software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Typosquatting and malicious Go modules published to pkg.g...
How malicious Go modules exploit pkg.go.dev's open publishing model, real typosquatting attacks like steelpoor/tlsproxy, and why Go's module proxy makes cleanup so hard.
What is a Private Package Registry
A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.
What is Artifact Repository Security
Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.
Goroutine leaks and data races as denial-of-service and s...
Goroutine leaks and data races aren't just bugs — they're exploitable DoS and logic-corruption vectors. Here's how they work, real incidents, and how Safeguard catches them.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.
What is Runtime Protection
Runtime protection catches what pre-deployment scanning can't — live attacks like the XZ Utils backdoor and Log4Shell exploitation, detected only in production.
What is a Security Baseline
A security baseline is the minimum, testable set of controls every system or repo must meet — here's how it differs from policy, and how to build one for your supply chain.
iOS app supply chain risk from third-party SDKs and ad li...
Third-party SDKs and ad libraries run inside your iOS app with your app's permissions. Here's how ios sdk supply chain risk hides in plain sight — and what Safeguard does about it.
What is Third-Party Risk Management
Third-party risk management explained: what it covers, why SolarWinds and MOVEit made it board-level, and how modern TPRM differs from supply chain security.
Third-party library risk in Android apps: permissions, SD...
Every Android app runs dozens of third-party SDKs with full app permissions. Here's how android third-party library risk turns into real data leaks — and how Safeguard catches it first.
What is Defense in Depth
Defense in depth stacks independent security layers—source, build, dependencies, artifacts, runtime—so no single failure causes a breach.
What is Security by Obscurity
Security by obscurity means hiding a system instead of securing it. Here's why that bet fails, with real breaches, real CVEs, and what to build instead.