JFrog Runtime is a new security solution that enables developers to discover vulnerabilities in runtime environments. It monitors Kubernetes clusters in real time to identify, prioritize, and remediate security incidents based on their risk.

It provides developers with a method to track and manage packages, organize repositories by environment types, and activate JFrog Xray policies. Other benefits include centralized incident awareness, comprehensive analytics for workloads and containers, and continuous monitoring of post-deployment threats like malware or privilege escalation.

“By empowering DevOps, Data Scientists, and Platform engineers with an integrated solution that spans from secure model scanning and curation on the left to JFrog Runtime on the right, organizations can significantly enhance the delivery of trusted software at scale,” said Asaf Karas, CTO of JFrog Security.

Next, the company announced an expansion to its partnership with GitHub. New integrations will provide developers with better visibility into project status and security posture, allowing them to address potential issues more rapidly. 

JFrog customers now get access to GitHub’s Copilot chat extension, which can help them select software packages that have already been updated, approved by the organization, and safe for use. 

It also provides a unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security, a job summary page that shows the health and security status of GitHub Actions Workflows, and dynamic project mapping and authentication. 

Finally, the company announced a partnership with NVIDIA, integrating NVIDIA NIM microservices with the JFrog Platform and JFrog Artifactory model registry. 

According to JFrog, this integration will “combine GPU-optimized, pre-approved AI models with centralized DevSecOps processes in an end-to-end software supply chain workflow.” The end result will be that developers can bring LLMs to production quickly while also maintaining transparency, traceability, and trust. 

Benefits include unified management of NIM containers alongside other assets, continuous scanning, accelerated computing through NVIDIA’s infrastructure, and flexible deployment options with JFrog Artifactory. 

“As enterprises scale their generative AI deployments, a central repository can help them rapidly select and deploy models that are approved for development,” said Pat Lee, vice president of  enterprise strategic partnerships at NVIDIA. “The integration of NVIDIA NIM microservices into the JFrog Platform can help developers quickly get fully compliant, performance-optimized models quickly running in production.”

The post JFrog helps developers improve DevSecOps with new solutions and integrations appeared first on SD Times.

According to research from IDC, there has been a 241% increase year-over-year in supply chain attacks, but a new survey from JFrog had only 30% of respondents citing supply chain security as a top security concern.

The report also revealed disconnects between how leaders perceive the security of their organization versus the frontline software teams managing it. Ninety-two percent of executives believe their companies have tools to detect malicious open-source packages, compared to only 70% of developers. Similarly, 67% of executives think that code-level security scans are being regularly conducted, compared to only 41% of developers confirming they do this. 

There is a similar disconnect when it comes to AI/ML. Over 90% of executives said that their development teams were using ML models in their applications, but only 63% of developers say that’s true. 

And 88% of executives think that AI tools are being used for security scanning, but only 60% of DevSecOps teams say they are actually using AI-powered security tools. 

“The complexity of today’s software supply chain poses unprecedented risks. Despite leadership efforts to enable frontline teams with the right equipment, developers are struggling to improve efficiency and accelerate productivity due to tool sprawl, lengthy open source and ML model approvals, plus audit and compliance checks,” said Moran Ashkenazi, SVP & CISO, JFrog. “This discrepancy highlights the urgency for organizations to rethink their security strategies, focus more on AI/ML components, and align executives and doers on a mission to fortify their software supply chains.”

You may also like…

Companies still need to work on security fundamentals to win in the supply chain security fight

Developers, leaders disconnect on productivity, satisfaction

The post Report: Execs and devs have different perceptions around supply chain security, AI use appeared first on SD Times.

In the new integration, ML models are immutable, traceable, secure, and validated. Additionally, JFrog has enhanced its ML Model management solution with new versioning capabilities, ensuring that compliance and security are integral parts of the ML model development process.

“As more companies begin managing big data in the cloud, DevOps team leaders are asking how they can scale data science and ML capabilities to accelerate software delivery without introducing risk and complexity,” said Kelly Hartman, SVP of global channels and alliances at JFrog. “The combination of Artifactory and Amazon SageMaker creates a single source of truth that indoctrinates DevSecOps best practices to ML model development in the cloud – delivering flexibility, speed, security, and peace of mind – breaking into a new frontier of MLSecOps.”

A Forrester survey found that half of the data decision-makers see the application of governance policies within AI/ML as a major challenge for its widespread use, and 45% view data and model security as a key issue. 

JFrog’s integration with Amazon SageMaker addresses these concerns by applying DevSecOps best practices to ML model management. This allows developers and data scientists to enhance and speed up the development of ML projects while ensuring enterprise-grade security and compliance with regulatory and organizational standards, JFrog explained.

JFrog has also introduced new versioning capabilities in its ML Model Management solution, complementing its Amazon SageMaker integration. These capabilities integrate model development more seamlessly into an organization’s existing DevSecOps workflow. According to JFrog, this enhancement significantly increases transparency regarding each version of the model.

The post JFrog announces partnership with AWS to streamline secure ML model deployment appeared first on SD Times.

OpenAI board replaced 

OpenAI went through some major changes this month. Over the course of just a couple days, Sam Altman was fired by the board, was hired at Microsoft along with OpenAI president Greg Brockman, and then finally reinstated as CEO at OpenAI, along with Brockman. When he returned, it was announced that most of the board of OpenAI who had voted him out was being replaced too. While all of this was happening, about two thirds of the company had also signed a letter threatening to quit if Altman wasn’t brought back and the board replaced.

The original board consisted of Ilya Sutskever, chief scientist at OpenAI; Adam D’Angelo, CEO of Quora; Tasha McCauley, a technology entrepreneur; and Helen Toner, director of strategy and foundational research grants at the Georgetown Center for Security and Emerging Technology.

On November 22, the new interim board was announced, removing everyone except for D;’Angelo. The board now includes Bret Taylor, previous co-CEO of Salesforce, as chair, Larry Summers, president at Harvard; and D’Angelo. 

Meet JFrog’s new executive vice president of strategy: Gal Marder

Marder has been with the company since 2018, with the company’s acquisition of Trainlogic, which he was the CEO of. He previously held roles of vice president of DevOps consulting and vice president of global DevOps acceleration at the company.  

Applitools goes through several changes in executive leadership, including new CEO

New appointments include Alex Barry as CEO, Keri Cook as CMO, and Tom van Gorder as chief revenue officer. Gil Sever, the company’s previous CEO and co-founder, will remain on the company’s board of directors. 

Leapwork hires new CMO and CTO 

Mike Anand has been appointed CMO and Robert Salesas has been appointed CTO. In addition, Lou Shipley, former CEO and president of Black Duck Software (acquired by Synopsys), was added to the company’s board of directors. 

“With the new additions to our Board and Management Team, Leapwork is well-positioned to become the leading automation platform as we empower Enterprises to digitize their businesses. Lou Shipley has unique experience in technology and a proven track record driving business growth of fast-growing software companies, and I am delighted to welcome him to our Board of Directors,” said Christian Brink Frederiksen, CEO and co-founder of Leapwork.

Archie Deskus is PayPal’s new CTO 

As CTO, Deskus will be in charge of global technology, engineering, and information organizations at the company. She will also lead transformation of its technology stacks, systems support, and infrastructure. Since March 2022, she has been the company’s chief information officer, and before that she was senior vice president and CIO at Intel and at HPE. 

Exabeam welcomes Steve Wilson as new chief product officer

With over 20 years of experience in leadership positions in tech, Wilson will help lead the company in innovation for its AI-driven security and New-Scale SIEM portfolios. Most recently he held the role of chief product officer at Contrast Security, and before that he held roles at Citrix, Oracle, and Sun Microsystems.

The post People on the Move in Tech in November appeared first on SD Times.

With the growing shift towards the cloud, organizations are under pressure to scale rapidly, and JFrog’s integrations aim to address concerns about software supply chain security. The company emphasizes its commitment to innovation and investment in its global partner ecosystem.

The new JFrog Security within Jira Cloud allows JFrog security data to be integrated into Jira, making vulnerability management, application security, and compliance an integral part of developers’ workflows. It enhances collaboration and automation to ensure trusted releases at scale, and it is currently available in beta.

JFrog Workers, available in open beta for JFrog SaaS customers, offers a serverless execution environment for managing JFrog and third-party execution flows. It allows the creation and execution of custom scripts to further automate and connect developer workflows securely.

Other capabilities include PagerDuty Security Incident Alerts as part of the integration of JFrog Xray with PagerDuty, Datadog Log Analytics, and out-of-the-box log streaming for JFrog SaaS Customers to Datadog and Splunk, which will be available in open beta in Q4 ’23.

“The increasing complexity of today’s software ecosystems requires best-of-breed integrations between developer tools to help accelerate time to market without compromising security,” said Gal Marder, executive vice president of strategy at JFrog. “To truly protect your software supply chain you need to consider code both in development and in production at the binary level. I look forward to further collaborating with our partners on solutions and go-to-market strategies that provide significant value to our customers wanting to migrate and innovate securely in the cloud.”

The post JFrog introduces native integrations with developer tools at KubeCon appeared first on SD Times.

The new ML capabilities enable companies to detect and block malicious ML models, scan model licenses for compliance reasons, store models, and bundle models as part of software releases. 

Also part of these new capabilities is a new integration with Hugging Face, which is a collaborative platform for building and sharing AI models, datasets, and applications. JFrog users will now be able to grab ML models from that platform and cache them. 

“Increasing numbers of organizations are starting to incorporate ML models into their applications and with several government regulations requiring software vendors to list exactly what’s inside their software, we believe it won’t be long before these guidelines grow to include ML and AI models as well,” said Yossi Shaul, SVP of product and engineering at JFrog. “We’re excited to give customers an easy way to proxy, store, secure, and manage models alongside their other software components to help accelerate their pace of innovation while remaining well-positioned for tomorrow’s demands.”

In addition to the new ML capabilities, the company also announced other new security features so that developers can secure their applications throughout the software development life cycle. 

New SAST capabilities integrate within the development environment and scan code for vulnerabilities. JFrog SAST also uses contextual analysis to help developers prioritize their remediation plans.

A new open-source software catalog has also been added to the package management tool JFrog Curation. Now developers will have a better understanding of the risks associated with the open-source software they are using. 

“With the alarming rise of software supply chain attacks, securing at the binary level with immutable software bundles is a must because it’s the only way to certify that what you’re releasing is safe for use,” said Asaf Karas, CTO of JFrog Security. “By providing a comprehensive platform that is developer-friendly and enterprise-ready – with security baked in at every phase, backed by an expert team of security researchers always watching for emerging threats – we can better arm companies to innovate faster with peace of mind in knowing their software is safe for use both today, and tomorrow.” 

The post JFrog adds new ML model management and security capabilities appeared first on SD Times.

JFrog Curation, which is integrated with JFrog Artifactory, uses binary metadata for the identification of high-risk packages with high-severity CVEs as well as operational or license compliance issues. This eliminates the need to download each package for scanning before use, thereby maintaining developer speed and convenience.

“A lot of companies don’t have control. And because of the need for speed, developers are pulling down all kinds of packages from NPM, Maven, and Go. The other bad option is, ‘Hey, I can place a whole bunch of restrictions on my software development team, but it’s gonna kill my software development velocity so I have to figure out a way to enable my development team without slowing down my development.’ At the same time, they want to be able to know that they’re using trusted packages,” said Paul Garden, who heads up the JFrog Xray and DevSecOps outbound product marketing function at JFrog. “So essentially, that’s the big problem we’re solving. And we’ve actually been working with a couple of our strategic customers for nearly two years on how we approach this problem.”

JFrog Curation verifies incoming software packages against JFrog’s Security Research library of recorded Critical Vulnerabilities Exposures (CVE) and publicly available information. This process helps create a trusted repository of pre-approved, third-party software components for development use. By bridging the gap between public package repositories, developers, production, and security personas, JFrog Curation improves efficiency and helps avoid time-consuming and costly fixes down the line.

The tool provides centralized visibility and governance of every open-source package requested by a developer or build tool, offering accurate, metadata-based insights on all compromised packages, with practical suggestions for remediation.

“Security incidents such as log4Shell, Spring4Shell, etc., have taught us that what’s safe today may not be safe tomorrow when using public open-source libraries,” said Jim Mercer, research vice president of DevOps and DevSecOps at IDC. “A tool that simplifies the developer experience while ensuring packages comply with established, regularly updated security policies, and are validated against relevant vulnerability databases, is essential for securing modern DevOps workflows.”

JFrog Curation also allows the creation of a comprehensive and transparent audit trail, assisting organizations in complying with current and future regulatory requirements. It enhances the developer experience by facilitating the retrieval of vetted software components with minimal friction.

The tool also helps to prevent the excessive spread of different tool suites through its integration with the JFrog Software Supply Chain Platform, which offers consistent, automated processes across development environments.

The post JFrog Curation identifies high-risk packages and compliance issues appeared first on SD Times.

That’s a lot like the dependencies in today’s modern application development. And because these third-party components have dependencies of their own, there are many points of entry into which a malicious actor can grab your data or bring your application down for ransom.

A coder is an artist, Bill Manning, solution engineering manager at JFrog, likes to say. They create their palettes of language and tools for the problems they’re trying to solve. They understand the resources in the company. But at the same time, with the largest threat to software being third-party transitive dependencies, there’s been a big increase in the tax created by attacks or downtime.

“Everybody always talks about SolarWinds, which was a fifth-level transitive dependency attack that came in under the radar,” Manning said. “It’s very easy to infiltrate these communities, because we’re very trusting. I’m part of the open-source community, and the more contributions we have the better. But at the same time, you can’t vet everybody, and the thing is that’s where these malicious packages come in.”

Manning explained that JFrog, through its Artifactory repository and its Xray software composition analysis tool, can screen these dependencies for potential vulnerabilities before the code is even released to the developer for use.  “A developer requests a third-party dependency and all the indirect transitive dependencies that come with it,” he said. “We have the ability to actually pre-evaluate it before it even gets into the developer’s hands. What we say is ‘block unscanned artifacts.'”

If it meets the criteria defined by the company as to which third-party components or libraries can be used, “we would then release it to the developer or tool set,” Manning said. “If not, we will actually send them a message that the things they were requesting have some potential threat, something such as a malicious component to it, a security vulnerability or maybe a license compliance issue.”

JFrog can also indicate what it calls operational risk, which measures how old or outdated – or even abandoned – an open-source component or library is. Manning estimates that 75% of open-source libraries are abandoned or outdated over time.

Yet with the need for organizations in very competitive markets to release more quickly, reliance on open-source libraries can help them take advantage of emerging opportunities.  “With the promise of DevOps, ‘you build it, you own it.’ And the whole concept of shift left is, how do you give security tools to developers, but do it in such a way that it’s not completely obtrusive, but at the same time gives them enough detail and information where they can make the cognitive choice on their own. Every organization has to determine how fast is fast enough; it’s one of the tradeoffs.”

The biggest problem most companies run into is the level of remediation and the time it takes. If a build has, for example, 287 vulnerabilities, you’re pulling engineering resources away to research the vulnerabilities. That, Manning said, is going to take time, no matter how many people you have. And that, he added, will lead to things like loss of revenue and damage to your reputation. In the recent JFrog TEI report by Forrester it was noted that JFrog’s automated vulnerability and compliance workflows reduced time spent on open source research tasks by 30% and increased operational efficiency, worth $6.7 million over three years.

The VP DevOps & Engineering Manager at a multi-billion dollar Financial Services company commented in the JFrog TEI report by Forrester that “JFrog definitely [provides] a good amount of coverage, especially with the latest-day integration, which gives us the assurance of additional security scrutiny and scanning before the artifact is even brought into our environment — that definitely helps.” 

The post Third-party dependencies open doors to attack appeared first on SD Times.

With this integration, users are able to access real-time visibility into CI/CD pipelines, APIs, and web application development workflows so that DevOps and security leaders can solve software supply chain performance and security issues.

Additionally, site reliability engineers, security, and operations teams are enabled to consistently monitor the health, security, and usage trends through each stage of the software development lifecycle.

The integration allows engineering teams to track key metrics and generate alerts in New Relic to identify performance degradation so that administrators can manage performance, mitigate risks, and remediate any issues in a single view. 

“Today’s developers need a 360-degree view of applications to monitor and remediate both performance and security, no matter if they’re running on-premises, in the cloud, or at the edge,” said Omer Cohen, executive vice president of strategy at JFrog. “Our integration with New Relic gives DevOps, security, and operations teams the real-time insights needed to optimize their software supply chain environment and accelerate time to market.”

Preconfigured New Relic dashboards also bring a complete view of performance data, artifact usage, and security metrics from JFrog Artifactory and JFrog Xray environments alongside their telemetry data.

To get started, visit the website. 

The post New Relic announces JFrog integration to provide a single point of access for monitoring appeared first on SD Times.

“Organizations of all sizes are challenged to keep software up-to-date and secure while operating at the speed of business, particularly when development teams are globally distributed, which can result in a lack of standardization and gaps in visibility,” Yoav Landman, co-founder and CTO at JFrog said. 

What prompted this release is the lack of standardization of software release processes within organizations which requires an increase in customization by engineering and platform teams. 

Development organizations can now confidently attest to the quality and security of software releases, thanks to JFrog Artifactory’s new capabilities. This tool allows developers to group a release candidate and all its associated artifacts into a single, signed, and immutable bundle, to be promoted toward production.

“These new lifecycle management capabilities will help developers increase velocity, identify areas for process improvement, and make security an integral part of the software supply chain so companies can quickly improve value streams with confidence,” Landman continued.

The new features include DevOps best practices and consistency, improved application security, and automated traceability metrics for improved efficiency.

The post JFrog announced new capabilities to improve security of software releases appeared first on SD Times.