Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

DevSecOps

The Generational Divide in Attitudes Toward AI-Assisted C...

Younger developers trust AI-generated code far more than senior engineers do. That gap decides who reviews a PR before a vulnerability ships — and it's already showing up in real breaches.

Jul 17, 20257 min read
Industry Analysis

Reading the Tea Leaves of Security Vendor Partner-of-the-...

Vendor Partner-of-the-Year awards dominate cybersecurity conference season. Here's what the criteria really measure — and the supply chain risk they don't.

Jul 16, 20257 min read
Industry Analysis

Are AI Coding Assistant Vendors Ready to Own Their Securi...

AI coding assistants ship indemnification for copyright suits, not for the vulnerabilities they introduce. Here's the liability gap enterprises need to understand.

Jul 15, 20258 min read
Concepts

What is a Build Cache Poisoning Attack

Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.

Jul 14, 20256 min read
Industry Analysis

How Analyst Firms Are Redrawing Category Lines Around ASPM

Gartner, Forrester, and other analyst firms are redrawing the boundaries around ASPM, CNAPP, and traditional AppSec testing — reshaping how security teams buy and organize tools.

Jul 14, 20257 min read
Guides

How to Verify an npm Package Before Installing It

Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.

Jul 9, 20256 min read
Compliance

NIS2 Directive: What EU Software Vendors Must Do Now

NIS2 is in force, transposition is late in half the EU, and the obligations bind anyway if you're in scope. The supply chain security and 24-hour reporting duties, decoded.

Jul 8, 20256 min read
Guides

How to Vet a GitHub Action Before You Trust It with Secrets

Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.

Jun 22, 20256 min read
Engineering

Monitoring Package Maintainer Changes as a Threat Signal

Most package hijacks start with a maintainer change nobody was watching. Registry metadata makes these events observable — if you bother to look.

Jun 14, 20256 min read
Concepts

What is Typo-Squatting Detection

Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.

Jun 7, 20256 min read
Engineering

Vendoring Dependencies: When It Helps and When It Hurts Security

Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.

May 25, 20257 min read
Concepts

What is a Trusted Publisher (PyPI and npm)

A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.

May 21, 20257 min read
software-supply-chain-security (Page 38) — Safeguard Blog