Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Software Supply Chain Security

Malicious dependency attacks in the software supply chain

Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.

Apr 4, 20267 min read
Software Supply Chain Security

What is Typosquatting

Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.

Apr 4, 20267 min read
Software Supply Chain Security

What Are Malicious Packages

Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.

Apr 3, 20267 min read
Software Supply Chain Security

Managing risk in the software supply chain

Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.

Apr 3, 20268 min read
Open Source Security

Open Source License Compliance

Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.

Apr 3, 20267 min read
Software Supply Chain Security

Software supply chain security: threat vectors & solutions

Real incidents, real numbers: how modern software supply chain threat vectors work, why SBOMs alone don't stop them, and what actually closes the gap.

Apr 2, 20268 min read
Open Source Security

Copyleft vs Permissive Licenses

Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.

Apr 2, 20267 min read
Vulnerability Management

Streamlining the vulnerability management lifecycle

Most teams find CVEs fast but fix them slowly. Here's why the vulnerability management lifecycle breaks down after scanning — and how to close the gap.

Apr 2, 20267 min read
Application Security

Attack surface reduction: practical strategies to minimiz...

Base images are one layer. Real attack surface reduction covers dependencies, build pipelines, and provenance too — here's what Chainguard's approach misses.

Apr 2, 20267 min read
Software Supply Chain Security

Sigstore, Cosign, and keyless container image signing

How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.

Mar 30, 20267 min read
Buyer's Guides

Anchore vs. Snyk / Wiz / Sysdig / Aqua / Chainguard posit...

Evaluating Anchore alternatives? See how Safeguard, Snyk, Wiz, Sysdig, Aqua, and Chainguard actually differ on SBOM, runtime, and compliance.

Mar 29, 20269 min read
Vulnerability Analysis

What is a Man-in-the-Middle Attack

A man-in-the-middle attack lets adversaries intercept trusted connections -- from Wi-Fi logins to CI/CD package fetches -- with real-world cases and defenses.

Mar 28, 20267 min read
software-supply-chain-security (Page 19) — Safeguard Blog