Industry Analysis
In-depth guides and analysis on industry analysis from the Safeguard engineering team.
294 articles
The emerging role of the AI security engineer
OWASP's 2025 LLM Top 10 ranks prompt injection #1 and calls it structurally unfixable by parameterization — a signal that AppSec skills alone no longer cover the job.
The State of Open Source Security: What a Year of Disclosure Data Shows
454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.
How the security industry is scaling partnerships for AI risk
No vendor covers model security, agent runtime policy, supply-chain risk, and code-level AppSec alone — partner-sourced ARR at one major vendor grew over 6x from 2023 to 2025.
MSSP and partner program models in AppSec
Checkmarx built an MSSP and partner program around code scanning. Here's how that model works, where it misses software supply chain risk, and what to check before signing.
The hidden cost of surface-level code security
Legacy SAST/SCA scanning piles up findings without context, quietly building code security debt whose hidden cost shows up in engineering hours, audits, and breaches.
Application Security Strategy for 2026: AI, DevSecOps, an...
AppSec platform consolidation is reshaping 2026 strategy. See how it compares to Veracode's approach and where Safeguard fits in a unified DevSecOps stack.
Financial services application security compliance
PCI DSS 4.0, DORA, and NYDFS 500 now demand provable SBOM and provenance evidence — see where legacy SCA tools like Black Duck fall short for financial services teams.
Medical device software security and compliance
FDA's 2023 cybersecurity mandate turned SBOMs into a submission gate. Here's what medical device makers actually need, and where legacy SCA tools like Black Duck fall short.
Public sector / government application security requirements
EO 14028, CISA's attestation form, and FedRAMP have made government application security compliance its own discipline. Here's what's required and where legacy SCA tools like Black Duck fall short.
Embedded software and ISV security programs
Black Duck built its business on binary composition analysis for embedded software. Here's what that approach misses in 2026, and what a modern ISV security program needs instead.
Automotive software security (connected/autonomous vehicles)
UN R155 and R156 are now mandatory for every vehicle sold in the EU, Japan, and Korea. Here's what automotive software security compliance actually requires, and where Black Duck falls short.
InnerSource Practices for Enterprise Development
InnerSource speeds up enterprise code reuse, but it also turns every internal team into an unaudited package publisher. Here's where governance breaks and how to fix it.