dependency-risk
Safeguard articles tagged "dependency-risk" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Checkmarx vs Snyk: which AppSec platform fits your stack
Checkmarx vs Snyk searches usually miss the real question: does your AppSec stack cover source code, or the full build-to-deploy supply chain? Here's how to check.
5 risks of using open source software
Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.
Abandoned Dependency Risk Study
The Safeguard Research team measured how much abandonment exists in real dependency graphs, how it correlates with risk, and what to do about it.
How slopsquatting exploits AI-hallucinated package names
Slopsquatting attacks turn AI-hallucinated package names into real supply chain threats. Here's how it works, the numbers behind it, and how Safeguard stops it.
Unmaintained Open Source Software: A Supply Chain Risk
Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.
How Snyk Advisor's package health score weighs popularity...
Snyk Advisor scores packages 0-100 using four signals: popularity, maintenance, community, and security. Here is exactly how each one is calculated.
The Long Tail of Abandoned Open Source Projects and Enter...
Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.
The Economics of Free Riding in Open Source Security
Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.
Security Training Gaps Among Solo Maintainers of High-Imp...
xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.
Measuring Project Health: Bus Factor, Commit Velocity, an...
Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.
Abandoned Package Takeover: When Maintainers Walk Away
Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.