With software supply chain attacks on the rise, implementing DevSecOps best practices in an air gapped environment is a must. In an effort to secure an organization’s internal network, there is an increasing trend of separating the internal network from the external one. Essentially creating an enclosed and disconnected environment from the public internet. An air gapped solution provides stricter security requirements, but that’s not enough.

JFrog has been hard at work behind the scenes restructuring how we share information with the developer community. We wanted to create a one-stop resource for developers who code in a variety of languages, with a focus on DevOps, DevSecOps, and cloud native technologies. So without further ado … let me introduce you to our new JFrog Community site!

Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading). H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on disk.

Together with the community, JFrog pioneered what we now know as DevOps with a focus on binaries (aka software packages, artifacts or images). A decade ago, no one thought binary management would be a thing — now it’s a standard most companies can’t live without. Back then, we said software universality would be necessary, and now others follow suit. People thought cloud would be a single-vendor decision.

Over the last several years, systems architects have had to make sure their systems are cloud native, with applications that are optimized for scalable cloud technology infrastructure. In today’s environment, you should be asking whether your solutions are cloud nimble as well. For the modern enterprise, cloud computing is now the default model for applications, storage, and compute.

There are many benefits to working with JFrog Artifactory as your private Docker registry, allowing you to store, share and deploy your binary artifacts in a single source of truth. This blog post will focus on using Artifactory in Kubernetes. Specifically, we’ll walk through the steps for configuring Kubernetes to pull images from Artifactory and most importantly – scale up! It will also describe how you can enable cluster-wide authenticated access to Artifactory behind the scenes.

Dealing with hundreds of security alerts on a daily basis is a challenge. Especially when many are false positives that waste our time and all take up too much of our valuable time to sift through. Let me tell you how our security team fixed this, as we built security around the JFrog products. First, let me tell you a little bit about our team.

The high risk associated with newly discovered vulnerabilities in the highly popular Apache Log4j library – CVE-2021-44228 (also known as Log4Shell) and CVE-2021-45046 – has led to a security frenzy of unusual scale and urgency. Developers and security teams are pressed to investigate the impact of Log4j vulnerabilities on their software, revealing multiple technical challenges in the process.

The discovery of the Log4Shell vulnerability in the ubiquitous Apache Log4j package is a singular event in terms of both its impact and severity. Over 1 million attack attempts exploiting the Log4Shell vulnerability were detected within days after it was exposed, and it may take years before we see its full impact.

At many organizations, the surprise discovery that the widely used Apache log4j open source software has harbored a longtime critical vulnerability was as if Scrooge and the Grinch had teamed up for the biggest holiday heist of all. Incident response teams across the globe have scrambled to remediate thousands, if not millions of applications. “For cybercriminals this is Christmas come early,” explained Theresa Payton, former White House CIO and current CEO of Fortalice Solutions.