DevOps Security

Open Source Is Free. Until Someone Comes to Collect.

By Jacqueline Winter, CFO & CISO, ActiveState. Finance has a long history of discovering that the liabilities nobody tracked were the ones nobody paid for ...
5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook

Let's be honest about the legacy Risk Management Framework (RMF): for the last decade, achieving an ATO has been less about actual cybersecurity and more about creative writing. We built three-year "snapshot" ...
Why IAM Access Analyzer Tells You About Unused Permissions But Won’t Remove Them

IAM Access Analyzer is a useful starting point for any team trying to enforce least privilege. It surfaces unused permissions, unused roles, unused access keys, and unused passwords across your AWS environment ...
Threat Actors Abuse ChatGPT Chats to Host Fake Outage Page, Deliver Malware

Threat actors are using legitimate-looking ChatGPT service outage notices planted in the chatbot's content-sharing feature to convince users to click on a button to download the ChatGPT desktop app. Hitting the button ...
The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

In this post we break down the technical mechanics of TeamPCP’s recent campaign, the impact on the developer ecosystem, and the urgent steps needed to secure software supply chains. The post The ...
Adversarial Oracles: LLM-Guided EDR Signature Reduction

In previous blog posts we’ve talked about getting nerd sniped. Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your ...
Stop Cursor, Claude Code & GitHub Copilot From Leaking Secrets With ggshield AI Hooks

Initial Access Changed, The Attack Path Did Not: Findings From The Verizon 2026 DBIR

This year's report shows how credential sprawl across DevOps, SaaS, CI/CD, the cloud, and developer laptops turns initial access into operational impact ...
Software Development with AI: What Actually Works in 2026

An honest practitioner's view of AI-assisted software development in 2026: what Cursor, Claude Code, Copilot, and Devin actually do well, and where they still break ...
The Liability Nobody Put on the Balance Sheet

By Jacqueline Winter, CFO & CISO, ActiveState. Most organizations have detailed processes for approving financial instruments they take onto their books. Open source software does not ...
Your Outdated Repository Still Works, But It May Not Be Safe

Repositories have long served as the backbone of software infrastructure, sitting between developers, CI/CD pipelines, public registries, and production releases. Today, the most sophisticated attackers have set their sights on developers ...