Safeguard
Tag

governance

Safeguard articles tagged "governance" — guides, analysis, and best practices for software supply chain and application security.

47 articles

AI Security

Death by a Thousand Tools: Governing an MCP Server at Scale

A 900-tool MCP server is powerful and terrifying in equal measure. The answer isn't fewer tools — it's per-tenant governance, where each capability is off until an admin turns it on.

Jul 9, 20264 min read
DevSecOps

The DevSecOps metrics that actually indicate program maturity

CISA's KEV directive now demands 3-day fixes for the riskiest bugs. Here's why raw finding counts are the wrong way to measure a DevSecOps program.

Jul 9, 20267 min read
Tutorials

How to Set Up a Vulnerability Policy Gate

Define a written, version-controlled policy for which vulnerabilities block a release, enforce it consistently across CLI and CI, and manage time-boxed exceptions without an allowlist that lives forever.

Jul 6, 20265 min read
AI Security

Governing MCP tools with per-tenant feature flags

Safeguard's MCP server exposes 650+ tools. Here's how per-tool feature flags keep each tenant scoped to exactly what it needs — with safe defaults and a fail-safe that narrows, never widens, on error.

Jul 6, 20263 min read
DevSecOps

Policy as Code for Security: A Practical Guide

When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.

Jul 4, 20266 min read
Solutions

Software Supply Chain Security for CISOs

The CISO does not write the vulnerable dependency, but answers for it to the board, the auditor, and the regulator. Here is how to run a supply chain program that stands up to all three.

Jul 1, 20266 min read
Regulatory Compliance

NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams

By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.

May 20, 202611 min read
Industry Insights

Linux Foundation versus Apache Software Foundation: how governance shapes supply-chain risk

Both foundations host critical software, but they organize it very differently. The Linux Foundation's project-by-project incubation model and the ASF's uniform graduation process produce different risk profiles for the consumers downstream.

May 15, 20268 min read
Open Source

A practical framework for assessing single-maintainer project risk

Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.

May 14, 20268 min read
Open Source

Maintainer burnout is a supply-chain risk: lessons from xz-utils

The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.

May 13, 20267 min read
Compliance

CISA Secure by Design Operational Guidance 2026

Translating CISA's Secure by Design pledge into operational engineering work in 2026, with the specific control mappings and evidence practices that hold up to audit.

May 8, 20265 min read
Open Source Security

OpenSSF's Maintainer Handoff Governance: From Burnout-Driven Sabotage to Structured Repository Transfer

After colors.js, event-stream, and the colors-faker sabotage incidents, the OpenSSF Securing Software Repositories WG drafted guidance for when registries should allow ownership transfer of long-standing projects. Here is the defender view.

Apr 15, 20266 min read
governance — Safeguard Blog