Safeguard
Tag

Security

Safeguard articles tagged "Security" — guides, analysis, and best practices for software supply chain and application security.

58 articles

Emerging Technology

WebAssembly Security: New Capabilities, New Supply Chain Questions

WebAssembly is expanding beyond the browser into server-side and edge workloads. The security model and supply chain implications deserve closer scrutiny.

Jul 18, 20235 min read
DevSecOps

SpotBugs Security Detectors for Java: A Practical Guide

SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real results from it.

Jun 22, 20234 min read
Software Supply Chain Security

npm Install Script Security: The Code That Runs Before Your Code

npm install scripts execute arbitrary code during package installation. They are the most exploited vector in JavaScript supply chain attacks.

Jun 2, 20234 min read
Application Security

TLS Library Comparison: OpenSSL vs BoringSSL vs LibreSSL vs rustls

Your TLS library choice has massive security implications. Here is an honest comparison of the major options and what each trade-off means.

May 25, 20235 min read
Dependency Management

The Security Implications of Semantic Versioning

Semver promises predictability in dependency management. In practice, it creates a trust model with serious security implications that most developers do not consider.

Apr 28, 20236 min read
Software Supply Chain Security

Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism

Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.

Apr 8, 20234 min read
Container Security

BuildKit and Buildah: Building Containers Without Giving Away the Keys

Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.

Mar 12, 20236 min read
Analysis

Dependency Pinning vs. Ranges: The Tradeoffs

Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it wrong has real security implications.

Jan 25, 20236 min read
Application Security

Cryptographic Library Selection Guide: Choosing Wisely for Your Stack

Picking the wrong crypto library means either rolling your own crypto or using a library with a poor security track record. Here is how to choose.

Jan 22, 20235 min read
DevSecOps

PHPStan Security Analysis: Static Typing as a Security Tool for PHP

PHPStan brings static analysis to PHP. Its type checking catches entire classes of bugs that lead to security vulnerabilities in PHP applications.

Jan 8, 20235 min read
DevSecOps

Release Management Security Checklist

A pre-release security checklist that covers dependency verification, vulnerability scanning, SBOM generation, and artifact integrity for every production release.

Dec 28, 20226 min read
Open Source

Open Source Funding, Sustainability, and Security

The software industry runs on open source maintained by unpaid volunteers. Until we fix the funding problem, we can't fix the security problem.

Dec 15, 20229 min read
Security (Page 4) — Safeguard Blog