JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company that created the JFrog DevOps Platform, today announced Project Pyrsia, an open source software community initiative that uses blockchain technology to secure software packages (a.k.a. binaries) from vulnerabilities and malicious code. Project Pyrsia, which is now accepting sign-ups, is an open source-based, decentralised, secure build network and software package repository aimed at assisting developers in establishing a chain of provenance for their software components, thereby increasing confidence and trust.
Open source software is an essential component of nearly every technology we use today, from operating systems and browsers to the applications and services we rely on to run our lives. Nonetheless, there is no doubt that the volume, sophistication, and severity of software supply chain attacks have increased in the last year. The JFrog Security Research team has tracked over 20 different open-source software supply chain attacks in recent months, two of which were zero-day threats. While open-source components are intended to improve development efficiency, not knowing where your software comes from makes it difficult to identify risks, sowing doubt and uncertainty about its safety.
As a result, JFrog and other open source technology leaders such as Docker, DeployHub, Futureway, and Oracle collaborated to create the Project Pyrsia network for validating the source and security of open source software packages. Pyrsia enables developers to use open source software with confidence, knowing that their components have not been compromised, without the need to build, maintain, or operate complex processes for securely managing dependencies.
“At JFrog we believe open source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”
Pyrsia aims to integrate seamlessly with the package management systems that developers are already using, allowing them to certify their software components without sacrificing compatibility, security, or efficiency. Using standards such as Sigstore’s Cosign and Notary V2, developers can quickly access their containers via the Pyrsia network. Developers receive an immutable chain of evidence for their code by using digital signatures, providing peace of mind by knowing the exact source of their packages.
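The signature-based chain of evidence described above, as an added illustration that is not Pyrsia's, Cosign's or Notary's code: a publisher signs the SHA-256 digest of a package with an Ed25519 key, and a consumer accepts the package only when the digest of the bytes it received matches the attested digest and the signature verifies under a key it already trusts for that publisher. The `Attestation` type, the publisher names, the sample artifact and the trust map are constructed for the example; real attestation formats carry more metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is a constructed, minimal provenance record: the publisher's
// identity, the SHA-256 digest of the artifact bytes, and an Ed25519
// signature over that digest. (Assumed shape, not a Pyrsia format.)
type Attestation struct {
	Publisher string
	Digest    [sha256.Size]byte
	Signature []byte
}

// GenerateKeyPair creates a fresh Ed25519 key pair for a publisher.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewTrustStore builds the consumer's map of publisher name -> trusted key.
// In practice this comes from a transparency log or a pinned key set.
func NewTrustStore(publisher string, pub ed25519.PublicKey) map[string]ed25519.PublicKey {
	return map[string]ed25519.PublicKey{publisher: pub}
}

// Sign hashes the artifact and signs the digest with the publisher's key.
func Sign(publisher string, priv ed25519.PrivateKey, artifact []byte) Attestation {
	digest := sha256.Sum256(artifact)
	return Attestation{
		Publisher: publisher,
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify accepts the artifact only if (1) the publisher named in the
// attestation is in the consumer's trust store, (2) the received bytes hash
// to the attested digest, and (3) the signature verifies under the trusted
// key. Each failure is reported separately so it can be diagnosed.
func Verify(att Attestation, artifact []byte, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[att.Publisher]
	if !ok {
		return fmt.Errorf("publisher %q is not trusted", att.Publisher)
	}
	if sha256.Sum256(artifact) != att.Digest {
		return errors.New("digest mismatch: artifact differs from what was signed")
	}
	if !ed25519.Verify(pub, att.Digest[:], att.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for a package tarball.
	artifact := []byte("example-package-1.0.0.tgz contents")
	att := Sign("example-publisher", priv, artifact)
	trusted := NewTrustStore("example-publisher", pub)

	fmt.Println("digest:", hex.EncodeToString(att.Digest[:]))
	fmt.Println("genuine artifact:", Verify(att, artifact, trusted))

	// Flip one bit: the digest no longer matches, so the package is rejected.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", Verify(att, tampered, trusted))
}
```

The order of checks matters for a consumer: resolving the publisher to a trusted key first means a signature from an unknown or self-declared key is never treated as evidence, and comparing the digest before the signature keeps the error messages honest about whether the bytes or the signer are at fault.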
To bootstrap the project, a few entities will build and publish images that anyone can use, guiding developers through the process of using Pyrsia to validate software components. Organizations interested in helping Pyrsia establish its first distributed network can volunteer their resources. Following that, Project Pyrsia’s decentralised framework will assist in providing:
- An independent, secure open source software development network
- Software package trustworthiness
- Completeness of known open source software dependencies