DEVOPSdigest

JFrog introduced JFrog Curation, an automated DevSecOps solution designed to thoroughly vet and block malicious open source or third-party software packages and their respective dependencies before entering an organization’s software development environment.

Natively integrated with JFrog Artifactory binary repository, JFrog Curation uses binary metadata for identification of malicious packages with higher-severity CVEs, operational, or license compliance issues – removing the need to download each package for scanning before use, which preserves developer speed and ease.

“Software developers use millions of open source components to accelerate project delivery and gain a competitive edge, but this practice could be abused to inject malicious packages and vulnerabilities to the code – increasing the risk of software supply chain attacks,” said Asaf Karas, CTO of Security, JFrog. “Application security must be taken seriously and looked at holistically from the point of creation through runtime on edge devices. JFrog Curation takes the ‘shift left’ concept to the next level by automatically blocking use of risky open source software packages before entry to an organization, drastically reducing a company’s overall attack surface without compromising on speed or the developer experience.”

JFrog Curation also validates incoming software packages against JFrog’s Security Research library of recorded Critical Vulnerabilities Exposures (CVE) and publicly available information to help establish a trusted repository of pre-approved, third-party software components for use in development. By effectively bridging public package repositories, developers, production, and security personas, JFrog Curation helps improve efficiency while preventing time-consuming and costly remediation efforts later.

JFrog Curation is designed to enable developers, security leaders, and DevSecOps engineers to:

- Vet and block open source software components without compromising the developer experience or speed.

- Have central visibility and governance of every open source package requested by a developer or build tool with accurate, metadata-based insights on all infected packages, with actionable advice on ways to remediate.

- Create a comprehensive and transparent audit trail to help organizations comply with current and emerging regulatory requirements.

- Optimize the developer experience with frictionless, validated software component retrieval.

- Avoid the unruly sprawl of various tool suites through its integration with the JFrog Software Supply Chain Platform, which provides consistent, automated processes across development environments.