Part 5: Apply Organization-Wide Blocking Policies

This part of the workshop focuses on applying organization-wide blocking policies after evaluating their impact using dry run mode.

Goal: Develop organization-wide policies informed by the impact assessment conducted in the previous step. Organization-level policies are designed to be applicable across all repositories, ensuring uniform adherence to the organization’s security standards. This broad approach contrasts with narrow-scope policies, which may only apply to a few repositories and cater specifically to individual team or project needs.

By establishing general-scope policies, we can better protect the entire organization and promote a cohesive security posture across all teams and projects.

Implementation suggestions:

Before you start:

Remediation Workflow:

  • Establish clear procedures for handling vulnerabilities detected by Curation, including triaging, assigning ownership, and tracking remediation efforts.
  • Monitor progress and ensure timely resolution of vulnerabilities to minimize both exposure to security risks and developer frustration.

Education and Training:

  • Provide comprehensive training on secure coding practices, dependency management, and vulnerability remediation.
  • Incorporate Curation into developer training programs to promote awareness of security best practices and tools.
  • Foster a culture of shared responsibility for security among developers, DevOps teams, and other stakeholders.

Team-by-team application approach:

This approach is ideal for organizations with multiple teams that may struggle to absorb information about how Curation operates all at once. By adopting a team-by-team strategy, we ensure that each group receives tailored communication and support. In smaller teams, where all team members have direct access to the security team, the rollout can be done in a single step.

  1. Identify Scope: Choose the teams or specific package types (such as NPM or PyPI) to start with. Inform these teams about the impact of Curation, the training available, and the remediation workflow.

  2. Implement Policies: Deploy the critical policies to the selected scope, specifically targeting issues such as Critical CVEs, immature packages, and missing licenses.

  3. Iterative Process: Once the initial teams are comfortable with the process, repeat this method to onboard additional teams, ensuring a comprehensive rollout across the organization.
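To make the rollout steps above concrete, here is an added example (not Curation's own code or API) of how a blocking policy with the three conditions named in step 2 behaves in dry run mode versus enforcement, and how an organization-wide scope differs from a package-type scope. The package and policy data model, field names, the 14-day immaturity threshold, and the sample inventory are all this example's own assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Simplified package metadata for the example; the field names are assumptions,
# not Curation's data model.
@dataclass(frozen=True)
class Package:
    name: str
    ecosystem: str                   # "npm", "pypi", ...
    published: date                  # publication date of this version
    license: Optional[str]           # None = no license declared
    max_cve_severity: Optional[str]  # highest known CVE severity, None = no known CVE

@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                       # "org" applies to every package; otherwise an ecosystem name
    dry_run: bool                    # True = report only, False = enforce (block)
    block_critical_cve: bool = True
    block_missing_license: bool = True
    immature_days: Optional[int] = 14  # block versions younger than this; None disables the check

def applies(policy: Policy, pkg: Package) -> bool:
    """Organization-wide policies cover everything; scoped ones only their ecosystem."""
    return policy.scope == "org" or policy.scope == pkg.ecosystem

def violations(policy: Policy, pkg: Package, today: date) -> list:
    """Return the policy conditions this package trips (empty list = clean)."""
    found = []
    if policy.block_critical_cve and pkg.max_cve_severity == "critical":
        found.append("critical-cve")
    if policy.block_missing_license and pkg.license is None:
        found.append("missing-license")
    if policy.immature_days is not None and today - pkg.published < timedelta(days=policy.immature_days):
        found.append("immature-package")
    return found

def evaluate(pkg: Package, policies: list, today: date) -> dict:
    """Decide allow/block for one package; dry-run hits are recorded but never block."""
    blocked_by = {}
    would_block = {}
    for policy in policies:
        if not applies(policy, pkg):
            continue
        hits = violations(policy, pkg, today)
        if hits:
            (would_block if policy.dry_run else blocked_by)[policy.name] = hits
    return {
        "package": pkg.name,
        "action": "block" if blocked_by else "allow",
        "blocked_by": blocked_by,
        "would_block": would_block,
    }

def impact_summary(packages: list, policies: list, today: date) -> dict:
    """Per-policy count of packages it blocks or would block: the numbers an impact assessment is built on."""
    counts = {p.name: 0 for p in policies}
    for pkg in packages:
        result = evaluate(pkg, policies, today)
        for name in (*result["blocked_by"], *result["would_block"]):
            counts[name] += 1
    return counts

def enforce(policy: Policy) -> Policy:
    """Promote a policy from dry run to blocking once its impact is understood."""
    return replace(policy, dry_run=False)

# Constructed sample inventory (names, dates and findings are made up for the example).
TODAY = date(2024, 6, 1)
PACKAGES = [
    Package("ui-widgets", "npm", date(2024, 5, 29), "MIT", None),         # 3 days old
    Package("legacy-http", "pypi", date(2021, 1, 10), "Apache-2.0", "critical"),
    Package("mystery-utils", "npm", date(2022, 3, 4), None, "medium"),    # no license
    Package("solid-lib", "pypi", date(2020, 9, 15), "BSD-3-Clause", None),
]
ORG_POLICY = Policy("org-baseline", scope="org", dry_run=True)

def rollout_demo() -> tuple:
    """Actions per package in dry run mode, then after enforcing the same org-wide policy."""
    dry = {p.name: evaluate(p, [ORG_POLICY], TODAY)["action"] for p in PACKAGES}
    live = {p.name: evaluate(p, [enforce(ORG_POLICY)], TODAY)["action"] for p in PACKAGES}
    return dry, live

if __name__ == "__main__":
    print(impact_summary(PACKAGES, [ORG_POLICY], TODAY))
    print(rollout_demo())
```

In dry run mode every package is still allowed, but the `would_block` entries and the `impact_summary` counts show exactly what enforcement would stop; that is the impact assessment the previous step produced. Calling `enforce` on the same policy flips it to blocking without changing its conditions, so the team-by-team rollout is a matter of which scopes you promote and when, not of rewriting policies.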

When to move on

Once organization-wide blocking is stable and understood, you can move to more granular control.

Proceed to Part 6: Apply Scoped and Project-Level Policies