JFrog Curation: Strengthening Security by Blocking Malicious Open-Source Packages

JFrog, the Liquid Software company and creators of the JFrog Software Supply Chain Platform, recently introduced JFrog Curation, an automated DevSecOps solution designed to thoroughly vet and block malicious open source or third-party software packages and their respective dependencies before they enter an organization’s software development environment. We spoke to Prasanna Raghavendra, Senior Director, R&D at JFrog India, to understand more about the launch and how it will benefit the developer community.


Can you brief our readers on the new launch and why JFrog felt the need to launch such a product?

Software developers commonly use open source components to accelerate project delivery, but because open source libraries are often uncurated or not well maintained (e.g. maintainer attack), this practice has the potential to inject malicious packages and vulnerabilities into the code, increasing the risk of software supply chain attacks. Application security must be taken seriously and looked at holistically from the point of creation through runtime on edge devices. JFrog Curation takes the ‘shift left’ concept to the next level by automatically blocking use of risky open source software components before entry to an organization, drastically reducing a company’s overall attack surface without compromising on speed or the developer experience.


How does JFrog Curation help address these security concerns?

In 2022, more than 10 million people were impacted by software supply chain attacks targeting roughly 1,700 entities worldwide – nearly all of which included some element of faulty or nefarious open source code.

JFrog Curation delivers centralized governance for automatically blocking malicious open-source packages and vulnerabilities from entering an organization’s software supply chain by:

  • Vetting and deflecting open source software components.
  • Enabling central visibility and governance of every open source package requested by a developer or build tool with accurate, metadata-based insights on all infected packages, with actionable advice on ways to remediate.
  • Providing transparent filtering, saving remediation costs by ensuring the quality of packages entering your software supply chain.
  • Creating a comprehensive and transparent audit trail to help organizations comply with current and emerging regulatory requirements.
  • Optimizing the developer experience with frictionless, validated software component retrieval.
  • Helping organizations to avoid the unruly sprawl of various tool suites through integration with the JFrog Software Supply Chain Platform, which provides consistent, automated processes across development environments.


Could you explain how JFrog Curation integrates with the JFrog Software Supply Chain Platform to ensure consistent and automated processes across different development environments?

We are on a mission to create a world of software delivered without friction from developer to device and with JFrog Curation we are redefining “Shift Left” security for the enterprise software supply chain.

Natively integrated with Artifactory, Curation gives centralized control and visibility of third-party binaries to streamline your software development workflow.


How does the launch of Curation benefit the developer community in India?

India has a vibrant and growing open-source community. Most digital experiences are powered by open-source software. Notably, more than 85 percent of India’s internet is running on open-source software. Courts, IRCTC, State Bank of India, LIC India, etc. rely on this ecosystem to scale operations and provide efficient services. With the growing dependency on open source software, especially in key industries, we are unknowingly allowing the risk surface to widen while keeping developers at the center. With the introduction of JFrog Curation, we are enabling developers to confidently use reliable open source libraries and fast-track the development process.


What are the potential risks that developers are exposed to while using open-source software?

The use of open-source components can create a lot of additional work for already time-crunched teams, and it often isn’t clear who is responsible for this work. You must keep track of what components are used, what version they are, where they’re used, and how they might interact with other components in use. Here are the top three risks of open source software:

Known vulnerabilities are the top risk associated with open source software. This risk occurs when a component version contains vulnerable code, accidentally introduced by its developers. If a known vulnerability is exploited by a threat actor, it could compromise the confidentiality, integrity or availability of the respective system or its data.

Open-source software comes with no claims or legal obligations for security, and community support informing you how to implement it securely may be lacking. The developers responsible for creating the software are often not security experts and may not understand how to implement best practices.

There are over 200 types of licenses that can be applied to open-source software, including Apache, GPL, and MIT. Many of these licenses are incompatible with each other, meaning that certain components cannot be used together, since you have to comply with all terms when using open-source software. The more components you use, the more difficult it becomes to track and compare all of the license stipulations.