risk-management
Safeguard articles tagged "risk-management" — guides, analysis, and best practices for software supply chain and application security.
31 articles
Embedding security-by-design into DevSecOps risk management across the SDLC
NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.
A practical AppSec maturity model: five stages, self-assessment included
OWASP SAMM v2 scores 15 practices on a 0–3 scale; BSIMM15 measured 121 firms and found SCA adoption up 67%. Here's a five-stage model to self-assess against.
Software Supply Chain Security for CISOs
The CISO does not write the vulnerable dependency, but answers for it to the board, the auditor, and the regulator. Here is how to run a supply chain program that stands up to all three.
What Is a Security Control?
A security control is a safeguard that prevents, detects, or responds to threats to reduce risk. Learn the types, categories, and how frameworks organize them.
Managing risk in the software supply chain
Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.
NIST Cybersecurity Framework (CSF) explained
NIST CSF 2.0 added a Govern function and supply chain risk category in 2024. Here's what it requires, how Vanta maps it, and where build-level evidence closes the gap.
Who needs SOC 2 compliance? A breakdown by company stage/...
SOC 2 isn't legally required, but it's now a deal-blocker as early as seed stage. Here's a stage-by-stage, industry-by-industry breakdown of who actually needs it.
What is AI Governance
AI governance means the policies and technical controls that keep AI models, data, and agents safe, compliant, and auditable across your software supply chain.
What is the NIST Cybersecurity Framework
A breakdown of the NIST Cybersecurity Framework's six functions, its 2024 update, and why GV.SC makes it central to software supply chain security.
What is a Security Risk Assessment
A security risk assessment ranks real business risk, not raw CVE counts. Here's what it involves, how often it's required, and how it differs from scanning.
What is Compliance Automation
Compliance automation replaces manual audit evidence with continuous, API-driven monitoring — here's how it works, which frameworks it covers, and why supply chain evidence changes the equation.
Gartner SRM Summit 2025 Recap
Gartner's 2025 Security & Risk Management Summit pushed CISOs to focus on supply chain risk, AI governance, and measurable outcomes. Here is the analyst view.