JFrog has introduced JFrog Curation, an automated DevSecOps solution that aims to vet and block malicious open source or third-party software packages and their respective dependencies before entering an organization’s software development environment.

JFrog provides an end-to-end DevOps platform for the software supply chain and has over 7K customers worldwide, including the majority (85%) of the Fortune 100.

The new tool is natively integrated with JFrog Artifactory binary repository, and the developers say it is unique in its use of binary metadata for identification of malicious packages with higher-severity CVEs, operational, or license compliance issues. The aim is that the technique removes the need to download each package for scanning before use.

The JFrog team says that existing DevSecOps platforms may provide advice, but none actively check packages against automated policies at request time without downloading them.

JFrog Curation also validates incoming software packages against JFrog’s Security Research library of recorded Critical Vulnerabilities Exposures (CVE) and publicly available information so organizations can set up a trusted repository of pre-approved, third-party software components for use in development.

JFrog Curation is designed to enable developers, security leaders, and DevSecOps engineers to vet and block open source software components without compromising the developer experience or speed. It provides central visibility and governance of every open source package requested by a developer or build tool with accurate, metadata-based insights on all infected packages, with actionable advice on ways to remediate.

The software creates a comprehensive and transparent audit trail to help organizations comply with current and emerging regulatory requirements.

JFrog says the tool means developers can be confident they're using trusted OSS packages, without their speed of application development being impaired, and DevSecOps teams can now streamline OSS package usage and approvals. JFrog Curation provides out-of-the-box templatized policies to assist application security teams with pre-built customized policies for malicious packages, CVEs, license types, and operational risk (packages that are aged, immature, or unmaintained).

More Information

JFrog Curation Webpage

Related Articles

JFrog Reveals The Popularity Of Software Technologies

JFrog Releases Conan 2

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info