Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Post-Breach Supply Chain Hardening: Lessons from Real Incidents
After a supply chain breach, the remediation window is your best opportunity to implement controls that should have existed before the incident. This guide covers what to harden and in what order.
Maven Plugin Verification: Trusting Your Build-Time Dependencies
Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.
Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism
Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.
Cross-Language Dependency Analysis: Bridging npm, pip, Maven, and Beyond
Modern applications use multiple languages and package ecosystems. Analyzing dependencies across these boundaries requires techniques that single-ecosystem tools cannot provide.
Go Module Checksum Database: How It Secures Your Dependencies
Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here is how it works and where it falls short.
Maven Dependency Resolution Attacks: Exploiting Java's Build System
Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.
Automating Typosquatting Detection for Package Registries
Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorithms, behavioral analysis, and registry monitoring can catch malicious packages before they reach your builds.
Symlink Attacks in Package Managers: Following Links to Trouble
Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick still works against modern tools.
Cargo Build Script Security: What build.rs Can Do to Your Machine
Rust build scripts run arbitrary code during compilation. Here is what they can access and how to evaluate the risk in your dependency tree.
Rust Adoption in Security-Critical Software: Where We Stand
Rust promises memory safety without garbage collection. Here is an honest look at where adoption stands and what it means for supply chain security.
Software Supply Chain Forensics: Investigation Techniques After a Compromise
When a supply chain compromise is confirmed or suspected, forensic investigation must trace the attack path through dependencies, build systems, and artifacts. This guide covers the methodology.
Software Update Signing and Verification: Getting It Right
Signed updates are table stakes for software distribution. But the signing and verification process has pitfalls that undermine the entire security model.