Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Automate NIST SSDF Compliance: A Technical Guide to Policy as Code in JFrog AppTrust

For many engineering and security teams, NIST SP 800-218 (Secure Software Development Framework, or SSDF) compliance feels like a hurdle that is too difficult to overcome. To meet these and other emerging regulations and be effective in today’s DevSecOps environment, organizations are moving toward codifying these standards into machine-readable rules, also known as Policy as Code (PaC).

You Can't Trust What You Can't Trace

Picture this: Your security team finishes an AI vendor evaluation. The offering looks ironclad, with content filtering, output guardrails, and a stellar red-teaming report. Everyone leaves the meeting satisfied, and another governance box is checked. Six months later, a production incident hits. An AI agent, powered by a model your team “vetted,” starts executing unauthorized deletions in your CRM.

Navigating DORA Compliance: Software Development Requirements for Financial Services Companies

Note: This blog was originally published in July 2024 and updated on an annual basis. It was most recently updated in April 2026. Regulatory compliance is a common and critical part of today’s rapidly evolving financial services landscape. One new regulation that EU financial institutions must adhere to is the Digital Operational Resilience Act (DORA), enacted to enhance the operational resilience of digital financial services.

Governance That Ships: Embedding Policy as Code Into Your System of Record

Proving compliance is a necessity, but in a world of tightening regulations, the path to compliance is currently paved with spreadsheets, screenshots, and manual attestations. We call this the “Audit Tax”, the millions of dollars and thousands of people hours spent not just integrating security, but on proving you are handling security.

AI Models Won't Pick Sides in the Security War. Governance and Policy Will.

Two significant software supply chain cybersecurity attacks, seven days apart, with one hundred and eighty million weekly downloads between them. The chaos from development teams to the boardroom is real. And the pace is only going to get faster. Much, much faster…

Accelerating Secure Software Delivery in Southeast Asia: Why the "Surge of Binaries" Demands a Unified Strategy

For years, the conversation around digital transformation in Southeast Asia focused on “getting to the cloud.” Today, that conversation has shifted. Our region is no longer just adopting the cloud; we are leapfrogging traditional development cycles by integrating AI and cloud-native architectures at a staggering pace. However, this acceleration has created a byproduct that many organizations are struggling to contain.

From Shai-Hulud to LiteLLM: Supply Chain Attackers Are Coming for Your Agents

The LiteLLM supply chain compromise of March 24, 2026, is not an isolated incident. It is the latest and perhaps most dangerous chapter in an evolving attacker playbook that JFrog Security Research has been tracking for years. The target has shifted from developers to the AI agents that developers now rely on to build software.

Stop Policies From Breaking Your Builds

Security policies exist to protect your software supply chain. So why do they keep breaking your builds? This is the unspoken frustration inside most DevOps and security teams today. Supply chain attacks drove 30% of external breaches in 2025. So your security team did the right thing. They added policies to flag packages that are too new, unproven, or missing from the organization’s approved package list.

9 New Innovations. One Trust Layer.

The software supply chain is no longer just about shipping code, it is about managing intelligence and risk. As DevOps, DevSecOps, DevGovOps and AI/ML practices converge into a single AI-driven and increasingly agentic delivery pipeline, the demands on development and security teams have reached a new level. The platform that once managed packages and artifacts now governs models, agents, and skills at enterprise scale, speed, and accountability.