Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

5 risks of using open source software

Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.

May 9, 20267 min read
Open Source Security

GPL vs MIT vs Apache: license security and compliance implications

Redis, Vizio, and Cisco show how GPL, MIT, and Apache 2.0 licenses create real legal and compliance exposure across your software supply chain.

May 9, 20267 min read
Open Source Security

Building an SBOM that meets NTIA minimum elements

A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.

May 9, 20267 min read
Open Source Security

SPDX vs CycloneDX: comparing SBOM formats

SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.

May 8, 20267 min read
Open Source Security

OpenSSF Scorecard v6 and the OSPS Baseline: Turning Probe Evidence Into Registry Trust Signals

The Scorecard v6 roadmap introduces conformance labels (PASS/FAIL/UNKNOWN/NOT_APPLICABLE/ATTESTED) layered over the same probe evidence, aligning Scorecard output with the OSPS Baseline for registry-side trust decisions.

May 4, 20267 min read
Open Source Security

Patch management strategies for open source dependencies

A practical guide to patch management for open source dependencies: prioritizing by reachability and EPSS, not CVSS alone, and building a repeatable remediation loop.

Apr 30, 20267 min read
Open Source Security

Transitive dependency vulnerabilities explained

A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.

Apr 30, 20267 min read
Open Source Security

Securing mobile app dependencies: CocoaPods and Gradle

CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.

Apr 29, 20267 min read
Open Source Security

The State of Open Source Security report (annual series)

Safeguard's annual State of Open Source Security Report finds transitive dependencies now drive most exposure, and reachability — not CVSS alone — separates mature security programs.

Apr 25, 20267 min read
Open Source Security

5 risks of open source software in 2026

Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.

Apr 24, 20267 min read
Open Source Security

Open source package health scoring explained

Health scores from OSSF Scorecard, Snyk, and npms.io compress package risk into one number -- but xz-utils proves a high score isn't the same as safe.

Apr 21, 20267 min read
Open Source Security

What to check before installing an open source package

A practical guide to vetting open source packages before you install them — real incidents, concrete checks, and how reachability analysis cuts through CVE noise.

Apr 20, 20267 min read
Open Source Security (Page 4) — Supply Chain Security Blog | Safeguard