Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Open source libraries, packages, and models power nearly every product team today. They accelerate development, democratize innovation, and let teams stand on the shoulders of giants. But there’s a dangerous assumption creeping into engineering orgs: that open source — or AI trained on open source — will keep your software safe. That assumption is wrong. Open source gives you speed and community, not guaranteed security.

Aikido Package Health surfaces the true health of an open source package with a single score. It helps devs understand stability, maintenance quality, and supply-chain risk before installing a dependency. Aikido Package Health is a public service that assigns a clear Health Score to open source packages. It gives you an honest signal about which dependencies are well-maintained and safe to adopt, and which ones might need extra scrutiny before you pull them into your project. The goal is simple.

Open source is one of the best things to ever happen to software development. It is also one of the easiest ways to accidentally ship legal obligations you did not sign up for. Most teams know they rely heavily on open-source dependencies. Fewer teams know exactly what licenses those dependencies use, what obligations come with them, or how those licenses travel through transitive dependencies and container images. That gap is what we call open-source license risk.

When it comes to distributing PHP applications, discussions often swing between two extremes: fully open-source everything or lock all your code behind encryption/encoding. Critics of encoding often argue that open source is superior because users can still inspect and customise code. But the truth is far more nuanced, and the most successful software vendors already know it.

AI agents are increasingly connecting to more systems and workflows. They read structured data, follow multi-step instructions, and can reach deep into applications and developer environments. The same capabilities that make them powerful also create new opportunities for attackers. As Zenity Labs continued to study these emerging attack classes, we noticed a pattern starting to appear.

Dependency issues are easiest to address when they show up directly in the development workflow. With this release, we’re bringing the full SCA workflow into the Aikido IDE extension, combining in-editor scanning with the ability to apply safe upgrades through AutoFix. Developers can detect vulnerable packages and resolve them without switching tools or breaking focus.

The evolution of your security stack is similar to the different phases of buying cars. In the beginning, you just need enough to transport a few items, maybe yourself and a few friends. The inexpensive two-door hatchback is perfect. However, as your family grows, whether with small humans or pets, you increasingly need more space and more capacity, leading to purchasing a four-door sedan or, even, a mini-van.

This blog post provides a dive into HTTP/3’s evolution for security engineers, an overview of our research journey, and what led us to develop the open-source tool QuicDraw, which can be used for fuzzing and racing HTTP/3 applications. QuicDraw implements “Quic-Fin-Sync” our implementation of the last-byte-sync with the single packet attack on HTTP/3. We conclude by evaluating QuicDraw’s performance against a real-world target and comparing its results to other tools.

There are millions of dollars on the line for companies relying on open source. Failure to stay CVE-free can lead to churn, closed-lost deals, and countless engineering hours wasted chasing fixes instead of shipping features. Unlike enterprises with large budgets and compliance buffers, a single failed review, missed SLA, or unresolved CVE can derail $5M–$20M in just one quarter. This is the difference between hitting growth targets or missing them entirely.

Unlike closed-source code or proprietary applications, open source software (OSS) exposes its source code, allowing anyone to view, modify, or contribute to it. This transparency delivers both opportunities and unique threats; developer communities can uncover flaws faster, but attackers can also examine code for weaknesses and even easily leverage known reported open source vulnerabilities.