Posts

Showing posts from May, 2026

The Liability Nobody Put on the Balance Sheet

By Jacqueline Winter, CFO & CISO, ActiveState

Most organizations have detailed processes for approving financial instruments they take onto their books. Open source software does not seem to get the same treatment. This week's events are a useful reminder of what that inconsistency costs. Every CFO understands that an unmanaged liability is a governance failure. When a company takes on a contractual commitment, it runs due diligence. It documents the decision. It assigns ownership of the ongoing risk. It does not simply accept the commitment because it arrived through an approved channel with valid paperwork. Open source software is on every balance sheet in the industry, and in most organizations, it has never been through that process. I have seen this failure mode in other domains. In financial controls, in vendor risk, in operational infrastructure. The pattern is identical every time: an organization builds processes for the ...

Your CISO Cannot Answer the Question Your CFO Is About to Ask

By Jacqueline Winter, CFO & CISO, ActiveState

AI-assisted development created an accountability gap that most security leaders cannot fill. The regulatory and financial consequences are arriving on schedule. A CFO reading the current software supply chain security headlines would ask their CISO one question: who approved the packages your AI coding tools installed last sprint? Most CISOs do not have a satisfying answer yet. That gap is not a technology failure. It is a governance failure with a specific regulatory and financial consequence attached to it. I have watched organizations make this mistake in other domains. A financial control looks adequate until an auditor asks who owned the decision at a specific point in time, and the organization discovers that the control existed but accountability did not. The resulting exposure is not measured by the size of the mistake. It is measured by the documented evidence...

Open Source Is on Every Balance Sheet. Most Organizations Have Just Not Found It Yet.

By Jacqueline Winter, CFO & CISO, ActiveState

Every CFO understands that an unmanaged liability is a governance failure. It does not matter whether the liability is in the loan portfolio, the vendor contract stack, or the software supply chain. The principle is identical: if you have assumed exposure you have not priced, quantified, or assigned to an owner, you have a governance gap. And governance gaps do not stay academic. Recent systemic failures have turned this abstraction into a hard reality for a number of organizations. The elementary-data package, downloaded more than 1 million times per month from PyPI, was pushing malicious code to production environments after attackers used a compromised GitHub Actions workflow to access signing keys and publish a credential-harvesting version. The Bitwarden CLI NPM package was compromised in a coordinated campaign designed to sweep credentials ...

Due Diligence You Would Never Skip Anywhere Else

By Jacqueline Winter, CFO & CISO, ActiveState

Every CFO who has ever approved a contract, signed off on an M&A transaction, or reviewed a capital allocation request understands one thing with complete clarity: unreviewed liability is a governance failure. You do not let unvetted instruments into a financial portfolio. You do not close an acquisition without knowing what is on the balance sheet. Due diligence is not optional. It is the minimum condition for defensible decision-making.

Open source software is the largest unmanaged liability on the enterprise technology balance sheet, and in most organizations it does not appear on any ledger the board reviews. April 2026 gave us four incidents that make the cost of that oversight very concrete.

What the Board Has Not Been Told

OpenAI revoked its macOS app signing certificate after a compromised Axios dependency executed briefly in a GitHub workflow. Two separate attackers poisoned w...