Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Concepts

What is Dependency Pinning

Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.

Oct 8, 20246 min read
Engineering

Rust Crate Security: cargo audit, cargo vet and Beyond

cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.

Sep 20, 20246 min read
Engineering

Software Escrow and Supply Chain Continuity Planning

Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.

Sep 19, 20247 min read
Engineering

A Beginner's Guide to Threat Modeling Your Build Pipeline

Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.

Aug 25, 20247 min read
Guides

How to Run a Tabletop Exercise for a Supply Chain Breach

A 90-minute tabletop built on a compromised dependency scenario will expose more gaps than a year of policy reviews. Here is the full agenda, injects included.

Jul 11, 20246 min read
Comparisons

SCA vs SAST vs DAST: Which Do You Actually Need First

Three scanner acronyms, one budget. A spec-level comparison of SCA, SAST, and DAST — what each catches, what each costs to run, and the order that pays off fastest.

Jul 2, 20246 min read
Compliance

HIPAA and Third-Party Software Components: A Developer Guide

HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.

Jun 23, 20246 min read
Concepts

What is Red Teaming

Red teaming emulates a real adversary to test not just your defenses but your ability to detect and respond. Here's how it works and how it differs from a pentest.

Jun 20, 20245 min read
Compliance

PCI DSS 4.0 Software Supply Chain Requirements Explained

PCI DSS 4.0 quietly turned component inventories, third-party code review, and payment page script control into audit line items. Here's the requirement-by-requirement map.

May 23, 20246 min read
Concepts

What is a Security Audit

A security audit is an evidence-based check that your controls actually meet a standard. Here's the process, the main frameworks, and how it differs from a pentest.

May 9, 20245 min read
Concepts

What is Egress Filtering in CI

Egress filtering in CI restricts where build jobs can send traffic, so a compromised dependency can't exfiltrate your secrets. Here's how to roll it out without breaking builds.

May 8, 20247 min read
Concepts

What is Repo-Jacking

Repo-jacking hijacks renamed or deleted GitHub namespaces to serve attacker code at trusted URLs. Here's how the redirect trick works and how to audit your exposure.

May 5, 20247 min read
software-supply-chain-security (Page 40) — Safeguard Blog