Safeguard
Tag

open-source

Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.

138 articles

Organizational Security

Open-Source Contribution Security Guide

How to contribute to open-source projects without introducing security vulnerabilities, and how to evaluate the security posture of projects you contribute to.

Apr 12, 20247 min read
Incident Analysis

XZ Utils Backdoor: Technical Breakdown

The xz-utils backdoor (CVE-2024-3094) nearly compromised SSH on every modern Linux distro. Here is how the implant worked and what it teaches us.

Apr 5, 20246 min read
Supply Chain Security

After XZ Utils: Rethinking Trust in Open Source Software

The XZ Utils backdoor forced the industry to confront uncomfortable questions about maintainer trust, funding, and the structural fragility of critical open source infrastructure.

Apr 5, 20247 min read
Open Source Security

Forking Security: What Happens When Open Source Projects Diverge

When an open source project forks, the security implications cascade through every downstream consumer. Understanding fork dynamics is essential for managing supply chain risk.

Apr 2, 20246 min read
Supply Chain Security

XZ Utils Backdoor (CVE-2024-3094): The Most Sophisticated Supply Chain Attack Ever Discovered

A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux distributions. Technical deep dive into what happened.

Mar 29, 20246 min read
Open Source Security

Single-Maintainer Bus Factor Risk in OSS

A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.

Mar 18, 20246 min read
Dev Practices

What Are Dependencies in Software?

A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.

Mar 14, 20246 min read
Software Supply Chain Security

Abandoned Package Takeover: When Maintainers Walk Away

Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.

Mar 5, 20245 min read
Case Studies

Netflix's Open-Source Security Approach

How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while maintaining the velocity that streaming demands.

Jan 22, 20247 min read
Software Supply Chain Security

How to Security Audit an Open Source Project Before Adoption

Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.

Jan 15, 20246 min read
Open Source Security

Open Source Dependency Health Metrics That Actually Matter

Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.

Dec 5, 20236 min read
Regional Security

Southeast Asia's Software Supply Chain Security Gap

Southeast Asia's booming tech sector is building fast but securing slowly. Supply chain attacks targeting the region are increasing, and most organizations lack basic visibility into their dependencies.

Oct 22, 20235 min read
open-source (Page 8) — Safeguard Blog