sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
ASPM fundamentals: what application security posture management actually aggregates
Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.
ASPM fundamentals for security teams
Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.
A framework for integrating ASPM into an existing AppSec program
Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.
Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs
Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.
What developer-first supply chain security actually requires
The xz-utils backdoor was caught by a 500ms SSH login delay, not a scanner. Real developer-first security means catching it before the commit ships.
A reference architecture for SAST, SCA, and DAST gates that don't block developers
Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.
Enriching SBOMs with Vulnerability and License Metadata
A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.
Designing an application security program from first principles
Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
The Moq NuGet incident: how a mocking library harvested developer emails
In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.
The security case for Node.js's newer runtime features
Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.
The security risk of LLMs reviving abandoned open-source packages
USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.