Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline

Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.

Sep 8, 20234 min read
Software Supply Chain Security

Cloud Marketplace Security: What AWS and Azure Listings Actually Verify

Buying software through AWS Marketplace or Azure Marketplace feels safe. But what security verification actually happens before a listing goes live?

Sep 8, 20234 min read
Software Supply Chain Security

Secure Package Publishing Checklist for Open Source Maintainers

Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.

Aug 28, 20237 min read
Software Supply Chain Security

pip Install Hooks Security: The Python Packaging Backdoor

Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.

Aug 18, 20234 min read
Software Supply Chain Security

Internal Package Naming Best Practices to Prevent Dependency Confusion

The wrong naming convention for internal packages makes dependency confusion attacks trivial. Here is how to name packages so attackers cannot substitute them.

Aug 8, 20234 min read
Software Supply Chain Security

Python Wheel Security Verification: What You Are Missing

Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.

Jul 22, 20235 min read
Software Supply Chain Security

Supply Chain Risk Scoring Algorithms: How They Work and Where They Fail

Risk scoring turns complex supply chain data into actionable numbers. But the algorithms behind these scores have assumptions and blind spots that security teams must understand.

Jul 18, 20237 min read
Software Supply Chain Security

NuGet Package Tampering Detection: Securing the .NET Supply Chain

NuGet packages can be tampered with at multiple points in the supply chain. Here is how to detect and prevent package tampering in your .NET projects.

Jul 5, 20235 min read
Software Supply Chain Security

Starjacking Attacks on Package Registries: Exploiting Repository Trust

Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.

Jul 5, 20235 min read
Software Supply Chain Security

npm Install Script Security: The Code That Runs Before Your Code

npm install scripts execute arbitrary code during package installation. They are the most exploited vector in JavaScript supply chain attacks.

Jun 2, 20234 min read
Software Supply Chain Security

Malware Analysis Techniques for Suspicious npm Packages

When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.

May 15, 20236 min read
Software Supply Chain Security

SBOMs for SaaS Products: What Customers Are Starting to Demand

SBOMs were originally for on-premises software. Now SaaS customers are asking for them too. Here is what that means and how to respond.

May 8, 20234 min read
Software Supply Chain Security (Page 13) — Supply Chain Security Blog | Safeguard