July 2021 Summaries
8 posts from JFrog
Filter
Month:
Year:
Post Summaries
Back to Blog
JFrog Xray has enhanced its capabilities to support developers in identifying vulnerabilities and license violations earlier in the software development lifecycle by allowing on-demand scanning of source code and binaries using the JFrog CLI. This shift-left approach aims to catch issues before code is uploaded to Artifactory, thus improving security and compliance. Developers can run ad-hoc scans of source directories for Maven, Gradle, and NPM packages without needing to compile or deploy, and apply Xray policy rules to manage security standards. Additionally, on-demand binary scans can be performed on local files, producing detailed reports about vulnerabilities and license issues, although Docker support is pending. These features are designed to enhance developer visibility and adherence to organizational compliance standards, ultimately aiming for more secure and efficient software development.
Jul 30, 2021
840 words in the original blog post.
Software package repositories like npm, PyPI, and RubyGems have become targets for supply chain attacks, with malicious packages infiltrating these sources and posing threats to developers and CI/CD systems. JFrog's security research team recently identified several malicious Python packages on PyPI, which were subsequently removed after being downloaded approximately 30,000 times. These packages, including noblesse and pytagora, used simple obfuscation techniques and targeted sensitive information such as Discord tokens, credit card data, and system information, often utilizing public tools for obfuscation and payload delivery. The researchers highlighted the lack of moderation and security controls in public repositories, making them vulnerable to attacks through methods like typosquatting and dependency confusion. They emphasized the need for ongoing monitoring to mitigate these risks and credited Dustin Ingram for his prompt action in removing the threats.
Jul 29, 2021
1,375 words in the original blog post.
Rust, a highly favored programming language, has gained popularity due to its focus on speed, memory safety, and parallelism, making it a preferred choice for embedded device and IoT developers. JFrog has recognized this trend and integrated Cargo, Rust's package management system, into Artifactory to enhance continuous integration processes. Rust's features, such as automatic garbage collection, strong concurrency support, and safety checks, contribute to its widespread adoption. Artifactory supports both remote and local Cargo repositories, allowing developers to manage dependencies efficiently and ensure consistent builds across teams. Remote repositories serve as caching proxies for crates.io, providing speed and connection reliability, while local repositories enable private sharing within teams. This setup helps maintain consistency and governance across Rust development projects, leveraging Artifactory’s capabilities to streamline DevOps practices.
Jul 29, 2021
978 words in the original blog post.
JFrog's recent acquisition of Vdoo aims to provide comprehensive, end-to-end security across the entire software lifecycle by integrating Vdoo's technology into the JFrog DevOps Platform. During a joint webinar, leaders from both companies highlighted the importance of focusing on binaries, a common ground for development, security, and operations teams, to reduce false positives and identify critical issues. Vdoo's capabilities in real contextual analysis, zero-day threat detection, and universal device protection will enhance JFrog's offerings, particularly through the JFrog Xray tool, which performs software composition analysis and vulnerability scanning. The integration promises a unified DevSecOps strategy by offering organizations a single solution for testing and analyzing software security and compliance, ensuring all teams work in harmony. The integration of Vdoo's vulnerability data into JFrog Xray is expected by the third quarter of the year, with further integration into the JFrog DevOps Platform planned for 2022.
Jul 28, 2021
1,214 words in the original blog post.
JFrog has appointed Sagi Dudai as the new Executive Vice President of Product and Engineering to drive innovation and global R&D growth. With over 25 years of experience in technology leadership roles, including as CTO at Vonage, Dudai brings expertise in building cloud-native, large-scale SaaS platforms. His appointment aligns with JFrog's vision of advancing its Liquid Software initiative, aiming to provide seamless and secure software delivery. Dudai is keen on exploring technological trends such as cloud-native architectures, AI's impact on the industry, and the evolving DevOps landscape, emphasizing the importance of collaboration, security, and automation in software delivery. He stresses the need for cohesive teamwork and continuous learning as vital components for industry success, drawing inspiration from famous quotes about standing on the shoulders of giants and recruiting top talent. Dudai is excited to join JFrog, which he believes has the potential to become a leading software company by efficiently delivering software services in a rapidly evolving digital era.
Jul 27, 2021
1,215 words in the original blog post.
JFrog's initiative to onboard a new cloud engineering team involved the creation of the JFrog CloudOps Academy, a tailored program designed to equip junior engineers with the necessary skills to integrate into the existing Production Engineering team, responsible for managing the efficiency and reliability of services on AWS, Azure, and GCP. The 10-week academy combined guided theory lessons with crucial hands-on experience in live cloud environments, emphasizing agile methodologies, iterative work practices, and automation skills. The program facilitated meaningful experience and mentorship, allowing new engineers to actively contribute to cloud maintenance tasks and enhance operational processes. This approach not only accelerated the onboarding process but also fostered a culture of knowledge sharing and problem-solving among team members, ultimately boosting workplace passion and curiosity while blending junior and senior engineers effectively.
Jul 21, 2021
1,038 words in the original blog post.
Reverse SSH tunneling is a crucial method for accessing remote machines, especially in decentralized and remote working environments highlighted by the COVID-19 pandemic. This technique is essential for overcoming firewall restrictions that typically reject incoming SSH connections when machines are behind NAT, allowing users to establish secure connections between local and remote systems. The text explains the fundamentals of SSH tunneling, including local, remote, and dynamic port forwarding, and discusses potential security risks associated with SSH tunneling, such as the misuse of SSH keys for unauthorized network access. It provides a comprehensive step-by-step guide for setting up reverse SSH tunneling on Linux-based systems, detailing the installation and configuration process of the SSH service and the creation of a reverse SSH tunnel. The guide emphasizes the importance of SSH key management and secure passphrase usage to enhance connection security and concludes by highlighting the utility of reverse SSH tunneling in accessing machines without a public IP address, with a nod to services like JFrog Connect that facilitate easy and secure remote device management.
Jul 20, 2021
1,459 words in the original blog post.
Organizations seeking rapid application development are increasingly adopting cloud-native containers across multiple cloud providers to avoid vendor lock-in and scale infrastructure efficiently. In a presentation at swampUP 2021, Google Cloud experts discussed best practices for building a hybrid multi-cloud DevOps CI/CD solution, using a web storefront application as a case study. This application employs a microservices architecture to allow independent updates and iterations, exemplified by the quick update of a CITY BIKE product in response to demand. The architecture integrates Cloud Run for Anthos, the JFrog DevOps Platform, and GitHub, offering a consistent development environment that supports CI/CD workflows across different cloud platforms. JFrog Artifactory serves as a repository for binaries, artifacts, and dependencies, providing a "source of truth" for development teams and ensuring that software components are up-to-date and secure. The CI/CD process is automated to quickly propagate updates to production environments, demonstrated by the seamless integration and deployment of new features like the CITY BIKE image update, ensuring efficient and secure software delivery in a multi-cloud setting.
Jul 19, 2021
1,672 words in the original blog post.