sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
Mend vs Black Duck: Functional Comparison
Compare Mend (formerly WhiteSource) and Black Duck on SBOM export, license policy, detection sources, deployment model, and enterprise reporting for 2024 SCA selection.
Spring4Shell: What Shipped and How to Patch It
What the Spring4Shell vulnerability actually was, which configurations were exposed, and the concrete patch and mitigation steps that closed it.
GitHub Advanced Security vs Alternatives, Early 2024
GitHub Advanced Security anchors many AppSec programs in 2024, but Snyk, Semgrep, Endor, and others are credible alternatives. Here is an honest comparison.
GitHub Licenses: Choosing One for Your Repo
A practical walkthrough of the license options GitHub surfaces when you create a repo, and how to pick one that matches what you actually want people to do with your code.
Endor Labs SCA Review: Reachability Analysis Changes the Game
A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph analysis reduces vulnerability noise.
jQuery 1.10.2 Vulnerabilities: Should You Still Worry?
jQuery 1.10.2, released in 2013, predates the fixes for three well-documented CVEs — CVE-2015-9251, CVE-2019-11358, and CVE-2020-11022/11023 — which means yes, it's genuinely still worth worrying about.
Veracode SCA: Mature Application Security Meets Dependency Scanning
An overview of Veracode's SCA capabilities within their broader application security platform, covering vulnerability prioritization, agent-based scanning, and enterprise features.
Open Source vs Commercial SCA Tools: An Honest Comparison
Free SCA tools have gotten remarkably good. Commercial tools still offer advantages. Here is when each makes sense for your organization.
Checkmarx SCA: Application Security from a SAST Pioneer
A review of Checkmarx SCA covering its integration with the broader Checkmarx AST platform, vulnerability detection, and exploitability analysis capabilities.
Dependabot Security Updates: Behavior Deep Dive
A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.
Snyk vs Dependabot: A Head-to-Head Comparison
Evaluate Snyk and Dependabot on vulnerability detection, ecosystem coverage, CI integration, pricing, and remediation to pick the right SCA tool for your team.
Vendor Lock-In in Security Tooling: The Hidden Cost of Integration
Deep integration with a security vendor creates efficiency but also dependency. Here is how to evaluate lock-in risk in your security tooling decisions.