JFrog : Took Security to New Heights in 2021

With security now a critical "must have" for DevOps teams, JFrog significantly deepened and extended our platform's already solid security capabilities in 2021. In this post, we'll look back at our major advances last year - and look forward at what's to come in 2022.

Our goal: To explain how we're providing to our customers the best DevOps security and compliance protection for their entire SDLC - at a time when attacks against software supply chains are getting more aggressive and sophisticated.

2021: A Challenging Year

As the pandemic disruptions extended into 2021, DevOps teams had to continue working remotely, so flexibility and scalability became key for their success. On top of this challenge, hacks continued to climb, including supply chain attacks, which compromised software development and delivery.

As a result, DevOps teams had to dig deep and search for new solutions, especially as the global cybersecurity threats prompted governments to issue new regulations and mandates, like the White House Executive Order on Improving the Nation's Cybersecurity.

We ended the year with a bang: the critical, once-in-a-decade, zero-day vulnerability in Log4j, one of the most popular pieces of software in existence. This made clear that critical vulnerabilities that are easily exploited still exist in common open source software.

A key takeaway from Log4j has been the importance for organizations to quickly understand which production systems are affected by such vulnerabilities. Ultimately, we learned that this question can only be answered in truth by scanning binaries and artifacts that are about to be deployed.

In addition to real threats like Log4j, developers continued to be flooded with issues that were overhyped and unjustifiably ranked as high severity. More and more, developers, DevOps and security teams need smart prioritization solutions that through context-based analysis help them pinpoint their most critical vulnerabilities, compliance violations and other security flaws.

How JFrog Can Help

With theJFrog DevOps Platform, and with our Xray software composition analysissolution in particular, you protect your entire software release cycle - coding, building, testing, distributing and production monitoring. These automated security and compliance checks are built into all your development and release processes. As a result, you get unparalleled visibility into your security posture, and are able to zero in quickly on the most critical threats impacting your SDLC.

In short: With JFrog, developers, security and DevOps teams get empowered to detect, prioritize and remediate security and compliance issues quickly and continuously - without having to be security experts.

Big Advances

We made bold leaps in 2021 as we continued to invest heavily in Xray, acquired a product security company and much more. Read on for all the details!

• With all eyes on the Log4j crisis, JFrog provided methods to detect, mitigate and block this threat using JFrog Artifactory and Xray, along with continuous technical coverage of the issue. Check out ourLog4j vulnerability resources.

• In addition, we released afree and open-source solutionfor determining whether your binaries or source files are impacted by the Log4j/Log4shell vulnerabilities. Here arethe details.

• With ouracquisition of Vdoo, a product security leader, JFrog gained both a top-notch team of security researchers and world-class security technology, with capabilities including:
  • Contextual threat analysis for prioritizing remediation of critical security gaps
  • Automatic detection of zero-day vulnerabilities
  • Detection of malicious packagesin your software supply chain
  • Enhanced CVE data with step-by-step mitigation advice for developers
  • Detection of binary packages in C/C++ regardless of how they were compiled
  • Analysis of embedded software on devices/IoT, along with firmware scanning
  • Detailed, actionable vulnerability database containing research-backed information on critical CVEs as well as guidance on how to solve or mitigate them
  • Detection of configuration risks,secretsand implementation gaps
  • Real-time runtime protection for embedded devices
  • Deeper, research-based coverage to identify known and unknown security risks
  • Security risk matching to 40+ security standards and regulations

• JFrog madeseveral impactful CVE vulnerability disclosuresthat affected, among others, the H2 Database, InfraHalt, PyPI, HAProxy, 23andMe's Yamale, BusyBox, and TensorFlow's utility.

• We added significant capabilities to Xray, including:
  • CVE vulnerability contextual and applicability analysis and prioritization
  • Enhanced CVE data with developer step-by-step mitigation advice
  • Native Jira integration
  • Git dependency scanning
  • Support for SPDX/CycloneDX standard SBOM formats

• JFrog Artifactory and Xray achievedIronBank certificationfrom the U.S. Department of Defense, a significant milestone of great benefit for our customers in the public sector.

• Also important for government customers, the JFrog Platform became available onAWS and Azure Government Clouds, making it easy and secure for them to deploy Artifactory and Xray directly on these public clouds.

• Xray achievedRedHat's Vulnerability Scanner Certification, which gives organizations improved assurance that the vulnerability and license compliance data identified by Xray is accurate and that their risk assessment is based on trusted, certified sources.

• Thanks to anXray-Splunk SIEM integration, DevSecOps teams can now collect and analyze vulnerability and license compliance violation data from Xray using Splunk Enterprise.

• Another integration, this time betweenXray and PagerDuty, allows DevOps teams to receive PagerDuty notifications for security violations detected by Xray's deep binary scanning of artifacts.

• Last but not least, Xray won DevOps.com'sBest DevSecOps Solution of 2021award. The publication editors remarked: "JFrog has expanded its impact and expertise in cybersecurity, DevSecOps, secure device fleet management and IoT."

What's Next?

Maintaining a solid security and compliance posture will continue to be a challenge for DevOps teams in 2022, which is why JFrog continues to relentlessly boost the security capabilities of our platform and of Xray in particular.

We're very excited for all the great things we're already working on in 2022 in areas such as:

• protecting embedded software, mobile apps, and IoT/edge devices
• detecting software configuration issues and secrets
• wider support for CycloneDX, specifically around the new 1.4 version of the specification
• performing holistic, contextual analysis and providing remediation guidance of issues
• generating new, better dashboards and reports for better visibility into your security and compliance levels
• And much more!

Stay tuned!