compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
Cloud Scanning vs Hybrid Scanning: Deployment Models for ...
SaaS vs self-hosted SCA deployment compared on data residency, air-gap support, and audit scope, with a look at how Safeguard's flexible deployment model differs from cloud-only platforms.
NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026
The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.
"Enterprise-Grade Security": What the Label Should Actually Mean
Enterprise grade security is a marketing phrase until it's backed by specific controls — here's what to actually check before a vendor's claim earns the label.
EO 14028 producer self-attestation: where the CISA Form sits in 2026
The CISA Secure Software Development Attestation Form went live in March 2024. Two years and several revisions later, here is what producers actually have to attest, and where the common gotchas are.
ISO 42001 and AI Management Systems for Security Teams
ISO 42001 makes AI governance auditable and certifiable. Here's what security teams need to build an AIMS, where Endor Labs' AI code-risk scoring falls short, and how Safeguard closes the gap.
PCI DSS Requirements for Application Security Testing
PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.
State Privacy Laws 2025-2026: The Security Mandates Hidden Inside
Twenty state comprehensive privacy laws are in force by 2026. Most carry baseline security mandates that security teams - not just privacy lawyers - must operationalize.
DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026
BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.
FTC Section 5 and software security: how 'unfair practices' became a supply chain doctrine
The Federal Trade Commission has spent the last several years building a software-security enforcement theory under Section 5. Drizly, SolarWinds, and Henry Schein each contributed pieces of the framework.
SOC 2 compliance guide for engineering teams
SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.
ISO 27001 compliance for software development teams
ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.
CISA's Secure-by-Design pledge two years in: vendor commitments and procurement effects
CISA's Secure-by-Design pledge launched in April 2024 with seven voluntary goals. Two years later, signatories are publishing progress reports and procurement teams are starting to ask hard questions.