Known vulnerability is the top risk associated with open source software: Prasanna Raghavendra, Senior Director, R&D, JFrog India
In an era of rapidly evolving technology, managing the software supply chain has become a paramount concern for organizations seeking to safeguard their digital assets. To explore the intricacies of modern software security, we spoke with Prasanna Raghavendra, Senior Director of Research and Development at JFrog India. Raghavendra delves into the nuances of JFrog Curation, an automated DevSecOps solution designed to enhance the integrity of software supply chains.
Some edited excerpts from the interview:
Can you explain how JFrog Curation works and how it helps organizations manage their software supply chains more effectively?
JFrog Curation is an automated DevSecOps solution designed to thoroughly vet and block malicious open source or third-party software packages and their respective dependencies before they enter an organization’s software development environment. Natively integrated with the JFrog Artifactory binary repository, JFrog Curation is unique in its use of binary metadata for identifying malicious packages and packages with higher-severity CVEs, operational, or license compliance issues – removing the need to download each package for scanning before use, which preserves developer speed and ease.
There are a few reasons companies need to centralize open source software (OSS) package downloads and usage:
1. Software developers use millions of open source components to accelerate project delivery, but this practice often injects malicious packages and vulnerabilities into the code – increasing the risk of software supply chain attacks.
2. Several OSS packages may violate a company’s security, legal, or operational risk policies, and often there is no available version of the package that complies with those policies. Trying to find and replace a vulnerable or malicious OSS package or framework after it is already in production is not only expensive but also slows a business’s velocity and impacts the developer experience.
3. Sometimes the OSS packages deemed “safe for use” today are not safe tomorrow. Thus, when a new OSS vulnerability is discovered, organizations need a central place to block further use of that package by any developer.
Additionally, when an OSS package is deemed unsafe, JFrog Curation will advise the developer on possible steps for making the package compliant with company risk policies. For example, it may suggest that the developer upgrade the package to a newer version that is in compliance with company risk policies. The best part is, all of this scanning, assessing, advising and remediating is done before the first line of code is even written by the developer, improving the business velocity and the developer’s experience.
With the increasing threat of cybercriminals targeting open source repositories, what led JFrog to develop the curation capability for open source software components? How do you see this addressing the challenges in the cybersecurity landscape?
In 2022, more than 10 million people were impacted by software supply chain attacks targeting roughly 1,700 entities worldwide – nearly all of which included some element of faulty or nefarious open source code. When you look at the associated numbers, this is not surprising.
JFrog Curation delivers centralized and seamless governance for automatically blocking malicious open-source packages and vulnerabilities from entering an organization’s software supply chain by:
● Providing central screening with seamless curation policies for downloads from public repositories such as https://www.npmjs.com/
● Blocking malicious packages from entering the organization’s development environment, saving OSS package replacement costs and remediation time later.
● Creating a comprehensive and transparent audit trail of packages entering the organization or being blocked by policies to help them comply with current and emerging regulatory requirements.
● Providing developers with insights into any blocked packages, and actionable advice on the steps needed to be compliant with the company’s OSS package risk policies.
● Optimizing the developer experience with frictionless, validated software component retrieval.
Could you share some insights into the number and types of vulnerabilities that JFrog Curation has detected and blocked so far? How has this impacted the overall security posture of organizations using the JFrog Platform?
The use of open-source components can create a lot of additional work for already time-crunched teams and it often isn’t clear who is responsible for this workload. You must keep track of what components are used, what version they are, where they’re used, and how they might interact with other components in use.
Here are the top 3 risks of open source software:
● Known vulnerability is the top risk associated with open source software. This risk occurs when a component version contains vulnerable code accidentally introduced by its developers. If a known vulnerability is exploited by a threat actor, it could compromise the confidentiality, integrity or availability of the respective system or its data.
● Open-source software comes with no claims or legal obligations regarding security, and community support explaining how to implement it securely may be lacking. The developers responsible for creating software are often not security experts and may not understand how to implement best practices.
● Open-Source Software Licenses: There are over 200 types of licenses that can be applied to open-source software, including Apache, GPL, and MIT. Many of these licenses are incompatible with each other and cannot be used together since you have to comply with all terms when using open-source software. The more components you use, the more difficult it becomes to track and compare them against all license stipulations.
JFrog Curation enables organizations to block open source packages from entering their software supply chains if they are malicious, have high or critical CVEs, carry any operational risk, or have any type of license compliance issue. Millions of open source packages are updated each month (across the top 5 open source package types), with hundreds of thousands of new software packages created every month. That amounts to a huge number of software packages with potential risks that can be blocked by Curation.
How does JFrog Curation implement the “shift left” concept of application security, and how does it contribute to the DevSecOps practices adopted by organizations?
Application security must be taken seriously and looked at holistically from the point of creation through runtime on edge devices. JFrog Curation takes the ‘shift left’ concept to the next level by automatically blocking use of risky open source software packages before entry to an organization, drastically reducing a company’s overall attack surface without compromising on speed or the developer experience. It uses a proactive, preventative approach through an automated, centralized screening process for all OSS package downloads from public repositories against the organization’s specific risk policies.
JFrog Curation uses metadata from binaries to identify malicious packages and software components with licensing issues. Could you elaborate on the process of how this metadata is generated and utilized to validate software packages against JFrog’s Security Research library and publicly available information?
JFrog Curation relies on a service that runs in the background called “JFrog Catalog”. This is an open source package database that pulls metadata from public sources and also JFrog proprietary open source package information. This database is used as a reference for the management of open source package data and the application of policies against developer requests.
JFrog Curation intercepts the package download requests issued by the developers’ package managers and does the following:
1. Retrieve the package’s entire metadata as provided by JFrog Catalog (e.g. package CVEs, licenses, operational properties and whether it is known to be malicious).
2. Seamlessly evaluate the package compliance with defined policies.
3. If a violation is identified, the package download is blocked and no download occurs; if it’s deemed safe for use, the package will be downloaded into the respective repository for development.
4. The developer gets an actionable guide to the violations that occurred with each OSS package download and what needs to be done to remediate the situation.
With the adoption of open source software components increasing in application development, how do you strike a balance between maintaining software quality and reducing the friction in the development process?
Open source software components are actually improving the productivity of the development teams and we appreciate all those contributing to enhancing the open source libraries. We really can’t avoid open source components but security scanning tools like JFrog Xray and JFrog Curation can help development teams understand the dependency risk in open source libraries and help deliver secure releases faster.
A balanced approach recommended by JFrog is to block the critical violations on new open source packages before they enter the organization, and to clean up and fix the existing violations over time based on a strict SLA. For example, block malicious packages and Critical CVEs on new packages before use, and ensure existing high and critical CVEs are fixed before they are released to production.
As organizations face the challenge of integrating security measures without disrupting the development workflow, how does JFrog Curation assist in eliminating the need to individually scan each package before developers employ them?
JFrog Curation is designed to allow seamless vetting of new packages requested from public repositories – meaning, it all takes place in the background of developers’ workflow without friction. This entails executing package searches and policy comparisons in fractions of a second without any change or extra steps required by developers. Only if the package is approved by all relevant policies will it be downloaded from the remote repository – and only when a violation occurs will the developer need to take action. To streamline that process, JFrog Curation provides a full description of the package violation and recommended steps needed to either upgrade the package version or replace it with a similar solution.
JFrog Curation blocks the use of risky open source software packages. Could you elaborate on the criteria used to determine what qualifies as “risky” and how organizations can best remediate the vulnerabilities discovered?
JFrog Curation is a policy-driven process. When developers attempt to download a software package from an open-source public repository to a curated repository within their organization – the package download request is checked against the relevant risk policies and the download is either approved or rejected based on that benchmark. Policies supported fall into the following categories:
1. Security – packages known to be malicious or that have a critical CVE.
2. Legal – packages with an undesirable license type, e.g. GPL, LGPL or MIT.
3. Operational – packages that are aged with no newer version or considered too new for use.
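As an added illustration from the editor (not part of the interview, and not JFrog’s code), here is the decision flow from the two answers above – look up the version’s metadata, evaluate it against security, legal and operational policies, block or allow, and recommend a compliant version – modelled as a small policy evaluator over a constructed catalog snapshot. The package name `examplelib`, its versions and dates, the `EXAMPLE-CVE-*` placeholder identifiers and every policy threshold are hypothetical.

```python
"""Toy curation-policy evaluator. Editor's added example, not JFrog's code.
All package names, versions, dates, licences and CVE placeholders are constructed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class PackageVersion:
    """What a catalog lookup returns for one version (step 1 in the interview)."""
    name: str
    version: str
    published: date
    license: str
    cves: Tuple[Tuple[str, str], ...] = ()  # (id, severity) pairs
    malicious: bool = False


@dataclass(frozen=True)
class Policy:
    """Organisation risk policy; defaults are illustrative, not JFrog's."""
    block_malicious: bool = True
    min_blocking_severity: str = "Critical"                            # security
    denied_licenses: frozenset = frozenset({"GPL-3.0", "LGPL-3.0"})    # legal
    min_age_days: int = 14      # operational: too new to trust yet
    max_stale_days: int = 1095  # operational: no release at all in ~3 years


@dataclass
class Decision:
    allowed: bool
    violations: List[str]
    recommended: Optional[str]  # compliant version of the same package, if any


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def violations_for(pkg: PackageVersion, all_versions: List[PackageVersion],
                   policy: Policy, today: date) -> List[str]:
    """Step 2: evaluate one version against every policy category."""
    found = []
    if policy.block_malicious and pkg.malicious:
        found.append("security: version is known to be malicious")
    threshold = SEVERITY_RANK[policy.min_blocking_severity]
    blocking = [cid for cid, sev in pkg.cves if SEVERITY_RANK[sev] >= threshold]
    if blocking:
        found.append(f"security: {', '.join(blocking)} rated "
                     f"{policy.min_blocking_severity} or higher")
    if pkg.license in policy.denied_licenses:
        found.append(f"legal: license {pkg.license} is on the deny list")
    age = (today - pkg.published).days
    if age < policy.min_age_days:
        found.append(f"operational: published {age} days ago, under the "
                     f"{policy.min_age_days}-day minimum")
    newest = max(p.published for p in all_versions)
    if (today - newest).days > policy.max_stale_days:
        found.append(f"operational: no release for over {policy.max_stale_days} days")
    return found


def curate(name: str, version: str, catalog: List[PackageVersion],
           policy: Policy, today: date) -> Decision:
    """Steps 3 and 4: allow or block, and on a block recommend the newest
    version of the same package that passes every policy (may be older)."""
    versions = [p for p in catalog if p.name == name]
    requested = next(p for p in versions if p.version == version)
    found = violations_for(requested, versions, policy, today)
    if not found:
        return Decision(True, [], None)
    compliant = [p for p in versions if p.version != version
                 and not violations_for(p, versions, policy, today)]
    best = max(compliant, key=lambda p: parse_version(p.version), default=None)
    return Decision(False, found, best.version if best else None)


def revoke(catalog: List[PackageVersion], version: str,
           cve_id: str, severity: str) -> List[PackageVersion]:
    """'Safe today, not tomorrow': attach a newly published CVE to an existing
    version so the same gate now blocks it on the next download request."""
    return [replace(p, cves=p.cves + ((cve_id, severity),))
            if p.version == version else p for p in catalog]


# Constructed catalog snapshot, evaluated at a fixed date for reproducibility.
TODAY = date(2024, 1, 15)
NAME = "examplelib"
CATALOG = [
    PackageVersion(NAME, "1.0.0", date(2019, 1, 1), "MIT",
                   cves=(("EXAMPLE-CVE-1", "Critical"),)),
    PackageVersion(NAME, "1.1.0", date(2021, 6, 1), "GPL-3.0"),
    PackageVersion(NAME, "1.2.0", date(2023, 3, 1), "Apache-2.0",
                   cves=(("EXAMPLE-CVE-2", "High"),)),
    PackageVersion(NAME, "1.3.0", date(2023, 9, 1), "Apache-2.0", malicious=True),
    PackageVersion(NAME, "2.0.0", date(2024, 1, 12), "Apache-2.0"),
]

if __name__ == "__main__":
    for v in ("1.0.0", "1.2.0", "1.3.0", "2.0.0"):
        d = curate(NAME, v, CATALOG, Policy(), TODAY)
        print(v, "ALLOW" if d.allowed else "BLOCK", d.violations, d.recommended)
```

Two practical points follow from the model. The gate is only as good as its metadata source: a version with no recorded CVE passes the security check, so `revoke` shows why a request must be re-evaluated on every download rather than cached as "approved". And a gate at the proxy says nothing about versions already sitting in internal repositories or build caches, which is why the earlier answer pairs blocking new packages with a separate, SLA-driven clean-up of what is already inside.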
In the current landscape where cybersecurity regulations are gaining prominence, how do you foresee organizations being impacted if they don’t implement proper scanning of open source software components for malware and vulnerabilities?
Organizations that fail to identify vulnerabilities before or during software development put themselves and their company at risk if the software is released to production. Apart from the cost and time needed to identify and fix vulnerabilities in production, there could be big penalties for non-compliance as well as brand reputation damage following a security breach.
The United States recently passed new legislation requiring that ransomware attacks and breaches that don’t expose personal information be reported, and that all software vendors provide customers with a Software Bill of Materials (SBOM). This is similar to an ingredients list for software, allowing customers using any commercial off-the-shelf (COTS) software to understand exactly which OSS components are in use in their enterprise development environment.
Can you provide examples of the types of regulatory requirements that JFrog Curation addresses, and how it helps organizations in meeting those obligations?
Typically, organizations in highly regulated industries such as banking or insurance, which have regulatory requirements from governing bodies (as well as other strict internal compliance requirements), need to provide audit trails for software releases and will benefit from the full and transparent audit trail provided by JFrog Curation – as well as a full system of record available from code to release within the JFrog Platform.
That said, there are also companies complying with industry- or company-driven ISO standards that may also need this source of truth for their software releases – including auditability of the open source packages used in their software. Customers using the JFrog Software Supply Chain Platform will be best placed with the auditing capabilities of JFrog Curation, the DevOps system of record from JFrog Artifactory and the automated SBOMs that can be created from within JFrog Xray.