Home / Companies / JFrog / Blog / May 2022

May 2022 Summaries

12 posts from JFrog

Filter
Month: Year:
Post Summaries Back to Blog
Supply chain security in software development has become a critical focus due to the increasing exploitation of software vulnerabilities, particularly in open-source software, which forms the bulk of dependencies in proprietary software. JFrog addresses these concerns with Pyrsia, a decentralized package network designed to enhance the security and trustworthiness of open-source packages by using certified and peer-verified builds. Pyrsia operates through a system of random consensus, ensuring that packages are independently verified by multiple nodes before being committed to the network, which mitigates the risk of network attacks and improves resilience against outages. This approach parallels the distributed nature of power grids, aiming to provide a reliable and secure open-source supply chain. Pyrsia supports the distribution of Docker images and enhances CI system resilience by offering cached and verified images, allowing developers to continue using existing systems without modification while benefiting from improved security and efficiency.
May 25, 2022 1,184 words in the original blog post.
A recent exploration into the vulnerabilities of npm packages highlights the risk associated with domain takeover attacks, where attackers exploit expired email domains tied to npm maintainers to gain unauthorized access. This method allows attackers to hijack npm packages by purchasing expired domains, intercepting temporary passwords sent via npm's password recovery system, and potentially injecting malicious code. The analysis found that thousands of npm packages could be vulnerable due to maintainers having email domains available for purchase. However, security measures such as mandatory two-factor authentication (2FA) for top npm packages mitigate this risk, although dependencies on less secure packages could still pose threats. JFrog Security has developed a tool, npm_domain_check, to automate the detection of these vulnerabilities, encouraging package maintainers to update their information and enforce 2FA to protect against potential hijacking. The study underscores the importance of vigilance and proactive security measures in maintaining the integrity of software supply chains.
May 24, 2022 1,899 words in the original blog post.
In response to the increasing frequency and sophistication of software supply chain attacks, leaders in the open-source community, along with the Biden Administration and U.S. Federal agencies, have convened to develop a strategic action plan aimed at enhancing the resilience of open-source software. The Open Source Software Security Summit, marking the anniversary of the Biden Administration's Executive Order on software security, was attended by 90 executives from 37 companies, including JFrog and the Linux Foundation. The summit focused on critical areas such as the development of Software Bill of Materials (SBOMs) to provide transparency and security in software supply chains and the enhancement of major OSS build systems and package managers. JFrog emphasized the necessity of providing open-source projects with enterprise-level security tools and databases, advocating for a decentralized package management system to secure software distribution. The summit outlined a portfolio of initiatives aimed at securing OSS production, improving vulnerability discovery and remediation, and shortening patching response times, with the goal of solidifying the software supply chain against attacks.
May 18, 2022 970 words in the original blog post.
Software testing is notoriously challenging, with subtle issues such as CRLF vulnerabilities often overlooked, and the complexity of systems like Log4j elevates these challenges. The Log4Shell vulnerability, present since 2013 and unnoticed until its discovery as a zero-day exploit, highlights the difficulties of detecting unknown security vulnerabilities. Traditional methods like fuzzing and manual code review face limitations due to the vagueness of requirements and the inherent complexity of software. While static analysis offers a promising approach by examining potential data paths without code execution, its tendency for false positives poses a significant drawback. The article suggests a shift towards more interactive static analyzers that provide real-time, visual guidance on potential risks from user inputs during coding. This approach could be a game-changer in zero-day vulnerability detection by allowing developers to better identify and address vulnerabilities early in the development process, integrating seamlessly into DevSecOps practices.
May 17, 2022 1,405 words in the original blog post.
Shifting security and license compliance checks to the earliest stages of the software development lifecycle, known as "Shifting Left," is advocated to ensure adherence to security policies and standards. The JFrog CLI simplifies this process by allowing developers to scan dependencies directly from local sources with ease, providing detailed violation reports. Setting up the JFrog Platform and CLI is quick and can be accomplished through simple commands on various operating systems, including Mac, Linux, and Windows. The CLI supports multiple security scan commands, such as auditing project dependencies, scanning Docker images, and conducting on-demand binary scans, which return comprehensive security reports. These tools enable developers to address vulnerabilities early in development, preventing issues post-compilation, and the open-source nature of the JFrog CLI allows for further customization and plugin development.
May 17, 2022 515 words in the original blog post.
JFrog Security's research team uncovered a sophisticated dependency confusion attack targeting users of the npm registry, specifically aiming at prominent German companies such as Bertelsmann, Bosch, and DB Schenker. The attack involved creating malicious packages with specific payloads, acting as backdoors to enable attackers to control infected machines. The malware utilized a dropper to exfiltrate system data before executing a dynamic JavaScript-based payload that connected to a command-and-control server. Despite the sophisticated nature of the malware, which included custom code and dynamically configurable parameters, the use of a public JavaScript obfuscator suggested a potential gap in the attackers' operational security. While the true identity of the threat actor remains uncertain, the attack's targeted nature and reliance on insider information point to a highly skilled adversary, although some characteristics suggest it could be an extreme form of penetration testing. The attack was reported swiftly, resulting in the removal of the malicious packages from the npm registry, and JFrog emphasizes the importance of securing the software supply chain through tools like JFrog Artifactory and Xray.
May 10, 2022 1,592 words in the original blog post.
JFrog Xray's integration with Docker Desktop Extensions enhances container security by allowing developers to scan for vulnerabilities locally before deploying to remote repositories, thereby reducing the chance of encountering security flaws in production. This integration is designed to shift DevSecOps practices left, addressing vulnerabilities earlier in the software development process. JFrog Xray is a software composition analysis solution that identifies and mitigates open-source software vulnerabilities before they reach production. The integration with Docker Desktop is straightforward and free through JFrog's free tier subscription, allowing users to set up and connect their JFrog Platform environment with ease. It enables users to scan local Docker images for vulnerabilities, displaying any security issues within the Docker Desktop interface, and also supports command-line scanning via JFrog CLI. The extension was showcased at DockerCon 2022, providing a simple yet effective tool for ensuring container security.
May 10, 2022 422 words in the original blog post.
Podcasts have surged in popularity as a versatile alternative to music, offering educational and insightful content, particularly in the rapidly evolving field of machine learning. With nearly 60% of U.S. consumers over the age of 12 regularly tuning in, podcasts serve as a convenient medium to stay updated on the latest developments and breakthroughs in machine learning. Among the myriad of options available, several standout podcasts cater to both beginners and veterans in the field, such as "Data Skeptic," which offers concise episodes on complex topics, and "This Week in ML & AI," which provides insights from leading experts. Other notable mentions include "Machine Learning with Jay Shah," which explores academic and industrial applications, and "MLOps.community," focusing on operational best practices. Additionally, "AI in Business" examines AI's transformative impact on industries, while "The Robot Brains Podcast" and "Machine Learning Street Talk" delve into high-level discussions with prominent researchers. Lastly, "Eyes on AI," hosted by journalist Craig S. Smith, contextualizes the latest machine learning advancements within broader global implications.
May 05, 2022 1,469 words in the original blog post.
Terraform is a critical tool for managing cloud service infrastructure, using infrastructure-as-code (IaC) to automate the provisioning and maintenance of cloud environments where Kubernetes applications run. Artifactory can now store Terraform modules, providers, and remote state files, integrating them into the software supply chain alongside Docker images and Helm charts, thereby establishing a secure and traceable Kubernetes registry. By storing Terraform assets in Artifactory, developers benefit from authenticated access, checksum verification, and permissions management, enhancing the traceability and management of software delivery through all stages of the software development lifecycle. Artifactory supports various types of Terraform repositories, including local, remote, and virtual, enabling a streamlined GitOps experience by partnering with the JFrog DevOps Platform's BinOps approach. This integration accelerates cloud-native development, aligning IaC practices with software supply chain management to empower developers effectively.
May 05, 2022 750 words in the original blog post.
Natural Language Processing (NLP) has significantly advanced with the rise of transformer models, starting with the groundbreaking "Attention Is All You Need" paper published in 2017, which introduced the transformer architecture. Transformer models such as GPT-3, BERT, and XLNet have become the cornerstone of NLP, expanding in size and capability, with the largest example being Microsoft’s Megatron-Turing NLG model with 530 billion parameters. These models, while effective, are costly to train, prompting smaller businesses and start-ups to rely on platforms like Hugging Face, which offers a community-driven ecosystem of pre-trained models and tools for NLP, vision, and audio tasks. Hugging Face provides resources such as the transformers library, tokenizers, and the accelerate library, which supports distributed training, and has gained popularity with over 61,000 stars on GitHub. The company recently expanded by acquiring Gradio, enhancing its ability to demo ML models, and emphasizes the importance of data preparation, a significant part of the machine learning workflow. To address data processing challenges, platforms like Qwak enable the automation of data cleaning and MLOps processes, facilitating the efficient deployment and scaling of Hugging Face models.
May 05, 2022 1,663 words in the original blog post.
JFrog Artifactory has expanded its functionality for .NET developers by serving as a fully featured Symbol Server, enhancing the debugging process for NuGet packages. Symbol files, which are crucial for debugging, provide detailed information about the association between compiled and source code. With Artifactory, developers can store both NuGet and Symbol Packages, facilitating easier debugging through automatic indexing and retrieval of symbol files by tools like Visual Studio Debugger. The platform allows for comprehensive package management, enabling the setup of local, remote, and virtual NuGet Symbol Package repositories, as well as controlling access and ensuring version control. Artifactory's virtual repository functionality permits a streamlined configuration for managing Symbol Packages, supporting various operations such as upload, download, and proxying external symbol server registries, while also handling all associated metadata.
May 03, 2022 341 words in the original blog post.
JFrog's commitment to expanding its channel partner and ecosystem strategy is underscored by the appointment of Kelly Hartman as the new SVP of Global Channels and Alliances, bringing her extensive experience from roles at IBM, AWS, and Cisco. Hartman, who began her career in the military before transitioning to technology, emphasizes the importance of teamwork, continuous learning, and overcoming personal fears to achieve success. She highlights her leadership philosophy, inspired by a former mentor, centered on kindness and empathy, while encouraging women in tech to embrace challenges and build confidence. Her enthusiasm for DevOps and JFrog stems from the necessity of organizational and cultural shifts in dynamic enterprise environments, with JFrog's platform positioned to manage the end-to-end software supply chain in an increasingly software-driven world. Hartman sees significant growth potential for JFrog by partnering with other software and cloud providers to address the evolving needs of companies aiming for a coordinated approach to software change management.
May 02, 2022 1,285 words in the original blog post.