compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
SOX Compliance for Software: IT General Controls and the Supply Chain
Sarbanes-Oxley is a financial-reporting law, but it reaches deep into the software that produces the numbers. Here's how IT general controls, change management, and dependency integrity fit under SOX.
How to Set Up a Vulnerability Policy Gate
Define a written, version-controlled policy for which vulnerabilities block a release, enforce it consistently across CLI and CI, and manage time-boxed exceptions without an allowlist that lives forever.
SOC 2 and software supply chain security: mapping the Trust Services Criteria
SOC 2 never says the words 'software bill of materials,' but auditors increasingly expect supply-chain evidence. Here's how the Trust Services Criteria map to your dependencies.
ISO 27001 vs SOC 2: Which Certification Matters More
ISO 27001 and SOC 2 answer different questions. Here's how to read both when vetting supply chain security vendors like Snyk and Safeguard.
The FedRAMP Authorization Guide: Paths, Baselines, and Continuous Monitoring
FedRAMP is how cloud products earn the right to sell to U.S. federal agencies. Here's how the authorization paths work, what the NIST 800-53 baselines require, and where your software supply chain gets scrutinized.
The NIST Secure Software Development Framework (SSDF), explained
NIST SP 800-218 is the framework behind federal secure-development attestations. Here's what its four practice groups ask of you and how to produce the evidence.
Checkmarx vs Veracode: A Neutral AppSec Comparison for 2026
Checkmarx and Veracode are both enterprise application security platforms with deep SAST roots, but they differ in analysis method and deployment model. An honest side-by-side, plus where a third option fits.
The HIPAA Security Rule for Software Teams: Safeguards, Structure, and Change Ahead
The HIPAA Security Rule is technology-neutral by design, but its administrative, physical, and technical safeguards translate into concrete engineering work. Here's how the rule is structured and how a proposed 2025 overhaul could tighten it.
Policy as Code for Security: A Practical Guide
When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.
SBOMs and Executive Order 14028: how a 2021 order reshaped software supply chain policy
Executive Order 14028 made the software bill of materials a matter of federal policy. Here's the story of how it happened, what it requires, and what it means for you in 2026.
Software Supply Chain Security for Compliance Officers
For compliance officers, supply chain security is an evidence problem before it is a technical one. Here is how to map controls to frameworks, keep evidence current, and pass an audit without turning your engineers into a documentation team.
CMMC 2.0 Explained: What Defense Contractors and Their Software Must Do
CMMC 2.0 turns NIST SP 800-171 into a certification requirement for the defense supply chain. Here's how the three levels work, who assesses them, and where your software components fit.