Safeguard
Topic

Concepts

In-depth guides and analysis on concepts from the Safeguard engineering team.

116 articles

Concepts

Understanding Open Source Security Risk

Open source powers nearly every modern application, but the code you inherit brings risks you did not write. This guide explains where open source risk comes from, how it reaches your product, and how to manage it without abandoning the ecosystem.

Jul 6, 20266 min read
Concepts

What Is a Security Advisory

A security advisory is an official notice that a product has a security flaw, plus how to fix it. Here is what advisories contain, who issues them, and how to act on one.

Jul 6, 20266 min read
Concepts

What Is ASPM (Application Security Posture Management)?

Application Security Posture Management (ASPM) unifies findings from every AppSec tool into one correlated, prioritized view of your risk. Here's what ASPM is, the tool-sprawl problem it solves, and how it differs from CSPM and ASOC.

Jul 6, 20266 min read
Concepts

What Is the in-toto Framework?

in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.

Jul 6, 20266 min read
Concepts

False Positives vs False Negatives: What's the Difference?

A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.

Jul 5, 20266 min read
Concepts

Introduction to Secure Software Development

Security is not a phase you bolt on at the end — it is a set of practices woven through every stage of building software. This guide introduces the secure development lifecycle, the practices that matter at each stage, and how to get started.

Jul 5, 20266 min read
Concepts

The Security Design Review: A Practical Guide

A security design review examines a system's architecture before it is built to find flaws that no code scanner can catch. Here's how to run one that finds real problems while they are still cheap to fix.

Jul 5, 20267 min read
Concepts

What Is a CVSS Score

A CVSS score rates how severe a security flaw is on a scale of 0 to 10. Here is what the number means, how to read it, and why it is only part of the risk picture.

Jul 5, 20266 min read
Concepts

What Is Shift-Left Security? A Plain-English Explanation

Shift-left security means moving security checks earlier in development — into the IDE, the commit, and the pull request — so flaws are caught while they're cheap to fix. Here's what it actually means and how to do it without slowing teams down.

Jul 5, 20267 min read
Concepts

What Is Sigstore?

Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.

Jul 5, 20266 min read
Concepts

What Is the LGPL License? Linking and Weak Copyleft

The GNU Lesser GPL is a weak-copyleft license designed for libraries. It lets proprietary software link to LGPL code without becoming GPL. Here is how the linking rules actually work.

Jul 5, 20266 min read
Concepts

Introduction to Vulnerability Scanning

Vulnerability scanning is how teams find known weaknesses before attackers do. This guide explains what a scanner actually does, the main types, how a scan works end to end, and how to turn a wall of findings into a short list of things worth fixing.

Jul 4, 20266 min read
Concepts (Page 2) — Supply Chain Security Blog | Safeguard