episode 2: The Importance of Securing Binaries

Apr 27, 2022 By JFrog In JFrog
Want a glimpse at what it is like to be a CTO of a DevOps company? Join JFrog’s CTO Yoav Landman for our new CTO Corner Series. Each episode will feature a topic that is at the forefront of every technologist's mind… or should be. Yoav will be discussing hot topics in tech with other industry leaders giving you an opportunity to see behind the curtain of the decision makers.
View Video

Copyright © 2024 OpsMatters™. All rights reserved.