Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Slopsquatting in the AI Era: Registering Packages AI Mode...

AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.

Jul 30, 20257 min read
Open Source Security

The Unpaid Labor Behind Critical Internet Infrastructure

Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.

Jul 27, 20257 min read
Open Source Security

Why Maintainer Burnout Is a Security Metric, Not Just an ...

The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.

Jul 27, 20256 min read
Open Source Security

Corporate Dependence on Volunteer-Maintained Projects: A ...

Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.

Jul 27, 20257 min read
Open Source Security

What Would It Actually Cost Companies to Fund Their Criti...

Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.

Jul 27, 20257 min read
Open Source Security

Security Training Gaps Among Solo Maintainers of High-Imp...

xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.

Jul 26, 20257 min read
Open Source Security

Succession Planning for Open Source Projects: Why It Rare...

Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.

Jul 26, 20257 min read
Open Source Security

The XZ Utils Incident as a Case Study in Maintainer Trust...

CVE-2024-3094 shows how a patient social-engineering campaign turned trusted open source maintainership into a near-catastrophic SSH backdoor.

Jul 26, 20257 min read
Open Source Security

Why Automated Tooling Can't Fully Replace Human Maintaine...

Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.

Jul 25, 20257 min read
Open Source Security

Measuring Project Health: Bus Factor, Commit Velocity, an...

Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.

Jul 25, 20259 min read
Open Source Security

The Business Case for Consolidating SAST, SCA, and DAST U...

Fragmented SAST, SCA, and DAST tools cost more than three licenses — they cost analyst hours, slower remediation, and longer audits. Here's the real ROI math for consolidation.

Jul 23, 20258 min read
Concepts

What Is a Package Registry?

A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.

Jul 14, 20256 min read
open-source-security (Page 27) — Safeguard Blog