software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
The Generational Divide in Attitudes Toward AI-Assisted C...
Younger developers trust AI-generated code far more than senior engineers do. That gap decides who reviews a PR before a vulnerability ships — and it's already showing up in real breaches.
Reading the Tea Leaves of Security Vendor Partner-of-the-...
Vendor Partner-of-the-Year awards dominate cybersecurity conference season. Here's what the criteria really measure — and the supply chain risk they don't.
Are AI Coding Assistant Vendors Ready to Own Their Securi...
AI coding assistants ship indemnification for copyright suits, not for the vulnerabilities they introduce. Here's the liability gap enterprises need to understand.
What is a Build Cache Poisoning Attack
Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.
How Analyst Firms Are Redrawing Category Lines Around ASPM
Gartner, Forrester, and other analyst firms are redrawing the boundaries around ASPM, CNAPP, and traditional AppSec testing — reshaping how security teams buy and organize tools.
How to Verify an npm Package Before Installing It
Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.
NIS2 Directive: What EU Software Vendors Must Do Now
NIS2 is in force, transposition is late in half the EU, and the obligations bind anyway if you're in scope. The supply chain security and 24-hour reporting duties, decoded.
How to Vet a GitHub Action Before You Trust It with Secrets
Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.
Monitoring Package Maintainer Changes as a Threat Signal
Most package hijacks start with a maintainer change nobody was watching. Registry metadata makes these events observable — if you bother to look.
What is Typo-Squatting Detection
Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
What is a Trusted Publisher (PyPI and npm)
A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.