Safeguard
Tag

compliance

Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.

435 articles

Product

Cloud Scanning vs Hybrid Scanning: Deployment Models for ...

SaaS vs self-hosted SCA deployment compared on data residency, air-gap support, and audit scope, with a look at how Safeguard's flexible deployment model differs from cloud-only platforms.

May 20, 20268 min read
Compliance

NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026

The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.

May 14, 20268 min read
Enterprise

"Enterprise-Grade Security": What the Label Should Actually Mean

Enterprise grade security is a marketing phrase until it's backed by specific controls — here's what to actually check before a vendor's claim earns the label.

May 14, 20264 min read
Compliance

EO 14028 producer self-attestation: where the CISA Form sits in 2026

The CISA Secure Software Development Attestation Form went live in March 2024. Two years and several revisions later, here is what producers actually have to attest, and where the common gotchas are.

May 14, 20268 min read
AI Security

ISO 42001 and AI Management Systems for Security Teams

ISO 42001 makes AI governance auditable and certifiable. Here's what security teams need to build an AIMS, where Endor Labs' AI code-risk scoring falls short, and how Safeguard closes the gap.

May 14, 20267 min read
SBOM & Compliance

PCI DSS Requirements for Application Security Testing

PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.

May 14, 20267 min read
Compliance

State Privacy Laws 2025-2026: The Security Mandates Hidden Inside

Twenty state comprehensive privacy laws are in force by 2026. Most carry baseline security mandates that security teams - not just privacy lawyers - must operationalize.

May 13, 20267 min read
Compliance

DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026

BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.

May 13, 20268 min read
Compliance

FTC Section 5 and software security: how 'unfair practices' became a supply chain doctrine

The Federal Trade Commission has spent the last several years building a software-security enforcement theory under Section 5. Drizly, SolarWinds, and Henry Schein each contributed pieces of the framework.

May 13, 20268 min read
Compliance

SOC 2 compliance guide for engineering teams

SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.

May 13, 20267 min read
Compliance

ISO 27001 compliance for software development teams

ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.

May 13, 20268 min read
Compliance

CISA's Secure-by-Design pledge two years in: vendor commitments and procurement effects

CISA's Secure-by-Design pledge launched in April 2024 with seven voluntary goals. Two years later, signatories are publishing progress reports and procurement teams are starting to ask hard questions.

May 12, 20268 min read
compliance (Page 9) — Safeguard Blog