open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Slopsquatting in the AI Era: Registering Packages AI Mode...
AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.
The Unpaid Labor Behind Critical Internet Infrastructure
Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.
Why Maintainer Burnout Is a Security Metric, Not Just an ...
The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.
Corporate Dependence on Volunteer-Maintained Projects: A ...
Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.
What Would It Actually Cost Companies to Fund Their Criti...
Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.
Security Training Gaps Among Solo Maintainers of High-Imp...
xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.
Succession Planning for Open Source Projects: Why It Rare...
Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.
The XZ Utils Incident as a Case Study in Maintainer Trust...
CVE-2024-3094 shows how a patient social-engineering campaign turned trusted open source maintainership into a near-catastrophic SSH backdoor.
Why Automated Tooling Can't Fully Replace Human Maintaine...
Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.
Measuring Project Health: Bus Factor, Commit Velocity, an...
Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.
The Business Case for Consolidating SAST, SCA, and DAST U...
Fragmented SAST, SCA, and DAST tools cost more than three licenses — they cost analyst hours, slower remediation, and longer audits. Here's the real ROI math for consolidation.
What Is a Package Registry?
A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.