JFrog Enables Trusted AI - Uncovers Critical Security Threats Emerging from AI’s Expansion in the Software Supply Chain
JFrog (NASDAQ: FROG) has released its Software Supply Chain State of the Union 2025 report, revealing critical security challenges in the AI era. The study, based on insights from 1,400+ professionals across six countries and data from 7K+ customers, highlights a 'Quad-fecta' of security threats: CVEs, malicious packages, secrets exposure, and misconfigurations.
Key findings show a 64% year-over-year increase in exposed secrets/tokens in public registries, totaling 25,229 instances. The report also reveals that while 94% of companies use certified lists for ML model governance, 37% rely on manual validation. Additionally, only 43% of organizations implement both code and binary level security scans, down from 56% last year.
The study identified over 33K new CVEs in 2024, marking a 27% increase from 2023. Notably, only 12% of CVEs rated as 'critical' were found to truly justify that severity level, indicating potential scoring inflation that may lead to unnecessary remediation efforts and developer burnout.
- 94% of companies use certified lists for ML artifact governance
- Comprehensive research coverage across 1,400+ professionals and 7K+ customers
- Identification of CVE scoring inflation helps prevent unnecessary remediation efforts
- Security threats increased significantly with 64% YoY rise in exposed secrets/tokens
- Only 43% of organizations implement comprehensive security scans, down from 56%
- 6.5x increase in malicious ML models detected
- 37% of companies still rely on manual ML model governance, increasing security risks
- 27% increase in new CVEs, adding complexity to security management
The Software Supply Chain State of the Union 2025 Report Reveals “Quad-fecta” of Security Exploits, Mis-scored CVEs, Poor ML Model Governance, & more are Jeopardizing Trust in Newly Created Software
"Many organizations are enthusiastically embracing public ML models to drive rapid innovation, demonstrating a strong commitment to leveraging AI for growth. However, over a third still rely on manual efforts to manage access to secure, approved models, which can lead to potential oversights," said Yoav Landman, CTO and Co-Founder, JFrog. "AI adoption will only grow more rapidly. Thus, in order for organizations to thrive in today’s AI era they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential."
Managing and securing the software supply chain end-to-end is an imperative for delivering trusted software releases. By combining insights from over 1,400 development, security and operations professionals across the
Key Report Findings Include:
- A “Quad-fecta” of Security Vulnerabilities are Threatening the Software Supply Chain: The top security factors impacting the integrity and safety of the software supply chain include: CVEs, malicious packages, secrets’ exposures, and misconfigurations/human errors. As an example, the JFrog Security Research Team detected 25,229 exposed secrets/tokens in public registries (up 64% YoY). The increasing complexity of software security threats is making it harder to maintain consistent software supply chain security.
- AI/ML Model Proliferation and Attacks are Growing: In 2024, more than 1 million new ML models were added to Hugging Face, with an accompanying 6.5x increase in malicious models, indicating AI and ML models are increasingly becoming a preferred attack vector for bad actors.
- Manual Governance of ML Models is Increasing Risk: Most companies (94%) are using certified lists to govern ML artifact usage, however over one-third (37%) of those rely on manual efforts to curate and maintain their lists of approved ML models. This overreliance on manual validation creates uncertainty around the accuracy and consistency of ML model security.
- Limited Security Scanning Leaving Blind Spots: Alarmingly, only 43% of IT professionals say their organization applies security scans at both the code and binary levels, leaving many organizations vulnerable to security threats only detectable at the binary level. This is down from 56% last year, a sign that teams still have huge blind spots when it comes to identifying and preventing software risk as early as possible.
- Critical Vulnerabilities Continue to Rise and be Mis-scored: In 2024, security researchers disclosed over 33K new CVEs, a 27% increase from 2023, surpassing the 24.5% growth rate of new software packages. This trend raises concerns as the growing number of CVEs increases complexity and pressure on developers and security teams, potentially hindering innovation. Meanwhile, JFrog Security found that only 12% of high-profile CVEs rated "critical" (CVSS 9.0-10.0) by government organizations justify the critical severity level they were assigned because they are likely to be exploited by attackers. [1] This pattern is troubling due to a centralized and unchanged scoring methodology over time, which heightens the risk of false positives in assessments and contributes to developers experiencing "vulnerability fatigue."
“We uncovered a clear pattern by CVE scoring organizations to inflate scores and cause an unnecessary level of panic in the industry, sending developers scrambling on remediation efforts that often results in wasted cognitive and professional time,” said Shachar Menashe, Vice President of Security Research. “When DevSecOps teams are forced to remediate vulnerabilities that aren’t ultimately harmful, their everyday workflows are disrupted, which can lead to developer burnout and costly mistakes.”
The JFrog Software Supply Chain State of the Union 2025 report also outlines concerns around lack of code provenance visibility across the software supply chain, developers downloading open source software packages directly from public registries without filtering for vulnerabilities, the detriments of “security tool sprawl”, and more. To explore the full findings of this year’s report visit https://jfrog.com/software-supply-chain-state-of-union/ or read this blog.
You can also register to join JFrog security and developer experts on Thursday, April 24, 2025 at 9 AM PT for a webinar, “JFrog’s Software Supply Chain Report 2025: Trends, Threats & Actions,” detailing the challenges and complexities of managing and securing the software supply chain.
About JFrog
JFrog Ltd. (Nasdaq: FROG) is on a mission to power the world with liquid software. We are replacing endless software updates with a single system of record that seamlessly delivers secure applications from developer to device. The JFrog Software Supply Chain Platform helps organizations build, manage, and distribute software quickly and securely, making applications available, traceable, and tamper-proof. Its integrated security features also help identify, protect, and remediate against threats and vulnerabilities. The Platform also brings ML models in line with all other software development processes, providing a single source of truth for all software components across Engineering, MLOps, DevOps, and DevSecOps teams so they can build and release AI applications faster, with minimal risk and less cost. JFrog’s hybrid, universal, multi-cloud platform is available as both self-hosted and SaaS services across major cloud service providers. Millions of users and 7K+ customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation. Once you leap forward, you won’t go back! Learn more at jfrog.com and follow us on X: @jfrog.
____________________
[1] The JFrog Severity Rating methodology considers the likelihood of vulnerability exploitability, unlike CVSS ratings, which focus only on exploitation severity, often overestimating risks.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250401200753/en/
Media Contact:
Siobhan Lyons, Sr. Manager, Global Communications, siobhanL@jfrog.com
Investor Contact:
Jeff Schreiner, VP of Investor Relations, jeffS@jfrog.com
Source: JFrog Ltd.