Concepts
In-depth guides and analysis on concepts from the Safeguard engineering team.
116 articles
Understanding Open Source Security Risk
Open source powers nearly every modern application, but the code you inherit brings risks you did not write. This guide explains where open source risk comes from, how it reaches your product, and how to manage it without abandoning the ecosystem.
What Is a Security Advisory
A security advisory is an official notice that a product has a security flaw, plus how to fix it. Here is what advisories contain, who issues them, and how to act on one.
What Is ASPM (Application Security Posture Management)?
Application Security Posture Management (ASPM) unifies findings from every AppSec tool into one correlated, prioritized view of your risk. Here's what ASPM is, the tool-sprawl problem it solves, and how it differs from CSPM and ASOC.
What Is the in-toto Framework?
in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.
False Positives vs False Negatives: What's the Difference?
A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.
Introduction to Secure Software Development
Security is not a phase you bolt on at the end — it is a set of practices woven through every stage of building software. This guide introduces the secure development lifecycle, the practices that matter at each stage, and how to get started.
The Security Design Review: A Practical Guide
A security design review examines a system's architecture before it is built to find flaws that no code scanner can catch. Here's how to run one that finds real problems while they are still cheap to fix.
What Is a CVSS Score
A CVSS score rates how severe a security flaw is on a scale of 0 to 10. Here is what the number means, how to read it, and why it is only part of the risk picture.
What Is Shift-Left Security? A Plain-English Explanation
Shift-left security means moving security checks earlier in development — into the IDE, the commit, and the pull request — so flaws are caught while they're cheap to fix. Here's what it actually means and how to do it without slowing teams down.
What Is Sigstore?
Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.
What Is the LGPL License? Linking and Weak Copyleft
The GNU Lesser GPL is a weak-copyleft license designed for libraries. It lets proprietary software link to LGPL code without becoming GPL. Here is how the linking rules actually work.
Introduction to Vulnerability Scanning
Vulnerability scanning is how teams find known weaknesses before attackers do. This guide explains what a scanner actually does, the main types, how a scan works end to end, and how to turn a wall of findings into a short list of things worth fixing.