software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
The Codecov Bash uploader breach
How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.
3CX DesktopApp supply chain compromise
How North Korea-linked hackers turned a signed, trusted 3CX VoIP installer into malware — and the double supply chain attack that made it possible.
Snyk vs Aikido Security Comparison
Comparing Snyk and Aikido as code scanners misses the bigger question: can you prove what actually shipped? Here's where Safeguard's supply chain security fits.
Artifact Tampering and Integrity: Trusting What You Actually Ship
Artifact tampering alters a build output after it leaves source control, so what you deploy differs from what you reviewed. Here is how it works and how to verify integrity.
The NIST Secure Software Development Framework (SSDF), explained
NIST SP 800-218 is the framework behind federal secure-development attestations. Here's what its four practice groups ask of you and how to produce the evidence.
The XZ Utils backdoor CVE-2024-3094 explained
CVE-2024-3094 hid a remote-access backdoor inside xz-utils via a years-long social engineering campaign. Here's the timeline, impact, and fix.
Snyk vs SonarQube for SAST
Snyk Code and SonarQube both do SAST, but neither started as a supply chain security platform. Here's how their approaches differ, and where Safeguard fits.
event-stream npm package backdoor incident
How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.
ua-parser-js npm hijack incident
In 2021, a hijacked npm account pushed cryptomining and password-stealing malware into ua-parser-js for 4 hours. Here's what happened and how to catch it faster.
Snyk Pricing: Is It Worth the Cost
Snyk's tiered, per-seat pricing looks simple until you scale. A buyer's-guide breakdown of what drives Snyk's total cost, and how Safeguard approaches supply chain security pricing differently.
colors.js and faker.js protestware sabotage
In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.
What Is Application Security (AppSec) 101
AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.