Concepts
In-depth guides and analysis on concepts from the Safeguard engineering team.
116 articles
What is a Trusted Publisher (PyPI and npm)
A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.
What Is a Nonce? The Number Used Once in Cryptography
A nonce is a value used a single time to keep cryptographic operations fresh and stop attackers from replaying old messages. Small idea, outsized importance.
What Is End-to-End Encryption? Privacy From Sender to Recipient
End-to-end encryption keeps data readable only by the sender and intended recipient, so not even the service carrying the message can see its contents.
What Is a Certificate Authority? The Root of Digital Trust
A certificate authority is the trusted third party that vouches for who owns a public key. It is the reason your browser can trust a website it has never seen before.
What Is Key Management? Protecting the Keys That Protect Everything
Key management is the discipline of generating, storing, rotating, and retiring cryptographic keys safely. Strong encryption is only as good as the way its keys are handled.
What Is Mutual TLS (mTLS)? Two-Way Authentication Explained
Mutual TLS makes both sides of a connection prove their identity with certificates, not just the server. It is the backbone of zero-trust communication between services.
What Is TLS? Transport Layer Security Explained
TLS is the protocol that encrypts data in transit across the internet, turning the padlock in your browser into real protection against eavesdropping and tampering.
What Is Hashing? A Plain-English Guide to One-Way Functions
Hashing turns any input into a fixed-size fingerprint that cannot be reversed. It quietly powers password storage, integrity checks, and digital signatures across modern software.
What is Continuous Compliance Monitoring
Continuous compliance monitoring replaces the annual audit scramble with automated, always-on checks that map live system evidence to control requirements.
What is a Post-Quantum Migration Plan
A post-quantum migration plan is your inventory-and-replacement roadmap from RSA and ECC to ML-KEM and ML-DSA. Here's what a credible one contains, step by step.
What is a Package Registry Mirror
A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.
What Is ABAC (Attribute-Based Access Control)
ABAC decides access by evaluating attributes of the user, resource, action, and environment against policy rules. Learn how it works and when to choose it over roles.