Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity of OpenSSL, social media was flooded with messages about this issue, expecting a “Log4Shell”-level event.

Welcome to the second post in our series on Malicious Software Packages. This post focuses on the infection methods attackers use to spread malicious packages, and how the JFrog Security research team unveiled them.

Welcome to the first post of the malicious software packages series for the DevOps and DevSecOps community. Each Monday, this technical series will focus on various malicious packages and their effects on the software supply chain, all published over the next four weeks. We’ll dive deeper into malicious packages in each post, including Here we go. Let’s discuss malicious software packages in your software supply chain.

The JFrog Security Research team released the findings of a recent investigation wherein they uncovered thousands of publicly exposed, active API tokens. This was accomplished while the team tested the new Secrets Detection feature in the company’s JFrog Advanced Security solution, part of JFrog Xray.

Today marks an exciting day for JFrog and a substantial step forward towards ensuring end-to-end software supply chain security. JFrog Advanced Security is our unique approach for DevOps-centric security, and the only solution that was built especially for today’s modern DevOps workflows.

Code that an organization’s developers create is only the beginning of modern software development. In fact, first-party code is likely to be only a small proportion of an application – sometimes as little as 10% of the application’s artifact ecosystem. An enterprise’s software supply chain is made of many parts, from many sources: open source packages, commercial software, infrastructure-as-code (IaC) files, and more.

Not all of the recognizable risks in your software supply chain can be identified by their known vulnerabilities recorded as CVEs. A component that is outdated or inactive may present risks to your application that no one has had cause to investigate. Yet these components could still harbor threats.

The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting.

The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and disclose eight additional vulnerabilities to the vendor. These vulnerabilities were fixed in the SDK in version 1.7.7.

Go to any DevOps or security conference today and you’re likely to see “Secure your Software Supply Chain” blazoned across most booths in some form or another. And that’s for good reason. Recent data shows that supply chain attacks have more than doubled in 2021, a trend that is likely to continue. Leading companies are actively rethinking their approach to how to develop and release software.