Home / Companies / JFrog / Blog / February 2023

February 2023 Summaries

8 posts from JFrog

Filter
Month: Year:
Post Summaries Back to Blog
JFrog's research utilizing the Contextual Analysis feature of JFrog Xray reveals that in the deliberately insecure WebGoat application, only 10 out of 60 reported critical CVEs were truly exploitable. This discovery underscores the effectiveness of Contextual Analysis in distinguishing between applicable and non-applicable vulnerabilities by assessing exploitability factors such as code prerequisites, configuration settings, and running environments. The study highlights that many vulnerabilities remain unexploitable due to missing conditions necessary for their exploitation, demonstrating the importance of focusing on actual exploitability rather than merely the presence of vulnerabilities. This approach not only helps in prioritizing CVEs that demand immediate attention but also reduces the time security teams spend on addressing false positives. The research further indicates that even in a purposefully insecure application like WebGoat, many vulnerabilities remain non-exploitable, emphasizing the complexity of real-world vulnerability exploitation scenarios.
Feb 28, 2023 2,587 words in the original blog post.
Managing a comprehensive software supply chain involves more than just coding; it necessitates integrating security and DevOps best practices throughout the software release cycle to counter various security threats. Using GitLab as a CI workflow engine, companies can enhance their software delivery by integrating it with the JFrog Platform, which offers complete supply chain management solutions. The JFrog Template Gallery for GitLab CI/CD simplifies the integration, providing templates for popular build tools like .NET, Gradle, and Maven, which allow for security audits and license compliance checks. JFrog Artifactory plays a crucial role in this setup by serving as a centralized repository for managing and distributing binary artifacts, which helps streamline the release process and reduce errors. The platform supports over 30 package types and offers continuous security monitoring, along with unique capabilities like proxying third-party packages and providing a guaranteed uptime SLA in the cloud. Additionally, open-source tools such as JFrog Frogbot and various IDE integrations enable developers to address security vulnerabilities early in the development process, enhancing overall software quality and security.
Feb 27, 2023 750 words in the original blog post.
The blog post outlines a step-by-step process for automating the deployment of Docker images using JFrog Artifactory, GitHub Actions, and Kubernetes. It emphasizes the benefits of full automation in Continuous Deployment (CD), such as increased speed and reduced errors. The guide details setting up an Artifactory server to notify GitHub when a new Docker image tag is pushed, triggering a GitHub Action that redeploys a Helm chart with the updated image. Key components include creating Docker and Helm repositories, configuring a Kubernetes cluster with appropriate service accounts, and setting up a custom webhook in Artifactory. The webhook is configured to trigger a GitHub Actions workflow via a REST API call, which deploys the image on the Kubernetes cluster and updates the Helm chart. The process concludes with verifying the deployment by inspecting the Kubernetes pod to ensure the new Docker image is successfully running.
Feb 21, 2023 1,268 words in the original blog post.
JFrog emphasizes the importance of securing the software supply chain, particularly focusing on the risks associated with allowing public access to private registries or repositories. As a CVE Numbering Authority, JFrog's Security Research team actively identifies and discloses vulnerabilities, underscoring the need for robust security practices. Organizations may have valid reasons for allowing public access, such as facilitating collaboration or supporting open-source projects, but must guard against accidental exposure of sensitive information. To mitigate risks, JFrog recommends a series of preventive measures: verifying security configurations, managing user permissions carefully, keeping public and private content separate, and scanning public-facing registries for secrets. Additionally, JFrog has implemented UI changes and alerts to help prevent misconfigurations that could compromise supply chain security. These efforts are part of JFrog's broader commitment to ensuring the secure delivery of trusted software, supported by educational sessions and collaborations with partners like Aqua Security.
Feb 09, 2023 1,053 words in the original blog post.
Software plays a crucial role in modern life, and managing its development lifecycle requires effective control over binaries and their metadata. Binaries, or software packages, contain essential data, and their associated metadata provides valuable insights into their lifecycle, including creation dates, checksums, and user actions. Efficient management of binary metadata allows for operations such as retention policy creation, event marking, and security vulnerability checks. JFrog Artifactory offers a solution with its open-source tool, build-info, which records a comprehensive set of information during the build process, stored in JSON format. This build-info includes details like build modules, dependencies, source code repository information, and environment variables, which are crucial for software supply chain security. By frequently matching the list of dependencies against a vulnerability database, developers can ensure that builds remain secure. JFrog's approach, using tools like JFrog Xray, exemplifies how build-info can be used for security scanning and to alert developers of vulnerabilities, ensuring that only secure binaries are released.
Feb 08, 2023 1,255 words in the original blog post.
OpenSSH version 9.2p1 addresses a critical double-free vulnerability that could lead to Denial of Service (DoS) or Remote Code Execution (RCE) on affected servers. This vulnerability, identified by Mantas Mikulėnas and further investigated by JFrog Security Research, particularly impacts servers using the default OpenSSH configuration. It involves the misuse of the SSH_OLD_DHGEX option, leading to a double-free scenario in the compat_kex_proposal() function. Qualys Security has demonstrated that, without security mitigations like ASLR or NX, this vulnerability can be exploited for RCE on OpenBSD systems. The JFrog Security Research team has rated the vulnerability's severity as high and strongly recommends upgrading to OpenSSH version 9.2p1, which contains the necessary security fix. Despite the vulnerability's potential impact, the JFrog DevOps platform is confirmed not to be affected, and JFrog continues to enhance its security tools and research to improve software security measures.
Feb 08, 2023 1,447 words in the original blog post.
As the complexity of software development increases, staying informed about current trends is crucial for IT and software leaders, and the JFrog's Software Artifact State of the Union provides a unique perspective by analyzing data from JFrog Artifactory, used by over 7,000 global customers including major Fortune 100 companies. Unlike other indices that rely on indirect data, this report offers insights into the actual technologies used in production, emphasizing the significance of software packages as accurate indicators of technology utilization. Key findings reveal the dominance of containerization, the rising buzz around newer programming languages alongside the continued strength of traditional ones, and a growing focus on memory-safe languages. The report highlights the critical importance of software packages in production environments, showcasing trends in package popularity and adoption by drawing on data collected since 2020. Notably, C/C++ remains the preferred language for IoT device software, with a significant increase in the use of the Conan package manager since early 2020.
Feb 06, 2023 444 words in the original blog post.
Containerized deployment is increasingly becoming an industry standard, and ensuring the security of these containers is crucial. JFrog Advanced Security offers comprehensive protection by covering the full attack surface of the software supply chain, unlike many existing solutions that are limited in scope. It provides thorough analysis by looking for vulnerabilities not just in application layers but across all layers of container images, including exposed secrets, Infrastructure as Code (IaC) security misconfigurations, and application vulnerabilities. JFrog’s contextual analysis capability enhances this by delivering precise threat assessments, reducing false positives, and allowing developers to focus on critical CVEs, thus saving time and resources. JFrog Xray identifies Open Source Software components and their vulnerabilities, assessing contextual factors such as reachability paths, configuration relevancy, and compilation flags to determine the exploitability of CVEs. The expertise of the JFrog Security Research team supports this process by offering detailed insights and remediation strategies, enabling faster development and release cycles while maintaining high levels of security assurance.
Feb 02, 2023 739 words in the original blog post.