ActiveState @ActiveState

Dependency cooldowns are table stakes now. Good. Adopt them. Also: patient attackers already know your window. And your AI coding agent's npm install mid-session bypasses your .npmrc config entirely. A time-based filter is not a software supply chain sourcing strategy. Provenance is. #SoftwareSupplyChain #OpenSourceSecurity #DevSecOps #SLSA Read more at buff.ly/kLYTGA0

Industry average MTTR for critical CVEs: above 50 days. ActiveState contractual SLA for critical CVEs: 5 business days. The 45 days in between are not a performance gap. For the security leader whose name is on the program, they are a documented liability window with a start date. Mitchell Hashimoto said it directly: someone has to charge for the relationship open source licenses won't provide. Read more at buff.ly/yKk2qmp #OpenSourceSecurity #CVE #SoftwareSupplyChain #CISO #AppSec

EU CRA Phase 1: September 2026. Mandatory 24-hour vulnerability reporting to ENISA. Applies to all products on market, including legacy. "We had a scanner" is not a sufficient legal defense. "Here is our provenance chain, our SBOM, and our contractual 5-day remediation SLA" is. The clock is running. Read more at buff.ly/yKk2qmp #EUCyberResilienceAct #OpenSourceSecurity #CISO #SoftwareSupplyChain #Compliance

Learn more and what this means for you in our article: buff.ly/fjJ6bGF

NIST can't enrich all CVEs anymore. Your scanner didn't tell you. It's still returning results as if nothing changed. The detection model that most open source software security programs are built around just became structurally incomplete, and the EU CRA enforcement date is September 11. The documentation regulators want cannot be assembled from scan exports. ActiveState joined the @linuxfoundation and @openssf this week because no single org secures the software supply chain alone. What 30 years of production-scale build infrastructure brings to that work is the point. Read more: buff.ly/whHtmla #SoftwareSupplyChain #OpenSourceSoftwareSecurity #OpenSSF #SLSA

Sonatype's 2025 Open Source Software Supply Chain Risk Report: 454,000+ new malicious open source packages in 2025. Cumulative total past 1.2 million. Your AI coding assistant is pulling from that ecosystem, one keystroke at a time, without checking maintainer status or vulnerability history. Scanning what entered your environment is a record of what you missed, not a prevention strategy. Read more at buff.ly/yKk2qmp #SoftwareSupplyChain #OpenSourceSecurity #AppSec #DevSecOps #AISecurity

The "as is" clause in open source licenses was never the problem. The problem was enterprise governance built on a warranty the license explicitly withheld. AI coding assistants just made that gap impossible to sustain. NIST says CVE submissions are up 263% and they can't keep up. Neither can your scanner. Read more at buff.ly/yKk2qmp #OpenSourceSecurity #SoftwareSupplyChain #CISO #AppSec #CyberResilience

Your AI coding tool will change. Your security layer shouldn't have to. The architecture argument nobody is making: govern the dependency, not the tool. Read More: buff.ly/jP77n9E #opensourcesecurity #softwaresupplychain #devsecops #CISO #AppSec

Malicious packages grew 156% YoY. Your AI coding assistant is pulling from those same registries right now. A plugin for your AI tool doesn't fix that. Governing what it resolves to does. Read more: buff.ly/jP77n9E #opensourcesecurity #softwaresupplychain #AIcode #CISO

AI-generated code doesn't just accelerate development. It accelerates the inherited trust problem. Every import statement an AI coding tool generates is a potential new open source dependency. At 500-1,000 developers, that intake rate isn't human-scale anymore. The governance model most teams are running was never built for this. The road ahead requires a different kind of decision. Read more at buff.ly/Cf6bswN #softwaresupplychain #opensourcesecurity #AppSec #AIcode #CISOnotes

Different generations, same source for trusted open source.

'We were running a scanner' is not an audit trail for your OSS. SEC breach notification rules and the EU Cyber Resilience Act require documented, verifiable due diligence over your software supply chain. The question regulators will ask isn't whether you had tools. It's whether you made decisions. Most orgs cannot answer that question on demand today. Read more at buff.ly/Cf6bswN #CyberResilienceAct #softwaresupplychain #opensourcesoftwaresecurity #CISOnotes #compliance

The attack logic that TeamPCP used is still valid. Five package ecosystems. Transitive dependency layer. Inherited trust from upstream maintainers. No explicit governance decision about what open source software was safe to consume. That structure has not changed. The next attack will use the same entry points. Read more at buff.ly/Cf6bswN #opensourcesoftwaresecurity #softwaresupplychain #AppSec #CISOnotes #devsecops

TeamPCP was caught because a developer's laptop ran hot. The OSS governance gap it exposed is still open at most organizations. The scanner passed the binary through correctly. The failure was a decision about open source software provenance that was never made. Same structure. Same exposure. Still no decision. Read more at buff.ly/Cf6bswN #opensourcesecurity #softwaresupplychain #CISOnotes #AppSec #supplychainsecurity

Everyone is asking whether their AI agents will do the wrong thing. Nobody is asking what happens if they were built on the wrong thing. That's the conversation missing from every governance framework, every session agenda, every vendor pitch right now. Underneath every agent in your environment is a software stack. Inside that stack: open source dependencies pulled in by AI coding assistants, accepted in a single keystroke, with no provenance check, no manual review, no assigned owner. Behavioral trust is a real problem worth solving. Can the agent do what I asked? Yes. But that question rests on a foundation most organizations have never looked at. Security doesn't start with what your agent does. It starts with what it was built on. #CyberSecurity #AIAgents #SoftwareSupplyChain

CISOs: AI coding assistants don't just generate code. They generate open source risk. At machine speed. The fix can't be tethered to a single AI tool. It has to be at the dependency layer. That's exactly what the ActiveState Curated Catalog does. And today we expanded it to cover any AI coding environment. buff.ly/u1Sgjy0

ActiveState has sponsored the latest IDC Analyst Brief on open source software governance at scale. What the IDC Analyst Brief found: curated open source catalogs are the only governance model that intervenes at the point where the problem actually starts. Learn more here: buff.ly/MhIARTY

Outsourcing moves the work. It does not move the liability. When your open source dependencies ship through a vendor's pipeline, your compliance exposure travels with them, whether your security team can see it or not. The governance gap in IT outsourcing is a software supply chain problem. Read more at buff.ly/TIPio2j #OpenSourceSecurity #SoftwareSupplyChain #CISOInsights #ITOutsourcing

Two Apache ActiveMQ CVEs are now being chained for unauthenticated remote code execution. One is already in CISA KEV. ActiveState's Jonny Rivera on why this one stings: most organizations don't know they're running ActiveMQ at all. It's buried in transitive dependencies, untracked, and nowhere near the patch queue. You cannot patch what you cannot see. Patch target: 5.19.4 or 6.2.3. Read more at buff.ly/xEvq0hy #SoftwareSupplyChain #OpenSourceSecurity #CVE #DevSecOps

The most important number in your security program right now is not your CVE count. It is how long your remediation sequence takes from "critical CVE identified" to "clean deployment in production." Most teams do not know that number. Project Glasswing is going to surface it for them. Full read: buff.ly/EjYfOTB #OpenSourceSecurity #CyberSecurity #AppSec