Curated by THEOUTPOST
On Tue, 1 Apr, 4:05 PM UTC
3 Sources
[1]
JFrog report finds AI growth driving new software supply chain threats - SiliconANGLE
A new report out today from software supply chain company JFrog Ltd. warns that the expansion of artificial intelligence technology across the software supply chain has brought an alarming rise in security threats. The finding comes from JFrog's 2025 Software Supply Chain State of the Union, released to coincide with the KubeCon + CloudNativeCon Europe conferences. The report highlights emerging software security threats, evolving DevOps risks, best practices and increasingly serious security concerns in the AI era.

Key findings in the report include that a "quad-fecta" of security vulnerabilities is threatening the software supply chain. The top factors affecting the integrity and safety of the software supply chain are Common Vulnerabilities and Exposures (CVEs), malicious packages, secrets exposure, and misconfigurations and other human errors. In one example from the report, the JFrog Security Research Team detected 25,229 exposed secrets or tokens in public registries, up 64% year-over-year, of which 27% were active. The increasingly sophisticated and intertwined fabric of software security threats makes it difficult for organizations to maintain consistent software supply chain security.

AI and machine learning model proliferation and attacks were found to be growing. In 2024, more than 1 million new models and datasets were added to Hugging Face, the largest repository of public machine learning models, accompanied by a 6.5-times increase in malicious models. While publicly uploaded models increasingly present risks, organizations that govern machine learning models manually were also found to be increasing their own risk.

Some 94% of organizations create certified lists of approved models to govern how developers use machine learning artifacts, but 37% of companies still rely on manual efforts to curate and maintain that list, creating uncertainty around the accuracy and consistency of model security.

Binary scanning, the process of analyzing compiled software, or binaries, for security vulnerabilities and malicious code that may not be detectable in the source code, was found to be lacking. Only 43% of information technology professionals said their organization applies security scans at both the code and binary levels, leaving many organizations exposed to threats that are only detectable at the binary level. That is down from 56% in 2023, indicating that despite growing risks, security basics such as binary scanning are either being overlooked or intentionally not applied.

Other findings in the report include persistent issues with open-source security. More than 70% of developers continue to download packages directly from public registries, a risky practice that can expose an entire organization through a single compromised machine. Additionally, critical software vulnerabilities are on the rise, with more than 33,000 new CVEs disclosed in 2024, up 27% year-over-year. The report also highlights concerns over CVE mis-scoring, revealing that only 12% of CVEs rated "critical" were actually exploitable, raising doubts about current scoring methods. Lastly, the growing use of multiple security tools, with 73% of professionals reporting that they use seven or more, may be contributing to increased complexity and risk, suggesting that a streamlined, more focused approach could offer better protection.
[2]
JFrog Enables Trusted AI - Uncovers Critical Security Threats Emerging from AI's Expansion in the Software Supply Chain By Investing.com
The Software Supply Chain State of the Union 2025 Report Reveals Quad-fecta of Security Exploits, Mis-scored CVEs, Poor ML Model Governance, & More Are Jeopardizing Trust in Newly Created Software

SUNNYVALE, Calif. & LONDON--(BUSINESS WIRE)--(KubeCon + CloudNativeCon Europe) JFrog Ltd (Nasdaq: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today released the Software Supply Chain State of the Union 2025 report, which highlights emerging software security threats, evolving DevOps risks and best practices, and potentially explosive security concerns in the AI era. View the full release here: https://www.businesswire.com/news/home/20250401200753/en/

"Many organizations are enthusiastically embracing public ML models to drive rapid innovation, demonstrating a strong commitment to leveraging AI for growth. However, over a third still rely on manual efforts to manage access to secure, approved models, which can lead to potential oversights," said Yoav Landman, CTO and Co-Founder, JFrog. "AI adoption will only grow more rapidly. Thus, in order for organizations to thrive in today's AI era they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential."

Managing and securing the software supply chain end-to-end is an imperative for delivering trusted software releases. By combining insights from over 1,400 development, security and operations professionals across the U.S., U.K., France, Germany, India and Israel, with developer usage data from JFrog's 7K+ customers, alongside original CVE analysis by the JFrog Security Research team, the JFrog Software Supply Chain State of the Union 2025 report reveals why this task is often challenging for companies amidst the expanding and frenzied threat landscape faced in today's AI era.

Key Report Findings Include:

"We uncovered a clear pattern by CVE scoring organizations to inflate scores and cause an unnecessary level of panic in the industry, sending developers scrambling on remediation efforts that often result in wasted cognitive and professional time," said Shachar Menashe, Vice President of Security Research. "When DevSecOps teams are forced to remediate vulnerabilities that aren't ultimately harmful, their everyday workflows are disrupted, which can lead to developer burnout and costly mistakes."

The JFrog Software Supply Chain State of the Union 2025 report also outlines concerns around lack of code provenance visibility across the software supply chain, developers downloading open source software packages directly from public registries without filtering for vulnerabilities, the detriments of "security tool sprawl", and more.

To explore the full findings of this year's report visit https://jfrog.com/software-supply-chain-state-of-union/ or read this blog. You can also register to join JFrog security and developer experts on Thursday, April 24, 2025 at 9 AM PT for a webinar, "JFrog's Software Supply Chain Report 2025: Trends, Threats & Actions," detailing the challenges and complexities of managing and securing the software supply chain.

Like this Story? Share this on X (a.k.a. Twitter): @JFrog shares research findings in their Software Supply Chain State of the Union 2025 report. Discover the emerging #DevSecOps trends, risks & best practices to securing enterprise #SoftwareSupplyChain. Learn more: https://jfrog.co/43vkg3Y #SoftwareSupplyChain #DevOps #DevSecOps #cybersecurity #containers #CVE

About JFrog
JFrog Ltd. (Nasdaq: FROG) is on a mission to power the world with liquid software. We are replacing endless software updates with a single system of record that seamlessly delivers secure applications from developer to device. The JFrog Software Supply Chain Platform helps organizations build, manage, and distribute software quickly and securely, making applications available, traceable, and tamper-proof. Its integrated security features also help identify, protect, and remediate against threats and vulnerabilities. The Platform also brings ML models in line with all other software development processes, providing a single source of truth for all software components across Engineering, MLOps, DevOps, and DevSecOps teams so they can build and release AI applications faster, with minimal risk and less cost. JFrog's hybrid, universal, multi-cloud platform is available as both self-hosted and SaaS services across major cloud service providers. Millions of users and 7K+ customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation. Once you leap forward, you won't go back! Learn more at jfrog.com and follow us on X: @jfrog.

1 The JFrog Severity Rating methodology considers the likelihood of vulnerability exploitability, unlike CVSS ratings, which focus only on exploitation severity, often overestimating risks.

View source version on businesswire.com: https://www.businesswire.com/news/home/20250401200753/en/
[3]
JFrog Enables Trusted AI - Uncovers Critical Security Threats Emerging from AI's Expansion in the Software Supply Chain
JFrog's 2025 Software Supply Chain State of the Union report highlights the growing security risks associated with AI expansion in the software supply chain, emphasizing the need for improved governance and security measures.
JFrog Ltd., a leading software supply chain company, has released its 2025 Software Supply Chain State of the Union report, revealing alarming security threats emerging from the expansion of artificial intelligence (AI) technology across the software supply chain [1][2][3].

The report highlights a "quad-fecta" of security vulnerabilities threatening the software supply chain:
- Common Vulnerabilities and Exposures (CVEs)
- Malicious packages
- Exposed secrets and tokens
- Misconfigurations and other human errors

JFrog's Security Research Team detected a 64% year-over-year increase in exposed secrets or tokens in public registries, with 27% of them being active [1].

The proliferation of AI and machine learning models has led to new security challenges:
- More than 1 million new models and datasets were added to Hugging Face in 2024, accompanied by a 6.5-times increase in malicious models.
- 94% of organizations maintain certified lists of approved models, but 37% still curate those lists manually, undermining the accuracy and consistency of model security.

The report reveals concerning trends in current security practices:
- Only 43% of IT professionals say their organization scans at both the code and binary levels, down from 56% in 2023, leaving threats that are only detectable in binaries unexamined.
- More than 70% of developers still download packages directly from public registries, so a single compromised machine can expose an entire organization.
- More than 33,000 new CVEs were disclosed in 2024, up 27% year-over-year, yet only 12% of CVEs rated "critical" were actually exploitable, casting doubt on current scoring methods.
- 73% of professionals use seven or more security tools, and this tool sprawl may be adding complexity and risk rather than reducing it [1].
Yoav Landman, CTO and Co-Founder of JFrog, emphasizes the need for organizations to adapt to the AI era:
"AI adoption will only grow more rapidly. Thus, in order for organizations to thrive in today's AI era they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential." [2][3]
Shachar Menashe, Vice President of Security Research at JFrog, warns about the consequences of inflated CVE scores:
"When DevSecOps teams are forced to remediate vulnerabilities that aren't ultimately harmful, their everyday workflows are disrupted, which can lead to developer burnout and costly mistakes." [2][3]
The JFrog Software Supply Chain State of the Union 2025 report serves as a wake-up call for organizations to reassess their security practices and adapt to the evolving threat landscape in the AI era. As AI continues to reshape the software development landscape, companies must prioritize robust security measures and automated governance to protect their software supply chains.