Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Why Maintainer Burnout Is a Security Metric, Not Just an ...

The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.

Jul 27, 20256 min read
Open Source Security

Corporate Dependence on Volunteer-Maintained Projects: A ...

Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.

Jul 27, 20257 min read
Open Source Security

What Would It Actually Cost Companies to Fund Their Criti...

Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.

Jul 27, 20257 min read
Open Source Security

Security Training Gaps Among Solo Maintainers of High-Imp...

xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.

Jul 26, 20257 min read
Open Source Security

Succession Planning for Open Source Projects: Why It Rare...

Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.

Jul 26, 20257 min read
Open Source Security

The XZ Utils Incident as a Case Study in Maintainer Trust...

CVE-2024-3094 shows how a patient social-engineering campaign turned trusted open source maintainership into a near-catastrophic SSH backdoor.

Jul 26, 20257 min read
Open Source Security

Why Automated Tooling Can't Fully Replace Human Maintaine...

Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.

Jul 25, 20257 min read
Open Source Security

Measuring Project Health: Bus Factor, Commit Velocity, an...

Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.

Jul 25, 20259 min read
Open Source Security

The Business Case for Consolidating SAST, SCA, and DAST U...

Fragmented SAST, SCA, and DAST tools cost more than three licenses — they cost analyst hours, slower remediation, and longer audits. Here's the real ROI math for consolidation.

Jul 23, 20258 min read
Open Source Security

PyPI's aliyun-ai-labs Campaign: Three Packages, One Targeted Region

Three PyPI packages impersonating Alibaba's AI Labs SDK exfiltrated .gitconfig data from developer machines in a regionally targeted 2025 espionage campaign.

Jul 21, 20256 min read
Open Source Security

The Quiet Consolidation of SCA, SAST, and Container Scann...

A wave of PE buyouts and platform acquisitions is quietly folding SCA, SAST, and container scanning into fewer, bigger AppSec platforms. Here's what's driving it.

Jul 15, 20258 min read
Open Source Security

Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning

Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.

Jun 25, 20257 min read
Open Source Security (Page 24) — Supply Chain Security Blog | Safeguard