open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
License Compliance Debt: The Quiet Risk Growing Alongside...
Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.
Why 'Time to Fix' Is a Better Supply Chain Metric Than Vu...
Vulnerability counts measure how hard you're looking, not how exposed you are. Here's why mean time to remediate is the metric that actually predicts breach risk.
The Long Tail of Abandoned Open Source Projects and Enter...
Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.
Monorepo vs Polyrepo: How Architecture Choices Shape Supp...
Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.
What a Decade of Open Source Vulnerability Data Tells Us ...
CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.
Direct vs Transitive Vulnerabilities: Why the Distinction...
Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.
How Package Manager Design Choices Influence Supply Chain...
npm, PyPI, RubyGems, Go, and Cargo each made different design bets on install scripts, namespacing, and signing — and those bets directly shape supply chain attack surface.
The Economics of Free Riding in Open Source Security
Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.
Why Vulnerability Disclosure Timelines Still Vary Wildly ...
Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.
From Log4Shell to Now: What Changed and What Didn't in Su...
Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.
The Hidden Risk of Copy-Pasted Code Snippets from Forums ...
Copy-pasted code from Stack Overflow and AI chats often ships with hidden vulnerabilities. Here's the data behind the risk, real breaches it caused, and how to catch it.
Do Bug Bounties Actually Reduce Open Source Risk? An Inde...
Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.