JFrog ushers in a new era of open source software security, launching the Pyrsia project to help prevent software supply chain attacks


SUNNYVALE, CA & SAN DIEGO–(BUSINESS WIRE)–(swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), Liquid Software Company and the creators of the JFrog DevOps Platform, today introduced Project Pyrsia, a community-based open-source software initiative that uses blockchain technology to protect software packages (aka Binaries) from vulnerabilities and malicious code. Available for immediate registrationsProject Pyrsia is a decentralized and secure open source-based build network and repository of software packages aimed at helping developers establish a chain of provenance for their software components, thereby creating greater trust.

“Open source is everywhere, and while it has always been seen as a seed of innovation and modernization, the recent increase in software supply chain attacks has left every organization vulnerable,” said Shlomi Ben. Haim, co-founder and CEO of JFrog. “Led by developers, for developers, JFrog is proud to work with the community on the development of Project Pyrsia so that everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open source software is an essential part of nearly every technology we use today – from our operating systems and browsers to the apps and services we depend on to run our lives. Yet there is no doubt that the volume, sophistication and severity of software supply chain attacks has increased over the past year. In recent months, the JFrog Security Research The team tracked more than 20 different open source software supply chain attacks, two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it difficult to spot risks – sowing doubt and uncertainty about its security.

So JFrog and other open source technology leaders, including Docker, DeployHub, Futureway, and Oracle, worked together to establish the Project Pyrsia network for validating the source and security of open source software packages. With Pyrsia, developers can confidently use open source software knowing that its components have not been compromised, without the need to create, maintain or operate complex processes to securely manage dependencies.

“At JFrog, we believe that open source security will only be successful if we provide the community with the same tools and services available to enterprises,” said Stephen Chin, vice president of developer relations, JFrog. “The combination of a customizable open source architecture and a robust and active community makes Pyrsia the most transparent and reliable way to get secure software packages. We are grateful for the help of our industry and community partners for joining us in securing open source so that it can remain a true fountain of innovation.

Pyrsia aims to seamlessly integrate with the package management systems developers already use today, so they can certify their software components without giving up compatibility, security or efficiency. Using standards such as Cosign and Sigstore’s Notary V2 allows developers to quickly access their containers by leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, giving them peace of mind knowing the exact source of their packages.

To help guide developers through the process of using Pyrsia for software component validation, a few select entities will create and release images that will be available for everyone to use – otherwise known as project “bootstrapping”. . Organizations interested in supporting Pyrsia can offer their resources to help establish the project’s first distributed network. From there, the decentralized framework of the Pyrsia project will help provide:

  • An independent and secure build network for open source software

  • Reliability of software packages

  • Completeness of known open source software dependencies

For more information on the Pyrsia project or to register as a contributor, visit https://pyrsia.io/. You can also read more about the project in this blog or chat directly with JFrog community leaders and Pyrsia project experts during swamp 2022 will take place in San Diego, May 25-26. For more information and to register, visit https://swampup.jfrog.com/.

Citations in support of industry partners

“The DeployHub team has a strong focus on securing the supply chain, and there’s no better place to start than a comprehensive audit of the build and package stage. To that end, Pyrsia is the first open source project to introduce improvements in this area through a “consensus building network”. Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc.

“At Docker, we believe this is an exciting time for the community to work together on innovation around the supply chain and its critical building and packaging components. We are excited to join and working with the community on the Pyrsia project. There is a huge opportunity to build new kinds of infrastructure on top of the core container primitives that will drive innovation and better experiences for developers. – Justin Cormack, CTO, Docker

“The Pyrsia open source project develops a network of distributed, decentralized, third-party verified software packages that provide security, transparency and integrity for the open source software supply chain. Futurewei is committed to collaborating with open source communities to accelerate innovations for digital transformation through open source, open standards and open ecosystems. As open source software becomes more widespread, securing the open source software supply chain becomes a critical issue. We are delighted to be a founding member of Project Pyrsia and excited to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open source software supply chain ecosystem – bringing value to the open source community. – David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc.

Do you like this story? Tweet this: [email protected] unveils a new blockchain-based security validation system for open source software component decentralization monitoring, compliance violations and response for #developers. Learn more https://bit.ly/3Gm1JJY

About JFrog

JFrog Ltd. (NASDAQ: FROG) is on a mission to power all software updates worldwide, guided by a vision of “liquid software” to enable the seamless and secure flow of binaries from developers to the edge. The JFrog Platform enables software creators to power their entire software supply chain through the full binary lifecycle, so they can build, secure, distribute, and connect any source to any production environment. JFrog’s hybrid, universal, multi-cloud DevOps platform is available as self-managed and SaaS services from leading cloud service providers. Millions of users and thousands of customers worldwide, including the majority of Fortune 100 companies, depend on JFrog solutions to securely manage their critical software supply chain. Once you leap forward, you won’t go back. Learn more at jfrog.com and follow us on Twitter: @jfrog.

Caution Regarding Forward-Looking Statements

This press release contains “forward-looking” statements, as that term is defined under United States federal securities laws, including, but not limited to, statements regarding the Pyrsia project and the analytical capabilities of software packages to detect vulnerabilities and malicious code, our ability to meet customer needs and our ability to drive market standards. These forward-looking statements are based on our current assumptions, expectations and beliefs and are subject to substantial risks, uncertainties, assumptions and changes in circumstances that may cause JFrog’s actual results, performance or achievements to differ materially from those expressed or implied. -heard in everything – looking statement.

There are a number of important factors that could cause actual results, performance or achievements to differ materially from the statements made in this press release, including, but not limited to, the risks detailed in our filings with the Securities and Exchange Commission, including in our annual report. on Form 10-K for the fiscal year ended December 31, 2021, our quarterly reports on Form 10-Q, and other filings and reports that we may file from time to time with the Securities and Exchange Commission. Forward-looking statements represent our beliefs and assumptions only as of the date of this press release. We disclaim any obligation to update any forward-looking statements.


Comments are closed.