software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Zero-CVE Images vs Hardening Your Own: Cost and Risk Compared
Buy zero-CVE base images or build hardened ones yourself? A cost-and-risk comparison with real numbers: engineering hours, subscription pricing, and CVE half-life.
XXE (XML External Entity) attack
A precise breakdown of what an XXE attack is, how XML external entity injection works, a real-world exploit example, the billion laughs attack, and prevention techniques.
What is Compliance Automation
Compliance automation replaces manual audit evidence with continuous, API-driven monitoring — here's how it works, which frameworks it covers, and why supply chain evidence changes the equation.
What is the OWASP Software Assurance Maturity Model (SAMM)
A concrete breakdown of OWASP SAMM's 5 functions, 15 practices, and 30 streams, how its maturity levels work, and how it compares to BSIMM.
CVSS scoring
What is CVSS? A clear breakdown of the Common Vulnerability Scoring System, base vs temporal scores, CVSS v4 changes, and how to prioritize real risk.
Go (Golang) Security Explained
Go's memory safety stops buffer overflows, not logic bugs, typosquatted modules, or CI-pipeline compromise. Here's what actually threatens Go security.
CWE (Common Weakness Enumeration)
What is CWE? A plain-English guide to the Common Weakness Enumeration, how it differs from CVE, its classification hierarchy, and the Top 25 list.
CISA KEV catalog
The CISA KEV catalog lists vulnerabilities with confirmed real-world exploitation. Here's what it is, how entries get added, deadlines, and remediation rules.
Static Analysis vs Dynamic Analysis
Static analysis reads code before it runs; dynamic analysis watches it execute. Here's how the two differ, catch different bugs, and work best together.
Snyk vs Checkmarx Comparison
Snyk vs Checkmarx compared on SAST/SCA depth, pricing, IaC/container coverage, and their real Log4Shell response — plus where reachability analysis closes the gap.
Snyk vs Wiz Comparison
Snyk secures code, Wiz secures cloud infrastructure — a concrete look at pricing, coverage, dev workflow fit, and Google's $32B Wiz acquisition.
How to enable Dependabot version updates
A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.