Check Point® Software Technologies Ltd.(link is external) announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.
Software security threats and DevOps risks are emerging in the AI era, according to the Software Supply Chain State of the Union 2025 from JFrog.
Source: JFrog(link is external)
The top security factors impacting the integrity and safety of the software supply chain include: CVEs, malicious packages, secrets' exposures, and misconfigurations/human errors. As an example, the JFrog Security Research Team detected 25,229 exposed secrets/tokens in public registries (up 64% YoY). The increasing complexity of software security threats are making it harder to maintain consistent software supply chain security.
"Many organizations are enthusiastically embracing public ML models to drive rapid innovation, demonstrating a strong commitment to leveraging AI for growth. However, over a third still rely on manual efforts to manage access to secure, approved models, which can lead to potential oversights," said Yoav Landman, CTO and Co-Founder, JFrog. "AI adoption will only grow more rapidly. Thus, in order for organizations to thrive in today's AI era they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential."
Key Report Findings Include:
AI/ML Model Proliferation and Attacks are Growing
In 2024, more than 1 million new ML models were added to Hugging Face, with an accompanying 5x increase in malicious models, indicating AI and ML models are increasingly becoming a preferred attack vector for bad actors.
Manual Governance of ML Models is Increasing Risk
Most companies (94%) are using certified lists to govern ML artifact usage, however over one-third (37%) of those rely on manual efforts to curate and maintain their lists of approved ML models. This over-reliance on manual validation creates uncertainty around the accuracy and consistency of ML model security.
Limited Security Scanning Leaving Blind Spots
Alarmingly, only 43% of IT professionals say their organization applies security scans at both the code and binary levels, leaving many organizations vulnerable to security threats only detectable at the binary level. This is down from 56% last year — a sign that teams still have huge blind spots when it comes to identifying and preventing software risk as early as possible.
Critical Vulnerabilities Continue to Rise and be Mis-scored
In 2024, security researchers disclosed over 33K new CVEs, a 27% increase from 2023, surpassing the 24.5% growth rate of new software packages. This trend raises concerns as the growing number of CVEs increases complexity and pressure on developers and security teams, potentially hindering innovation. Meanwhile, JFrog Security found that only 12% of high-profile CVEs rated "critical" (CVSS 9.0-10.0) by government organizations justify the critical severity level they were assigned because they are likely to be exploited by attackers. This pattern is troubling due to a centralized and unchanged scoring methodology over time, which heightens the risk of false positives in assessments and contributes to developers experiencing "vulnerability fatigue."
"We uncovered a clear pattern by CVE scoring organizations to inflate scores and cause an unnecessary level of panic in the industry, sending developers scrambling on remediation efforts that often results in wasted cognitive and professional time," said Shachar Menashe, JFrog VP of Security Research. "When DevSecOps teams are forced to remediate vulnerabilities that aren't ultimately harmful, their everyday workflows are disrupted, which can lead to developer burnout and costly mistakes."
Methodology: The report combines insights from over 1,400 development, security and operations professionals across the US, UK, France, Germany, India and Israel, with developer usage data from JFrog's customers, alongside original CVE analysis by the JFrog Security Research team.
Industry News
Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.
Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.
Lineaje launched new capabilities including Lineaje agentic AI-powered self-healing agents that autonomously secure open-source software, source code and containers, Gold Open Source Packages and Gold Open Source Images that enable organizations to source trusted, pre-fixed open-source software, and a software crawling and analysis engine, SCA360, that discovers and contextualizes risks at all software development stages.
Check Point® Software Technologies Ltd.(link is external) launched its inaugural AI Security Report(link is external) at RSA Conference 2025.
Lenses.io announced the release of Lenses 6.0, enabling organizations to modernize applications and systems with real-time data as AI adoption accelerates.
Sonata Software has achieved Amazon Web Services (AWS) DevOps Competency status.
vFunction® announced significant platform advancements that reduce complexity across the architectural spectrum and target the growing disconnect between development speed and architectural integrity.
Sonatype® introduced major enhancements to Repository Firewall that expand proactive malware protection across the enterprise — from developer workstations to the network edge.
Aqua Security introduced Secure AI, full lifecycle security from code to cloud to prompt.
Salt Security announced the launch of the Salt Model Context Protocol (MCP) Server, giving enterprise teams a novel access point of interaction with their API infrastructure, leveraging natural language and artificial intelligence (AI).
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.
SnapLogic announced the launch of its next-generation API management (APIM) solution, helping organizations accelerate their journey to a composable and agentic enterprise.
Apiiro announced Software Graph Visualization, an interactive map that enables users to visualize their software architectures across all components, vulnerabilities, toxic combinations, blast radius, data exposure and material changes in real time.
Check Point® Software Technologies Ltd.(link is external) and Illumio, the breach containment company, announced a strategic partnership to help organizations strengthen security and advance their Zero Trust posture.