Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Software Supply Chain Security

Dependency Cooldown Periods as a Malware Defense

Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.

May 17, 20268 min read
Compliance

EU Cyber Resilience Act: what developers need to know

The EU Cyber Resilience Act sets hard deadlines starting Sept 2026 for SBOMs, vulnerability reporting, and patching. Here's what developers must build.

May 11, 20267 min read
Open Source Security

What is the BSD license? Top 10 questions answered

The BSD license explained: its 0-, 2-, 3-, and 4-clause variants, how it differs from MIT and GPL, and which real projects run on it.

May 9, 20268 min read
Open Source Security

5 risks of using open source software

Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.

May 9, 20267 min read
Open Source Security

GPL vs MIT vs Apache: license security and compliance implications

Redis, Vizio, and Cisco show how GPL, MIT, and Apache 2.0 licenses create real legal and compliance exposure across your software supply chain.

May 9, 20267 min read
Open Source Security

Building an SBOM that meets NTIA minimum elements

A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.

May 9, 20267 min read
Open Source Security

SPDX vs CycloneDX: comparing SBOM formats

SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.

May 8, 20267 min read
Product

Real-time threat feed for open source malware detection

Malicious npm and PyPI packages spread in hours, not days. Here's why real-time threat feeds beat periodic scans, and how Safeguard detects supply chain malware before install.

May 8, 20267 min read
Product

Blocking malicious installs with a dependency firewall

How a dependency firewall stops malicious npm installs before they run, where Socket.dev-style scanners fall short, and how Safeguard closes the gap.

May 8, 20267 min read
Vulnerability Analysis

The XZ backdoor CVE-2024-3094 deep dive

A technical deep dive into CVE-2024-3094, the XZ Utils/liblzma SSH backdoor: affected versions, severity context, full timeline, and remediation steps.

May 5, 20268 min read
Vulnerability Analysis

Shellshock Bash vulnerability retrospective

A decade-plus retrospective on Shellshock (CVE-2014-6271): how a Bash parsing flaw led to critical, KEV-listed remote code execution.

May 4, 20267 min read
Open Source Security

Patch management strategies for open source dependencies

A practical guide to patch management for open source dependencies: prioritizing by reachability and EPSS, not CVSS alone, and building a repeatable remediation loop.

Apr 30, 20267 min read
open-source-security (Page 6) — Safeguard Blog