Safeguard
Tag

least-privilege

Safeguard articles tagged "least-privilege" — guides, analysis, and best practices for software supply chain and application security.

46 articles

Cloud Security

AWS IAM: common vulnerabilities and fixes

Rhino Security Labs catalogs 21+ IAM privilege-escalation paths to full admin — most start with one over-scoped policy nobody remembers writing.

Jul 16, 20266 min read
Best Practices

Ransomware defense strategy for engineering teams

Ransomware hit 44% of breaches in Verizon's 2025 DBIR, up from 32% a year prior. Here's the backup, access, and detection playbook that actually stops it.

Jul 15, 20266 min read
Cloud Security

Common AWS IAM privilege-escalation paths and how to design least privilege

Rhino Security Labs cataloged 21 distinct AWS IAM privilege-escalation methods in 2018 — most still work today, and most are invisible to a manifest scan.

Jul 14, 20266 min read
Best Practices

The security hygiene checklist most engineering orgs still skip

22% of breaches start with stolen credentials, per Verizon's 2025 DBIR. A quarter-long hygiene checklist — patching, MFA, secrets, least privilege — closes most of that gap.

Jul 14, 20266 min read
Kubernetes Security

A practical guide to least privilege in Kubernetes RBAC

One RBAC flaw, CVE-2018-1002105 (CVSS 9.8), let any authenticated user escalate to cluster-admin — here's how to actually scope roles so that never happens again.

Jul 13, 20266 min read
Cloud Security

Secure-by-design principles for cloud architecture: prevention over detection

The 2019 Capital One breach hit 700+ S3 buckets through one SSRF call. Secure-by-design architecture stops that path before it exists.

Jul 12, 20267 min read
Container Security

Container-handling security fundamentals: immutability, signing, and privilege drops

Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.

Jul 11, 20267 min read
Container Security

Container security: five best practices for provenance, runtime, and network

A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.

Jul 11, 20266 min read
AI Security

Least-privilege scoping for AI agents with write access to code, CI, and cloud

OWASP's 2025 LLM Top 10 names Excessive Agency a top risk; a single over-scoped CI token already dumped secrets from 23,000+ repos in 2025.

Jul 10, 20268 min read
Supply Chain Security

CI/CD pipeline hardening against supply chain attacks

23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.

Jul 10, 20267 min read
AI Security

The Security Chores Agents Should Handle Themselves

Enabling 2FA, rotating a password, revoking a stale session, minting a scoped key — the account-hygiene tasks everyone postpones. When an agent can do them through MCP, 'later' becomes 'now.'

Jul 9, 20264 min read
AI Security

Death by a Thousand Tools: Governing an MCP Server at Scale

A 900-tool MCP server is powerful and terrifying in equal measure. The answer isn't fewer tools — it's per-tenant governance, where each capability is off until an admin turns it on.

Jul 9, 20264 min read
least-privilege — Safeguard Blog