governance
Safeguard articles tagged "governance" — guides, analysis, and best practices for software supply chain and application security.
47 articles
Death by a Thousand Tools: Governing an MCP Server at Scale
A 900-tool MCP server is powerful and terrifying in equal measure. The answer isn't fewer tools — it's per-tenant governance, where each capability is off until an admin turns it on.
The DevSecOps metrics that actually indicate program maturity
CISA's KEV directive now demands 3-day fixes for the riskiest bugs. Here's why raw finding counts are the wrong way to measure a DevSecOps program.
How to Set Up a Vulnerability Policy Gate
Define a written, version-controlled policy for which vulnerabilities block a release, enforce it consistently across CLI and CI, and manage time-boxed exceptions without an allowlist that lives forever.
Governing MCP tools with per-tenant feature flags
Safeguard's MCP server exposes 650+ tools. Here's how per-tool feature flags keep each tenant scoped to exactly what it needs — with safe defaults and a fail-safe that narrows, never widens, on error.
Policy as Code for Security: A Practical Guide
When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.
Software Supply Chain Security for CISOs
The CISO does not write the vulnerable dependency, but answers for it to the board, the auditor, and the regulator. Here is how to run a supply chain program that stands up to all three.
NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams
By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.
Linux Foundation versus Apache Software Foundation: how governance shapes supply-chain risk
Both foundations host critical software, but they organize it very differently. The Linux Foundation's project-by-project incubation model and the ASF's uniform graduation process produce different risk profiles for the consumers downstream.
A practical framework for assessing single-maintainer project risk
Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.
Maintainer burnout is a supply-chain risk: lessons from xz-utils
The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.
CISA Secure by Design Operational Guidance 2026
Translating CISA's Secure by Design pledge into operational engineering work in 2026, with the specific control mappings and evidence practices that hold up to audit.
OpenSSF's Maintainer Handoff Governance: From Burnout-Driven Sabotage to Structured Repository Transfer
After colors.js, event-stream, and the colors-faker sabotage incidents, the OpenSSF Securing Software Repositories WG drafted guidance for when registries should allow ownership transfer of long-standing projects. Here is the defender view.