software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Outdated Software Components: Quantifying the Risk
Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.
AI Bill of Materials (AI-BOM) for Model Supply Chains
An AI-BOM tracks every model, dataset, and dependency in your ML pipeline so a compromised base model or license issue can be traced in minutes, not weeks.
Missing Encryption of Sensitive Data
Missing encryption of sensitive data (CWE-311) drove breaches from Equifax to CVS Health. Here's how it happens across the software supply chain and how to catch it early.
Post-Quantum Cryptography Migration for Application Security
NIST finalized PQC standards in 2024, but most companies can't even inventory where RSA and ECC live in their stack. Here's a realistic migration roadmap for AppSec teams.
SQL Injection Prevention in Rust with sqlx
sqlx blocks SQL injection by default with compile-time query checks and bind parameters — but format!() and raw SQL calls can still reopen the gap. Here's how to audit for it.
What is Binary Provenance
Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.
How to Set Up Dependency Review on GitHub Pull Requests
GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.
What is Secretless Authentication in CI/CD
Secretless authentication replaces stored CI credentials with short-lived OIDC tokens minted per job. Here's the trust-policy plumbing, provider support, and the pitfalls.
Securing GitHub Actions Reusable Workflows at Scale
Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.
How Snyk Open Source's PR checks block merges based on se...
A technical look at how Snyk Open Source's PR checks scan pull requests, compare severity to configured thresholds, and gate merges in CI/CD.
What is a Vulnerability Exploitability eXchange (VEX) Statement
A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.
Java Supply Chain Security Beyond Log4Shell
Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.