JFrog Software Supply Chain Report Shows Most Critical Vulnerabilities Scores Are Misleading

74% with High or Critical CVSS scores weren’t applicable in most common cases, but 60% of security and development teams still spend a quarter of their time remediating vulnerabilities

SUNNYVALE, Calif. & PARIS–(BUSINESS WIRE)–(KubeCon + CloudNativeCon Europe)

“DevSecOps teams worldwide are navigating a volatile field of software security, where innovation frequently meets demand in an age of rapid AI adoption,” said Yoav Landman, CTO and Co-Founder, JFrog. “Our data provides security and development organizations with a comprehensive snapshot of the rapidly evolving software ecosystem, including notable CVE scoring errors, perspectives on the security implications of using GenAI to code, the most risky packages to allow your organization to use for development, and more, so they can make more informed decisions.”

Key Findings

JFrog’s Software Supply Chain State of the Union report combines JFrog Artifactory developer usage data from 7K+ organizations, original CVE analysis by the JFrog Security Research team, and commissioned third-party survey data from 1,200 technology professionals worldwide to provide context on the broad, rapidly evolving software supply chain landscape. Key findings include:

  • Not all CVEs are what they seem: Traditional CVSS ratings look purely at the severity of the exploit as opposed to the likelihood