Policy
Safeguard articles tagged "Policy" — guides, analysis, and best practices for software supply chain and application security.
23 articles
EU Cyber Solidarity Act: Regulation 2025/38 in Force
Regulation (EU) 2025/38 entered into force on 4 February 2025, establishing an EU Cybersecurity Reserve, alert system of cross-border hubs, and ENISA-led incident review mechanism.
RubyGems Reserved Namespace Claims
A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.
GCP Binary Authorization Policy Patterns
Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.
Cosign Verification Policies in Production
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
Executive Order 14028, Three Years Later: Progress, Gaps, and What Comes Next
Three years after the landmark cybersecurity executive order, SBOM adoption is growing but uneven, secure development attestation is rolling out, and the gap between policy and practice remains wide.
CISA's Secure by Design Pledge: Voluntary Commitments with Real Teeth
CISA launched a voluntary pledge asking software manufacturers to commit to specific security improvements. Over 100 companies signed. Here is what the pledge actually requires and whether it matters.
Ruby Gem Reserved Names Policy
How RubyGems.org handles reserved gem names, what protections exist for trademark holders, and where the policy creates friction for legitimate namespace claims.
Software Liability in 2024: The Shift From Caveat Emptor to Vendor Accountability
Governments worldwide are moving to hold software vendors liable for security failures. Here is what the shifting liability landscape means for software producers and consumers.
The Ransomware Payment Ban Debate: Arguments, Evidence, and Unintended Consequences
Should governments ban ransomware payments? The debate intensified through 2023 as attacks escalated, with strong arguments on both sides and no clear consensus.
Open Source Policy Template for Enterprises
A practical template for crafting an enterprise open-source usage policy that balances developer freedom with security and compliance requirements.
Kubernetes Admission Controllers for Supply Chain Policy
Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them the right place to enforce image provenance, signing, and SBOM policies.