Today, ActiveState introduced the ability for JFrog Artifactory users to populate their repository with ActiveState’s securely-built open source artifacts. Developers get trustworthy, open source packages without being forced to build them from source code or manage them using a proprietary vendor’s package management tool. Enterprises can shift security left without disrupting the way developers work.
JFrog Artifactory is a popular language-agnostic repository that provides enterprise developers with a central location from which to retrieve the open source packages their software development projects require. Enterprises take two main approaches to populating JFrog Artifactory:
Proxying an open source repository directly places blind trust in a source that provides no guarantees around the security and integrity of the built open source artifacts they provide.
Building your own open source artifacts from source code requires significant time and effort but delivers no differentiating benefits to the enterprise.
We also know from our Secure Supply Chain Survey that ~80% of organizations that build from source code struggle with creating reproducible builds, meaning the open source artifacts they create are insecure since there is no way to verify if the source code was compromised when the original build was produced.
Loreli Cadapan, Vice President, Product Management, ActiveState, said: “Open source organizations are making great strides to improve the security of their public repositories, but the reality is that they are still the Wild West where anything goes. Our recent Supply Chain Security Survey results indicate that a worryingly high proportion of organizations continue to implicitly trust these open source repositories. Starting with our Artifactory offering, ActiveState is looking to help enterprises overcome these limitations in order to improve the security and integrity of their software development processes.”