Home / Companies / JFrog / Blog / September 2021

September 2021 Summaries

5 posts from JFrog

Filter
Month: Year:
Post Summaries Back to Blog
Integrating security into DevOps pipelines is essential, and the collaboration between JFrog Artifactory and JFrog Xray facilitates this by embedding security throughout the software development lifecycle to address open source software vulnerabilities and license compliance issues. A significant development in this area is the integration of JFrog Xray data with the Splunk Enterprise through a new SIEM Plugin available in the Splunkbase marketplace, allowing DevSecOps teams to collect and analyze real-time vulnerability and compliance data. The data is mapped to Splunk’s Common Information Model, enabling seamless integration with other SIEM tools, thus enhancing the ability to identify and address security issues effectively. Out-of-the-box dashboards in Splunk provide a comprehensive view of security and license violations, along with detailed insights into the most vulnerable repositories, artifacts, and components. This integration allows teams to assess their security measures' effectiveness and understand the impact of vulnerabilities across their environment, with additional resources and detailed information accessible through the JFrog Platform Log Analytics app and accompanying documentation.
Sep 29, 2021 402 words in the original blog post.
Conan Center has reached a significant milestone with the public contribution of over 1,000 Conan recipes, which are Python-language files that describe how a Conan package is consumed, significantly impacting the C/C++ package community. Since its inception, Conan Center has experienced considerable growth, amassing nearly 400 contributors, 10,000 commits, and 5,500 pull requests, all thanks to its active and supportive community. To celebrate this achievement, the Conan team has organized a virtual event on September 30, 2021, to be streamed on YouTube, where contributors can engage with the community and have a chance to win a Nintendo Switch. Participants are encouraged to join the Conan Slack channel for interaction during the event.
Sep 28, 2021 199 words in the original blog post.
Integrating software security processes throughout the software development lifecycle is essential for releasing secure products, with a particular focus on the verification phase to ensure that security features are correctly implemented. This involves identifying vulnerabilities, security gaps, and assessing the overall security profile of both individual components and the finished product. Vendors, integrators, and OEMs can be held liable for security issues, making it crucial to employ various security verification methods, including internal quality assurance, penetration testing, and external certification. While traditional methods like manual penetration testing offer in-depth analysis, they can be time-consuming and subjective, whereas automated vulnerability scanning tools provide objective, efficient results that can be seamlessly integrated into CI/CD workflows. Independent security certification, although costly and time-consuming, can offer a competitive advantage, especially as cybersecurity regulations become more stringent. As cyber threats evolve, the need for robust security verification processes, including automated solutions, becomes increasingly critical for maintaining trust and compliance in the marketplace.
Sep 21, 2021 2,264 words in the original blog post.
With the acquisition of Upswift, JFrog aims to bridge the gap between IoT device management and modern DevOps pipelines by integrating IoT software updates, monitoring, and security into a unified platform. Upswift's technology, which enables remote management, continuous monitoring, and secure updates of edge and IoT devices, complements JFrog's existing CI/CD capabilities, providing end-to-end visibility and control over software releases. This integration addresses the challenges of deploying software to distributed environments while maintaining security and operational efficiency, positioning JFrog as a leader in delivering seamless, automated updates across both backend and device software. By combining their expertise, the two companies plan to offer a comprehensive solution that enhances security and extends DevSecOps practices into the IoT landscape, ensuring that software updates and device management are fully incorporated into the continuous delivery process.
Sep 13, 2021 1,352 words in the original blog post.
JFrog Security identified a critical vulnerability, CVE-2021-40346, in HAProxy, a widely used open-source load balancer, which could lead to an HTTP Request Smuggling attack due to an integer overflow. This vulnerability, with a CVSSv3 score of 8.6, allows attackers to bypass security controls, access sensitive data, execute unauthorized commands, and more by sending specially crafted HTTP requests that exploit parsing inconsistencies between frontend and backend servers. The issue is rooted in HAProxy's handling of Content-Length headers and was responsibly disclosed, with fixes incorporated in versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4. Users unable to upgrade can apply configuration changes to mitigate the risk. The discovery highlights the importance of thorough security audits and automated detection tools for identifying potential vulnerabilities in widely deployed software.
Sep 07, 2021 2,194 words in the original blog post.