JFrog Ltd. announced that Pyrsia, an open source software community initiative that utilizes blockchain technology to secure software packages (a.k.a. binaries) from vulnerabilities and malicious code, has become an incubating project under the Continuous Delivery Foundation (CDF).
Working together, JFrog and the CD Foundation will ensure Pyrsia grows
its backing and engagement through the use of a centralized governance
model, defined roadmap, and broad representation within the wider
technology and open source communities.
"We're excited to join our long-time partners at the CD Foundation in
creating a groundswell around Pyrsia to further its mission to better
secure the software supply chain," said Stephen Chin, VP of Developer
Relations at JFrog and Governing Board Member for the CD Foundation.
"With the CD Foundation's support, and that of our incredible industry
partners, developers can leverage Pyrsia to have peace of mind in
knowing their open source components have not been compromised, and
confidently deliver secure software at scale."
Research shows open source libraries and components make up more than 75 percent of the code in the average software application, with the average software application depending on more than 500 components. While these open source dependencies are convenient, they also present new vulnerabilities that threat actors can exploit. For example, one bad actor injecting malware into a popular open source project has the potential to affect thousands of downstream users.
Pyrsia is an open source-based, decentralized, secure build network and software package repository that seamlessly integrates with the package management systems developers are already using today, so they can certify their software components without forgoing compatibility, security, or efficiency. Developers receive a digitally signed, immutable chain of evidence for their code, which is an essential building block for Software Bills of Materials (SBOMs). This gives developers and their customers assurance in knowing the exact source of their packages.
"We see Pyrsia as a natural extension of our organization's mission to
grow and sustain projects that are part of the wider continuous delivery
ecosystem," said Fatih Degirmenci, Executive Director, CD Foundation.
"We've recently learned as an industry that no one is safe from
cybercriminal activity, particularly when bad actors inject malicious
packages into central repositories, wreaking havoc on downstream systems
and applications. We're proud to support Pyrsia because it puts the
power back in the hands of developers and, ultimately, accelerates
innovation."
JFrog, along with other open source technology leaders, including
Docker, DeployHub, Futurewei, and Oracle, collaborated to officially
launch Pyrsia in May 2022.
Since then, these software giants have lent their expertise on how to
better secure the software supply chain to the Pyrsia network, creating
opportunities for cross-project collaboration within the CD Foundation
to interlink secure packages with community tools, helping improve
developers' ability to deliver secure software at scale.
To learn more and join the Pyrsia community, visit https://pyrsia.io.