How contextual analysis guards against Log4Js of the world

When you’re developing security software, you’d better have squeaky-clean code libraries to reference. If not, your work may all be in vain and you will quickly be out of a job. Security developers in hundreds of thousands of companies last year whose Log4J libraries were unknowingly infiltrated with malware by nasty hackers are certainly wishing they could go back in time and clean them out.

Last fall, a vulnerability in the universally-used Log4j-core Java library was found that enabled remote code execution (RCE) and/or extracting information from affected systems. It was still rampaging through systems in February 2022 and is considered one of the most serious bugs in recent software history. Every application using the Log4j-core library directly or indirectly might be affected, amounting to millions of apps.

This is precisely the protection that security software toolmaker JFrog brings to a company’s tool ensemble. It provides an end-to-end, multiple-package, secure binary code repository that organizations large and small can use to host, manage, and distribute their software. It catches malware like Log4j long before it gets into an application. It also uses a freemium model to give away a portion of its functionality for free. But the Sunnyvale, California-based company has added a lot more functionality to its devops platform in recent months.

JFrog’s devops team automated its science and model training to validate secure versions. The company has put into production some AI/ML techniques it has built internally, and the results thus far have been intriguing. In addition to securing only the code line by line in a library, it also secures the code binaries, where the malware often hides. Few other companies are doing this, and JFrog competes with security software providers that include InsightAppSec, Micro Focus Fortify Static Code Analyzer, GitLab, Snyk Code, and good old homemade managed security testing.
Putting all this together, JFrog, creator of the JFrog DevOps Platform, today introduced advanced contextual analysis security capabilities in JFrog Xray, the company’s DevSecOps solution. This new platform version enables customers to more precisely determine the threat level and relevance of common vulnerability exposures (CVEs), leading to more rapid and accurately prioritized remediation. Together with JFrog Artifactory, this X-ray release provides a holistic, automated, scalable solution to find, replace, recover and prioritize hazardous CVEs, JFrog SVP of Security Natti Davidi told VentureBeat.

Some context for Log4j

On February 3, the U.S. Department of Homeland Security (DHS) announced the establishment of the Cyber Safety Review Board (CSRB), as directed in President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity.” 

• The CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used Log4j software library. 
• Log4J (used in billions of devices) impacted more than 48% of corporations worldwide and is currently seen as one of the five threats that will drive the 2022 cybercrime economy ($1.2 trillion market). 
• From Solar Winds to Log4J: This is just the tip of the iceberg, and the FTC said in a blog post published on Jan. 4 that it “intends to use its full legal authority to pursue companies that failed to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.”

How JFrog uses contextual analysis to secure code binaries

Rather than spending time and resources on researching or solving each new CVE based on the common vulnerability scoring system (CVSS), JFrog Xray’s contextual analysis capabilities take an intelligent approach to software scans at the binary level, painting a more complete picture of the applicability and danger of each vulnerability, Davidi said.  Knowing whether a particular CVE is relevant to a specific environment and easily exploitable will help already over-stretched DecSecOps teams identify and address their most critical security gaps. Because JFrog Xray (which came to the company with its Vdoo acquisition) is part of the JFrog Platform, once a vulnerability is identified, customers can securely build, distribute, and connect the required software updates from end-to-end, Davidi said. 

“That’s a very big thing we are getting really very, very good at,” Davidi told VentureBeat. “We go through and secure all the binaries. This is especially important at scale among large enterprises, including Fortune 100 companies. This is because after they use X-ray, they can find all those large and small vulnerabilities in a Python or Java library, but they are able to tell the developer: ‘Listen, you do have 6,000 issues officially, but you really need to fix only 18 of them.’ That’s a huge advantage.”

Contextual analysis and the other new features in JFrog Xray will be rolled out progressively across the JFrog customer base starting in mid-February. This JFrog Xray update is supported across multiple languages and architectures, including JS, Java and Python, based on JFrog’s universal product philosophy.