Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
Code Signing Infrastructure Breach Response
A compromised signing key is the quietest crisis in security. A concrete playbook for responding when your code signing infrastructure is implicated.
AWS IAM Roles Anywhere and the Supply Chain
IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.
Forking Strategy for Enterprise OSS
Forking was once a last resort. In 2024 it became a standard response to license changes, governance failures, and stalled projects. A good forking strategy is now an enterprise competency.
Scoping a Vulnerability Bounty Program for Supply Chain
How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.
EHR System Dependency Governance
Electronic Health Record platforms carry decades of transitive dependencies. A practical governance model for hospitals, vendors, and compliance officers.
On-Prem to Cloud Supply Chain Continuity
A year inside a financial services cloud migration, and how to keep your software supply chain intact when everything else about the environment changes.
React Native Supply Chain Risks in 2024
React Native bundles native modules, JavaScript dependencies, and CodePush-style OTA updates into one app. The supply chain is vast and the remediation path is slower than web apps. Here is where it actually goes wrong.
AWS SSM Parameter Store Security
Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.
Package Registry Forensic Log Analysis
Extracting investigative signal from package registry logs — publish events, download patterns, and account activity — during a supply chain incident.
Azure App Service Deployment Security
App Service deployments are easy, which is the problem. A look at the deployment paths, credential surfaces, and hardening steps that matter for production workloads.
GCP Pub/Sub Security Configuration
A working security configuration for GCP Pub/Sub: topic and subscription IAM, message encryption, VPC Service Controls, dead-letter handling, and the failure modes that turn a messaging layer into an attack surface.
Doppler Enterprise Secrets Platform Reviewed
Doppler pitches itself as the secrets platform that gets out of developers' way. A detailed look at what works, what does not, and the trade-offs against Vault, Infisical, and the cloud-native options.