compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
432 articles
Designing tamper-evident CloudTrail logging across an AWS organization
AWS CloudTrail's default event history holds only 90 days. A centralized, hash-validated org trail is what actually survives an incident or an audit.
Security compliance frameworks cheat sheet: SOC 2, ISO 27001, PCI DSS, HIPAA
SOC 2, ISO 27001, PCI DSS 4.0, and HIPAA share roughly the same engineering controls — build them once and stop re-implementing access control four times.
FedRAMP Moderate: What It Actually Requires From Your Security Architecture
FedRAMP Moderate maps to roughly 300 NIST 800-53 controls — and FedRAMP 20x is now replacing the old triennial paperwork cycle with continuous evidence.
What healthtech AppSec needs beyond generic security practices
242.9 million records were exposed in 2024 HIPAA breaches. Generic AppSec checklists don't satisfy FDA premarket SBOM rules or a pending HIPAA rewrite.
What CISA's Secure by Design Pledge Actually Requires
CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.
The DevSecOps metrics that actually indicate program maturity
CISA's KEV directive now demands 3-day fixes for the riskiest bugs. Here's why raw finding counts are the wrong way to measure a DevSecOps program.
A Practical Guide to EU Cyber Resilience Act Compliance
The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.
A HIPAA technical safeguards checklist for application security teams
HHS reported 663 large healthcare breaches in 2024 exposing 242.9M records. Here's how §164.312's technical safeguards map to concrete app-sec controls.
The 2026 SBOM compliance guide: where a software bill of materials is now required
SBOM requirements have spread from a single US executive order to regulations across sectors and continents. Here's a framework-by-framework map of where you need one in 2026.
CCPA and CPRA for Developers: What the Code Actually Has to Do
California's privacy laws are usually framed as a legal problem, but honoring opt-outs, deleting data, and maintaining reasonable security are engineering problems. Here's the developer's view of CCPA and CPRA.
Data Residency and Security: FAQ
Where your data lives, what actually leaves your boundary, region pinning, customer-held keys, and how residency differs from sovereignty in a security platform.
DORA compliance for financial services: the software supply chain angle
The Digital Operational Resilience Act is now in force across EU financial services. Here's how its five pillars reach into your software supply chain and ICT third parties.