software-composition-analysis
Safeguard articles tagged "software-composition-analysis" — guides, analysis, and best practices for software supply chain and application security.
82 articles
HIPAA compliance and software composition analysis for he...
HIPAA doesn't name software composition analysis, but auditors increasingly expect it. Here's how healthcare teams use SCA to manage third-party risk and protect ePHI.
Third-party risk management for telehealth platforms
A six-step playbook for telehealth vendor risk management: inventory PHI flows, tier HIPAA business associate risk, run SCA on vendor SDKs, and monitor continuously.
Buyer's guide: selecting an SBOM tool for medical device ...
A buyer's guide comparing SBOM and SCA tools for medical device makers navigating FDA cybersecurity requirements, with honest vendor strengths and limitations.
NIST 800-171 and software composition analysis for defens...
How NIST 800-171 software composition analysis, DFARS 252.204-7012, and CMMC 2.0 reshape open-source risk management for defense contractors protecting CUI.
Log4j SocketServer unsafe deserialization (CVE-2019-17571)
A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.
dom4j XML external entity vulnerability (CVE-2018-1000632)
CVE-2018-1000632, the dom4j XXE vulnerability, let attackers inject and tamper with XML via unescaped addElement/addAttribute calls. Here's the fix.
CocoaPods Orphaned Pod Takeover Vulnerability (CVE-2024-3...
CVE-2024-38368 let attackers claim orphaned CocoaPods and push malicious code into any iOS or macOS app still depending on them. Here is what to check.
Apache Maven's Insecure HTTP Repository Resolution Enabli...
CVE-2021-26291 shows how Apache Maven resolved dependencies over plain HTTP, letting a MITM attacker swap in malicious artifacts during the build.
Best open source software composition analysis (SCA) tools
A practical comparison of the best open source SCA tools — vulnerability coverage, license scanning, and CI/CD fit — with honest strengths and limitations for each.
CVE-2020-7729: Command injection in node-notifier
CVE-2020-7729 lets attacker-influenced input reach node-notifier's OS notifier calls, enabling command injection. Here's the impact, timeline, and fix.
How Snyk Container detects application-level dependencies...
A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.
How Snyk Open Source builds a full dependency tree from p...
How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.