Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
5 risks of using open source software
Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.
GPL vs MIT vs Apache: license security and compliance implications
Redis, Vizio, and Cisco show how GPL, MIT, and Apache 2.0 licenses create real legal and compliance exposure across your software supply chain.
Building an SBOM that meets NTIA minimum elements
A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.
SPDX vs CycloneDX: comparing SBOM formats
SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.
OpenSSF Scorecard v6 and the OSPS Baseline: Turning Probe Evidence Into Registry Trust Signals
The Scorecard v6 roadmap introduces conformance labels (PASS/FAIL/UNKNOWN/NOT_APPLICABLE/ATTESTED) layered over the same probe evidence, aligning Scorecard output with the OSPS Baseline for registry-side trust decisions.
Patch management strategies for open source dependencies
A practical guide to patch management for open source dependencies: prioritizing by reachability and EPSS, not CVSS alone, and building a repeatable remediation loop.
Transitive dependency vulnerabilities explained
A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.
Securing mobile app dependencies: CocoaPods and Gradle
CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.
The State of Open Source Security report (annual series)
Safeguard's annual State of Open Source Security Report finds transitive dependencies now drive most exposure, and reachability — not CVSS alone — separates mature security programs.
5 risks of open source software in 2026
Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.
Open source package health scoring explained
Health scores from OSSF Scorecard, Snyk, and npms.io compress package risk into one number -- but xz-utils proves a high score isn't the same as safe.
What to check before installing an open source package
A practical guide to vetting open source packages before you install them — real incidents, concrete checks, and how reachability analysis cuts through CVE noise.