ActiveState

14.6K posts

@ActiveState

ActiveState enables DevOps, InfoSec, and Development teams to improve their security posture while simultaneously increasing productivity and innovation.

Vancouver, BC · Joined November 2008
1.6K Following · 4K Followers
ActiveState @ActiveState
AI-generated code doesn't just accelerate development. It accelerates the inherited trust problem. Every import statement an AI coding tool generates is a potential new open source dependency. At 500-1,000 developers, that intake rate isn't human-scale anymore. The governance model most teams are running was never built for this. The road ahead requires a different kind of decision. Read more at buff.ly/Cf6bswN #softwaresupplychain #opensourcesecurity #AppSec #AIcode #CISOnotes
ActiveState @ActiveState
Different generations, same source for trusted open source.
ActiveState @ActiveState
'We were running a scanner' is not an audit trail for your OSS. SEC breach notification rules and the EU Cyber Resilience Act require documented, verifiable due diligence over your software supply chain. The question regulators will ask isn't whether you had tools. It's whether you made decisions. Most orgs cannot answer that question on demand today. Read more at buff.ly/Cf6bswN #CyberResilienceAct #softwaresupplychain #opensourcesoftwaresecurity #CISOnotes #compliance
ActiveState @ActiveState
Everyone is asking whether their AI agents will do the wrong thing. Nobody is asking what happens if they were built on the wrong thing. That's the conversation missing from every governance framework, every session agenda, every vendor pitch right now. Underneath every agent in your environment is a software stack. Inside that stack: open source dependencies pulled in by AI coding assistants, accepted in a single keystroke, with no provenance check, no manual review, no assigned owner. Behavioral trust is a real problem worth solving. Can the agent do what I asked? Yes. But that question rests on a foundation most organizations have never looked at. Security doesn't start with what your agent does. It starts with what it was built on. #CyberSecurity #AIAgents #SoftwareSupplyChain
ActiveState @ActiveState
CISOs: AI coding assistants don't just generate code. They generate open source risk. At machine speed. The fix can't be tethered to a single AI tool. It has to be at the dependency layer. That's exactly what the ActiveState Curated Catalog does. And today we expanded it to cover any AI coding environment. buff.ly/u1Sgjy0
ActiveState @ActiveState
ActiveState has sponsored the latest IDC Analyst Brief on open source software governance at scale. What the IDC Analyst Brief found: curated open source catalogs are the only governance model that intervenes at the point where the problem actually starts. Learn more here: buff.ly/MhIARTY
ActiveState @ActiveState
Two Apache ActiveMQ CVEs are now being chained for unauthenticated remote code execution. One is already in CISA KEV. ActiveState's Jonny Rivera on why this one stings: most organizations don't know they're running ActiveMQ at all. It's buried in transitive dependencies, untracked, and nowhere near the patch queue. You cannot patch what you cannot see. Patch target: 5.19.4 or 6.2.3. Read more at buff.ly/xEvq0hy #SoftwareSupplyChain #OpenSourceSecurity #CVE #DevSecOps
ActiveState @ActiveState
The most important number in your security program right now is not your CVE count. It is how long your remediation sequence takes from "critical CVE identified" to "clean deployment in production." Most teams do not know that number. Project Glasswing is going to surface it for them. Full read: buff.ly/EjYfOTB #OpenSourceSecurity #CyberSecurity #AppSec
ActiveState @ActiveState
Speed is a competitive advantage, and security is a requirement. 🛡️💻 As GenAI scales, shadow AI is becoming a massive risk to proprietary IP. Private repositories are now the gold standard for securing the AI-driven development boom. Insights via @AppDevMag: ✅ IP Sovereignty ✅ AI Governance ✅ Risk Mitigation Read more: buff.ly/em8XVXm #GenAI #CyberSecurity #DevSecOps #TechLeadership
ActiveState @ActiveState
RSAC 2026 made one thing clear: Security teams are hitting a wall. Faster reaction is no longer the answer. Here are the 4 key takeaways from ActiveState:
1. Reactive security has peaked. CVE triage is exhausting teams. We need cleaner foundations, not faster patches.
2. Visibility is the biggest hurdle. Many teams still don't know where their open source lives. You can't secure what you can't see.
3. AI is outdistancing its supply chain. Rapid AI adoption is leaving the underlying open source libraries unexamined and at risk.
4. Curation is the new prevention. Shifting to a verified base of packages stops the firefighting before it starts.
The goal for 2026: Reduce the number of things that require a response in the first place.
Read the full report here: buff.ly/tmo7nyb #RSAC2026 #CyberSecurity #OpenSource