Safeguard
Tag

sca

Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.

345 articles

Application Security

Finding vulnerable code hidden inside shaded and uber JARs

JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.

Jul 16, 20266 min read
Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
DevSecOps

Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase

NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.

Jul 16, 20267 min read
Open Source Security

Building an OSPO security governance model for license and vulnerability risk

77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.

Jul 15, 20266 min read
Application Security

React and TypeScript security best practices for 2026

A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.

Jul 15, 20266 min read
DevSecOps

A framework for consolidating SAST, DAST, and SCA tools

Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.

Jul 15, 20266 min read
DevSecOps

The secure SDLC implementation guide: gates for every phase

NIST's SSDF names four practice groups, but most teams bolt security onto one phase. Here's how to gate design, code, build, and release instead.

Jul 14, 20267 min read
Open Source Security

Top open-source vulnerabilities in the npm ecosystem

Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.

Jul 14, 20267 min read
Application Security

Integrating C/C++ security scanning into CI pipelines

Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.

Jul 13, 20267 min read
Supply Chain Security

A patching playbook for critical open-source CVEs

Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.

Jul 13, 20266 min read
Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
sca — Safeguard Blog