open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
The XZ Utils Backdoor: A Timeline and Technical Post-Mortem
A technical post-mortem of CVE-2024-3094, the XZ Utils backdoor: how a trusted maintainer identity was used to plant a supply chain backdoor in sshd.
When to Fork an Abandoned Dependency
Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.
The Software Composition Analysis Market in 2024: Consolidation and Evolution
The SCA market is maturing fast, with acquisitions, AI-powered analysis, and SBOM mandates reshaping the competitive landscape and what buyers should expect.
OpenSSF Launches SIREN: A Mailing List for Open Source Threat Intelligence
The Open Source Security Foundation introduces SIREN, a dedicated mailing list for sharing real-time threat intelligence about attacks targeting open source ecosystems.
The MIT License, Meaning in Plain English
The MIT license meaning, stripped of legalese: do almost anything you want with the code, keep the copyright notice, and the author owes you nothing if it breaks.
SCA in Cyber Security: What It Actually Means
SCA in cyber security stands for software composition analysis — the practice of identifying every open-source component in an application and checking it against known vulnerabilities and licenses.
CNCF Project Security Audits: What They Find and Why They Matter
The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.
Open Source License Types: A Quick Guide for Engineers
Open source license types split into permissive and copyleft, and knowing which one a dependency uses can matter as much as knowing whether it has a CVE.
How One Engineer's Curiosity Saved Linux: The XZ Utils Backdoor Discovery Story
Andres Freund noticed SSH was 500ms slower than expected. That observation prevented the most dangerous supply chain attack in open source history from reaching stable Linux distributions.
What Does SCA Stand For, and Why Does It Matter Now?
SCA stands for software composition analysis, and it matters more in 2024 than it did five years ago because open source now makes up the majority of most codebases.
Endor Labs SCA Review: Reachability Analysis Changes the Game
A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph analysis reduces vulnerability noise.
Google Assured Open Source Software: Curated Security for Enterprise Dependencies
Google's Assured OSS service provides enterprise-grade security guarantees for open source packages. It's a compelling model, but it raises questions about who controls the open source supply chain.