Posts

The Liability Nobody Put on the Balance Sheet

By Jacqueline Winter, CFO & CISO, ActiveState

Most organizations have detailed processes for approving financial instruments they take onto their books. Open source software does not seem to get the same treatment. This week's events are a useful reminder of what that inconsistency costs.

Every CFO understands that an unmanaged liability is a governance failure. When a company takes on a contractual commitment, it runs due diligence. It documents the decision. It assigns ownership of the ongoing risk. It does not simply accept the commitment because it arrived through an approved channel with valid paperwork. Open source software is on every balance sheet in the industry, and in most organizations, it has never been through that process.

I have seen this failure mode in other domains. In financial controls, in vendor risk, in operational infrastructure. The pattern is identical every time: an organization builds processes for the ...
Recent posts

Your CISO Cannot Answer the Question Your CFO Is About to Ask

By Jacqueline Winter, CFO & CISO, ActiveState

AI-assisted development created an accountability gap that most security leaders cannot fill. The regulatory and financial consequences are arriving on schedule.

A CFO reading the current software supply chain security headlines would ask their CISO one question: who approved the packages your AI coding tools installed last sprint? Most CISOs do not have a satisfying answer yet. That gap is not a technology failure. It is a governance failure with a specific regulatory and financial consequence attached to it.

I have watched organizations make this mistake in other domains. A financial control looks adequate until an auditor asks who owned the decision at a specific point in time, and the organization discovers that the control existed but accountability did not. The resulting exposure is not measured by the size of the mistake. It is measured by the documented evidence...

Open Source Is on Every Balance Sheet. Most Organizations Have Just Not Found It Yet.

By Jacqueline Winter, CFO & CISO, ActiveState

Every CFO understands that an unmanaged liability is a governance failure. It does not matter whether the liability is in the loan portfolio, the vendor contract stack, or the software supply chain. The principle is identical: if you have assumed exposure you have not priced, quantified, or assigned to an owner, you have a governance gap. And governance gaps do not stay academic.

Recent systemic failures have turned this abstraction into a hard reality for a number of organizations. The elementary-data package, downloaded more than 1 million times per month from PyPI, was pushing malicious code to production environments after attackers used a compromised GitHub Actions workflow to access signing keys and publish a credential-harvesting version. The Bitwarden CLI NPM package was compromised in a coordinated campaign designed to sweep credentials ...

The Due Diligence You Would Never Skip Anywhere Else

By Jacqueline Winter, CFO & CISO, ActiveState

Every CFO who has ever approved a contract, signed off on an M&A transaction, or reviewed a capital allocation request understands one thing with complete clarity: unreviewed liability is a governance failure. You do not let unvetted instruments into a financial portfolio. You do not close an acquisition without knowing what is on the balance sheet. Due diligence is not optional. It is the minimum condition for defensible decision-making.

Open source software is the largest unmanaged liability on the enterprise technology balance sheet, and in most organizations it does not appear on any ledger the board reviews. April 2026 gave us four incidents that make the cost of that oversight very concrete.

What the Board Has Not Been Told

OpenAI revoked its macOS app signing certificate after a compromised Axios dependency executed briefly in a GitHub workflow. Two separate attackers poisoned w...

The CEO Shift: Why Abby Kearns at ActiveState Signals a Turning Point for Enterprise Risk

The Software Supply Chain Is Now a Boardroom Problem

Abby Kearns has spent her career at the intersection of open source software and enterprise infrastructure. At Cloud Foundry Foundation, she watched the world's largest organizations bet their digital futures on open source. At Puppet, she saw firsthand how automation was the only viable path to managing infrastructure at scale. Her appointment as CEO of ActiveState isn't a standard leadership transition. It's a signal that the industry is moving from experimental growth to mature governance, and that the software supply chain has finally become a boardroom problem.

The 96% Problem Nobody Is Talking About

Here's a number that should get every CISO's attention: roughly 96% of modern applications contain open source components. That means the vast majority of proprietary software is built on code the organization didn't w...
ActiveState Unifies 79M Components to Launch World’s Largest Secure Open Source Catalog

This post originally appeared in ActiveState News: https://www.activestate.com/resources/press-releases/activestate-unifies-79m-components-to-launch-worlds-largest-secure-open-source-catalog/

By consolidating 12+ language ecosystems into a single repository, the ActiveState Catalog enables DevSecOps teams to slash CVE exposure by up to 99% and reclaim 30% of engineering time.

Vancouver, BC - Feb. 17, 2025 - ActiveState, a global leader in open source language solutions and secure software supply chain management, today announced it has grown its catalog of secure open source components to 79 million, effectively doubling coverage from 2025 and expanding to more than 12 languages. This provides DevSecOps teams one stop for acquiring trusted open source components for their software development and CVE remediation efforts. ActiveState’s catalog now covers the most popular languages used in ...