compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
DORA regulation deep dive: ICT risk, testing, and third-party rules
The Digital Operational Resilience Act applies to EU financial entities and their ICT providers. Here are the five pillars, the register of information, and what your software supply chain now has to withstand.
NIS2 Directive explained: the software and supply-chain obligations
NIS2 rewired EU cybersecurity law around supply-chain security, vulnerability handling, and 24-hour incident reporting. Here is who is in scope and what your software teams now have to prove.
SOC 2 Compliance FAQ: Trust Services Criteria, Type II, and Evidence
A precise FAQ on SOC 2 in 2026 — what it is, Type I vs Type II, the five Trust Services Criteria, observation periods, who performs the audit, and the evidence auditors actually test.
Software Supply Chain Security for Financial Services
Banks, insurers, and fintechs now answer to DORA, PCI DSS 4.0, NYDFS 500, and SEC disclosure rules for the software they depend on. Here is what a supply chain security program needs, and how Safeguard delivers it.
What is the EU Cyber Resilience Act (CRA)? A software supply chain guide
The Cyber Resilience Act sets binding cybersecurity rules for products with digital elements sold in the EU. Here's who it covers, what it demands of software, and how to prepare before the 2027 deadline.
What Is the MIT License? A Plain-English Guide
The MIT License is one of the shortest and most permissive open-source licenses in existence. Here is exactly what it lets you do, what it requires, and what it means for compliance.
SBOM as a supply chain defense strategy
SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.
PCI DSS compliance for application security teams
PCI DSS 4.0's software inventory rules are enforced since March 2025. Here's why scanner-only tools like Checkmarx miss Requirements 6.3.2, 6.4.3, and 11.6.1.
HIPAA requirements and application security
HIPAA's Security Rule ties ePHI protection to application security, but scanner tools like Checkmarx rarely map findings to 45 CFR safeguards. Here's what compliance teams actually need.
SOC 2 Type II and vendor trust in AppSec tooling
Why SOC 2 Type II compliance is the real trust signal for AppSec vendors, where Checkmarx's public evidence falls short, and how Safeguard makes its audit trail verifiable.
Veracode Trust Center walkthrough / vendor security trans...
What Veracode's trust center actually proves about vendor security — and why SOC 2 reports don't answer software supply chain questions like SBOM and build provenance.
Software Development Lifecycle (SDLC) security
A secure SDLC needs more than periodic scans. See where Veracode's upload-and-scan model leaves supply chain gaps, and how continuous, provenance-aware security closes them.