#DevOpsSpeakeasy at #KubeCon EU 2022 with James Strong on Supply Chain Security
James Strong, lead solution architect at Chainguard, discusses the challenges of securing software supply chains and recommendations for developers
Security | Threat Detection | Cyberattacks | DevSecOps | Compliance
The Latest Cybersecurity News & Insights From Around The World
SATisfying our way into remote code execution in the OPC UA industrial stack
The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and disclose eight additional vulnerabilities to the vendor. These vulnerabilities were fixed in the SDK in version 1.7.7.
A new generation of OTA updates for Linux devices with Jfrog Connect
Discover how you can update, control, monitor and secure remote Linux & IoT devices, at scale, with the click of a button.
Software Supply Chain Super Heroes: Binary Management Plus Security
Go to any DevOps or security conference today and you’re likely to see “Secure your Software Supply Chain” blazoned across most booths in some form or another. And that’s for good reason. Recent data shows that supply chain attacks have more than doubled in 2021, a trend that is likely to continue. Leading companies are actively rethinking their approach to how to develop and release software.
Black Hat 2022: The CVSS Fallacy - can you trust the world's most popular vulnerability metric?
The NVD defines one of the usages of CVSS as “a factor in prioritization of vulnerability remediation” and it is the current de-facto vulnerability metric, often seen as infallible guidance and a crucial element in many compliance processes. In our session we will go over real-world CVE examples, demonstrating cases and entire categories where CVSSv3.1 falls short of providing an accurate assessment, both due to its design and its various mishandlings. The session will also touch upon specific indicators in the CVE description that can raise the confidence in a CVSS score, and vice versa.
#DevOpsSpeakeasy at #KubeCon EU 2022 with Tom Granot on Developer -Native Observability
In this interview Tom walked us through the importance of devloper native observability and how it can be easily obtained with Lightrun.
JFrog Xray Integration with AWS Security Hub
SecOps demands vigilance, but it requires visibility, too. With JFrog’s latest integration for Xray with AWS Security Hub, you can help make sure that discovered vulnerabilities are not just seen, but quickly acted on. AWS Security Hub is the cloud security posture management service available to AWS users. It provides central security administration across AWS accounts, performing security best practice checks, aggregating alerts, and enabling automated remediation.
How To Put Cloud Nimble to Work to Shift Left Security
Shifting security left means preventing developers from using unacceptably vulnerable software supply chain components as early as possible: before their first build. By helping assure that no build is ever created using packages with known vulnerabilities, this saves substantial remediation costs in advance. Some JFrog customers restrict the use of open source software (OSS) packages to only those that have been screened and approved by their security team.
Testing resiliency against malicious package attacks: a double-edged sword?
The JFrog Security research team continuously monitors popular open-source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. At times, we notice trends that are worth analyzing and learning from.
Team Up on DevSecOps with JFrog Platform App for Microsoft Teams
The JFrog DevOps Platform is your mission-critical tool for your software development pipelines. The results of key binary management events in Artifactory, Xray, and Distribution can reveal whether or not your software pipelines are on-track to deliver production-quality releases.