Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Vulnerability Analysis

The XZ Utils Backdoor: A Timeline and Technical Post-Mortem

A technical post-mortem of CVE-2024-3094, the XZ Utils backdoor: how a trusted maintainer identity was used to plant a supply chain backdoor in sshd.

Jul 13, 20258 min read
Supply Chain

When to Fork an Abandoned Dependency

Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.

Mar 18, 20256 min read
Industry Analysis

The Software Composition Analysis Market in 2024: Consolidation and Evolution

The SCA market is maturing fast, with acquisitions, AI-powered analysis, and SBOM mandates reshaping the competitive landscape and what buyers should expect.

Nov 20, 20246 min read
Industry News

OpenSSF Launches SIREN: A Mailing List for Open Source Threat Intelligence

The Open Source Security Foundation introduces SIREN, a dedicated mailing list for sharing real-time threat intelligence about attacks targeting open source ecosystems.

Nov 15, 20246 min read
Licensing

The MIT License, Meaning in Plain English

The MIT license meaning, stripped of legalese: do almost anything you want with the code, keep the copyright notice, and the author owes you nothing if it breaks.

Aug 30, 20245 min read
Supply Chain

SCA in Cyber Security: What It Actually Means

SCA in cyber security stands for software composition analysis — the practice of identifying every open-source component in an application and checking it against known vulnerabilities and licenses.

Jul 30, 20245 min read
Open Source Security

CNCF Project Security Audits: What They Find and Why They Matter

The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.

May 12, 20246 min read
Licensing

Open Source License Types: A Quick Guide for Engineers

Open source license types split into permissive and copyleft, and knowing which one a dependency uses can matter as much as knowing whether it has a CVE.

Apr 9, 20246 min read
Supply Chain Security

How One Engineer's Curiosity Saved Linux: The XZ Utils Backdoor Discovery Story

Andres Freund noticed SSH was 500ms slower than expected. That observation prevented the most dangerous supply chain attack in open source history from reaching stable Linux distributions.

Apr 1, 20247 min read
Supply Chain

What Does SCA Stand For, and Why Does It Matter Now?

SCA stands for software composition analysis, and it matters more in 2024 than it did five years ago because open source now makes up the majority of most codebases.

Mar 12, 20245 min read
Tool Reviews

Endor Labs SCA Review: Reachability Analysis Changes the Game

A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph analysis reduces vulnerability noise.

Mar 12, 20246 min read
Tools & Platforms

Google Assured Open Source Software: Curated Security for Enterprise Dependencies

Google's Assured OSS service provides enterprise-grade security guarantees for open source packages. It's a compelling model, but it raises questions about who controls the open source supply chain.

May 15, 20239 min read
open-source-security (Page 28) — Safeguard Blog