August 2020 Summaries
3 posts from JFrog
Filter
Month:
Year:
Post Summaries
Back to Blog
The blog post discusses the discovery and analysis of a directory traversal vulnerability in the QNX Slinger HTTP server, part of the BlackBerry QNX operating system commonly used in the automotive industry. This vulnerability arises due to an improper sequence of sanitization and URI decoding, allowing attackers to manipulate file paths using encoded sequences to access unauthorized files or execute remote code. The flaw, identified as CVE-2020-6932 with a CVSSv3 score of 10, limits impact due to minimal permissions but still poses a significant security risk. JFrog's security research team emphasizes the importance of automated security analysis and adherence to stringent security guidelines to prevent such vulnerabilities. The issue was responsibly disclosed to BlackBerry, which responded promptly, and the blog encourages further discussion on security vulnerabilities.
Aug 11, 2020
1,064 words in the original blog post.
Onboarding a new Software Composition Analysis (SCA) tool like JFrog Xray into the Software Development Life Cycle (SDLC) requires careful planning to avoid disruptions and improve adoption by fostering a DevSecOps culture. The blog emphasizes that a hasty reaction to the initial flood of alerts from such tools can lead to counterproductive measures, such as system lockdowns, which might result in business halts and alert fatigue, causing the tool to be ignored. To mitigate this, it recommends involving research and development teams to integrate security processes seamlessly, configuring Watches for specific teams or maturity stages to decentralize responsibility, and integrating security tools within developers' environments. Starting with a single team and focusing on critical issues initially can help manage the integration process more effectively, while avoiding disruptive measures until existing manageable issues are addressed. The gradual approach aims to balance maintaining the development pace with enhancing security practices, ultimately establishing a solid DevSecOps foundation.
Aug 04, 2020
769 words in the original blog post.
JFrog's annual swampUP DevOps user conference offered a virtual platform for the global DevOps community to connect and featured top-rated sessions that covered significant advancements and insights in DevOps practices. Key sessions included JFrog's roadmap keynote, which highlighted innovations in software distribution, metadata services, and JFrog Pipelines, as well as introducing the concept of BinOps. Chris Short discussed cloud migration strategies, emphasizing the importance of planning and cloud cost optimization. Brendan Burns provided guidance on creating robust Kubernetes clusters for production, focusing on testing and best practices for configuration and governance. Jessica Deen explored making Kubernetes implementations enterprise-grade by addressing architecture, resilience, and security. Lastly, Gal Marder and Shimi Bandiel presented JFrog's peer-to-peer approach to software distribution, which effectively manages the challenges of frequent deployment cycles and large-scale runtimes.
Aug 03, 2020
831 words in the original blog post.