open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
Open-Source Contribution Security Guide
How to contribute to open-source projects without introducing security vulnerabilities, and how to evaluate the security posture of projects you contribute to.
XZ Utils Backdoor: Technical Breakdown
The xz-utils backdoor (CVE-2024-3094) nearly compromised SSH on every modern Linux distro. Here is how the implant worked and what it teaches us.
After XZ Utils: Rethinking Trust in Open Source Software
The XZ Utils backdoor forced the industry to confront uncomfortable questions about maintainer trust, funding, and the structural fragility of critical open source infrastructure.
Forking Security: What Happens When Open Source Projects Diverge
When an open source project forks, the security implications cascade through every downstream consumer. Understanding fork dynamics is essential for managing supply chain risk.
XZ Utils Backdoor (CVE-2024-3094): The Most Sophisticated Supply Chain Attack Ever Discovered
A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux distributions. Technical deep dive into what happened.
Single-Maintainer Bus Factor Risk in OSS
A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.
What Are Dependencies in Software?
A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.
Abandoned Package Takeover: When Maintainers Walk Away
Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.
Netflix's Open-Source Security Approach
How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while maintaining the velocity that streaming demands.
How to Security Audit an Open Source Project Before Adoption
Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.
Open Source Dependency Health Metrics That Actually Matter
Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.
Southeast Asia's Software Supply Chain Security Gap
Southeast Asia's booming tech sector is building fast but securing slowly. Supply chain attacks targeting the region are increasing, and most organizations lack basic visibility into their dependencies.