software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
What is Dependency Pinning
Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.
Rust Crate Security: cargo audit, cargo vet and Beyond
cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.
Software Escrow and Supply Chain Continuity Planning
Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.
A Beginner's Guide to Threat Modeling Your Build Pipeline
Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.
How to Run a Tabletop Exercise for a Supply Chain Breach
A 90-minute tabletop built on a compromised dependency scenario will expose more gaps than a year of policy reviews. Here is the full agenda, injects included.
SCA vs SAST vs DAST: Which Do You Actually Need First
Three scanner acronyms, one budget. A spec-level comparison of SCA, SAST, and DAST — what each catches, what each costs to run, and the order that pays off fastest.
HIPAA and Third-Party Software Components: A Developer Guide
HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.
What is Red Teaming
Red teaming emulates a real adversary to test not just your defenses but your ability to detect and respond. Here's how it works and how it differs from a pentest.
PCI DSS 4.0 Software Supply Chain Requirements Explained
PCI DSS 4.0 quietly turned component inventories, third-party code review, and payment page script control into audit line items. Here's the requirement-by-requirement map.
What is a Security Audit
A security audit is an evidence-based check that your controls actually meet a standard. Here's the process, the main frameworks, and how it differs from a pentest.
What is Egress Filtering in CI
Egress filtering in CI restricts where build jobs can send traffic, so a compromised dependency can't exfiltrate your secrets. Here's how to roll it out without breaking builds.
What is Repo-Jacking
Repo-jacking hijacks renamed or deleted GitHub namespaces to serve attacker code at trusted URLs. Here's how the redirect trick works and how to audit your exposure.