Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Compliance

CMMC Level 2 for Software Vendors: A Practical Roadmap

CMMC Level 2 means all 110 NIST SP 800-171 controls, assessed by a C3PAO for most contractors. Here's the scoping, gap-closing, and evidence roadmap for software vendors.

May 3, 20246 min read
Guides

How to Meet EO 14028 Self-Attestation Requirements Step by Step

The CISA attestation form is final and the deadlines are real. Here is the step-by-step path: scope, SSDF evidence, POA&Ms, and RSAA submission.

May 2, 20247 min read
Guides

How to Audit Python Dependencies with pip-audit (and What It Misses)

pip-audit checks your Python dependencies against the PyPA advisory database in one command. Here is how to run it well in CI, and the four gaps it leaves open.

Apr 26, 20246 min read
Guides

How to Write a Vulnerability Disclosure Policy Developers Respect

Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.

Apr 22, 20247 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
Concepts

What is Fuzzing

Fuzzing feeds programs malformed input at machine speed to trigger crashes and expose memory-safety bugs. Here's how fuzz testing works and why it matters.

Apr 18, 20246 min read
Engineering

PHP Composer Security: Lockfiles, Packagist and Abandoned Packages

composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.

Apr 18, 20246 min read
Compliance

ISO 27001 Annex A Controls That Touch Your Build Pipeline

ISO 27001:2022 has 93 Annex A controls, and about a dozen land squarely on CI/CD. Here's the control-by-control map from clause number to pipeline artifact.

Mar 20, 20246 min read
Concepts

What is a Software Attestation

A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.

Mar 10, 20246 min read
Concepts

What is RASP

RASP runs inside an application and blocks attacks in real time, from the inside out. Here's how it works, how it differs from a WAF, and where it fits.

Mar 5, 20245 min read
Engineering

Security Debt: Measuring and Paying It Down

Security debt is the gap between the risk you're carrying and the risk you've decided to carry. Here's how to measure it in vuln-days and pay it down without a heroic quarter.

Mar 5, 20247 min read
Guides

How to Generate an SBOM in a GitLab CI Pipeline

A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.

Mar 3, 20245 min read
software-supply-chain-security (Page 41) — Safeguard Blog