Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
The Hidden Risk of Abandoned Open Source Projects
Abandoned open source projects do not disappear. They continue to be installed, depended upon, and deployed in production. They just stop getting security patches.
npm Tightens Unpublish Rules: What It Means for Supply Chain Security
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Open Source Vulnerability Rewards: Can Bug Bounties Save Open Source?
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
Open Source Malware Detection Techniques for Package Registries
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.
Inside the Apache Foundation's Security Practices
The Apache Software Foundation oversees 350+ projects including some of the most widely deployed software on earth. Their security practices set the standard for foundation-governed open source.
A Taxonomy of Open Source Supply Chain Attacks
Supply chain attacks on open source come in distinct flavors. Understanding the taxonomy helps defenders prioritize controls and recognize threats before they reach production.
The March 2023 PyPI Malware Wave
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
Go Modules Checksum Database: Five Years In
sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got right and what it did not.
PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security
PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.
OpenSSL Project Governance: Security Lessons from Heartbleed and Beyond
OpenSSL's transformation from a two-person project securing half the internet to a properly governed foundation offers a blueprint for open source security governance.
Responsible Disclosure in Open Source: The Messy Reality
Responsible disclosure sounds simple in theory. In practice, coordinating vulnerability disclosure across open source projects with no budgets, no SLAs, and no obligation to respond is an exercise in patience and diplomacy.
PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.