Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The UK government has taken a proactive step by recently releasing the Software Security Code of Practice, a vital framework aimed at strengthening the cybersecurity posture of organizations that develop and sell software. This code outlines essential practices and principles, guiding companies to enhance their software security throughout the development lifecycle, from initial design to final deployment.

Embedding security within the Software Development Life Cycle (SDLC) is no longer just a best practice; it’s a full-on necessity. DevSecOps extends the DevOps model by making security a shared responsibility from the earliest stages of development. Today’s enterprises require this kind of integrated approach to streamline workflows from development to deployment.

The RSA Conference 2025 at the Moscone Center in San Francisco on April 28 – May 1, brought together over 44,000 cybersecurity professionals from around the world. This year’s event, marking the 34th annual flagship conference, placed significant emphasis on software supply chain security and secure software development lifecycle (SDLC) practices. From the keynotes, speaking sessions, and 1:1 conversations I had on the show floor, there were eight key themes that came up over and over again.

Last week, one of the biggest concerns in the cybersecurity industry created a crisis that was avoided at the last minute. On April 16th, 2025, the MITRE Corporation announced: “The current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.” Official letter from MITRE Corp announcing the implications and expiration of the CVE Program.

The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential supply chain security threats, our research team reports any malicious packages that were discovered to the repository’s maintainers in order to have them removed. This blog provides an analysis of the ccxt-mexc-futures malicious package which aims to leak crypto currency trading credentials.

Managing and securing the software supply chain is crucial for trusted releases, but as any tech organization knows, it also presents significant challenges. With over 15 years of experience and a dedicated security research team, we at JFrog understand these threats. In a rapidly evolving post-AI world, DevSecOps teams are struggling to keep pace with changes.

On March 21st, 2025, the Next.js maintainers announced a new authorization bypass vulnerability – CVE-2025-29927. This vulnerability can be easily exploited to achieve authorization bypass. In some cases – exploitation of the vulnerability can also lead to cache poisoning and denial of service.

Update: This issue was discovered and disclosed independently to Keras by JFrog’s research team and Peng Zhou. Machine learning frameworks often rely on serialization and deserialization mechanisms to store and load models. However, improper code isolation and executable components in the models can lead to severe security risks. The structure of the Keras v3 ML Model in TensorFlow.

ML operations, data scientists, and developers currently face critical security challenges on multiple fronts. First, staying up to date with evolving attack techniques requires constant vigilance and security know-how, which can only be achieved by a dedicated security team. Second, existing ML model scanning engines suffer from a staggering rate of false positives.