JFrog Software Supply Chain Report Shows Most Critical Vulnerabilities Scores Are Misleading

StreetInsider03-19

74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities SUNNYVALE, ...

Source Link

Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation on acquiring or disposing of any financial products, any associated discussions, comments, or posts by author or other users should not be considered as such either. It is solely for general information purpose only, which does not consider your own investment objectives, financial situations or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information, investors should do their own research and may seek professional advice before investing.

Comments

We need your insight to fill this gap

Leave a comment

{"i18n":{"language":"en_US"},"isChannel":false,"data":{"share":"https://ttm.financial/m/news/2420196032?lang=en_US&edition=fundamental","thumbnail":"","is_english":true,"pubTime":"2024-03-19 16:15","share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","id":"2420196032","market":"us","top_or_hot":-1,"title":"JFrog Software Supply Chain Report Shows Most Critical Vulnerabilities Scores Are Misleading","media":"StreetInsider","content":"<div>\n<p>74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities\n\n SUNNYVALE, ...</p>\n\n<a href=\"https://www.streetinsider.com/dr/news.php?id=22947359\">Source Link</a>\n\n</div>\n","source":"highlight_streetinsider","html":"<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no\"/>\n<meta name=\"format-detection\" content=\"telephone=no,email=no,address=no\" />\n<title>JFrog Software Supply Chain Report Shows Most Critical Vulnerabilities Scores Are Misleading</title>\n<style type=\"text/css\">\na,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,\nem,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,\nobject,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{ font:inherit;margin:0;padding:0;vertical-align:baseline;border:0 }\nbody{ font-size:16px; line-height:1.5; color:#999; background:transparent; }\n.wrapper{ overflow:hidden;word-break:break-all;padding:10px; }\nh1,h2{ font-weight:normal; line-height:1.35; margin-bottom:.6em; }\nh3,h4,h5,h6{ line-height:1.35; margin-bottom:1em; }\nh1{ font-size:24px; }\nh2{ font-size:20px; }\nh3{ font-size:18px; }\nh4{ font-size:16px; }\nh5{ font-size:14px; }\nh6{ font-size:12px; }\np,ul,ol,blockquote,dl,table{ margin:1.2em 0; }\nul,ol{ margin-left:2em; }\nul{ list-style:disc; }\nol{ list-style:decimal; }\nli,li p{ margin:10px 0;}\nimg{ max-width:100%;display:block;margin:0 auto 1em; }\nblockquote{ color:#B5B2B1; border-left:3px solid #aaa; padding:1em; }\nstrong,b{font-weight:bold;}\nem,i{font-style:italic;}\ntable{ width:100%;border-collapse:collapse;border-spacing:1px;margin:1em 0;font-size:.9em; }\nth,td{ padding:5px;text-align:left;border:1px solid #aaa; }\nth{ font-weight:bold;background:#5d5d5d; }\n.symbol-link{font-weight:bold;}\n/* header{ border-bottom:1px solid #494756; } */\n.title{ margin:0 0 8px;line-height:1.3;color:#ddd; }\n.meta {color:#5e5c6d;font-size:13px;margin:0 0 .5em; }\na{text-decoration:none; color:#2a4b87;}\n.meta .head { display: inline-block; overflow: hidden}\n.head .h-thumb { width: 30px; height: 30px; margin: 0; padding: 0; border-radius: 50%; float: left;}\n.head .h-content { margin: 0; padding: 0 0 0 9px; float: left;}\n.head .h-name {font-size: 13px; color: #eee; margin: 0;}\n.head .h-time {font-size: 11px; color: #7E829C; margin: 0;line-height: 11px;}\n.small {font-size: 12.5px; display: inline-block; transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: left; -webkit-transform-origin: left;}\n.smaller {font-size: 12.5px; display: inline-block; transform: scale(0.8); -webkit-transform: scale(0.8); transform-origin: left; -webkit-transform-origin: left;}\n.bt-text {font-size: 12px;margin: 1.5em 0 0 0}\n.bt-text p {margin: 0}\n</style>\n</head>\n<body>\n<div class=\"wrapper\">\n<header>\n<h2 class=\"title\">\nJFrog Software Supply Chain Report Shows Most Critical Vulnerabilities Scores Are Misleading\n</h2>\n\n<h4 class=\"meta\">\n\n\n2024-03-19 16:15 GMT+8&nbsp;&nbsp;&nbsp;<a href=https://www.streetinsider.com/dr/news.php?id=22947359><strong>StreetInsider</strong></a>\n\n\n</h4>\n\n</header>\n<article>\n<div>\n<p>74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities\n\n SUNNYVALE, ...</p>\n\n<a href=\"https://www.streetinsider.com/dr/news.php?id=22947359\">Source Link</a>\n\n</div>\n\n\n</article>\n</div>\n</body>\n</html>\n","isBrief":false,"type":0,"news_type":1,"symbol":"BK4170","symbol_name":"电脑硬件、储存设备及电脑周边","start_time":0,"source_url":"https://www.streetinsider.com/dr/news.php?id=22947359","article_id":"2420196032","we_media_id":null,"thumbnails":[],"rights":null,"url":"https://stock-news.laohu8.com/highlight/detail?id=2420196032","pubTimestamp":1710836100,"sourceInfo":{"source_id":"highlight_streetinsider","name":"StreetInsider"},"weMediaInfo":null,"summary":"74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities.  — JFrog Ltd.  , the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today released the findings of its annual Software Supply Chain State of the Union report 2024, which identifies emerging development trends, risks and best practices for securing enterprise software supply chains.JFrog’s Software Supply Chain State of the Union report combines JFrog Artifactory developer usage data amongst 7K+ organizations, original CVE analysis by the JFrog Security Research team, and commissioned third-party survey data of 1,200 technology professionals worldwide to provide context into the broad, rapidly evolving software supply chain landscape. Key findings include:. Security taking a toll on productivity — Forty percent of survey respondents said it typically takes a week or lon","collect":0,"end_time":0,"defaultTopTitle":"streetinsider.com","property":[],"viewcount":null,"language":"en","relate_stocks":{"BK4170":"电脑硬件、储存设备及电脑周边","BK4097":"系统软件","OSS":"One Stop Systems","SLDC":"SOLIDUS COMMUNICATIONS INC.","FROG":"JFrog Ltd"},"translate_title":"JFrog软件供应链报告显示，大多数关键漏洞得分具有误导性","themeId":null,"isJumpTheme":false,"ttsUrl":null,"symbols_score_info":{"FROG":1,"OSS":1,"SLDC":1},"content_text":"74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities\n\n SUNNYVALE, Calif. & PARIS--(BUSINESS WIRE)--\n(KubeCon + CloudNativeCon Europe) — JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today released the findings of its annual Software Supply Chain State of the Union report 2024, which identifies emerging development trends, risks and best practices for securing enterprise software supply chains.\nThis press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20240319775900/en/JFrog Software Supply Chain State of the Union Report 2024 (Graphic: JFrog)\n“DevSecOps teams worldwide are navigating a volatile field of software security, where innovation frequently meets demand in an age of rapid AI adoption,” said Yoav Landman, CTO and Co-Founder, JFrog. “Our data provides security and development organizations with a comprehensive snapshot of the rapidly evolving software ecosystem, including notable CVE scoring errors, perspectives on the security implications of using GenAI to code, the most risky packages to allow your organization to use for development, and more, so they can make more informed decisions.”\n\nKey Findings\n\nJFrog’s Software Supply Chain State of the Union report combines JFrog Artifactory developer usage data amongst 7K+ organizations, original CVE analysis by the JFrog Security Research team, and commissioned third-party survey data of 1,200 technology professionals worldwide to provide context into the broad, rapidly evolving software supply chain landscape. Key findings include:\n\n\nNot all CVEs are what they seem — Traditional CVSS ratings look purely at the severity of the exploit as opposed to the likelihood it will be exploited, which requires context to make an effective assessment. The JFrog Security Research team downgraded the severity of 85% of Critical CVEs and 73% of High CVEs on average after analyzing 212 different high-profile CVEs discovered in 2023. Additionally, JFrog found that 74% of the reported common CVEs with High and Critical CVSS scores on the top 100 Docker Hub community images weren’t exploitable.\n\n\nDenial of Service (DoS) attacks reign — Of the 212 high-profile CVEs analyzed by the JFrog Security Research team, 44% of them held the potential for a DoS attack vs. 17% with the potential to perform Remote Code Execution (RCE). This is good news for security organizations in the sense that RCE has a far more detrimental impact vs. DoS attacks due to their ability to offer full access to backend systems.\n\n\nSecurity taking a toll on productivity — Forty percent of survey respondents said it typically takes a week or longer to get approval to use a new package/library, extending time to market for new apps and software updates. Additionally, approximately 25% of security teams’ time is spent remediating vulnerabilities, even when those vulnerabilities may be overrated or even non-exploitable given their current context.\n\n\nApplying security checks is inconsistent across the software development lifecycle (SLDC) — The industry seems to be split pretty evenly down the middle when it comes to deciding where to apply application security testing across the software development lifecycle, underscoring the importance of shifting left and right simultaneously. Forty-two percent of developers claim it’s best to perform security scans during code writing while 41% say it’s best to perform scans on new software packages before bringing them into your organization from an Open-Source Software (OSS) repository.\n\n\nSecurity tool sprawl continues — Nearly half of IT professionals (47%) say they use between four and nine application security solutions. However, a third of survey respondents and security professionals (33%) say they’re using 10 or more application security solutions. This supports a market-wide trend of needing security tooling consolidation with a movement away from point solutions.\n\n\nDisproportionate use of AI/ML tools for security — While 90% of survey respondents indicate their organization currently uses AI/ML-powered tools in some capacity to assist in security scanning and remediation efforts, only one in three professionals (32%) claim their organization uses AI/ML-powered tools to write code, indicating the majority are still wary of the potential vulnerabilities GenAI-developed code can introduce to enterprise software.\n\n\n“Vulnerabilities are growing in number year over year, but that does not necessarily mean they are growing in severity. It’s clear that IT teams are willing to invest in new tools to bolster their security, but knowing where to put those tools, use their team’s time, and streamline processes is critical to keeping their SDLC secure,” said Shachar Menashe, Sr. Director, JFrog Security Research. “We designed this report to go beyond trend analysis, providing both counsel and clarity on the technology business leaders use to make decisions, whether it’s on AI navigation, malicious code, or security solutions.”\n\nFor deeper insights from the JFrog Software Supply Chain State of the Union 2024 download the full report. You can also register to join JFrog security and developer experts on Wednesday, April 17, 2024 at 10:00 a.m. PT for a webinar, “Safeguarding Software Supply Chains in 2024: A Deep Dive into the State of the Union Report,” detailing the challenges and complexities of managing and securing the software supply chain.\n\nLike this Story? Share this: @JFrog shares research findings in their annual Software Supply Chain State of the Union 2024 report. Discover the emerging #DevSecOps trends, risks & best practices to securing enterprise #SoftwareSupplyChain. Learn more: https://jfrog.co/3TzsVNg #SoftwareSupplyChain #DevOps #DevSecOps #cybersecurity #containers #CVE\n\nAbout JFrog\n\nJFrog Ltd. (NASDAQ: FROG) is on a mission to create a world of software delivered without friction from developer to device. Driven by a “Liquid Software” vision, the JFrog Software Supply Chain Platform is a single system of record that powers organizations to build, manage, and distribute software quickly and securely, ensuring it is available, traceable, and tamper-proof. The integrated security features also help identify, protect, and remediate against threats and vulnerabilities. JFrog’s hybrid, universal, multi-cloud platform is available as both self-hosted and SaaS services across major cloud service providers. Millions of users and 7K+ customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation. Once you leap forward, you won’t go back! Learn more at jfrog.com and follow us on Twitter: @jfrog.\n\nCautionary Note About Forward-Looking Statements\n\nThis press release contains “forward-looking” statements, as that term is defined under the U.S. federal securities laws, including but not limited to statements regarding the JFrog Software Supply Chain Report.\n\nThese forward-looking statements are based on our current assumptions, expectations and beliefs and are subject to substantial risks, uncertainties, assumptions and changes in circumstances that may cause JFrog’s actual results, performance or achievements to differ materially from those expressed or implied in any forward-looking statement. There are a significant number of factors that could cause actual results, performance or achievements, to differ materially from statements made in this press release, including but not limited to risks detailed in our filings with the Securities and Exchange Commission, including in our annual report on Form 10-K for the year ended December 31, 2023, our quarterly reports on Form 10-Q, and other filings and reports that we may file from time to time with the Securities and Exchange Commission. Forward-looking statements represent our beliefs and assumptions only as of the date of this press release. We disclaim any obligation to update forward-looking statements.\nView source version on businesswire.com: https://www.businesswire.com/news/home/20240319775900/en/\n\nMedia Contact:\nSiobhan Lyons, Sr. MarComm Manager, JFrog, [email protected]\n\nInvestor Contact:\nJeff Schreiner, VP of Investor Relations, [email protected]\n\nSource: JFrog Ltd.","kind":null,"is_publish_news":null,"is_publish_highlight":null,"is_publish_live":null,"is_publish_wemedia":null,"editions":null,"symbols":[],"gpt_button":1},"commentList":[],"isCommentEnd":true,"newsSizeData":{"likeSize":0,"commentSize":0,"repostSize":0,"favoriteSize":0,"likeStatus":false,"favoriteStatus":false},"APP":{"userAgent":"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)","isDev":false,"isTTM":true,"deviceId":"web-server-community-laohu8-v3","version":"4.22.4","shortVersion":"4.22.4","platform":"web","vendor":"web","appName":"ttm","isIOS":false,"isAndroid":false,"isTiger":false,"isTHS":false,"isWeiXin":false,"isWeiXinMini":false,"isWeiBo":false,"isQQ":false,"isBaiduSwan":false,"isBaiduBox":false,"isDingTalk":false,"isToutiao":false,"isOnePlus":false,"isHuaWei":false,"isXiaomi":false,"isXiaomiWebView":false,"isOppo":false,"isVivo":false,"isSamsung":false,"isMobile":false},"href":"/m/news/2420196032"}