open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
Tern: Container SBOM Generation Through Layer Analysis
A review of Tern, the open source tool that generates SBOMs by inspecting container image layers, including its strengths, limitations, and where it fits in your toolchain.
OSS Review Toolkit (ORT): Automating License Compliance at Scale
The OSS Review Toolkit handles license scanning, vulnerability detection, and compliance policy enforcement. Here's how to put it to work.
The Open Source Software Security Act of 2022: What It Means for Developers
The U.S. Senate introduced legislation directing CISA to secure open source software used by the federal government. Here's what the bill contains.
Trivy vs Grype: Open Source Vulnerability Scanners Compared
A practical comparison of Trivy and Grype for vulnerability scanning, covering detection accuracy, performance, SBOM support, and real-world usage patterns.
Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself
The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons for every project, but also reveal challenges that scale creates.
Software Supply Chain Security in Banking: A Practical Guide
Banks face unique software supply chain risks. This guide covers real threats, regulatory expectations, and what security teams should actually be doing.
Open Source Security Bounty Programs: Do They Actually Work?
Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complicated, with perverse incentives, quality problems, and funding gaps.
Open Source Governance: Building an Enterprise Framework
Ad-hoc open source usage creates legal, security, and operational risk. This guide walks through building a governance framework that enables developers while managing risk.
The OWASP Top 10 (2021) Through a Supply Chain Security Lens
The 2021 OWASP Top 10 added supply chain risks for the first time. Here is what each category means when your code is mostly someone else's code.
Evaluating Open Source Alternatives Through a Security Lens
When choosing between open source packages that provide the same functionality, security factors should weigh as heavily as features. Here is a practical evaluation framework.
Open Source License Compliance: A Practical Guide for 2022
License compliance is not just a legal checkbox — it is a business risk. Misunderstanding copyleft obligations or violating attribution requirements can result in lawsuits, forced code disclosure, or product recalls.
Log4j and the Maintainer Burnout Crisis Nobody Talks About
The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the industry treats the people who maintain critical open source infrastructure.