open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
What is Fuzz Testing (Fuzzing)
Fuzz testing bombards software with malformed inputs to surface crashes and memory bugs. Here's how fuzzers work, what they've found, and where they fall short.
What Was the Shellshock Vulnerability
Shellshock (CVE-2014-6271) let attackers run code on millions of Bash-based systems via a single crafted header. Here's the full breakdown and fix.
The XZ Utils Backdoor Explained
A trusted maintainer, years of quiet social engineering, and one hidden SSH backdoor: how CVE-2024-3094 nearly compromised the global Linux supply chain.
What is a Software License
A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.
What is Open Source Software
Open source software now sits in 96% of codebases. Here's what OSS actually is, how licensing works, and where the real security risk hides.
What is a Package Manager
Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.
What is npm Security
A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.
What is PyPI Security
PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.
What is Maven Security
Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.
Using cargo-audit and the RustSec Advisory Database to ca...
A hands-on cargo-audit tutorial: scan Rust dependencies against the RustSec advisory database, interpret results, and block vulnerable crates before they ship.
What is Binary Composition Analysis
Binary composition analysis identifies open source components inside compiled artifacts—no source code needed. Here's how it works and why it matters.
What is License Scanning
License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.