compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
Achieving PCI DSS compliance through AppSec testing
PCI DSS 4.0 made application security testing mandatory, not optional. Here's what auditors check, where scanner-only programs fail, and how to close the gaps.
HIPAA application security validation testing
A 2025 HHS rule proposes fixed testing cadences for HIPAA. Heres what security testing requirements demand now, and how Safeguard closes the gaps Veracode leaves.
FedRAMP Moderate authorization and AppSec controls
Veracode's FedRAMP Moderate authorization is a procurement accelerant, not proof of AppSec efficacy. Here's what the badge covers, what it doesn't, and what federal buyers should verify.
DORA (Digital Operational Resilience Act) and code-level ...
DORA turns code-level and open-source risk into a regulatory obligation. Here's what dora compliance software security actually requires, and where tools like Veracode fall short.
Application Security for the Public Sector: What's Different
Application security for public sector agencies runs under FedRAMP, StateRAMP, and Executive Order 14028 SBOM mandates that private-sector programs rarely have to satisfy on the same timeline.
ISO 27001/27002 mapping for application security controls
ISO 27001:2022 maps 10+ Annex A controls directly to secure development. Here's how to evidence them, and where SAST-only tools like Veracode fall short.
NIST SP 800-53 control mapping for AppSec
How NIST SP 800-53's SA, RA, and SR control families map to modern AppSec — and where legacy scanners like Veracode leave supply-chain evidence gaps.
SOC 2 Type II reporting for AppSec vendors and buyers
A SOC 2 Type II badge isn't enough due diligence for AppSec vendors. Here's what to actually check in the report—scope, exceptions, and subservice carve-outs—before you trust one.
Why a Customer Trust Center matters for vendor risk reviews
Vendor security reviews stall without a live trust center. See what appsec teams check, how Veracode approaches transparency, and how Safeguard's trust center speeds reviews.
Applying CIS Benchmarks to cloud infrastructure
CIS Benchmarks turn "be secure" into testable checks for AWS, Azure, and GCP — here's how to move from annual audit to continuous enforcement.
What open source scans miss in M&A due diligence
Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.
What is a Software Bill of Materials workflow (SPDX/SBOM)...
A practical breakdown of SPDX-based SBOM compliance workflows — NTIA rules, EU CRA and FDA deadlines, where Black Duck falls short, and how continuous SBOM generation closes the gap.