AppSec Jobs

JFrog

Application Security Engineer

Tel Aviv-Yafo, Tel Aviv District, Israel


The complete job description, requirements, and application details are available on the original posting.


About JFrog

JFrog, founded in 2008 and headquartered in Sunnyvale, California, is a publicly traded company that focuses on modernizing software delivery. With around 1,600 employees, JFrog provides a universal DevOps platform that connects developers with the software packages they use and the infrastructure for deployment. The company's flagship product, Artifactory, is a universal artifact repository manager that facilitates the management, storage, and distribution of software packages across various development environments. JFrog's platform integrates multiple components aimed at enhancing software distribution, security, and DevOps automation. This enables enterprises to automate and accelerate their software release processes, improving overall efficiency and security. JFrog has expanded its product offerings through strategic acquisitions, including CloudMunch for CI/CD capabilities, Conan.io for C/C++ package management, and Vdoo for automated security analysis. The platform is designed to work seamlessly with a variety of DevOps tools and infrastructure, making it a valuable resource for large enterprises looking to streamline and secure their software development lifecycle.

Industry

information technology & services

Employees

1,600

623 engineers

Revenue

$428M


Security at JFrog

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

JFrog's AppSec philosophy emphasizes that 'R&D Security Champions are responsible for establishing the application security posture within the R&D teams.' They are 'strong believers in the "shift left" approach,' and the company 'runs SAST and DAST scans every time code is checked in.' 'JFrog Xray is a universal software composition analysis (SCA) solution.' 'Threat modeling is a core element of the JFrog secure development lifecycle.' Their pipeline policy 'will cause builds to fail when certain security vulnerabilities are detected,' and teams 'remediate the vulnerabilities according to the terms of our internal SLA.' Furthermore, 'products and features are pentested on an ongoing basis,' and JFrog 'manages private bug bounty and private vulnerability disclosure programs.' The company's CSO states that 'Trust is vital to success in our industry.'

Security Team

The JFrog AppSec team includes Moran Ashkenazi, the 'JFrog Chief Security Officer.' Public-facing researchers, such as Or Peles, are identified through 'research.jfrog.com vulnerability listings.' As of, 'The JFrog CSO Office is seeking an Application Security Team Lead.' This job posting also lists 'Netanya/Tel Aviv, Israel | CTO Office,' indicating a potential contradiction in reporting lines. The 'Team size estimate' is 'Information not publicly available,' as a 'LinkedIn Search Query' yielded insufficient public data. The single active AppSec job posting highlights common skill patterns such as the ability to 'Develop and implement security automation solutions' and a 'Strong background in AI security and Security AI.'

Key Initiatives

JFrog has a 'Security Champions Program' where 'R&D Security Champions are responsible for establishing the application security posture.' Their 'shift left' practices include running 'SAST and DAST scans every time code is checked in.' For vulnerability management, 'JFrog Xray continuously scans the JFrog Platform,' and the pipeline policy 'will cause builds to fail when certain security vulnerabilities are detected,' with remediation occurring 'according to the terms of our internal SLA.' Vulnerability intake sources include 'private bug bounty and private vulnerability disclosure programs, hosted on HackerOne.' Secure SDLC artifacts are reflected in the statements that 'Threat modeling is a core element' and that 'R&D teams regularly receive relevant training.' Additionally, 'products and features are pentested on an ongoing basis.' The only item identified under 'Recent initiatives (last 6 months)' is the hiring of an 'Application Security Team Lead'; other product or policy rollouts are listed as 'Information not publicly available.'
