governance
Safeguard articles tagged "governance" — guides, analysis, and best practices for software supply chain and application security.
47 articles
Measuring AppSec Program Effectiveness in 2026
The metrics that actually distinguish high-functioning application security programs from theater, with concrete formulas and reporting cadences for 2026.
CISO FAQ: Software Supply Chain Security 2026
The questions CISOs actually ask about software supply chain security in 2026: scope, budget, reporting lines, SBOMs, AI code, and where to start.
Enterprise RAG Security Rollout Antipatterns
Retrieval-augmented generation systems are where enterprise AI meets enterprise data, and where most security rollouts stumble. A catalog of the antipatterns we keep seeing.
Build a Software Supply Chain Program in 90 Days
A pragmatic, phase-by-phase blueprint for standing up a credible software supply chain security program inside a single fiscal quarter without boiling the ocean.
Enterprise AI Security Rollout: The Governance Gap
Most enterprises rolled out AI-for-security tools faster than their governance processes could keep up. The resulting gap is where most of the pain from 2025 deployments lives.
Gemini 2.5 Pro and the Late Safety Report
Google released Gemini 2.5 Pro Experimental on March 25, 2025 without a contemporaneous safety report. The UK reaction set a precedent.
Open Source Maintainer Succession Planning: A Supply Chain Imperative
When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession planning for critical open source projects.
The CVE Program Funding Crisis: What Happened and What It Means
The CVE program nearly lost its funding in early 2025, exposing deep structural risks in how we track vulnerabilities. Here is what happened and where we go from here.
Writing a Deprecation Policy for Third-Party Components
End-of-life libraries leave codebases only when something forces them out. A written component deprecation policy with triggers, timelines, and CI gates does the forcing on your schedule, not an attacker's.
NIST CSF 2.0 Rollout: Field Observations
NIST CSF 2.0 added the Govern function, broadened the target audience, and clarified supply chain expectations. Field observations from the first year of adoption.
Foundation-Neutral Governance Evaluation
CNCF, Linux Foundation, Apache, Eclipse — each has a different governance model. A practical evaluation of what that means for projects considering adoption.
Open Source Foundation Governance Models
The Linux Foundation, Apache Software Foundation, CNCF, and Eclipse each codify different theories of how open source projects should be governed. The differences matter more than most adopters realize.