sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
Finding vulnerable code hidden inside shaded and uber JARs
JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase
NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.
Building an OSPO security governance model for license and vulnerability risk
77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.
React and TypeScript security best practices for 2026
A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.
A framework for consolidating SAST, DAST, and SCA tools
Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.
The secure SDLC implementation guide: gates for every phase
NIST's SSDF names four practice groups, but most teams bolt security onto one phase. Here's how to gate design, code, build, and release instead.
Top open-source vulnerabilities in the npm ecosystem
Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.
Integrating C/C++ security scanning into CI pipelines
Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.