# Safeguard.sh

> Software Supply Chain Security Platform

Safeguard.sh provides comprehensive SBOM intelligence, continuous security monitoring, and enterprise compliance for software supply chains.

## Products

- Enterprise SSCM: https://safeguard.sh/products/esscm
- Portal: https://safeguard.sh/products/portal
- TPRM: https://safeguard.sh/products/tprm
- Open Source Manager: https://safeguard.sh/products/osm
- Griffin AI: https://safeguard.sh/products/griffin-ai
- CLI Tool: https://safeguard.sh/products/cli
- IDE Extension: https://safeguard.sh/products/ide-extension
- MCP Server: https://safeguard.sh/products/mcp-server
- SCA: https://safeguard.sh/products/sca
- Marketplace: https://safeguard.sh/products/marketplace

## Documentation

- Docs: https://docs.safeguard.sh
- API Reference: https://safeguard.sh/resources/api-reference

## Blog Posts

- [Building an Eval Suite for Your Security LLM Workflows](https://safeguard.sh/resources/blog/building-eval-suite-security-llm-workflows): If you use an LLM anywhere in your security program — triage, remediation, detection — you need an eval suite with the s
- [Zero-Day Discovery With LLM-Augmented Reachability: A Safeguard Engine Walkthrough](https://safeguard.sh/resources/blog/zero-day-discovery-llm-augmented-reachability): Pattern-matching scanners miss zero-days by definition. An engine that follows taint across package boundaries plus a mo
- [2026 Q1 CVE Trend Analysis](https://safeguard.sh/resources/blog/2026-q1-cve-trend-analysis): A data-driven look at CVE trends from Q1 2026: publication volume, severity distribution, exploitation patterns, and wha
- [What Is a Software Supply Chain Attack?
A 2026 Primer](https://safeguard.sh/resources/blog/software-supply-chain-attack-primer-2026): A grounded 2026 primer on software supply chain attacks: definitions, the four real attack vectors, landmark incidents,
- [Frontier LLM Vendors Are Not Your Supply Chain Security Vendor](https://safeguard.sh/resources/blog/frontier-llm-vendors-not-supply-chain-security): Coding agents from OpenAI, Anthropic, and Google are excellent tools. They are also not supply chain security platforms,
- [Total Cost of Ownership: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-total-cost-of-ownership): List price is the easiest number to compare and the least interesting one. TCO over three years is where Griffin AI vs M
- [SBOM vs. VEX: What's the Difference and When Do You Need Each?](https://safeguard.sh/resources/blog/sbom-vs-vex-when-do-you-need-each): SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how t
- [How to Read a CycloneDX SBOM: A Line-by-Line Walkthrough](https://safeguard.sh/resources/blog/how-to-read-a-cyclonedx-sbom-walkthrough): A walkthrough of a CycloneDX 1.6 JSON document — metadata, components, services, dependencies, and vulnerabilities — wit
- [Model Context Protocol Permissions Model Explained](https://safeguard.sh/resources/blog/model-context-protocol-permissions-model): MCP's permissions model is subtle. Here is a careful walkthrough of how tool scoping, sampling, and resource access actu
- [Why LLMs Are Structurally Insecure (and What That Means for Your Pipeline)](https://safeguard.sh/resources/blog/why-llms-are-structurally-insecure): Language models are not insecure because of a bug you can patch.
They are insecure by construction — non-deterministic,
- [Qilin Ransomware Supply Chain Tactics 2025](https://safeguard.sh/resources/blog/qilin-ransomware-supply-chain-tactics-2025): Qilin became a top ransomware operator in 2024-2025 by pairing edge-device exploitation with managed service provider co
- [Anthropic's Mythos Vulnerability Scanner: An Honest Assessment of Strengths, Weaknesses, and Reasons to Be Cautious](https://safeguard.sh/resources/blog/anthropic-mythos-vulnerability-scanner-honest-review): Anthropic's Mythos model is generating buzz for AI-powered vulnerability detection. We break down what it does well, whe
- [The Limits of Single-Model Vulnerability Scanning: A Technical Analysis of the Mythos Approach](https://safeguard.sh/resources/blog/single-model-vulnerability-scanning-limitations-mythos-analysis): Anthropic's Mythos model claims to find vulnerabilities in open-source code using a single LLM. We analyze where this ap
- [API Surface Reviewed: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-api-surface-review): Most platform comparisons stop at features. The API surface is where automation and integration actually happen — and wh
- [Why LLM-Based Vulnerability Scanning Needs More Than a Single Model](https://safeguard.sh/resources/blog/why-llm-vulnerability-scanning-needs-more-than-a-model): Large language models are being used to find vulnerabilities in open-source code.
But a single model, no matter how capa
- [The EU Cyber Resilience Act Explained for Software Vendors](https://safeguard.sh/resources/blog/eu-cyber-resilience-act-explained-for-software-vendors): What the EU CRA actually requires from software vendors — SBOMs, vulnerability handling, CE marking, timelines through 2
- [Launching Zero-Day Discovery: How Safeguard's Multi-Agent TAOR Deep Think AI Engine Finds Vulnerabilities Before Anyone Else](https://safeguard.sh/resources/blog/safeguard-zero-day-discovery-taor-architecture): Safeguard.sh launches its Zero-Day Discovery Engine, powered by the Multi-Agent TAOR Deep Think AI Engine — a multi-lead
- [EU AI Act Enforcement Begins: 2026 Reality Check](https://safeguard.sh/resources/blog/eu-ai-act-enforcement-begins-2026): A 2026 reality check on EU AI Act enforcement: which obligations are active, what regulators expect, and the technical e
- [Open Source vs Commercial Security Scanners 2026](https://safeguard.sh/resources/blog/open-source-vs-commercial-security-scanners-2026): When to use Trivy, Grype, and OSV-Scanner versus commercial scanners in 2026: honest tradeoffs, integration realities, a
- [LLM Traces and Evals: The Missing Layer in AI Supply Chain Security](https://safeguard.sh/resources/blog/llm-traces-and-evals-ai-supply-chain-signal): Prompt traces and offline evals are standard hygiene for ML teams, but almost nobody treats them as supply chain telemet
- [Reachability Analysis vs. SCA: Which Reduces Your Backlog?](https://safeguard.sh/resources/blog/reachability-vs-sca-vulnerability-backlog): SCA lists every CVE in every dependency. Reachability filters to the ones your code actually invokes.
Here is how the tw
- [Go Toolchain Supply Chain Risks: 2025 Research](https://safeguard.sh/resources/blog/go-toolchain-supply-chain-risks-2025-research): 2025 research on Go toolchain supply chain risks: module proxy abuse, replace directive attacks, cgo linker vectors, and
- [CISA KEV Catalog Growth Analysis 2025-2026](https://safeguard.sh/resources/blog/cisa-kev-catalog-growth-analysis-2025-2026): A data-grounded analysis of CISA Known Exploited Vulnerabilities catalog growth through 2025 and 2026, and the operation
- [CycloneDX 1.7 New Features Reviewed](https://safeguard.sh/resources/blog/cyclonedx-1-7-new-features-review): CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what
- [Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)](https://safeguard.sh/resources/blog/why-slsa-level-3-matters-level-4-usually-doesnt): SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic build
- [Prompt Injection in RAG: Indirect Attacks](https://safeguard.sh/resources/blog/prompt-injection-rag-pipeline-indirect-attacks): A senior engineer's breakdown of indirect prompt injection in RAG pipelines, how real attacks land through retrieved con
- [Real-World Deployment: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-real-world-deployment): Demos live on a single repo and a curated dataset.
Real deployments hit fifty repos, three CI providers, two cloud accou
- [Lazarus Financial Sector Campaigns 2024-2025](https://safeguard.sh/resources/blog/lazarus-financial-sector-campaigns-2024-2025): Lazarus Group's 2024-2025 financial sector campaigns combined exchange compromises, DeFi exploits, and developer social
- [Buyer Guide: Software Supply Chain Security 2026](https://safeguard.sh/resources/blog/buyer-guide-software-supply-chain-security-2026): A senior-engineer buyer guide for software supply chain security in 2026: what the categories mean, what to test, and wh
- [MCP Server Telemetry Data Governance](https://safeguard.sh/resources/blog/mcp-server-telemetry-data-governance): MCP server telemetry captures sensitive prompts, arguments, and outputs. A governance framework for retention, redaction
- [Provenance, Attestation, and Signing: A Practical Glossary](https://safeguard.sh/resources/blog/provenance-attestation-signing-practical-glossary): Provenance describes how software was built, attestations are signed claims about that process, and signing proves origi
- [Composer/PHP Supply Chain Threats: 2025 Report](https://safeguard.sh/resources/blog/composer-php-supply-chain-threats-2025-report): A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers,
- [California SB-327 IoT Security Enforcement Update](https://safeguard.sh/resources/blog/california-sb-327-iot-security-enforcement-update): A 2026 enforcement update on California SB-327, the IoT security statute that set a national precedent, and what manufac
- [Safeguard Griffin AI: Eval Benchmarks Published](https://safeguard.sh/resources/blog/safeguard-griffin-ai-eval-benchmarks-2026): Griffin AI's evaluation harness results published for the first time.
Benchmark methodology, comparison against baseline
- [OpenAI API Key Leakage on GitHub at Scale](https://safeguard.sh/resources/blog/openai-api-key-leakage-on-github-at-scale): A senior engineer's view of OpenAI API key leakage on GitHub at scale, why automated secret scanning misses so many, and
- [Symbol Conflict and Binary Planting Attacks 2025](https://safeguard.sh/resources/blog/symbol-conflict-malicious-binary-planting-2025): Symbol conflicts and binary planting are the oldest native-code attacks, and they are showing up in modern software supp
- [Safeguard Q1 2026 Release Recap](https://safeguard.sh/resources/blog/safeguard-changelog-q1-2026-recap): A quarterly recap of Q1 2026 at Safeguard.sh: the signed chain from source to runtime, self-healing GA, taint tracking,
- [White House M-22-18 SBOM Attestation Update](https://safeguard.sh/resources/blog/white-house-memo-m-22-18-sbom-attestation-update): OMB M-22-18 and the CISA Secure Software Self-Attestation form continue to evolve. Here is what producers and federal bu
- [Best Secret Scanning Tools 2026 Comparison](https://safeguard.sh/resources/blog/best-secret-scanning-tools-2026-comparison): A senior-engineer view of secret-scanning tools worth running in 2026: what TruffleHog, Gitleaks, GitGuardian, and platf
- [SLSA v1.1 Framework Update: What's New](https://safeguard.sh/resources/blog/slsa-v1-1-framework-update-review): SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practica
- [Container Image Supply Chain: From Dockerfile to Production](https://safeguard.sh/resources/blog/container-image-supply-chain-dockerfile-to-production): Every container pulled in production is a trust decision.
Here's how to secure the chain from base image selection throu
- [Chrome Extension Cyberhaven Supply Chain Attack 2024](https://safeguard.sh/resources/blog/chrome-extension-cyberhaven-supply-chain-2024): A technical retrospective on the 2024 Cyberhaven Chrome extension compromise: the phishing chain, the malicious OAuth fl
- [Reachability Analysis: Cutting Through CVE Noise to Find What Actually Matters](https://safeguard.sh/resources/blog/reachability-analysis-reducing-cve-noise): Why most CVEs in your dependency tree are not exploitable in your application, and how reachability analysis separates r
- [Top Software Supply Chain Security Predictions 2026](https://safeguard.sh/resources/blog/top-software-supply-chain-security-predictions-2026): A senior-engineer set of 2026 predictions for software supply chain security, grounded in current adoption curves, regul
- [Software Supply Chain Side-Channel Attacks 2025](https://safeguard.sh/resources/blog/software-supply-chain-side-channel-attacks-2025): Side-channel attacks are moving from hardware into software supply chains, where build-time timing, error messages, and
- [Scaling Across Repos: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-multi-repo-scale): Multi-repo security reasoning is a graph problem, not a retrieval problem.
How Griffin AI's engine scales where pure-LLM
- [MCP Server Lifecycle Management Patterns](https://safeguard.sh/resources/blog/mcp-server-lifecycle-management-patterns): Patterns for managing MCP servers through development, staging, rollout, and deprecation — with an eye on the security g
- [Fine-Tune Backdoor Insertion: Academic Research](https://safeguard.sh/resources/blog/fine-tune-backdoor-insertion-academic-research): A senior engineer's review of academic research on fine-tune backdoor insertion, from BadNets to sleeper agents, and how
- [Flax Typhoon Residential Proxy Supply Chain 2024](https://safeguard.sh/resources/blog/flax-typhoon-residential-proxy-supply-chain-2024): Flax Typhoon's Raptor Train botnet turned consumer IoT into a state-aligned proxy network. Here is the tradecraft, the t
- [Incident Response for Supply Chain Attacks: A 2026 Playbook](https://safeguard.sh/resources/blog/incident-response-supply-chain-playbook-2026): A practical incident response playbook tailored for supply chain compromises — from initial detection through containmen
- [How to Detect Dependency Confusion Attacks Before They Ship](https://safeguard.sh/resources/blog/detect-dependency-confusion-before-it-ships): Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and bl
- [India DPDP Act Software Security Implications 2026](https://safeguard.sh/resources/blog/india-dpdp-act-software-security-implications-2026): A senior engineer's view of the Digital Personal Data Protection Act in 2026: security safeguards, significant data fidu
- [Reflection-Based Dependency Confusion Techniques](https://safeguard.sh/resources/blog/reflection-based-dependency-confusion-techniques): Dependency confusion is moving beyond name-typosquat.
Reflection-based techniques let attackers hijack packages through
- [Okta Cross-Tenant Impersonation 2024](https://safeguard.sh/resources/blog/okta-cross-tenant-impersonation-incident-2024): Okta's cross-tenant impersonation advisory and related social-engineering campaigns exposed how identity providers get t
- [State of Open Source Funding and Security 2026](https://safeguard.sh/resources/blog/state-of-open-source-funding-and-security-2026): How open source funding flows connect to security outcomes in 2026: maintainer capacity, critical project support, and t
- [MCP Server Sandbox Escapes: Threat Model](https://safeguard.sh/resources/blog/mcp-server-sandbox-escapes-threat-model): A threat model for sandbox escapes in Model Context Protocol servers, mapping attack surfaces from tool execution enviro
- [Training Data Poisoning: Pipeline Defenses](https://safeguard.sh/resources/blog/data-poisoning-training-pipeline-defenses): A senior engineer's guide to training data poisoning defenses in 2026, from split-learning detection to provenance attes
- [Introducing the Safeguard Marketplace: Extend Your Supply Chain Security](https://safeguard.sh/resources/blog/safeguard-marketplace-launch): The Safeguard Marketplace brings community-built integrations, policy templates, and compliance packs to the platform.
- [Tool-Call Hijacking: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-tool-call-hijacking-defences): A hijacked tool call is more consequential than a hijacked response. The defence requires the tool layer to police the m
- [Griffin AI vs Sourcegraph Cody for Security Use](https://safeguard.sh/resources/blog/griffin-ai-vs-sourcegraph-cody-security-use): Cody's codebase-wide context is valuable for security review.
Griffin AI adds reachability, taint, and policy grounding
- [How to Secure AI Agents on the MCP Protocol](https://safeguard.sh/resources/blog/how-to-secure-ai-agents-mcp-protocol-2026): MCP gives AI agents real tools, real credentials, and real blast radius. Here is a hardening guide for running MCP serve
- [Zero Trust for CI/CD Pipelines: A Concrete Blueprint](https://safeguard.sh/resources/blog/zero-trust-cicd-pipelines-blueprint): CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHA
- [UK PSTI Act Consumer IoT: Year-One Review](https://safeguard.sh/resources/blog/uk-psti-act-consumer-iot-year-one-review): The UK PSTI Act's first year of enforcement reveals how consumer IoT vendors are struggling with minimum security requir
- [Enterprise AI Center Of Excellence Blueprint](https://safeguard.sh/resources/blog/enterprise-ai-center-of-excellence-blueprint): An AI Center of Excellence is not a committee. It is the function that makes AI adoption coherent across business units.
- [ROI Timeline: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-roi-timeline): The honest answer to "when does this pay back?" is where sales decks and procurement reality diverge. Griffin
- [Griffin AI vs Open Weights: Supply Chain Risks](https://safeguard.sh/resources/blog/griffin-ai-vs-open-weight-supply-chain-risks): Open-weight models give you total deployment control. They also give you a new supply chain to secure. The tradeoff is w
- [npm Garbage Collection Abuse: Attack Research](https://safeguard.sh/resources/blog/npm-garbage-collection-abuse-attack-research): npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and s
- [AI Scaffold Prompts: Enterprise Governance](https://safeguard.sh/resources/blog/ai-scaffold-prompts-enterprise-governance): System prompts that scaffold AI assistants are now load-bearing enterprise assets.
A framework for versioning, reviewing
- [Regression Gate Design Patterns For Security LLMs](https://safeguard.sh/resources/blog/ai-security-regression-gate-design-patterns): A release gate that fails on regression is the most important operational control for AI-for-security tools. The design
- [Griffin AI vs Claude Citations: Advisory Work](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-citations-for-advisory-work): Claude's citations feature makes the model say where its claims come from. Griffin AI uses it for advisory workflows whe
- [FDA Premarket Cybersecurity for Medical Devices 2026](https://safeguard.sh/resources/blog/fda-premarket-cybersecurity-medical-devices-2026): A senior engineer's guide to FDA premarket cybersecurity for medical devices in 2026: section 524B, SBOM expectations, S
- [Introducing Safeguard TPRM: Evidence-Based Third-Party Risk Management](https://safeguard.sh/resources/blog/safeguard-tprm-module-release): Safeguard's new TPRM module replaces vendor questionnaires with SBOM-driven, continuous third-party risk assessment.
- [State of DevSecOps 2026: What Teams Actually Ship](https://safeguard.sh/resources/blog/state-of-devsecops-2026-what-teams-ship): A senior-engineer review of DevSecOps in 2026: what teams ship in production, which controls moved the needle, and where
- [Griffin AI vs OpenAI Pricing: Security Workloads](https://safeguard.sh/resources/blog/griffin-ai-vs-openai-pricing-for-security-workloads): Per-token pricing on the OpenAI API looks cheap on a single call and expensive on a year-long security workload. Griffin
- [Small Language Models: Security Use-Case Fit](https://safeguard.sh/resources/blog/small-language-model-security-usecase-fit): Small language models aren't a worse version of large ones.
For specific security workflows, they're the right
- [Open Source Funding Crisis: What It Means for Your Tree](https://safeguard.sh/resources/blog/open-source-funding-crisis-dependency-tree-impact): Critical infrastructure depends on unpaid maintainers, and burnout creates openings attackers exploit. xz-utils was the
- [Claude MCP Tool Poisoning Threat Model 2026](https://safeguard.sh/resources/blog/claude-mcp-tool-poisoning-threat-model-2026): A senior engineer's threat model for Claude MCP tool poisoning in 2026, covering malicious servers, description hijackin
- [Developer Social Engineering Campaigns 2024-2025](https://safeguard.sh/resources/blog/dev-0270-developer-social-engineering-campaign): State-aligned and financially motivated actors now target individual developers with bespoke social engineering. Here is
- [Hugging Face Token Exposure 2024 Analysis](https://safeguard.sh/resources/blog/hugging-face-token-exposure-2024-analysis): Researchers found thousands of valid Hugging Face API tokens in public code and models. Analysis of the 2024 exposures a
- [AWS re:Inforce 2026 Supply Chain Sessions: Field Notes](https://safeguard.sh/resources/blog/aws-reinforce-2026-supply-chain-sessions): Field notes from AWS re:Inforce 2026 supply chain track: signing at scale, SBOM adoption, and the Inspector and ECR upda
- [Fine-Tune Drift Measured On Eval Sets](https://safeguard.sh/resources/blog/frontier-model-limit-fine-tune-drift-on-evals): Fine-tuning to improve one task frequently regresses others. Without eval harnesses, the regressions ship. The measurabl
- [Griffin AI vs Gemini On-Device: Developer Tools](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-on-device-for-developer-tools): Gemini on-device models are fast and cheap. For the developer-tool layer, they're useful.
For the engine-plus-LLM layer,
- [Grounded Reasoning vs Hallucinated: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-reasoning-grounded-vs-hallucinated): The difference between grounded reasoning and hallucinated reasoning is not eloquence — it's citation. A look at how Gri
- [DevSecOps and Platform Engineering: The Convergence No One Expected](https://safeguard.sh/resources/blog/devsecops-platform-engineering-convergence): Platform engineering teams are becoming the new home for security controls. Here's why that is both promising and risky.
- [How to Implement SLSA Level 3 Practically](https://safeguard.sh/resources/blog/how-to-implement-slsa-level-3-practical-guide): SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical pat
- [DNS Cache Poisoning for Software Updates: 2025](https://safeguard.sh/resources/blog/loophole-dns-cache-poisoning-software-updates-2025): DNS cache poisoning is a known attack class with a new application: hijacking software update checks to ship malicious b
- [Guardrail Consolidation: Market Dynamics 2026](https://safeguard.sh/resources/blog/ai-security-trend-guardrail-consolidation-market): Two dozen AI guardrail vendors in 2023. A much smaller set in 2026. The consolidation has pattern — integrated platforms
- [Breaking Change Awareness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-breaking-change-awareness): An auto-fix that closes a vulnerability and breaks the build is not a fix.
Breaking-change awareness separates auto-PRs
- [Best Container Image Scanners 2026](https://safeguard.sh/resources/blog/best-container-image-scanners-2026): A fact-based review of the best container image scanners in 2026, comparing Trivy, Grype, Snyk, Prisma Cloud, and Safegu
- [PyPI Trusted Publishing Token Leaks in 2025](https://safeguard.sh/resources/blog/pypi-trusted-publishing-token-leak-campaign-2025): Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaig
- [EU AI Act: Software Supply Chain Implications 2026](https://safeguard.sh/resources/blog/eu-ai-act-software-supply-chain-implications-2026): The EU AI Act's 2026 obligations reshape software supply chain requirements for AI system providers, deployers, and upst
- [Audit Trail Quality: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-audit-trail-quality): An audit trail is only useful if you can answer questions from it. Quality is not about volume — it's about the abi
- [Sanitizer Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-sanitizer-detection): A vulnerability that passes through a working sanitizer is not a vulnerability. Detecting that sanitizer accurately is t
- [GenAI Code Assistants and Package Hallucination: 2026 Update](https://safeguard.sh/resources/blog/genai-package-hallucination-2026-update): LLM-suggested package names that do not exist are a registered attack vector in 2026.
Here is where hallucination rates
- [AI Bill of Materials (ML-BOM) Standards in 2026](https://safeguard.sh/resources/blog/ai-bill-of-materials-ml-bom-standards-2026): A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile,
- [Continuous Compliance Monitoring: A Practical Guide for Security Teams](https://safeguard.sh/resources/blog/continuous-compliance-monitoring-guide): How to replace periodic compliance audits with continuous, automated monitoring that catches drift before auditors do.
- [DORA Third-Party ICT Risk for Financial Services 2026](https://safeguard.sh/resources/blog/dora-financial-services-third-party-ict-risk-2026): A senior engineer's view of DORA third-party ICT risk in 2026: register of information, concentration risk, subcontracto
- [State of CVE Disclosure and KEV in 2026](https://safeguard.sh/resources/blog/state-of-cve-disclosure-and-kev-2026): A senior-analyst view of CVE disclosure, KEV catalog growth, and the operational patterns that keep pace with them in 20
- [Cross-Vendor SBOM Normalization: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cross-vendor-sbom-normalization): Your SBOMs come from a dozen vendors, three scanners, and two CI systems. Normalising them into one queryable graph is w
- [How to Scan Docker Images for Vulnerabilities](https://safeguard.sh/resources/blog/how-to-scan-docker-images-vulnerabilities-guide): A production-grade vulnerability scanning pipeline for Docker images using Trivy and Grype, with reachability-based prio
- [GitHub Actions Cache Poisoning Attack Class 2025](https://safeguard.sh/resources/blog/github-actions-cache-poisoning-attack-class-2025): GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatabl
- [NIST SP 800-161 Rev.
2 Third-Party Risk 2026](https://safeguard.sh/resources/blog/nist-sp-800-161-revision-2-third-party-2026): NIST SP 800-161 Rev. 2 reshapes cyber supply chain risk management for federal contractors and commercial buyers. Here i
- [Docker Hub Exposed Secrets at Scale 2024](https://safeguard.sh/resources/blog/docker-hub-exposed-secrets-at-scale-2024): Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 dat
- [Benchmark Reproducibility: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-benchmark-reproducibility): A benchmark you can't reproduce is marketing. A benchmark you can rerun on your own infrastructure is evidence. The
- [Prompt Injection Defences: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-prompt-injection-defences): Prompt injection is the defining AI security problem of this generation. The defences are structural, not cosmetic — and
- [Griffin AI vs Windsurf Cascade for Security Review](https://safeguard.sh/resources/blog/griffin-ai-vs-windsurf-cascade-security-review): Windsurf's Cascade agent is among the more capable in-editor agents. For security review specifically, it's a complement
- [Supply Chain Security for Aerospace & Defense (DoD) 2026](https://safeguard.sh/resources/blog/supply-chain-security-aerospace-defense-dod-2026): Supply chain security for aerospace and defense contractors in 2026 means CMMC 2.0 final rule, DFARS 7012/7020/7021, and
- [Enterprise AI Metric Design For Executive Reporting](https://safeguard.sh/resources/blog/enterprise-ai-metric-design-for-executive-reporting): AI-for-security metrics that show up on board slides are different from the ones engineers use day-to-day. Designing bot
- [Griffin AI vs Self-Hosted Llama: Real Costs](https://safeguard.sh/resources/blog/griffin-ai-vs-llama-vs-self-hosting-costs): Self-hosting Llama looks cheap on paper.
The real costs — GPUs, operations, engineering — make the comparison less obvio
- [Pricing Predictability: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-pricing-predictability): A 40% cost surprise in year two is not a pricing issue — it is an architecture issue. Griffin AI and Mythos-class tools
- [MCP Client-Side Security Considerations](https://safeguard.sh/resources/blog/mcp-client-side-security-considerations): The MCP client surface is often overlooked. We examine trust boundaries, schema handling, credential storage, and safe d
- [Best SBOM Management Platforms 2026 Review](https://safeguard.sh/resources/blog/best-sbom-management-platforms-2026-review): A 2026 review of the best SBOM management platforms, comparing Dependency-Track, Anchore, Lineaje, Kusari, and Safeguard
- [CrowdStrike Falcon Outage: Post-Mortem Lessons](https://safeguard.sh/resources/blog/crowdstrike-falcon-outage-post-mortem-lessons): The CrowdStrike Falcon outage of July 2024 bricked 8.5 million Windows hosts. A content validator bug and no staged roll
- [FedRAMP 20x and Continuous Compliance for Software Vendors](https://safeguard.sh/resources/blog/fedramp-20x-continuous-compliance-software-vendors): FedRAMP 20x replaces document-heavy review with machine-verifiable assertions. SBOMs and runtime evidence become first-c
- [SBOMs in Healthcare: Patient Safety Meets Software Transparency](https://safeguard.sh/resources/blog/software-bill-of-materials-healthcare): Healthcare organizations face unique SBOM challenges driven by FDA requirements, device lifecycles, and patient safety s
- [Confused Deputy Attacks on CI/CD Service Accounts](https://safeguard.sh/resources/blog/confused-deputy-attacks-ci-cd-service-accounts): Build systems hold broad trust and tight deadlines, which makes them perfect confused deputies.
Here is how the attack p
- [The Complete SBOM Compliance Guide for 2026](https://safeguard.sh/resources/blog/sbom-compliance-guide-2026): Everything you need to know about SBOM requirements under EO 14028, NIST SSDF, and emerging global regulations.
- [AI Coding Assistant Data Leakage Paths](https://safeguard.sh/resources/blog/ai-coding-assistant-data-leakage-paths): AI coding assistants promise productivity but expand the data leakage surface in specific, mappable ways. The paths, the
- [Real-World Vs Synthetic Eval Gap In Security](https://safeguard.sh/resources/blog/ai-security-real-world-vs-synthetic-eval-gap): Synthetic eval benchmarks are controllable. Real-world data is messy. The gap between performance on each is usually lar
- [Griffin AI vs Claude Computer Use: Security](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-computer-use-for-security): Claude's Computer Use lets an agent drive a GUI. For security, this is powerful and dangerous in equal measure. The arch
- [Cryptography Misuse Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cryptography-misuse-detection): Crypto misuse is not about broken algorithms.
It is about misused parameters, missing checks, and the gap between "
- [AI Agent Tool Confused Deputy Problem in 2026](https://safeguard.sh/resources/blog/ai-agent-tool-confused-deputy-problem-2026): A senior engineer's take on the confused deputy problem in AI agent tool use, why it keeps reappearing in 2026, and the
- [APT29 Cloud Supply Chain Tradecraft 2025](https://safeguard.sh/resources/blog/apt29-cloud-supply-chain-tradecraft-update-2025): APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots —
- [CMMC Level 3 Software Supply Chain Checklist 2026](https://safeguard.sh/resources/blog/cmmc-level-3-software-supply-chain-checklist-2026): A senior engineer's CMMC Level 3 checklist focused on software supply chain: SBOM, SC-SR controls, SSP evidence, and the
- [CVE-2024-4367 PDF.js Arbitrary Code Execution](https://safeguard.sh/resources/blog/cve-2024-4367-pdfjs-arbitrary-code-execution): CVE-2024-4367 is a PDF.js code-execution flaw via font handling that affects Firefox, Thunderbird, and every embedder. R
- [State of Container Security 2026: Survey Summary](https://safeguard.sh/resources/blog/state-of-container-security-2026-survey-summary): A survey-style summary of container security in 2026: what production teams actually ship, where image security stands,
- [Ensemble LLMs For High-Precision Security Findings](https://safeguard.sh/resources/blog/ensemble-llm-for-high-precision-security-findings): One model's confident answer is a guess. Multiple models agreeing is evidence. Ensemble approaches raise precision
- [Griffin AI vs GPT-5: Compliance Posture](https://safeguard.sh/resources/blog/griffin-ai-vs-gpt-5-compliance-posture): Compliance posture is about what you can prove, not what you can do.
GPT-5 has impressive capabilities; Griffin AI is en
- [How to Prevent Dependency Confusion in npm (2026)](https://safeguard.sh/resources/blog/how-to-prevent-dependency-confusion-npm-2026): Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks a
- [Safeguard Local Runner: Agentic Security on Your Laptop](https://safeguard.sh/resources/blog/safeguard-local-runner-release-agentic-security): The Local Runner is a command-line agent that runs Safeguard workflows against your working tree. Think claude-code-for-
- [UNC5221 Ivanti Exploitation Campaign Analysis](https://safeguard.sh/resources/blog/unc5221-ivanti-exploitation-campaign-analysis): UNC5221 chained Ivanti Connect Secure zero-days through 2024 and 2025. The campaign reads like a masterclass in living o
- [Hallucinated Security Findings: Measurable Rates](https://safeguard.sh/resources/blog/frontier-model-limit-hallucinated-security-findings): Pure-LLM security analysis hallucinates findings at rates between 20% and 70% depending on the task and model. Grounding
- [Griffin AI vs Gemini for FedRAMP Workflows](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-compliance-fedramp): Gemini has FedRAMP-authorised deployment options. Griffin AI builds on FedRAMP-aligned infrastructure. The comparison is
- [False Positive Rates: Griffin AI vs Mythos Benchmarked](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-false-positive-rates): Why pure-LLM security products generate false positives that engine-grounded platforms like Griffin AI structurally cann
- [Support Model: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-support-model): Support tier comparisons look identical on paper.
The real difference shows up at 2am during an incident, and the shape
- [Best SCA Tools for Enterprise: 2026 Comparison](https://safeguard.sh/resources/blog/best-sca-tools-enterprise-2026-comparison): A fact-based 2026 review of the best Software Composition Analysis tools for enterprise teams, covering depth, reachabil
- [CVE Triage Is Broken. Here's a Better Workflow.](https://safeguard.sh/resources/blog/cve-triage-is-broken-better-workflow): Most enterprise CVE queues are noise. KEV plus EPSS plus reachability plus policy-as-code cuts the real actionable list
- [tj-actions Compromise: One Year Retrospective](https://safeguard.sh/resources/blog/tj-actions-compromise-one-year-retrospective): A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix
- [Supply Chain Security for Energy (NERC CIP) 2026](https://safeguard.sh/resources/blog/supply-chain-security-energy-nerc-cip-2026): Supply chain security for energy utilities in 2026 means CIP-013-2, CIP-010-4 software integrity, and the CIP-015-1 inte
- [Automating Third-Party Risk Assessment: Moving Beyond Spreadsheets and Questionnaires](https://safeguard.sh/resources/blog/third-party-risk-assessment-automation): Why manual vendor risk assessments are failing, and how automation is reshaping third-party risk management for software
- [CVE-2025-24071 Windows Explorer NTLM Hash Leak](https://safeguard.sh/resources/blog/cve-2025-24071-windows-explorer-ntlm-leak): A .library-ms file extracted from a zip archive can leak NTLM hashes without the user opening anything.
Breakdown of CVE
- [Fine-Tune Backdoors: The Quiet Threat](https://safeguard.sh/resources/blog/ai-security-trend-fine-tune-backdoors): Fine-tuning a model on an attacker-controlled dataset can implant behaviour that only activates under specific condition
- [Rollback Safety: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-rollback-safety): Sometimes a remediation has to be reverted. Griffin AI's minimal, grounded patches roll back cleanly; Mythos-class patch
- [Storm-0558 Microsoft Cloud Identity Aftermath](https://safeguard.sh/resources/blog/storm-0558-microsoft-cloud-identity-aftermath): Storm-0558 forged Microsoft cloud tokens with a stolen MSA key and read government email. Three years later the architec
- [VS Code Marketplace Malware Campaigns in 2025](https://safeguard.sh/resources/blog/vscode-extension-marketplace-malware-campaigns-2025): A senior engineer's review of the 2025 VS Code Marketplace malware wave, including typosquats, trojanized themes, and ex
- [CMMC Pass-Through: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cmmc-pass-through): CMMC 2.0 rollout has made flow-down expectations concrete. AI-for-security tools used by DIB contractors are in scope, a
- [Transitive Depth: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-transitive-depth-comparison): Most scanners stop at five or six levels of transitive depth. Real production graphs run sixty levels deep, and the most
- [Executive Order 14028 at Five Years: A Comprehensive Review](https://safeguard.sh/resources/blog/eo-14028-five-years-comprehensive-review): Five years after President Biden signed EO 14028, we assess what it accomplished, what it missed, and what comes next.
- [How to Sign Container Images with Cosign in Production](https://safeguard.sh/resources/blog/how-to-sign-container-images-cosign-production): Keyless Cosign signing with Fulcio and Rekor is the 2026 default.
Here is the production workflow, policy configuration,
- [Safeguard March 2026 Release Notes](https://safeguard.sh/resources/blog/safeguard-changelog-march-2026): March 2026 at Safeguard.sh: Griffin taint tracking, Eagle SBOM-driven advisories, Lino cross-service baselines, and the
- [FTC and Software Supply Chain Enforcement 2026](https://safeguard.sh/resources/blog/ftc-mgm-breach-settlement-software-implications): The FTC's widening enforcement posture after the MGM breach and related consent orders is reshaping software supply chai
- [How to Rotate Leaked Secrets With Automation (2026)](https://safeguard.sh/resources/blog/how-to-rotate-leaked-secrets-automation-2026): The 2026 playbook for automated secret rotation: detection pipelines, credential broker patterns, blast-radius analysis,
- [CVE-2024-29849 Veeam Auth Bypass Analysis](https://safeguard.sh/resources/blog/cve-2024-29849-veeam-auth-bypass-analysis): CVE-2024-29849 is a CVSS 9.8 auth bypass in Veeam Backup Enterprise Manager. Root cause, exploitation, detection, and pa
- [State of AI Security in Enterprise 2026](https://safeguard.sh/resources/blog/state-of-ai-security-in-enterprise-2026): Where enterprise AI security actually stands in 2026: model supply chain risks, agent threats, governance gaps, and the
- [Training Data Provenance: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-training-data-provenance): Training data is a supply chain component. Knowing what went into a model is the precondition for knowing what could com
- [Mitigating npm Install Scripts Without Breaking Your Build](https://safeguard.sh/resources/blog/mitigate-npm-install-scripts-without-breaking-builds): `--ignore-scripts` is the blunt fix that breaks node-sass and better-sqlite3.
Here is the surgical version that keeps bu
- [Safeguard vs Wiz: Supply Chain Focus 2026](https://safeguard.sh/resources/blog/safeguard-vs-wiz-supply-chain-focus-2026): How Safeguard.sh and Wiz compare in 2026 for software supply chain security, SCA depth, container provenance, and autono
- [Software Supply Chain Security for Healthcare (HIPAA) 2026](https://safeguard.sh/resources/blog/software-supply-chain-security-healthcare-hipaa-2026): Software supply chain security for healthcare in 2026 means the new HIPAA Security Rule, 405(d) practices, and FDA postm
- [Vendor Offboarding and Supply Chain Data Destruction](https://safeguard.sh/resources/blog/vendor-offboarding-supply-chain-data-destruction): A practical playbook for offboarding software vendors and ensuring data is actually destroyed, not just promised to be d
- [Cost Per Finding: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cost-per-finding): Token spend per scan is the wrong metric. Cost per actionable finding is the right one — and it's where engine-plus
- [Dependency Confusion: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-dependency-confusion-scenarios): Dependency confusion is older than most of the AI tooling trying to detect it. The attacks have adapted to the defences
- [Griffin AI vs Poolside for Enterprise Security](https://safeguard.sh/resources/blog/griffin-ai-vs-poolside-for-enterprise-security): Poolside's on-prem code AI is a credible enterprise offering. For security-specific workflows, Griffin AI's grounding ar
- [JSR JavaScript Registry Security Model](https://safeguard.sh/resources/blog/jsr-javascript-registry-security-model): JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default.
Her
- [MCP Authentication Patterns for Enterprise](https://safeguard.sh/resources/blog/mcp-authentication-patterns-enterprise): Enterprise MCP deployments need more than a static API key. The protocol is evolving toward OAuth 2.1 and dynamic client
- [Snowflake Customer Breaches 2024: Root Cause](https://safeguard.sh/resources/blog/snowflake-customer-breaches-2024-root-cause): The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absen
- [Software Signing and Code Integrity in 2026: The Practical State of Play](https://safeguard.sh/resources/blog/software-signing-code-integrity-2026): Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned a
- [Enterprise AI Red Team Program Design](https://safeguard.sh/resources/blog/enterprise-ai-red-team-program-design): AI red teaming is not a one-off exercise. Programmatic red-teaming of AI systems requires specific structure — and most
- [Elastic Scale Behaviour: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-elastic-scale-behaviour): Scanning bursts when a monorepo merges. We explain why Griffin AI absorbs the spike gracefully while Mythos-class tools
- [Griffin AI vs Open Weights: The Eval Gap](https://safeguard.sh/resources/blog/griffin-ai-vs-open-weight-eval-gap): Frontier models pass eval benchmarks that open-weight models miss by specific measurable margins. For security workflows
- [Akira Ransomware VPN Appliance Exploitation](https://safeguard.sh/resources/blog/akira-ransomware-vpn-appliance-exploitation): Akira has industrialized VPN appliance exploitation.
Here is the tradecraft, the advisories that document it, and what d
- [OSS Maintainer Account Takeover Trends 2025](https://safeguard.sh/resources/blog/open-source-maintainer-account-takeover-trends-2025): A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to
- [CVE-2025-1974 Ingress NGINX Controller RCE](https://safeguard.sh/resources/blog/cve-2025-1974-ingress-nginx-controller-rce): IngressNightmare - CVE-2025-1974 in Kubernetes ingress-nginx - gave unauthenticated attackers cluster-wide RCE. Here is
- [The Reproducibility Crisis In AI Security Evals](https://safeguard.sh/resources/blog/ai-security-reproducibility-crisis-mini): ML research has a reproducibility crisis. AI security evaluation inherits it. Vendors publishing numbers that can't
- [Griffin AI vs Claude Prompt Caching: Security](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-prompt-caching-for-security): Claude's prompt caching gives you 90% discount on cached tokens. Security workloads have massive cacheable surface area.
- [Auth Bypass Discovery: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-auth-bypass-discovery): Auth bypasses are rarely a single bug. They live in the interaction between layers — middleware, route handlers, framewo
- [How to Generate an SBOM with GitHub Actions (2026)](https://safeguard.sh/resources/blog/how-to-generate-sbom-github-actions-2026): SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs
- [PyPI 2FA Lessons Two Years In](https://safeguard.sh/resources/blog/pypi-2fa-lessons-two-years-in): PyPI mandated 2FA for all maintainers in 2024.
Two years in, account takeovers dropped — but attackers shifted to OIDC t
- [How to Detect Malicious npm Packages: A Workflow](https://safeguard.sh/resources/blog/how-to-detect-malicious-npm-packages-workflow): A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability check
- [Procurement Security Questionnaires That Actually Work](https://safeguard.sh/resources/blog/procurement-security-questionnaires-that-work): How to design a supplier security questionnaire that produces usable signal, what to cut from standard templates, and ho
- [Safeguard Desktop App 1.0 Release](https://safeguard.sh/resources/blog/safeguard-desktop-application-1-0-release): The Safeguard desktop application is 1.0 on macOS, Windows, and Linux. It brings the full workflow engine, Local Runner,
- [CVE-2024-32002 Git RCE on Clone: Walkthrough](https://safeguard.sh/resources/blog/cve-2024-32002-git-rce-on-clone-walkthrough): CVE-2024-32002 is a Git submodule RCE triggered by a recursive clone on case-insensitive filesystems. Root cause, exploi
- [Software Supply Chain Security Market Map 2026](https://safeguard.sh/resources/blog/software-supply-chain-security-market-map-2026): A senior-analyst market map of software supply chain security in 2026: the vendor categories that consolidated, the ones
- [Chain-Of-Thought For Vulnerability Reasoning](https://safeguard.sh/resources/blog/chain-of-thought-for-vulnerability-reasoning): Chain-of-thought helps LLMs with multi-step problems. For vulnerability reasoning, it helps — but only when the chain is
- [Context Window Limits: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-context-window-limits): Context-window size matters less than context quality.
A look at how Griffin AI's engine-grounded context beats pure-LLM
- [Griffin AI vs OpenAI Assistants API for SecOps](https://safeguard.sh/resources/blog/griffin-ai-vs-openai-assistants-api-for-secops): The OpenAI Assistants API is a general agent framework. SecOps needs more than a framework — it needs the engine-grounde
- [Post-Quantum Signing: An Artifact Migration Plan](https://safeguard.sh/resources/blog/post-quantum-signing-artifact-migration-plan): A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and st
- [Change Healthcare Ransomware 2024: Deep Dive](https://safeguard.sh/resources/blog/change-healthcare-ransomware-2024-deep-dive): The Change Healthcare ransomware attack knocked US healthcare payments offline for weeks. A missing MFA on a Citrix port
- [Safeguard vs Aqua Security Platform Review](https://safeguard.sh/resources/blog/safeguard-vs-aqua-security-platform-review): A fact-based comparison of Safeguard.sh and Aqua Security in 2026 across container coverage, runtime protection, SCA dep
- [The Supply Chain Attack Kill Chain: A Framework for Defense](https://safeguard.sh/resources/blog/supply-chain-attack-kill-chain-framework): We propose a kill chain framework specific to software supply chain attacks, mapping attacker techniques to defensive co
- [The Future of Software Signing Is Keyless](https://safeguard.sh/resources/blog/the-future-of-software-signing-is-keyless): Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing
- [Composer/PHP Package Supply Chain in 2026](https://safeguard.sh/resources/blog/composer-php-package-supply-chain-2026): PHP's Composer and Packagist ecosystem has quietly improved its supply chain story.
Here is where things actually stand
- [Supply Chain Security for Financial Services 2026](https://safeguard.sh/resources/blog/supply-chain-security-financial-services-2026): Supply chain security for financial services in 2026 means DORA, NYDFS 500, FFIEC, and OCC expectations. A practical gui
- [CISA Minimum Elements for SBOM: 2026 Update](https://safeguard.sh/resources/blog/minimum-elements-sbom-cisa-2026-update): A clear walkthrough of CISA's 2026 revisions to the minimum elements for SBOM, what changed from the original NTIA basel
- [Model Substitution Risk In Enterprise Deployments](https://safeguard.sh/resources/blog/frontier-model-limit-model-substitution-risk): The model you think you're calling might not be the model that returns. Model substitution is a quiet supply chain
- [Griffin AI vs Gemini Pricing: Security Scans](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-pricing-for-security-scans): Gemini's pricing table favours long-context workloads. Security scans have long-context structure. The question is how m
- [Onboarding Velocity: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-onboarding-velocity): Time from contract signature to first meaningful finding is the metric procurement cares about. Griffin AI and Mythos-cl
- [SBOM Generation: Syft, Tern, Trivy Compared (2026)](https://safeguard.sh/resources/blog/sbom-generation-tools-syft-tern-comparison-2026): An engineer's side-by-side of Syft, Tern, and Trivy for SBOM generation in 2026, with honest notes on accuracy, performa
- [SBOM-Driven Due Diligence for M&A](https://safeguard.sh/resources/blog/sbom-for-mergers-acquisitions-due-diligence): How SBOMs have become a standard input to technical due diligence for software acquisitions, what acquirers actually loo
- [RAG Poisoning In The Wild: Trend Watch](https://safeguard.sh/resources/blog/ai-security-trend-rag-poisoning-in-the-wild): Retrieval-augmented generation was the 2024 success story.
2026 is when RAG poisoning moved from research to production
- [Transitive Fix Cascades: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-transitive-fix-cascades): A vulnerable transitive dependency may require upgrading an ancestor. Griffin AI computes the cascade; Mythos-class tool
- [How to Comply With EU CRA: A Practical Checklist](https://safeguard.sh/resources/blog/how-to-comply-eu-cyber-resilience-act-checklist): The EU Cyber Resilience Act requires vendors to ship secure-by-default products, provide SBOMs, and report exploited vul
- [The Minimal Base Image Myth: What Actually Reduces Attack Surface](https://safeguard.sh/resources/blog/minimal-base-image-myth-attack-surface-reduction): Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, r
- [npm Protestware Patterns From 2020 to 2026](https://safeguard.sh/resources/blog/npm-protestware-patterns-2020-to-2026): A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons th
- [Right-to-Repair and Software Supply Chain Security](https://safeguard.sh/resources/blog/right-to-repair-software-supply-chain-security): How the right-to-repair movement is reshaping software supply chain obligations in 2026, from firmware transparency to t
- [EU AI Act Alignment: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-eu-ai-act-alignment): EU AI Act enforcement began in 2026. Vendors sold as "AI security tools" are now high-risk systems with docume
- [Version-Aware Resolution: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-version-aware-resolution): A vulnerability in version 1.2.0 may not affect your 1.3.5 install if the fix reshaped the call signature.
Version-aware
- [Nullcon Berlin 2026 Supply Chain Highlights](https://safeguard.sh/resources/blog/nullcon-berlin-2026-software-supply-chain-highlights): Nullcon Berlin 2026 delivered a dense European view of software supply chain research. Here are the themes and sessions
- [Safeguard vs GitHub Advanced Security 2026](https://safeguard.sh/resources/blog/safeguard-vs-github-advanced-security-2026): A technical comparison of Safeguard.sh and GitHub Advanced Security in 2026 across scanning depth, secret detection, con
- [How to Audit Open Source Licenses for Compliance](https://safeguard.sh/resources/blog/how-to-audit-open-source-licenses-compliance-guide): A senior engineer's playbook for auditing open source licenses across modern polyglot repos, from SPDX extraction to enf
- [Safeguard Open Source Manager: A Deep Dive Into Dependency Governance](https://safeguard.sh/resources/blog/safeguard-open-source-manager-deep-dive): An inside look at Safeguard's Open Source Manager — how it tracks, evaluates, and enforces policies across every open-so
- [SBOM Requirements for Automotive (ISO 21434) 2026](https://safeguard.sh/resources/blog/sbom-requirements-automotive-iso-21434-2026): A senior engineer's guide to SBOM requirements for automotive suppliers under ISO/SAE 21434, UNECE WP.29 R155, and the 2
- [Volt Typhoon: Critical Infrastructure Supply Chain](https://safeguard.sh/resources/blog/volt-typhoon-critical-infrastructure-supply-chain): Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party
- [CVE-2024-21413 Outlook Moniker Link Analysis](https://safeguard.sh/resources/blog/cve-2024-21413-outlook-moniker-link-analysis): CVE-2024-21413 is a critical Outlook Moniker Link RCE that bypasses Protected View via a crafted file URL.
Root cause, e
- [CVE-2024-55956 Cleo Harmony/VLTrader RCE](https://safeguard.sh/resources/blog/cve-2024-55956-cleo-harmony-vltrader-rce): Cleo's Harmony, VLTrader, and LexiCom carried an unauthenticated RCE that Clop abused for mass data theft. Here is the t
- [MCP Server Inventory: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-mcp-server-inventory): MCP servers are privileged dependencies. An inventory that tracks them like SBOM tracks packages is the minimum bar — an
- [Container Runtime Security in 2026: What's Changed and What Hasn't](https://safeguard.sh/resources/blog/container-runtime-security-2026-guide): Container security has matured significantly, but runtime protection remains a weak spot. Here's a practical guide to wh
- [XZ Utils Backdoor: One Year Retrospective](https://safeguard.sh/resources/blog/xz-utils-aftermath-one-year-retrospective): A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and wh
- [Cloudflare Workers: Supply Chain Threat Model](https://safeguard.sh/resources/blog/cloudflare-workers-supply-chain-threat-model): Cloudflare Workers collapse the build, deploy, and runtime into one surface. That changes the supply chain threat model
- [Container Security: Why Reachability Analysis Changes Everything](https://safeguard.sh/resources/blog/container-security-reachability-analysis): Stop chasing phantom vulnerabilities. Learn how reachability analysis reduces CVE noise by 80% and focuses remediation o
- [GenAI Coding Agent Privilege Escalation](https://safeguard.sh/resources/blog/genai-coding-agent-privilege-escalation): Autonomous coding agents can escalate privilege in subtle ways that traditional threat models miss. A breakdown of the c
- [Griffin AI vs GitHub Copilot for Vulnerability Fixing](https://safeguard.sh/resources/blog/griffin-ai-vs-github-copilot-for-vulnerability-fixing): GitHub Copilot suggests fixes.
Griffin AI generates fix PRs with taint paths and disproof attached. The difference is re
- [Continuous Eval & Release Gating: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-continuous-eval-release-gating): Evals that run once are marketing. Evals that run on every build are infrastructure. Griffin AI runs the harness on ever
- [Race Condition Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-race-condition-detection): Race conditions are the hardest class of vulnerabilities for static analysis. Specific architectural capabilities separa
- [Post-Quantum Cryptography Migration for Software Supply Chains](https://safeguard.sh/resources/blog/post-quantum-cryptography-migration-supply-chains): NIST finalized ML-KEM, ML-DSA, and SLH-DSA in 2024. Here's what it means for Sigstore, package registry signing, TLS, an
- [How Safeguard Partners With MSSP Programs](https://safeguard.sh/resources/blog/how-safeguard-partners-with-mssp-programs): A practical guide to how Safeguard.sh works with managed security service providers — including the partners under explo
- [Cyber Insurance Exclusions for Supply Chain Incidents](https://safeguard.sh/resources/blog/insurance-cyber-policy-software-supply-chain-exclusions): What 2026 cyber insurance policies actually exclude for software supply chain incidents, how carriers test your controls
- [JSR/Deno Package Ecosystem Supply Chain](https://safeguard.sh/resources/blog/jsr-deno-package-ecosystem-supply-chain): JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what
- [Enterprise AI Data Residency Requirements, 2026](https://safeguard.sh/resources/blog/enterprise-ai-data-residency-requirements): Data residency for AI workloads has moved from nice-to-have to contractually required.
The shape of the requirement is s
- [False Positive Cost: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-false-positive-cost): A false positive is not free. It costs engineer attention, trust in the tool, and eventually the security programme's cr
- [Injection Path Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-injection-path-detection): Injection vulnerabilities are not really about the sink. They are about the path from untrusted input to the sink. The p
- [Griffin AI vs Open Weights: On-Prem Tradeoffs](https://safeguard.sh/resources/blog/griffin-ai-vs-open-weight-on-prem-tradeoffs): Open-weight models let you run everything locally. The tradeoff is quality, cost, and operational overhead. Griffin AI p
- [Fine-Tuning Poisoning Detection for Supply Chains](https://safeguard.sh/resources/blog/fine-tuning-poisoning-detection-supply-chain): Fine-tuning inherits every problem of the base model and adds dataset provenance as a new one. Here is how detection act
- [Safeguard vs Snyk: Detailed 2026 Comparison](https://safeguard.sh/resources/blog/safeguard-vs-snyk-comparison-2026): A senior engineer's breakdown of how Safeguard.sh and Snyk differ in 2026 across SCA depth, reachability analysis, remed
- [Safeguard MCP Server: Public Release Details](https://safeguard.sh/resources/blog/safeguard-mcp-server-public-release-2026): The Safeguard MCP Server is publicly available and works with Claude Desktop, claude.ai, Claude Code, ChatGPT, Cursor, G
- [CVE-2024-23897 Jenkins CLI File Read Deep Dive](https://safeguard.sh/resources/blog/cve-2024-23897-jenkins-cli-file-read-deep-dive): CVE-2024-23897 is a Jenkins CLI arbitrary file-read flaw that leaks secrets and enables RCE chains. Root cause, exploita
- [LLM-As-Judge Pitfalls In Security Evals](https://safeguard.sh/resources/blog/ai-security-llm-as-judge-pitfalls): Using an LLM to score another LLM's output is expedient and dangerous.
The judge has its own biases — ones that aff
- [Griffin AI vs Claude Batch API for Scanning](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-batch-api-for-scanning): Claude's Batch API gives you 50% off for async workloads. Griffin AI uses it internally. The question is whether your te
- [Automotive OEM ISO 21434 Compliance](https://safeguard.sh/resources/blog/customer-story-automotive-oem-iso-21434-compliance): An anonymized look at how a major automotive OEM used Safeguard.sh to operationalize ISO/SAE 21434 software supply chain
- [Why Developer Experience Matters to Security Programs](https://safeguard.sh/resources/blog/why-developer-experience-matters-security-programs): Security programs that ignore developer experience fail. This is not a culture complaint — it is a throughput argument,
- [Dependency Update Triage Strategy for Eng Teams](https://safeguard.sh/resources/blog/dependency-update-triage-strategy-engineering-teams): An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in
- [SBOM Quality Across Ecosystems: 2026 Report](https://safeguard.sh/resources/blog/safeguard-research-sbom-quality-across-ecosystems-report): The Safeguard Research team measured SBOM quality across ecosystems and generators. The gaps between formats, tools, and
- [Griffin AI vs GPT-5: Enterprise Controls](https://safeguard.sh/resources/blog/griffin-ai-vs-gpt-5-enterprise-controls): Frontier models offer impressive enterprise features.
Security programs need deeper controls than chat can provide—contr
- [Why Engine-Plus-LLM Beats Pure-LLM: Griffin vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-engine-plus-llm-advantage): The structural case for engine-plus-LLM security reasoning — and why pure-LLM products in the Mythos class hit a ceiling
- [Task-Routed LLM Architectures For Security](https://safeguard.sh/resources/blog/task-routed-llm-architectures-for-security): One model for every task wastes budget on trivial work. Task-routed architectures match model capability to task require
- [Windsurf vs Sourcegraph Cody: Security Comparison](https://safeguard.sh/resources/blog/windsurf-cody-security-comparison): A side-by-side security comparison of Windsurf and Sourcegraph Cody: data handling, agent scope, deployment models, and
- [Microsoft Midnight Blizzard Source Code Theft 2024](https://safeguard.sh/resources/blog/microsoft-midnight-blizzard-source-code-theft-2024): Midnight Blizzard moved from email exfiltration to Microsoft source code repositories. The pivot from stolen OAuth token
- [SBOMs for Firmware and IoT Devices: The Hard Problem](https://safeguard.sh/resources/blog/sbom-for-firmware-iot-devices): Generating accurate SBOMs for firmware and IoT devices remains one of the toughest challenges in supply chain security.
- [Cozy Bear / Midnight Blizzard Supply Chain Tactics](https://safeguard.sh/resources/blog/apt-cozy-bear-midnight-blizzard-supply-chain): Midnight Blizzard (APT29, Cozy Bear) has refined long-dwell supply chain access into an operational art.
Here is what th
- [DORA for Financial Services Software Supply Chain](https://safeguard.sh/resources/blog/dora-eu-software-supply-chain-for-financial-services): How EU DORA is reshaping software supply chain expectations for financial services in 2026, with practical guidance on I
- [CVE-2024-45519 Zimbra Unauth RCE Breakdown](https://safeguard.sh/resources/blog/cve-2024-45519-zimbra-unauth-rce-breakdown): A technical breakdown of CVE-2024-45519, the unauthenticated RCE in Zimbra's postjournal service, how it was exploited i
- [Retrieval Context Poisoning At Scale](https://safeguard.sh/resources/blog/frontier-model-limit-retrieval-context-poisoning): Retrieval context poisoning scales differently than direct prompt injection. The attacker's leverage grows with the
- [Griffin AI vs Gemini Multimodal: Security](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-multimodal-for-security): Gemini's multimodal capabilities are genuinely useful for some security workflows. For most security workflows, the moda
- [Federal Compliance Readiness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-federal-compliance-readiness): Federal compliance is a long investment, not a marketing claim. Safeguard's FedRAMP HIGH and IL7 readiness is the differ
- [Incident Response Playbook for a Compromised Dependency](https://safeguard.sh/resources/blog/incident-response-playbook-compromised-dependency): A concrete, timed playbook for the 72 hours after a critical dependency advisory — inventory, reachability, containment,
- [AWS EKS Pod Identity vs. IRSA for Supply Chain](https://safeguard.sh/resources/blog/aws-eks-pod-identity-vs-irsa-supply-chain): Pod Identity and IRSA both give EKS workloads AWS identities. The supply chain implications diverge once you look past t
- [Buy vs. Build a Supply Chain Security Platform](https://safeguard.sh/resources/blog/buy-vs-build-supply-chain-security-platform): When building your own software supply chain security platform makes sense, when it does not, and the hybrid architectur
- [pnpm and Yarn Modern Lockfile Security](https://safeguard.sh/resources/blog/pnpm-yarn-modern-lockfile-security): pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters
- [The Eval Culture Shift in AI Security](https://safeguard.sh/resources/blog/ai-security-trend-eval-culture-shift): Two years ago, AI vendors shipped without evals. In 2026, the posture has shifted. Customers expect benchmarks. Vendors
- [Dependency Upgrade Picks: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-dependency-upgrade-recommendations): The version a remediation tool picks matters more than the fact that it picked one. Griffin AI grounds its choice in the
- [Gartner SRM Summit 2025 Recap](https://safeguard.sh/resources/blog/gartner-security-risk-management-summit-2025-recap): Gartner's 2025 Security & Risk Management Summit pushed CISOs to focus on supply chain risk, AI governance, and measurab
- [CVE-2024-4577 PHP CGI Argument Injection Explained](https://safeguard.sh/resources/blog/cve-2024-4577-php-cgi-argument-injection-explained): CVE-2024-4577 is a CVSS 9.8 argument injection in PHP-CGI on Windows that bypasses CVE-2012-1823's fix. Root cause, expl
- [HIPAA Supply Chain Controls: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-hipaa-supply-chain-controls): HIPAA's software supply chain expectations have sharpened in 2025-2026. Evidence generation is the difference between pa
- [Source/Sink Classification: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-source-sink-classification): Taint analysis only works if sources and sinks are labeled correctly.
Griffin AI uses a curated catalog; Mythos-class to
- [MCP Server Registry Security Governance](https://safeguard.sh/resources/blog/mcp-server-registry-security-governance): MCP servers are becoming a new dependency class with their own supply chain risks. How to think about registry governanc
- [Agent-to-Agent Security in Multi-Agent Systems](https://safeguard.sh/resources/blog/agent-to-agent-security-multi-agent-systems): Multi-agent systems inherit every trust problem of single-agent systems and add a few more. Here is how the threat model
- [FAQ: When Do You Need a Dedicated SBOM Tool?](https://safeguard.sh/resources/blog/faq-when-do-you-need-a-dedicated-sbom-tool): When a scanner's built-in SBOM export stops being enough — signals you need a dedicated SBOM tool, what one actually doe
- [Federal Software Procurement and SBOM Requirements: A Vendor's Playbook](https://safeguard.sh/resources/blog/federal-software-procurement-sbom-requirements): If you sell software to the US government, SBOM requirements are now non-negotiable. Here's a practical playbook for com
- [Multi-Arch Image Builds and Attestation Pitfalls](https://safeguard.sh/resources/blog/multi-arch-image-builds-attestation-pitfalls): Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to
- [Model Inventory Tracking: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-model-inventory-tracking): You cannot secure what you cannot enumerate. Griffin AI maintains a typed inventory of every model, version, and deploym
- [Griffin AI vs Cursor Tab for Security Review](https://safeguard.sh/resources/blog/griffin-ai-vs-cursor-tab-for-security-review): Cursor Tab is excellent at in-editor autocomplete.
For security review, the workflow is different enough that the right
- [CSRF Modern Forms: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-csrf-modern-forms): CSRF in 2026 is not the 2012 attack. SameSite cookies, fetch metadata, and modern frameworks changed the landscape. Dete
- [Golden Dataset Design: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-golden-dataset-design): Benchmark scores are only as honest as the dataset behind them. Griffin AI publishes golden-dataset design notes; Mythos
- [KEV, EPSS, CVSS: Which Signal Should Drive Patching?](https://safeguard.sh/resources/blog/kev-epss-cvss-which-signal-drives-patching): CVSS measures severity, EPSS predicts exploitation, KEV confirms active exploitation. Each answers a different question,
- [Open Source Security Summit 2026: Key Takeaways](https://safeguard.sh/resources/blog/open-source-security-summit-2026-recap): We attended the Open Source Security Summit 2026 and came back with five actionable insights for security teams.
- [cargo-audit and cargo-deny: A Real Workflow](https://safeguard.sh/resources/blog/cargo-audit-deny-advisories-workflow): A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the
- [Dependabot vs. Renovate: Operational Experience](https://safeguard.sh/resources/blog/dependabot-vs-renovate-operational-experience): Both tools open the same kind of PR. The differences that matter at scale show up in configuration, grouping, platform s
- [DPRK IT Worker Supply Chain Insider Threat](https://safeguard.sh/resources/blog/north-korea-it-worker-supply-chain-insider-threat): DPRK operatives have placed themselves inside Western companies as remote developers.
Here is how that pattern functions
- [Safeguard Partnership Strategy 2026](https://safeguard.sh/resources/blog/safeguard-partnership-strategy-2026): How Safeguard.sh thinks about partnerships in 2026 — the motions we prioritize, the partners we seek, and the customer o
- [Self-Healing Containers Now Generally Available](https://safeguard.sh/resources/blog/safeguard-self-healing-containers-general-availability): Self-healing containers detect, remediate, and rebuild images when CVEs appear in their dependency closure. Here is how
- [TCO of SCA Platforms in 2026: What to Model](https://safeguard.sh/resources/blog/total-cost-of-ownership-sca-platforms-2026): A realistic model for the total cost of ownership of software composition analysis platforms in 2026, including the hidd
- [Hugging Face Model Hub Supply Chain Risks in 2025](https://safeguard.sh/resources/blog/huggingface-model-hub-supply-chain-risks-2025): Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model
- [Enterprise AI Procurement Due Diligence Checklist](https://safeguard.sh/resources/blog/enterprise-ai-procurement-due-diligence-checklist): AI-for-security procurement covers more than feature comparison. The due diligence checklist that surfaces structural di
- [Deserialization Chains: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-deserialization-chains): CWE-502 deserialisation chains are the canonical stress test for AI bug hunters. Why Griffin AI's grounded synthesis fin
- [Triage Backlog Reduction: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-triage-backlog-reduction): A shrinking triage queue is the clearest sign a security programme is working.
We explain why Griffin AI shrinks queues
- [Griffin AI vs Fine-Tuned Open Weights for SecOps](https://safeguard.sh/resources/blog/griffin-ai-vs-open-weight-fine-tuning-for-secops): Fine-tuning an open-weight model sounds like a shortcut to a custom SecOps copilot. In practice, it is one step of a muc
- [Buy, Build, or Hybrid: Supply Chain Security in 2026](https://safeguard.sh/resources/blog/buy-build-hybrid-supply-chain-security-2026): The build-it-yourself era of supply chain security is ending. The full-stack vendor era has not arrived. The right archi
- [Defense Contractor IL7 Deployment Walkthrough](https://safeguard.sh/resources/blog/customer-story-defense-contractor-il7-deployment): An anonymized account of how a US defense prime deployed Safeguard.sh in an IL7 classified environment supporting a DoD
- [Getting Started: Safeguard Kubernetes Admission](https://safeguard.sh/resources/blog/getting-started-safeguard-kubernetes-admission): Deploy the Safeguard admission controller to block images with unresolved critical vulnerabilities before they run in yo
- [Multi-Cloud Software Supply Chain Abstractions](https://safeguard.sh/resources/blog/multi-cloud-software-supply-chain-abstractions): Running supply chain controls across AWS, Azure, and GCP means picking the right abstractions. Here is which ones hold u
- [Top 10 Riskiest Transitive Dependencies 2026](https://safeguard.sh/resources/blog/safeguard-research-top-10-riskiest-transitive-deps-2026): The Safeguard Research team built a risk index for transitive dependencies and ranked the ten categories that concentrat
- [Leakage Testing Methods For Security Benchmarks](https://safeguard.sh/resources/blog/ai-security-benchmark-leakage-testing-methods): A benchmark that the model has seen in training is a benchmark of memorisation.
Specific leakage-testing methods separat
- [Griffin AI vs Claude Desktop MCP for Security](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-desktop-mcp-integration): Claude Desktop's MCP support makes it a capable security tool. Griffin AI builds on that foundation rather than competin
- [Griffin AI vs Mythos: Architecture Deep Dive](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-architecture-deep-dive): An architectural comparison of Griffin AI's engine-grounded reasoning stack against the pure-LLM pattern that Mythos-cla
- [MCP Transport Layer Security Options](https://safeguard.sh/resources/blog/mcp-transport-layer-security-options): MCP supports stdio, streamable HTTP, and a handful of experimental transports. Each has distinct security properties, an
- [Multi-Modal AI Supply Chain Considerations](https://safeguard.sh/resources/blog/multi-modal-ai-supply-chain-considerations): Multi-modal models bring image, audio, and video into the AI supply chain. Each modality introduces provenance and integ
- [AI-Generated Dockerfile Vulnerability Patterns](https://safeguard.sh/resources/blog/ai-generated-dockerfile-vulnerability-patterns): LLM-generated Dockerfiles repeat the same six or seven mistakes. Here is the pattern catalog and how to catch them befor
- [Cloud Supply Chain Security Across AWS, Azure, and GCP](https://safeguard.sh/resources/blog/cloud-supply-chain-security-aws-azure-gcp): Each major cloud provider approaches supply chain security differently.
Here's a practical comparison and what it means
- [npm Slopsquat: The Hallucinated Package Risk in 2026](https://safeguard.sh/resources/blog/npm-slopsquat-hallucinated-package-risk-2026): Slopsquatting is the practice of registering package names that LLMs hallucinate, turning AI coding assistants into an a
- [Safeguard February 2026 Release Notes](https://safeguard.sh/resources/blog/safeguard-changelog-february-2026): February 2026 at Safeguard.sh: Lino behavioral baselines, Eagle base image advisories, Griffin reachability for Rust, an
- [YAML Deserialization Attacks: The Config File That Runs Code](https://safeguard.sh/resources/blog/yaml-deserialization-attacks): YAML's type system allows object instantiation during parsing. In many languages, this means a YAML file can execute arb
- [NIST SSDF Audit: What Auditors Actually Check](https://safeguard.sh/resources/blog/nist-ssdf-secure-software-development-framework-audit): A practical walkthrough of what NIST Secure Software Development Framework audits look like in 2026, where evidence gaps
- [Griffin AI vs OpenAI Function Calling: Scoping](https://safeguard.sh/resources/blog/griffin-ai-vs-openai-function-calling-scoping): Function calling gives models the ability to act. Acting safely on behalf of a specific user, in a specific context, wit
- [LLM Selection Cost-Quality Tradeoff For Security](https://safeguard.sh/resources/blog/llm-selection-cost-quality-tradeoff-security): LLM selection is ultimately a cost-quality optimisation under workflow constraints. The curve is not smooth, and the rig
- [Black Basta Ransomware Leak Lessons Learned](https://safeguard.sh/resources/blog/blackbasta-ransomware-leak-lessons-learned): The Black Basta chat leak gave defenders a rare inside view of how a ransomware program operates.
Here are the durable e
- [NuGet Package Signing Status in 2026](https://safeguard.sh/resources/blog/nuget-package-signing-microsoft-2026): NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what
- [Unbounded Output Space And Security Contracts](https://safeguard.sh/resources/blog/frontier-model-limit-unbounded-output-space): A function whose output space is finite and enumerable can be secured by testing. A function whose output space is every
- [Bring-Your-Own-Model: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-bring-your-own-model): Model lock-in is the quiet liability of pure-LLM vendors. Safeguard's bring-your-own-model story gives enterprises the o
- [Griffin AI vs Vertex AI Safety for Enterprise](https://safeguard.sh/resources/blog/griffin-ai-vs-vertex-ai-safety-for-enterprise): Vertex AI Safety is Google's approach to enterprise AI controls. For security-specific workflows, Griffin AI adds ground
- [FAQ: How Much Does Supply Chain Security Cost?](https://safeguard.sh/resources/blog/faq-how-much-does-supply-chain-security-cost-2026): Real numbers for supply chain security in 2026 — tool spend, headcount, hidden costs, SMB vs enterprise ranges, and wher
- [KubeCon NA 2025: Supply Chain Security Themes](https://safeguard.sh/resources/blog/kubecon-na-2025-supply-chain-security-themes): KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation.
Here is what
- [Board-Level Supply Chain Security Reporting](https://safeguard.sh/resources/blog/board-level-supply-chain-security-reporting): A practical template for reporting software supply chain risk to the board, including the three slides that work, the la
- [K8s RBAC Blast Radius in Supply Chain Attacks](https://safeguard.sh/resources/blog/kubernetes-rbac-blast-radius-supply-chain): How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC
- [EU AI Act Enforcement: Year One Review](https://safeguard.sh/resources/blog/ai-security-trend-eu-ai-act-enforcement-first-year): The first enforcement window under the EU AI Act has closed. The actual pattern of enforcement looks different from the
- [Patch Minimality: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-patch-minimality): A minimal patch is easier to review, safer to merge, and cheaper to roll back. Griffin AI enforces minimality; Mythos-cl
- [MCP Server Rate-Limiting Patterns](https://safeguard.sh/resources/blog/mcp-server-rate-limiting-patterns): A practical look at rate-limiting patterns for Model Context Protocol servers, covering per-tool quotas, token budgets,
- [Securing MCP Servers in the Enterprise: A Practical Guide](https://safeguard.sh/resources/blog/securing-mcp-servers-enterprise-guide): MCP servers connect AI agents to your infrastructure. Here's how to secure them without killing the productivity gains.
- [AI Models in Your Supply Chain: The Security Risks Nobody Talks About](https://safeguard.sh/resources/blog/ai-supply-chain-security-risks): AI/ML models are the new open source libraries. Here's why your supply chain security strategy needs to account for mode
- [Framework Routing Awareness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-framework-routing-awareness): Every HTTP vulnerability begins at a route. Griffin AI models routing; Mythos-class tools guess it.
That difference shap
- [PCI DSS 4.0 Alignment: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-pci-dss-4-alignment): PCI DSS 4.0 raised the evidence bar for software security, supplier management, and continuous assurance. Griffin AI mee
- [Getting Started: Safeguard GitHub Actions Gate](https://safeguard.sh/resources/blog/getting-started-safeguard-github-actions-gate): Set up the Safeguard GitHub Action to block risky pull requests on dependency vulnerabilities, license violations, and p
- [GCP Artifact Analysis API for Vulnerability Triage](https://safeguard.sh/resources/blog/gcp-artifact-analysis-api-vulnerability-triage): GCP's Artifact Analysis API is the most direct way to get scan results into your triage tooling. Here is how to use it w
- [Multi-Tenant Isolation for FedRAMP HIGH](https://safeguard.sh/resources/blog/safeguard-multi-tenant-isolation-architecture-fedramp): How Safeguard achieves hard multi-tenant isolation in a platform that meets FedRAMP HIGH — the boundaries, the proofs, a
- [Supply Chain Security KPIs for Engineering Leaders](https://safeguard.sh/resources/blog/supply-chain-security-kpis-for-engineering-leaders): If you cannot measure your supply chain security posture, you cannot invest in it. Here are the KPIs that separate real
- [SLSA Provenance Consumption: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-slsa-provenance-consumption): SLSA provenance is the cryptographic receipt of a build. Griffin AI verifies it, parses it, and uses it as typed evidenc
- [Copilot Code Review Security: What It Misses](https://safeguard.sh/resources/blog/copilot-code-review-security-limitations): Copilot's code review is useful. It is also not a security review, and treating it as one is how vulnerabilities ship.
H
- [LockBit Takedown: What Came After](https://safeguard.sh/resources/blog/lockbit-operational-takedown-aftermath): Operation Cronos disrupted LockBit's infrastructure but not the underlying affiliate economy. Here is what actually chan
- [Safeguard Gold Expands to 6,000+ Artifacts](https://safeguard.sh/resources/blog/safeguard-gold-registry-expansion-6000-artifacts): The Gold Registry now carries 6,000+ curated zero-CVE packages and images across ten ecosystems. Here is what is in it,
- [debug/chalk npm Compromise Sept 2025: Deep Dive](https://safeguard.sh/resources/blog/debug-chalk-npm-compromise-sept-2025): A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hija
- [Cursor IDE Security Model: What Enterprises Need to Know](https://safeguard.sh/resources/blog/cursor-ide-security-model-2026): Cursor's 2026 security model introduces privacy modes, indexing controls, and agent sandboxes. Here is the enterprise-re
- [Regression Gates: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-regression-gates): Every release risks making the model worse. Griffin AI's regression gates block bad builds before they ship. Mythos-clas
- [XSS Variants: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-xss-variants): Stored, reflected, DOM, mutation, and template-injection XSS each live in a different part of the application and demand
- [Griffin AI vs Reka Multimodal for Security](https://safeguard.sh/resources/blog/griffin-ai-vs-reka-multimodal-security-use): Reka's multimodal models are interesting for specific security workflows.
The question is whether multimodal is the bind
- [SaaS Vendor's EU CRA Readiness Sprint](https://safeguard.sh/resources/blog/customer-story-saas-vendor-cra-readiness-sprint): An anonymized account of how a mid-sized European SaaS vendor prepared for the EU Cyber Resilience Act using a focused 1
- [The End of CVSS-Only Prioritization](https://safeguard.sh/resources/blog/the-end-of-cvss-only-prioritization): A single static severity score cannot tell you which vulnerability to fix first. Modern prioritization is a function of
- [Maven Central Sigstore Migration Status](https://safeguard.sh/resources/blog/maven-central-sigstore-migration-status): Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands an
- [AI Code Assistant Package Hallucination Study](https://safeguard.sh/resources/blog/safeguard-research-ai-code-assistant-package-hallucination-study): The Safeguard Research team measured how often AI coding assistants hallucinate non-existent packages, how sticky those
- [Sify Technology and US Enterprise Reach: What We're Evaluating](https://safeguard.sh/resources/blog/safeguard-sify-technology-us-enterprise-reach): A closer look at the enterprise accounts, verticals, and delivery capabilities that make Sify Technology (USA) an intere
- [Enterprise AI Incident Response Playbooks](https://safeguard.sh/resources/blog/enterprise-ai-incident-response-playbooks): AI incidents are not the same shape as traditional security incidents. The playbooks need to be specific to how AI syste
- [Griffin AI vs Gemma for Lightweight Scanning](https://safeguard.sh/resources/blog/griffin-ai-vs-gemma-for-lightweight-scanning): Gemma is built for efficiency. Can a small open-weight model replace Griffin AI for lightweight scanning workflows, or d
- [Engineer-Hour Savings: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-engineer-hour-savings): The real cost of a scanner is not the subscription.
It is the engineer hours lost to false positives, bad remediations,
- [Novel Bug Class Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-novel-bug-class-detection): What happens when the bug does not match any known CWE? A study of how grounded and pure-LLM scanners perform on genuine
- [Container Breakout Class Vulnerabilities 2024-2025](https://safeguard.sh/resources/blog/container-breakout-class-vulnerabilities-2024-2025): A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and
- [EU Cyber Resilience Act Enforcement Timeline 2026](https://safeguard.sh/resources/blog/eu-cyber-resilience-act-enforcement-timeline-2026): The EU Cyber Resilience Act is already biting in 2026. Here is the enforcement timeline manufacturers, integrators, and
- [OpenVEX vs. CycloneDX VEX: Which to Pick](https://safeguard.sh/resources/blog/vex-openvex-vs-cyclonedx-vex-which-to-pick): A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operationa
- [VMware ESXi CVE-2024-37085 Auth Bypass by Ransomware](https://safeguard.sh/resources/blog/cve-2024-37085-vmware-esxi-auth-bypass): CVE-2024-37085 abuses ESXi's AD domain join to grant admin via a specially named group. Exploitation by Akira and Black
- [Benchmark Contamination Concerns In Security Evals](https://safeguard.sh/resources/blog/ai-security-benchmark-contamination-concerns): When the test set is in the training set, the benchmark is broken. Security eval contamination is widespread and the mit
- [Griffin AI vs Claude Agent Skills for Security](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-agent-skills-for-security): Anthropic's Claude Agent Skills let you package tools and context for Claude.
Here's how that primitive compares to Grif
- [Griffin AI vs Mythos: The Security Platform Comparison](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-security-platform-comparison): A senior engineer's side-by-side look at Griffin AI and Mythos — why engine-grounded reasoning beats pure-LLM security i
- [FAQ: Building an AppSec Program From Scratch](https://safeguard.sh/resources/blog/faq-building-appsec-program-from-scratch-2026): How to stand up an application security program from zero in 2026 — headcount, tooling, first 90 days, metrics, and the
- [Maven Central Malicious Publishing Trends 2025](https://safeguard.sh/resources/blog/maven-central-malicious-publishing-trends-2025): Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicio
- [Azure ACR Image Signing with Notation Policy](https://safeguard.sh/resources/blog/azure-acr-image-signing-notation-policy): Azure Container Registry plus Notation gives you signing, trust policy, and AKS enforcement without bolting on Sigstore.
- [FIN7 Supply Chain Social Engineering (2024)](https://safeguard.sh/resources/blog/fin7-supply-chain-social-engineering-2024): FIN7 built tooling that made its social engineering feel like a SaaS product. Here is how its 2024 tradecraft blended ma
- [Reproducible Builds: Why Bother in 2026?](https://safeguard.sh/resources/blog/reproducible-builds-why-bother-in-2026): Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SB
- [Introducing Griffin AI v2: Context-Aware Security Intelligence](https://safeguard.sh/resources/blog/safeguard-griffin-ai-v2-release): Griffin AI v2 brings multi-step reasoning, remediation generation, and deep organizational context to Safeguard's AI eng
- [Griffin AI vs GPT-5: Context Grounding](https://safeguard.sh/resources/blog/griffin-ai-vs-gpt-5-context-grounding): A million-token context window is a tool, not a solution.
Context grounding for security requires architecture, not just
- [Evaluating Security-Specific Reasoning Models](https://safeguard.sh/resources/blog/security-specific-reasoning-model-evaluation): Reasoning models have arrived in security tooling. Evaluating them requires different methodology from evaluating classi
- [Getting Started with Safeguard MCP + ChatGPT](https://safeguard.sh/resources/blog/getting-started-safeguard-mcp-with-chatgpt): Expose the Safeguard MCP server to ChatGPT so the assistant can run live dependency scans and pull advisory data instead
- [RSA Conference 2026: Supply Chain Themes](https://safeguard.sh/resources/blog/rsa-conference-2026-supply-chain-themes): RSA Conference 2026 centered on AI governance, software supply chain regulation, and vendor consolidation. Here is the a
- [Hiring Software Supply Chain Security Engineers](https://safeguard.sh/resources/blog/hiring-software-supply-chain-security-engineers): What to screen for, how to structure interviews, and the signals that distinguish real supply chain security engineers f
- [xrpl.js npm Backdoor April 2025 Incident Analysis](https://safeguard.sh/resources/blog/xrpl-js-npm-backdoor-april-2025): A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL i
- [Tool-Call Privilege Escalation In Practice](https://safeguard.sh/resources/blog/frontier-model-limit-tool-call-privilege-escalation): When an agent can call tools, the permission boundary is no longer between the user and the system. It is between the mo
- [Griffin AI vs Gemini Function Calling: Security](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-function-calling-for-security): Gemini's function calling is strong and flexible. Griffin AI's tool layer is narrow and opinionated.
For security workfl
- [RBAC & Scoping: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-rbac-and-scoping): An AI that reads your security data needs the same access controls as a human analyst. Most pure-LLM vendors stop at the
- [MCP Server Multi-Tenant Isolation](https://safeguard.sh/resources/blog/mcp-server-multi-tenant-isolation): Practical guidance on isolating tenants on shared Model Context Protocol servers, covering identity, data, compute, and
- [AI Model Weights: Signing, Attestation, Provenance](https://safeguard.sh/resources/blog/ai-model-weights-signing-attestation): Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, an
- [GitLab OIDC Token Theft: Workflow Research](https://safeguard.sh/resources/blog/gitlab-oidc-token-theft-workflow-research): GitLab CI OIDC tokens are becoming the keys to cloud kingdoms. Recent research shows how workflow misconfigurations leak
- [SBOM Enrichment and Vulnerability Correlation: Turning Inventory into Intelligence](https://safeguard.sh/resources/blog/sbom-enrichment-vulnerability-correlation): A raw SBOM is a parts list. An enriched SBOM is a risk assessment. Here's how to bridge the gap.
- [Safeguard Policy Evaluation Engine](https://safeguard.sh/resources/blog/safeguard-policy-evaluation-engine-architecture): How Safeguard's policy engine evaluates thousands of rules per artifact with predictable latency — the compiler, the cac
- [AI-BOM Adoption: State of the Art in 2026](https://safeguard.sh/resources/blog/ai-security-trend-ai-bom-adoption-2026): The AI Bill of Materials went from concept paper to procurement requirement in under two years. Here is what the current
- [Fix Explanation Quality: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-fix-explanation-quality): A remediation PR explanation is either evidence or storytelling.
Griffin AI attaches taint paths and disproof attempts;
- [Go Module Checksum Database In Depth](https://safeguard.sh/resources/blog/go-module-checksum-database-in-depth): The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it
- [Dynamic Dispatch: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-dynamic-dispatch-handling): Dynamic dispatch hides real exploits behind indirection. Griffin AI models the dispatch; Mythos-class tools guess. That
- [Fargate/ECS Container Supply Chain Pitfalls](https://safeguard.sh/resources/blog/fargate-ecs-container-supply-chain-pitfalls): The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do
- [Gamaredon Ukraine Targeting Supply Chain 2025](https://safeguard.sh/resources/blog/gamaredon-ukraine-targeting-supply-chain-2025): Gamaredon's 2025 operations against Ukraine have leaned harder into software and MSP supply chain pivots. Here is the tr
- [Lazarus Group: 3CX and Software Builds](https://safeguard.sh/resources/blog/lazarus-group-3cx-and-software-builds): Lazarus turned a developer's personal machine into a corporate build-system compromise. Here is how that cascade actuall
- [Secure Defaults for Internal Developer Platforms](https://safeguard.sh/resources/blog/secure-defaults-for-internal-developer-platforms): An IDP that makes the secure path the easy path wins. One that requires engineers to opt into security loses. Here is ho
- [CUPS CVE-2024-47176: Network RCE via IPP](https://safeguard.sh/resources/blog/cve-2024-47176-cups-network-rce): CVE-2024-47176 in cups-browsed lets attackers add rogue printers over UDP 631 and chain to RCE. Exploit flow, detection,
- [ISO 27001 Mapping: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-iso-27001-mapping): ISO 27001 Annex A has 93 controls in the 2022 revision, each needing documented evidence.
Griffin AI emits records that
- [VEX Integration: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-vex-integration): VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured s
- [LLM Output Filtering as a Security Control](https://safeguard.sh/resources/blog/llm-output-filtering-as-security-control): Output filters are the last line before the user and the tool call. We cover when they work, when they fail, and how to
- [Federal Agency FedRAMP Evidence Pack in 30 Days](https://safeguard.sh/resources/blog/customer-story-federal-agency-fedramp-evidence-pack): An anonymized look at how a US federal civilian agency assembled a complete FedRAMP High supply chain evidence pack in 3
- [LLM Jailbreak as a Supply Chain Risk in 2026](https://safeguard.sh/resources/blog/llm-jailbreak-as-supply-chain-risk-2026): A jailbreak in a model you ship downstream is a supply chain incident, not a trivia item. Here is how to reason about it
- [SBOM as a Product, Not a Checkbox](https://safeguard.sh/resources/blog/sbom-as-a-product-not-a-checkbox-2026): Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products i
- [Vulnerability Management Automation in 2026: Beyond Scanning](https://safeguard.sh/resources/blog/vulnerability-management-automation-2026): Modern vulnerability management is shifting from periodic scanning to continuous, automated triage and remediation. Here
- [AWS ECR Signing Policies with Notation](https://safeguard.sh/resources/blog/aws-ecr-signing-policies-notation): ECR now supports Notation-based image signing and trust policy enforcement.
Here is how to design signing policies that
- [Abandoned Dependency Risk Study](https://safeguard.sh/resources/blog/safeguard-research-abandoned-dependency-risk-study): The Safeguard Research team measured how much abandonment exists in real dependency graphs, how it correlates with risk,
- [Solana web3.js npm Backdoor: Dec 2024 Post-Mortem](https://safeguard.sh/resources/blog/solana-web3-js-npm-backdoor-2024): A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and
- [Griffin AI vs Inflection Pi for Security Assistance](https://safeguard.sh/resources/blog/griffin-ai-vs-inflection-pi-for-security-assistance):
- [Path Traversal: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-path-traversal-cases): Path traversal is the vulnerability class that punishes lazy analysis. Framework-specific path normalisation, OS-depende
- [Refusal Rate Analysis: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-refusal-rate-analysis): A security AI that refuses too often is useless. One that refuses too rarely is dangerous. Griffin AI publishes calibrat
- [FAQ: CycloneDX vs SPDX — Which to Use?](https://safeguard.sh/resources/blog/faq-sbom-format-choice-cyclonedx-vs-spdx): Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX suppo
- [Getting Started with Safeguard MCP + Claude Desktop](https://safeguard.sh/resources/blog/getting-started-safeguard-mcp-with-claude-desktop): Connect the Safeguard MCP server to Claude Desktop so your AI assistant can scan dependencies, read SBOMs, and suggest f
- [Leaky Vessels: The runc Container Escape Class (2024)](https://safeguard.sh/resources/blog/leaky-vessels-runc-container-escape-class-2024): Leaky Vessels bundled four CVEs that let container processes escape into the host.
Two years later the class is still mi
- [Safeguard Lino 2.0: Multi-Jurisdiction Compliance](https://safeguard.sh/resources/blog/safeguard-lino-2-0-release-compliance-model): Lino 2.0 is Safeguard's compliance model. The 2.0 release adds multi-jurisdiction mapping, control-level evidence, and a
- [SBOM Ingestion at Scale: An Architecture Guide](https://safeguard.sh/resources/blog/sbom-ingestion-at-scale-architecture): A pragmatic architecture for ingesting, normalizing, and querying hundreds of thousands of SBOMs across an enterprise or
- [SEC Cyber Incident Disclosure Rule: Year Two](https://safeguard.sh/resources/blog/sec-cybersecurity-incident-disclosure-rule-year-two): Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Ite
- [State of Vulnerability Management 2026 Report](https://safeguard.sh/resources/blog/state-of-vulnerability-management-2026-report): Where vulnerability management actually stands in 2026: KEV-driven prioritization, reachability, SLAs that hold, and the
- [Enterprise LLM Budget Management Patterns](https://safeguard.sh/resources/blog/enterprise-llm-budget-management-patterns): LLM spend forecasting is where finance teams meet AI engineering for the first time. The patterns that produce predictab
- [Griffin AI vs DeepSeek Coder for Security Review](https://safeguard.sh/resources/blog/griffin-ai-vs-deepseek-coder-for-security-review): DeepSeek Coder has become a favourite for code-focused workloads. This is how it compares to Griffin AI when the job is
- [Exploit Path Synthesis: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-exploit-path-synthesis): Finding a bug is not the same as proving it is exploitable. How Griffin AI synthesises concrete exploit paths and why pu
- [Throughput At Scale: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-throughput-at-scale): Engine work parallelises cleanly. Model calls do not.
We explain why Griffin AI's throughput scales with CPU while Mytho
- [RAG Pipeline Supply Chain Attacks: Vector DBs and More](https://safeguard.sh/resources/blog/rag-pipeline-supply-chain-attacks): RAG pipelines have six or seven supply chain surfaces, and most teams are only watching one. Here is how the attacks act
- [Automated Zero-Day Discovery: How AI Is Changing Vulnerability Research](https://safeguard.sh/resources/blog/zero-day-discovery-automated-approaches): AI-powered fuzzing and code analysis are accelerating zero-day discovery. Here's what that means for defenders.
- [OCI + CNCF Image Supply Chain: 2026 Snapshot](https://safeguard.sh/resources/blog/ocid-cncf-image-supply-chain-2026): Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested,
- [SEvenLLM Design And Coverage](https://safeguard.sh/resources/blog/ai-security-benchmark-sevenllm-design): SEvenLLM set out to measure how well LLMs handle Security Event analysis, the unglamorous day-to-day work of SOCs and IR
- [Griffin AI vs Claude Haiku for Bulk Scanning](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-haiku-for-bulk-scanning): Claude Haiku is the cost-efficient model Griffin uses for high-volume scan interpretation. Here's how raw Haiku compares
- [DEF CON 33 Software Supply Chain Sessions Recap](https://safeguard.sh/resources/blog/defcon-33-recap-software-supply-chain-sessions): DEF CON 33 brought hacker-energy attention to package ecosystems, CI/CD abuse, and AppSec Village. Here is what supply c
- [PyPI mexalz Malware Campaign Deep Dive](https://safeguard.sh/resources/blog/pypi-mexalz-malware-campaign-deep-dive): Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting
- [Dev Container Security Posture (incl. Dotfiles)](https://safeguard.sh/resources/blog/dev-container-security-posture-dotfiles): Dev containers promise reproducibility and isolation.
They also pull in a long tail of scripts, dotfiles, and feature re
- [Measuring AppSec Program Effectiveness in 2026](https://safeguard.sh/resources/blog/measuring-appsec-program-effectiveness-2026): The metrics that actually distinguish high-functioning application security programs from theater, with concrete formula
- [RansomHub Ransomware and EDR Bypass (2024)](https://safeguard.sh/resources/blog/ransomhub-ransomware-edr-bypass-2024): RansomHub absorbed affiliates displaced by BlackCat and ran one of the most prolific extortion operations of 2024. Here
- [Rust crates.io Supply Chain Controls in 2026](https://safeguard.sh/resources/blog/rust-crates-io-supply-chain-controls-2026): crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is s
- [Safeguard Explores Partnership With Sify Technology (USA)](https://safeguard.sh/resources/blog/safeguard-exploring-partnership-sify-technology-usa): Safeguard.sh is in early discussions with Sify Technology (USA) to evaluate a joint motion across network services, mana
- [Griffin Agent Loop: Design Decisions](https://safeguard.sh/resources/blog/safeguard-griffin-agent-loop-design): The design rationale behind Griffin, Safeguard's triage agent — how the loop is structured, why we bounded reasoning dep
- [Salt Typhoon Telecom Supply Chain Campaign 2024](https://safeguard.sh/resources/blog/salt-typhoon-telecom-supply-chain-campaign-2024): Salt Typhoon's 2024 intrusions into U.S. telecoms reframed supply chain risk as a routing and lawful-intercept problem.
- [SonicWall SMA 1000 CVE-2025-23006 Pre-Auth RCE](https://safeguard.sh/resources/blog/cve-2025-23006-sonicwall-sma-1000-rce): CVE-2025-23006 is a pre-auth deserialization RCE in SonicWall SMA 1000.
Exploit chain, detection signals, and appliance
- [Audit Log Completeness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-audit-log-completeness): Audit logs are where enterprise AI either proves its seriousness or exposes its improvisation. The gap between Griffin A
- [Griffin AI vs OpenAI o1 for Security Reasoning](https://safeguard.sh/resources/blog/griffin-ai-vs-openai-o1-reasoning): Deep reasoning models are transformative for hard logical problems. Security reasoning is only partially a logic problem
- [Small-Model Distillation For Security Workflows](https://safeguard.sh/resources/blog/small-model-distillation-for-security-workflows): Distillation compresses the capability of a large model into a small one for a narrow task. For high-volume security wor
- [The Software Transparency Act of 2026: What It Means for the Industry](https://safeguard.sh/resources/blog/software-transparency-act-2026-analysis): Proposed legislation would require SBOMs for all critical infrastructure software. Here's a detailed analysis of the bil
- [GCP Cloud Build + Workload Identity Federation](https://safeguard.sh/resources/blog/gcp-cloud-build-workload-identity-federation): Workload Identity Federation is the right way to give Cloud Build and external CI access to GCP. Here is the architectur
- [Ledger Connect Kit Attack: What Devs Missed](https://safeguard.sh/resources/blog/ledger-connect-kit-supply-chain-attack-2023): A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tell
- [Training Data Opacity As A Trust Limit](https://safeguard.sh/resources/blog/frontier-model-limit-training-data-opacity): You cannot audit what you cannot see.
Frontier model training corpora are effectively opaque to their users, and that op
- [Griffin AI vs Gemini Long Context for Codebases](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-long-context-for-codebases): Gemini's million-token context window is a genuinely new capability. For security analysis of large codebases, is it eno
- [Human Review Burden: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-human-review-burden): Auto-remediation only scales if human review stays cheap. Griffin AI's grounded PRs keep reviewer time low; Mythos-class
- [Agent Security: Enterprise Adoption Patterns](https://safeguard.sh/resources/blog/ai-security-trend-agent-security-enterprise-adoption): Enterprise agent deployments have moved past pilot phase. The security patterns that have survived contact with producti
- [Claude Code Coding Agent: Security Posture Review](https://safeguard.sh/resources/blog/claude-code-coding-agent-security-posture): A working review of Claude Code's security posture, sandboxing model, and the practical controls enterprises need to dep
- [Cross-Package Analysis: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cross-package-analysis): Real exploits cross package boundaries. Griffin AI's graph follows them; Mythos-class tools often stop at the file they
- [CISO FAQ: Software Supply Chain Security 2026](https://safeguard.sh/resources/blog/faq-software-supply-chain-security-for-cisos-2026): The questions CISOs actually ask about software supply chain security in 2026: scope, budget, reporting lines, SBOMs, AI
- [Getting Started with Safeguard CLI: Your First Scan](https://safeguard.sh/resources/blog/getting-started-safeguard-cli-first-scan): Install the Safeguard CLI, authenticate, and run your first dependency and SBOM scan in under ten minutes.
Covers config
- [Sigstore Policy Controller for K8s in Production](https://safeguard.sh/resources/blog/kubernetes-supply-chain-sigstore-policy-controller): How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pi
- [Scattered Spider: Identity as Supply Chain 2024-25](https://safeguard.sh/resources/blog/scattered-spider-identity-supply-chain-2024-2025): Scattered Spider showed that help-desk processes, SaaS federation, and MSPs are the new software supply chain. Here is h
- [State of SBOM Adoption Across Industries 2026](https://safeguard.sh/resources/blog/state-of-sbom-adoption-across-industries-2026): How SBOM adoption differs across finance, healthcare, public sector, manufacturing, and tech in 2026, where the real ope
- [AI-BOM Awareness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-ai-bom-awareness): AI-BOM is how you describe an AI system's supply chain — models, datasets, prompts, inference environments. Griffin AI i
- [SOC 2 Type II Evidence: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-soc2-type2-evidence): A SOC 2 Type II auditor samples a control population across a reporting period. Griffin AI creates that population as a
- [AI Model Weight Tampering Detection Techniques](https://safeguard.sh/resources/blog/ai-model-weight-tampering-detection-techniques): Weight-level tampering leaves cryptographic and statistical fingerprints.
Here is what current research says about detec
- [FinTech Cuts CVE Noise 80% With Reachability](https://safeguard.sh/resources/blog/customer-story-fintech-80-percent-cve-noise-cut): An anonymized story of how a high-growth payments FinTech slashed vulnerability backlog noise by 80% using Safeguard.sh'
- [Sandboxing LLM Agent Code Execution: Patterns](https://safeguard.sh/resources/blog/llm-agent-code-execution-sandboxing): If your agent can execute code, something it reads from the internet can execute code. Pick your sandbox before the agen
- [The Case for Autonomous Remediation Now](https://safeguard.sh/resources/blog/the-case-for-autonomous-remediation-now): Manual patching is a losing race against the rate of new vulnerabilities. Autonomous remediation is not a future technol
- [Reachability Noise Reduction: Findings](https://safeguard.sh/resources/blog/safeguard-research-reachability-noise-reduction-findings): The Safeguard Research team ran reachability analysis across a large corpus of real codebases. This is what we learned a
- [ScreenConnect CVE-2024-57727 Path Traversal Detailed](https://safeguard.sh/resources/blog/cve-2024-57727-screenconnect-path-traversal): CVE-2024-57727 is a path traversal in ConnectWise ScreenConnect enabling arbitrary file read on self-hosted instances. C
- [Citation Accuracy: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-citation-accuracy): An AI security tool that cites the wrong advisory is worse than one that says nothing. Griffin AI benchmarks citation ac
- [SSRF Detection: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-ssrf-detection): Server-side request forgery is a test of how well your scanner understands the boundary between trusted and untrusted UR
- [MCP Server Capability Declaration Audit](https://safeguard.sh/resources/blog/mcp-server-capability-declaration-audit): An MCP server tells the world what it can do through its capability declaration.
Auditing those declarations catches dri
- [Black Hat USA 2025: Supply Chain Security Recap](https://safeguard.sh/resources/blog/black-hat-usa-2025-supply-chain-security-recap): Black Hat USA 2025 highlighted AI-generated code risks, build system attacks, and the maturation of SBOM tooling. Here i
- [Safeguard January 2026 Release Notes](https://safeguard.sh/resources/blog/safeguard-changelog-january-2026): January 2026 release notes from Safeguard.sh: Lino runtime attestations, Griffin cache sharing, self-healing workflows,
- [CISA Secure by Design Pledge: Signatories in 2026](https://safeguard.sh/resources/blog/cisa-secure-by-design-pledge-signatories-2026): CISA's Secure by Design Pledge has crossed 300 signatories. Here is what the 2026 cohort is committing to, what regulato
- [FDA Premarket Cybersecurity SBOM in 2026](https://safeguard.sh/resources/blog/fda-premarket-cybersecurity-sbom-2026): What the FDA's 2026 premarket cybersecurity guidance actually requires for SBOMs, how reviewers evaluate them, and the p
- [PyPI Trusted Publishing Common Pitfalls](https://safeguard.sh/resources/blog/pypi-trusted-publishing-common-pitfalls): PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configura
- [Safeguard Gold Build Pipeline: How It Works](https://safeguard.sh/resources/blog/safeguard-gold-build-pipeline-how-it-works): A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and bina
- [SBOM Review in Pull Request Workflows](https://safeguard.sh/resources/blog/sbom-in-pull-request-workflows-practical): An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here i
- [Rspack npm Account Takeover: 2024 Incident Analysis](https://safeguard.sh/resources/blog/rspack-npm-account-takeover-2024): Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024.
Timeline, payload,
- [Griffin AI vs AI21 Jurassic for Security Workflows](https://safeguard.sh/resources/blog/griffin-ai-vs-ai21-jurassic-security-workflows):
- [Cache Hit Optimisation: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cache-hit-optimisation): Prompt caching and engine memoisation combine to make Griffin AI scans repeat-cheap. Pure-LLM tools recompute the same r
- [Azure DevOps Supply Chain Hardening Guide](https://safeguard.sh/resources/blog/azure-devops-supply-chain-hardening-guide): A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: exte
- [Enterprise RAG Security Rollout Antipatterns](https://safeguard.sh/resources/blog/enterprise-rag-security-rollout-antipatterns): Retrieval-augmented generation systems are where enterprise AI meets enterprise data, and where most security rollouts s
- [CWE Classification Accuracy: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cwe-classification-accuracy): Getting the CWE right is not a taxonomic hobby. It drives remediation, compliance mapping, and detection engineering. He
- [Griffin AI vs Qwen for Code Security](https://safeguard.sh/resources/blog/griffin-ai-vs-qwen-for-code-security): Qwen's open-weight models have strong code benchmarks.
We dig into how they compare to Griffin AI when the workflow is r
- [Cilium Tetragon Runtime Security with eBPF](https://safeguard.sh/resources/blog/cilium-tetragon-runtime-security-ebpf): A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and whe
- [Build a Software Supply Chain Program in 90 Days](https://safeguard.sh/resources/blog/how-to-build-a-software-supply-chain-program-90-days): A pragmatic, phase-by-phase blueprint for standing up a credible software supply chain security program inside a single
- [SecBench Methodology Reviewed](https://safeguard.sh/resources/blog/ai-security-benchmark-secbench-methodology): SecBench positioned itself as a comprehensive cybersecurity knowledge and reasoning benchmark for LLMs. A methodology re
- [Griffin AI vs Claude Sonnet for Remediation](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-sonnet-for-remediation): Claude Sonnet is the workhorse model Griffin leans on for remediation. Here's how raw Sonnet compares to Sonnet inside G
- [Data Residency Controls: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-data-residency-controls): Data residency is no longer a procurement checkbox. It is an architectural property that most pure-LLM vendors cannot de
- [CISA SBOM Mandate Enforcement Begins: What Federal Contractors Need to Know](https://safeguard.sh/resources/blog/cisa-sbom-mandate-enforcement-begins): CISA is moving from SBOM guidance to enforcement in 2026. Here's what the mandate requires and how to prepare.
- [Getting Started with Safeguard IDE Extension (VS Code)](https://safeguard.sh/resources/blog/getting-started-safeguard-ide-extension-vscode): A step-by-step walkthrough for installing, configuring, and using the Safeguard VS Code extension to catch supply chain
- [Windows LDAP LSASS CVE-2024-49113 (LDAPNightmare)](https://safeguard.sh/resources/blog/cve-2024-49113-windows-ldap-lsass-rce): CVE-2024-49113 crashes LSASS over LDAP referrals and pairs with CVE-2024-49112 for RCE. Exploit chain, detection, and do
- [State of Software Supply Chain Security 2026](https://safeguard.sh/resources/blog/state-of-software-supply-chain-security-2026): A senior-engineer view of where software supply chain security stands in 2026: what's changed, what's stuck, and where b
- [Domain-Adapted LLMs For Vulnerability Detection in 2026](https://safeguard.sh/resources/blog/domain-adapted-llm-vulnerability-detection-2026): Domain adaptation has quietly become the default for LLM-assisted vulnerability detection. A look at what works in 2026,
- [Griffin AI vs GPT-4o: Security Limits Exposed](https://safeguard.sh/resources/blog/griffin-ai-vs-gpt-4o-security-limits): GPT-4o is an excellent general-purpose model. Security workflows are a specialty, and specialty work exposes the limits
- [Regression Testing on Fixes: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-regression-testing-on-fixes): A remediation PR is only useful if it does not break anything else. Griffin AI runs targeted regression before opening;
- [Prompt Injection as a Supply Chain Risk in 2026](https://safeguard.sh/resources/blog/prompt-injection-supply-chain-risk-2026): Prompt injection stopped being an LLM curiosity the moment agents started committing code. It is now a software supply c
- [GitHub Actions: SHA-Pin Tags or Get Burned](https://safeguard.sh/resources/blog/github-actions-pinning-sha-vs-tag): Tag-pinning Actions feels fine until a maintainer gets compromised.
Here is why SHA-pinning is the only serious option i
- [Safeguard Eagle 3.0 Release: Classifier Update](https://safeguard.sh/resources/blog/safeguard-eagle-3-0-release-malware-classifier): Eagle 3.0 is the classification model behind Safeguard's package, image, and secret detection. Here is what changed, wha
- [Instruction/Data Conflation: Why Prompt Injection Persists](https://safeguard.sh/resources/blog/frontier-model-limit-instruction-data-conflation): Prompt injection is not a vulnerability that will be patched. It is what happens when a system cannot distinguish the in
- [Griffin AI vs Gemini Code Assist: Security](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-code-assist-for-security): Gemini Code Assist makes developers faster. But faster is not safer. Here's how Griffin AI layers a security engine onto
- [SPDX Coverage: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-spdx-coverage): SPDX is the format auditors ask for, the format regulators reference, and the format most enterprise procurement teams s
- [Clop/Cl0p Supply Chain Exploitation Patterns](https://safeguard.sh/resources/blog/clop-cl0p-supply-chain-exploitation-patterns): Clop has industrialized third-party file-transfer exploitation. Here is how the group operates, what it keeps repeating,
- [Safeguard Knowledge Graph Architecture](https://safeguard.sh/resources/blog/safeguard-knowledge-graph-architecture-deep-dive): How Safeguard's knowledge graph unifies components, vulnerabilities, policies, and runtime evidence into a single querya
- [Polyfill.io CDN Supply Chain Attack: 100K+ Sites](https://safeguard.sh/resources/blog/polyfill-io-cdn-supply-chain-attack-june-2024): After a domain handover, polyfill.io began serving malware to more than 100,000 sites.
Here is the attack chain and what
- [MCP Ecosystem Maturation: Where It's Going](https://safeguard.sh/resources/blog/ai-security-trend-mcp-ecosystem-maturation): The Model Context Protocol went from a single-vendor proposal to a multi-implementation standard in under eighteen month
- [FedRAMP HIGH Posture: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-fedramp-high-posture): FedRAMP HIGH demands 421 controls with documented, continuous evidence. Griffin AI produces control-mapped records every
- [Taint Propagation: Griffin AI vs Mythos Approaches](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-taint-propagation): Taint tells you whether attacker data actually reaches a sink. Griffin AI propagates it; Mythos-class tools infer it. Th
- [MCP Server Discovery Protocol Security](https://safeguard.sh/resources/blog/mcp-server-discovery-protocol-security): MCP server discovery turns a client connection string into a live capability graph. The protocol mechanics that make thi
- [A Healthcare System's Self-Healing Container Rollout](https://safeguard.sh/resources/blog/customer-story-healthcare-system-self-healing-containers): An anonymized account of how a regional North American healthcare system deployed Safeguard's self-healing container bas
- [Hugging Face Pickle Backdoor Research 2025](https://safeguard.sh/resources/blog/huggingface-pickle-backdoor-research-2025): Pickle-serialized model files remain a live attack surface on Hugging Face. Here is what 2025 research disclosed about p
- [Next-Generation Software Composition Analysis: Beyond Dependency Lists](https://safeguard.sh/resources/blog/software-composition-analysis-next-generation): Traditional SCA tools tell you what's in your software. Next-gen SCA tells you what matters. Here's how the category is
- [Why Scanning Alone Doesn't Work Anymore](https://safeguard.sh/resources/blog/why-scanning-alone-does-not-work-anymore-2026): Scanners generate findings.
Programs produce outcomes. After a decade of dashboards and CVE counts, it is time to admit
- [AWS CodeBuild/CodePipeline Hardening in 2026](https://safeguard.sh/resources/blog/aws-codebuild-codepipeline-hardening-2026): CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them
- [Cosign for Container Signing: A Production Setup](https://safeguard.sh/resources/blog/container-image-signing-with-cosign-production): A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts
- [npm Provenance Statements in Practice (2026)](https://safeguard.sh/resources/blog/npm-provenance-statements-practical-2026): A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly f
- [OSS Malware Trends Q1 2026 (Safeguard Research)](https://safeguard.sh/resources/blog/safeguard-research-oss-malware-trends-q1-2026): The Safeguard Research team analyzed first-quarter 2026 malicious package telemetry across npm, PyPI, RubyGems, and crat
- [Tech-D Cybersecurity: A Joint Opportunity Under Review](https://safeguard.sh/resources/blog/safeguard-tech-d-cybersecurity-joint-opportunity): A deeper look at the commercial and technical thesis behind Safeguard's exploratory partnership discussions with Tech-D
- [Adversarial Resistance: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-adversarial-resistance): Griffin AI reports 98-100% hold rate against adversarial probes.
Most Mythos-class tools have never published an adversa
- [CISA Secure by Design Pledge: Practical Impact](https://safeguard.sh/resources/blog/cisa-secure-by-design-pledge-practical-impact): An engineer's assessment of what the CISA Secure by Design Pledge actually changed inside product teams, what it did not
- [Veeam Backup CVE-2024-40711 Unauth RCE Walkthrough](https://safeguard.sh/resources/blog/cve-2024-40711-veeam-backup-rce): CVE-2024-40711 is a critical unauth RCE in Veeam Backup & Replication. Deserialization flaw, exploit chain, and ransomwa
- [Deserialization Vulnerabilities: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-deserialization-vulns): Unsafe deserialization looks obvious on a slide and impossible on a real codebase. Sinks are language-specific, gadgets
- [AI Agent Security Risks: Why Autonomous Systems Are the Next Supply Chain Frontier](https://safeguard.sh/resources/blog/ai-agent-security-risks-2026): AI agents are consuming APIs, installing packages, and executing code autonomously. The security implications are massiv
- [The npm 'everything' Package Attack (2024) Analyzed](https://safeguard.sh/resources/blog/npm-everything-package-attack-2024-analysis): In January 2024 a developer published npm packages that depended on every public npm package, triggering a denial-of-ser
- [Pre-commit Hook Security Gotchas You'll Hit](https://safeguard.sh/resources/blog/pre-commit-hooks-security-gotchas): Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundarie
- [From DevOps to DevSecOps: A Practical Shift-Left Guide](https://safeguard.sh/resources/blog/devops-devsecops-shift-left): Shift-left security doesn't mean dumping security tools on developers.
Here's a practical guide to integrating security
- [Griffin AI vs Cohere Command for SecOps](https://safeguard.sh/resources/blog/griffin-ai-vs-cohere-command-for-secops):
- [The Disproof Step: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-disproof-step): Most AI bug hunters skip the hardest step: trying to kill their own findings. Here is why Griffin AI's disproof pass is
- [Model Tiering Strategy: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-model-tiering-strategy): Opus for reasoning, Sonnet for drafting, Haiku for scale. We break down when each tier earns its keep and why single-mod
- [Distroless vs. Chainguard vs. Wolfi: Real Differences](https://safeguard.sh/resources/blog/distroless-vs-chainguard-vs-wolfi-base-images): A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actuall
- [Lottie Player npm Supply Chain Attack Explained](https://safeguard.sh/resources/blog/lottie-player-npm-supply-chain-attack): A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet dra
- [AI Safety Eval Datasets as Supply Chain](https://safeguard.sh/resources/blog/ai-safety-eval-datasets-supply-chain): The datasets you use to evaluate model safety are themselves a supply chain, and almost nobody is treating them that way
- [Enterprise AI Agent Deployment Lessons, 2026](https://safeguard.sh/resources/blog/enterprise-ai-agent-deployment-lessons-2026): Lessons learned from a year of enterprise AI agent deployments: what worked, what failed, and what we would do different
- [Griffin AI vs Mistral Large for Remediation](https://safeguard.sh/resources/blog/griffin-ai-vs-mistral-large-for-remediation): Mistral Large is a strong reasoning model, but remediation is more than generating a diff.
We look at what Griffin AI ad
- [SSO & SCIM: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-enterprise-sso-scim): Enterprise identity is not a paywall. It is the substrate on which every other security control depends, and it is where
- [The MCP Threat Model: What Actually Matters in 2026](https://safeguard.sh/resources/blog/model-context-protocol-threat-model-2026): Most MCP threat models confuse protocol risk with deployment risk. Here is what the real attack surface looks like after
- [Inside Safeguard's Reachability Engine](https://safeguard.sh/resources/blog/inside-safeguard-reachability-engine-architecture): A deep look at how Safeguard's reachability engine combines call graph construction, symbolic analysis, and runtime evid
- [SWE-Bench With Security Extensions: Field Review](https://safeguard.sh/resources/blog/ai-security-benchmark-swe-bench-security-extensions): SWE-bench became the default benchmark for measuring AI coding agents, but the security extensions that were bolted on a
- [Griffin AI vs Claude Opus for Triage](https://safeguard.sh/resources/blog/griffin-ai-vs-claude-opus-for-triage): Griffin uses Claude Opus as its deepest reasoning engine. Here's what triage looks like with Opus alone versus Opus runn
- [Auto-Fix Compile Rates: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-auto-fix-compile-rates): Griffin AI's auto-fixes compile clean 73 percent of the time and pass with minor edits 87 percent. Mythos-class pure-LLM
- [WinRAR CVE-2025-0411 Mark-of-the-Web Bypass](https://safeguard.sh/resources/blog/cve-2025-0411-winrar-mark-of-the-web-bypass): CVE-2025-0411 lets WinRAR archives bypass Windows Mark-of-the-Web when extracted. Here is the flaw, the observed campaig
- [Fine-Tuning Security LLMs vs Grounding: Which Wins](https://safeguard.sh/resources/blog/fine-tuning-security-llm-vs-grounding-approach): Fine-tuning teaches a model to be a security expert.
Grounding lets a general model act like one by reading the right so
- [EU CRA Readiness: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-eu-cra-readiness): The EU Cyber Resilience Act wants mandatory vulnerability handling, SBOM delivery, and documented due diligence. Griffin
- [Griffin AI vs OpenAI Codex for Security](https://safeguard.sh/resources/blog/griffin-ai-vs-openai-codex-security): Codex-style coding agents are powerful for writing features. Security remediation needs a different shape of system—one
- [Secrets Management in CI Pipelines: 2026 Guide](https://safeguard.sh/resources/blog/secrets-management-in-ci-pipelines-2026): Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI se
- [Anthropic MCP Security Model: A Deep Dive](https://safeguard.sh/resources/blog/anthropic-mcp-security-model-deep-dive): Anthropic's Model Context Protocol introduces a new trust boundary between agents and tools. Here is how the security mo
- [Context Window As A Security Limit](https://safeguard.sh/resources/blog/frontier-model-limit-context-window-security): The context window is usually marketed as a capability parameter. In a security setting, it behaves like a budget, a for
- [Griffin AI vs Gemini Ultra for Security Reasoning](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-ultra-reasoning): Gemini Ultra sets a high bar on complex reasoning benchmarks. But security reasoning is not benchmark reasoning. Here's
- [CycloneDX Support: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-cyclonedx-support): CycloneDX is not a text format to be summarized — it's a typed graph with dozens of semantically-rich fields.
Griffin AI
- [How a Fortune 500 Bank Ran Its SBOM Program](https://safeguard.sh/resources/blog/customer-story-fortune-500-bank-sbom-program-2026): An anonymized look at how a Fortune 500 financial services firm operationalized an enterprise SBOM program using Safegua
- [5 Software Supply Chain Security Trends Defining 2026](https://safeguard.sh/resources/blog/supply-chain-security-trends-2026): From AI-generated code risks to regulatory enforcement, these are the supply chain security trends that will shape the y
- [Training Data Provenance: The Regulatory Wave](https://safeguard.sh/resources/blog/ai-security-trend-training-data-provenance-regulation): Regulators across three continents are converging on a single demand: show where your training data came from. The engin
- [Call Graph Depth Compared: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-call-graph-depth): Shallow call graphs miss real exploits; deep graphs surface them. We examine how Griffin AI and Mythos-class tools diffe
- [EO 14028 Two Years In: What Actually Shipped](https://safeguard.sh/resources/blog/eo-14028-two-years-in-what-shipped): A clear-eyed look at what parts of Executive Order 14028 actually made it into production across federal agencies, vendo
- [tj-actions/changed-files Compromise: What Happened](https://safeguard.sh/resources/blog/tj-actions-changed-files-compromise-march-2025): A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain,
- [Eval Methodology: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-eval-methodology): A benchmark number is only as good as the methodology that produced it. Here is how Griffin AI builds its harness and wh
- [SQL Injection Chains: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-sql-injection-chains): SQL injection stopped being a single-line bug years ago.
Modern chains stitch a tainted parameter through ORMs, caches,
- [K8s Admission Controllers for Supply Chain Policy](https://safeguard.sh/resources/blog/kubernetes-admission-controller-supply-chain-policy): How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-m
- [Apache OFBiz CVE-2024-38856 Pre-Auth RCE Analysis](https://safeguard.sh/resources/blog/cve-2024-38856-apache-ofbiz-pre-auth-rce): CVE-2024-38856 is an unauthenticated RCE in Apache OFBiz that bypasses authentication via screen rendering. Exploit chai
- [Hypothesis Quality: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-hypothesis-quality): Two AI bug hunters can both generate hypotheses. Only one can defend them. A field study of grounded versus ungrounded h
- [Zero-Knowledge Proofs for Supply Chain Attestation](https://safeguard.sh/resources/blog/zero-knowledge-proofs-supply-chain-attestation): Where zk-SNARKs, STARKs, and Bulletproofs actually fit in software supply chain attestation, and where conventional sign
- [Vulnerability Scanning for AI Models: A New Frontier](https://safeguard.sh/resources/blog/ai-model-vulnerability-scanning): AI models ship with dependencies, use vulnerable libraries, and introduce novel attack surfaces. Traditional scanning is
- [Safeguard Q4 2025 Release Recap](https://safeguard.sh/resources/blog/safeguard-changelog-q4-2025-recap): A full recap of Q4 2025 at Safeguard.sh: Griffin for Java and .NET, Eagle attestations, Lino serverless, Gold policy-awa
- [Securing Claude Code MCP Server Deployments](https://safeguard.sh/resources/blog/securing-claude-code-mcp-server-deployments): Claude Code MCP servers run with the privileges of the developer who invoked them. That makes deployment posture the ent
- [XML Parsing Security: XXE, Billion Laughs, and Beyond](https://safeguard.sh/resources/blog/xml-parsing-security-xxe-billion-laughs): XML's feature richness is its security weakness.
XXE, entity expansion, and XSLT injection continue to plague applicatio
- [Safeguard Explores Partnership With Tech-D Cybersecurity](https://safeguard.sh/resources/blog/safeguard-exploring-partnership-tech-d-cybersecurity): Safeguard.sh is in early-stage discussions with Tech-D Cybersecurity Ltd to explore co-selling, joint delivery, and shar
- [Air-Gapped Environments: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-air-gapped-environments): Air-gapped AI is not a feature flag. It is an architectural commitment, and it separates serious enterprise products fro
- [Per-Scan Token Cost: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-per-scan-token-cost): Tiered models and a deterministic engine cut token consumption to the moments that need reasoning. Pure-LLM tools pay fu
- [Griffin AI vs xAI Grok for Security](https://safeguard.sh/resources/blog/griffin-ai-vs-xai-grok-for-security):
- [Enterprise AI Security Rollout: The Governance Gap](https://safeguard.sh/resources/blog/enterprise-ai-security-rollout-governance-gap): Most enterprises rolled out AI-for-security tools faster than their governance processes could keep up. The resulting ga
- [Griffin AI vs Llama 3 for Security Workflows](https://safeguard.sh/resources/blog/griffin-ai-vs-llama-3-for-security): Llama 3 is a powerful open-weight foundation model, but security workflows demand more than raw inference. Here is how G
- [Remediation PR Quality: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-remediation-pr-quality): Griffin AI produces draft PRs with taint paths, exploit hypotheses, and disproof attempts. Mythos-class pure-LLM tools s
- [The State of SBOM Adoption in 2026: Progress, Gaps, and Reality](https://safeguard.sh/resources/blog/state-of-sbom-adoption-2026): SBOM adoption has grown rapidly, but maturity varies wildly.
Here's where the industry actually stands heading into 2026
- [Safeguard Griffin 3.0 GA: What's New](https://safeguard.sh/resources/blog/safeguard-griffin-3-0-ga-release-announcement): Griffin 3.0 is now generally available. Here is what changed in the reasoning and remediation model, how it behaves in p
- [CyberSecEval Reviewed: What It Measures](https://safeguard.sh/resources/blog/ai-security-benchmark-cybersecevval-review): A working engineer's review of CyberSecEval, the Meta-originated benchmark that has quietly become the default sniff tes
- [SSDF Attestation: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-ssdf-attestation): The NIST SSDF attestation form asks structured questions with structured answers. A chat transcript is not an answer. We
- [Griffin AI vs Raw Claude for Security Workflow](https://safeguard.sh/resources/blog/griffin-ai-vs-raw-claude-security-workflow): Griffin AI runs on Anthropic's Claude models under the hood. Here's what the engine context, eval harness, and workflow
- [Windows MSHTML Spoofing CVE-2024-43573 Explained](https://safeguard.sh/resources/blog/cve-2024-43573-windows-mshtml-spoofing): CVE-2024-43573 is a zero-day MSHTML spoofing flaw patched by Microsoft in October 2024. Here is the chain, detection, an
- [Ultralytics PyPI Compromise: Dec 2024 Post-Mortem](https://safeguard.sh/resources/blog/ultralytics-pypi-compromise-december-2024): How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering
- [AI Agent Tool-Scope Enforcement Patterns](https://safeguard.sh/resources/blog/ai-agent-tool-scope-enforcement-patterns): Agents get tool lists, not tool boundaries.
We walk through scoping patterns that actually hold when Claude 4 or GPT-5 p
- [Griffin AI vs Pure GPT-5 for Security Workflows](https://safeguard.sh/resources/blog/griffin-ai-vs-gpt-5-security-workflow): Frontier models are remarkable reasoners, but security workflows demand more than raw intelligence. Here's how Griffin A
- [Reachability Analysis: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-reachability-analysis): Reachability-grounded reasoning produces actionable findings. Ungrounded LLM reasoning produces speculation. We explain
- [Specialised Security LLM vs Frontier Model: The Choice](https://safeguard.sh/resources/blog/specialised-security-llm-vs-frontier-model-choice): Frontier models are general polymaths. Security-specific LLMs are narrow experts. Choosing between them is rarely about
- [Frontier Model Non-Determinism As A Security Limit](https://safeguard.sh/resources/blog/frontier-model-limit-non-determinism): Non-determinism is not a rough edge frontier labs will polish away. It is an architectural property of how transformer d
- [Griffin AI vs Gemini Pro for Security Workflow](https://safeguard.sh/resources/blog/griffin-ai-vs-gemini-pro-security-workflow): Gemini Pro brings capable reasoning and a massive context window to general-purpose workflows.
Griffin AI brings a secur
- [SBOM Ingestion: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-sbom-ingestion): A detailed comparison of how Griffin AI consumes SBOMs as structured reasoning context while Mythos-class pure-LLM tools
- [Prompt Injection At Scale: 2026 Trend Review](https://safeguard.sh/resources/blog/ai-security-trend-prompt-injection-at-scale-2026): Prompt injection has evolved from demonstration exploits into a category of attack that runs continuously against produc
- [Published Benchmarks: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-published-benchmarks): Griffin AI publishes a five-family eval harness with concrete numbers. Most Mythos-class competitors ask buyers to trust
- [AI Code-Generation Audit Trail Patterns](https://safeguard.sh/resources/blog/ai-code-generation-audit-trail-patterns): When AI writes code that ships to production, the audit trail is a compliance requirement, not a nice-to-have. Patterns
- [Zero-Day Discovery Pipelines: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-zero-day-pipeline): A candid look at how Griffin AI's three-stage zero-day pipeline compares to pure-LLM Mythos-class bug hunters, and why f
- [Safeguard Q3 2025 Release Recap](https://safeguard.sh/resources/blog/safeguard-changelog-q3-2025-recap): A quarterly recap of everything Safeguard.sh shipped in Q3 2025 across Griffin, Eagle, Lino, and Gold — with the improve
- [Safeguard v5: One Year In — What We Built, What We Learned](https://safeguard.sh/resources/blog/safeguard-v5-one-year-anniversary): A retrospective on Safeguard v5's first year in production, the features that resonated, and where we're headed next.
- [Apache Struts CVE-2024-53677: The Path Traversal RCE](https://safeguard.sh/resources/blog/cve-2024-53677-apache-struts-rce-deep-dive): CVE-2024-53677 lets attackers abuse Struts file upload parameter pollution to plant webshells.
Here is the chain, detect
- [Open Source Risk Management: Beyond Vulnerability Scanning](https://safeguard.sh/resources/blog/open-source-risk-management): Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dep
- [On-Prem Deployment: Griffin AI vs Mythos](https://safeguard.sh/resources/blog/griffin-ai-vs-mythos-on-premises-deployment): Why enterprise AI for security requires genuine on-premises deployment, not just a SaaS endpoint with a VPN in front of
- [Homomorphic Encryption in Software Supply Chains](https://safeguard.sh/resources/blog/homomorphic-encryption-software-supply-chain-use): A grounded look at BFV, CKKS, and TFHE schemes for supply chain workloads, measured costs, library choices, and where HE
- [10 Predictions for Software Supply Chain Security in 2026](https://safeguard.sh/resources/blog/predictions-software-security-2026): From AI-generated SBOMs to regulatory enforcement and the death of CVSS-only triage, here is what the software security
- [SBOM Compliance in 2025: Tracking Global Mandates and Deadlines](https://safeguard.sh/resources/blog/sbom-compliance-global-mandate-tracker): SBOM requirements are now embedded in regulations across the US, EU, Japan, and beyond. A practical tracker of what is r
- [AI Tool Confused-Deputy: A Deep Dive](https://safeguard.sh/resources/blog/ai-tool-confused-deputy-deep-dive): The confused deputy problem takes on new and subtle forms when AI agents invoke tools on behalf of users. A technical de
- [The 2025 Software Supply Chain Security Report: Summary](https://safeguard.sh/resources/blog/annual-sscs-report-summary-2025): The 2025 annual SSCS report lands into a changed landscape.
Key findings, trend lines, and what the numbers actually imp
- [Software Supply Chain Security in 2025: The Year in Review](https://safeguard.sh/resources/blog/software-supply-chain-security-2025-year-review): From the CVE program funding crisis to the rise of AI-targeted supply chain attacks, 2025 reshaped the software security
- [The Secure Software Development Lifecycle in 2025: What Actually Changed](https://safeguard.sh/resources/blog/secure-software-development-lifecycle-2025): A practical look at how SSDLC practices evolved in 2025, what worked, what failed, and why most organizations are still
- [Prompt Injection Detection in Retrieval Systems](https://safeguard.sh/resources/blog/prompt-injection-detection-retrieval-systems): Indirect prompt injection arrives through your retrieval corpus, not your chat box. We cover the detection strategies th
- [The ROI of Vulnerability Remediation Automation: Numbers That Justify the Investment](https://safeguard.sh/resources/blog/vulnerability-remediation-automation-roi): Manual vulnerability remediation costs more than most organizations realize. Breaking down the real costs, time savings,
- [A Practical Kubernetes Operator Security Checklist](https://safeguard.sh/resources/blog/kubernetes-operator-security-checklist): Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RB
- [AI Model Watermarking and Provenance](https://safeguard.sh/resources/blog/ai-model-watermarking-provenance-techniques): Watermarking and provenance are the two most confused terms in AI security. A practical breakdown of what each actually
- [Safeguard CLI v5: Faster, Smarter, More Extensible](https://safeguard.sh/resources/blog/safeguard-cli-v5-release): Safeguard CLI v5 brings a rewritten scanning engine, plugin architecture, and native CI/CD integration.
Here is what is
- [Software Supply Chain Security for Regulated Industries](https://safeguard.sh/resources/blog/supply-chain-security-for-regulated-industries): Healthcare, finance, energy, and defense face unique supply chain security requirements. Here is how regulated industrie
- [Training Data Provenance for Enterprise Fine-Tuning](https://safeguard.sh/resources/blog/training-data-provenance-enterprise-fine-tuning): Fine-tuning corpora are supply chain artifacts. We cover the provenance signals, attestations, and drift controls enterp
- [npm Provenance: Adoption Tracking in Late 2025](https://safeguard.sh/resources/blog/npm-provenance-adoption-tracking-late-2025): Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture acros
- [AI-Generated SBOMs: How Accurate Are They?](https://safeguard.sh/resources/blog/ai-generated-sboms-accuracy-assessment): LLMs can now generate SBOMs from source code and documentation. We tested five AI SBOM generators against traditional to
- [Automating Open Source License Compliance: From Manual Audits to Continuous Enforcement](https://safeguard.sh/resources/blog/open-source-license-compliance-automation): Manual license audits cannot keep pace with modern dependency trees. Automated license detection, policy enforcement, an
- [WebAssembly WASI Security Model in 2025](https://safeguard.sh/resources/blog/webassembly-wasi-security-model-2025): A technical look at WASI Preview 2, the component model, and capability-based isolation for running untrusted code insid
- [Software Provenance: An End-to-End Guide](https://safeguard.sh/resources/blog/software-provenance-end-to-end-guide): Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance trackin
- [The Complete Guide to Dependency Lifecycle Management](https://safeguard.sh/resources/blog/dependency-lifecycle-management-guide): Dependencies are not static.
They are born, maintained, deprecated, and abandoned. Here is how to manage the full lifecy
- [DHS Software Assurance Guidance: A Review](https://safeguard.sh/resources/blog/dhs-software-assurance-guidance-2025): CISA and DHS's October 2025 software assurance guidance refines federal expectations on SBOMs, attestation, and secure-b
- [Open Source Vulnerability Databases Compared: NVD, OSV, GitHub Advisory, and More](https://safeguard.sh/resources/blog/open-source-vulnerability-database-comparison): Not all vulnerability databases are created equal. A detailed comparison of coverage, timeliness, accuracy, and practica
- [RAG Poisoning: Defenses That Work](https://safeguard.sh/resources/blog/retrieval-augmented-generation-poisoning-defenses): Retrieval-augmented generation is the most common LLM deployment pattern in the enterprise and the most commonly poisone
- [Embedding Model Supply Chain Risks](https://safeguard.sh/resources/blog/embedding-model-supply-chain-risks): Embedding models are the silent dependency under every RAG system. We cover poisoning, deprecation, and provenance gaps
- [ISO 27001:2022 Transition Deadline: The Approach](https://safeguard.sh/resources/blog/iso-27001-2022-transition-deadline-approach): The October 31, 2025 ISO/IEC 27001:2022 transition deadline is weeks away. Here's what auditors will look for in Annex A
- [Introducing Safeguard Guardrails: Automated Policy Enforcement for Your Supply Chain](https://safeguard.sh/resources/blog/safeguard-guardrails-feature-release): Safeguard Guardrails brings automated, configurable policy enforcement to your software supply chain. Define rules once,
- [CVSS 4.0 Scoring Adoption: What Changed](https://safeguard.sh/resources/blog/cvss-4-0-scoring-adoption-review): Two years after CVSS 4.0's release, adoption remains uneven.
Here is where scoring really changed, where it did not, and
- [CISA's Software Identification Ecosystem: What You Need to Know](https://safeguard.sh/resources/blog/cisa-software-identification-ecosystem): CISA is building a comprehensive software identification ecosystem that ties SBOMs, vulnerabilities, and procurement tog
- [Prisma Cloud vs Wiz: Supply Chain Features](https://safeguard.sh/resources/blog/prisma-cloud-vs-wiz-supply-chain-features): Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what
- [Container SBOM Generation: Best Practices for 2025](https://safeguard.sh/resources/blog/container-sbom-generation-best-practices): Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accu
- [Supply Chain Attack Trends: Q3 2025](https://safeguard.sh/resources/blog/supply-chain-attack-trends-q3-2025): A data-led look at software supply chain attacks in Q3 2025: npm maintainer phishing, VS Code extension abuse, and a qui
- [Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore](https://safeguard.sh/resources/blog/software-attestation-framework-comparison): Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in
- [TLS Library Comparison: OpenSSL vs. LibreSSL vs. BoringSSL](https://safeguard.sh/resources/blog/tls-library-comparison-openssl-libressl-boringssl): Three forks of the same codebase, three different security philosophies.
Here is how to choose the right TLS library for
- [VEX Adoption in the Enterprise: Lessons From Early Adopters](https://safeguard.sh/resources/blog/vex-adoption-enterprise-case-studies): Vulnerability Exploitability eXchange documents promise to reduce alert fatigue by distinguishing exploitable vulnerabil
- [AI Agent Memory: Security Risks](https://safeguard.sh/resources/blog/ai-agent-memory-security-risks): Persistent memory makes AI agents more useful and more dangerous. A security engineer's walkthrough of how agent memory
- [The HIPAA Security Rule Update and Your Supply Chain](https://safeguard.sh/resources/blog/hipaa-security-rule-update-supply-chain): HHS's December 2024 NPRM rewrites the HIPAA Security Rule with explicit software supply chain, SBOM, and business associ
- [Vector DB Security Considerations](https://safeguard.sh/resources/blog/vector-db-security-considerations-2025): Vector stores hold derivatives of your most sensitive text. We cover the access, isolation, and integrity controls produ
- [SBOM Interoperability: Bridging CycloneDX and SPDX](https://safeguard.sh/resources/blog/sbom-interoperability-cyclonedx-spdx-bridge): Your suppliers send SPDX. Your tools expect CycloneDX. Interoperability between SBOM formats is a real operational chall
- [CNAPPs in 2025: What Cloud-Native Application Protection Platforms Actually Protect](https://safeguard.sh/resources/blog/cloud-native-application-protection-platforms): CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities.
A clear-ey
- [GenAI Code Review Tools: A 2025 Field Test](https://safeguard.sh/resources/blog/genai-code-review-tools-field-test-2025): We field-tested five GenAI code review tools against 240 seeded security defects to see which catch real issues and whic
- [Supply Chain Attacks Targeting AI/ML Pipelines](https://safeguard.sh/resources/blog/supply-chain-attacks-targeting-ai-ml-pipelines): AI and ML pipelines introduce unique supply chain risks -- from poisoned training data to compromised model registries.
- [Open-Weight Model Sandboxing Patterns](https://safeguard.sh/resources/blog/open-weight-model-sandboxing-patterns): Running an open-weight model inside an enterprise perimeter seems safer than calling a hosted API. It is, and it isn't.
- [Safeguard Desktop App: Supply Chain Security Without the Browser Tab](https://safeguard.sh/resources/blog/safeguard-desktop-app-release): Announcing the Safeguard Desktop App -- a native application for macOS, Windows, and Linux that brings SBOM management,
- [How to Add Reachability Analysis to PR Checks](https://safeguard.sh/resources/blog/how-to-add-reachability-analysis-to-pr-checks): Run reachability analysis on every pull request to slash vulnerability false positives by 70%+, gate merges on exploitab
- [Runtime Threat Detection in Cloud-Native Environments](https://safeguard.sh/resources/blog/runtime-threat-detection-cloud-native): Static analysis catches known vulnerabilities. Runtime detection catches exploitation. Here is how to implement runtime
- [EU NIS2 Directive: Enforcement at One Year](https://safeguard.sh/resources/blog/eu-nis2-directive-enforcement-first-year): Twelve months after the NIS2 transposition deadline, enforcement is uneven, fines are real, and software supply chain ob
- [Local LLM Deployment: Enterprise Risks](https://safeguard.sh/resources/blog/local-llm-deployment-enterprise-risks): Running LLMs on local hardware eliminates some risks and introduces others.
A clear-eyed look at the enterprise risk pro
- [Open Source Maintainer Succession Planning: A Supply Chain Imperative](https://safeguard.sh/resources/blog/open-source-maintainer-succession-planning): When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession pl
- [Binary SBOM Analysis: Creating Software Bills of Materials Without Source Code](https://safeguard.sh/resources/blog/binary-sbom-analysis-reverse-engineering): Not all software comes with source code. Binary analysis techniques can extract component information from compiled arti
- [Supply Chain Security Budget Justification](https://safeguard.sh/resources/blog/security-budget-justification-supply-chain-program): How to build a budget case for a supply chain security program that survives CFO scrutiny, with dollar-denominated risk,
- [SBOM Quality Metrics: Moving Beyond Completeness](https://safeguard.sh/resources/blog/sbom-quality-metrics-beyond-completeness): Most SBOM quality discussions stop at completeness. Real quality requires measuring accuracy, freshness, depth, and acti
- [Rust Memory Safety: A CVE Trend Analysis](https://safeguard.sh/resources/blog/rust-memory-safety-cve-trend-analysis): Analysis of CVE data across Rust crates and std releases, measuring how memory safety affects vulnerability shape, densi
- [Reachability Analysis in 2025: Separating Exploitable Vulnerabilities from Noise](https://safeguard.sh/resources/blog/reachability-analysis-state-of-the-art-2025): Reachability analysis determines whether a vulnerable function is actually called by your application. The technology ha
- [Citrix Bleed 2: Analysis and Mitigation](https://safeguard.sh/resources/blog/citrix-bleed-2-analysis): CVE-2025-5777 revived the memory-leak pattern that broke NetScaler in 2023.
Here is what the 2025 variant does, who is e
- [Securing AI Agents: MCP Protocol Risks and Mitigations](https://safeguard.sh/resources/blog/securing-ai-agents-mcp-protocol-risks): The Model Context Protocol is transforming how AI agents interact with tools, but it introduces new attack surfaces. Her
- [Artifactory vs Nexus for Enterprise in 2025](https://safeguard.sh/resources/blog/artifactory-vs-nexus-enterprise-2025): JFrog Artifactory and Sonatype Nexus both remain viable enterprise artifact repositories in 2025. A head-to-head on scal
- [The CVE Program Funding Crisis: What Happened and What It Means](https://safeguard.sh/resources/blog/cve-program-funding-crisis-and-resolution): The CVE program nearly lost its funding in early 2025, exposing deep structural risks in how we track vulnerabilities. H
- [MGM Ransomware One Year Later: A Retrospective](https://safeguard.sh/resources/blog/mgm-ransomware-one-year-later-retrospective): A 2025 retrospective on the September 2023 MGM Resorts ransomware incident, what changed, what stalled, and how supply c
- [Software Supply Chain Attacks: H1 2025 Report](https://safeguard.sh/resources/blog/software-supply-chain-attacks-h1-2025-report): A data-driven breakdown of supply chain attacks from January through June 2025, covering attack vectors, targeted ecosys
- [Compliance Reporting with Safeguard: From Raw Data to Audit-Ready Documents](https://safeguard.sh/resources/blog/safeguard-compliance-reporting-guide): How to use Safeguard's compliance reporting engine to generate audit-ready documentation for SOC 2, ISO 27001, NIST SSDF
- [Introducing the Safeguard MCP Server: AI-Native Software Supply Chain Security](https://safeguard.sh/resources/blog/safeguard-mcp-server-release): Safeguard.sh launches its MCP Server, bringing software supply chain security directly into AI-powered development workf
- [Japan AMED Software Supply Chain Guidance Overview](https://safeguard.sh/resources/blog/japan-amed-software-supply-chain-guidance): Japan's AMED, METI, and PMDA guidance now converges on SBOMs and supply chain controls, reshaping how medical and indust
- [Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning](https://safeguard.sh/resources/blog/open-source-risk-intelligence-platform): Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate mainta
- [Kubernetes 1.33 Security Deep Dive](https://safeguard.sh/resources/blog/kubernetes-1-33-security-deep-dive): Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization
- [Safeguard Griffin AI: Autonomous Vulnerability Remediation That Actually Works](https://safeguard.sh/resources/blog/safeguard-griffin-ai-autonomous-remediation): Griffin AI moves beyond scan-and-alert to autonomously generate, test, and propose vulnerability fixes. How Safeguard's
- [Runbooks for Dependency Disclosure Events](https://safeguard.sh/resources/blog/runbooks-for-dependency-disclosure-events): Detailed runbooks for responding to dependency CVE disclosures across languages and ecosystems, with roles, commands, an
- [AI SBOMs and Model Cards: Building Transparency Into the AI Supply Chain](https://safeguard.sh/resources/blog/ai-sbom-model-cards-transparency-2025): As AI models become critical software components, the need for AI-specific SBOMs and model cards grows urgent. How the i
- [How Safeguard Auto-Fix Actually Works Under the Hood](https://safeguard.sh/resources/blog/safeguard-auto-fix-how-it-works): A technical breakdown of Safeguard's automated vulnerability remediation engine, from dependency resolution to pull requ
- [OWASP ASVS 5.0 Adoption Guide](https://safeguard.sh/resources/blog/owasp-asvs-5-0-adoption-guide): OWASP ASVS 5.0 restructured the verification levels and added new requirements for modern stacks.
A practical adoption g - [Software Supply Chain Security Maturity: Where Does Your Organization Stand?](https://safeguard.sh/resources/blog/software-supply-chain-maturity-assessment): Most organizations know they should care about software supply chain security, but few have a structured way to assess t - [Service Mesh for Supply Chain Policy Enforcement](https://safeguard.sh/resources/blog/service-mesh-supply-chain-policy-enforcement): Using Istio, Linkerd, and Cilium service mesh to enforce signed-artifact, SPIFFE identity, and provenance-aware policy i - [Safeguard IDE Extension v5: Security Feedback Where Developers Actually Work](https://safeguard.sh/resources/blog/safeguard-ide-extension-v5-deep-dive): The Safeguard IDE Extension v5 brings SBOM generation, vulnerability alerts, and policy checks directly into VS Code and - [Enterprise Rails Security Audit: 2025 Field Notes](https://safeguard.sh/resources/blog/enterprise-ruby-on-rails-security-audit-2025): After 14 Rails audits in the last 12 months, the same eight issues kept surfacing. Here's the 2025 field checklist for R - [Coinbase Social Engineering and Insider Threat: How Bribed Support Agents Led to a $400M Breach](https://safeguard.sh/resources/blog/coinbase-social-engineering-insider-threat): Attackers bribed overseas Coinbase support agents to steal customer data, then demanded a $20M ransom. Coinbase refused - [Vulnerability Prioritization in 2025: EPSS, VEX, and the End of CVSS-Only Triage](https://safeguard.sh/resources/blog/vulnerability-prioritization-epss-vex-2025): CVSS scores alone cannot tell you what to patch first. EPSS exploit prediction and VEX documents are reshaping how matur - [Dior Customer Data Breach 2025: Luxury Fashion's Cybersecurity Problem](https://safeguard.sh/resources/blog/dior-customer-data-breach-2025): Christian Dior disclosed a breach exposing customer personal data in May 2025. 
The luxury sector's data protection chall - [Choosing a Private Package Registry in 2025](https://safeguard.sh/resources/blog/choosing-a-private-package-registry-2025): A 2025 buyer's guide comparing JFrog Artifactory, Sonatype Nexus, GitHub Packages, Google Artifact Registry, and Cloudsm - [Enterprise Software Supply Chain Management with Safeguard ESSCM](https://safeguard.sh/resources/blog/safeguard-esscm-enterprise-guide): A practical guide to implementing Safeguard's Enterprise Software Supply Chain Management framework across large organiz - [Container Hardening Guide 2025: From Base Image to Production](https://safeguard.sh/resources/blog/container-hardening-guide-2025): A practical guide to hardening container images and deployments. Covers base image selection, build-time security, runti - [Harrods Cyber Attack: The UK Retail Sector Under Sustained Assault](https://safeguard.sh/resources/blog/harrods-cyber-attack-retail-sector): Harrods became the third major UK retailer hit by cyber attacks in weeks, following M&S and Co-op. The pattern points to - [Commvault CVE-2025-34028: SSRF to RCE in Enterprise Backup Software](https://safeguard.sh/resources/blog/commvault-cve-2025-34028-ssrf-rce): A critical SSRF vulnerability in Commvault Command Center allowed unauthenticated attackers to achieve remote code execu - [AWS Service-Linked Role Abuse Techniques, 2025](https://safeguard.sh/resources/blog/aws-service-linked-role-abuse-techniques): Service-linked roles are the soft underbelly of AWS IAM. We catalogue the 2024-2025 abuse primitives and the detection q - [Audio Processing Library Vulnerabilities: The Sound of Exploitation](https://safeguard.sh/resources/blog/audio-processing-library-vulnerabilities): Audio libraries parse complex binary formats in C code. 
They share the same vulnerability patterns as image and video co - [Nova Scotia Power Cyber Incident: When Critical Infrastructure Gets Hit](https://safeguard.sh/resources/blog/nova-scotia-power-cyber-incident): Nova Scotia Power disclosed a cyber incident in April 2025 that compromised customer data. The attack highlights the per - [SAP NetWeaver CVE-2025-31324: Unrestricted File Upload Zero-Day](https://safeguard.sh/resources/blog/sap-netweaver-cve-2025-31324-zero-day): A critical file upload vulnerability in SAP NetWeaver Visual Composer was exploited to deploy web shells on enterprise S - [Marks & Spencer DragonForce Ransomware Attack: Retail Giant Brought to Its Knees](https://safeguard.sh/resources/blog/marks-spencer-dragonforce-ransomware): The April 2025 ransomware attack on M&S disrupted online orders for weeks, wiped out hundreds of millions in market valu - [DevSecOps Tools Comparison 2025: Choosing the Right Stack](https://safeguard.sh/resources/blog/devsecops-tools-comparison-2025): The DevSecOps tooling landscape has exploded. From SAST to SCA to SBOM management, this guide compares the major categor - [Safeguard Portal Deep Dive: Navigating the Security Dashboard](https://safeguard.sh/resources/blog/safeguard-portal-deep-dive): A comprehensive walkthrough of the Safeguard.sh portal, covering every panel, metric, and workflow that security teams u - [Erlang/OTP SSH CVE-2025-32433: Unauthenticated RCE Scoring 10.0](https://safeguard.sh/resources/blog/erlang-otp-ssh-cve-2025-32433-rce): A maximum-severity vulnerability in Erlang/OTP's SSH server allowed unauthenticated remote code execution. Any system ru - [Rust Supply Chain: cargo-vet Expansion in 2025](https://safeguard.sh/resources/blog/rust-supply-chain-cargo-vet-expansion-2025): Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. 
Here's how to adopt it without dr - [Windows NTLM Hash Disclosure CVE-2025-24054: The Protocol That Won't Die](https://safeguard.sh/resources/blog/windows-ntlm-hash-disclosure-cve-2025-24054): CVE-2025-24054 leaks NTLM hashes through .library-ms files with minimal user interaction. Microsoft patched it in April - [How to Test Your Signing Pipeline End to End](https://safeguard.sh/resources/blog/how-to-test-your-signing-pipeline-end-to-end): Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that - [Software Transparency Goes Global: Regulatory Developments in 2025](https://safeguard.sh/resources/blog/software-transparency-global-regulations-2025): From the EU Cyber Resilience Act to Japan's software security guidelines, governments worldwide are mandating software t - [Bounty Program Scoping for Dependencies](https://safeguard.sh/resources/blog/bounty-program-scoping-for-dependencies): How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on - [CrushFTP CVE-2025-31161: Authentication Bypass Exploited in the Wild](https://safeguard.sh/resources/blog/crushftp-cve-2025-31161-authentication-bypass): A critical authentication bypass in CrushFTP allowed unauthenticated access to file transfer servers. Exploitation was o - [MCP Server Authentication and Authorization: Securing the AI Tool Layer](https://safeguard.sh/resources/blog/mcp-server-authentication-authorization): The Model Context Protocol enables AI agents to interact with external tools and data sources. 
Securing MCP servers requ - [Ivanti Connect Secure CVE-2025-22457: Another Critical Zero-Day, Same Product](https://safeguard.sh/resources/blog/ivanti-connect-secure-cve-2025-22457): A stack-based buffer overflow in Ivanti Connect Secure was exploited by Chinese threat actors just months after the prev - [npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers](https://safeguard.sh/resources/blog/supply-chain-attacks-npm-2025-q1): The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze t - [Supply Chain Security Metrics for Executive Reporting](https://safeguard.sh/resources/blog/supply-chain-security-metrics-executive-reporting): A field-tested board-level metrics framework for supply chain security, covering MTTR, reachable risk, SBOM coverage, an - [PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem](https://safeguard.sh/resources/blog/pypi-malicious-packages-2025-report): PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development work - [Oracle Critical Control Baseline: Regulatory Impact](https://safeguard.sh/resources/blog/oracle-ccb-regulatory-impact-analysis): Oracle's February 2025 Critical Control Baseline for critical infrastructure customers reshapes SCRM obligations. Here's - [Chrome Zero-Day CVE-2025-2783: Sandbox Escape Used in Espionage Campaign](https://safeguard.sh/resources/blog/chrome-zero-day-cve-2025-2783-kaspersky): Kaspersky discovered a Chrome zero-day being exploited in a targeted espionage campaign dubbed Operation ForumTroll. The - [Next.js Middleware Authorization Bypass: CVE-2025-29927](https://safeguard.sh/resources/blog/next-js-middleware-cve-2025-29927): A critical flaw in Next.js allowed attackers to bypass middleware-based authorization by setting a single HTTP header. 
A - [Scattered Spider 2025: How the Most Dangerous Social Engineering Group Evolved](https://safeguard.sh/resources/blog/scattered-spider-2025-evolution): Scattered Spider adapted its tactics in 2025, moving beyond casino hacks to target retail, healthcare, and manufacturing - [Confidential Computing in Supply Chain Integration](https://safeguard.sh/resources/blog/confidential-computing-supply-chain-integration): How Intel TDX, AMD SEV-SNP, and AWS Nitro enclaves plug into build and signing pipelines, with attestation flows and ope - [CISA KEV Catalog in 2025: What the Data Tells Us About Real-World Exploitation](https://safeguard.sh/resources/blog/cisa-known-exploited-vulnerabilities-2025-update): The CISA Known Exploited Vulnerabilities catalog has become the definitive list of actively exploited flaws. An analysis - [GitHub Actions Supply Chain Attack: The tj-actions/changed-files Compromise](https://safeguard.sh/resources/blog/github-actions-supply-chain-attack-tj-actions): Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affect - [FedRAMP Continuous Monitoring Automation Playbook](https://safeguard.sh/resources/blog/fedramp-continuous-monitoring-automation-2025): FedRAMP 20x demands real-time ConMon. Here's how to automate monthly POA&M, vulnerability deviation, and SBOM attestatio - [Apple WebKit Zero-Day CVE-2025-24201: Out-of-Bounds Write Exploited in the Wild](https://safeguard.sh/resources/blog/apple-webkit-zero-day-cve-2025-24201): Apple patched CVE-2025-24201, a WebKit zero-day that allowed sandbox escape through malicious web content. Here's the te - [PyPI Attestation Requirements: A Roadmap Read](https://safeguard.sh/resources/blog/pypi-attestation-requirements-roadmap): PEP 740 brings Sigstore-style attestations to PyPI. 
A close read of the roadmap, what's actually shipped, and what it me - [AI Agent Tool Calling Security: Risks and Mitigations](https://safeguard.sh/resources/blog/ai-agent-tool-calling-security): AI agents that call tools -- APIs, databases, file systems, code interpreters -- convert non-deterministic LLM output in - [Open Source Security Census 2025: Who Maintains the Code We All Depend On?](https://safeguard.sh/resources/blog/open-source-security-census-2025): An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, - [Video Codec Supply Chain Risks: The Hidden Attack Surface in Media Libraries](https://safeguard.sh/resources/blog/video-codec-supply-chain-risks): Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make t - [AI Agent Frameworks: A Security Assessment of the New Autonomous Frontier](https://safeguard.sh/resources/blog/ai-agent-frameworks-security-assessment): AI agents that can execute code, browse the web, and manage infrastructure are proliferating. The security implications - [How to Monitor Go Module Substitution Attacks](https://safeguard.sh/resources/blog/how-to-monitor-go-module-substitution-attacks): Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitori - [Broadcom VMware Zero-Days March 2025: ESXi, Workstation, and Fusion Under Active Attack](https://safeguard.sh/resources/blog/broadcom-vmware-zero-days-march-2025): Three VMware zero-days exploited in the wild in March 2025 let attackers escape virtual machine sandboxes. 
Broadcom patc - [Paragon Partition Manager BYOVD: CVE-2025-0289 Kernel-Level Exploitation](https://safeguard.sh/resources/blog/paragon-partition-manager-cve-2025-0289): Five vulnerabilities in Paragon Partition Manager's kernel driver were exploited in BYOVD attacks, allowing attackers to - [LLM-Augmented Bug Discovery Methodology](https://safeguard.sh/resources/blog/llm-augmented-bug-discovery-methodology): A practitioner's methodology for using LLMs to augment — not replace — traditional bug discovery workflows, with pattern - [Software Supply Chain Security: An Executive Guide for 2025](https://safeguard.sh/resources/blog/supply-chain-security-executive-guide-2025): Software supply chain attacks have surged 742% since 2019. This guide cuts through the noise to explain what executives - [GitLab CI/CD Security Hardening for 2025](https://safeguard.sh/resources/blog/gitlab-cicd-security-hardening-2025): A practical hardening playbook for GitLab 17.8 covering runner isolation, OIDC federation, CI variable scoping, and prot - [Juniper Router CVE-2025-21589: Authentication Bypass That Puts Network Perimeters at Risk](https://safeguard.sh/resources/blog/juniper-router-cve-2025-21589-auth-bypass): A critical authentication bypass in Juniper's Session Smart Router lets remote attackers hijack admin sessions. Here's w - [MCP Protocol Security: What the Model Context Protocol Means for Supply Chains](https://safeguard.sh/resources/blog/mcp-protocol-security-implications): Anthropic's Model Context Protocol standardizes how AI models interact with external tools. 
The security implications fo - [Qilin Ransomware Group: Dissecting a Rising Threat Actor](https://safeguard.sh/resources/blog/qilin-ransomware-group-analysis): Qilin has rapidly become one of the most active ransomware operations, targeting healthcare, manufacturing, and critical - [Microsoft Power Pages CVE-2025-24989: Privilege Escalation in Low-Code Platforms](https://safeguard.sh/resources/blog/microsoft-power-pages-cve-2025-24989): Microsoft patched an actively exploited privilege escalation vulnerability in Power Pages, its low-code web platform. Th - [Canadian Cyber Centre Supply Chain Guidance](https://safeguard.sh/resources/blog/canadian-cyber-center-supply-chain-guidance): The CCCS's 2024-2025 supply chain guidance and Bill C-26 reshape Canada's expectations for SBOMs, vendor assurance, and - [Python Cython Extensions and the Supply Chain](https://safeguard.sh/resources/blog/python-cython-extensions-supply-chain): Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces su - [Palo Alto PAN-OS Authentication Bypass: CVE-2025-0108](https://safeguard.sh/resources/blog/palo-alto-pan-os-cve-2025-0108-auth-bypass): A path traversal flaw in Palo Alto Networks PAN-OS management web interface allowed unauthenticated access to sensitive - [AI Deepfake Phishing Campaigns in 2025: When Seeing and Hearing Isn't Believing](https://safeguard.sh/resources/blog/ai-deepfake-phishing-campaigns-2025): AI-generated voice and video deepfakes powered a new wave of phishing campaigns in early 2025. The technology is cheap, - [AI Code Assistants and Security: The Hidden Risks in 2025](https://safeguard.sh/resources/blog/ai-code-assistants-security-implications-2025): AI coding assistants are generating millions of lines of production code. 
But they also introduce dependency hallucinati - [2025 Bug Bounty Program Reforms: What Changed](https://safeguard.sh/resources/blog/cve-2025-bug-bounty-program-reform): From Microsoft's AI bounty expansion to the EU CRA's good-faith researcher protections, bug bounty rules of engagement s - [Zyxel Router Command Injection: CVE-2024-40891 Exploited in the Wild](https://safeguard.sh/resources/blog/zyxel-router-cve-2024-40891-exploitation): Threat actors began mass-exploiting a Telnet-based command injection flaw in Zyxel CPE routers, with over 1,500 devices - [How to Run Grype in Offline/Airgap Environments](https://safeguard.sh/resources/blog/how-to-run-grype-in-offline-airgap-environments): A hands-on tutorial for running Grype vulnerability scans in offline and airgapped environments, including vulnerability - [SonicWall SMA 1000 Zero-Day: CVE-2025-23006 Pre-Auth RCE](https://safeguard.sh/resources/blog/sonicwall-sma-cve-2025-23006-zero-day): SonicWall disclosed CVE-2025-23006, a critical deserialization vulnerability in its SMA 1000 series gateways that was ac - [Exploit Chaining: A Supply Chain Perspective](https://safeguard.sh/resources/blog/exploit-chaining-supply-chain-perspective): How attackers chain low and medium severity flaws across dependencies to reach critical impact, and why supply chain con - [PyPI Organization Accounts: The Security Model](https://safeguard.sh/resources/blog/pypi-organization-accounts-security-model): PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at th - [Prompt Injection as a Supply Chain Risk: When AI Dependencies Are Exploitable](https://safeguard.sh/resources/blog/prompt-injection-supply-chain-risks): Prompt injection is not just an application vulnerability. 
When LLMs process content from the software supply chain -- p - [Citrix NetScaler CVE-2025 Vulnerabilities: Another Year, Another Gateway Crisis](https://safeguard.sh/resources/blog/citrix-netscaler-cve-2025-vulnerabilities): Citrix NetScaler started 2025 with multiple critical CVEs affecting ADC and Gateway products. We break down the technica - [The SBOM Compliance Landscape in 2025: What You Need to Know](https://safeguard.sh/resources/blog/sbom-compliance-landscape-2025): From the US Executive Order to the EU Cyber Resilience Act, SBOM requirements are becoming law. Here is where things sta - [DORA Operational Resilience: Software Implications](https://safeguard.sh/resources/blog/dora-operational-resilience-software-implications): DORA became fully applicable January 17, 2025. Here's what Articles 6, 8, 28, and the ICT third-party RTS mean for the s - [Medusa Ransomware: How Supply Chain Tactics Fuel a Growing Threat](https://safeguard.sh/resources/blog/medusa-ransomware-supply-chain-tactics): Medusa ransomware has evolved beyond traditional encryption schemes, leveraging supply chain compromise to infiltrate vi - [Salt Typhoon Telco Intrusion: What We Know](https://safeguard.sh/resources/blog/salt-typhoon-telco-intrusion-analysis): Salt Typhoon breached at least nine U.S. carriers, exposing lawful intercept systems. 
We unpack the attack chain and wha - [Fog Ransomware: Why the Education Sector Keeps Getting Hit](https://safeguard.sh/resources/blog/fog-ransomware-education-sector-attacks): Fog ransomware has carved a niche targeting schools and universities, exploiting chronic underfunding and SonicWall VPN - [Fortinet FortiGate Authentication Bypass: CVE-2024-55591 Explained](https://safeguard.sh/resources/blog/fortinet-fortigate-auth-bypass-cve-2024-55591): A critical authentication bypass in FortiOS and FortiProxy allowed attackers to gain super-admin privileges via crafted - [Ivanti Connect Secure Zero-Day: CVE-2025-0282 Under Active Exploitation](https://safeguard.sh/resources/blog/ivanti-connect-secure-cve-2025-0282-zero-day): A stack-based buffer overflow in Ivanti Connect Secure allowed unauthenticated remote code execution. Chinese threat act - [Safeguard 5.0: The Next Generation of Software Supply Chain Security](https://safeguard.sh/resources/blog/safeguard-v5-release-announcement): Safeguard 5.0 introduces Griffin AI, expanded SBOM analysis, and a redesigned policy engine. Here is what is new and why - [Space Industry Software Supply Chain: Emerging Reality](https://safeguard.sh/resources/blog/space-industry-software-supply-chain-emerging): COTS software, mega-constellations, and export controls are colliding. The space sector's software supply chain risk is - [Zoom Incidents: Software Supply Chain Dimensions](https://safeguard.sh/resources/blog/zoom-incidents-software-supply-chain-dimensions): Zoom's security history from 2020 onward reshaped how the industry thinks about conferencing software supply chains, fro - [End-of-Year Security Planning: Setting Up Next Year for Success](https://safeguard.sh/resources/blog/end-of-year-security-planning-guide): The end of the year is when security programs are made or broken. 
Here is how to conduct an effective annual security re - [Data Pipeline Platform Migration Security](https://safeguard.sh/resources/blog/data-pipeline-platform-migration-security): Moving from one orchestration platform to another surfaces hidden trust relationships. A security-first migration plan f - [Digital Health HIPAA Supply Chain Intersection](https://safeguard.sh/resources/blog/digital-health-hipaa-supply-chain-intersection): Digital health startups collide with HIPAA obligations as soon as they touch clinical data. A regulatory map of the supp - [Fulcio Certificate Lifecycle: Enterprise View](https://safeguard.sh/resources/blog/fulcio-certificate-lifecycle-enterprise): Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are is - [Software Supply Chain Security in 2024: A Year in Review](https://safeguard.sh/resources/blog/software-supply-chain-security-2024-year-review): From the CrowdStrike outage to state-sponsored npm campaigns and regulatory milestones, 2024 was the year supply chain s - [eBPF Security Controls: A Production Experience Report](https://safeguard.sh/resources/blog/ebpf-security-controls-production-experience): Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhe - [Post-Incident Vendor Coordination](https://safeguard.sh/resources/blog/post-incident-vendor-coordination): When a vendor's incident affects you, the coordination work between their IR team and your ops becomes its own project. - [Reproducible Builds Debian: The Long View](https://safeguard.sh/resources/blog/reproducible-builds-debian-long-view): Debian's Reproducible Builds project has been at it for over a decade. 
Here's what they've learned, what still isn't rep - [Software Supply Chain Security Predictions for 2025](https://safeguard.sh/resources/blog/supply-chain-security-predictions-2025): From AI-generated code risks to regulatory enforcement and package manager security evolution, here are the trends that - [The 2024 End-of-Year Vulnerability Disclosure Report](https://safeguard.sh/resources/blog/end-of-year-vulnerability-disclosure-report-2024): A look back at vulnerability disclosure in 2024: counts, severity distribution, time-to-patch, and the handful of incide - [MITRE ATT&CK Meets SSDF: A Mapping](https://safeguard.sh/resources/blog/mitre-attack-meets-ssdf-mapping): ATT&CK describes how adversaries operate; SSDF describes how to build software that resists them. Here's how to map adve - [OpenTelemetry for Supply Chain Traces: Instrumenting the Pipeline](https://safeguard.sh/resources/blog/opentelemetry-for-supply-chain-traces): How OpenTelemetry turns CI/CD pipelines into a traceable, queryable graph that exposes supply chain risk from source con - [RubyGems Reserved Namespace Claims](https://safeguard.sh/resources/blog/rubygems-reserved-namespace-claims): A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, a - [Rust Embedded Supply Chain Guide](https://safeguard.sh/resources/blog/rust-embedded-supply-chain-guide): Rust is moving into embedded production fast. The supply chain shape for firmware is different from server-side Rust — s - [Azure Sentinel for Supply Chain Detection](https://safeguard.sh/resources/blog/azure-sentinel-supply-chain-detection): Sentinel has everything it needs to detect supply chain attacks in Azure — but only if the analytics rules are tuned to - [BlackTech Firmware Supply Chain Operations](https://safeguard.sh/resources/blog/blacktech-firmware-supply-chain-operations): BlackTech's firmware implants in Cisco routers turned edge devices into long-dwell footholds. 
A look at the tradecraft a - [PyPI Download Statistics as a Security Signal](https://safeguard.sh/resources/blog/pypi-download-statistics-as-security-signal): PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read - [Vulnerability Exploitation Trends in 2024: What the Data Shows](https://safeguard.sh/resources/blog/vulnerability-exploitation-trends-2024): Analysis of 2024 vulnerability exploitation patterns reveals faster weaponization timelines, shifting target profiles, a - [Coordinated Disclosure Zero-Day Playbook](https://safeguard.sh/resources/blog/coordinated-disclosure-zero-day-playbook): A playbook for coordinated disclosure of zero-day vulnerabilities, covering timelines, stakeholder management, embargo d - [OSS Code of Conduct: Security Impact](https://safeguard.sh/resources/blog/oss-community-code-of-conduct-security-impact): Codes of conduct are not just social documents. They affect maintainer retention, contributor diversity, and ultimately - [Dev Machine Secrets: The Exfiltration Risks](https://safeguard.sh/resources/blog/dev-machine-secrets-exfiltration-risks): Engineer laptops are the softest target in most organizations. Here is a senior engineer's look at the real exfiltration - [Open Source Security Funding in 2024: Who Pays for the Code We All Depend On](https://safeguard.sh/resources/blog/open-source-security-funding-report-2024): Despite growing recognition that open source underpins critical infrastructure, security funding remains fragmented and - [Turborepo Monorepo Supply Chain Security](https://safeguard.sh/resources/blog/turborepo-monorepo-supply-chain-security): Turborepo makes large JavaScript monorepos fast, and speed changes how teams think about dependencies. 
The supply chain - [GCP Security Command Center Integration](https://safeguard.sh/resources/blog/gcp-security-command-center-integration): An industry-level look at integrating GCP Security Command Center with the rest of the security stack: which findings ar - [DevSecOps Automation Maturity in 2024: Where Teams Actually Stand](https://safeguard.sh/resources/blog/devsecops-automation-maturity-2024): Industry surveys and real-world data paint a sobering picture of DevSecOps automation maturity. Most organizations are s - [Hardening GitLab vs GitHub Default Settings](https://safeguard.sh/resources/blog/hardening-gitlab-vs-github-default-settings): GitLab and GitHub both ship with defaults that prioritize usability. A head-to-head on the specific hardening steps each - [Java SBOM Generation Tools Compared](https://safeguard.sh/resources/blog/java-supply-chain-sbom-generation-tools): Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their o - [Woodpecker CI Security Review](https://safeguard.sh/resources/blog/woodpecker-ci-security-review): A security review of Woodpecker CI, the community fork of Drone: runner isolation, secret handling, plugin ecosystem, an - [Container Security Best Practices for 2025: Beyond Image Scanning](https://safeguard.sh/resources/blog/container-security-best-practices-2025): Container security has evolved far past vulnerability scanning. Here is what mature container security programs look lik - [Crypto Exchange Supply Chain Hardening](https://safeguard.sh/resources/blog/crypto-exchange-supply-chain-hardening): Crypto exchanges are the highest-value software supply chain targets on the internet. 
A hardening playbook drawn from La - [Go Build Cache Poisoning Risks](https://safeguard.sh/resources/blog/go-build-cache-poisoning-risks): The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefini - [An npm Incident Response Playbook](https://safeguard.sh/resources/blog/npm-incident-response-playbook): When an npm package in your dependency graph is compromised at midnight, you need a playbook, not a brainstorm. Here is - [Mailchimp 2022-2023 Incidents: A Timeline](https://safeguard.sh/resources/blog/mailchimp-2022-2023-incidents-timeline): Mailchimp disclosed three social-engineering-driven intrusions in thirteen months; the timeline illustrates how repeated - [NYDFS 500 Meets SBOM Requirements](https://safeguard.sh/resources/blog/nydfs-500-meets-sbom-requirements): 23 NYCRR Part 500 was amended in 2023 with stronger third-party and vulnerability management language. For covered finan - [Zero Trust Principles Applied to the Software Supply Chain](https://safeguard.sh/resources/blog/zero-trust-software-supply-chain-2024): Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes ho - [Azure Monitor for Supply Chain Observability](https://safeguard.sh/resources/blog/azure-monitor-supply-chain-observability): Supply chain observability in Azure is not missing telemetry — it is missing the right queries. A walk through the Azure - [NIST CSF 2.0 Rollout: Field Observations](https://safeguard.sh/resources/blog/nist-csf-2-0-rollout-observations): NIST CSF 2.0 added the Govern function, broadened the target audience, and clarified supply chain expectations. Field ob - [NuGet Signed Packages Verification](https://safeguard.sh/resources/blog/nuget-signed-packages-verification): NuGet supports signed packages — author signatures, repository signatures, and verification modes. 
A practical guide to - [Secrets Rotation Across Microservices: A Playbook](https://safeguard.sh/resources/blog/secrets-rotation-across-microservices): A practical senior engineer's playbook for rotating secrets across microservices without downtime, drift, or the quiet c - [FIN7: Financial-Sector Supply Chain Tradecraft](https://safeguard.sh/resources/blog/fin7-financial-sector-supply-chain-tradecraft): FIN7 has spent a decade evolving from POS malware to supply chain operations. A look at the current tradecraft and the i - [Provenance Attestation Consumer Workflow](https://safeguard.sh/resources/blog/provenance-attestation-consumer-workflow): Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the secur - [The Software Composition Analysis Market in 2024: Consolidation and Evolution](https://safeguard.sh/resources/blog/software-composition-analysis-market-2024): The SCA market is maturing fast, with acquisitions, AI-powered analysis, and SBOM mandates reshaping the competitive lan - [Automotive ISO/SAE 21434: Supply Chain Implications](https://safeguard.sh/resources/blog/automotive-iso-21434-supply-chain-implications): ISO/SAE 21434 makes cybersecurity a type-approval requirement. Here is how the standard reshapes OEM and tier-N software - [Dataflow Analysis in Modern Codebases](https://safeguard.sh/resources/blog/dataflow-analysis-modern-codebases): Dataflow analysis is the workhorse behind most vulnerability research. 
Here's how it adapts to TypeScript, Rust, and the - [GCP Terraform Provider Security Review](https://safeguard.sh/resources/blog/gcp-terraform-provider-security-review): A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the m - [Migrating VPN to Zero Trust: Supply Chain](https://safeguard.sh/resources/blog/migrating-vpn-to-zero-trust-supply-chain): A phased playbook for retiring corporate VPN concentrators in favor of zero trust network access, with specific guidance - [Auditing Rust unsafe Code at Scale](https://safeguard.sh/resources/blog/rust-unsafe-code-audit-at-scale): How to actually audit unsafe blocks across a large Rust dependency graph without drowning in false positives or miss rea - [Security Team Topology for a Supply Chain Program](https://safeguard.sh/resources/blog/security-team-topology-supply-chain-program): How to structure a supply chain security program across AppSec, platform, TPRM, and incident response with clear ownersh - [Java Modules Supply Chain Security](https://safeguard.sh/resources/blog/java-modules-supply-chain-security): The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. 
What JPMS actually does for supply c
- [OpenSSF Launches SIREN: A Mailing List for Open Source Threat Intelligence](https://safeguard.sh/resources/blog/openssf-siren-mailing-list-launch): The Open Source Security Foundation introduces SIREN, a dedicated mailing list for sharing real-time threat intelligence
- [Play Ransomware: Supply Chain Exploitation Through Managed Service Providers](https://safeguard.sh/resources/blog/play-ransomware-supply-chain-exploitation): Play ransomware refined the MSP attack model, exploiting FortiOS and RDP vulnerabilities to cascade through managed serv
- [How to Build a Vulnerability SLA Dashboard](https://safeguard.sh/resources/blog/how-to-build-a-vulnerability-sla-dashboard): Track remediation SLAs across projects with a self-service dashboard that surfaces aging findings, breach risk, and team
- [Kata Containers Security Model Review](https://safeguard.sh/resources/blog/kata-containers-security-model-review): Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and
- [Grafana Loki for Build Pipeline Logs: Patterns That Scale](https://safeguard.sh/resources/blog/grafana-loki-build-pipeline-logs): Design a Loki-based log pipeline for CI/CD observability and supply chain forensics. Labels, retention, LogQL patterns,
- [Signing Python Wheels in Production](https://safeguard.sh/resources/blog/python-wheel-signing-production-guide): PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time
- [Code Signing Infrastructure Breach Response](https://safeguard.sh/resources/blog/code-signing-infrastructure-breach-response): A compromised signing key is the quietest crisis in security.
A concrete playbook for responding when your code signing
- [Cryptographic Bill of Materials (CBOM): The Next Frontier](https://safeguard.sh/resources/blog/cryptographic-bill-of-materials-cbom): Post-quantum cryptography migration requires knowing what cryptographic algorithms your software uses. CBOMs provide tha
- [Concourse CI Supply Chain Hardening](https://safeguard.sh/resources/blog/concourse-ci-supply-chain-hardening): A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source
- [Earthly Containerized Builds Supply Chain](https://safeguard.sh/resources/blog/earthly-containerized-builds-supply-chain): Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, wi
- [SBOM Quality Benchmarking: What We Found in 2024](https://safeguard.sh/resources/blog/sbom-quality-benchmarking-2024): We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised an
- [Palo Alto Expedition CVE-2024-9463: Command Injection in Migration Tool](https://safeguard.sh/resources/blog/palo-alto-expedition-cve-2024-9463): Critical command injection vulnerabilities in Palo Alto Networks Expedition tool exposed firewall credentials and config
- [AWS IAM Roles Anywhere and the Supply Chain](https://safeguard.sh/resources/blog/aws-iam-roles-anywhere-supply-chain): IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authent
- [JRuby Supply Chain Considerations](https://safeguard.sh/resources/blog/jruby-supply-chain-considerations): JRuby sits at the intersection of the Ruby and Java supply chains, and the security story reflects both.
A look at how J
- [Medusa Ransomware: How Supply Chain Infiltration Became Their Signature Move](https://safeguard.sh/resources/blog/medusa-ransomware-supply-chain-infiltration): Medusa ransomware operators have refined a playbook that targets managed service providers and software vendors as stepp
- [Fog Ransomware: Why Schools and Universities Are Under Siege](https://safeguard.sh/resources/blog/fog-ransomware-education-sector-targeting): Fog ransomware has carved a niche by targeting educational institutions — organizations with tight budgets, thin securit
- [Security Tool Consolidation: Doing More With Less Without Losing Coverage](https://safeguard.sh/resources/blog/security-tool-consolidation-strategy): The average enterprise runs 60-80 security tools. Most overlap, many go unused, and the integration tax exceeds the valu
- [Forking Strategy for Enterprise OSS](https://safeguard.sh/resources/blog/forking-strategy-for-enterprise-oss): Forking was once a last resort. In 2024 it became a standard response to license changes, governance failures, and stall
- [Font File Vulnerability History: When Typography Becomes an Exploit](https://safeguard.sh/resources/blog/font-file-vulnerability-history): Font parsing has been a goldmine for attackers. The history of font vulnerabilities reveals deep supply chain risks in e
- [NIST NVD Recovery: The New Consortium Reshaping Vulnerability Data](https://safeguard.sh/resources/blog/nist-nvd-recovery-new-consortium): After months of processing backlogs and community frustration, NIST announces a new consortium to modernize and sustain
- [Reachability Analysis: Cutting Through Vulnerability Noise](https://safeguard.sh/resources/blog/safeguard-reachability-analysis-launch): Not every vulnerability in your dependencies is exploitable.
Safeguard's reachability analysis determines whether vulner
- [Scoping a Vulnerability Bounty Program for Supply Chain](https://safeguard.sh/resources/blog/vulnerability-bounty-program-scoping-for-supply-chain): How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and
- [age + SOPS: A Git-Native Secrets Workflow](https://safeguard.sh/resources/blog/age-sops-git-native-secrets-workflow): How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real productio
- [EHR System Dependency Governance](https://safeguard.sh/resources/blog/ehr-system-dependency-governance): Electronic Health Record platforms carry decades of transitive dependencies. A practical governance model for hospitals,
- [Rust Procedural Macros: Security Risks](https://safeguard.sh/resources/blog/rust-procedural-macro-security-risks): Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most under
- [Buildkite Supply Chain Hardening](https://safeguard.sh/resources/blog/buildkite-supply-chain-hardening): A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token
- [Differential Testing for Supply Chain Vulns](https://safeguard.sh/resources/blog/differential-testing-supply-chain-vulnerabilities): Differential testing compares the behavior of multiple implementations of the same specification. In supply-chain work,
- [Foundation-Neutral Governance Evaluation](https://safeguard.sh/resources/blog/foundation-neutral-governance-evaluation): CNCF, Linux Foundation, Apache, Eclipse — each has a different governance model. A practical evaluation of what that mea
- [OpenSSF Scorecard Adoption Metrics: Late 2024](https://safeguard.sh/resources/blog/openssf-scorecard-adoption-metrics-2024): OpenSSF Scorecard crossed 1M scanned repos in October 2024.
We break down adoption, score drift, and which checks are ac
- [Cisco ASA and FTD CVE-2024-20481: Brute-Force DoS in VPN Services](https://safeguard.sh/resources/blog/cisco-asa-ftd-cve-2024-20481): CVE-2024-20481 in Cisco ASA and Firepower Threat Defense VPN services was actively exploited in large-scale brute-force
- [FortiJump: CVE-2024-47575 FortiManager Zero-Day Exploited at Scale](https://safeguard.sh/resources/blog/fortinet-fortimanager-cve-2024-47575): CVE-2024-47575, dubbed FortiJump, allowed unauthenticated attackers to execute commands on FortiManager devices. Mandian
- [Buck2 (Meta) Build Security Considerations](https://safeguard.sh/resources/blog/buck2-meta-build-security-considerations): A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote exec
- [Maven Release Plugin Hardening](https://safeguard.sh/resources/blog/maven-release-plugin-hardening): The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening st
- [On-Prem to Cloud Supply Chain Continuity](https://safeguard.sh/resources/blog/on-prem-to-cloud-supply-chain-continuity): A year inside a financial services cloud migration, and how to keep your software supply chain intact when everything el
- [React Native Supply Chain Risks in 2024](https://safeguard.sh/resources/blog/react-native-supply-chain-risks-2024): React Native bundles native modules, JavaScript dependencies, and CodePush-style OTA updates into one app.
The supply ch
- [Slack 2022-2023 Incidents: Operational Retrospective](https://safeguard.sh/resources/blog/slack-2022-2023-incidents-operational-retrospective): Slack disclosed a stolen-token incident over the 2022 holidays and a related GitHub repository access event; the operati
- [Typosquatting Meets AI: The New Threat of AI-Generated Package Names](https://safeguard.sh/resources/blog/typosquatting-ai-generated-package-names): AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This ne
- [AWS SSM Parameter Store Security](https://safeguard.sh/resources/blog/aws-ssm-parameter-store-security): Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time
- [FedRAMP Meets STIG: Practical Mapping](https://safeguard.sh/resources/blog/fedramp-meets-stig-mapping-practical): FedRAMP wants NIST 800-53 Rev 5 controls. DISA STIGs want hardening settings. The mapping between them is what determine
- [Package Registry Forensic Log Analysis](https://safeguard.sh/resources/blog/package-registry-forensic-log-analysis): Extracting investigative signal from package registry logs — publish events, download patterns, and account activity — d
- [Panther SIEM Supply Chain Rules: A Detection Engineering Playbook](https://safeguard.sh/resources/blog/panther-siem-supply-chain-rules): Write Panther Python detections that catch package poisoning, CI token abuse, and registry compromise.
Real rule example
- [CISA's SBOM Sharing Lifecycle: A Framework for Practical Adoption](https://safeguard.sh/resources/blog/cisa-sbom-sharing-lifecycle-2024): CISA releases updated guidance on SBOM sharing practices, addressing the full lifecycle from generation to consumption a
- [go generate Supply Chain Risks](https://safeguard.sh/resources/blog/go-generate-supply-chain-risks): go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in
- [SLSA Build Provenance for Python Publish](https://safeguard.sh/resources/blog/slsa-build-provenance-for-python-publish): Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and
- [State and Local Government SBOM Mandates](https://safeguard.sh/resources/blog/state-local-government-sbom-mandates): States and cities are adopting SBOM requirements faster than most vendors have noticed. A survey of where the mandates s
- [Security Testing for LLM-Powered Applications](https://safeguard.sh/resources/blog/llm-application-security-testing): Applications built on large language models introduce novel attack surfaces that traditional security testing does not c
- [CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them](https://safeguard.sh/resources/blog/safeguard-cyclonedx-spdx-dual-support): The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and le
- [dotnet restore Reproducibility Concerns](https://safeguard.sh/resources/blog/dotnet-restore-reproducibility-concerns): dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-determi
- [Azure App Service Deployment Security](https://safeguard.sh/resources/blog/azure-app-service-deployment-security): App Service deployments are easy, which is the problem.
A look at the deployment paths, credential surfaces, and hardeni
- [Kimsuky Developer Targeting Analysis](https://safeguard.sh/resources/blog/kimsuky-developer-targeting-analysis): Kimsuky has pivoted from diplomats to developers. A look at the tradecraft behind its supply-chain-flavored operations a
- [EU Cyber Resilience Act: Final Text Analysis and Compliance Roadmap](https://safeguard.sh/resources/blog/eu-cyber-resilience-act-final-text-analysis): The EU Cyber Resilience Act was finalized in 2024, mandating cybersecurity requirements and SBOMs for products with digi
- [How to Rotate Build Signing Keys Safely](https://safeguard.sh/resources/blog/how-to-rotate-build-signing-keys-safely): A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verificat
- [Ruby Native Extensions Supply Chain](https://safeguard.sh/resources/blog/ruby-native-extensions-supply-chain): Native C extensions are the most under-audited part of the Ruby supply chain: how they get built, what can go wrong, and
- [Docker Hub Rate Limit Changes and CI Impact](https://safeguard.sh/resources/blog/docker-hub-rate-limit-policy-changes-2024): Docker's 2024 rate-limit reforms hit CI pipelines hard.
Measured impact on 30 real build farms and the mirror and pull-t
- [GCP Pub/Sub Security Configuration](https://safeguard.sh/resources/blog/gcp-pub-sub-security-configuration): A working security configuration for GCP Pub/Sub: topic and subscription IAM, message encryption, VPC Service Controls,
- [Safeguard v3: Compliance-First Supply Chain Security](https://safeguard.sh/resources/blog/safeguard-v3-release-compliance-features): Safeguard v3 adds compliance framework mapping, automated evidence collection, audit-ready reporting, and VEX document s
- [SBOM Adoption in 2024: Enterprise Survey Results and Reality Check](https://safeguard.sh/resources/blog/sbom-adoption-rates-enterprise-survey-2024): Despite growing regulatory pressure, enterprise SBOM adoption remains uneven. A look at where organizations actually sta
- [GraphQL Supply Chain Security Considerations](https://safeguard.sh/resources/blog/graphql-supply-chain-security-considerations): Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk
- [Volt Typhoon: Living-Off-the-Land and Supply Chain](https://safeguard.sh/resources/blog/volt-typhoon-living-off-the-land-supply-chain): The PRC-linked pre-positioning group that scared DHS and the NSA into a public warning, and what it means for supply cha
- [GCP Binary Authorization Policy Patterns](https://safeguard.sh/resources/blog/gcp-binary-authorization-policy-patterns): Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, c
- [CUPS Vulnerability Chain: Remote Code Execution via Linux Printing](https://safeguard.sh/resources/blog/cups-linux-rce-vulnerability-chain): A chain of vulnerabilities in the CUPS printing system allows unauthenticated attackers to achieve remote code execution
- [AWS CDK Construct Library Security](https://safeguard.sh/resources/blog/aws-cdk-construct-library-security): CDK constructs are code that
provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here
- [Doppler Enterprise Secrets Platform Reviewed](https://safeguard.sh/resources/blog/doppler-enterprise-secrets-platform-review): Doppler pitches itself as the secrets platform that gets out of developers' way. A detailed look at what works, what doe
- [Open Source Foundation Governance Models](https://safeguard.sh/resources/blog/open-source-foundation-governance-models): The Linux Foundation, Apache Software Foundation, CNCF, and Eclipse each codify different theories of how open source pr
- [Witness Attestation Collection Workflow](https://safeguard.sh/resources/blog/witness-attestation-collection-workflow): Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it do
- [Ransomware-as-a-Service in 2024: The Ecosystem That Won't Die](https://safeguard.sh/resources/blog/ransomware-as-a-service-ecosystem-2024): The RaaS ecosystem proved resilient through 2024 despite major law enforcement takedowns, with new groups filling every
- [Fastify Security Posture in 2024](https://safeguard.sh/resources/blog/fastify-security-posture-2024): Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a securit
- [Kubernetes 1.30 and 1.31 Security Rundown](https://safeguard.sh/resources/blog/kubernetes-1-30-and-1-31-security-rundown): ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for c
- [RubyGems.org and Sigstore: Progress Check](https://safeguard.sh/resources/blog/rubygems-org-sigstore-integration-progress): An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, an
- [Cloud Workload Protection Platforms in 2024: What Actually Matters](https://safeguard.sh/resources/blog/cloud-workload-protection-platforms-2024): Cutting through the CWPP marketing
noise to identify the capabilities that genuinely protect cloud workloads from modern
- [Qilin Ransomware and the Chrome Credential Harvesting Gambit](https://safeguard.sh/resources/blog/qilin-ransomware-credential-harvesting-techniques): Qilin ransomware operators pioneered a mass credential theft technique using Group Policy to extract saved Chrome browse
- [Dagger.io Supply Chain Pipelines](https://safeguard.sh/resources/blog/dagger-io-supply-chain-pipelines): Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls fro
- [Database Platform Migration: Supply Chain](https://safeguard.sh/resources/blog/database-platform-migration-supply-chain): Database migrations touch every part of the software supply chain. This guide covers how to keep schemas, secrets, and d
- [GitGuardian vs TruffleHog: Secret Detection Showdown](https://safeguard.sh/resources/blog/gitguardian-vs-trufflehog-secret-detection): Compare GitGuardian and TruffleHog on detector coverage, validation, historical scans, developer workflow, and pricing t
- [Public-Sector Software Procurement Requirements](https://safeguard.sh/resources/blog/public-sector-software-procurement-requirements): A tour through the attestations, self-certifications, and supply chain obligations that now shape how governments buy so
- [PyPI Typosquatting Detection at Scale](https://safeguard.sh/resources/blog/pypi-typosquatting-detection-at-scale): Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ec
- [Kubernetes Service Mesh Policy Depth](https://safeguard.sh/resources/blog/kubernetes-service-mesh-policy-depth): Service meshes promise layered policy.
The promise is real, but the layers only help if you use them, and most deploymen
- [LastPass 2022-2023: A Retrospective at Depth](https://safeguard.sh/resources/blog/lastpass-2022-2023-retrospective-depth): A detailed walk through the two LastPass breaches of 2022 and their long 2023 tail, reconstructing how a developer lapto
- [Vulnerability Intelligence Platforms Compared for Supply Chain Security](https://safeguard.sh/resources/blog/vulnerability-intelligence-platform-comparison): Vulnerability intelligence platforms aggregate, enrich, and prioritize vulnerability data. This comparison examines how
- [INC Ransom: Inside the Group Targeting Healthcare Infrastructure](https://safeguard.sh/resources/blog/inc-ransom-group-healthcare-attacks): INC Ransom has made healthcare a primary target, exploiting the sector's unique vulnerabilities and urgency. A deep dive
- [How to Validate SLSA Provenance in CI](https://safeguard.sh/resources/blog/how-to-validate-slsa-provenance-in-ci): Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder
- [PCI DSS Meets SBOM Requirements](https://safeguard.sh/resources/blog/pci-dss-meets-sbom-requirements): PCI DSS v4.0.1 doesn't say the word SBOM, but its software inventory and vulnerability management requirements make one
- [Supply Chain IoC Catalog](https://safeguard.sh/resources/blog/supply-chain-indicator-of-compromise-catalog): A practical catalog of indicators of compromise for software supply chain attacks, with detection queries and false-posi
- [Ivanti Cloud Services Appliance CVE-2024-8963: Chained Exploitation](https://safeguard.sh/resources/blog/ivanti-csa-cve-2024-8963-exploitation): Ivanti's Cloud Services Appliance faced chained zero-day exploitation in September 2024, with attackers combining path t
- [Healthtech FDA Software Supply Chain Guidance](https://safeguard.sh/resources/blog/healthtech-fda-software-supply-chain-guidance): The FDA's cybersecurity
guidance has quietly turned into one of the most consequential supply chain regulations in US so
- [Rust Feature Flags: Supply Chain Implications](https://safeguard.sh/resources/blog/rust-feature-flags-supply-chain-implications): Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture.
- [GitLab Pipeline Execution Vulnerability CVE-2024-6678: Running Pipelines as Any User](https://safeguard.sh/resources/blog/gitlab-pipeline-execution-cve-2024-6678): CVE-2024-6678 allowed attackers to trigger GitLab CI/CD pipelines as arbitrary users, potentially accessing secrets and
- [FluxCD Security Model in Production](https://safeguard.sh/resources/blog/fluxcd-security-model-production): A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image autom
- [Jenkins + Maven Integration Security](https://safeguard.sh/resources/blog/jenkins-maven-integration-security): Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain inciden
- [Office Document Macro Security: The Attack Vector That Will Not Die](https://safeguard.sh/resources/blog/office-document-macro-security): Microsoft disabled macros by default in 2022. Attackers adapted. The macro threat has evolved, not disappeared.
- [Python Package Typosquatting in 2024: Scale, Tactics, and Defenses](https://safeguard.sh/resources/blog/python-package-typosquatting-2024-report): Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of
- [Datadog Security for Supply Chain Monitoring](https://safeguard.sh/resources/blog/datadog-security-supply-chain-monitoring): Using Datadog's Cloud SIEM, ASM, and logs pipeline to monitor software supply chain threats across CI/CD, registries, an
- [Cisco ASA Firepower Zero-Day Trends, 2024 Edition](https://safeguard.sh/resources/blog/cisco-asa-firepower-zero-day-trends-2024): Six zero-days against ASA and FTD in 2024, two tied to ArcaneDoor. We chart the trend, the CVSS distribution, and the pa
- [.NET Source Generator Security Risks](https://safeguard.sh/resources/blog/dotnet-source-generator-security-risks): Source generators are C# code that executes during compilation with developer privileges. The .NET equivalent of Rust's
- [Migrating to npm Granular Access Tokens](https://safeguard.sh/resources/blog/npm-granular-access-tokens-migration): Granular access tokens have been GA for over a year. Here is the migration playbook that has worked for me across four o
- [Cross-Platform App Supply Chain Risks You Cannot Ignore](https://safeguard.sh/resources/blog/cross-platform-app-supply-chain-risks): Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understandi
- [North Korean Threat Actors Flood npm with Malicious Packages](https://safeguard.sh/resources/blog/npm-malicious-packages-north-korea-2024): In 2024, DPRK-linked groups dramatically escalated their campaign to compromise developers through malicious npm package
- [PyPI Trusted Publishing: An Adoption Guide](https://safeguard.sh/resources/blog/pypi-trusted-publishing-adoption-guide): Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials.
A practical guide to adopti
- [Build Server Compromise Investigation](https://safeguard.sh/resources/blog/build-server-compromise-investigation): A hands-on investigation guide for compromised build servers, from initial containment through rootkit checks and clean
- [CCPA Meets Software Supply Chain](https://safeguard.sh/resources/blog/ccpa-meets-software-supply-chain): CCPA and CPRA are mostly about data rights, but the reasonable-security provisions and service-provider obligations reac
- [Labyrinth Chollima and Open Source Targeting](https://safeguard.sh/resources/blog/labyrinth-chollima-open-source-targeting): Labyrinth Chollima's operations show a specific pattern — poisoned open source packages as initial access. A profile of
- [Legacy COBOL Supply Chain Modernization: A Pragmatic Playbook](https://safeguard.sh/resources/blog/legacy-cobol-supply-chain-modernization): Modernize the supply chain around COBOL systems without rewriting them. Build provenance, SBOMs, and policy gates for ma
- [Please Build System Security Review](https://safeguard.sh/resources/blog/please-build-system-security-review): A hands-on security review of Please, the open-source Bazel-inspired build system, including sandbox behavior, BUILD rul
- [SLSA Builder Requirements in Production](https://safeguard.sh/resources/blog/slsa-builder-requirements-production): The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually m
- [A Framework for Security Patch Prioritization](https://safeguard.sh/resources/blog/security-patch-prioritization-framework): You cannot patch everything immediately.
Here is a risk-based framework for deciding which patches to apply first when y
- [UK NCSC Software Supply Chain Guidance Update](https://safeguard.sh/resources/blog/uk-ncsc-software-supply-chain-guidance-update): The UK NCSC expanded its supply chain guidance in 2023-2024, aligning with the Cyber Security and Resilience Bill and pu
- [Azure Bicep vs ARM: Security Comparison](https://safeguard.sh/resources/blog/azure-bicep-vs-arm-security-comparison): Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what
- [CyberArk Conjur for Enterprise Secrets Management](https://safeguard.sh/resources/blog/conjur-secrets-management-enterprise): Where Conjur fits in 2024 for enterprise secrets management, what it does well, where it hurts, and how to roll it out w
- [RubyGems Typosquatting Incidents: 2024](https://safeguard.sh/resources/blog/rubygems-typosquatting-incidents-2024): A running ledger of typosquat incidents on RubyGems.org through 2024, the patterns across them, and what the year's data
- [CRI-O vs containerd: Security Comparison](https://safeguard.sh/resources/blog/cri-o-vs-containerd-security-comparison): Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter fo
- [Rust Tokio Dependency Security Review](https://safeguard.sh/resources/blog/rust-tokio-dependency-security-review): Tokio is the async runtime underneath most production Rust.
A supply chain review of Tokio and the crates that orbit it
- [Static Analysis False-Positive Reduction](https://safeguard.sh/resources/blog/static-analysis-false-positive-reduction-techniques): A technique-by-technique tour of how modern static analyzers cut false positives, from CodeQL's path pruning to Infer's
- [SonicWall SSL VPN CVE-2024-40766: Ransomware's Favorite Front Door](https://safeguard.sh/resources/blog/sonicwall-sslvpn-cve-2024-40766): CVE-2024-40766 in SonicWall SonicOS became an immediate target for Akira and Fog ransomware groups, highlighting the ong
- [Zig's Memory Safety Model: A Security Analysis for Systems Programmers](https://safeguard.sh/resources/blog/zig-language-memory-safety-security): Zig offers memory safety features that C lacks but does not go as far as Rust. For security-critical code, understanding
- [Telemedicine Supply Chain Privacy and Security](https://safeguard.sh/resources/blog/telemedicine-supply-chain-privacy-security): Telehealth platforms depend on video SDKs, third-party transcription, and mobile frameworks. A regulatory walkthrough fo
- [Incident Response Playbook: Supply Chain Compromise](https://safeguard.sh/resources/blog/incident-response-playbook-supply-chain-compromise): A step-by-step playbook for responding to upstream dependency, build system, and vendor compromises, including roles, ti
- [Gradle Version Catalogs Security](https://safeguard.sh/resources/blog/gradle-version-catalogs-security): Gradle version catalogs centralise dependency versions in one file.
The security payoff is concrete: auditability, unifo
- [Spinnaker Deployment Security Patterns](https://safeguard.sh/resources/blog/spinnaker-deployment-security-patterns): Practical security patterns for Spinnaker deployments: account isolation, pipeline template governance, artifact binding
- [The GitHub Dependabot Token Incident: Retrospective](https://safeguard.sh/resources/blog/github-dependabot-token-incident-retrospective): In 2023, attackers used stolen GitHub personal access tokens to push malicious commits masquerading as Dependabot; a sho
- [New Relic Security: Building a Supply Chain View](https://safeguard.sh/resources/blog/new-relic-security-supply-chain-view): How to extend New Relic's APM and Vulnerability Management features into a working software supply chain dashboard for s
- [NuGet Package Vulnerabilities Dashboard](https://safeguard.sh/resources/blog/nuget-package-vulnerabilities-dashboard): Listing every CVE in your NuGet dependency tree is easy. Turning it into a dashboard someone can act on is the work. A p
- [Kubernetes 1.31 Security Improvements: What You Need to Know](https://safeguard.sh/resources/blog/kubernetes-1-31-security-improvements): Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refi
- [Deep Dive: Safeguard Container Scanning](https://safeguard.sh/resources/blog/safeguard-container-scanning-launch): Container images are supply chain artifacts. Safeguard's container scanning analyzes every layer -- base images, OS pack
- [Security Data Lake Architecture for Supply Chain Intelligence](https://safeguard.sh/resources/blog/security-data-lake-architecture): A security data lake aggregates SBOMs, vulnerability data, build provenance, and runtime signals into a queryable store.
- [Go Toolchain Distribution Security](https://safeguard.sh/resources/blog/go-toolchain-distribution-security): The Go toolchain directive can automatically download and run a different compiler version than the one your developers
- [SolarWinds Post-Incident Governance Changes Reviewed](https://safeguard.sh/resources/blog/solarwinds-post-incident-governance-changes): Four years after SUNBURST, SolarWinds has rebuilt its SDLC around signed pipelines, parallel builds, and a new CSO offic
- [SvelteKit Supply Chain Considerations](https://safeguard.sh/resources/blog/svelte-kit-supply-chain-considerations): SvelteKit's compiled-output philosophy gives it a smaller runtime footprint than React frameworks, but the build-time su
- [GitHub Actions Artifact Poisoning: A Growing Supply Chain Attack Vector](https://safeguard.sh/resources/blog/github-actions-artifact-poisoning): Researchers disclosed techniques to poison GitHub Actions artifacts, enabling code execution in CI/CD pipelines of downs
- [AWS Step Functions Workflow Security](https://safeguard.sh/resources/blog/aws-stepfunctions-workflow-security): Step Functions workflows orchestrate everything from data pipelines to security automations. The workflow IAM role is al
- [OSS Trademark Policies: Security Angle](https://safeguard.sh/resources/blog/oss-trademark-policies-security-considerations): Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail,
- [Compliance Automation Tools Compared: What Actually Reduces Audit Pain in 2024](https://safeguard.sh/resources/blog/compliance-automation-tools-comparison-2024): The compliance automation market is crowded with platforms promising to make audits painless.
Here is an honest comparis
- [Aviation RTCA DO-326A and the Software Supply Chain](https://safeguard.sh/resources/blog/aviation-rtca-do-326a-supply-chain): How DO-326A and DO-356A reframe airworthiness security around the supply chain, and what engineering teams must deliver
- [Rhysida Ransomware: Systematic Targeting of Government and Critical Infrastructure](https://safeguard.sh/resources/blog/rhysida-ransomware-government-targeting): Rhysida ransomware distinguished itself through deliberate targeting of government agencies, education institutions, and
- [AI Supply Chain Attacks: Emerging Threats in Model and Data Pipelines](https://safeguard.sh/resources/blog/ai-supply-chain-attacks-emerging-threats): As organizations adopt AI at scale, the AI/ML supply chain is becoming a new attack surface. From poisoned models to com
- [Safeguard v2: The Platform Grows Up](https://safeguard.sh/resources/blog/safeguard-v2-release-announcement): Safeguard v2 introduces container scanning, enhanced policy engine, team workspaces, and API v1.1 with webhook support.
- [Cosign Verification Policies in Production](https://safeguard.sh/resources/blog/cosign-verification-policies-production): Writing cosign verification policies that actually pass production deployment gates requires more precision than the exa
- [NuGet Private Feed Security Hardening](https://safeguard.sh/resources/blog/nuget-private-feed-security-hardening): Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure
- [Rancher Cluster Security Hardening](https://safeguard.sh/resources/blog/rancher-cluster-security-hardening): Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift.
Hardening it well is specific w
- [VMware ESXi Under Siege: Ransomware Campaigns Targeting Hypervisors in 2024](https://safeguard.sh/resources/blog/vmware-esxi-ransomware-campaigns-2024): Ransomware groups increasingly target VMware ESXi hypervisors to encrypt entire virtual environments at once. The 2024 c
- [Azure Container Registry Trust Model](https://safeguard.sh/resources/blog/azure-container-registry-trust-model): What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and w
- [Dependency Compromise Timeline Reconstruction](https://safeguard.sh/resources/blog/dependency-compromise-timeline-reconstruction): How to rebuild a precise timeline after a dependency has been compromised, using lockfile history, registry metadata, an
- [Monolith to Microservices: Supply Chain Changes](https://safeguard.sh/resources/blog/monolith-to-microservices-supply-chain-changes): What really happens to your software supply chain when you decompose a monolith into services, and how to avoid trading
- [CrowdStrike Falcon Global Outage: A Post-Mortem Deep Dive](https://safeguard.sh/resources/blog/crowdstrike-falcon-global-outage-deep-dive-2024): A technical reconstruction of the July 19 CrowdStrike Falcon sensor crash that grounded 8.5M Windows hosts, and what sup
- [Pydantic v2 Security Implications](https://safeguard.sh/resources/blog/pydantic-v2-security-implications): Pydantic v2 rewrote the core in Rust and changed validation semantics. Here is what that means for security-sensitive co
- [US DoD Zero Trust: Software Dimensions](https://safeguard.sh/resources/blog/us-dod-zero-trust-software-dimensions): Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually d
- [AWS ECR Image Signing in Production](https://safeguard.sh/resources/blog/aws-ecr-image-signing-production): Image signing in ECR has moved from nice-to-have to table stakes.
Here is what it actually takes to run cosign and AWS S
- [GDPR Meets CRA: Software Overlap](https://safeguard.sh/resources/blog/gdpr-meets-cra-software-overlap): GDPR Article 32 and the EU Cyber Resilience Act look like separate regimes, but for any software handling personal data
- [How to Build a VEX Document for Your Consumers](https://safeguard.sh/resources/blog/how-to-build-a-vex-document-for-consumers): A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product
- [Scattered Spider: Developer Targeting Patterns](https://safeguard.sh/resources/blog/scattered-spider-developer-targeting-patterns): The English-speaking social engineering crew behind MGM and Caesars keeps going after developers and help desks. Here's
- [SentinelOne Supply Chain Detection Logic for Build Systems](https://safeguard.sh/resources/blog/sentinel-one-supply-chain-detection-logic): How to extend SentinelOne's behavioral detection engine to cover build agents, package registries, and developer endpoin
- [Lessons from CrowdStrike: Rethinking How We Deploy Software Updates](https://safeguard.sh/resources/blog/crowdstrike-outage-lessons-software-updates): The CrowdStrike outage wasn't just an EDR problem. It exposed fundamental weaknesses in how the entire industry handles
- [GraalVM Native Image Supply Chain](https://safeguard.sh/resources/blog/graalvm-native-image-supply-chain): GraalVM native images change the supply chain story in ways that most SBOM tooling has not caught up with yet.
Here is w
- [CrowdStrike Falcon Update Triggers Global IT Outage: What Happened](https://safeguard.sh/resources/blog/crowdstrike-falcon-global-outage-july-2024): On July 19, 2024, a faulty CrowdStrike Falcon sensor update caused 8.5 million Windows machines to blue-screen worldwide
- [Dropbox 2022: The Supply Chain Angle](https://safeguard.sh/resources/blog/dropbox-incident-2022-supply-chain-angle): Dropbox's 2022 GitHub phishing incident began with a developer-targeted CircleCI lookalike campaign; the supply chain le
- [External Secrets Operator: A Kubernetes Guide](https://safeguard.sh/resources/blog/external-secrets-operator-kubernetes-guide): A senior engineer's walkthrough of External Secrets Operator, covering architecture, SecretStore design, rotation, and t
- [npm Token Rotation: An Enterprise Strategy](https://safeguard.sh/resources/blog/npm-token-rotation-enterprise-strategy): Rotating a few npm tokens is easy. Rotating a few thousand across a shared CI fleet is a project. A practical strategy t
- [Open Banking API Supply Chain Security](https://safeguard.sh/resources/blog/open-banking-api-supply-chain-security): Open banking depends on a tangle of SDKs, certificate authorities, and directory services.
What PSD2, the UK's Open Bank
- [Drone CI Security Considerations](https://safeguard.sh/resources/blog/drone-ci-security-considerations): A security-focused look at Drone CI: runner isolation, secret handling, plugin risks, and the differences between Drone
- [Fuzzing Open Source for Supply Chain Findings](https://safeguard.sh/resources/blog/fuzzing-open-source-for-supply-chain-findings): How modern coverage-guided fuzzing finds real vulnerabilities in open-source dependencies, and how to fold it into a sup
- [Safeguard Auto-Fix: Automated Vulnerability Remediation That Respects Your Codebase](https://safeguard.sh/resources/blog/safeguard-auto-fix-automated-remediation): Auto-Fix generates pull requests that update vulnerable dependencies with compatibility checks, test validation, and rol
- [rust crates.io Security Model Reviewed](https://safeguard.sh/resources/blog/rust-crates-io-security-model-review): A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in
- [GCP Workload Identity Federation: Supply Chain Uses](https://safeguard.sh/resources/blog/gcp-workload-identity-federation-supply-chain): How to use GCP Workload Identity Federation to eliminate long-lived service account keys from your supply chain: GitHub
- [Nix Reproducible Builds: A Supply Chain Case](https://safeguard.sh/resources/blog/nix-reproducible-builds-supply-chain-case): Practical supply chain lessons from running Nix and Nix flakes in production, including flake.lock handling, content-add
- [Mean Time to Remediation Benchmarks: How Fast Should You Be Patching?](https://safeguard.sh/resources/blog/mean-time-to-remediation-benchmarks): MTTR is the most important vulnerability management metric. But what is a good MTTR?
Industry benchmarks, realistic targ
- [ServiceNow CVE-2024-4879: Remote Code Execution via Jelly Template Injection](https://safeguard.sh/resources/blog/servicenow-cve-2024-4879-rce-exploitation): Critical RCE vulnerabilities in ServiceNow were chained together for unauthenticated access, with active exploitation ob
- [Securing ML Model Serving Infrastructure](https://safeguard.sh/resources/blog/ml-model-serving-infrastructure-security): Model serving infrastructure is a growing attack surface that most security teams overlook. From model poisoning to infe
- [Maintainer Burnout: Security Implications](https://safeguard.sh/resources/blog/maintainer-burnout-security-implications): Exhausted maintainers are not just a welfare problem. They are a security problem. Burnout is a precondition for social
- [Semgrep vs CodeQL: SAST Comparison](https://safeguard.sh/resources/blog/semgrep-vs-codeql-sast-comparison-2024): Compare Semgrep and CodeQL on rule authoring, language coverage, taint analysis, scan time, IDE integration, and pricing
- [Code Repository Security Hardening](https://safeguard.sh/resources/blog/code-repository-security-hardening): Your source code repository is the starting point of your entire supply chain. Hardening it against unauthorized access,
- [FastAPI Supply Chain Security: A Working Guide](https://safeguard.sh/resources/blog/fastapi-supply-chain-security-guide): FastAPI's dependency surface is deceptively large.
Here is how to lock it down in practice, covering Starlette, Pydantic
- [Go Checksum Verification Patterns](https://safeguard.sh/resources/blog/go-checksum-verification-patterns): go.sum and the Go checksum database are among the most rigorous integrity mechanisms in any language ecosystem, and the
- [bundler-audit Production Setup](https://safeguard.sh/resources/blog/bundler-audit-production-setup): A practical guide to running bundler-audit in production CI pipelines, including advisory database updates, exception ha
- [Safeguard SCA: Vulnerability Scanning Built for the Supply Chain](https://safeguard.sh/resources/blog/safeguard-sca-vulnerability-scanning): Safeguard SCA goes beyond basic CVE matching with multi-source intelligence, version-range precision, and exploitability
- [regreSSHion: CVE-2024-6387 OpenSSH Remote Code Execution](https://safeguard.sh/resources/blog/regresshion-openssh-cve-2024-6387): A regression in OpenSSH's signal handler reintroduced a vulnerability from 2006, enabling unauthenticated remote code ex
- [Azure Policy for Supply Chain Enforcement](https://safeguard.sh/resources/blog/azure-policy-supply-chain-enforcement): Azure Policy is the enforcement layer most Azure platforms underuse. A concrete, policy-by-policy guide to wiring it int
- [Retail POS Supply Chain Security](https://safeguard.sh/resources/blog/retail-pos-supply-chain-security): Practical controls and standards shaping point-of-sale software supply chains, from PCI DSS 4.0 to PA-DSS successors and
- [AWS Secrets Manager vs Parameter Store](https://safeguard.sh/resources/blog/aws-secrets-manager-vs-parameter-store-comparison): Two AWS services, overlapping features, and a pricing difference that adds up to real money. The decision framework for
- [Firecracker micro-VM Security Model](https://safeguard.sh/resources/blog/firecracker-micro-vm-security-model): AWS built Firecracker to run Lambda.
The security model is the entire value proposition, and it holds up under scrutiny.
- [in-toto Attestation Formats Reviewed](https://safeguard.sh/resources/blog/in-toto-attestation-formats-review): The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practic
- [ArgoCD GitOps Security Depth](https://safeguard.sh/resources/blog/argocd-gitops-security-depth): A deep look at ArgoCD security in production: RBAC models, repo credentials, ApplicationSet risks, and the CVEs that hav
- [Commercial OSS License Shifts: An Analysis](https://safeguard.sh/resources/blog/commercial-open-source-license-shift-analysis): From MongoDB to HashiCorp, commercial open source vendors have repeatedly relicensed away from OSI-approved licenses. Th
- [ISO 27001 Meets NIST CSF: Integration](https://safeguard.sh/resources/blog/iso-27001-meets-nist-csf-integration): Running an ISMS under ISO 27001:2022 while executives want NIST CSF 2.0 reporting? These frameworks integrate cleanly if
- [Microsoft Midnight Blizzard: Detailed Timeline](https://safeguard.sh/resources/blog/microsoft-midnight-blizzard-detailed-timeline): A reconstructed public timeline of Microsoft's Midnight Blizzard intrusion, from the initial password spray in November
- [Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands](https://safeguard.sh/resources/blog/polyfill-io-supply-chain-attack): A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CD
- [GN and Meson Build Systems: Security](https://safeguard.sh/resources/blog/gn-meson-build-system-security-comparison): A side-by-side security comparison of GN (Chromium) and Meson, covering declarative posture, wrap files, toolchain handl
- [NuGet Central Package Management Security](https://safeguard.sh/resources/blog/nuget-central-package-management-security): Central Package Management pulled NuGet's multi-project version chaos into a single
source of truth. The security implic
- [PyPI API Token Scopes: An Audit Guide](https://safeguard.sh/resources/blog/pypi-api-token-scopes-audit): PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem even
- [Malicious Package Quarantine Procedures](https://safeguard.sh/resources/blog/malicious-package-quarantine-procedures): How to quarantine a malicious package across your registries, caches, and running systems without breaking every develop
- [Migrating From Ansible to GitOps: A Supply Chain Perspective](https://safeguard.sh/resources/blog/migrating-off-ansible-to-gitops): Move from Ansible to GitOps with supply chain security intact. Pattern-by-pattern migration, trust boundary changes, and
- [npm Package Takeover: The Summer 2024 Wave](https://safeguard.sh/resources/blog/npm-package-takeover-summer-2024-wave): Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens.
We ma
- [Vulnerability Management at Enterprise Scale: What Actually Works](https://safeguard.sh/resources/blog/vulnerability-management-at-scale-enterprise): Managing vulnerabilities across thousands of applications and millions of dependencies requires fundamentally different
- [The Middle East Cybersecurity Landscape: Rapid Digitization Meets Rising Threats](https://safeguard.sh/resources/blog/middle-east-cybersecurity-landscape-2024): The Middle East is investing heavily in digital transformation, but the cybersecurity infrastructure is not keeping pace
- [Go Module Hijacking Detection](https://safeguard.sh/resources/blog/go-module-hijacking-detection): Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from w
- [Payment Processor Dependency Risks](https://safeguard.sh/resources/blog/payment-processor-dependency-risks): The libraries and services that sit between a merchant and the card networks carry concentrated risk. A practical look a
- [AWS CodePipeline Hardening Patterns](https://safeguard.sh/resources/blog/aws-codepipeline-hardening-patterns): CodePipeline is the glue between your source, build, and deploy. It is also the thing that gets the widest IAM role in m
- [Clop: Supply Chain Exploitation Tradecraft](https://safeguard.sh/resources/blog/clop-supply-chain-exploitation-tradecraft): Clop has turned supply chain exploitation into a repeatable playbook — MOVEit, GoAnywhere, Cleo. A look at the tradecraf
- [DevEx Meets DevSecOps: Why Developer Experience Determines Security Outcomes](https://safeguard.sh/resources/blog/devex-meets-devsecops-developer-experience): Security tools that developers hate get bypassed.
The organizations with the best security outcomes are the ones that tr
- [Safeguard IDE Extension: Supply Chain Intelligence in Your Editor](https://safeguard.sh/resources/blog/safeguard-ide-extension-launch): The Safeguard VS Code extension surfaces vulnerability data, dependency health, and policy violations directly in your e
- [Elastic Security Supply Chain Signals](https://safeguard.sh/resources/blog/elastic-security-supply-chain-signals): How to surface software supply chain threats in Elastic Security using EQL, detection rules, and the Elastic Common Sche
- [Bundler Lockfile Security Practices](https://safeguard.sh/resources/blog/bundler-lockfile-security-practices): How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in
- [npm Workspaces Security Considerations](https://safeguard.sh/resources/blog/npm-workspaces-security-considerations): Workspaces are fantastic for developer experience and hostile to naive security tooling. Here is what actually changes w
- [Gramm-Leach-Bliley Software Security Update](https://safeguard.sh/resources/blog/gramm-leach-bliley-software-security-update-2024): The FTC Safeguards Rule amendments effective May 13, 2024 expand breach-notification and software supply chain expectati
- [Gradle Build Cache Security Hardening](https://safeguard.sh/resources/blog/gradle-build-cache-security-hardening): The Gradle build cache is a performance feature with supply chain consequences.
Here is how to configure it so cache poi
- [How to Sign Container Images With Cosign: A Complete Guide](https://safeguard.sh/resources/blog/how-to-sign-container-images-with-cosign-guide): A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing
- [Snowflake Customer Data Breaches: 165 Organizations Hit by Credential Theft Campaign](https://safeguard.sh/resources/blog/snowflake-customer-data-breaches): Attackers used stolen credentials from infostealer malware to access Snowflake customer accounts without MFA, compromisi
- [GCP Secret Manager Rotation Strategy](https://safeguard.sh/resources/blog/gcp-secret-manager-rotation-strategy): A workable rotation strategy for GCP Secret Manager: how to structure secret versions, schedule rotation, coordinate con
- [Rust Edition Migration Security Notes](https://safeguard.sh/resources/blog/rust-edition-migration-security-notes): Field notes from migrating a production workspace from Rust 2018 to 2021, and what to watch for when 2024 lands in editi
- [Security Team Scaling Strategies: Growing Without Burning Out](https://safeguard.sh/resources/blog/security-team-scaling-strategies): Your security team is probably understaffed. Here is how to scale security coverage without proportionally scaling headc
- [Tauri Desktop App Security Model: What Developers Need to Know](https://safeguard.sh/resources/blog/tauri-desktop-app-security-model): Tauri offers a fundamentally different security model than Electron for desktop applications.
Understanding its permissi
- [OpenAI Internal Breach: What the 2023 Forum Hack Reveals About AI Company Security](https://safeguard.sh/resources/blog/openai-internal-breach-2024): Reports emerged that a hacker accessed OpenAI's internal messaging systems in early 2023, raising questions about AI com
- [Next.js Supply Chain Security Hardening](https://safeguard.sh/resources/blog/nextjs-supply-chain-security-hardening-2024): Next.js pulls hundreds of transitive dependencies into production bundles, and the middleware auth bypass of March 2025
- [Safeguard CLI: Supply Chain Security Without Leaving Your Terminal](https://safeguard.sh/resources/blog/safeguard-cli-tool-developer-workflow): The Safeguard CLI brings SBOM generation, vulnerability scanning, policy checks, and supply chain queries directly into
- [Infisical: An Open-Source Secrets Platform Review](https://safeguard.sh/resources/blog/infisical-open-source-secrets-platform): A senior engineer's assessment of Infisical as a self-hostable secrets platform, covering architecture, operational post
- [Insurance Industry Software Supply Chain](https://safeguard.sh/resources/blog/insurance-industry-software-supply-chain): Insurers underwrite cyber risk while running on the same fragile dependency graphs as everyone else. A look at the indus
- [Vite Build Tool Security Considerations](https://safeguard.sh/resources/blog/vite-build-tool-security-considerations): Vite has become the default build tool for a generation of JavaScript frameworks.
Its plugin model, dev server, and depe
- [Harness.io Supply Chain Security Reviewed](https://safeguard.sh/resources/blog/harness-io-supply-chain-security-review): A security review of the Harness.io platform covering SSCA, CI/CD governance, STO integration, and the practical configu
- [Maven Central Changes in 2024 and Their Security Impact](https://safeguard.sh/resources/blog/maven-central-changes-2024-security-impact): Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what ch
- [Rails Application Template Security](https://safeguard.sh/resources/blog/rails-application-template-security): Rails application templates are powerful and dangerous: how they execute, what they can touch, and how to use them safel
- [Symbolic Execution for Dependency Analysis](https://safeguard.sh/resources/blog/symbolic-execution-for-dependency-analysis): Symbolic execution explores program paths without concrete inputs. For supply-chain work, it answers reachability questi
- [Check Point VPN Zero-Day CVE-2024-24919: Information Disclosure Under Active Exploitation](https://safeguard.sh/resources/blog/check-point-vpn-cve-2024-24919-zero-day): A critical information disclosure vulnerability in Check Point VPN products allowed attackers to read sensitive files in
- [Cisco Duo Incident: Supply Chain Depth](https://safeguard.sh/resources/blog/cisco-duo-incident-supply-chain-depth): Cisco Duo's 2024 disclosure about a telephony provider breach exposed SMS and voice MFA logs; the supply chain depth of
- [GCP Cloud Build Hardening in Production](https://safeguard.sh/resources/blog/gcp-cloud-build-hardening-production): Lessons from hardening Cloud Build pipelines in production environments: private pools, least-privilege service accounts
- [OSS Contributor License Agreements Reviewed](https://safeguard.sh/resources/blog/oss-contributor-license-agreements-review): CLAs, DCOs, and the subtle differences between Apache ICLAs, Google
corporate CLAs, and Eclipse ECAs shape what contribu
- [Message Queue Security: Hardening Kafka, RabbitMQ, and Event Brokers](https://safeguard.sh/resources/blog/message-queue-security-kafka-rabbitmq): Message queues are the nervous system of modern architectures. A compromised broker can intercept, modify, or inject mes
- [Go Workspaces Supply Chain Risks](https://safeguard.sh/resources/blog/go-workspaces-supply-chain-risks): Go workspaces make multi-module development feel natural, but the go.work file introduces a new trust boundary that can
- [PyPI Package Yanking Policies Analyzed](https://safeguard.sh/resources/blog/pypi-package-yanking-policies-analysis): Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, wh
- [Sumo Logic for Supply Chain Observability: A Practitioner's Guide](https://safeguard.sh/resources/blog/sumo-logic-supply-chain-observability): Architect Sumo Logic dashboards, queries, and anomaly detection for software supply chain visibility across SCM, CI/CD,
- [FastAPI Security Best Practices](https://safeguard.sh/resources/blog/fastapi-security-best-practices): Securing FastAPI applications with Pydantic validation, OAuth2 integration, and dependency injection patterns.
- [How to Measure Dependency Freshness in CI](https://safeguard.sh/resources/blog/how-to-measure-dependency-freshness-in-ci): A practical CI tutorial for measuring dependency freshness, setting SLOs for version drift, and failing builds when pack
- [SOX IT Controls Meet Software Controls](https://safeguard.sh/resources/blog/sox-it-controls-meets-software-controls): Sarbanes-Oxley IT general controls predate modern software delivery.
Here's how change management, access, and segregati
- [Utilities Sector NERC CIP Software Supply Chain](https://safeguard.sh/resources/blog/utilities-sector-nerc-cip-software-supply-chain): NERC CIP-013 turned software supply chain into a regulated obligation for the bulk electric system. A practical look at
- [Deepfakes and Social Engineering: The Human Layer of Supply Chain Attacks](https://safeguard.sh/resources/blog/deepfake-social-engineering-supply-chain): AI-generated deepfakes are making social engineering attacks against software supply chains more convincing and harder t
- [SBOM Visualization Tools Compared: Making Dependency Data Actionable](https://safeguard.sh/resources/blog/sbom-visualization-tools-comparison): An SBOM in JSON or XML format is data. A visualization turns that data into insight. This comparison examines how differ
- [GitHub Enterprise Server CVE-2024-4985: SAML Authentication Bypass](https://safeguard.sh/resources/blog/github-enterprise-server-cve-2024-4985): A critical authentication bypass in GitHub Enterprise Server allowed attackers to forge SAML responses and gain administ
- [Azure Key Vault Rotation Patterns](https://safeguard.sh/resources/blog/azure-key-vault-rotation-patterns): Rotation is the Key Vault feature most teams nominally have and few actually operate.
A walk through the patterns that w
- [.NET Supply Chain Audit Patterns](https://safeguard.sh/resources/blog/dotnet-supply-chain-audit-patterns): Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find
- [Migrating SBOM Tooling Providers](https://safeguard.sh/resources/blog/migrating-sbom-tooling-provider-migration): A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, o
- [Pants Build Tool Security Posture](https://safeguard.sh/resources/blog/pants-build-tool-security-posture): A practitioner's view of the Pants build system's security properties, covering sandboxing, third-party resolution, and
- [Managing Python Package Namespace Conflicts](https://safeguard.sh/resources/blog/python-package-namespace-conflicts-management): Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order int
- [Rust no_std Supply Chain Considerations](https://safeguard.sh/resources/blog/rust-no-std-supply-chain-considerations): Writing Rust for embedded or kernel targets drops you into no_std territory, and the supply chain rules are different th
- [SLSA for Go Releases: A Practical Guide](https://safeguard.sh/resources/blog/slsa-for-go-releases-practical-guide): Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing an
- [Griffin AI: Your Autonomous Supply Chain Security Analyst](https://safeguard.sh/resources/blog/safeguard-griffin-ai-autonomous-security): Griffin is Safeguard's AI assistant that answers natural-language questions about your software supply chain, correlates
- [SBOM for EdTech Platforms: Protecting Student Data Through Supply Chain Transparency](https://safeguard.sh/resources/blog/sbom-for-edtech-platforms): EdTech platforms handle some of the most sensitive data — children's information.
FERPA, COPPA, and state student privac
- [The OSS Pledge: Adoption Tracking at Six Months](https://safeguard.sh/resources/blog/oss-pledge-adoption-tracking-2024): Six months after the OSS Pledge launch, adoption is climbing but uneven. Who signed, who followed through with funding,
- [containerd Security Configuration Guide](https://safeguard.sh/resources/blog/containerd-security-configuration-guide): containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to cl
- [Kotlin Multiplatform Supply Chain Risks](https://safeguard.sh/resources/blog/kotlin-multiplatform-supply-chain-risks): Kotlin Multiplatform ships one codebase to JVM, iOS, Android, JS, and native targets. The supply chain surface expands i
- [Disaster Recovery for Supply Chain Security Incidents](https://safeguard.sh/resources/blog/disaster-recovery-supply-chain-incidents): When a critical dependency is compromised, your disaster recovery plan determines whether you recover in hours or weeks.
- [False Positive Rates in Container Scanning: Why Your Scanner Lies to You](https://safeguard.sh/resources/blog/false-positive-rates-container-scanning): Container scanners produce mountains of findings. A significant percentage are false positives. Here is how to measure a
- [Executive Order 14028, Three Years Later: Progress, Gaps, and What Comes Next](https://safeguard.sh/resources/blog/eo-14028-three-years-later-progress-report): Three years after the landmark cybersecurity executive order, SBOM adoption is growing but uneven, secure development at
- [CNCF Project Security Audits: What They Find and Why They Matter](https://safeguard.sh/resources/blog/cncf-project-security-audits): The Cloud Native Computing Foundation funds independent security audits for its projects.
The findings reveal patterns t
- [Dell Data Breach Exposes 49 Million Customer Records via API Abuse](https://safeguard.sh/resources/blog/dell-49-million-customer-records): In May 2024, Dell Technologies disclosed a breach exposing 49 million customer records after a threat actor exploited a
- [APT29 Cozy Bear: Supply Chain Tradecraft](https://safeguard.sh/resources/blog/apt29-cozy-bear-supply-chain-tradecraft): How Russia's SVR-linked APT29 quietly industrialized supply chain compromise from SolarWinds to TeamCity and JetBrains t
- [AWS CodeBuild Supply Chain Hardening Guide](https://safeguard.sh/resources/blog/aws-codebuild-supply-chain-hardening-guide): CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide bui
- [Quantifying Digital Supply Chain Risk](https://safeguard.sh/resources/blog/digital-supply-chain-risk-quantification): Security teams struggle to express supply chain risk in business terms. This guide covers frameworks and methods for qua
- [Homebrew Cask Security Verification: What Gets Checked Before Installation](https://safeguard.sh/resources/blog/homebrew-cask-security-verification): Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what do
- [Maven Plugin Verification: Securing Your Java Build Pipeline](https://safeguard.sh/resources/blog/maven-plugin-verification-guide): Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not bee
- [Next.js Security Hardening Guide](https://safeguard.sh/resources/blog/nextjs-security-hardening-guide): Harden your Next.js application with secure headers, API route protection, and server component safety practices.
- [Third-Party Risk Management for Software Vendors](https://safeguard.sh/resources/blog/third-party-risk-management-software-vendors-program): A practical TPRM program for software vendors covering intake, tiering, annual review, SBOM ingestion, and continuous mo
- [Developer Workstation Forensics for Supply Chain](https://safeguard.sh/resources/blog/developer-workstation-forensics-supply-chain): Forensic procedures for a developer workstation that may have executed a malicious package, from live triage through ful
- [Open Source AI Model Security: The Emerging Threat Landscape](https://safeguard.sh/resources/blog/open-source-ai-model-security-landscape): As open source AI models proliferate, their security implications extend far beyond traditional software vulnerabilities
- [GraphQL Injection Prevention: Securing Your API Layer](https://safeguard.sh/resources/blog/graphql-injection-prevention): GraphQL's flexible query language introduces injection risks that differ fundamentally from REST APIs. Preventing GraphQ
- [SAST Tool Accuracy Benchmarks 2024: What the Data Actually Shows](https://safeguard.sh/resources/blog/sast-tool-accuracy-benchmarks-2024): Static Application Security Testing tools vary dramatically in accuracy. We analyze detection rates, false positive rate
- [Safeguard Open Source Manager: Understanding the Health of Your Dependencies](https://safeguard.sh/resources/blog/safeguard-open-source-manager-launch): Vulnerability counts do not tell the full story. Open Source Manager evaluates the health, maintainability, and trustwor
- [AWS AppConfig Dynamic Config Security](https://safeguard.sh/resources/blog/aws-appconfig-dynamic-config-security): AppConfig ships configuration changes to running applications in seconds.
That makes it a powerful tool and a compelling
- [Spring Dependency Management Supply Chain](https://safeguard.sh/resources/blog/spring-dependency-management-supply-chain): Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth u
- [Chronicle Security Supply Chain Queries](https://safeguard.sh/resources/blog/chronicle-security-supply-chain-queries): Writing YARA-L detection rules and UDM queries in Google Chronicle (now Security Operations) to catch software supply ch
- [Critical Infrastructure Software Supply Chain](https://safeguard.sh/resources/blog/critical-infrastructure-software-supply-chain): How the 16 critical infrastructure sectors are absorbing software supply chain obligations under PPD-21, NSM-22, and CIS
- [Twilio 2022 Incidents: Supply Chain Lessons](https://safeguard.sh/resources/blog/twilio-2022-incidents-supply-chain-lessons): Twilio disclosed two social engineering incidents in 2022 that cascaded through its customer base; the supply chain less
- [Coordinated Vulnerability Disclosure: A Complete Guide](https://safeguard.sh/resources/blog/coordinated-vulnerability-disclosure-guide): Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that wor
- [EU NIS2 Directive: What Software Supply Chain Teams Need to Know](https://safeguard.sh/resources/blog/eu-nis2-directive-software-supply-chain): The NIS2 Directive imposes new cybersecurity obligations across the EU, with specific requirements for supply chain risk
- [Medical Device SBOM Requirements in Practice](https://safeguard.sh/resources/blog/medical-device-sbom-requirements-practical): SBOMs for medical devices look straightforward on paper and get complicated fast in the real world.
A field report on wh
- [npm Registry Authentication Deep Dive](https://safeguard.sh/resources/blog/npm-registry-authentication-deep-dive): The npm registry supports four distinct authentication flows. Most teams use one, badly. A tour of how auth actually wor
- [Corporate OSS Contribution Policies](https://safeguard.sh/resources/blog/corporate-oss-contribution-policies): Google, Microsoft, Red Hat, and a long tail of smaller companies have built contribution policies that shape how their e
- [1Password Secrets Automation in CI](https://safeguard.sh/resources/blog/one-password-secrets-automation-ci): 1Password has quietly become a credible secrets backend for CI/CD. A walkthrough of Connect, Service Accounts, and the C
- [PyPI Supply Chain Attacks: Q1 2024 Roundup](https://safeguard.sh/resources/blog/pypi-supply-chain-attacks-q1-2024): Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked
- [Taint Analysis for Zero-Day Discovery: A Primer](https://safeguard.sh/resources/blog/taint-analysis-for-zero-day-discovery-primer): A practitioner's walk-through of taint analysis as a zero-day discovery technique, from classic Livshits and Lam foundat
- [Azure DevOps YAML Pipeline Hardening](https://safeguard.sh/resources/blog/azure-devops-yaml-pipeline-hardening): A practical, line-by-line walk through hardening Azure DevOps YAML pipelines — template injection, task version pinning,
- [Container Security Scanning in 2024: Benchmarks, Tools, and What Actually Matters](https://safeguard.sh/resources/blog/container-security-scanning-benchmarks-2024): Container image scanning tools vary widely in detection rates, false positive rates, and coverage.
Here is a practical a
- [Conti Ransomware Supply Chain Patterns](https://safeguard.sh/resources/blog/conti-ransomware-supply-chain-patterns): Before Conti splintered in 2022, its affiliates turned MSPs, RMM tools, and identity infrastructure into repeatable supp
- [Palo Alto GlobalProtect Zero-Day: Response Timeline](https://safeguard.sh/resources/blog/palo-alto-globalprotect-zero-day-response-2024): CVE-2024-3400 hit GlobalProtect with pre-auth RCE and ongoing exploitation. Here is the response timeline, the UPSTYLE t
- [PyPI Package Namespace Governance](https://safeguard.sh/resources/blog/pypi-package-namespace-governance): PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the te
- [RubyGems 2FA Enforcement Analysis](https://safeguard.sh/resources/blog/rubygems-2fa-enforcement-analysis): A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps
- [Sigstore Rekor Transparency Log Operations](https://safeguard.sh/resources/blog/sigstore-rekor-transparency-log-operations): Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams real
- [Black Basta Ransomware: Techniques and Tactics in 2024](https://safeguard.sh/resources/blog/black-basta-ransomware-techniques-2024): Black Basta evolved from a Conti offshoot into one of the most technically advanced ransomware operations, using novel i
- [Insurance Industry Software Risk Assessment and Supply Chain Security](https://safeguard.sh/resources/blog/insurance-industry-software-risk-assessment): Insurers manage massive amounts of sensitive data through complex software systems.
Here's how the insurance industry sh
- [UK Product Security and Telecommunications Infrastructure Act: Software Implications](https://safeguard.sh/resources/blog/uk-product-security-telecommunications-act): The UK's PSTI Act bans default passwords and mandates vulnerability disclosure. Here's what it means for software embedd
- [Penetration Testing CI/CD Pipelines](https://safeguard.sh/resources/blog/penetration-testing-ci-cd-pipelines): Your CI/CD pipeline is a high-value target. Here's how to pen test build systems, artifact repositories, and deployment
- [GCP Cloud Functions Supply Chain Risks](https://safeguard.sh/resources/blog/gcp-cloud-functions-supply-chain-risks): The supply-chain risks unique to GCP Cloud Functions: dependency resolution at deploy time, buildpack trust, runtime ide
- [Migrating Jenkins to GitHub Actions: Security](https://safeguard.sh/resources/blog/migrating-from-jenkins-to-github-actions-security): A case study in moving a sprawling Jenkins estate to GitHub Actions without losing supply chain visibility, artifact int
- [Supply Chain Incident Forensics Playbook](https://safeguard.sh/resources/blog/supply-chain-incident-forensics-playbook): A practical, hour-by-hour forensics playbook for responding to software supply chain incidents, from first alert through
- [AWS Lambda Supply Chain Risks You Are Probably Ignoring](https://safeguard.sh/resources/blog/aws-lambda-supply-chain-risks): Serverless does not mean secure. Here are the supply chain risks hiding in your Lambda functions and how to address them
- [Managing Third-Party Software Risk With Safeguard TPRM](https://safeguard.sh/resources/blog/safeguard-tprm-third-party-risk): Your vendors' software is your risk.
Safeguard TPRM gives you continuous visibility into the supply chain security postu
- [Sisense Data Breach: When Your Analytics Platform Becomes the Threat](https://safeguard.sh/resources/blog/sisense-breach-cisa-advisory): CISA issued a rare advisory urging Sisense customers to reset credentials after attackers compromised the business intel
- [SPDX 3.0: What Changed and Why It Matters](https://safeguard.sh/resources/blog/spdx-3-0-specification-what-changed): SPDX 3.0 is a major overhaul of the ISO-standard SBOM format. Here is a practical breakdown of the new profile system, l
- [Privacy Engineering in Software Supply Chains](https://safeguard.sh/resources/blog/privacy-engineering-supply-chains): Privacy by design cannot stop at your own code. Every dependency, every third-party service, every SDK in your supply ch
- [Australia's Essential Eight and Software Supply Chain](https://safeguard.sh/resources/blog/australia-essential-eight-supply-chain): The ACSC's November 2023 Essential Eight update tightened patching, application control, and software inventory expectat
- [Roku Credential Stuffing Attacks Compromise 576,000 Accounts](https://safeguard.sh/resources/blog/roku-576000-accounts-credential-stuffing): In April 2024, Roku disclosed that two separate credential stuffing campaigns had compromised approximately 576,000 cust
- [Go Dependency Visualization for Security](https://safeguard.sh/resources/blog/go-dependency-visualization-for-security): The Go module graph is comparatively small, which makes it one of the few ecosystems where visualizing dependencies is a
- [BuildKit Cache Security Considerations for Container Builds](https://safeguard.sh/resources/blog/buildkit-cache-security-considerations): BuildKit's caching is what makes container builds fast.
It is also a potential vector for cache poisoning attacks if not
- [Envoy Proxy Security Hardening for Production Deployments](https://safeguard.sh/resources/blog/envoy-proxy-security-hardening): Envoy powers service meshes and API gateways across the industry. Its default configuration prioritizes connectivity ove
- [IoT Firmware SBOMs: From Nice-to-Have to Regulatory Requirement](https://safeguard.sh/resources/blog/iot-firmware-sbom-requirements): Government mandates and industry standards are making SBOMs mandatory for IoT firmware. Here's what manufacturers need t
- [Palo Alto PAN-OS Zero-Day CVE-2024-3400: Command Injection in GlobalProtect](https://safeguard.sh/resources/blog/palo-alto-pan-os-cve-2024-3400-zero-day): A critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect feature was exploited as a zero-da
- [Open-Source Contribution Security Guide](https://safeguard.sh/resources/blog/open-source-contribution-security-guide): How to contribute to open-source projects without introducing security vulnerabilities, and how to evaluate the security
- [Django Security Best Practices, 2024 Edition](https://safeguard.sh/resources/blog/django-security-best-practices-2024-edition): From SECRET_KEY hygiene to middleware ordering, the Django security checklist worth actually following in 2024, grounded
- [Compliance Dashboard Design Patterns for Supply Chain Security](https://safeguard.sh/resources/blog/compliance-dashboard-design-patterns): Compliance dashboards translate complex supply chain data into actionable views for auditors, executives, and engineerin
- [CISA's Secure by Design Pledge: Voluntary Commitments with Real Teeth](https://safeguard.sh/resources/blog/cisa-secure-by-design-pledge): CISA launched a voluntary pledge asking software manufacturers to commit to specific security improvements.
Over 100 com
- [Bazel Hermetic Builds: Supply Chain Benefits](https://safeguard.sh/resources/blog/bazel-hermetic-builds-supply-chain-benefits): How Bazel's hermeticity model reduces supply chain risk, with concrete WORKSPACE and MODULE.bazel examples from real mig
- [HIPAA Meets HITRUST: Supply Chain Depth](https://safeguard.sh/resources/blog/hipaa-meets-hitrust-supply-chain-depth): HIPAA's Security Rule is thin on supply chain specifics. HITRUST CSF fills the gap with prescriptive third-party and sof
- [Kubernetes Network Policies: The Supply Chain Angle](https://safeguard.sh/resources/blog/kubernetes-network-policies-supply-chain-angle): Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised d
- [PowerShell Module Supply Chain Security](https://safeguard.sh/resources/blog/powershell-module-supply-chain-security): PowerShell modules are a supply chain people forget exists, and the trust model is weaker than NuGet's. Here is why that
- [How Often Should You Scan for Vulnerabilities?](https://safeguard.sh/resources/blog/vulnerability-scanning-frequency-guide): Finding the right vulnerability scanning frequency for your organization. Too often wastes resources, too rarely leaves
- [WebSocket Security in Modern Applications](https://safeguard.sh/resources/blog/websocket-security-modern-applications): WebSockets enable real-time communication but introduce attack surfaces that traditional HTTP security controls miss ent
- [AI Model Poisoning: Detection Techniques for the Software Supply Chain](https://safeguard.sh/resources/blog/ai-model-poisoning-detection-techniques): Poisoned AI models are a supply chain threat that traditional security tools can't detect.
Here are the emerging techniq
- [Kubernetes Secrets Management: Vault, Sealed Secrets, SOPS, and External Secrets Compared](https://safeguard.sh/resources/blog/kubernetes-secrets-management-comparison): Kubernetes Secrets are base64-encoded, not encrypted. That is the start of the problem. Here is a no-nonsense comparison
- [Latin America's Evolving Cybersecurity Regulations and Supply Chain Implications](https://safeguard.sh/resources/blog/latin-america-cybersecurity-regulations): From Brazil's LGPD to Mexico's cybersecurity reforms, Latin America is building a regulatory framework that will reshape
- [cargo audit vs cargo deny](https://safeguard.sh/resources/blog/cargo-audit-vs-cargo-deny-comparison): A practical head-to-head between cargo-audit 0.21 and cargo-deny 0.16 based on six months of running both in production
- [XZ Utils Backdoor: Technical Breakdown](https://safeguard.sh/resources/blog/xz-utils-backdoor-technical-breakdown): The xz-utils backdoor (CVE-2024-3094) nearly compromised SSH on every modern Linux distro. Here is how the implant worke
- [Prototype Pollution in JavaScript: Prevention Guide](https://safeguard.sh/resources/blog/prototype-pollution-javascript-prevention): Prototype pollution lets attackers modify the behavior of all JavaScript objects by injecting properties into Object.pro
- [Threat Intelligence Feeds for Supply Chain Security](https://safeguard.sh/resources/blog/threat-intelligence-feeds-supply-chain): Supply chain threat intelligence goes beyond CVE databases.
Specialized feeds track malicious packages, compromised main
- [After XZ Utils: Rethinking Trust in Open Source Software](https://safeguard.sh/resources/blog/xz-utils-lessons-for-open-source-trust): The XZ Utils backdoor forced the industry to confront uncomfortable questions about maintainer trust, funding, and the s
- [Enterprise SCA Tool Evaluation Framework](https://safeguard.sh/resources/blog/enterprise-sca-tool-evaluation-framework): Choosing a software composition analysis tool for the enterprise? Here's a structured evaluation framework covering what
- [Mend vs Black Duck: Functional Comparison](https://safeguard.sh/resources/blog/mend-vs-black-duck-functional-comparison-2024): Compare Mend (formerly WhiteSource) and Black Duck on SBOM export, license policy, detection sources, deployment model,
- [Jenkins Pipeline Supply Chain Security](https://safeguard.sh/resources/blog/jenkins-pipeline-supply-chain-security): How Jenkins pipelines end up as supply chain attack vectors, covering Groovy sandbox risks, plugin CVEs, credential bind
- [Forking Security: What Happens When Open Source Projects Diverge](https://safeguard.sh/resources/blog/forking-security-when-projects-diverge): When an open source project forks, the security implications cascade through every downstream consumer. Understanding fo
- [Safeguard Portal: Giving Your Customers a Window Into Your Supply Chain](https://safeguard.sh/resources/blog/safeguard-portal-customer-transparency): The Safeguard Portal lets you share SBOM data, vulnerability status, and compliance documentation with customers through
- [How One Engineer's Curiosity Saved Linux: The XZ Utils Backdoor Discovery Story](https://safeguard.sh/resources/blog/xz-utils-backdoor-how-it-was-discovered): Andres Freund noticed SSH was 500ms slower than expected.
That observation prevented the most dangerous supply chain att
- [PCI DSS 4.0 Software Security Requirements](https://safeguard.sh/resources/blog/pci-dss-4-0-software-security-requirements): PCI DSS 4.0 became mandatory on March 31, 2024, overhauling software security, SBOM visibility, and supply chain control
- [AT&T Data Breach: 73 Million Customer Records Surface on the Dark Web](https://safeguard.sh/resources/blog/att-73-million-records-dark-web): In March 2024, AT&T confirmed that a dataset containing personal information of approximately 73 million current and for
- [XZ Utils Backdoor (CVE-2024-3094): The Most Sophisticated Supply Chain Attack Ever Discovered](https://safeguard.sh/resources/blog/xz-utils-backdoor-cve-2024-3094-analysis): A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux di
- [Go Proxy and Private Module Security](https://safeguard.sh/resources/blog/go-proxy-private-module-security): Mixing public and private modules through a Go proxy is where most teams get their configuration wrong, and the mistakes
- [Ninja Build Supply Chain Considerations](https://safeguard.sh/resources/blog/ninja-build-supply-chain-considerations): Ninja is a low-level build tool, not a package manager.
That framing matters for understanding its supply chain properti
- [Splunk Supply Chain Detection Content Pack](https://safeguard.sh/resources/blog/splunk-supply-chain-detection-content-pack): A practical look at building a Splunk content pack for software supply chain threats, with SPL searches for CI/CD anomal
- [GCP Cloud Run Supply Chain Security](https://safeguard.sh/resources/blog/gcp-cloud-run-supply-chain-security): A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authoriz
- [GitHub Advanced Security vs Alternatives, Early 2024](https://safeguard.sh/resources/blog/github-advanced-security-vs-alternatives-2024): GitHub Advanced Security anchors many AppSec programs in 2024, but Snyk, Semgrep, Endor, and others are credible alterna
- [Maven Enforcer Plugin Security Rules](https://safeguard.sh/resources/blog/maven-enforcer-plugin-security-rules): Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that bloc
- [SLSA Build L1 to L3 Migration Playbook](https://safeguard.sh/resources/blog/slsa-build-l1-to-l3-migration-playbook): Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps.
Here is the playbook we u
- [Dependency Firewalls: Concept, Architecture, and Implementation](https://safeguard.sh/resources/blog/dependency-firewall-concept-implementation): A dependency firewall sits between your build system and public registries, filtering packages based on security policie
- [Defense Industrial Base Supply Chain and CMMC](https://safeguard.sh/resources/blog/defense-industrial-base-supply-chain-cmmc): How the Defense Industrial Base is adapting its software supply chain to CMMC 2.0, NIST SP 800-171, and DFARS flow-down
- [NestJS Enterprise Security Guide](https://safeguard.sh/resources/blog/nest-js-enterprise-security-guide): NestJS dominates the enterprise Node.js space because of its Angular-style decorators, dependency injection, and opinion
- [Post-Quantum Cryptography Transition: A Practical Guide for Engineering Teams](https://safeguard.sh/resources/blog/post-quantum-cryptography-transition-guide): NIST has finalized its post-quantum standards. Here's a hands-on guide for engineering teams beginning the migration fro
- [Wolfi OS: The Linux Distribution Built for Secure Containers](https://safeguard.sh/resources/blog/wolfi-os-container-base-image-security): Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date package
- [npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain](https://safeguard.sh/resources/blog/npm-lifecycle-scripts-security-risks): npm lifecycle scripts execute arbitrary code during package installation.
This design choice creates one of the largest
- [Rust Build Scripts: A Supply Chain Risk Profile](https://safeguard.sh/resources/blog/rust-supply-chain-build-scripts-risk): Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 inc
- [Prisma Cloud Container Security: Palo Alto's Cloud Native Play](https://safeguard.sh/resources/blog/prisma-cloud-container-security-review): A review of Prisma Cloud's container and cloud workload security features, covering image scanning, runtime protection,
- [AWS Lambda Layers: Supply Chain Risks](https://safeguard.sh/resources/blog/aws-lambda-layers-supply-chain-risks): Lambda layers feel like a convenience but they are a supply chain attack surface that most teams do not treat as code. H
- [Okta 2022-2023 Incidents: Supply Chain Lessons](https://safeguard.sh/resources/blog/okta-2022-2023-incidents-supply-chain-lessons): A retrospective on Okta's string of security incidents from 2022 through 2023 and what they teach us about identity prov
- [Single-Maintainer Bus Factor Risk in OSS](https://safeguard.sh/resources/blog/open-source-single-maintainer-bus-factor-risk): A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a sup
- [SOC 2 Meets SSDF: A Practical Mapping](https://safeguard.sh/resources/blog/soc2-meets-ssdf-mapping-practical): SOC 2 auditors are starting to ask about secure development practices. Here's how to map NIST SSDF tasks onto SOC 2 Trus
- [Cloud Security Posture Management: A No-Nonsense Guide](https://safeguard.sh/resources/blog/cloud-security-posture-management-guide): What CSPM actually does, where it falls short, and how to get real value from posture management instead of drowning in
- [Node.js Permission Model: Restricting What Your Code Can Do](https://safeguard.sh/resources/blog/nodejs-permission-model): Node.js finally has an experimental permission model.
It is a significant step toward containing supply chain attacks, b
- [GitHub's Supply Chain Security Features](https://safeguard.sh/resources/blog/github-supply-chain-security-features): A comprehensive look at GitHub's evolving supply chain security toolkit, from Dependabot to code scanning, and how these
- [Where Technical Debt Meets Security Debt](https://safeguard.sh/resources/blog/technical-debt-security-debt-intersection): Technical debt and security debt are deeply intertwined. Untangling them requires understanding how shortcuts in code qu
- [Vault Supply Chain Integration Patterns](https://safeguard.sh/resources/blog/hashicorp-vault-supply-chain-integration-patterns): HashiCorp Vault is a Swiss Army knife for secrets, but most teams use it as a glorified key-value store. A walkthrough o
- [Ruby Gem Reserved Names Policy](https://safeguard.sh/resources/blog/ruby-gem-reserved-names-policy): How RubyGems.org handles reserved gem names, what protections exist for trademark holders, and where the policy creates
- [ESSCM: Enterprise SBOM Management at Scale](https://safeguard.sh/resources/blog/safeguard-esscm-enterprise-sbom-management): Managing SBOMs across hundreds of products requires more than file storage. ESSCM brings lifecycle management, versionin
- [NIST NVD Slowdown: What the Vulnerability Enrichment Backlog Means for Security Teams](https://safeguard.sh/resources/blog/nist-nvd-slowdown-vulnerability-enrichment): NIST's National Vulnerability Database nearly stopped enriching CVEs in early 2024, creating a growing backlog that left
- [Security Testing for Data Pipelines: A Practical Guide](https://safeguard.sh/resources/blog/security-testing-data-pipelines): Data pipelines ingest, transform, and move sensitive information across systems.
Here is how to identify and address the
- [PyPI Account Recovery: A Security Model Review](https://safeguard.sh/resources/blog/pypi-account-recovery-security-model): Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery wo
- [Azure Functions Supply Chain Security](https://safeguard.sh/resources/blog/azure-functions-supply-chain-security): Azure Functions hide a surprising amount of supply chain risk — Oryx builds, run-from-package, extension bundles, and th
- [Chocolatey Package Security on Windows: What You Need to Know](https://safeguard.sh/resources/blog/chocolatey-package-security-windows): Chocolatey is the de facto package manager for Windows automation. Its trust model and security features deserve more sc
- [.NET Trimming Security Implications: What Gets Cut and Why It Matters](https://safeguard.sh/resources/blog/dotnet-trimming-security-implications): IL trimming reduces .NET application size but can silently remove security-relevant code paths. Here is what you need to
- [Security Architecture Review Process: A Practical Framework](https://safeguard.sh/resources/blog/security-architecture-review-process): Architecture reviews catch security issues before code is written. Most organizations skip them or do them poorly. Here
- [Energy Sector Software Security and NERC CIP Compliance](https://safeguard.sh/resources/blog/energy-sector-software-security-nerc-cip): Power utilities and energy companies must secure software supply chains while meeting NERC CIP requirements.
Here's a pr
- [Endor Labs SCA Review: Reachability Analysis Changes the Game](https://safeguard.sh/resources/blog/endor-labs-sca-platform-review): A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph an
- [Flutter and Dart Dependency Security: A Practical Guide](https://safeguard.sh/resources/blog/flutter-dart-dependency-security-guide): Flutter apps pull dozens of Dart packages from pub.dev. Most teams never audit them. Here is how to manage dependency se
- [CISA Secure Software Development Attestation: What Vendors Must Know](https://safeguard.sh/resources/blog/cisa-secure-software-development-attestation): CISA now requires software vendors selling to the US government to attest to secure development practices. Here's what t
- [CISA KEV Catalog Growth: A 2024 Q1 Analysis](https://safeguard.sh/resources/blog/cisa-kev-catalog-growth-analysis-2024): CISA added 40+ CVEs to the Known Exploited Vulnerabilities catalog in Q1 2024. We break down the vendor mix, the edge-de
- [.NET 8 Supply Chain Improvements](https://safeguard.sh/resources/blog/dotnet-8-supply-chain-improvements): .NET 8 quietly shipped several supply chain improvements worth knowing — NuGet audit, signed packages, SBOM tooling, and
- [Kubernetes CVE-2024-3177: Bypassing Mountable Secrets Policy](https://safeguard.sh/resources/blog/kubernetes-vulnerability-cve-2024-3177): A medium-severity Kubernetes vulnerability allowed pods to access secrets they should not have been able to mount, under
- [BianLian's Pivot: From Ransomware Encryption to Pure Data Extortion](https://safeguard.sh/resources/blog/bianlian-ransomware-data-extortion-evolution): BianLian abandoned encryption entirely in favor of data theft and extortion.
This shift reveals where ransomware economi
- [CI/CD Compromise Investigation Steps](https://safeguard.sh/resources/blog/ci-cd-compromise-investigation-steps): A step-by-step investigation playbook for suspected CI/CD pipeline compromise, from runner forensics to secrets rotation
- [How to Publish an npm Package With Provenance](https://safeguard.sh/resources/blog/how-to-publish-npm-package-with-provenance): A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically
- [Tekton Pipelines Hardening Guide](https://safeguard.sh/resources/blog/tekton-pipelines-hardening-guide): A practical hardening guide for Tekton Pipelines covering TaskRun isolation, step image provenance, workspace secrets, a
- [VM to Container: Supply Chain Implications of the Migration](https://safeguard.sh/resources/blog/vm-to-container-supply-chain-implications): What changes in your software supply chain when you move from virtual machines to containers, and how to adapt governanc
- [Certificate Pinning for Software Updates: When and How to Pin](https://safeguard.sh/resources/blog/certificate-pinning-software-updates): Certificate pinning can protect your update channel from MITM attacks, but it introduces operational complexity. Here is
- [Mobile Application Security Testing: Beyond the OWASP Mobile Top 10](https://safeguard.sh/resources/blog/mobile-application-security-testing): Mobile apps have unique security challenges that web-focused tools miss entirely. Here is a practical testing methodolog
- [Security KPI Frameworks: Measuring What Matters Without Drowning in Metrics](https://safeguard.sh/resources/blog/security-kpi-frameworks-guide): Most security metrics measure activity, not outcomes.
Here is how to build a KPI framework that tells leadership whether
- [Fintech Software Supply Chain Regulatory Map](https://safeguard.sh/resources/blog/fintech-software-supply-chain-regulatory-map): A practical tour through the tangle of regulations, supervisory letters, and industry standards that now govern how fint
- [Kubernetes Secrets Encryption Providers Reviewed](https://safeguard.sh/resources/blog/kubernetes-secrets-encryption-providers-review): etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sh
- [Abandoned Package Takeover: When Maintainers Walk Away](https://safeguard.sh/resources/blog/abandoned-package-takeover-risks): Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over packa
- [Capacitor and Ionic Hybrid App Security: A Practical Guide](https://safeguard.sh/resources/blog/capacitor-ionic-hybrid-app-security): Capacitor-based hybrid apps blend web technologies with native device access. This combination creates a unique attack s
- [Crates.io Security Audit Results: The State of Rust Package Security](https://safeguard.sh/resources/blog/crates-io-security-audit-results): Security audits of the Rust crate ecosystem reveal patterns of unsafe code, build script risks, and supply chain vulnera
- [Software Liability in 2024: The Shift From Caveat Emptor to Vendor Accountability](https://safeguard.sh/resources/blog/software-liability-shifting-landscape-2024): Governments worldwide are moving to hold software vendors liable for security failures.
Here is what the shifting liabil
- [Argo CD GitOps Security Guide](https://safeguard.sh/resources/blog/argo-cd-gitops-security-guide): Securing Argo CD deployments with RBAC, SSO integration, secret management, and network policies for production Kubernet
- [Securing Software Update Mechanisms](https://safeguard.sh/resources/blog/software-update-mechanism-security): Software updates are a double-edged sword: they deliver patches but also provide a trusted channel attackers can exploit
- [Introducing Safeguard: Software Supply Chain Security, Done Right](https://safeguard.sh/resources/blog/introducing-safeguard-software-supply-chain-security): Today we are launching Safeguard, a platform purpose-built for managing the security of your software supply chain from
- [AWS SAM Template Security Considerations](https://safeguard.sh/resources/blog/aws-sam-template-security-considerations): SAM templates look simple and that is exactly the problem. The defaults are generous, the transforms are opaque, and the
- [How to Set Up Sigstore in Your Build Pipeline](https://safeguard.sh/resources/blog/how-to-set-up-sigstore-in-your-build-pipeline): Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller e
- [Lazarus Group Software Supply Chain Campaigns](https://safeguard.sh/resources/blog/lazarus-group-software-supply-chain-campaigns): A field analyst's look at how North Korea's Lazarus Group has turned software supply chains into a strategic weapon, fro
- [LockBit Takedown: Inside Operation Cronos](https://safeguard.sh/resources/blog/lockbit-takedown-operation-cronos-analysis): Operation Cronos seized LockBit's leak site in February 2024. We unpack the NCA-led takedown, the decryptor release, and
- [Multi-Cloud Security Posture Management for Supply Chains](https://safeguard.sh/resources/blog/multi-cloud-security-posture-management): Running workloads across AWS, Azure, and GCP multiplies your attack surface.
This guide covers cloud security posture ma
- [Building a Security Champions Program](https://safeguard.sh/resources/blog/security-champions-program-building-guide): A step-by-step guide to launching a security champions program that scales your security team's influence across enginee
- [Building a Software Vendor Security Scorecard](https://safeguard.sh/resources/blog/software-vendor-security-scorecard): Not all vendors are equal when it comes to security. Here is how to build a scorecard that objectively evaluates vendor
- [Earthly Reproducible Builds and Security](https://safeguard.sh/resources/blog/earthly-reproducible-builds-security): How Earthly's reproducible, containerized build system eliminates environment drift and strengthens build integrity for
- [CISA's Memory-Safe Languages Roadmap: What It Means for Software Development](https://safeguard.sh/resources/blog/cisa-memory-safe-languages-roadmap): CISA publishes a roadmap urging the industry to transition to memory-safe programming languages, targeting the root caus
- [NIST Cybersecurity Framework 2.0: What Changed and Why It Matters](https://safeguard.sh/resources/blog/nist-cybersecurity-framework-2-0-guide): NIST CSF 2.0 introduces a new Govern function and expands supply chain risk management. Here's what security teams need
- [NuGet Package Signing: Enterprise Rollout](https://safeguard.sh/resources/blog/nuget-package-signing-enterprise-rollout): Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography
- [Poetry and Python Supply Chain Security](https://safeguard.sh/resources/blog/python-poetry-supply-chain-security): Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typ
- [PDF Supply Chain Attack Vectors: When Documents Become Weapons](https://safeguard.sh/resources/blog/pdf-supply-chain-attack-vectors): PDFs are trusted by default in most organizations.
That trust makes them a potent vector for supply chain attacks. Here
- [Change Healthcare Breach: The Worst Healthcare Data Breach in U.S. History](https://safeguard.sh/resources/blog/unitedhealth-change-healthcare-breach): In February 2024, a ransomware attack on Change Healthcare paralyzed the U.S. healthcare payment system for weeks and ul
- [Change Healthcare Ransomware Attack: The Breach That Disrupted American Healthcare](https://safeguard.sh/resources/blog/change-healthcare-ransomware-attack): The BlackCat/ALPHV ransomware attack on Change Healthcare caused the largest healthcare IT disruption in U.S. history, a
- [Operation Cronos: How Law Enforcement Dismantled LockBit Ransomware](https://safeguard.sh/resources/blog/lockbit-ransomware-takedown-operation-cronos): A coordinated international operation seized LockBit's infrastructure, arrested affiliates, and obtained decryption keys
- [Dependency Confusion in Private Registries: The Attack That Keeps Working](https://safeguard.sh/resources/blog/dependency-confusion-private-registries): Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organ
- [Security Awareness Training That Developers Don't Hate](https://safeguard.sh/resources/blog/security-awareness-training-developers): Traditional security training is boring and ineffective. Here is how to build a training program developers actually eng
- [SBOMs for Microservices Architecture: Managing Complexity at Scale](https://safeguard.sh/resources/blog/sbom-for-microservices-architecture): When your application is 50 services with 50 dependency trees, SBOM management stops being simple.
Here's how to handle
- [Shopify's Supply Chain Security Program](https://safeguard.sh/resources/blog/shopify-supply-chain-security-program): How Shopify built a supply chain security program that protects millions of merchants while maintaining the development
- [Fortinet FortiOS CVE-2024-21762: Exploitation Patterns](https://safeguard.sh/resources/blog/fortinet-fortios-cve-2024-21762-exploitation): CVE-2024-21762 gave attackers pre-auth RCE on FortiGate SSL VPN. We trace the exploitation patterns, scanner behavior, a
- [gVisor Runtime Security Deep Dive](https://safeguard.sh/resources/blog/gvisor-runtime-security-deep-dive): gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, wit
- [NYDFS Cybersecurity Regulation: Software Security Requirements for Financial Firms](https://safeguard.sh/resources/blog/nydfs-cybersecurity-regulation-software): New York's DFS cybersecurity regulation sets a high bar for financial institutions. Here's how the 2023 amendments affec
- [Supply Chain Incident Notification Laws: A Global Overview](https://safeguard.sh/resources/blog/supply-chain-incident-notification-laws): Governments worldwide are mandating supply chain incident disclosure. Here is what organizations need to know about noti
- [Semgrep vs CodeQL: Static Analysis for Security Teams](https://safeguard.sh/resources/blog/semgrep-codeql-sast-comparison): A deep comparison of Semgrep and CodeQL for static application security testing, covering rule writing, performance, lan
- [XML External Entity (XXE) Prevention: Disabling the Features That Attack You](https://safeguard.sh/resources/blog/xml-external-entity-xxe-prevention): XXE attacks exploit XML parser features that most applications never need.
Here is how to disable them across every majo
- [How to Enforce Cosign Signatures in Kubernetes Admission](https://safeguard.sh/resources/blog/how-to-enforce-cosign-signatures-in-kubernetes-admission): A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore poli
- [.NET NuGet Package Security](https://safeguard.sh/resources/blog/dotnet-nuget-package-security): Securing your .NET supply chain with NuGet package signing, lock files, and vulnerability scanning.
- [Media and Entertainment Software Supply Chain Security](https://safeguard.sh/resources/blog/media-entertainment-software-supply-chain): Streaming platforms, studios, and media companies depend on complex software stacks. Here's how the entertainment indust
- [Why We Built Safeguard](https://safeguard.sh/resources/blog/why-we-built-safeguard): The software supply chain is broken. We started Safeguard because existing tools treated SBOM as a checkbox exercise ins
- [Azure Managed Identities and the Supply Chain](https://safeguard.sh/resources/blog/azure-managed-identities-supply-chain): Managed identities are the credential primitive that fixes most supply chain risk in Azure — but only if you use them th
- [Bank of America Breach via Infosys McCamish Exposes 57,000 Customers](https://safeguard.sh/resources/blog/bank-of-america-infosys-mccamish-breach): In February 2024, Bank of America disclosed that a ransomware attack on its service provider Infosys McCamish Systems ha
- [Multi-Stage Docker Builds: The Security Implications Nobody Talks About](https://safeguard.sh/resources/blog/multi-stage-docker-builds-security): Multi-stage builds reduce image size, but they also introduce security considerations around build secrets, layer cachin
- [Service Worker Security Risks: The Persistent Threat in Your Browser](https://safeguard.sh/resources/blog/service-worker-security-risks): Service workers intercept network requests, cache content, and run in the background. When compromised, they become a pe
- [Compliance as Code: Implementation Guide for Security Teams](https://safeguard.sh/resources/blog/compliance-as-code-implementation-guide): Compliance as code transforms audit requirements into automated checks. This guide covers frameworks, tooling, and pract
- [go mod tidy: The Security Implications](https://safeguard.sh/resources/blog/go-mod-tidy-security-implications): Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and
- [npm Package Visibility Audit Techniques](https://safeguard.sh/resources/blog/npm-package-visibility-audit-techniques): Public when it should have been private. Private when it should have been archived. The state of npm package visibility
- [SBOMs for AI/ML Models: Why Machine Learning Needs a Bill of Materials](https://safeguard.sh/resources/blog/sbom-for-ai-ml-models-emerging-standards): As AI models become critical infrastructure, the need for transparency about their components, training data, and depend
- [Remix Framework Security Deep Dive](https://safeguard.sh/resources/blog/remix-framework-security-deep-dive): Remix's server-first architecture and loader/action primitives make for a distinctive security model. The framework enco
- [Building vs Buying Security Tools: Making the Right Call](https://safeguard.sh/resources/blog/building-vs-buying-security-tools): Every security team faces the build-vs-buy decision. Here is a framework for deciding when to build custom tools and whe
- [Government Contractor SBOM Compliance: Meeting Federal Requirements](https://safeguard.sh/resources/blog/government-contractor-sbom-compliance): Federal agencies are mandating SBOMs from their software suppliers.
If you sell software to the government, here's what
- [Green Software and Security: When Sustainability Meets Supply Chain Risk](https://safeguard.sh/resources/blog/green-software-security-sustainability): The push for sustainable software is changing how we build and deploy applications. Security teams need to understand wh
- [Software Updates in Air-Gapped Environments: Security Without Connectivity](https://safeguard.sh/resources/blog/air-gapped-environment-software-updates): Air-gapped environments protect critical infrastructure by eliminating network connectivity. But software still needs up
- [The Annual Vendor Security Review Cadence](https://safeguard.sh/resources/blog/annual-vendor-security-review-cadence): A complete timeline and workflow for running the annual vendor security review cycle, staffed sustainably, with clear de
- [Privilege Escalation in Web Applications: Attacks and Defenses](https://safeguard.sh/resources/blog/privilege-escalation-web-applications): Privilege escalation vulnerabilities let attackers elevate their access level within an application. This guide covers b
- [Secure Development Environment Setup: A Practical Guide](https://safeguard.sh/resources/blog/secure-development-environment-setup): Setting up a secure development environment involves more than installing an IDE. From OS hardening to credential manage
- [South Korea's Cybersecurity Regulations and Software Supply Chain Requirements](https://safeguard.sh/resources/blog/south-korea-cybersecurity-regulations): South Korea is strengthening cybersecurity regulations with new supply chain security frameworks.
Here's the landscape f
- [AnyDesk Production Systems Compromised: Code Signing Certificates Stolen](https://safeguard.sh/resources/blog/anydesk-production-systems-compromised): AnyDesk confirmed a breach of their production systems in late January 2024, forcing revocation of code signing certific
- [Cloudflare's Thanksgiving 2023 Breach: How Okta Credentials Led to a Nation-State Intrusion](https://safeguard.sh/resources/blog/cloudflare-thanksgiving-2023-breach-okta): Cloudflare disclosed that a nation-state actor used credentials stolen from the October 2023 Okta breach to access their
- [Secure Boot UEFI and Software Supply Chain Links](https://safeguard.sh/resources/blog/secure-boot-uefi-software-supply-chain-links): How UEFI Secure Boot, shim, and Microsoft third-party UEFI CA connect to software supply chain risk in OS and firmware u
- [SBOMs for Defense Contractors: Aligning with CMMC and DoD Requirements](https://safeguard.sh/resources/blog/sbom-for-defense-contractors-cmmc): Defense contractors face unique SBOM challenges. This guide covers CMMC alignment, DFARS clauses, and practical steps to
- [YAML Deserialization Attacks and How to Prevent Them](https://safeguard.sh/resources/blog/yaml-deserialization-attacks-prevention): YAML looks innocent but its deserialization features have led to remote code execution in countless applications. Here i
- [Vite and Turbopack: Security Considerations for Next-Gen Build Tools](https://safeguard.sh/resources/blog/vite-turbopack-build-security): Vite and Turbopack represent the next generation of JavaScript build tools. Their architectures introduce new security c
- [SBOM for Fintech Startups: Compliance and Security from Day One](https://safeguard.sh/resources/blog/sbom-for-fintech-startups): Fintech startups face intense regulatory scrutiny from the start.
SBOMs are not just good practice — they are becoming a
- [Midnight Blizzard and the Microsoft Email Breach](https://safeguard.sh/resources/blog/midnight-blizzard-microsoft-email-breach-analysis): Russia's SVR-linked Midnight Blizzard sat inside Microsoft's corporate email for weeks. Here is what the January 2024 di
- [Auditing AI-Generated Code: A Practical Security Guide](https://safeguard.sh/resources/blog/ai-code-generation-security-audit-guide): AI code generation tools are producing millions of lines of code daily. Here is a practical framework for auditing AI-ge
- [SBOM API Integration Patterns for Development Teams](https://safeguard.sh/resources/blog/sbom-api-integration-patterns): SBOMs locked in files are static inventory. SBOMs exposed through APIs become live infrastructure. Here's how to build t
- [Trello API Scraping Exposes 15 Million User Accounts](https://safeguard.sh/resources/blog/trello-15-million-accounts-exposed): In January 2024, a threat actor used an insecure Trello API endpoint to scrape and correlate email addresses with Trello
- [Netflix's Open-Source Security Approach](https://safeguard.sh/resources/blog/netflix-open-source-security-approach): How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while mainta
- [npm audit vs pnpm audit vs yarn audit](https://safeguard.sh/resources/blog/npm-audit-vs-pnpm-audit-vs-yarn-audit): Three audit tools, three philosophies, three blind spots. A ground-level comparison of how npm, pnpm, and yarn surface v
- [Manufacturing OT Software Supply Chain: Securing the Factory Floor](https://safeguard.sh/resources/blog/manufacturing-ot-software-supply-chain): Manufacturing OT systems depend on software supply chains that most security teams don't monitor.
Here's how to extend s
- [React Application Security Guide](https://safeguard.sh/resources/blog/react-application-security-guide): Securing React applications from XSS, dependency vulnerabilities, and common frontend attack patterns.
- [Microsoft Breached by Midnight Blizzard: Russian Hackers Read Executive Emails](https://safeguard.sh/resources/blog/microsoft-midnight-blizzard-email-breach): In January 2024, Microsoft disclosed that the Russian state-sponsored group Midnight Blizzard had been reading emails of
- [Midnight Blizzard Breaches Microsoft: What the Exchange Online Attack Means for Everyone](https://safeguard.sh/resources/blog/midnight-blizzard-microsoft-exchange-breach): Russian state actors compromised Microsoft executive email accounts through a password spray attack on a legacy test ten
- [Veracode SCA: Mature Application Security Meets Dependency Scanning](https://safeguard.sh/resources/blog/veracode-sca-platform-overview): An overview of Veracode's SCA capabilities within their broader application security platform, covering vulnerability pr
- [How to Detect Typosquatting in Package Installs](https://safeguard.sh/resources/blog/how-to-detect-typosquatting-in-package-installs): Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, dow
- [Software Component Lifecycle Management](https://safeguard.sh/resources/blog/software-component-lifecycle-management): Components do not stay secure forever. This guide covers managing the full lifecycle of software dependencies -- from ad
- [How to Security Audit an Open Source Project Before Adoption](https://safeguard.sh/resources/blog/open-source-project-security-audit-guide): Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the
- [Bun Runtime Security Considerations: Speed vs. Safety Trade-offs](https://safeguard.sh/resources/blog/bun-runtime-security-considerations): Bun prioritizes performance over Node.js compatibility. But some of those performance choices have security implications
- [Akira Ransomware: Exploiting VPN Vulnerabilities for Supply Chain Entry](https://safeguard.sh/resources/blog/akira-ransomware-supply-chain-entry): Akira ransomware systematically exploited Cisco VPN vulnerabilities as its primary entry vector, targeting organizations
- [AWS ECR Image Scanning: A Deep Dive Into What It Catches and What It Misses](https://safeguard.sh/resources/blog/aws-ecr-image-scanning-deep-dive): ECR offers both basic and enhanced scanning. The difference between them determines whether your container security is r
- [Express and Node.js Security Hardening](https://safeguard.sh/resources/blog/express-nodejs-security-hardening): Practical security hardening for Express.js applications covering middleware, input validation, and production deploymen
- [Platform Engineering and Security: Building Guardrails, Not Gates](https://safeguard.sh/resources/blog/platform-engineering-security-integration): Platform engineering teams are becoming the stewards of developer experience. Here's how to make supply chain security a
- [Vulnerability SLA Compliance Tracking That Actually Works](https://safeguard.sh/resources/blog/vulnerability-sla-compliance-tracking): Most organizations define vulnerability SLAs and then fail to meet them. The problem is not motivation. It is measuremen
- [Ivanti Connect Secure Zero-Day: CVE-2024-21887 and CVE-2023-46805 Exploited in the Wild](https://safeguard.sh/resources/blog/ivanti-connect-secure-cve-2024-21887-zero-day): Two chained zero-days in Ivanti Connect Secure VPN appliances gave attackers unauthenticated remote code execution.
Here
- [Ansible Galaxy Security Risks: The Infrastructure Supply Chain You Forgot About](https://safeguard.sh/resources/blog/ansible-galaxy-security-risks): Ansible Galaxy roles and collections execute with root privileges on your infrastructure. Most teams apply zero security
- [Gradle Plugin Security Risks: The Code That Runs Before Your Code](https://safeguard.sh/resources/blog/gradle-plugin-security-risks): Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why
- [npm Registry Governance and the Security of node_modules](https://safeguard.sh/resources/blog/npm-registry-governance-and-security): The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every N
- [HTTP Request Smuggling: A Practical Guide](https://safeguard.sh/resources/blog/http-request-smuggling-guide): HTTP request smuggling exploits disagreements between frontend and backend servers about where one request ends and the
- [IAST vs RASP: Runtime Protection Approaches Compared](https://safeguard.sh/resources/blog/iast-rasp-runtime-protection-comparison): Interactive Application Security Testing and Runtime Application Self-Protection both operate at runtime, but they serve
- [AI Code Review for Security: How Effective Is It Really?](https://safeguard.sh/resources/blog/ai-code-review-security-effectiveness): AI-powered code review tools promise to catch vulnerabilities faster than humans. We tested the claims against reality.
- [How to Write a Security Advisory That Actually Helps](https://safeguard.sh/resources/blog/security-advisory-writing-guide): Most security advisories are either too vague to be actionable or too detailed to be safe.
Here is how to write advisori
- [Apache OFBiz CVE-2023-51467: Authentication Bypass in Enterprise Resource Planning](https://safeguard.sh/resources/blog/apache-ofbiz-cve-2023-51467-auth-bypass): CVE-2023-51467 bypassed a previous patch for an authentication flaw in Apache OFBiz, granting unauthenticated access to
- [npm Team Access Model Hardening](https://safeguard.sh/resources/blog/npm-team-access-model-hardening): Npm's team-based permissions are more expressive than most organizations use. A walkthrough of the access model and the
- [Software Supply Chain Security in 2023: Year in Review](https://safeguard.sh/resources/blog/software-supply-chain-security-2023-year-review): From the MOVEit mass exploitation to AI model risks, 2023 proved that supply chain attacks are accelerating in both soph
- [Vulnerability Disclosure Policy Template](https://safeguard.sh/resources/blog/vulnerability-disclosure-policy-template): A practical template for creating a vulnerability disclosure policy, with guidance on safe harbor provisions, response t
- [VF Corporation Ransomware Attack Disrupts Vans, North Face, and Timberland](https://safeguard.sh/resources/blog/vans-vf-corporation-ransomware): In December 2023, VF Corporation, parent company of Vans, The North Face, and Timberland, suffered a ransomware attack t
- [Xfinity Breach via Citrix Bleed Exposes 35.9 Million Customers](https://safeguard.sh/resources/blog/xfinity-citrix-bleed-35-million): In December 2023, Comcast's Xfinity division disclosed that attackers exploiting the Citrix Bleed vulnerability had acce
- [Building a Security Automation Playbook Library for Supply Chain Defense](https://safeguard.sh/resources/blog/security-automation-playbook-library): Security automation playbooks codify response procedures into executable workflows.
A well-designed playbook library tur
- [Red Team Supply Chain Attack Simulation](https://safeguard.sh/resources/blog/red-team-supply-chain-attack-simulation): How red teams can simulate real-world supply chain attacks to test organizational defenses—from dependency confusion to
- [SEC Cyber Disclosure Rules: What Public Companies Must Do Now](https://safeguard.sh/resources/blog/sec-cyber-disclosure-rules-impact): The SEC's new cybersecurity disclosure rules require public companies to report material incidents within four days. Her
- [Autonomous Security Remediation: The Promise and Peril of Self-Healing Software](https://safeguard.sh/resources/blog/autonomous-security-remediation-future): Automated vulnerability patching sounds ideal until you consider what happens when the automation gets it wrong. Here's
- [JFrog Artifactory Hardening Guide](https://safeguard.sh/resources/blog/jfrog-artifactory-hardening-guide-2023): Artifactory is the most common artifact repository in enterprise. It is also a default-permissive system where misconfig
- [API Gateway Security Patterns That Actually Work](https://safeguard.sh/resources/blog/api-gateway-security-patterns): API gateways sit between the internet and your services. Getting the security patterns right here multiplies your defens
- [Puppet Forge Supply Chain Security: Trusting Your Configuration Management](https://safeguard.sh/resources/blog/puppet-forge-supply-chain-security): Puppet modules from the Forge run with root-level access on your servers. The supply chain security of these modules des
- [Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker](https://safeguard.sh/resources/blog/container-runtime-comparison-security): Your container runtime determines the strength of your isolation boundary.
Here is an honest comparison of runc, gVisor,
- [Education Sector Software Security: Protecting Students and Data](https://safeguard.sh/resources/blog/education-sector-software-security): Schools and universities rely on hundreds of software applications with limited security staff. Here's how education ins
- [Log4j Two Years Later: Are We Actually Safer?](https://safeguard.sh/resources/blog/log4j-two-years-later-are-we-safer): Two years after Log4Shell shook the internet, many organizations still have vulnerable Log4j instances. The vulnerabilit
- [Post-Install Hooks Across Package Managers: A Comparative Security Analysis](https://safeguard.sh/resources/blog/post-install-hooks-across-package-managers): Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the
- [Norton Healthcare Ransomware Breach Exposes 2.5 Million Patient Records](https://safeguard.sh/resources/blog/norton-healthcare-ransomware-breach): In December 2023, Norton Healthcare disclosed that a May ransomware attack by the ALPHV/BlackCat group had compromised p
- [WAF Bypass Techniques and What They Mean for Supply Chain Security](https://safeguard.sh/resources/blog/web-application-firewall-bypass-techniques): Web Application Firewalls are a critical defense layer, but they are routinely bypassed. Understanding bypass techniques
- [Firmware Analysis and Reverse Engineering for Security Teams](https://safeguard.sh/resources/blog/firmware-analysis-reverse-engineering-security): Firmware is the forgotten attack surface.
Here are the techniques security teams use to uncover hidden vulnerabilities i
- [Multi-Cloud Container Security: Building a Unified Strategy](https://safeguard.sh/resources/blog/multi-cloud-container-security-strategy): How to maintain consistent container security across AWS, Azure, and GCP without drowning in tool sprawl and fragmented
- [Security Observability and Telemetry: Seeing What Matters](https://safeguard.sh/resources/blog/security-observability-telemetry-guide): Traditional security monitoring drowns you in alerts. Security observability flips the model — providing context-rich te
- [Apache Struts CVE-2023-50164: Critical File Upload RCE Echoes Equifax-Era Nightmares](https://safeguard.sh/resources/blog/apache-struts-cve-2023-50164-rce): A critical path traversal vulnerability in Apache Struts allowed RCE through file upload manipulation. The disclosure tr
- [OpenShift Security Context Constraints: A Guide](https://safeguard.sh/resources/blog/openshift-security-context-constraints-guide): SCCs predate Pod Security Admission by a decade and are more powerful. That power is also why OpenShift newcomers find t
- [How to Verify a PyPI Package Before Install](https://safeguard.sh/resources/blog/how-to-verify-pypi-package-before-install): A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and s
- [Deserialization Attacks in Java and Python](https://safeguard.sh/resources/blog/deserialization-attacks-java-python): Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and P
- [Purple Team Exercises for Supply Chain Security](https://safeguard.sh/resources/blog/purple-team-supply-chain-exercises): Purple team exercises combine offensive and defensive perspectives to test supply chain defenses.
Here is how to structu
- [Managing Security Debt: A Practical Guide](https://safeguard.sh/resources/blog/managing-security-debt-practical-guide): Security debt is inevitable, but it does not have to be unmanageable. Learn how to quantify, prioritize, and systematica
- [Open Source Dependency Health Metrics That Actually Matter](https://safeguard.sh/resources/blog/open-source-dependency-health-metrics): Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to
- [Monorepo Security: Dependency Management at Scale](https://safeguard.sh/resources/blog/monorepo-security-dependency-management): Monorepos centralize code but create unique security challenges. Learn how to manage shared dependencies, enforce securi
- [Federal SBOM Mandate: Compliance Deadlines and What They Mean for Vendors](https://safeguard.sh/resources/blog/federal-sbom-mandate-compliance-deadline): Federal agencies are tightening SBOM requirements for software suppliers. Here's what vendors need to know about complia
- [npm Scripts Sandboxing Techniques](https://safeguard.sh/resources/blog/npm-scripts-sandboxing-techniques): Postinstall scripts have been the supply-chain attacker's favorite tool for a decade.
Here are the sandboxing techniques
- [SOX IT Controls and Software Supply Chain](https://safeguard.sh/resources/blog/sox-it-controls-software-supply-chain-intersection): SOX ITGCs are being rewritten around open-source software and build integrity as PCAOB and SEC scrutiny extends ICFR int
- [Dollar Tree Third-Party Breach Impacts Nearly 2 Million Employees](https://safeguard.sh/resources/blog/dollar-tree-third-party-breach): In November 2023, Dollar Tree disclosed that a breach at its third-party service provider Zeroed-In Technologies exposed
- [How to Audit npm Postinstall Scripts Safely](https://safeguard.sh/resources/blog/how-to-audit-npm-postinstall-scripts-safely): Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postins
- [Chainguard Images: The Zero-CVE Container Base Image Revolution](https://safeguard.sh/resources/blog/chainguard-images-minimal-containers): Chainguard ships container images with zero known CVEs. That sounds like marketing until you understand how they build t
- [AI Model Supply Chain Risks: Hugging Face and the New Attack Surface](https://safeguard.sh/resources/blog/ai-model-supply-chain-hugging-face-risks): As organizations download pre-trained models from Hugging Face and other model hubs, the AI supply chain introduces risk
- [Security Considerations When Migrating from Monolith to Microservices](https://safeguard.sh/resources/blog/monolith-to-microservices-security-migration): Decomposing a monolith into microservices changes the attack surface fundamentally.
The security model that worked for t
- [Legacy Software and Supply Chain Risks](https://safeguard.sh/resources/blog/legacy-software-supply-chain-risks): Legacy systems are supply chain time bombs—running outdated dependencies, unsupported frameworks, and unmaintained libra
- [Express.js Security Middleware: An Audit](https://safeguard.sh/resources/blog/express-js-security-middleware-audit): Express remains the default Node.js framework at most shops, and its middleware ecosystem is a thirteen-year accumulatio
- [Healthcare Software Security: HIPAA, SBOMs, and Patient Safety](https://safeguard.sh/resources/blog/healthcare-software-security-hipaa-sbom): Medical devices and healthcare IT systems depend on software with hidden vulnerabilities. Here's how SBOMs and supply ch
- [MongoDB Atlas Breach: Customer Metadata Exposed in Corporate Systems Attack](https://safeguard.sh/resources/blog/mongodb-atlas-breach-customer-data): MongoDB disclosed unauthorized access to its corporate systems in December 2023, exposing customer metadata and contact
- [API Key Rotation Automation: A Practical Implementation Guide](https://safeguard.sh/resources/blog/api-key-rotation-automation-guide): Manual key rotation does not happen. Automated rotation does. Here is how to implement zero-downtime API key rotation fo
- [SonarQube Security Scanning: Code Quality Meets Application Security](https://safeguard.sh/resources/blog/sonarqube-security-scanning-review): A review of SonarQube's security scanning capabilities, examining how its code quality heritage shapes its approach to v
- [Apache Web Server Hardening Guide for Production Environments](https://safeguard.sh/resources/blog/apache-web-server-hardening-guide): Apache httpd still serves millions of websites.
Its default configuration exposes information, accepts weak TLS, and ena
- [Snap Store and Flatpak Security Models Compared](https://safeguard.sh/resources/blog/snap-store-flatpak-security-models): Universal Linux packaging formats promise sandboxed applications. Their security models differ significantly, and neithe
- [Travis CI Security Best Practices](https://safeguard.sh/resources/blog/travis-ci-security-best-practices): Security hardening for Travis CI pipelines covering secret management, build isolation, and migration considerations for
- [Boeing Hit by LockBit Ransomware: 43GB of Sensitive Data Leaked](https://safeguard.sh/resources/blog/boeing-lockbit-ransomware-data-leak): In November 2023, the LockBit ransomware gang published 43 gigabytes of Boeing's internal data after the aerospace giant
- [Rust Cargo Dependency Security Guide](https://safeguard.sh/resources/blog/rust-cargo-dependency-security-guide): How to secure your Rust supply chain with Cargo.lock, crate auditing, and build script controls.
- [Singapore's Cybersecurity Act and Software Supply Chain Obligations](https://safeguard.sh/resources/blog/singapore-cybersecurity-act-supply-chain): Singapore's regulatory approach to cybersecurity is maturing fast, with supply chain security becoming a central pillar.
- [govulncheck in Production Integration](https://safeguard.sh/resources/blog/govulncheck-production-integration): govulncheck is the best vulnerability scanner the Go ecosystem has ever had, but turning it from a demo into a productio - [Apache ActiveMQ CVE-2023-46604: Ransomware Groups Exploit Critical RCE](https://safeguard.sh/resources/blog/apache-activemq-cve-2023-46604-rce): A critical remote code execution flaw in Apache ActiveMQ was rapidly weaponized by ransomware operators, with exploitati - [Citrix Bleed CVE-2023-4966: Session Token Theft That Bypassed Every Authentication Control](https://safeguard.sh/resources/blog/citrix-bleed-cve-2023-4966-exploitation): Citrix Bleed allowed attackers to steal session tokens from NetScaler ADC, bypassing MFA and all authentication controls - [Java Module System Security Features: What JPMS Actually Delivers](https://safeguard.sh/resources/blog/java-module-system-security-features): The Java Platform Module System promised stronger encapsulation and security boundaries. Here is what it actually delive - [The LLM Supply Chain: Risks Hiding in Foundation Models](https://safeguard.sh/resources/blog/large-language-model-supply-chain-risks): Large language models have their own supply chains: training data, fine-tuning datasets, model weights, and serving infr - [OAuth Token Security Throughout the Lifecycle](https://safeguard.sh/resources/blog/oauth-token-security-lifecycle): OAuth tokens grant access to APIs, services, and user data. Their security across creation, storage, use, and revocation - [CI/CD Credential Theft Prevention](https://safeguard.sh/resources/blog/ci-cd-credential-theft-prevention): CI/CD pipelines are treasure troves of secrets -- cloud credentials, API keys, signing certificates. 
Preventing credenti - [Deno's Permission-Based Security Model: What It Gets Right and Where It Falls Short](https://safeguard.sh/resources/blog/deno-runtime-security-model-analysis): Deno was built with security as a first-class concern, requiring explicit permissions for file, network, and environment - [Executive Order 14028 at the Two-Year Mark](https://safeguard.sh/resources/blog/executive-order-14028-year-two-checkpoint): Two years after Executive Order 14028 on federal cybersecurity, the operational impact is clearer. What actually changed - [SBOMs in the Automotive Industry: Navigating Software-Defined Vehicles](https://safeguard.sh/resources/blog/software-bill-of-materials-automotive-industry): Modern vehicles contain over 100 million lines of code. The automotive industry is waking up to software supply chain se - [CMMC 2.0 and Software Supply Chain Security: A Practical Guide](https://safeguard.sh/resources/blog/cmmc-2-0-software-supply-chain-guide): CMMC 2.0 is reshaping defense contracting requirements. Here's how software supply chain security maps to the new maturi - [Container Escape Techniques in 2023: What's Changed and What Hasn't](https://safeguard.sh/resources/blog/container-escape-techniques-2023-update): Container escapes remain a real threat in multi-tenant environments. A look at the latest techniques, CVEs, and defenses - [Deno Security Model Advantages: Runtime Permissions Done Right](https://safeguard.sh/resources/blog/deno-security-model-advantages): Deno requires explicit permission grants for file, network, and environment access. 
This capability-based model changes - [Dependency Hijacking Prevention: A Comprehensive Guide](https://safeguard.sh/resources/blog/dependency-hijacking-prevention-guide): Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled p - [Pulumi and Crossplane Security: IaC Beyond Terraform](https://safeguard.sh/resources/blog/pulumi-crossplane-iac-security): Security considerations for Pulumi and Crossplane as infrastructure-as-code alternatives, including unique risks and har - [React Native Security Considerations for Mobile Supply Chains](https://safeguard.sh/resources/blog/react-native-security-considerations): React Native introduces unique security challenges at the intersection of JavaScript and native mobile code. Understandi - [RubyGems Yanked Gems: Security Risks of Removed Ruby Packages](https://safeguard.sh/resources/blog/rubygems-yanked-gems-security): When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding t - [API Security Testing Against the OWASP API Top 10: A Hands-On Guide](https://safeguard.sh/resources/blog/api-security-testing-owasp-guide): APIs are now the primary attack surface for most applications. Here is how to test for the OWASP API Security Top 10 ris - [Cloudflare's Supply Chain Security Model](https://safeguard.sh/resources/blog/cloudflare-supply-chain-security-model): How Cloudflare secures the software supply chain for infrastructure that sits between the internet and millions of websi - [Wiz Cloud Security Platform: Agentless Done at Scale](https://safeguard.sh/resources/blog/wiz-cloud-security-platform-overview): An overview of Wiz's cloud security platform, covering its agentless architecture, graph-based risk analysis, and how it - [Mr. Cooper Mortgage Breach Exposes 14.7 Million Customers](https://safeguard.sh/resources/blog/mr-cooper-mortgage-data-breach): In November 2023, mortgage giant Mr. 
Cooper disclosed a cyberattack that compromised the personal and financial data of - [CISA's Secure by Default: Shifting Responsibility to Software Manufacturers](https://safeguard.sh/resources/blog/cisa-secure-by-default-guidance): CISA's Secure by Design guidance pushes software vendors to ship secure defaults and take ownership of customer security - [PyPI 2FA Enrollment: Enterprise Rollout](https://safeguard.sh/resources/blog/pypi-2fa-enrollment-enterprise-rollout): PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rol - [Building a Software Supply Chain Risk Register](https://safeguard.sh/resources/blog/supply-chain-risk-register-template): A risk register is the backbone of supply chain risk management. Here is a practical template for identifying, scoring, - [Dagger CI/CD Security Benefits](https://safeguard.sh/resources/blog/dagger-ci-cd-security-benefits): How Dagger's containerized pipeline model improves CI/CD security with hermetic builds, portability, and reduced platfor - [F5 BIG-IP CVE-2023-46747: Authentication Bypass Puts Network Infrastructure at Risk](https://safeguard.sh/resources/blog/f5-big-ip-cve-2023-46747-authentication-bypass): A critical authentication bypass in F5 BIG-IP allowed unauthenticated attackers to gain administrative access. The vulne - [A History of Browser Sandbox Escapes and What They Teach Us](https://safeguard.sh/resources/blog/browser-sandbox-escape-history): Browser sandboxes are the last line of defense against web-based attacks. When they fail, everything is exposed. Here is - [Building a DevSecOps Culture: Beyond Tools and into Teams](https://safeguard.sh/resources/blog/devsecops-culture-building-security-teams): DevSecOps is a culture shift, not a tooling decision. 
Practical strategies for building security into development teams - [Confidential Computing: A New Trust Model for Software Supply Chains](https://safeguard.sh/resources/blog/confidential-computing-supply-chain): Confidential computing protects data in use through hardware-based enclaves. It could fundamentally change how we think - [Southeast Asia's Software Supply Chain Security Gap](https://safeguard.sh/resources/blog/southeast-asia-supply-chain-security): Southeast Asia's booming tech sector is building fast but securing slowly. Supply chain attacks targeting the region are - [Trivy vs Grype: Container Scanning Head-to-Head](https://safeguard.sh/resources/blog/trivy-vs-grype-container-scanning-2023): Compare Trivy and Grype on vulnerability database sources, scan speed, OS coverage, SBOM integration, and CI ergonomics - [Okta's Support System Breach: Identity Provider Under Fire Again](https://safeguard.sh/resources/blog/okta-support-system-breach-october-2023): Okta disclosed that attackers used stolen credentials to access its customer support system, downloading HAR files conta - [CISO Quarterly Reporting Template: What the Board Actually Needs to See](https://safeguard.sh/resources/blog/ciso-quarterly-reporting-template): Most CISO board reports contain too many technical details and not enough business context. Here is a reporting template - [RSA Conference 2023 Supply Chain Track: Field Notes](https://safeguard.sh/resources/blog/rsa-conference-2023-supply-chain-track-notes): Five takeaways from the supply chain sessions at RSA Conference 2023, from SBOM adoption skepticism to attestation tooli - [SBOMs for Embedded Systems: Firmware Transparency](https://safeguard.sh/resources/blog/sbom-for-embedded-systems): Embedded devices run for decades and rarely get patched. 
SBOMs bring transparency to firmware that the IoT industry desp - [Uber's Security Transformation Post-Breach](https://safeguard.sh/resources/blog/uber-security-transformation-post-breach): How Uber rebuilt its security program after the 2016 data breach and the 2022 Lapsus$ compromise, with hard-won lessons - [Cisco IOS XE CVE-2023-20198: Tens of Thousands of Devices Implanted](https://safeguard.sh/resources/blog/cisco-ios-xe-cve-2023-20198-implant): A critical zero-day in Cisco IOS XE's web UI allowed unauthenticated attackers to create admin accounts and deploy impla - [Cisco IOS XE CVE-2023-20198: The Zero-Day That Compromised Tens of Thousands of Network Devices](https://safeguard.sh/resources/blog/cisco-ios-xe-webui-cve-2023-20198-implant): CVE-2023-20198 in Cisco IOS XE allowed unauthenticated attackers to create admin accounts on network devices. Over 40,00 - [TypeScript Security Best Practices](https://safeguard.sh/resources/blog/typescript-security-best-practices): How TypeScript's type system helps catch security bugs at compile time, and what it cannot protect you from. - [How to Enable Dependency Review on GitHub PRs](https://safeguard.sh/resources/blog/how-to-enable-github-dependency-review-on-prs): A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fa - [Progressive Web App Security: The Risks Hiding in the Browser](https://safeguard.sh/resources/blog/progressive-web-app-security-guide): PWAs blur the line between websites and applications. Their security model is browser-based, which introduces different - [Scratch vs Distroless: Choosing the Right Minimal Container Image](https://safeguard.sh/resources/blog/scratch-vs-distroless-minimal-images): Both scratch and distroless promise minimal attack surface. 
The right choice depends on your runtime, your debugging nee - [Incident Response Tabletop Exercises: A Practical Guide for Supply Chain Scenarios](https://safeguard.sh/resources/blog/incident-response-tabletop-exercises-guide): Your incident response plan is untested until people have walked through it under pressure. Here is how to design and ru - [Insecure Deserialization: Why Untrusted Data Should Never Become Objects](https://safeguard.sh/resources/blog/insecure-deserialization-prevention): Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, - [curl CVE-2023-38545: The Worst curl Vulnerability in Years](https://safeguard.sh/resources/blog/curl-cve-2023-38545-heap-buffer-overflow): A heap buffer overflow in curl's SOCKS5 proxy handshake earned a severity rating of HIGH from curl's creator Daniel Sten - [HTTP/2 Rapid Reset: The Largest DDoS Attacks in Internet History](https://safeguard.sh/resources/blog/http2-rapid-reset-cve-2023-44487-ddos): CVE-2023-44487 exploits a design flaw in HTTP/2 to amplify DDoS attacks, enabling record-breaking attacks peaking at 398 - [Cloud-Native Application Protection: Beyond the Buzzword](https://safeguard.sh/resources/blog/cloud-native-application-protection-guide): CNAPP promises unified cloud security. Here is what it actually delivers, where it falls short, and how to evaluate plat - [Open Source vs Commercial SCA Tools: An Honest Comparison](https://safeguard.sh/resources/blog/open-source-vs-commercial-sca): Free SCA tools have gotten remarkably good. Commercial tools still offer advantages. 
Here is when each makes sense for y - [Scattered Spider: The Social Engineering Group That Outmaneuvered Enterprise Security](https://safeguard.sh/resources/blog/scattered-spider-social-engineering-attacks): Scattered Spider combined aggressive social engineering with deep knowledge of enterprise IT to breach MGM Resorts, Caes - [Package Registry Mirroring: Security Benefits and Hidden Risks](https://safeguard.sh/resources/blog/package-registry-mirroring-security): Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their - [Python setuptools Security Considerations](https://safeguard.sh/resources/blog/python-setuptools-security-considerations): setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, o - [Authorization Vulnerabilities: Prevention and Best Practices](https://safeguard.sh/resources/blog/authorization-vulnerabilities-prevention): Authorization flaws let authenticated users access resources and perform actions beyond their intended permissions. Lear - [OpenSSF Scorecard v5: Raising the Bar for Open Source Security](https://safeguard.sh/resources/blog/openssf-scorecard-v5-release): The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-dri - [Zero Trust for Developer Workstations: Rethinking Endpoint Security](https://safeguard.sh/resources/blog/zero-trust-developer-workstations): Developer workstations have elevated access to source code, build systems, and deployment pipelines. Zero Trust principl - [When Observability Meets Security: The Convergence That Changes Everything](https://safeguard.sh/resources/blog/observability-security-convergence): Observability and security have operated in silos for too long. 
Their convergence creates capabilities that neither coul - [JetBrains TeamCity CVE-2023-42793: When Your Build Server Becomes the Attack Vector](https://safeguard.sh/resources/blog/jetbrains-teamcity-cve-2023-42793-exploitation): A critical authentication bypass in TeamCity allowed unauthenticated attackers to gain admin access to CI/CD servers. St - [OWASP Top 10 for LLM Applications: A First Look](https://safeguard.sh/resources/blog/owasp-top-10-for-llm-applications-first-look): OWASP published its first Top 10 for LLM Applications on August 1, 2023. Here is what it covers, where it overreaches, a - [JSON Parsing Library Vulnerabilities You Should Know About](https://safeguard.sh/resources/blog/json-parsing-library-vulnerabilities): JSON is the lingua franca of APIs, but the libraries that parse it have had serious security issues. Here is what to wat - [Webpack vs Rollup vs esbuild: A Security Comparison](https://safeguard.sh/resources/blog/webpack-rollup-esbuild-security): Choosing a bundler is usually about speed and features. Here is how Webpack, Rollup, and esbuild compare on the dimensio - [Checkmarx SCA: Application Security from a SAST Pioneer](https://safeguard.sh/resources/blog/checkmarx-sca-platform-review): A review of Checkmarx SCA covering its integration with the broader Checkmarx AST platform, vulnerability detection, and - [Progress WS_FTP CVE-2023-40044: Another File Transfer Platform Falls to Pre-Auth RCE](https://safeguard.sh/resources/blog/progress-ws-ftp-cve-2023-40044-critical): A critical deserialization vulnerability in Progress WS_FTP Server allowed unauthenticated RCE. Coming after MOVEit, it - [Designing a Vulnerability Triage Workflow That Works](https://safeguard.sh/resources/blog/vulnerability-triage-workflow-design): Most vulnerability triage processes are broken. 
Here is how to design a workflow that reduces noise, routes issues to th - [Securing LLM Applications: The OWASP Top 10 for Large Language Models](https://safeguard.sh/resources/blog/securing-llm-applications-owasp-top-10): OWASP released its Top 10 for LLM Applications in August 2023, providing the first standardized framework for understand - [SBOM Storage and Distribution Infrastructure](https://safeguard.sh/resources/blog/sbom-storage-distribution-infrastructure): Generating SBOMs is solved. Storing, versioning, and distributing them at scale is the next engineering challenge. - [AI Hallucinations Meet Package Confusion: A New Class of Supply Chain Attack](https://safeguard.sh/resources/blog/ai-hallucination-package-confusion-attacks): When LLMs hallucinate package names that don't exist, attackers can register them. This supply chain attack vector is al - [Spring Boot Security and Dependency Management](https://safeguard.sh/resources/blog/spring-boot-security-dependency-management): Securing Spring Boot applications with dependency management BOMs, vulnerability scanning, and hardened configurations. 
- [SBOM for the Gaming Industry: Why Game Studios Need Software Transparency](https://safeguard.sh/resources/blog/sbom-for-gaming-industry): Game studios ship millions of lines of code with complex dependency chains across engines, middleware, and third-party S - [SBOM Tooling Landscape in 2023: What Actually Works](https://safeguard.sh/resources/blog/sbom-tooling-landscape-2023): The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the trad - [Microsoft's Secure Supply Chain Practices](https://safeguard.sh/resources/blog/microsoft-secure-supply-chain-practices): How Microsoft rebuilt its security posture after years of high-profile incidents, implementing supply chain controls tha - [Python Packaging Authority and the Security of pip install](https://safeguard.sh/resources/blog/python-packaging-authority-security): Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the a - [MGM Resorts and Caesars Hit by Scattered Spider: Social Engineering at Scale](https://safeguard.sh/resources/blog/mgm-resorts-caesars-scattered-spider-2023): In September 2023, the Scattered Spider hacking group crippled MGM Resorts and extorted Caesars Entertainment through ph - [Dependabot Security Updates: Behavior Deep Dive](https://safeguard.sh/resources/blog/dependabot-security-updates-behavior-2023): A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, a - [Electron App Supply Chain Security Posture](https://safeguard.sh/resources/blog/electron-app-supply-chain-security-posture): Electron apps ship Chromium, Node.js, and your entire npm tree to a user's desktop, running with the privileges of the l - [API Security Through the Supply Chain Lens](https://safeguard.sh/resources/blog/api-security-supply-chain-considerations): APIs are both an attack surface and a supply chain dependency. 
This guide examines API security risks from authenticatio - [Canada's Cybersecurity Strategy and the Push for SBOM Adoption](https://safeguard.sh/resources/blog/canada-cyber-security-strategy-sbom): Canada is integrating software supply chain security into its national cyber strategy. Here's where SBOMs fit in and wha - [Dart/Flutter Dependency Security: Securing the Mobile Supply Chain](https://safeguard.sh/resources/blog/dart-flutter-dependency-security): Flutter's pub ecosystem is growing fast. The security tooling has not kept pace. Here is what you need to know about sec - [GitHub Packages Security Features: What You Get and What You Do Not](https://safeguard.sh/resources/blog/github-packages-security-features): GitHub Packages integrates tightly with GitHub Actions and repositories. Its security features are convenient but have g - [Building a Supply Chain Security Metrics Dashboard That Drives Action](https://safeguard.sh/resources/blog/supply-chain-security-metrics-dashboard): Most security dashboards display data nobody acts on. Here is how to build supply chain metrics that actually drive secu - [gRPC Security Considerations: Protecting High-Performance Service Communication](https://safeguard.sh/resources/blog/grpc-security-considerations-guide): gRPC's binary protocol and HTTP/2 transport make it fast. 
They also make it harder to inspect, monitor, and secure than - [SLSA v1.0: Software Provenance Attestation Goes Mainstream](https://safeguard.sh/resources/blog/software-provenance-attestation-slsa-v1): The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that' - [Edge Computing and the Distributed Supply Chain Security Challenge](https://safeguard.sh/resources/blog/edge-computing-software-supply-chain): As compute moves to the edge, software supply chain security must adapt to environments with limited visibility, constra - [Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline](https://safeguard.sh/resources/blog/build-system-poisoning-techniques): Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compro - [Cloud Marketplace Security: What AWS and Azure Listings Actually Verify](https://safeguard.sh/resources/blog/cloud-marketplace-security-aws-azure): Buying software through AWS Marketplace or Azure Marketplace feels safe. But what security verification actually happens - [Cache Poisoning Attacks: How They Work and How to Prevent Them](https://safeguard.sh/resources/blog/cache-poisoning-attacks-prevention): Cache poisoning attacks manipulate web caches to serve malicious content to other users. This guide covers web cache poi - [DAST Tool Comparison for Enterprise: What Matters Beyond Feature Lists](https://safeguard.sh/resources/blog/dast-tool-comparison-enterprise-2023): Enterprise DAST tools differ in how they handle modern application architectures, API testing, and CI/CD integration. 
He - [Massive PyPI Malware Campaign Targets Developers with Credential Stealers](https://safeguard.sh/resources/blog/pypi-malware-campaign-targeting-developers): A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to st - [Pipenv Security Posture Review](https://safeguard.sh/resources/blog/pipenv-security-posture-review-2023): Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, a - [The Ransomware Payment Ban Debate: Arguments, Evidence, and Unintended Consequences](https://safeguard.sh/resources/blog/ransomware-payment-ban-debate-analysis): Should governments ban ransomware payments? The debate intensified through 2023 as attacks escalated, with strong argume - [Secure Package Publishing Checklist for Open Source Maintainers](https://safeguard.sh/resources/blog/secure-package-publishing-checklist): Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the - [Changelog and Security Disclosure Best Practices](https://safeguard.sh/resources/blog/changelog-security-disclosure-practices): How you communicate security changes in your changelog affects both your users' safety and your project's trustworthines - [Bitbucket Pipelines Security Guide](https://safeguard.sh/resources/blog/bitbucket-pipelines-security-guide): Securing Bitbucket Pipelines with secure variables, deployment permissions, and pipeline hardening. - [Runtime SBOM vs. Build-Time SBOM: Which Do You Actually Need?](https://safeguard.sh/resources/blog/runtime-sbom-vs-build-time-sbom): Build-time SBOMs capture what goes into your software; runtime SBOMs capture what actually runs. Understanding the diffe - [Security Incident Communication Guide](https://safeguard.sh/resources/blog/security-incident-communication-guide): How to communicate during and after a security incident without making things worse. 
Templates, timelines, and principle - [Socket.dev: Detecting Supply Chain Attacks Before They Hit](https://safeguard.sh/resources/blog/socket-dev-supply-chain-detection): A review of Socket.dev's approach to supply chain security, focusing on behavior analysis of npm packages, install scrip - [WinRAR Zero-Day CVE-2023-38831: Weaponized Archives in the Wild](https://safeguard.sh/resources/blog/winrar-cve-2023-38831-zero-day-exploitation): A WinRAR vulnerability exploited since April 2023 allowed attackers to execute arbitrary code when users opened seemingl - [Japan's Approach to Cybersecurity and Software Supply Chain Security](https://safeguard.sh/resources/blog/japan-cybersecurity-software-supply-chain): Japan is rapidly building cybersecurity policy around software supply chain risk. Here's what the regulatory landscape l - [pip Install Hooks Security: The Python Packaging Backdoor](https://safeguard.sh/resources/blog/pip-install-hooks-security): Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the - [DevSecOps Toolchain Integration Patterns That Actually Work](https://safeguard.sh/resources/blog/devsecops-toolchain-integration-patterns): Most DevSecOps tool integrations fail because they are bolted on rather than designed in. Here are integration patterns - [Kubernetes Network Policies Deep Dive: From Zero Trust to Microsegmentation](https://safeguard.sh/resources/blog/kubernetes-network-policies-deep-dive): By default, every pod can talk to every other pod. 
Network policies change that, but most implementations are incomplete - [Threat Hunting in the Software Supply Chain](https://safeguard.sh/resources/blog/threat-hunting-software-supply-chain): Proactive threat hunting techniques adapted for software supply chain security—because waiting for alerts isn't enough w - [Security Champions With a Supply Chain Focus](https://safeguard.sh/resources/blog/security-champions-program-supply-chain-focus): Designing and running a security champions program specifically for supply chain risks, including recruitment, training, - [Vulnerability Remediation SLAs: Best Practices for Real Teams](https://safeguard.sh/resources/blog/vulnerability-remediation-sla-best-practices): Setting vulnerability remediation deadlines is easy. Actually meeting them is hard. This guide covers practical SLA fram - [GitHub Dependabot and the State of Automated Dependency Security](https://safeguard.sh/resources/blog/github-dependabot-supply-chain-security): Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn - [Africa's Digital Transformation: Security Challenges at Scale](https://safeguard.sh/resources/blog/africa-digital-transformation-security-challenges): Africa is leapfrogging traditional IT infrastructure with mobile-first, cloud-native solutions. But the cybersecurity fo - [Google Cloud Build Supply Chain Security: From Source to Deploy](https://safeguard.sh/resources/blog/google-cloud-build-supply-chain-security): How to secure your Cloud Build pipelines with SLSA provenance, Binary Authorization, and artifact verification for end-t - [Kubernetes Ingress Security Configuration: Getting It Right](https://safeguard.sh/resources/blog/kubernetes-ingress-security-configuration): Ingress controllers are the front door to your Kubernetes cluster. Misconfigurations here expose everything behind them. 
- [Terraform Provider Verification: Securing Your Infrastructure as Code Supply Chain](https://safeguard.sh/resources/blog/terraform-provider-verification-guide): Terraform providers are plugins that execute with full access to your infrastructure credentials. Verifying their integr - [Kubernetes 1.27 Security Highlights](https://safeguard.sh/resources/blog/kubernetes-1-27-security-highlights): Kubernetes 1.27 graduated seccomp default, introduced in-place pod resize, and cleaned up admission. Here is what actual - [npm Lockfile v3 Security Improvements](https://safeguard.sh/resources/blog/npm-lockfile-v3-security-improvements): Lockfile v3 is more than a format bump. It quietly fixed a class of integrity bugs that plagued v1 and v2, and the diffe - [LLM Prompt Injection: The New Supply Chain Attack Vector](https://safeguard.sh/resources/blog/llm-prompt-injection-supply-chain-risk): Prompt injection attacks against large language models represent a dangerous new frontier in software supply chain secur - [Internal Package Naming Best Practices to Prevent Dependency Confusion](https://safeguard.sh/resources/blog/internal-package-naming-best-practices): The wrong naming convention for internal packages makes dependency confusion attacks trivial. Here is how to name packag - [Ivanti EPMM Zero-Day CVE-2023-35078: Norwegian Government Breach](https://safeguard.sh/resources/blog/ivanti-epmm-cve-2023-35078-zero-day): A critical authentication bypass in Ivanti's Endpoint Manager Mobile was exploited to breach Norwegian government agenci - [The Hidden Risk of Abandoned Open Source Projects](https://safeguard.sh/resources/blog/abandoned-open-source-project-risks): Abandoned open source projects do not disappear. 
They continue to be installed, depended upon, and deployed in productio - [How to Generate SBOMs From Maven Projects](https://safeguard.sh/resources/blog/how-to-generate-sboms-from-maven-projects-cli): Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship att - [Game Day Exercises for Supply Chain Incidents: Practicing Before the Real Thing](https://safeguard.sh/resources/blog/game-day-exercises-supply-chain): Game day exercises simulate supply chain attacks and failures, testing your team's response procedures before a real inc - [Template Injection (SSTI) Prevention Guide](https://safeguard.sh/resources/blog/template-injection-ssti-prevention): Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twi - [OSV Schema: The Open Source Vulnerability Database Format Explained](https://safeguard.sh/resources/blog/osv-schema-vulnerability-database-format): OSV provides a standardized format for vulnerability data that is purpose-built for open-source ecosystems. Here is how - [Pharmaceutical Software Validation and Supply Chain Security](https://safeguard.sh/resources/blog/pharmaceutical-software-validation-supply-chain): Pharma companies must validate software used in drug manufacturing and clinical trials. Software supply chain security i - [npm Tightens Unpublish Rules: What It Means for Supply Chain Security](https://safeguard.sh/resources/blog/npm-unpublish-policy-changes-2023): npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain im - [Kotlin detekt Security Rules: Catching Vulnerabilities in Kotlin Code](https://safeguard.sh/resources/blog/kotlin-detekt-security-rules): detekt is Kotlin's primary static analysis tool. 
Its security-relevant rules catch patterns that lead to vulnerabilities - [Open Source Vulnerability Rewards: Can Bug Bounties Save Open Source?](https://safeguard.sh/resources/blog/oss-vulnerability-rewards-programs): Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source p - [Distroless Container Images: Stripping the Attack Surface to Nothing](https://safeguard.sh/resources/blog/distroless-container-images-security): Distroless images remove the shell, package manager, and everything else an attacker needs post-exploitation. Here is ho - [Zenbleed: AMD CPU Vulnerability Leaks Data Across Processes (CVE-2023-20593)](https://safeguard.sh/resources/blog/zenbleed-amd-cpu-vulnerability-cve-2023-20593): A speculative execution bug in AMD Zen 2 processors allows attackers to steal sensitive data at 30KB per core per second - [Golang Module Security and Verification](https://safeguard.sh/resources/blog/golang-module-security-verification): Securing your Go module supply chain with checksum databases, GOPROXY, and vendor directories. 
- [Security Challenges in Polyglot Repositories](https://safeguard.sh/resources/blog/polyglot-repository-security-challenges): Repositories containing multiple programming languages multiply the security tooling, configuration, and expertise requi
- [Python Wheel Security Verification: What You Are Missing](https://safeguard.sh/resources/blog/python-wheel-security-verification): Python wheels are the standard packaging format, but their security verification story has significant gaps that most de
- [Automated Security Testing in CI/CD Pipelines](https://safeguard.sh/resources/blog/automated-security-testing-in-ci-cd): A hands-on guide to embedding SAST, SCA, secret scanning, and container analysis into your CI/CD pipeline without making
- [IAST Explained: Why Instrumented Security Testing Catches What Others Miss](https://safeguard.sh/resources/blog/interactive-application-security-testing): IAST combines the precision of SAST with the realism of DAST. Here is how it works, where it fits, and what it actually
- [Reproducible Builds in the Go Ecosystem](https://safeguard.sh/resources/blog/reproducible-builds-go-ecosystem-2023): Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in
- [Aqua Security Platform Review: Cloud Native Security Done Right](https://safeguard.sh/resources/blog/aqua-security-platform-review-2023): An in-depth review of the Aqua Security platform covering container security, runtime protection, Kubernetes scanning, a
- [CI/CD Secret Sprawl: How Pipeline Credentials Become Your Biggest Risk](https://safeguard.sh/resources/blog/ci-cd-secret-sprawl-management): Your CI/CD pipeline has more credentials than your production environment.
Secret sprawl across pipelines creates a mass
- [How to Structure an SBOM Review Process](https://safeguard.sh/resources/blog/how-to-structure-an-sbom-review-process): Build a repeatable SBOM review workflow that catches license risks, stale dependencies, and unexpected components before
- [WebAssembly Security: New Capabilities, New Supply Chain Questions](https://safeguard.sh/resources/blog/wasm-webassembly-security-considerations): WebAssembly is expanding beyond the browser into server-side and edge workloads. The security model and supply chain imp
- [Citrix NetScaler Zero-Day CVE-2023-3519: Mass Exploitation in the Wild](https://safeguard.sh/resources/blog/citrix-netscaler-cve-2023-3519-zero-day): CVE-2023-3519 allowed unauthenticated remote code execution on Citrix NetScaler ADC and Gateway devices, leading to wide
- [Supply Chain Risk Scoring Algorithms: How They Work and Where They Fail](https://safeguard.sh/resources/blog/supply-chain-risk-scoring-algorithms): Risk scoring turns complex supply chain data into actionable numbers. But the algorithms behind these scores have assump
- [Aerospace and Defense Software Supply Chain Security](https://safeguard.sh/resources/blog/aerospace-defense-software-supply-chain): Aerospace and defense organizations face nation-state threats targeting software supply chains. Here's how to build resi
- [Security Debt: Tracking and Remediation Strategies](https://safeguard.sh/resources/blog/security-debt-tracking-remediation): Security debt accumulates silently—unpatched dependencies, skipped reviews, deferred upgrades.
Here's how to measure it
- [Svelte and SvelteKit Security Best Practices for Production Apps](https://safeguard.sh/resources/blog/svelte-sveltekit-security-best-practices): Svelte's compile-time approach reduces runtime attack surface, but SvelteKit introduces server-side considerations that
- [ITAR and EAR Export Controls: What Software Teams Need to Know](https://safeguard.sh/resources/blog/itar-ear-export-control-software): Export control regulations affect software development more than most teams realize. Here's how ITAR and EAR intersect w
- [The Economics of Vulnerability Bounties: Who Wins and Who Loses](https://safeguard.sh/resources/blog/vulnerability-bounty-economics-analysis): Bug bounty programs are a billion-dollar market. But the economics do not work equally well for everyone. A look at who
- [Zimbra Collaboration CVE-2023-37580: XSS Zero-Day Exploited by Four Nation-State Groups](https://safeguard.sh/resources/blog/zimbra-collaboration-cve-2023-37580-xss): A reflected XSS vulnerability in Zimbra Collaboration was exploited by four distinct threat groups targeting government
- [JumpCloud Supply Chain Attack: North Korea's Lazarus Group Strikes Again](https://safeguard.sh/resources/blog/jumpcloud-supply-chain-attack-north-korea): How North Korean threat actors compromised JumpCloud's infrastructure to target cryptocurrency firms through a sophistic
- [Load Balancer Security Considerations for Modern Architectures](https://safeguard.sh/resources/blog/load-balancer-security-considerations): Load balancers terminate TLS, distribute traffic, and make routing decisions. Their security configuration affects every
- [Rate Limiting in Package Registries: Balancing Security and Developer Experience](https://safeguard.sh/resources/blog/rate-limiting-package-registries): Docker Hub's rate limits broke builds worldwide.
Rate limiting is necessary for registry security, but getting it wrong
- [Vulnerability Chaining: Real-World Examples and Defense Strategies](https://safeguard.sh/resources/blog/vulnerability-chaining-real-world-examples): Individual vulnerabilities rarely tell the full story. This deep dive examines how attackers chain low-severity bugs int
- [Stripe's Dependency Security Practices](https://safeguard.sh/resources/blog/stripe-dependency-security-practices): How Stripe secures its software dependencies while processing billions of dollars in payments, with a focus on Ruby ecos
- [Digital Twins and Supply Chain Security: Securing the Virtual Mirror](https://safeguard.sh/resources/blog/digital-twin-security-supply-chain): Digital twins replicate physical systems in software. When the software supply chain of a digital twin is compromised, t
- [Cloud-Native SBOM Generation Strategies That Actually Work](https://safeguard.sh/resources/blog/cloud-native-sbom-generation-strategies): Practical strategies for generating and managing Software Bills of Materials in cloud-native environments, beyond the co
- [Nonprofit Organization Cybersecurity: A Practical Guide](https://safeguard.sh/resources/blog/nonprofit-organization-cybersecurity-guide): Nonprofits handle donor data and sensitive beneficiary information with limited budgets. Here's a realistic guide to man
- [SSH Key Management for Organizations: Beyond the Basics](https://safeguard.sh/resources/blog/ssh-key-management-organizations): SSH keys provide access to your most critical infrastructure. Most organizations manage them poorly. Here is how to do i
- [CircleCI Security Configuration Guide](https://safeguard.sh/resources/blog/circleci-security-configuration-guide): Practical steps to secure your CircleCI pipelines, from context management and OIDC to orb vetting and runner isolation.
- [GitHub Advanced Security: CodeQL, Dependabot, and Secret Scanning in Practice](https://safeguard.sh/resources/blog/github-advanced-security-review): A review of GitHub Advanced Security covering CodeQL SAST, Dependabot SCA, secret scanning, and how the integrated secur
- [Clop Ransomware and the MOVEit Campaign: Mass Exploitation at Scale](https://safeguard.sh/resources/blog/clop-ransomware-moveit-campaign-analysis): Clop's exploitation of MOVEit Transfer compromised over 2,500 organizations in one campaign, demonstrating a shift from
- [Electron ContextBridge Security: Building Safe Desktop Apps](https://safeguard.sh/resources/blog/electron-contextbridge-security): Electron's ContextBridge is the secure boundary between web content and Node.js APIs. This guide covers how to use it co
- [NuGet Package Tampering Detection: Securing the .NET Supply Chain](https://safeguard.sh/resources/blog/nuget-package-tampering-detection): NuGet packages can be tampered with at multiple points in the supply chain. Here is how to detect and prevent package ta
- [Starjacking Attacks on Package Registries: Exploiting Repository Trust](https://safeguard.sh/resources/blog/starjacking-attacks-package-registries): Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packag
- [Domain Squatting and Package Registry Attacks](https://safeguard.sh/resources/blog/domain-squatting-package-registries): Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack
- [Kotlin Gradle Dependency Verification](https://safeguard.sh/resources/blog/kotlin-gradle-dependency-verification): Implement dependency verification in Kotlin Gradle projects with checksums, PGP signatures, and repository filtering.
- [Automated SBOM Drift Detection: When Your Bill of Materials Goes Stale](https://safeguard.sh/resources/blog/automated-sbom-drift-detection): An SBOM that does not match what is actually deployed is worse than no SBOM at all. Here is how to detect and prevent SB
- [Harness CI/CD Security Features](https://safeguard.sh/resources/blog/harness-ci-cd-security-features): Leveraging Harness platform security capabilities including governance policies, secret management, and pipeline securit
- [MOVEit Vulnerability Mass Exploitation: A Field Analysis](https://safeguard.sh/resources/blog/moveit-vulnerability-mass-exploitation-analysis): Inside the Cl0p ransomware gang's zero-day attack on Progress MOVEit Transfer, the CVE-2023-34362 timeline, and the supp
- [Runtime Application Self-Protection (RASP): A Practical Guide](https://safeguard.sh/resources/blog/runtime-application-self-protection-rasp-guide): RASP embeds security directly into the application runtime, detecting and blocking attacks from inside the app. It's pow
- [Microsegmentation for Software Supply Chain Security](https://safeguard.sh/resources/blog/microsegmentation-supply-chain-security): Microsegmentation limits lateral movement after a breach. Applied to software supply chains, it contains the blast radiu
- [Automotive Cybersecurity: UNECE WP.29 and Software Supply Chain Security](https://safeguard.sh/resources/blog/automotive-cybersecurity-unece-wp29): Connected vehicles depend on millions of lines of code.
UNECE WP.29 regulations now require automotive manufacturers to
- [Microsoft Teams Vulnerability: External Tenant Attacks and the Collaboration Security Gap](https://safeguard.sh/resources/blog/microsoft-teams-vulnerability-giftofspeed): Researchers demonstrated that Microsoft Teams' default configuration allowed external attackers to deliver malware direc
- [SpotBugs Security Detectors for Java: A Practical Guide](https://safeguard.sh/resources/blog/spotbugs-security-detectors-java): SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real res
- [CycloneDX v1.5: New Features and What They Mean for Your SBOM Program](https://safeguard.sh/resources/blog/cyclonedx-v1-5-new-features-guide): CycloneDX v1.5 introduced formulation, machine learning BOMs, and expanded evidence. Here is what changed and how to tak
- [Quantum Computing and the Coming Cryptography Crisis in Supply Chains](https://safeguard.sh/resources/blog/quantum-computing-cryptography-supply-chain): Quantum computers threaten the cryptographic foundations of software supply chains. The time to prepare is now, not when
- [Progress MOVEit: Second Critical Vulnerability Discovered Amid Breach Fallout](https://safeguard.sh/resources/blog/progress-moveit-second-vulnerability-discovered): While organizations were still reeling from the first MOVEit zero-day, a second critical vulnerability was found — raisi
- [Flask Application Security: A Deep Dive](https://safeguard.sh/resources/blog/flask-application-security-deep-dive-2023): Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering s
- [Server-Side Request Forgery (SSRF): The Vulnerability That Unlocks Cloud Metadata](https://safeguard.sh/resources/blog/server-side-request-forgery-ssrf-guide): SSRF lets attackers reach internal services through your application.
In cloud environments, that often means access to
- [Barracuda ESG Zero-Day CVE-2023-2868: When Patching Isn't Enough](https://safeguard.sh/resources/blog/barracuda-esg-zero-day-cve-2023-2868): Barracuda told customers to physically replace compromised Email Security Gateway appliances. The vulnerability had been
- [Security Maturity Benchmarking: How to Measure Against Your Peers](https://safeguard.sh/resources/blog/security-maturity-benchmarking-peers): Security maturity models provide structure, but benchmarking against peers provides context. Here is how to build a mean
- [DNS Security and Software Distribution: The Foundation Nobody Secures](https://safeguard.sh/resources/blog/dns-security-software-distribution): Every software download, package install, and API call starts with a DNS query. DNS compromise redirects your supply cha
- [SBOMs for Mobile Applications: iOS and Android](https://safeguard.sh/resources/blog/sbom-for-mobile-applications-ios-android): Mobile apps ship to millions of devices and can't be patched silently. Here's how to build SBOM practices for iOS and An
- [Snyk vs Dependabot: A Head-to-Head Comparison](https://safeguard.sh/resources/blog/snyk-vs-dependabot-head-to-head-2023): Evaluate Snyk and Dependabot on vulnerability detection, ecosystem coverage, CI integration, pricing, and remediation to
- [Container Base Image Selection: A Security-First Decision Framework](https://safeguard.sh/resources/blog/container-base-image-selection-guide): Your base image choice determines your container security baseline.
Most teams pick based on size or familiarity, not se
- [FortiGate CVE-2023-27997: Critical Heap Overflow in SSL VPN](https://safeguard.sh/resources/blog/fortinet-fortigate-cve-2023-27997-heap-overflow): A pre-authentication heap overflow in FortiOS SSL VPN allowed remote code execution on hundreds of thousands of internet
- [JetBrains Plugin Security Verification: Protecting Your IDE](https://safeguard.sh/resources/blog/jetbrains-plugin-security-verification): IDE plugins run with the same privileges as your IDE. A malicious IntelliJ plugin has access to your source code, creden
- [JFrog Xray: Vulnerability Scanning Built Into Your Artifact Pipeline](https://safeguard.sh/resources/blog/jfrog-xray-vulnerability-scanning): A review of JFrog Xray for vulnerability scanning and license compliance, covering its deep integration with Artifactory
- [MOVEit Breach Impact Assessment: The Cl0p Campaign's Fallout](https://safeguard.sh/resources/blog/moveit-breach-impact-assessment-cl0p): The MOVEit breach became one of the largest data theft incidents in history. Here's an assessment of the damage and what
- [SWIFT CSCF: Software Security Requirements for Financial Messaging](https://safeguard.sh/resources/blog/swift-cscf-software-security-requirements): SWIFT's Customer Security Controls Framework sets mandatory security baselines for financial institutions. Here's the so
- [Spotify's Dependency Management at Scale](https://safeguard.sh/resources/blog/spotify-dependency-management-at-scale): Inside Spotify's approach to managing thousands of dependencies across hundreds of microservices, balancing developer au
- [Vendor Lock-In in Security Tooling: The Hidden Cost of Integration](https://safeguard.sh/resources/blog/vendor-lock-in-security-tooling): Deep integration with a security vendor creates efficiency but also dependency.
Here is how to evaluate lock-in risk in
- [Anchore Syft: The Go-To Open Source SBOM Generator](https://safeguard.sh/resources/blog/anchore-syft-sbom-generation-review): A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container sca
- [CISSP, CEH, OSCP: How Security Certifications Address Supply Chain Risks](https://safeguard.sh/resources/blog/cissp-ceh-oscp-supply-chain-certifications): Major security certifications are updating their content to cover supply chain threats. Here is what CISSP, CEH, and OSC
- [Authentication Bypass: Common Patterns Attackers Exploit](https://safeguard.sh/resources/blog/authentication-bypass-common-patterns): Authentication bypass vulnerabilities let attackers access protected resources without valid credentials. This guide cov
- [EU Cyber Resilience Act: Impact on Software Developers and Open Source](https://safeguard.sh/resources/blog/eu-cyber-resilience-act-impact-on-developers): The EU's Cyber Resilience Act will impose mandatory cybersecurity requirements on all software sold in Europe. Here's wh
- [WireGuard for Development Infrastructure: Fast, Simple, and Secure Tunneling](https://safeguard.sh/resources/blog/wireguard-development-infrastructure): WireGuard's simplicity and performance make it well-suited for securing development infrastructure. Here is how to deplo
- [ChatGPT Plugins and the New Plugin Supply Chain Attack Surface](https://safeguard.sh/resources/blog/chatgpt-plugins-supply-chain-risks): AI plugins connect LLMs to external services, creating a supply chain of trust that most users never examine. The risks
- [npm Install Script Security: The Code That Runs Before Your Code](https://safeguard.sh/resources/blog/npm-install-script-security): npm install scripts execute arbitrary code during package installation.
They are the most exploited vector in JavaScript
- [MOVEit Transfer CVE-2023-34362: The Zero-Day That Hit Thousands](https://safeguard.sh/resources/blog/moveit-transfer-cve-2023-34362-analysis): The MOVEit Transfer SQL injection zero-day exploited by Cl0p ransomware gang became 2023's most impactful vulnerability.
- [Securing Your Private Package Registry](https://safeguard.sh/resources/blog/private-package-registry-security): Private package registries are high-value targets for supply chain attackers. Here is how to lock them down, from access
- [The Security Implications of Package Bundlers](https://safeguard.sh/resources/blog/security-implications-package-bundlers): Bundlers transform your code and dependencies into production artifacts. The security implications of this transformatio
- [Legal Tech Software Security and Compliance Considerations](https://safeguard.sh/resources/blog/legal-tech-software-security-compliance): Law firms and legal tech companies handle privileged data through increasingly complex software. Here's how to manage th
- [TLS Library Comparison: OpenSSL vs BoringSSL vs LibreSSL vs rustls](https://safeguard.sh/resources/blog/tls-library-comparison-openssl-boringssl): Your TLS library choice has massive security implications. Here is an honest comparison of the major options and what ea
- [HIPAA and Software Supply Chain Compliance for Health Tech](https://safeguard.sh/resources/blog/hipaa-software-supply-chain-compliance): HIPAA's Security Rule requires safeguards that extend to software dependencies.
Here's what health tech developers and v
- [Developer-Focused Security Awareness for Supply Chain](https://safeguard.sh/resources/blog/security-awareness-training-developer-focused-supply-chain): A supply-chain-specific developer awareness curriculum that replaces generic phishing drills with content engineers actu
- [SBOM Validation and Quality Checks: Ensuring Your SBOMs Are Actually Useful](https://safeguard.sh/resources/blog/sbom-validation-quality-checks): A syntactically valid SBOM can still be useless. Here's how to validate structure, completeness, and accuracy to produce
- [GCP Binary Authorization: Enforcing Container Trust at Deploy Time](https://safeguard.sh/resources/blog/gcp-binary-authorization-guide): A practical walkthrough of Binary Authorization on GKE, from attestor setup to break-glass procedures and CI/CD integrat
- [Open Source Malware Detection Techniques for Package Registries](https://safeguard.sh/resources/blog/open-source-malware-detection-techniques): Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to
- [Swift Security Analysis Tools: The Current Landscape](https://safeguard.sh/resources/blog/swift-security-analysis-tools): Swift's type safety helps, but it does not eliminate all security bugs. Here is the current tooling landscape for findin
- [Inside the Apache Foundation's Security Practices](https://safeguard.sh/resources/blog/apache-foundation-security-practices): The Apache Software Foundation oversees 350+ projects including some of the most widely deployed software on earth. Thei
- [Serverless Security: Supply Chain Risks in Lambda, Cloud Functions, and Azure Functions](https://safeguard.sh/resources/blog/serverless-security-supply-chain-risks): Serverless architectures shift the attack surface from infrastructure to application dependencies.
This guide covers the
- [NIST SSDF v1.1: Practical Adoption Notes](https://safeguard.sh/resources/blog/nist-ssdf-v1-1-practical-adoption): NIST SP 800-218 became the de facto baseline for federal software attestation in 2023. Here is how to adopt SSDF v1.1 wi
- [Django Security and Supply Chain Guide](https://safeguard.sh/resources/blog/django-security-supply-chain-guide): Securing Django applications with built-in security features, dependency management, and supply chain protections.
- [Double Extortion Ransomware: How Data Theft Changed the Game](https://safeguard.sh/resources/blog/double-extortion-ransomware-evolution): Double extortion transformed ransomware from a reversible nuisance into an irreversible data breach. The evolution from
- [Google Assured Open Source Software: Curated Security for Enterprise Dependencies](https://safeguard.sh/resources/blog/google-assured-open-source-software-service): Google's Assured OSS service provides enterprise-grade security guarantees for open source packages. It's a compelling m
- [Low-Code/No-Code Platforms: The Shadow Supply Chain in Your Organization](https://safeguard.sh/resources/blog/low-code-no-code-platform-security-risks): Citizen developers are building applications on low-code platforms faster than security teams can assess them. The suppl
- [Malware Analysis Techniques for Suspicious npm Packages](https://safeguard.sh/resources/blog/malware-analysis-npm-packages-techniques): When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis tec
- [Artifactory Security Best Practices for Enterprise Teams](https://safeguard.sh/resources/blog/artifactory-security-best-practices): JFrog Artifactory is a universal artifact manager.
Getting its security right requires understanding its permission mode
- [Subresource Integrity Failures: When CDN Trust Goes Wrong](https://safeguard.sh/resources/blog/subresource-integrity-failures-guide): SRI protects against CDN compromises and supply chain attacks on client-side scripts. Most web applications do not use i
- [Container Vulnerability Scanning: Comparing the Top Tools in 2023](https://safeguard.sh/resources/blog/container-vulnerability-scanning-comparison): Not all container scanners are equal. We compared Trivy, Grype, Snyk Container, and others on accuracy, speed, and cover
- [SBOM Requirements for Financial Services: What You Need to Know](https://safeguard.sh/resources/blog/sbom-requirements-financial-services): Financial regulators are tightening software transparency requirements. Here's what banks, fintechs, and financial insti
- [Elixir and Hex Package Security: Protecting the BEAM Ecosystem](https://safeguard.sh/resources/blog/elixir-hex-package-security): Elixir's Hex package manager serves a smaller but growing ecosystem. Smaller does not mean safer — here is what Elixir t
- [Snyk vs Sonatype: A Head-to-Head SCA Comparison](https://safeguard.sh/resources/blog/snyk-vs-sonatype-comparison-2023): We break down the real differences between Snyk and Sonatype for software composition analysis, covering vulnerability d
- [Environment Variable Injection in CI/CD Pipelines](https://safeguard.sh/resources/blog/environment-variable-injection-ci-cd): Environment variables in CI/CD systems carry secrets, configuration, and control flow. When attackers can inject or modi
- [SBOMs for SaaS Products: What Customers Are Starting to Demand](https://safeguard.sh/resources/blog/sbom-for-saas-products): SBOMs were originally for on-premises software. Now SaaS customers are asking for them too.
Here is what that means and
- [How Google Secures Its Software Supply Chain](https://safeguard.sh/resources/blog/how-google-secures-software-supply-chain): An inside look at Google's multi-layered approach to supply chain security, from Binary Authorization to SLSA, and what
- [MSI Breach: Intel Boot Guard Keys Leaked After Ransomware Attack](https://safeguard.sh/resources/blog/msi-breach-intel-boot-guard-keys-leaked): The Money Message ransomware gang breached MSI and leaked Intel Boot Guard private keys, undermining firmware security f
- [Business Logic Vulnerabilities: The Flaws Scanners Cannot Find](https://safeguard.sh/resources/blog/business-logic-vulnerabilities-guide): Business logic vulnerabilities bypass every automated scanner because they are not coding errors. They are design errors
- [SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity](https://safeguard.sh/resources/blog/supply-chain-levels-for-software-artifacts-slsa-v1): SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.
- [The Security Implications of Semantic Versioning](https://safeguard.sh/resources/blog/semantic-versioning-security-implications): Semver promises predictability in dependency management. In practice, it creates a trust model with serious security imp
- [CISA KEV Catalog: One Year Analysis of Known Exploited Vulnerabilities](https://safeguard.sh/resources/blog/cisa-kev-catalog-one-year-analysis): After one year, the CISA KEV catalog has reshaped how organizations prioritize patching.
Here's what the data tells us a
- [Post-Breach Supply Chain Hardening: Lessons from Real Incidents](https://safeguard.sh/resources/blog/post-breach-supply-chain-hardening): After a supply chain breach, the remediation window is your best opportunity to implement controls that should have exis
- [CISA Secure by Design Principles: What They Mean for Software Teams](https://safeguard.sh/resources/blog/cisa-secure-by-design-principles): CISA's Secure by Design initiative shifts security responsibility from users to manufacturers. Here's what it means for
- [PaperCut CVE-2023-27350: When Print Management Software Becomes a Ransomware Gateway](https://safeguard.sh/resources/blog/papercut-cve-2023-27350-rce-exploitation): CVE-2023-27350 in PaperCut NG/MF allowed unauthenticated RCE through the print management server. Cl0p and LockBit ranso
- [How to Pin GitHub Actions to SHAs Correctly](https://safeguard.sh/resources/blog/how-to-pin-github-actions-to-shas-correctly): A hands-on guide to pinning every third-party GitHub Action to a full commit SHA, automating updates with Dependabot, an
- [GitLab CI/CD Security Configuration](https://safeguard.sh/resources/blog/gitlab-cicd-security-configuration): Hardening GitLab CI/CD pipelines with protected variables, secure runners, and built-in security scanning.
- [Open Source Intelligence (OSINT) for Supply Chain Security](https://safeguard.sh/resources/blog/open-source-intelligence-osint-supply-chain): How OSINT techniques can uncover supply chain threats hiding in plain sight—from compromised packages to suspicious main
- [Maven Plugin Verification: Trusting Your Build-Time Dependencies](https://safeguard.sh/resources/blog/maven-plugin-verification): Maven plugins execute during your build with full system access.
Verifying them is harder than verifying runtime depende
- [npm Manifest Confusion: The Hidden Vulnerability in Every Node.js Project](https://safeguard.sh/resources/blog/npm-manifest-confusion-vulnerability): A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents,
- [Choosing Between SCA Tools in 2023](https://safeguard.sh/resources/blog/choosing-between-sca-tools-2023): A no-nonsense comparison of software composition analysis tools to help you pick the right one for your team's needs, bu
- [Black Duck SCA: The Enterprise Stalwart of Open Source Security](https://safeguard.sh/resources/blog/black-duck-software-composition-analysis): A review of Synopsys Black Duck for software composition analysis, covering its strengths in license compliance, vulnera
- [A Taxonomy of Open Source Supply Chain Attacks](https://safeguard.sh/resources/blog/open-source-supply-chain-attack-taxonomy): Supply chain attacks on open source come in distinct flavors. Understanding the taxonomy helps defenders prioritize cont
- [Software Escrow and Supply Chain Continuity Planning](https://safeguard.sh/resources/blog/software-escrow-supply-chain-continuity): What happens when a critical vendor disappears? Software escrow arrangements protect your business continuity, but most
- [Calico Network Policy Best Practices for Production Kubernetes](https://safeguard.sh/resources/blog/calico-network-policy-best-practices): Calico is the most widely deployed Kubernetes network plugin. Its policy model is powerful but has gotchas that trip up
- [The Shared Responsibility Model for Software Supply Chain Security](https://safeguard.sh/resources/blog/shared-responsibility-model-supply-chain): Cloud providers defined the shared responsibility model for infrastructure.
Software supply chains need the same clarity
- [Software Heritage and the Case for Source Code Preservation](https://safeguard.sh/resources/blog/software-heritage-archive-preservation): Software Heritage archives the world's source code. Here is why that matters for supply chain security, reproducibility,
- [Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism](https://safeguard.sh/resources/blog/post-install-hooks-package-managers): Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in sup
- [Software Attestation in Practice: From Theory to Implementation](https://safeguard.sh/resources/blog/software-attestation-in-practice): Software attestation is moving from academic concept to practical requirement. Here's how to implement it in your build
- [Measuring Security Program Effectiveness](https://safeguard.sh/resources/blog/measuring-security-program-effectiveness): Beyond vulnerability counts: practical metrics and measurement frameworks that actually tell you whether your security p
- [3CX Desktop App: Anatomy of a Cascading Breach](https://safeguard.sh/resources/blog/3cx-desktop-app-cascading-breach): How a Trading Technologies installer from 2022 poisoned the 3CX build pipeline in 2023, producing the first publicly con
- [Chaos Engineering for Supply Chain Resilience: Breaking Your Build to Make It Stronger](https://safeguard.sh/resources/blog/chaos-engineering-supply-chain-resilience): Chaos engineering principles applied to the software supply chain reveal hidden dependencies, single points of failure,
- [Modern Command Injection Prevention: Beyond the Basics](https://safeguard.sh/resources/blog/command-injection-prevention-modern): Command injection remains in the OWASP Top 10 because developers keep making the same mistakes with new tools.
Here is a
- [Running Containers in Rootless Mode: A Practical Security Guide](https://safeguard.sh/resources/blog/container-rootless-mode-security-guide): Root in the container often means root on the host. Rootless mode breaks that assumption. Here is how to run Docker and
- [Startup Security at Growth Stage: Building Enterprise-Grade Programs](https://safeguard.sh/resources/blog/startup-security-growth-stage-enterprise): Post-Series B, your startup is becoming an enterprise. Security programs that worked for 30 engineers will not work for
- [3CX Attack Lessons: What Every Software Vendor Must Do Differently](https://safeguard.sh/resources/blog/3cx-attack-lessons-for-software-vendors): The 3CX supply chain attack exposed critical gaps in how software vendors protect their build pipelines. Here are the co
- [3CX Supply Chain Attack: A Deep Dive into the North Korean Compromise](https://safeguard.sh/resources/blog/3cx-supply-chain-attack-analysis): The 3CX supply chain attack was a multi-stage operation linked to North Korea's Lazarus Group. Here's the full technical
- [The March 2023 PyPI Malware Wave](https://safeguard.sh/resources/blog/pypi-malware-wave-march-2023): PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the i
- [FISMA and Federal Software Security: Supply Chain Requirements Explained](https://safeguard.sh/resources/blog/fisma-federal-software-security-requirements): FISMA's authorization framework creates strict requirements for software in federal systems.
Here's how supply chain sec - [Azure Container Registry Security: Locking Down Your Image Pipeline](https://safeguard.sh/resources/blog/azure-container-registry-security): How to secure Azure Container Registry with network isolation, content trust, and Microsoft Defender for Containers inte - [OpenAI ChatGPT Data Breach March 2023: What Was Exposed](https://safeguard.sh/resources/blog/openai-chatgpt-data-breach-march-2023): A bug in ChatGPT exposed user chat histories and payment information. Here's what happened and what it means for AI serv - [Threat Modeling the Software Supply Chain](https://safeguard.sh/resources/blog/threat-modeling-software-supply-chain): Traditional threat modeling focuses on your code. Supply chain threat modeling extends to every tool, dependency, and pr - [GitLab CI Security Scanning Setup](https://safeguard.sh/resources/blog/gitlab-ci-security-scanning-setup): Step-by-step guide to enabling SAST, DAST, dependency scanning, and container scanning in GitLab CI pipelines. - [Quantifying Security Debt: Methods That Actually Work](https://safeguard.sh/resources/blog/security-debt-quantification-methods): Everyone talks about security debt. Almost nobody measures it. Here are practical methods for putting numbers on the sec - [AI-Generated Code Security Risks: Copilot, ChatGPT, and the New Attack Surface](https://safeguard.sh/resources/blog/ai-generated-code-security-risks): AI code assistants are writing a growing share of production code. The security implications are significant and largely - [Cross-Language Dependency Analysis: Bridging npm, pip, Maven, and Beyond](https://safeguard.sh/resources/blog/cross-language-dependency-analysis): Modern applications use multiple languages and package ecosystems. 
Analyzing dependencies across these boundaries requir - [Go Module Checksum Database: How It Secures Your Dependencies](https://safeguard.sh/resources/blog/go-module-checksum-database-security): Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here - [Cross-Functional Security Collaboration](https://safeguard.sh/resources/blog/cross-functional-security-collaboration): Security isn't just the security team's problem. Building effective collaboration between security, engineering, product - [Dynamic Application Security Testing: A Practitioner's Guide to DAST Done Right](https://safeguard.sh/resources/blog/dynamic-application-security-testing-guide): DAST finds what source code analysis cannot. Here is how to set it up, tune it, and actually get value from it in a mode - [Ruby Brakeman Security Scanner: Rails-Aware Vulnerability Detection](https://safeguard.sh/resources/blog/ruby-brakeman-security-scanner): Brakeman understands Rails conventions and catches security issues that generic scanners miss. Here is how to use it eff - [Understanding EPSS: Exploit Prediction Scoring System Explained](https://safeguard.sh/resources/blog/understanding-epss-exploit-prediction-scoring): EPSS offers a data-driven approach to vulnerability prioritization. Learn how it works, how it compares to CVSS, and why - [Web3 Smart Contract Dependencies: A Supply Chain Security Blind Spot](https://safeguard.sh/resources/blog/web3-smart-contract-supply-chain-security): Smart contracts import code from unaudited libraries, creating supply chain risks that have already led to billions in l - [Chrome Extension Manifest V3: What It Means for Browser Supply Chain Security](https://safeguard.sh/resources/blog/chrome-extension-manifest-v3-security): Chrome's Manifest V3 restricts extension capabilities in the name of security. 
The changes help, but they do not solve t - [Go Modules Checksum Database: Five Years In](https://safeguard.sh/resources/blog/go-modules-checksum-database-five-years-in): sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got rig - [DDoS Protection for Software Distribution Infrastructure](https://safeguard.sh/resources/blog/ddos-protection-software-distribution): Package registries, artifact repositories, and update servers are high-value DDoS targets. Taking them down disrupts ent - [Service Mesh mTLS Configuration: Getting Mutual TLS Right](https://safeguard.sh/resources/blog/service-mesh-mtls-configuration): Service meshes promise automatic mTLS. The reality involves permissive modes, certificate management complexity, and gap - [BuildKit and Buildah: Building Containers Without Giving Away the Keys](https://safeguard.sh/resources/blog/buildkit-buildah-secure-container-builds): Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer securi - [Security Code Review Best Practices](https://safeguard.sh/resources/blog/security-code-review-best-practices): How to make code reviews an effective security checkpoint without turning every PR into a week-long security audit. - [GitHub Private RSA Key Exposed in Public Repository](https://safeguard.sh/resources/blog/github-private-rsa-key-exposed-in-repository): GitHub's accidental exposure of its private RSA SSH host key in a public repository forced an emergency rotation affecti - [Code Signing Certificates and Software Supply Chain Integrity](https://safeguard.sh/resources/blog/code-signing-certificates-supply-chain): Code signing is a critical trust anchor in the software supply chain. 
This guide covers how it works, how it fails, and - [Fortinet FortiProxy CVE-2023-25610: Buffer Underwrite in Network Security Infrastructure](https://safeguard.sh/resources/blog/fortinet-fortiproxy-cve-2023-25610): CVE-2023-25610 allowed unauthenticated RCE on FortiOS and FortiProxy through a buffer underwrite vulnerability. Another - [Git Credential Security for Organizations: Locking Down Source Access](https://safeguard.sh/resources/blog/git-credential-security-organizations): Git credentials are the keys to your source code. Here is how organizations should manage them to prevent unauthorized a - [Java Maven and Gradle Dependency Security](https://safeguard.sh/resources/blog/java-maven-gradle-dependency-security): How to secure your Java dependency chain across Maven and Gradle builds, from signature verification to repository manag - [Email Security and Supply Chain Phishing Attacks](https://safeguard.sh/resources/blog/email-security-supply-chain-phishing): Phishing remains the top initial access vector for supply chain attacks. Targeted emails against developers, maintainers - [Kubernetes RBAC Security Best Practices for Supply Chain Protection](https://safeguard.sh/resources/blog/kubernetes-rbac-security-best-practices): Misconfigured Kubernetes RBAC is a common path to supply chain compromise. 
Here's how to lock down permissions in your c - [Maven Dependency Resolution Attacks: Exploiting Java's Build System](https://safeguard.sh/resources/blog/maven-dependency-resolution-attacks): Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM man - [PWA Service Worker Attack Surface: What Security Teams Overlook](https://safeguard.sh/resources/blog/pwa-service-worker-attack-surface): Service workers give Progressive Web Apps powerful offline and caching capabilities, but they also create a persistent a - [Automating Typosquatting Detection for Package Registries](https://safeguard.sh/resources/blog/typosquatting-detection-automation): Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorith - [Australia's Critical Infrastructure Security Act and Software Supply Chain Risk](https://safeguard.sh/resources/blog/australia-critical-infrastructure-security): Australia's SOCI Act imposes strict cybersecurity obligations on critical infrastructure. Here's what software suppliers - [Setting Up Continuous Dependency Monitoring From Scratch](https://safeguard.sh/resources/blog/continuous-dependency-monitoring-setup): Point-in-time dependency scans miss vulnerabilities disclosed between scans. 
Here is how to set up continuous monitoring - [GitLab Ultimate Security Features: Built-In Security Done Pragmatically](https://safeguard.sh/resources/blog/gitlab-ultimate-security-features-review): A review of GitLab Ultimate's security scanning features covering SAST, DAST, dependency scanning, container scanning, a - [Swift CocoaPods and SPM Security](https://safeguard.sh/resources/blog/swift-cocoapods-spm-security): Securing iOS and macOS dependencies with Swift Package Manager and CocoaPods, including checksum verification and source - [Spinnaker Deployment Security](https://safeguard.sh/resources/blog/spinnaker-deployment-security): Securing Spinnaker's multi-cloud deployment pipelines with authentication, authorization, pipeline constraints, and arti - [Securing GCP Artifact Registry: A Complete Guide](https://safeguard.sh/resources/blog/gcp-artifact-registry-security-guide): How to configure GCP Artifact Registry for security-first container and package management, from IAM policies to vulnera - [SBOM Requirements for Medical Devices: FDA's New Mandate](https://safeguard.sh/resources/blog/sbom-requirements-for-medical-devices-fda): The FDA now requires software bill of materials for medical device submissions. Here's what manufacturers need to know a - [gosec: Static Analysis for Go Security](https://safeguard.sh/resources/blog/gosec-static-analysis-go-security): gosec is the standard security linter for Go. Here is what it catches, what it misses, and how to integrate it effective - [Jira Service Management CVE-2023-22501: Broken Authentication Exposes Enterprise Workflows](https://safeguard.sh/resources/blog/jira-service-management-cve-2023-22501): A critical authentication vulnerability in Jira Service Management allowed attackers to impersonate users and gain acces - [SBOM Sharing and Distribution Best Practices](https://safeguard.sh/resources/blog/sbom-sharing-and-distribution-best-practices): Generating SBOMs is only half the battle. 
Sharing them securely and effectively with stakeholders requires careful plann - [Defense in Depth for the Software Supply Chain](https://safeguard.sh/resources/blog/defense-in-depth-software-supply-chain): No single control stops supply chain attacks. Defense in depth — layered controls across the entire software lifecycle — - [Alpine APK Security Model: Small Footprint, Big Trust Decisions](https://safeguard.sh/resources/blog/alpine-apk-security-model): Alpine Linux is the default choice for minimal containers. Its APK package manager has a different security model than a - [Android APK Supply Chain Verification: Beyond Play Protect](https://safeguard.sh/resources/blog/android-apk-supply-chain-verification): Google Play Protect scans for malware, but it does not verify supply chain integrity. Here is how to verify that the APK - [CDN Poisoning Attacks: How Cached Content Becomes a Weapon](https://safeguard.sh/resources/blog/cdn-poisoning-attacks-prevention): CDN cache poisoning turns your performance infrastructure into an attack vector. When the cache serves malicious content - [Cross-Site Scripting (XSS) Prevention: Context-Aware Encoding and Modern Defenses](https://safeguard.sh/resources/blog/cross-site-scripting-xss-prevention): XSS remains a top web vulnerability because output encoding is context-dependent. Here is how to get it right across HTM - [SBOMs for Serverless Applications: What Changes and What Doesn't](https://safeguard.sh/resources/blog/sbom-for-serverless-applications): Serverless doesn't mean dependency-free. 
Here's how to generate and manage SBOMs for Lambda functions, Azure Functions, - [PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security](https://safeguard.sh/resources/blog/pypi-mandatory-2fa-for-critical-packages): PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward se - [Cybersecurity Budget Planning: A Practical Guide for Security Leaders](https://safeguard.sh/resources/blog/cybersecurity-budget-planning-guide): Budget season is every security leader's least favorite time. Here is how to build a cybersecurity budget that gets appr - [GoAnywhere MFT Zero-Day (CVE-2023-0669): Clop Ransomware's File Transfer Rampage](https://safeguard.sh/resources/blog/goanywhere-mft-cve-2023-0669-clop): The Clop ransomware gang exploited a pre-auth RCE in GoAnywhere MFT to breach over 130 organizations. The campaign fores - [Session Management Security: A Complete Guide](https://safeguard.sh/resources/blog/session-management-security-guide): Session management vulnerabilities enable account takeover, privilege escalation, and data theft. This guide covers sess - [VPN Security for Remote Development Teams: Beyond the Basics](https://safeguard.sh/resources/blog/vpn-security-remote-development-teams): Remote development teams depend on VPNs, but misconfigured VPNs create supply chain risks. Split tunneling, credential m - [ESLint Supply Chain Attack: Malicious npm Packages Targeting Developers](https://safeguard.sh/resources/blog/eslint-supply-chain-attack-npm-packages): Attackers published malicious packages impersonating ESLint on npm, exploiting developer trust in the popular linting to - [Fork Maintenance and Your Security Responsibilities](https://safeguard.sh/resources/blog/fork-maintenance-security-responsibilities): Forking an open source project means inheriting its security obligations. Here is what organizations need to know before - [Dependency Pinning vs. 
Ranges: The Tradeoffs](https://safeguard.sh/resources/blog/dependency-pinning-vs-ranges-tradeoffs): Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it - [GitHub RSA SSH Key Rotation Incident: Why It Mattered](https://safeguard.sh/resources/blog/github-rsa-ssh-key-rotation-incident): GitHub rotated its RSA SSH host key after accidental exposure. A small mistake with major supply chain implications for - [Dependabot vs Renovate: Which Dependency Update Bot Should You Use?](https://safeguard.sh/resources/blog/dependabot-renovate-comparison-guide): A practical guide comparing Dependabot and Renovate for automated dependency updates, covering configuration flexibility - [Cryptographic Library Selection Guide: Choosing Wisely for Your Stack](https://safeguard.sh/resources/blog/cryptographic-library-selection-guide): Picking the wrong crypto library means either rolling your own crypto or using a library with a poor security track reco - [Royal Ransomware: Why Healthcare Became the Primary Target](https://safeguard.sh/resources/blog/royal-ransomware-healthcare-targeting): Royal ransomware emerged from the ashes of Conti to become one of the most aggressive operations targeting healthcare or - [Securing AI/ML Pipelines: The Supply Chain You're Not Watching](https://safeguard.sh/resources/blog/securing-ai-ml-pipelines-supply-chain): AI/ML pipelines introduce unique supply chain risks from training data to model distribution. Most organizations have ze - [T-Mobile API Breach: 37 Million Records Stolen Through an Unsecured API](https://safeguard.sh/resources/blog/t-mobile-breach-2022-api-exploitation): In January 2023, T-Mobile disclosed that an attacker exploited an API to steal personal data of 37 million customers. It - [SBOM Format Conversion: Tools and Techniques](https://safeguard.sh/resources/blog/sbom-format-conversion-tools): Your supplier sends SPDX, your platform expects CycloneDX. 
Here's how to convert between SBOM formats without losing cri - [Azure Defender for Containers: Getting Real Security Value](https://safeguard.sh/resources/blog/azure-defender-for-containers-guide): How to configure and operationalize Microsoft Defender for Containers for ACR scanning, AKS runtime protection, and CI/C - [ChatGPT and AI Security Implications for Software Supply Chains](https://safeguard.sh/resources/blog/chatgpt-ai-security-implications-supply-chain): The explosion of AI tools like ChatGPT is reshaping how developers write code — and introducing new supply chain risks t - [CCPA/CPRA and Software Security: What Developers Must Know](https://safeguard.sh/resources/blog/ccpa-cpra-software-security-requirements): California's privacy laws impose security obligations on software that handles consumer data. Here's how CCPA and CPRA i - [Blue-Green Deployment Security](https://safeguard.sh/resources/blog/blue-green-deployment-security): Security considerations for blue-green deployment strategies including environment parity, rollback integrity, and data - [Sensitive Data Exposure Prevention: Protecting Data at Rest, in Transit, and in Use](https://safeguard.sh/resources/blog/sensitive-data-exposure-prevention): Data exposure is not just about encryption. It is about knowing where your sensitive data lives, how it moves, and who c - [CSP Bypass Techniques and Prevention: Beyond the Basics](https://safeguard.sh/resources/blog/csp-bypass-techniques-prevention): Content Security Policy is the strongest browser-side defense against XSS. But most CSP deployments are bypassable. Here - [Nexus Repository Security Hardening: Beyond the Defaults](https://safeguard.sh/resources/blog/nexus-repository-security-hardening): Sonatype Nexus is everywhere. Its default configuration is permissive. Here is how to lock it down for enterprise use. 
- [Container Image Hardening Checklist](https://safeguard.sh/resources/blog/container-image-hardening-checklist): A comprehensive checklist for hardening your container images, from base image selection to runtime protections, with pr - [OpenSSL Project Governance: Security Lessons from Heartbleed and Beyond](https://safeguard.sh/resources/blog/openssl-project-governance-security): OpenSSL's transformation from a two-person project securing half the internet to a properly governed foundation offers a - [CircleCI Credential Rotation: The Mass-Reset Event](https://safeguard.sh/resources/blog/circleci-credential-rotation-mass-event-2023): CircleCI told every customer to rotate every secret on January 4, 2023. Here is what actually happened and why the scope - [PHPStan Security Analysis: Static Typing as a Security Tool for PHP](https://safeguard.sh/resources/blog/phpstan-security-analysis): PHPStan brings static analysis to PHP. Its type checking catches entire classes of bugs that lead to security vulnerabil - [Symlink Attacks in Package Managers: Following Links to Trouble](https://safeguard.sh/resources/blog/symlink-attacks-package-managers): Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick stil - [Vendor Concentration Risk in Software: When One Vendor Failure Breaks Everything](https://safeguard.sh/resources/blog/vendor-concentration-risk-software): Depending on too few vendors creates systemic risk. The CrowdStrike outage proved it. Here is how to assess and manage v - [Vue.js Security Best Practices](https://safeguard.sh/resources/blog/vue-js-security-best-practices): Securing Vue.js applications from template injection, XSS through v-html, and third-party plugin risks. 
- [CircleCI Security Incident January 2023: What Happened and What We Learned](https://safeguard.sh/resources/blog/circleci-security-incident-january-2023): CircleCI's January 2023 breach exposed secrets for thousands of organizations. Here's how the attack unfolded and what i - [Race Condition Vulnerabilities in Web Applications](https://safeguard.sh/resources/blog/race-condition-vulnerabilities-web-apps): Race conditions in web applications lead to double-spending, privilege escalation, and data corruption. This guide cover - [Slack GitHub Repository Theft: Stolen Tokens and the Risks of Third-Party Integrations](https://safeguard.sh/resources/blog/slack-github-repository-theft-2022): In December 2022, Slack disclosed that stolen employee tokens were used to access private GitHub repositories. The breac - [Release Management Security Checklist](https://safeguard.sh/resources/blog/release-management-security-checklist): A pre-release security checklist that covers dependency verification, vulnerability scanning, SBOM generation, and artif - [Responsible Disclosure in Open Source: The Messy Reality](https://safeguard.sh/resources/blog/responsible-disclosure-open-source): Responsible disclosure sounds simple in theory. In practice, coordinating vulnerability disclosure across open source pr - [Software Supply Chain Security in 2022: The Year Everything Changed](https://safeguard.sh/resources/blog/software-supply-chain-security-2022-year-review): From LastPass to Log4j's aftermath to new regulations, 2022 was the year supply chain security went from niche concern t - [GLBA and Financial Software Security: Safeguards Rule Deep Dive](https://safeguard.sh/resources/blog/glba-financial-software-security): The GLBA Safeguards Rule now requires specific cybersecurity controls for financial institutions. 
Here's how it affects - [Software Vendor Risk Scoring Methodology](https://safeguard.sh/resources/blog/software-vendor-risk-scoring-methodology): A practical framework for scoring and ranking software vendor risk based on supply chain security posture, vulnerability - [Open Source Funding, Sustainability, and Security](https://safeguard.sh/resources/blog/open-source-funding-sustainability-security): The software industry runs on open source maintained by unpaid volunteers. Until we fix the funding problem, we can't fi - [Security Budget Justification Guide](https://safeguard.sh/resources/blog/security-budget-justification-guide): How to build a compelling business case for security investment, with frameworks for quantifying risk, communicating wit - [Lessons from SolarWinds: Two Years Later](https://safeguard.sh/resources/blog/lessons-from-solarwinds-two-years-later): Two years after the SolarWinds breach reshaped cybersecurity, we examine what the industry actually learned and what org - [Cilium Network Security in Kubernetes: Beyond Basic Network Policies](https://safeguard.sh/resources/blog/cilium-network-security-kubernetes): Cilium uses eBPF to provide network security that standard Kubernetes NetworkPolicies cannot match. Here is what it adds - [GitHub Repository Security Settings Guide](https://safeguard.sh/resources/blog/github-repository-security-settings-guide): Configure GitHub repository security settings for branch protection, secret scanning, dependency alerts, and code scanni - [Log4j One Year Later: What We Learned and What We Didn't Fix](https://safeguard.sh/resources/blog/log4j-one-year-later-lessons-learned): A year after Log4Shell shook the internet, many organizations still had vulnerable instances. 
Here's what the anniversar - [Single Points of Failure in Software Supply Chains](https://safeguard.sh/resources/blog/single-points-of-failure-supply-chains): Your software supply chain has single points of failure that would take down your entire operation. Most organizations h - [FortiGate SSL-VPN Zero-Day (CVE-2022-42475): How a Heap Overflow Gave Attackers the Keys](https://safeguard.sh/resources/blog/fortinet-fortigate-ssl-vpn-cve-2022-42475): A heap-based buffer overflow in Fortinet's SSL-VPN was actively exploited before disclosure. State-sponsored actors used - [The End-of-Year Dependency Audit Ritual](https://safeguard.sh/resources/blog/end-of-year-dependency-audit-ritual-2022): Most dependency audits get done in a panic after a CVE lands. A planned year-end audit is cheaper, more thorough, and pr - [Startup Security at Series A: Scaling Without Breaking](https://safeguard.sh/resources/blog/startup-security-series-a-scaling): You have raised Series A, hired 20 engineers, and landed your first enterprise customers. Your seed-stage security short - [Cargo Build Script Security: What build.rs Can Do to Your Machine](https://safeguard.sh/resources/blog/cargo-build-script-security): Rust build scripts run arbitrary code during compilation. Here is what they can access and how to evaluate the risk in y - [FOSSA Review: Open Source License Compliance at Enterprise Scale](https://safeguard.sh/resources/blog/fossa-open-source-compliance-review): A review of FOSSA for open source license compliance and vulnerability management, covering license detection, policy au - [Kubernetes Pod Security Standards: From PodSecurityPolicy to the New Admission Controller](https://safeguard.sh/resources/blog/kubernetes-pod-security-standards): PodSecurityPolicy is dead. Pod Security Standards replaced it. 
Here is what changed, what the three levels mean, and how - [GitHub Code Signing Bypass: When the Trust Anchor Fails](https://safeguard.sh/resources/blog/github-code-signing-bypass-vulnerability): A vulnerability in GitHub's commit signature verification allowed attackers to forge signed commits. The flaw undermined - [LDAP Injection Prevention Guide](https://safeguard.sh/resources/blog/ldap-injection-prevention-guide): LDAP injection attacks manipulate directory service queries to bypass authentication, extract sensitive data, and enumer - [Property-Based Testing for Security: Defining Invariants That Must Never Break](https://safeguard.sh/resources/blog/property-based-testing-security): Property-based testing defines invariants about program behavior and generates thousands of test cases automatically. Fo - [PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders](https://safeguard.sh/resources/blog/pypi-malware-campaigns-q4-2022): Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shell - [Dependency Graph Analysis: Finding Hidden Transitive Risks](https://safeguard.sh/resources/blog/dependency-graph-analysis-transitive-risks): Your project has 50 direct dependencies. It actually depends on 1,200 packages. Transitive dependency analysis is how yo - [Incident Response Playbook for Supply Chain Attacks](https://safeguard.sh/resources/blog/incident-response-playbook-supply-chain-attacks): Supply chain attacks break your standard IR playbook. The compromise originates outside your perimeter, affects trusted - [5G Networks and the Software Supply Chain Risks Nobody Talks About](https://safeguard.sh/resources/blog/5g-network-software-supply-chain-risks): 5G networks are software-defined infrastructure built on open-source components. 
The supply chain implications are enorm - [LastPass Second Breach: Encrypted Vaults Stolen Using Data from First Attack](https://safeguard.sh/resources/blog/lastpass-second-breach-encrypted-vaults): LastPass revealed that the August breach enabled a second attack that exfiltrated encrypted customer vaults. The full sc - [Penetration Testing the Software Supply Chain](https://safeguard.sh/resources/blog/penetration-testing-software-supply-chain): Traditional pentests focus on the application. Supply chain pentesting targets the build pipeline, dependency resolution - [Startup Security Budget Allocation: Where to Spend First](https://safeguard.sh/resources/blog/startup-security-budget-allocation-guide): Startups can't afford to do everything at once. Here's how to allocate your security budget for maximum impact, includin - [Vulnerability Correlation Across Package Ecosystems](https://safeguard.sh/resources/blog/vulnerability-correlation-across-ecosystems): The same vulnerability often appears under different identifiers across npm, PyPI, Maven, and other ecosystems. Here is - [The Open Source Maintainer Burnout Crisis and Its Security Consequences](https://safeguard.sh/resources/blog/open-source-maintainer-burnout-crisis): Burned-out maintainers abandon projects, accept risky PRs without review, and hand off keys to strangers. The burnout cr - [Docker Desktop WSL2 Security Changes in 2022](https://safeguard.sh/resources/blog/docker-desktop-wsl2-security-changes-2022): Docker Desktop's WSL2 backend reshaped container security on Windows. 
Here is what changed in 2022 and the defects that - [AWS ECR Container Scanning: Beyond the Defaults](https://safeguard.sh/resources/blog/aws-ecr-container-scanning-guide): A deep dive into ECR scanning options, from basic Clair scanning to enhanced Inspector integration, and what most teams - [Python Package Security Best Practices](https://safeguard.sh/resources/blog/python-package-security-best-practices): Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verificat - [Scaling a Security Champions Network](https://safeguard.sh/resources/blog/security-champions-network-scaling): Security teams can't be everywhere. A well-structured security champions network extends security expertise into every d - [Browser Extension Supply Chain Attacks: The Overlooked Threat Vector](https://safeguard.sh/resources/blog/browser-extension-supply-chain-attacks): Browser extensions have become a prime target for supply chain attackers. With access to browsing data, credentials, and - [Podman vs Docker Security: What Actually Changes When You Drop the Daemon](https://safeguard.sh/resources/blog/podman-vs-docker-security-comparison): Podman is daemonless, rootless by default, and fork-exec instead of client-server. Here is what those architectural diff - [Runtime vs Static Container Analysis: Complementary, Not Competing](https://safeguard.sh/resources/blog/runtime-vs-static-container-analysis): Static scanning finds known vulnerabilities. Runtime analysis finds actual exploitation. Using only one gives you half t - [Rust Adoption in Security-Critical Software: Where We Stand](https://safeguard.sh/resources/blog/rust-adoption-security-critical-software): Rust promises memory safety without garbage collection. 
Here is an honest look at where adoption stands and what it mean - [Software Supply Chain Forensics: Investigation Techniques After a Compromise](https://safeguard.sh/resources/blog/software-supply-chain-forensics-guide): When a supply chain compromise is confirmed or suspected, forensic investigation must trace the attack path through depe - [WAF Rule Writing Best Practices: From Alert Fatigue to Actionable Protection](https://safeguard.sh/resources/blog/waf-rule-writing-best-practices): Most WAF deployments drown in false positives because the rules were never tuned. Here is how to write rules that protec - [Taming Static Analysis: A Practical Guide to False Positive Reduction](https://safeguard.sh/resources/blog/static-analysis-false-positive-reduction): False positives kill SAST adoption faster than anything else. Here is how to cut through the noise without missing real - [Vulnerability Coordination Across the Open Source Ecosystem](https://safeguard.sh/resources/blog/vulnerability-coordination-open-source): When a vulnerability affects a library used by thousands of projects, coordinating the fix is harder than writing the pa - [Automating Vulnerability Remediation: A Practical Guide](https://safeguard.sh/resources/blog/automating-vulnerability-remediation-guide): Stop drowning in CVE backlogs. Learn how to build automated remediation workflows that fix vulnerabilities faster withou - [Container Image Signing with Cosign: A Practical Deep Dive](https://safeguard.sh/resources/blog/container-image-signing-with-cosign): Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it - [Software Update Signing and Verification: Getting It Right](https://safeguard.sh/resources/blog/software-update-signing-verification): Signed updates are table stakes for software distribution. 
But the signing and verification process has pitfalls that un - [Jenkins Pipeline Security Hardening](https://safeguard.sh/resources/blog/jenkins-pipeline-security-hardening): How to lock down Jenkins pipelines against credential theft, script injection, and unauthorized access with practical ha - [Brand Protection on Package Registries: Defending Your Namespace](https://safeguard.sh/resources/blog/brand-protection-package-registries): Attackers impersonate legitimate organizations on package registries through name squatting, logo theft, and metadata ma - [PyPI Namespace Squatting: How Attackers Exploit Python's Flat Package Namespace](https://safeguard.sh/resources/blog/pypi-namespace-squatting-prevention): Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, a - [Browser Extension Permission Models and Supply Chain Risk](https://safeguard.sh/resources/blog/browser-extension-permission-model): Browser extensions operate with broad permissions and auto-update silently. Here is how the extension permission model c - [Browser Extension Attacks and the Supply Chain](https://safeguard.sh/resources/blog/browser-supply-chain-extension-attacks): Browser extensions run with elevated privileges and update automatically. When attackers compromise or acquire popular e - [Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories](https://safeguard.sh/resources/blog/dropbox-phishing-attack-github-repositories): Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing int - [Makefile Injection Attacks: When Build Automation Becomes a Weapon](https://safeguard.sh/resources/blog/makefile-injection-attacks): Makefiles execute shell commands by design. 
When those commands incorporate untrusted input, the results are predictably - [OpenSSL CVE-2022-3602: The Critical That Wasn't (But Still Matters)](https://safeguard.sh/resources/blog/openssl-critical-vulnerability-cve-2022-3602): OpenSSL pre-announced a critical vulnerability that was later downgraded to high severity. The incident revealed as much - [Real Estate and PropTech Security Considerations](https://safeguard.sh/resources/blog/real-estate-proptech-security-considerations): PropTech platforms handle wire transfers, personal data, and property records. Software supply chain security is essenti - [Build Reproducibility: A Verification Guide](https://safeguard.sh/resources/blog/build-reproducibility-verification-guide): If you cannot reproduce a build bit-for-bit, you cannot verify it was not tampered with. This guide covers deterministic - [Security Impact Analysis for Dependency Updates](https://safeguard.sh/resources/blog/security-impact-analysis-dependency-updates): Updating a dependency is not just a version bump. Here is how to assess the security impact of dependency changes before - [Mend.io (WhiteSource): The Renamed SCA Veteran](https://safeguard.sh/resources/blog/mend-io-whitesource-sca-review): A review of Mend.io, formerly WhiteSource, covering its SCA capabilities, Renovate integration, automated remediation, a - [SQL Injection Prevention in 2022: Why It Still Happens and How to Stop It](https://safeguard.sh/resources/blog/sql-injection-prevention-modern-guide): SQL injection has been the top web vulnerability for over two decades. 
Modern frameworks help, but they do not make it i - [Tekton Pipeline Security Guide](https://safeguard.sh/resources/blog/tekton-pipeline-security-guide): Securing Tekton CI/CD pipelines on Kubernetes with task isolation, supply chain verification, and least-privilege servic - [Open Source Policy Template for Enterprises](https://safeguard.sh/resources/blog/open-source-policy-template-enterprises): A practical template for crafting an enterprise open-source usage policy that balances developer freedom with security a - [The SBOM Maturity Model: A Practical Roadmap for Enterprise Adoption](https://safeguard.sh/resources/blog/sbom-maturity-model-for-enterprises): Most organizations are still at SBOM Level 0. Here's a five-level maturity model to guide your journey from no SBOMs to - [Package Lock Files and Their Security Implications](https://safeguard.sh/resources/blog/package-lock-files-security-implications): Lock files are your first line of defense against dependency drift. This guide explains how package-lock.json, yarn.lock - [Text4Shell (CVE-2022-42889): Apache Commons Text and the Haunting Echo of Log4Shell](https://safeguard.sh/resources/blog/apache-commons-text-text4shell-cve-2022-42889): A critical RCE vulnerability in Apache Commons Text drew immediate comparisons to Log4Shell. While less severe in practi - [LockBit 3.0: The Evolution of the World's Most Prolific Ransomware Operation](https://safeguard.sh/resources/blog/lockbit-3-0-ransomware-evolution): LockBit 3.0 introduced bug bounties, new extortion tactics, and industrial-scale operations that made it the dominant ra - [Business Continuity Planning for Supply Chain Attacks](https://safeguard.sh/resources/blog/business-continuity-supply-chain-attacks): When a critical dependency is compromised or disappears, can your business keep running? 
Most organizations haven't answ - [VS Code Extension Marketplace Security: The IDE Supply Chain](https://safeguard.sh/resources/blog/vscode-extension-marketplace-security): VS Code extensions run with the same privileges as your editor — which means full access to your source code, terminal, - [Azure DevOps Pipeline Security Hardening: A Practical Guide](https://safeguard.sh/resources/blog/azure-devops-pipeline-security-hardening): How to lock down your Azure DevOps pipelines against supply chain attacks, credential leaks, and unauthorized deployment - [Bandit for Python Security Linting: Getting Real Value From Static Analysis](https://safeguard.sh/resources/blog/bandit-python-security-linting): Bandit scans Python code for security issues. Here is how to configure it so it catches real bugs without burying your t - [Sigstore Reaches GA: Free Software Signing for Everyone](https://safeguard.sh/resources/blog/sigstore-general-availability-software-signing): Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why thi - [Setting Up Pre-Commit Security Hooks](https://safeguard.sh/resources/blog/pre-commit-security-hooks-setup-guide): Catch secrets, vulnerable patterns, and misconfigurations before they reach your repository with pre-commit hooks that d - [Debian Repository Security: A Practical Hardening Guide](https://safeguard.sh/resources/blog/debian-repository-security-guide): Debian APT is powerful but riddled with trust assumptions. Here is how to lock it down for production environments. - [iOS Sideloading Security Implications for Enterprise Environments](https://safeguard.sh/resources/blog/ios-sideloading-security-implications): Regulatory pressure is forcing Apple to allow sideloading. 
For enterprise security teams, this changes the iOS threat mo - [OPA Gatekeeper for Kubernetes: Writing Policies That Actually Work](https://safeguard.sh/resources/blog/opa-gatekeeper-kubernetes-policies): Gatekeeper brings OPA's policy engine to Kubernetes. The learning curve is steep but the flexibility is unmatched. Here - [Tern: Container SBOM Generation Through Layer Analysis](https://safeguard.sh/resources/blog/tern-sbom-container-analysis-tool): A review of Tern, the open source tool that generates SBOMs by inspecting container image layers, including its strength - [CISA Self-Attestation Form: What Software Producers Need to Know](https://safeguard.sh/resources/blog/cisa-self-attestation-form-secure-software): OMB M-22-18 requires software producers selling to the federal government to self-attest to secure development practices - [GDPR and Software Supply Chain Obligations You Can't Ignore](https://safeguard.sh/resources/blog/gdpr-software-supply-chain-obligations): GDPR's security requirements extend deep into software supply chains. Here's where data protection law meets dependency - [Security ROI Calculation Methods That Actually Work](https://safeguard.sh/resources/blog/security-roi-calculation-methods): Calculating security ROI is notoriously difficult because you are measuring things that did not happen. Here are methods - [Package Manager Security: npm, pip, and Maven Compared](https://safeguard.sh/resources/blog/package-manager-security-npm-pip-maven): Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and M - [Generating SBOMs from Container Images: A Practical Guide](https://safeguard.sh/resources/blog/generating-sbom-from-container-images): Container images are opaque by default. 
Here's how to crack them open with SBOMs to see exactly what's running in produc - [Cookie Security for Modern Web Applications](https://safeguard.sh/resources/blog/cookie-security-modern-web-apps): Cookie misconfigurations remain one of the most common web vulnerabilities. From SameSite to cookie prefixes, here is ho - [Network Segmentation for Development Environments: Isolating the Build Pipeline](https://safeguard.sh/resources/blog/network-segmentation-development-environments): Development environments are often the weakest link in network security. Proper segmentation isolates build systems from - [PHP Composer Dependency Security](https://safeguard.sh/resources/blog/php-composer-dependency-security): Securing PHP applications through Composer lockfiles, Packagist verification, and automated vulnerability scanning. - [Telecommunications Supply Chain Security: Protecting Critical Infrastructure](https://safeguard.sh/resources/blog/telecommunications-supply-chain-security): Telecom networks are critical infrastructure that depend on complex software supply chains. Here's how carriers and equi - [Developer Productivity vs. Security: Finding the Real Balance](https://safeguard.sh/resources/blog/developer-productivity-security-balance): The security-productivity tension is real but often exaggerated. Most friction comes from bad tooling and poor processes - [Trusted Computing and TPM in the Software Supply Chain](https://safeguard.sh/resources/blog/trusted-computing-tpm-software-supply-chain): Trusted Platform Modules provide a hardware root of trust for verifying software integrity. Understanding how TPMs fit i - [npm Registry Security Gets Serious: 2022's Major Improvements](https://safeguard.sh/resources/blog/npm-registry-security-improvements-2022): From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. 
- [ProxyNotShell CVE-2022-41040: Microsoft Exchange Under Fire Again](https://safeguard.sh/resources/blog/microsoft-exchange-proxynotshell-cve-2022-41040): ProxyNotShell chained two Exchange vulnerabilities for authenticated RCE, exploited in the wild for weeks before Microso - [OSS Review Toolkit (ORT): Automating License Compliance at Scale](https://safeguard.sh/resources/blog/oss-review-toolkit-ort-license-compliance): The OSS Review Toolkit handles license scanning, vulnerability detection, and compliance policy enforcement. Here's how - [Migrating Dependencies for Security: A Step-by-Step Guide](https://safeguard.sh/resources/blog/migrating-dependencies-security-guide): When a dependency becomes a security liability, migration is the only real fix. Here is a structured approach to depende - [Database Extensions as Supply Chain Risk: The Overlooked Attack Surface](https://safeguard.sh/resources/blog/database-extension-supply-chain-risks): PostgreSQL extensions, MySQL plugins, and database add-ons run with database-level privileges. A compromised extension h - [Compression Library Vulnerabilities: From zlib to the xz Backdoor](https://safeguard.sh/resources/blog/compression-library-vulnerabilities-zlib-xz): Compression libraries are everywhere and trusted implicitly. The xz backdoor proved that trust can be weaponized. Here i - [The Open Source Software Security Act of 2022: What It Means for Developers](https://safeguard.sh/resources/blog/open-source-software-security-act-2022): The U.S. Senate introduced legislation directing CISA to secure open source software used by the federal government. Her - [Building an SBOM Program from Scratch: A Practical Guide](https://safeguard.sh/resources/blog/building-sbom-program-from-scratch): Standing up an SBOM program is more than picking a tool. 
This guide covers organizational buy-in, tooling selection, aut - [Kubernetes Admission Controllers for Supply Chain Policy](https://safeguard.sh/resources/blog/kubernetes-admission-controllers-supply-chain): Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them - [GoSec Static Analysis for Go: Practical Security Scanning](https://safeguard.sh/resources/blog/gosec-static-analysis-for-go): GoSec finds security issues in Go source code. Here is how to get the most out of it without fighting false positives al - [SOX Compliance in Software Development: The Supply Chain Angle](https://safeguard.sh/resources/blog/sox-compliance-software-development): Sarbanes-Oxley requirements for internal controls extend into software development and supply chain integrity. Here's th - [Uber's 2022 Breach: How an 18-Year-Old Social Engineered Past MFA](https://safeguard.sh/resources/blog/uber-breach-2022-social-engineering-attack): An attacker bombarded an Uber contractor with MFA push notifications until they accepted. What followed was a full compr - [Software Transparency and the EU Cyber Resilience Act](https://safeguard.sh/resources/blog/software-transparency-eu-cyber-resilience-act): The EU Cyber Resilience Act is rewriting the rules for software sold in Europe. Mandatory vulnerability handling, SBOM r - [Retail and E-Commerce Software Supply Chain Security](https://safeguard.sh/resources/blog/retail-ecommerce-software-supply-chain): E-commerce platforms process millions in transactions daily using open-source components. Here's how retail organization - [SPDX Specification: A Practical Guide for Security Teams](https://safeguard.sh/resources/blog/spdx-specification-practical-guide): SPDX is the ISO-standardized SBOM format. Here's how to use it effectively for security, not just license compliance. 
- [Trivy vs Grype: Open Source Vulnerability Scanners Compared](https://safeguard.sh/resources/blog/trivy-grype-vulnerability-scanner-comparison): A practical comparison of Trivy and Grype for vulnerability scanning, covering detection accuracy, performance, SBOM sup - [Angular Application Security Checklist](https://safeguard.sh/resources/blog/angular-application-security-checklist): A practical security checklist for Angular applications covering XSS prevention, dependency management, and secure confi - [CORS Misconfiguration Exploitation: The Silent API Exposure](https://safeguard.sh/resources/blog/cors-misconfiguration-exploitation): CORS misconfigurations are one of the most common web security issues. They silently expose your APIs to cross-origin da - [Harbor Registry Security Configuration: A Complete Hardening Guide](https://safeguard.sh/resources/blog/harbor-registry-security-configuration): Harbor is the most popular open-source container registry. Its security features are powerful but require deliberate con - [Canary Deployments and Security Monitoring](https://safeguard.sh/resources/blog/canary-deployments-security-monitoring): Using canary deployment strategies to catch security regressions before they reach all users, with monitoring patterns f - [Path Traversal in Dependency Installation: Writing Files Where They Should Not Go](https://safeguard.sh/resources/blog/path-traversal-dependency-installation): Package archives can contain path traversal sequences that write files outside the expected directory. Most developers n - [Rust Supply Chain Security: How crates.io Stacks Up Against npm and PyPI](https://safeguard.sh/resources/blog/rust-supply-chain-security-crates-io): Rust's crates.io registry has design advantages for supply chain security, but it's not immune. 
Here's an honest assessm - [Software Escrow Agreements: Security Implications You Should Negotiate](https://safeguard.sh/resources/blog/software-escrow-agreements-security): Software escrow protects you if a vendor goes under. But the security details in the agreement determine whether the esc - [Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself](https://safeguard.sh/resources/blog/linux-kernel-supply-chain-security): The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons fo - [Security Misconfiguration Checklist: The Low-Hanging Fruit Attackers Love](https://safeguard.sh/resources/blog/security-misconfiguration-checklist): Misconfigurations are the easiest vulnerabilities to find and exploit. Here is a practical checklist for web servers, fr - [SSRF Exploitation in Cloud Environments](https://safeguard.sh/resources/blog/ssrf-exploitation-cloud-environments): Server-Side Request Forgery is especially dangerous in cloud environments where metadata services expose credentials and - [The State of Software Supply Chain Attacks: Mid-2022 Report](https://safeguard.sh/resources/blog/software-supply-chain-attacks-state-of-2022): By mid-2022, supply chain attacks had surged 742% over the previous three years. Here's the data, the trends, and what d - [SLSA vs SSDF vs S2C2F: Framework Comparison](https://safeguard.sh/resources/blog/supply-chain-integrity-framework-comparison-2022): Three supply chain integrity frameworks. Three different authors. Three different audiences. 
A practical comparison of S - [Build Artifact Integrity Verification: From Source to Deployment](https://safeguard.sh/resources/blog/build-artifact-integrity-verification): If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is s - [LastPass Breach: How a Compromised Developer Environment Exposed Millions](https://safeguard.sh/resources/blog/lastpass-security-breach-developer-environment): LastPass disclosed that an attacker accessed their development environment for four days. The full impact wouldn't be kn - [Plex Data Breach: 20 Million Users Forced to Reset Passwords](https://safeguard.sh/resources/blog/plex-data-breach-august-2022): A breach of Plex's systems exposed usernames, emails, and hashed passwords for approximately 20 million users, forcing t - [GitLab Critical RCE (CVE-2022-2884): Remote Code Execution via GitHub Import](https://safeguard.sh/resources/blog/gitlab-critical-vulnerability-cve-2022-2884): A critical vulnerability in GitLab's GitHub import feature allowed authenticated attackers to execute arbitrary code on - [Setting Up Dependency Scanning on GitHub](https://safeguard.sh/resources/blog/setting-up-dependency-scanning-github): A hands-on walkthrough for configuring automated dependency scanning in your GitHub repositories, from Dependabot alerts - [Infrastructure as Code Security: Scanning Terraform, CloudFormation, and Kubernetes Manifests](https://safeguard.sh/resources/blog/infrastructure-as-code-security-scanning): IaC scanning catches misconfigurations before they reach production. 
This guide covers tools, techniques, and integratio - [Building a Security Team from Scratch](https://safeguard.sh/resources/blog/building-security-team-from-scratch): A practical guide to hiring your first security engineers, defining roles, and building a security function that scales - [Malicious GitHub Commits: The Overlooked Supply Chain Attack Vector](https://safeguard.sh/resources/blog/malicious-github-commits-supply-chain-risk): Attackers can impersonate any committer on GitHub, inject malicious code through PRs, and exploit lax review processes. - [Software Supply Chain Security in Banking: A Practical Guide](https://safeguard.sh/resources/blog/software-supply-chain-security-banking): Banks face unique software supply chain risks. This guide covers real threats, regulatory expectations, and what securit - [Open Source Security Bounty Programs: Do They Actually Work?](https://safeguard.sh/resources/blog/open-source-security-bounty-programs): Bug bounty programs for open source projects promise market-driven vulnerability discovery. The reality is more complica - [Supply Chain Security for Government Agencies](https://safeguard.sh/resources/blog/supply-chain-security-for-government-agencies): Government agencies face unique software supply chain threats. Here's how federal and state organizations can protect cr - [Securing GitHub Actions: Hardening Your CI/CD Supply Chain](https://safeguard.sh/resources/blog/securing-github-actions-supply-chain): GitHub Actions is a powerful CI/CD platform — and a significant attack surface. Here's how to lock it down against suppl - [Security Metrics That Matter: A CISO Guide](https://safeguard.sh/resources/blog/security-metrics-that-matter-ciso-guide): Stop reporting vanity metrics. 
Here are the security measurements that actually inform decisions, demonstrate program ef - [eBPF for Security Monitoring: What It Can and Cannot Do](https://safeguard.sh/resources/blog/ebpf-security-monitoring-applications): eBPF is being called the future of security observability. It is genuinely powerful, but it is not a magic bullet for ru - [Docker Image Layer Security Analysis: What Lurks Beneath Your Containers](https://safeguard.sh/resources/blog/docker-image-layer-security-analysis): Every Docker image is a stack of layers, and each one can introduce vulnerabilities. Learn how to dissect image layers f - [Trivy for SBOM Generation and Vulnerability Scanning](https://safeguard.sh/resources/blog/trivy-sbom-generation-scanning): Trivy combines SBOM generation with vulnerability scanning in a single tool. Here's how to use both capabilities effecti - [Zimbra CVE-2022-37042: Authentication Bypass in a Widely Used Email Platform](https://safeguard.sh/resources/blog/zimbra-cve-2022-37042-authentication-bypass): CVE-2022-37042 allowed unauthenticated attackers to upload web shells to Zimbra email servers. Over 1,000 servers were c - [0ktapus: The Phishing Campaign That Hit Cloudflare, Twilio, and 130+ Organizations](https://safeguard.sh/resources/blog/cloudflare-twilio-0ktapus-phishing-campaign): A single phishing campaign compromised over 130 companies including Cloudflare and Twilio. Here's how the 0ktapus attack - [Docker Security Best Practices for Developers](https://safeguard.sh/resources/blog/docker-security-best-practices-developers): Practical Docker security from image building to runtime, covering multi-stage builds, user namespaces, and image scanni - [pip Install Hooks Security Risks: Code Execution During Package Installation](https://safeguard.sh/resources/blog/pip-install-hooks-security-risks): Running pip install can execute arbitrary code on your machine before you ever import the package. 
Here is how install h - [Startup Security at Seed Stage: What to Prioritize When Resources Are Scarce](https://safeguard.sh/resources/blog/startup-security-seed-stage-guide): You have five engineers, zero security staff, and a product to ship. Here is the minimum viable security program that pr - [Mutation Testing for Security Validation: Testing Your Tests](https://safeguard.sh/resources/blog/mutation-testing-security-validation): Mutation testing measures whether your security tests actually catch bugs by introducing small changes to code and check - [NoSQL Injection and MongoDB: Prevention Guide](https://safeguard.sh/resources/blog/nosql-injection-mongodb-prevention): NoSQL injection attacks exploit the query languages of non-relational databases to bypass authentication, extract data, - [Reproducible Builds: The Gold Standard for Supply Chain Integrity](https://safeguard.sh/resources/blog/reproducible-builds-supply-chain-integrity): If you can't rebuild a binary from source and get the same result, you can't verify that the binary matches the source. - [AWS Inspector V2 Container Scanning: What Changed and Why It Matters](https://safeguard.sh/resources/blog/aws-inspector-v2-container-scanning): A deep look at Amazon Inspector v2 for container scanning, its improvements over v1, and how to get the most out of it. - [Zero Trust Architecture for the Software Supply Chain](https://safeguard.sh/resources/blog/zero-trust-architecture-software-supply-chain): Zero trust isn't just for networks. Applying zero trust principles to your software supply chain fundamentally changes h - [Microservices Security Architecture: A Supply Chain Perspective](https://safeguard.sh/resources/blog/microservices-security-architecture-guide): Microservices multiply your dependency surface. 
This guide covers service mesh security, inter-service authentication, a - [Clippy Rust Security Lints: Catching What the Borrow Checker Misses](https://safeguard.sh/resources/blog/clippy-rust-security-lints): Rust's compiler catches memory safety bugs. Clippy catches everything else -- including security anti-patterns the borro - [Twitter Data Breach: 5.4 Million Accounts Exposed Through an API Vulnerability](https://safeguard.sh/resources/blog/twitter-54-million-data-breach): An API vulnerability in Twitter allowed attackers to link phone numbers and email addresses to Twitter accounts, ultimat - [Brazil's LGPD and Its Implications for Software Security](https://safeguard.sh/resources/blog/brazil-lgpd-software-security-implications): Brazil's data protection law creates obligations for software security and supply chain transparency. Here's what develo - [Atlassian Questions for Confluence CVE-2022-26138: A Hardcoded Password That Gave Away the Keys](https://safeguard.sh/resources/blog/atlassian-questions-for-confluence-cve-2022-26138): CVE-2022-26138 exposed a hardcoded password in the Questions for Confluence app, granting unauthenticated access to Conf - [VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise](https://safeguard.sh/resources/blog/vex-vulnerability-exploitability-exchange-guide): VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX - [The Open Source Software Bill of Rights](https://safeguard.sh/resources/blog/open-source-software-bill-of-rights): As governments and enterprises demand more from open source maintainers, the community pushes back with a framework of r - [Bug Bounty Programs with a Supply Chain Focus](https://safeguard.sh/resources/blog/bug-bounty-programs-supply-chain-focus): Traditional bug bounty programs miss supply chain vulnerabilities. 
Here's how to design a bounty program that incentiviz - [NIST CSF Updates Put Supply Chain Risk Management Front and Center](https://safeguard.sh/resources/blog/nist-csf-update-supply-chain-risk-management): NIST's 2022 updates to the Cybersecurity Framework signal a major shift: supply chain risk management is no longer optio - [GitHub Actions Security Best Practices in 2022](https://safeguard.sh/resources/blog/github-actions-security-best-practices-2022): A practical guide to hardening your GitHub Actions workflows against supply chain attacks, secret leaks, and privilege e - [Azure AD Token Theft Campaigns: A 2022 Retrospective](https://safeguard.sh/resources/blog/azure-ad-token-theft-retrospective-2022): Token theft is the quiet successor to credential phishing, and 2022 turned it into an industry. Here is what the year's - [BlackCat/ALPHV Ransomware: Rust-Based Innovation and Supply Chain Exploitation](https://safeguard.sh/resources/blog/blackcat-alphv-ransomware-supply-chain): BlackCat (ALPHV) brought Rust programming, triple extortion, and supply chain targeting to the ransomware-as-a-service m - [JavaScript Dependency Security: The Complete Guide](https://safeguard.sh/resources/blog/javascript-dependency-security-complete-guide): A thorough walkthrough of securing your JavaScript dependency tree, from lockfile hygiene to automated auditing and runt - [NGINX Security Configuration Guide for Production Deployments](https://safeguard.sh/resources/blog/nginx-security-configuration-guide): NGINX powers a third of the internet. Its default configuration is optimized for getting started, not for production sec - [Notary v2 Content Trust: A Practical Implementation Guide](https://safeguard.sh/resources/blog/notary-v2-content-trust-guide): Docker Content Trust never gained traction. Notary v2, now called Notation, is the replacement. 
Here is how to implement - [Memory Safety Bugs in C/C++ Dependencies: The Hidden Risk in Your Software Supply Chain](https://safeguard.sh/resources/blog/memory-safety-bugs-c-cpp-dependencies): C and C++ libraries still power critical infrastructure everywhere. Their memory safety issues are your problem whether - [Protocol Buffer Security Considerations Beyond Serialization](https://safeguard.sh/resources/blog/protocol-buffer-security-considerations): Protobuf is everywhere in modern infrastructure. Its security implications go beyond just serialization format choice. H - [CDN Supply Chain Security Risks You Should Know](https://safeguard.sh/resources/blog/cdn-supply-chain-security-risks): Content delivery networks serve billions of software assets daily. When a CDN is compromised, the blast radius is enormo - [SAST vs DAST vs IAST: Which Application Security Testing Approach Fits Your Pipeline?](https://safeguard.sh/resources/blog/sast-vs-dast-vs-iast-comparison): A practical comparison of SAST, DAST, and IAST — when to use each, where they overlap, and why most teams need more than - [Dark Web Monitoring for Supply Chain Threats](https://safeguard.sh/resources/blog/dark-web-monitoring-supply-chain): Software supply chain credentials, stolen signing keys, and zero-day exploits for build tools are traded on dark web for - [How to Create Your First SBOM](https://safeguard.sh/resources/blog/how-to-create-your-first-sbom): A practical, step-by-step guide to generating your first Software Bill of Materials using open-source tools and integrat - [npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds](https://safeguard.sh/resources/blog/npm-lockfile-injection-attacks): Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency reso - [Retbleed: The Spectre Variant That Haunts Modern CPUs 
(CVE-2022-29900)](https://safeguard.sh/resources/blog/retbleed-spectre-variant-cve-2022-29900-analysis): Retbleed exploits return instructions to bypass Spectre mitigations on AMD and Intel processors. Here's what it means fo - [WebAssembly Security: A Deep Dive into the Sandbox Model](https://safeguard.sh/resources/blog/webassembly-security-sandbox-analysis): WebAssembly promises near-native performance with a strong security sandbox. But the sandbox model has nuances that deve - [Docker Scout for Container Security Analysis: A Practical Guide](https://safeguard.sh/resources/blog/docker-scout-container-analysis-guide): Docker Scout brings vulnerability scanning directly into the Docker CLI. Here is what it actually catches, where it fall - [Open Source Governance: Building an Enterprise Framework](https://safeguard.sh/resources/blog/open-source-governance-enterprise-framework): Ad-hoc open source usage creates legal, security, and operational risk. This guide walks through building a governance f - [India's CERT-In Cybersecurity Directives: Six-Hour Reporting and Beyond](https://safeguard.sh/resources/blog/india-cert-in-cyber-security-directives): India's CERT-In directives mandate six-hour incident reporting and strict logging requirements. Here's what organization - [Dependency Update Strategies for Large Codebases](https://safeguard.sh/resources/blog/dependency-update-strategies-for-large-codebases): At scale, keeping dependencies current is not a weekend chore — it is an engineering discipline. The wrong update strate - [The GitHub Codespaces Security Model, Examined](https://safeguard.sh/resources/blog/github-codespaces-security-model-2022): GitHub Codespaces has gone GA and is about to become the dev environment standard. 
Here is a close read of its security - [Terraform Security Scanning: What to Scan, When, and How](https://safeguard.sh/resources/blog/terraform-security-scanning-best-practices): A practical guide to integrating security scanning into your Terraform workflow without destroying developer productivit - [Managing End-of-Life Software Dependencies](https://safeguard.sh/resources/blog/managing-eol-software-dependencies): Every dependency eventually reaches end of life. Here is a practical framework for identifying, tracking, and migrating - [Secrets Management: Preventing Credential Leaks in Your Software Supply Chain](https://safeguard.sh/resources/blog/secrets-management-preventing-credential-leaks): Hardcoded credentials remain the most common source of breaches. Despite a decade of tooling improvements, secrets keep - [Environment Variable Injection in CI/CD: The Invisible Attack Surface](https://safeguard.sh/resources/blog/environment-variable-injection-cicd): CI/CD pipelines trust environment variables implicitly. Injecting or modifying them can hijack builds, steal secrets, an - [ESLint Security Rules Configuration: A Practical Guide](https://safeguard.sh/resources/blog/eslint-security-rules-configuration): ESLint can catch security issues before they reach production. Here is how to configure security-focused rules that actu - [Ruby Gems Supply Chain Security](https://safeguard.sh/resources/blog/ruby-gems-supply-chain-security): Protecting your Ruby applications from gem-based supply chain attacks with Bundler security features, gem signing, and a - [Securing Terraform Infrastructure as Code: A Practitioner's Guide](https://safeguard.sh/resources/blog/securing-terraform-infrastructure-as-code): Your Terraform code defines your production infrastructure. 
If an attacker compromises your HCL files, state files, or p
- [Flux CD GitOps Security Practices](https://safeguard.sh/resources/blog/flux-cd-gitops-security-practices): Hardening Flux CD deployments with multi-tenancy, RBAC, secret encryption, and image verification for secure GitOps work
- [Building a Supply Chain Risk Appetite Framework](https://safeguard.sh/resources/blog/supply-chain-risk-appetite-framework): Every organization accepts some supply chain risk. The question is whether that acceptance is deliberate and documented
- [CPE Naming Convention and the Vulnerability Matching Problem](https://safeguard.sh/resources/blog/cpe-naming-convention-vulnerability-matching): CPE is the backbone of NVD vulnerability matching, and it is deeply flawed. Understanding its limitations is essential f
- [Shifting Left Without Slowing Down](https://safeguard.sh/resources/blog/shifting-left-without-slowing-down): How to integrate security earlier in the development lifecycle without turning your CI pipeline into a bottleneck that d
- [The OWASP Top 10 (2021) Through a Supply Chain Security Lens](https://safeguard.sh/resources/blog/owasp-top-10-2021-supply-chain-perspective): The 2021 OWASP Top 10 added supply chain risks for the first time. Here is what each category means when your code is mo
- [The Log4Shell Response Playbook Six Months In](https://safeguard.sh/resources/blog/log4shell-response-playbook-six-months-in): Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security
- [Linux Distribution Package Signing: How It Actually Works](https://safeguard.sh/resources/blog/linux-distribution-package-signing): Package signing is the backbone of Linux software distribution security.
Most teams trust it blindly without understandi
- [Mobile App Store Security Bypass: How Malicious Apps Evade Review](https://safeguard.sh/resources/blog/mobile-app-store-security-bypass): App store review processes catch most malware. But the bypass techniques that work reveal systematic gaps in mobile supp
- [Electron App Supply Chain Security: Desktop Apps Built on Web Dependencies](https://safeguard.sh/resources/blog/electron-app-supply-chain-security): Electron apps ship a full Chromium browser and Node.js runtime to the desktop. That means every web supply chain risk be
- [Follina (CVE-2022-30190): The Microsoft Zero-Day That Bypassed Macro Protections](https://safeguard.sh/resources/blog/follina-cve-2022-30190-microsoft-zero-day): A Word document, no macros enabled, and full remote code execution. Follina exploited the Microsoft Support Diagnostic T
- [Container Runtime Security Monitoring: Catching What Scanners Miss](https://safeguard.sh/resources/blog/container-runtime-security-monitoring): Image scanning finds known vulnerabilities before deployment. Runtime monitoring catches actual exploitation, zero-days,
- [AWS Supply Chain Security Best Practices You Should Adopt Today](https://safeguard.sh/resources/blog/aws-supply-chain-security-best-practices): A practical guide to securing your software supply chain on AWS, from ECR image provenance to CodePipeline hardening.
- [TLS Configuration Security Audit: What to Check and How](https://safeguard.sh/resources/blog/tls-configuration-security-audit): A misconfigured TLS setup can be worse than no encryption at all because it creates false confidence. Here is how to aud
- [Kubernetes Supply Chain Policy Engines: Enforcing What Gets Deployed](https://safeguard.sh/resources/blog/kubernetes-supply-chain-policy-engine): Scanning for vulnerabilities means nothing if you cannot enforce the results.
Supply chain policy engines in Kubernetes
- [Security Headers Implementation Checklist: Hardening Your Web Application](https://safeguard.sh/resources/blog/security-headers-implementation-checklist): HTTP security headers are your first line of defense against XSS, clickjacking, and data injection attacks. Here is a pr
- [Software-Defined Perimeters for Supply Chain Security](https://safeguard.sh/resources/blog/software-defined-perimeter-supply-chain): Software-Defined Perimeters can isolate build systems, artifact repositories, and deployment pipelines from unauthorized
- [Hardware Supply Chain Trust Boundaries](https://safeguard.sh/resources/blog/hardware-supply-chain-trust-boundaries): Hardware travels through dozens of hands before reaching your data center. Understanding and enforcing trust boundaries
- [SBOM 101: A Complete Beginner's Guide to Software Bill of Materials](https://safeguard.sh/resources/blog/sbom-101-complete-beginners-guide): Everything you need to know about Software Bills of Materials -- what they are, why they matter, and how to start genera
- [Confluence Zero-Day (CVE-2022-26134): Atlassian's OGNL Injection Crisis](https://safeguard.sh/resources/blog/confluence-cve-2022-26134-atlassian-zero-day): An unauthenticated RCE zero-day in Confluence Server was being actively exploited before Atlassian even knew about it. T
- [Evaluating Open Source Alternatives Through a Security Lens](https://safeguard.sh/resources/blog/open-source-alternative-evaluation-security): When choosing between open source packages that provide the same functionality, security factors should weigh as heavily
- [Software Provenance Tracking: From Source to Production](https://safeguard.sh/resources/blog/software-provenance-tracking-best-practices): Software provenance answers the question: where did this code come from, who built it, and can I trust it?
In 2022, prov
- [Shield Health Group Data Breach: 2 Million Patient Records Exposed](https://safeguard.sh/resources/blog/shield-health-group-data-breach): A breach at Shield Health Group, a Massachusetts medical imaging provider, exposed personal and medical data of approxim
- [Broken Access Control: The Number One Web Vulnerability and How to Fix It](https://safeguard.sh/resources/blog/broken-access-control-prevention-guide): Access control moved to the top of the OWASP Top 10 in 2021. Here is why it is so hard to get right and what a solid aut
- [General Motors Credential Stuffing Attack: Loyalty Points Theft at Scale](https://safeguard.sh/resources/blog/general-motors-credential-stuffing): Attackers used credential stuffing to compromise GM customer accounts, stealing reward points and personal data — a remi
- [Red Hat JBoss Vulnerability Exploitation: The Persistent Threat of Java Middleware](https://safeguard.sh/resources/blog/red-hat-jboss-vulnerability-exploitation): JBoss application servers have been a recurring target for attackers. From deserialization flaws to exposed management i
- [Open Source Funding Models and Their Impact on Security](https://safeguard.sh/resources/blog/open-source-funding-models-security): The way open source projects get funded directly shapes their security outcomes. From corporate sponsorship to bounty pr
- [PyPI Supply Chain Attacks: The ctx Package Compromise](https://safeguard.sh/resources/blog/pypi-supply-chain-attacks-ctx-package): The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an exp
- [Image Parsing Vulnerabilities in Dependencies: The Pixel-Level Threat](https://safeguard.sh/resources/blog/image-parsing-vulnerabilities-dependencies): Every application that processes images depends on parsing libraries with a long history of memory corruption bugs.
Here
- [Secure Coding Practices: A Developer's Guide](https://safeguard.sh/resources/blog/secure-coding-practices-developers-guide): Practical secure coding habits every developer should build, covering input validation, authentication, dependency manag
- [Why Dependency Pinning Alone Is Not Enough](https://safeguard.sh/resources/blog/why-dependency-pinning-alone-is-not-enough): Pinning dependencies feels like a complete answer to supply chain risk. It is not — and the gap between pinning and real
- [Maven Central Supply Chain Risks: Securing the Java Ecosystem](https://safeguard.sh/resources/blog/maven-central-supply-chain-risks): Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust m
- [OCI Artifact Signing Standards: Making Sense of the Landscape](https://safeguard.sh/resources/blog/oci-artifact-signing-standards): Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you nee
- [SAML Security in a Supply Chain Context](https://safeguard.sh/resources/blog/saml-security-supply-chain-context): SAML is the authentication backbone for enterprise SSO. Its XML-based attack surface makes it a high-value target for su
- [Zyxel Firewall CVE-2022-30525: Unauthenticated Command Injection in Your Perimeter Defense](https://safeguard.sh/resources/blog/zyxel-firewall-cve-2022-30525-rce): CVE-2022-30525 gave attackers unauthenticated OS command injection on Zyxel firewalls. The irony of a firewall being the
- [Docker Container Escape Vulnerabilities: Techniques and Defenses](https://safeguard.sh/resources/blog/docker-container-escape-vulnerabilities): Containers are not VMs. When an attacker escapes a container, they own the host — and potentially every other container
- [CycloneDX Specification Deep Dive: Beyond the Basics](https://safeguard.sh/resources/blog/cyclonedx-specification-deep-dive): CycloneDX is more than a component list.
This deep dive covers services, vulnerabilities, compositions, and the parts of
- [CISA SBOM Guidance: What Government Agencies Need to Know](https://safeguard.sh/resources/blog/cisa-sbom-guidance-for-government-agencies): CISA's evolving SBOM requirements are reshaping how government agencies procure and manage software. Here's what the gui
- [Regular Expression Denial of Service (ReDoS): Detection and Prevention](https://safeguard.sh/resources/blog/regex-denial-of-service-redos-prevention): A single bad regex can bring down your entire application. ReDoS attacks exploit catastrophic backtracking to consume un
- [Feature Flags Security Implications](https://safeguard.sh/resources/blog/feature-flags-security-implications): Understanding the security risks of feature flag systems and how to prevent unauthorized flag manipulation, data exposur
- [File Upload Vulnerability Prevention: A Practical Guide](https://safeguard.sh/resources/blog/file-upload-vulnerability-prevention): File upload functionality is one of the most dangerous features in web applications. This guide covers the attack vector
- [NIST SP 800-218 (SSDF) Final Publication: What It Means for Your Organization](https://safeguard.sh/resources/blog/nist-sp-800-218-ssdf-final-publication): NIST finalized the Secure Software Development Framework in February 2022. If you sell software to the US government — o
- [CI/CD Pipeline Audit Logging: What to Capture and Why](https://safeguard.sh/resources/blog/cicd-pipeline-audit-logging): Your CI/CD pipeline is a high-value target.
Without proper audit logging, you will not know when it has been compromised
- [OpenSSF Alpha-Omega Project: Securing Open Source at Scale](https://safeguard.sh/resources/blog/openssf-alpha-omega-project-securing-open-source): The Alpha-Omega Project, backed by $5M from Google and Microsoft, aims to improve security of the most critical open sou
- [Ephemeral Environments for Security Testing: A Modern Approach](https://safeguard.sh/resources/blog/ephemeral-environments-security-testing): Ephemeral environments — short-lived, on-demand copies of your application stack — are transforming how teams approach s
- [npm Supply Chain Attacks: 2022 Q1 Report](https://safeguard.sh/resources/blog/npm-supply-chain-attacks-2022-q1-report): The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing p
- [Costa Rica Conti Ransomware: The First Ransomware Attack to Trigger a National Emergency](https://safeguard.sh/resources/blog/costa-rica-conti-ransomware-national): The Conti ransomware group attacked Costa Rica's government systems so severely that the president declared a national e
- [Beanstalk Farms Governance Attack: $182 Million Stolen Through a Democratic Vote](https://safeguard.sh/resources/blog/beanstalk-defi-governance-attack): Attackers used a flash loan to temporarily gain majority voting power in Beanstalk Farms' governance system, then voted
- [GitHub OAuth Token Theft: The Heroku and Travis CI Breach](https://safeguard.sh/resources/blog/github-oauth-token-theft-heroku-travis-ci): Attackers stole OAuth tokens from Heroku and Travis CI to access private GitHub repositories across dozens of organizati
- [Temp File Race Conditions in Build Systems: The TOCTOU Problem](https://safeguard.sh/resources/blog/temp-file-race-conditions-build-systems): Build systems create and process temporary files constantly.
Race conditions in temp file handling can be exploited to i
- [Azure DevOps Supply Chain Risks: Securing Your Microsoft CI/CD Pipeline](https://safeguard.sh/resources/blog/azure-devops-supply-chain-risks): Azure DevOps pipelines present unique supply chain risks from marketplace extensions to service connections. A breakdown
- [Container Registry Hardening: The 2022 Baseline](https://safeguard.sh/resources/blog/container-registry-hardening-2022): Your container registry is a signing oracle, a software distribution system, and a typosquat target rolled into one. Her
- [LAPSUS$ Group: Unconventional Attack Techniques That Embarrassed Big Tech](https://safeguard.sh/resources/blog/lapsus-group-attack-techniques-analysis): LAPSUS$ broke into Microsoft, Nvidia, Samsung, and Okta using social engineering and insider recruitment rather than sop
- [SBOM Automation in CI/CD Pipelines: A Hands-On Guide](https://safeguard.sh/resources/blog/sbom-automation-in-ci-cd-pipelines): Generating SBOMs manually is unsustainable. Here's how to automate SBOM creation, validation, and distribution as part o
- [Generating SBOMs with Syft: The Complete Guide](https://safeguard.sh/resources/blog/generating-sbom-with-syft-guide): Syft is the most popular open-source SBOM generator. Here's how to use it effectively for containers, directories, archi
- [VMware Workspace ONE CVE-2022-22954: Server-Side Template Injection Goes Enterprise](https://safeguard.sh/resources/blog/vmware-workspace-one-cve-2022-22954): CVE-2022-22954 in VMware Workspace ONE Access allowed unauthenticated RCE via server-side template injection. Attackers
- [Fuzz Testing Supply Chain Components: Finding Bugs Before Attackers Do](https://safeguard.sh/resources/blog/fuzz-testing-supply-chain-components): Fuzz testing discovers crashes, memory corruption, and logic errors by feeding random inputs to software.
Applied to sup
- [Mailchimp Social Engineering Breach: How an Employee Hack Compromised Crypto Customers](https://safeguard.sh/resources/blog/mailchimp-social-engineering-breach): A social engineering attack on Mailchimp employees gave attackers access to internal tools, which they used to target cr
- [Spring4Shell (CVE-2022-22965) Response Analysis](https://safeguard.sh/resources/blog/spring4shell-cve-2022-22965-response-analysis): A 2010-era bypass resurfaced as CVE-2022-22965 on Spring Framework for JDK 9+. Here is how the disclosure, patch, and in
- [Spring4Shell vs Log4Shell: Comparing Two Java Framework Crises](https://safeguard.sh/resources/blog/spring4shell-vs-log4shell-comparison): Both scored 9.8 on CVSS. Both affected millions of Java applications. But Log4Shell and Spring4Shell had fundamentally d
- [Spring4Shell (CVE-2022-22965): Remote Code Execution in Spring Framework](https://safeguard.sh/resources/blog/spring4shell-cve-2022-22965-analysis): A critical RCE in Spring Framework sent Java teams scrambling.
While less catastrophic than Log4Shell, Spring4Shell expo
- [Ronin Network Hack: $625 Million Stolen from Axie Infinity's Blockchain Bridge](https://safeguard.sh/resources/blog/ronin-network-hack-625-million): North Korean hackers stole $625 million from the Ronin Network bridge powering Axie Infinity, exploiting compromised val
- [Microsoft LAPSUS$ Breach: Source Code Access and the Limits of Perimeter Security](https://safeguard.sh/resources/blog/microsoft-lapsus-breach-source-code-access): LAPSUS$ claimed access to Microsoft's source code repositories, leaking 37GB of code from Bing, Cortana, and other proje
- [Vulnerability Disclosure Programs: Building Trust with Security Researchers](https://safeguard.sh/resources/blog/vulnerability-disclosure-programs-best-practices): A well-designed vulnerability disclosure program turns external researchers into force multipliers for your security tea
- [Okta LAPSUS$ Breach: When Your Identity Provider Gets Compromised](https://safeguard.sh/resources/blog/okta-lapsus-breach-january-2022): LAPSUS$ breached an Okta support contractor, gaining access to customer tenants. The incident raised critical questions
- [A First-Principles Guide to Artifact Signing in 2022](https://safeguard.sh/resources/blog/first-principles-artifact-signing-guide-2022): Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you
- [Kubernetes Supply Chain Security: Best Practices for 2022](https://safeguard.sh/resources/blog/kubernetes-supply-chain-security-best-practices): Kubernetes does not run your code — it runs container images built from layers of dependencies you may not control. Secu
- [Certificate Authority Compromise and Supply Chain Risks](https://safeguard.sh/resources/blog/certificate-authority-compromise-risks): A compromised certificate authority can undermine TLS trust for your entire software supply chain.
Understanding CA risk
- [Dirty Pipe (CVE-2022-0847): A Deep Dive into the Linux Kernel Vulnerability](https://safeguard.sh/resources/blog/dirty-pipe-cve-2022-0847-linux-kernel-vulnerability): Dirty Pipe allowed any local user to overwrite data in read-only files, including SUID binaries, leading to trivial root
- [Samsung LAPSUS$ Breach: 190GB of Source Code and the Cost of Insider Access](https://safeguard.sh/resources/blog/samsung-lapsus-breach-source-code-theft): The LAPSUS$ group stole 190GB of Samsung source code including biometric authentication algorithms and bootloader code.
- [Conti Ransomware Leaks: What the Internal Files Revealed About Supply Chain Tools](https://safeguard.sh/resources/blog/conti-ransomware-leaks-supply-chain-tools): When Conti's internal communications leaked in early 2022, they exposed the operational playbook of a top-tier ransomwar
- [NVIDIA LAPSUS$ Breach: Stolen Code Signing Certificates Used to Sign Malware](https://safeguard.sh/resources/blog/nvidia-lapsus-breach-code-signing-certificates): When LAPSUS$ breached NVIDIA, they stole code signing certificates that were immediately weaponized to sign malware. The
- [Heroku and GitHub OAuth Token Theft: The Early Warning Signs](https://safeguard.sh/resources/blog/heroku-github-oauth-token-theft): Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of
- [SolarWinds Lessons Two Years On: What Actually Changed](https://safeguard.sh/resources/blog/solarwinds-lessons-two-years-on): Two years after the SolarWinds SUNBURST compromise, the industry has new frameworks and new vocabulary — but has the bui
- [Event-Driven Architecture Security: Risks You Cannot Ignore](https://safeguard.sh/resources/blog/event-driven-architecture-security): Event-driven systems decouple producers from consumers, but that decoupling creates security blind spots.
Here is how to
- [Software Supply Chain Security for Startups: A Practical Guide](https://safeguard.sh/resources/blog/software-supply-chain-security-for-startups): You don't need a massive security team to get supply chain security right. Here's a pragmatic, prioritized approach for
- [Open Source License Compliance: A Practical Guide for 2022](https://safeguard.sh/resources/blog/open-source-license-compliance-guide-2022): License compliance is not just a legal checkbox — it is a business risk. Misunderstanding copyleft obligations or violat
- [SAP ICM CVE-2022-22536: ICMAD Vulnerabilities Hit the Heart of Enterprise Software](https://safeguard.sh/resources/blog/sap-icmad-cve-2022-22536-critical): CVE-2022-22536 scored a perfect CVSS 10.0, allowing unauthenticated request smuggling in SAP's Internet Communication Ma
- [SBOM Formats Compared: CycloneDX vs SPDX in 2022](https://safeguard.sh/resources/blog/sbom-formats-compared-cyclonedx-vs-spdx): Two SBOM standards are competing for adoption. CycloneDX and SPDX take fundamentally different approaches to describing
- [Firmware Supply Chain Security Guide](https://safeguard.sh/resources/blog/firmware-supply-chain-security-guide): Firmware runs below the operating system, making it invisible to most security tools.
Compromised firmware can persist t
- [News Corp Breach: Chinese Espionage Targeted Journalists for Two Years](https://safeguard.sh/resources/blog/news-corp-china-espionage-breach): A China-linked espionage operation infiltrated News Corp's systems for nearly two years, targeting journalists covering
- [Polkit pkexec Privilege Escalation: CVE-2021-4034 (PwnKit)](https://safeguard.sh/resources/blog/polkit-pkexec-cve-2022-0847-dirty-pipe): A 12-year-old memory corruption bug in Polkit's pkexec gave any unprivileged local user instant root access on virtually
- [Rust Crate Supply Chain Security: Lessons from a Growing Ecosystem](https://safeguard.sh/resources/blog/rust-crate-supply-chain-security): As Rust adoption accelerates, its crate ecosystem faces the same supply chain threats that plague npm and PyPI. Here's w
- [Red Cross Data Breach: Attackers Targeted the World's Most Vulnerable People](https://safeguard.sh/resources/blog/red-cross-data-breach-2022): A sophisticated cyberattack on the International Committee of the Red Cross compromised personal data of over 515,000 hi
- [Log4j and the Maintainer Burnout Crisis Nobody Talks About](https://safeguard.sh/resources/blog/log4j-maintainer-burnout-lessons): The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the
- [Crypto.com Hack: $34 Million Stolen by Bypassing Two-Factor Authentication](https://safeguard.sh/resources/blog/crypto-com-hack-34-million): Attackers bypassed Crypto.com's two-factor authentication system to drain approximately $34 million from 483 user accoun
- [TypeScript Strict Mode Security Benefits: More Than Just Type Safety](https://safeguard.sh/resources/blog/typescript-strict-mode-security-benefits): TypeScript's strict mode catches entire categories of bugs at compile time.
Some of those bugs have direct security impl
- [colors.js and faker.js: When Maintainer Burnout Becomes a Supply Chain Crisis](https://safeguard.sh/resources/blog/colors-js-faker-js-open-source-maintainer-burnout): Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintaine
- [node-ipc Protestware: When a Maintainer Weaponized the Supply Chain](https://safeguard.sh/resources/blog/node-ipc-protestware-peacenotwar-supply-chain): The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files o
- [Software Supply Chain Attacks 2021: A Complete Timeline](https://safeguard.sh/resources/blog/software-supply-chain-attacks-2021-timeline): 2021 was the year software supply chain attacks went mainstream. From SolarWinds aftermath to Log4Shell, here's every ma
- [Container Image Vulnerabilities: 2021 Year in Review](https://safeguard.sh/resources/blog/container-image-vulnerabilities-2021-year-in-review): Container security matured significantly in 2021, but the vulnerability landscape in base images, registries, and runtim
- [CISA Known Exploited Vulnerabilities Catalog Launched](https://safeguard.sh/resources/blog/cisa-known-exploited-vulnerabilities-catalog-launched): CISA's KEV catalog changes vulnerability management from theoretical risk to confirmed exploitation. Here's what it mean
- [Detecting Log4Shell in Your Software Supply Chain](https://safeguard.sh/resources/blog/detecting-log4shell-in-your-software-supply-chain): Log4j isn't just in your code — it's in your vendors' code, your container base images, and your transitive dependencies
- [Log4Shell Impact Assessment and Remediation Guide](https://safeguard.sh/resources/blog/log4shell-impact-assessment-and-remediation-guide): You know Log4Shell is bad.
Now here's how to find every instance in your environment and fix it — including the edge cas
- [Kronos Ransomware Attack: When Payroll Systems Go Dark Before the Holidays](https://safeguard.sh/resources/blog/kronos-ransomware-attack-payroll): A ransomware attack on Ultimate Kronos Group disrupted payroll and workforce management for millions of workers at hospi
- [Log4Shell Vulnerability (CVE-2021-44228) Explained](https://safeguard.sh/resources/blog/log4shell-vulnerability-cve-2021-44228-explained): The most critical vulnerability in a decade dropped on a Friday. Log4Shell affects virtually every Java application and
- [Grafana CVE-2021-43798: Directory Traversal in Everyone's Favorite Dashboard Tool](https://safeguard.sh/resources/blog/grafana-cve-2021-43798-directory-traversal): CVE-2021-43798 allowed unauthenticated directory traversal in Grafana, exposing configuration files and credentials. Exp
- [gRPC Security Considerations for Microservice Architectures](https://safeguard.sh/resources/blog/grpc-security-considerations): gRPC powers high-performance microservice communication, but its binary protocol and code generation model introduce uni
- [Vendor Concentration Risk: When Your Entire Stack Depends on One Company](https://safeguard.sh/resources/blog/vendor-concentration-risk-software-supply-chain): Relying too heavily on a single vendor creates systemic risk that most organizations dramatically underestimate. Here is
- [Zero-Day Vulnerabilities in Open Source: 2021 in Review](https://safeguard.sh/resources/blog/zero-day-vulnerabilities-in-open-source-2021): 2021 saw a record number of zero-day exploits targeting open-source software.
From Log4Shell to ProxyShell, here's what
- [BGP Hijacking and Software Distribution Security](https://safeguard.sh/resources/blog/bgp-hijacking-software-distribution): BGP hijacking lets attackers reroute internet traffic at the network level, silently intercepting software downloads and
- [Panasonic Data Breach: Four Months of Undetected Network Access](https://safeguard.sh/resources/blog/panasonic-data-breach-november-2021): Panasonic disclosed a data breach in November 2021, revealing that attackers had maintained access to its network for ov
- [Zoho ManageEngine CVE-2021-44077: When IT Management Tools Get Owned](https://safeguard.sh/resources/blog/zoho-managengine-cve-2021-44077-exploitation): APT actors exploited CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus to breach critical infrastructure. An unauthen
- [Software Composition Analysis: The 2021 Buyer's Guide](https://safeguard.sh/resources/blog/software-composition-analysis-sca-buyers-guide): SCA tools have exploded in number and capability. Here's how to evaluate them without getting lost in vendor marketing.
- [XcodeGhost Revisited: How a Trojanized IDE Infected Thousands of iOS Apps](https://safeguard.sh/resources/blog/apple-macos-supply-chain-xcode-ghost): XcodeGhost compromised Apple's developer toolchain by distributing a modified Xcode IDE. Years later, the attack remains
- [Robinhood Data Breach: Social Engineering Strikes the Trading Platform](https://safeguard.sh/resources/blog/robinhood-data-breach-2021): A social engineering attack on a Robinhood customer support employee exposed personal data of approximately 7 million us
- [NTIA SBOM Minimum Elements: What Your SBOM Actually Needs to Contain](https://safeguard.sh/resources/blog/ntia-sbom-minimum-elements-guide): The NTIA published its minimum elements for SBOMs in July 2021.
Here's a practical breakdown of what's required, what's
- [Vulnerability Prioritization: Beyond CVSS Scores](https://safeguard.sh/resources/blog/vulnerability-prioritization-beyond-cvss-scores): CVSS scores alone lead to alert fatigue and misallocated resources. Here's how EPSS, reachability analysis, and exploit
- [Cream Finance DeFi Hack: $130 Million Stolen Through Flash Loan Exploit](https://safeguard.sh/resources/blog/cream-finance-defi-hack-130-million): Cream Finance suffered its third exploit in 2021, losing $130 million through a sophisticated flash loan attack that exp
- [The ua-parser-js npm Hijack of October 2021](https://safeguard.sh/resources/blog/ua-parser-js-npm-hijack-october-2021): An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the
- [Sigstore and Cosign: Software Signing for the Rest of Us](https://safeguard.sh/resources/blog/sigstore-cosign-software-signing-explained): Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rek
- [REvil Ransomware Shutdown: How Law Enforcement Took Down a Ransomware Empire](https://safeguard.sh/resources/blog/revil-ransomware-shutdown-law-enforcement): REvil was one of the most prolific ransomware-as-a-service operations until a coordinated law enforcement takedown disma
- [Python PyPI Malware Campaigns in 2021](https://safeguard.sh/resources/blog/python-pypi-malware-campaigns-2021): Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltrati
- [Apache HTTP Server CVE-2021-41773: A Path Traversal Bug That Should Have Been Caught in Code Review](https://safeguard.sh/resources/blog/apache-http-server-cve-2021-41773-path-traversal): CVE-2021-41773 allowed path traversal and RCE on Apache HTTP Server 2.4.49.
The fix was incomplete, leading to CVE-2021-
- [Twitch Source Code Leak: What 125GB of Exposed Data Tells Us About Internal Security](https://safeguard.sh/resources/blog/twitch-source-code-leak-october-2021): In October 2021, an anonymous hacker dumped Twitch's entire source code, internal tools, and creator payout data. The br
- [Docker Hub Malicious Images and Cryptomining Campaigns](https://safeguard.sh/resources/blog/docker-hub-malicious-images-cryptomining): Researchers found that millions of Docker Hub pulls go to images containing cryptominers, backdoors, and other malware.
- [Binary Analysis for Supply Chain Verification](https://safeguard.sh/resources/blog/binary-analysis-supply-chain-verification): When you can't audit source code, binary analysis becomes your last line of defense. Understanding how to verify compile
- [GitHub Actions Security: Hidden Supply Chain Risks](https://safeguard.sh/resources/blog/github-actions-security-supply-chain-risks): GitHub Actions workflows execute third-party code with access to your repository secrets. Most teams don't realize how m
- [Apple's iCloud CSAM Scanning Controversy: Privacy vs. Security at Scale](https://safeguard.sh/resources/blog/apple-icloud-csam-privacy-security): Apple's 2021 announcement of on-device CSAM scanning ignited a fierce debate about surveillance, encryption, and the bou
- [Travis CI Token Leak Retrospective](https://safeguard.sh/resources/blog/travis-ci-token-leak-retrospective-2021): Travis CI exposed secrets from public repo forks for weeks in 2021. Here is the exact defect, who was affected, and the
- [npm colors and faker Sabotage: When Maintainers Revolt](https://safeguard.sh/resources/blog/npm-colors-faker-sabotage-open-source-trust): The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects.
It raised u
- [Business Impact Analysis for Software Dependency Failures](https://safeguard.sh/resources/blog/business-impact-analysis-dependency-failures): Most BIAs ignore software dependencies entirely. Here is how to quantify the real business impact when a critical librar
- [GraphQL API Security Best Practices](https://safeguard.sh/resources/blog/graphql-api-security-best-practices): GraphQL gives clients extraordinary power over queries. That flexibility is also its biggest security risk. Here is how
- [ChaosDB: The Microsoft Azure Cosmos DB Vulnerability That Exposed Thousands of Databases](https://safeguard.sh/resources/blog/microsoft-cosmosdb-chaosdb-vulnerability): A critical vulnerability in Azure Cosmos DB allowed any user to gain full admin access to other customers' database inst
- [Third-Party Risk Management for Software Vendors: Beyond the Questionnaire](https://safeguard.sh/resources/blog/third-party-risk-management-software-vendors): Security questionnaires are still how most organizations evaluate vendor risk. They're also still mostly useless. Here's
- [Pegasus Spyware and NSO Group: The Supply Chain of Surveillance](https://safeguard.sh/resources/blog/pegasus-spyware-nso-group-supply-chain): The Pegasus Project revealed NSO Group's spyware targeting journalists, activists, and politicians through zero-click ex
- [SLSA Framework Introduction: Securing Supply Chain Integrity](https://safeguard.sh/resources/blog/slsa-framework-introduction-supply-chain-integrity): Google's SLSA framework provides a graduated model for supply chain integrity, from basic provenance to fully verified b
- [DevSecOps Maturity Model: Where Does Your Organization Stand?](https://safeguard.sh/resources/blog/devsecops-maturity-model-where-do-you-stand): Most teams claim they've adopted DevSecOps. Few have actually matured beyond running a scanner in CI.
Here's a practical - [Regular Expression Denial of Service (ReDoS): When Patterns Attack](https://safeguard.sh/resources/blog/redos-regular-expression-denial-of-service): A single poorly written regex can take down your server. ReDoS is a subtle denial-of-service vulnerability hiding in dep - [Securing CI/CD Pipelines from Supply Chain Attacks](https://safeguard.sh/resources/blog/securing-ci-cd-pipelines-from-supply-chain-attacks): CI/CD pipelines are the new attack surface. From poisoned dependencies to compromised build tools, here's how to lock do - [Accenture LockBit Ransomware Attack: When a Security Consultant Gets Hacked](https://safeguard.sh/resources/blog/accenture-lockbit-ransomware-attack): LockBit ransomware operators breached Accenture, a major global consulting firm, claiming to have stolen 6TB of data and - [ProxyShell: The Microsoft Exchange Exploit Chain That Wouldn't Stop](https://safeguard.sh/resources/blog/proxyshell-microsoft-exchange-exploitation): ProxyShell chained three Exchange vulnerabilities for unauthenticated remote code execution. Months after patches were a - [Typosquatting Attacks on npm and PyPI Explained](https://safeguard.sh/resources/blog/typosquatting-attacks-npm-pypi-explained): Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real exa - [DNS Hijacking and Its Supply Chain Implications](https://safeguard.sh/resources/blog/dns-hijacking-supply-chain-implications): DNS hijacking can redirect software updates, package downloads, and API calls to attacker-controlled servers. Here's how - [Open Source Security: State of the Union 2021](https://safeguard.sh/resources/blog/open-source-security-state-of-the-union-2021): Open source powers the modern internet, but its security model is under strain. 
Here's the 2021 landscape of open source - [Why Software Bill of Materials Matter](https://safeguard.sh/resources/blog/why-software-bill-of-materials-matter): SBOMs are the foundation of software supply chain security. Without knowing what's in your software, you can't secure it - [LinkedIn Data Scraping: 700 Million User Records Sold on the Dark Web](https://safeguard.sh/resources/blog/linkedin-data-scraping-700-million): A threat actor scraped data from 700 million LinkedIn users — 93% of the platform's user base — and put it up for sale, - [npm Package ua-parser-js Compromised: 8 Million Weekly Downloads Weaponized](https://safeguard.sh/resources/blog/npm-package-ua-parser-js-compromised): Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and pas - [Kaseya VSA Ransomware: A Supply Chain Analysis](https://safeguard.sh/resources/blog/kaseya-vsa-ransomware-supply-chain-analysis): REvil chained three zero-days in Kaseya VSA to push ransomware through 1,500 MSP customers on July 2, 2021. Here is the - [PrintNightmare CVE-2021-34527: The Windows Print Spooler Bug That Haunted Every Enterprise](https://safeguard.sh/resources/blog/printnightmare-cve-2021-34527-windows): PrintNightmare gave attackers SYSTEM-level access through the Windows Print Spooler service running on nearly every Wind - [Kaseya VSA Ransomware: Supply Chain Attack Hits 1,500 Businesses](https://safeguard.sh/resources/blog/kaseya-vsa-ransomware-supply-chain-attack): REvil exploited Kaseya's VSA platform to push ransomware to managed service providers and their customers. 
Up to 1,500 b - [Facebook Data Leak: 533 Million Users Exposed Through a Contact Import Feature](https://safeguard.sh/resources/blog/facebook-data-leak-533-million): Personal data from 533 million Facebook users across 106 countries was posted on a hacking forum, exposing phone numbers - [MessagePack Security Implications: Binary Serialization Risks](https://safeguard.sh/resources/blog/messagepack-security-implications): MessagePack is faster than JSON but shares some of JSON's security pitfalls while adding new ones. Here is what to watch - [Disaster Recovery Planning for Software Supply Chain Incidents](https://safeguard.sh/resources/blog/disaster-recovery-software-supply-chain-incidents): When a supply chain attack hits, your DR plan needs to cover more than just infrastructure failover. Here is how to prep - [Microsoft Exchange HAFNIUM Attack: Four Zero-Days That Compromised 30,000 Organizations](https://safeguard.sh/resources/blog/microsoft-exchange-hafnium-attack): Chinese state-sponsored group HAFNIUM exploited four zero-day vulnerabilities in Microsoft Exchange Server, compromising - [NIST SSDF Framework: A Practical Guide](https://safeguard.sh/resources/blog/nist-ssdf-framework-practical-guide): The Secure Software Development Framework (SSDF) is becoming the baseline for federal software security. Here's what it - [Pulse Secure VPN Zero-Day CVE-2021-22893: When Your Security Gateway Becomes the Backdoor](https://safeguard.sh/resources/blog/pulse-secure-vpn-cve-2021-22893): Chinese APT groups exploited CVE-2021-22893 in Pulse Secure VPN to breach defense contractors and government agencies. 
T - [Dependency Confusion Attacks Explained](https://safeguard.sh/resources/blog/dependency-confusion-attacks-explained): Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build - [JBS Foods Ransomware Attack: When Hackers Targeted the World's Meat Supply](https://safeguard.sh/resources/blog/jbs-foods-ransomware-supply-chain): REvil ransomware shut down the world's largest meat processor, disrupting supply chains across the US, Australia, and Ca - [Understanding SBOM Requirements Under EO 14028](https://safeguard.sh/resources/blog/understanding-sbom-requirements-under-eo-14028): Executive Order 14028 mandates SBOMs for federal software procurement. Here's a practical breakdown of what's required, - [Accellion FTA Breach: How a Legacy File Transfer Tool Became a Supply Chain Nightmare](https://safeguard.sh/resources/blog/accellion-fta-breach-supply-chain): The Accellion FTA breach hit over 100 organizations through a 20-year-old file transfer appliance. Here's what went wron - [Codecov Bash Uploader Compromise: A Supply Chain Attack on CI/CD](https://safeguard.sh/resources/blog/codecov-bash-uploader-compromise): Attackers modified Codecov's bash uploader script to steal environment variables from CI pipelines. Thousands of reposit - [SolarWinds SUNBURST: Lessons for Supply Chain Security](https://safeguard.sh/resources/blog/solarwinds-sunburst-lessons-for-supply-chain-security): The SolarWinds attack compromised 18,000 organizations through a single tampered update. Six months later, here's what t - [Executive Order 14028: What It Means for Software Supply Chain Security](https://safeguard.sh/resources/blog/executive-order-14028-software-supply-chain-security): President Biden's Executive Order 14028 redefined how the federal government approaches cybersecurity. 
Here's what every - [Colonial Pipeline Ransomware Attack: How a Single Password Shut Down America's Fuel Supply](https://safeguard.sh/resources/blog/colonial-pipeline-ransomware-attack-2021): The 2021 Colonial Pipeline attack exposed critical infrastructure vulnerabilities when a compromised VPN password led to - [Codecov Bash Uploader Compromise: A Retrospective](https://safeguard.sh/resources/blog/codecov-bash-uploader-compromise-retrospective): A single altered line in Codecov's Bash Uploader leaked CI secrets for 69 days across thousands of repos. Here is what a - [Software Escrow Agreements: The Security Layer Most Companies Forget](https://safeguard.sh/resources/blog/software-escrow-agreements-security-guide): Software escrow agreements protect your organization when a critical vendor goes dark. Here is how to structure them wit - [Rust Foundation Formation: Security Implications](https://safeguard.sh/resources/blog/rust-foundation-formation-security-implications): The Rust Foundation launched February 8, 2021. Here is what its formation actually changed for the security of Rust and - [SunBurst: A Supply Chain Attack Evolution Study](https://safeguard.sh/resources/blog/sunburst-supply-chain-attack-evolution-2020): The SolarWinds SunBurst campaign rewrote the supply chain threat model. 
Five years of research reveal what changed and w - [Shellshock, Five Years On: The Lessons That Stuck](https://safeguard.sh/resources/blog/shellshock-bash-vulnerability-lessons): Five years after CVE-2014-6271, Shellshock remains the clearest case study in how one interpreter bug becomes thousands - [Heartbleed at Five Years: A Practitioner Retrospective](https://safeguard.sh/resources/blog/heartbleed-openssl-five-year-retrospective): Five years after CVE-2014-0160, Heartbleed still shapes how we think about shared cryptographic libraries, disclosure et - [ASUS Live Update and ShadowHammer: The Backdoor](https://safeguard.sh/resources/blog/asus-live-update-backdoor-shadowhammer): Operation ShadowHammer pushed a signed backdoor to roughly half a million ASUS laptops, targeting a list of 600 specific - [XcodeGhost: When the Compiler Was the Attacker](https://safeguard.sh/resources/blog/xcodeghost-ios-compiler-supply-chain-2015): XcodeGhost in 2015 infected at least 128 million iOS users through a malicious Xcode download. It is still the cleanest - [event-stream: The Copay Attack That Rewrote npm](https://safeguard.sh/resources/blog/event-stream-npm-malicious-publish-2018): The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. 
The details still shape how we ev - [CCleaner 2017: Anatomy of a Quiet Supply Chain Hit](https://safeguard.sh/resources/blog/ccleaner-supply-chain-attack-2017-analysis): The CCleaner backdoor of 2017 was among the first modern build-system compromises to achieve mass distribution through a - [Equifax: The Supply Chain Angle Few Talked About](https://safeguard.sh/resources/blog/equifax-data-breach-supply-chain-angle): The 2017 Equifax breach is a case study in Apache Struts, inherited dependencies, and a vulnerability management process - [M.E.Doc and NotPetya: The Origin Story](https://safeguard.sh/resources/blog/ukrainian-m-e-doc-notpetya-origin-story): The forensic detail of how M.E.Doc's update server became the delivery mechanism for NotPetya, and what it means for sma - [NotPetya's Origin: A Supply Chain Story From Ukraine](https://safeguard.sh/resources/blog/notpetya-ukraine-supply-chain-origin): NotPetya is remembered as ransomware. It was not. It was a supply chain wiper that detonated through Ukrainian tax softw - [WannaCry's Supply Chain Dimensions](https://safeguard.sh/resources/blog/wannacry-ransomware-supply-chain-dimensions): WannaCry was not a supply chain attack in the usual sense. Its real supply chain story is EternalBlue, NSA leaks, and th ## Contact - Email: hi@safeguard.sh - Website: https://safeguard.sh