best-practices
Safeguard articles tagged "best-practices" — guides, analysis, and best practices for software supply chain and application security.
105 articles
The Complete Guide to Dependency Lifecycle Management
Dependencies are not static. They are born, maintained, deprecated, and abandoned. Here is how to manage the full lifecycle of your software dependencies.
Container SBOM Generation: Best Practices for 2025
Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accurate SBOMs for containerized applications.
SBOM Quality Metrics: Moving Beyond Completeness
Most SBOM quality discussions stop at completeness. Real quality requires measuring accuracy, freshness, depth, and actionability. Here is a practical framework.
Bounty Program Scoping for Dependencies
How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.
Coordinated Disclosure Zero-Day Playbook
A playbook for coordinated disclosure of zero-day vulnerabilities, covering timelines, stakeholder management, embargo discipline, and the judgement calls in between.
Container Security Best Practices for 2025: Beyond Image Scanning
Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.
AWS IAM Roles Anywhere and the Supply Chain
IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.
AWS SSM Parameter Store Security
Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.
Azure App Service Deployment Security
App Service deployments are easy, which is the problem. A look at the deployment paths, credential surfaces, and hardening steps that matter for production workloads.
GCP Pub/Sub Security Configuration
A working security configuration for GCP Pub/Sub: topic and subscription IAM, message encryption, VPC Service Controls, dead-letter handling, and the failure modes that turn a messaging layer into an attack surface.
Doppler Enterprise Secrets Platform Reviewed
Doppler pitches itself as the secrets platform that gets out of developers' way. A detailed look at what works, what does not, and the trade-offs against Vault, Infisical, and the cloud-native options.
AWS Step Functions Workflow Security
Step Functions workflows orchestrate everything from data pipelines to security automations. The workflow IAM role is almost always the most powerful thing in the stack. Here is how to lock it down.