Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline
Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.
Cloud Marketplace Security: What AWS and Azure Listings Actually Verify
Buying software through AWS Marketplace or Azure Marketplace feels safe. But what security verification actually happens before a listing goes live?
Secure Package Publishing Checklist for Open Source Maintainers
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
pip Install Hooks Security: The Python Packaging Backdoor
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Internal Package Naming Best Practices to Prevent Dependency Confusion
The wrong naming convention for internal packages makes dependency confusion attacks trivial. Here is how to name packages so attackers cannot substitute them.
Python Wheel Security Verification: What You Are Missing
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Supply Chain Risk Scoring Algorithms: How They Work and Where They Fail
Risk scoring turns complex supply chain data into actionable numbers. But the algorithms behind these scores have assumptions and blind spots that security teams must understand.
NuGet Package Tampering Detection: Securing the .NET Supply Chain
NuGet packages can be tampered with at multiple points in the supply chain. Here is how to detect and prevent package tampering in your .NET projects.
Starjacking Attacks on Package Registries: Exploiting Repository Trust
Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.
npm Install Script Security: The Code That Runs Before Your Code
npm install scripts execute arbitrary code during package installation. They are the most exploited vector in JavaScript supply chain attacks.
Malware Analysis Techniques for Suspicious npm Packages
When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.
SBOMs for SaaS Products: What Customers Are Starting to Demand
SBOMs were originally for on-premises software. Now SaaS customers are asking for them too. Here is what that means and how to respond.