open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Dependency Cooldown Periods as a Malware Defense
Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.
EU Cyber Resilience Act: what developers need to know
The EU Cyber Resilience Act sets hard deadlines starting Sept 2026 for SBOMs, vulnerability reporting, and patching. Here's what developers must build.
What is the BSD license? Top 10 questions answered
The BSD license explained: its 0-, 2-, 3-, and 4-clause variants, how it differs from MIT and GPL, and which real projects run on it.
5 risks of using open source software
Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.
GPL vs MIT vs Apache: license security and compliance implications
Redis, Vizio, and Cisco show how GPL, MIT, and Apache 2.0 licenses create real legal and compliance exposure across your software supply chain.
Building an SBOM that meets NTIA minimum elements
A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.
SPDX vs CycloneDX: comparing SBOM formats
SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.
Real-time threat feed for open source malware detection
Malicious npm and PyPI packages spread in hours, not days. Here's why real-time threat feeds beat periodic scans, and how Safeguard detects supply chain malware before install.
Blocking malicious installs with a dependency firewall
How a dependency firewall stops malicious npm installs before they run, where Socket.dev-style scanners fall short, and how Safeguard closes the gap.
The XZ backdoor CVE-2024-3094 deep dive
A technical deep dive into CVE-2024-3094, the XZ Utils/liblzma SSH backdoor: affected versions, severity context, full timeline, and remediation steps.
Shellshock Bash vulnerability retrospective
A decade-plus retrospective on Shellshock (CVE-2014-6271): how a Bash parsing flaw led to critical, KEV-listed remote code execution.
Patch management strategies for open source dependencies
A practical guide to patch management for open source dependencies: prioritizing by reachability and EPSS, not CVSS alone, and building a repeatable remediation loop.