Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Post-Breach Supply Chain Hardening: Lessons from Real Incidents

After a supply chain breach, the remediation window is your best opportunity to implement controls that should have existed before the incident. This guide covers what to harden and in what order.

Apr 22, 20237 min read
Software Supply Chain Security

Maven Plugin Verification: Trusting Your Build-Time Dependencies

Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.

Apr 15, 20234 min read
Software Supply Chain Security

Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism

Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.

Apr 8, 20234 min read
Software Supply Chain Security

Cross-Language Dependency Analysis: Bridging npm, pip, Maven, and Beyond

Modern applications use multiple languages and package ecosystems. Analyzing dependencies across these boundaries requires techniques that single-ecosystem tools cannot provide.

Mar 18, 20236 min read
Software Supply Chain Security

Go Module Checksum Database: How It Secures Your Dependencies

Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here is how it works and where it falls short.

Mar 18, 20235 min read
Software Supply Chain Security

Maven Dependency Resolution Attacks: Exploiting Java's Build System

Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.

Mar 5, 20235 min read
Software Supply Chain Security

Automating Typosquatting Detection for Package Registries

Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorithms, behavioral analysis, and registry monitoring can catch malicious packages before they reach your builds.

Mar 5, 20235 min read
Software Supply Chain Security

Symlink Attacks in Package Managers: Following Links to Trouble

Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick still works against modern tools.

Jan 8, 20234 min read
Software Supply Chain Security

Cargo Build Script Security: What build.rs Can Do to Your Machine

Rust build scripts run arbitrary code during compilation. Here is what they can access and how to evaluate the risk in your dependency tree.

Dec 8, 20224 min read
Software Supply Chain Security

Rust Adoption in Security-Critical Software: Where We Stand

Rust promises memory safety without garbage collection. Here is an honest look at where adoption stands and what it means for supply chain security.

Nov 12, 20226 min read
Software Supply Chain Security

Software Supply Chain Forensics: Investigation Techniques After a Compromise

When a supply chain compromise is confirmed or suspected, forensic investigation must trace the attack path through dependencies, build systems, and artifacts. This guide covers the methodology.

Nov 12, 20227 min read
Software Supply Chain Security

Software Update Signing and Verification: Getting It Right

Signed updates are table stakes for software distribution. But the signing and verification process has pitfalls that undermine the entire security model.

Nov 8, 20225 min read
Software Supply Chain Security (Page 14) — Supply Chain Security Blog | Safeguard