Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Software Supply Chain Security

CycloneDX

CycloneDX is the OWASP-backed SBOM standard for tracking software components, vulnerabilities, and VEX statements. Here's what is CycloneDX and how it compares to SPDX.

Mar 3, 20267 min read
Software Supply Chain Security

SPDX

What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.

Mar 3, 20267 min read
Software Supply Chain Security

Build provenance

What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.

Mar 3, 20267 min read
Engineering

Alpine vs Distroless vs Ubuntu Base Images: Security Tradeoffs

Alpine is small, distroless is smaller, Ubuntu is comfortable. The real security question is CVE surface vs debuggability vs compatibility — with numbers.

Mar 2, 20267 min read
Identity Security

Zero trust architecture (ZTA)

A precise definition of zero trust architecture, the NIST 800-207 model, ZTNA vs VPN, and how zero trust principles apply to securing modern software supply chains.

Feb 28, 20267 min read
Cryptography

Hash collision attack

What is a hash collision, and why does it break integrity checks and signatures? A precise definition, the SHA-1 collision attack, and how Safeguard closes the gap.

Feb 28, 20266 min read
Cryptography

Elliptic curve cryptography (ECC)

A precise, technical answer to what is elliptic curve cryptography — plus how ECC vs RSA, ECDSA signatures, and ECDH key exchange secure modern systems.

Feb 27, 20267 min read
Compliance

What is ISO 27001

ISO 27001 is the international ISMS standard with 93 Annex A controls. Here's what it requires, who needs it, and what it costs to certify.

Feb 27, 20267 min read
Cryptography

Hardware Security Module (HSM)

What is an HSM? Learn how hardware security modules store signing keys, how HSM vs KMS differs, and why FIPS 140-2 HSMs protect code-signing keys.

Feb 27, 20267 min read
Compliance

What is the NIST Secure Software Development Framework (SSDF)

NIST SSDF (SP 800-218) explained: its four practice groups, the EO 14028 origin, federal attestation deadlines, and how it differs from SLSA and SP 800-53.

Feb 26, 20266 min read
Compliance

What is Executive Order 14028

EO 14028 forced federal software vendors to prove what's in their code. Here's what it requires, who it binds, and what's changed since 2021.

Feb 26, 20266 min read
Compliance

What is the EU Cyber Resilience Act

The EU Cyber Resilience Act sets binding cybersecurity rules for digital products, with reporting due by Sept 2026 and full compliance by Dec 2027.

Feb 26, 20266 min read
software-supply-chain-security (Page 26) — Safeguard Blog