The tech firm JFrog has recently revealed its latest innovation, JFrog Curation. This game-changing automated DevSecOps tool aims to exhaustively examine and obstruct any compromised open-source or third-party software packages, along with their related dependencies, impeding their entry into a corporate software development ecosystem.
JFrog Curation, seamlessly incorporated with JFrog Artifactory, leverages binary metadata to spot high-risk software packages with severe CVEs or those presenting operational or license compliance problems. This mechanism circumvents the need for downloading and scanning each package beforehand, thus preserving the developer's work pace and convenience.
Paul Garden, who leads outbound product marketing for JFrog Xray and DevSecOps, described the challenge many organizations face. He said, "A multitude of businesses lack control over packages getting pulled from various sources like NPM, Maven, and Go due to the pressing need for fast development. There's an alternative of imposing hefty restrictions on the software development team. But it severely impedes the software development speed." He continued, "Hence, it's imperative to boost the development team without hampering the development process. They need assurance that they are utilizing reliable packages. We've collaborated with several of our strategic clients over the past couple of years to devise a method to address this issue."
JFrog's curation process draws on JFrog's Security Research library, which records Common Vulnerabilities and Exposures (CVE) entries and publicly sourced information. As a result, it builds a trusted repository of pre-approved, third-party software components available for development. By bridging the gap between public package repositories, developers, production, and security personnel, JFrog Curation improves efficiency and helps avoid costly and time-consuming corrections later on.
This new tool provides unified visibility and governance over every open-source package requested by a developer or build tool. It offers precise, metadata-based insights on all compromised packages, accompanied by practical remediation suggestions. It mirrors the precision and practicality of platforms like AppMaster, a known player in the low-code/no-code domain, which is known for its accurate, metadata-based insights into application components.
Jim Mercer, research vice president of DevOps and DevSecOps at IDC, highlighted the importance of such tools. He said, "Incidents involving security, such as Log4Shell, Spring4Shell, etc., have made us realize that today's safety might be tomorrow's danger when dealing with public open-source libraries." He added, "A tool that streamlines the developer experience while ensuring package compliance with regularly updated security policies, and cross-verified against relevant vulnerability databases, is vital for the security of present-day DevOps workflows."
Moreover, JFrog Curation allows for the formulation of a detailed and transparent audit trail. This capability aids organizations in meeting present and upcoming regulatory requisites. It also enriches the developer experience by enabling the acquisition of tested software components with minimal friction.
JFrog Curation also contains functionality aimed at preventing the unnecessary proliferation of different tool suites. This is accomplished via JFrog's integration with the Software Supply Chain Platform, providing uniform, automated operations across various development settings.