Software supply chain security provider JFrog has added a new DevSecOps capability, dubbed JFrog Curation, to enable validating open source packages before they enter development.
Integrated with the JFrog software supply chain platform, JFrog Curation is designed to vet and block infected open source or third-party software packages and their respective dependencies.
“Tracking open source can be like playing a game of whack-a-mole since what’s safe today may not be safe tomorrow because new vulnerabilities are found daily,” said IDC analyst Jim Mercer. “The JFrog Curation can help simplify the developer experience by ensuring packages comply with established, regularly updated security policies and are validated against current and relevant vulnerability databases.”
The new capability provides centralized control and automated enforcement of security policies on all packages before they’re consumed by developers, JFrog said.
Vetting external dependencies for threats and compliance
The new capability will vet and block open source software components without compromising developer speed or project delivery, according to JFrog. It will create a “comprehensive and transparent” audit trail to help organizations comply with current and emerging regulatory requirements.
“It should help simplify things for developers and DevOps teams while making it easier for security teams to ensure the development teams are using open source components that are pre-vetted and comply with their defined policies,” Mercer said.