Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

AI Security

Cursor's AI security agents: what they get right and what's missing

Cursor's Bugbot and MCP agents catch real bugs, but CurXecute and MCPoison show they open new attack surfaces SCA tools never had to face.

Jun 6, 20266 min read
SBOM

Software Dependency Cooldown Policies

A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.

Jun 6, 20267 min read
SBOM

Sonatype SBOM Manager Overview

A concrete look at Sonatype SBOM Manager — its origins, pricing model, VEX support, and common adoption gaps — for teams evaluating an SBOM manager tool.

Jun 5, 20266 min read
Engineering

The Economics of Vulnerability Backlogs

A vulnerability backlog is an inventory problem with interest payments. Triage costs, carrying costs, and why fixing by EPSS beats fixing by CVSS on pure ROI.

Jun 4, 20267 min read
SBOM

Shadow Risks: Unmanaged and Unauthorized Dependencies

Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.

Jun 4, 20268 min read
Threat Intelligence

What Is Open Source Malware

Open source malware is code deliberately planted in packages to attack the systems that install it. Learn how it spreads, real incidents, and how it differs from CVEs.

Jun 3, 20267 min read
Buyer's Guides

Dependabot Alternatives in 2026: An Honest Buyer's Guide

An honest guide to Dependabot alternatives in 2026 — Renovate, Snyk, Socket, Endor Labs, Mend, and Safeguard — covering dependency updates, reachability analysis, malicious-package detection, and software supply chain security.

Jun 2, 20267 min read
Tools

Best Container Base Images for Security in 2026

Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.

Jun 2, 20267 min read
Supply Chain

PyPI Malware News: What's Happening and How to Detect It

PyPI malware news keeps repeating the same pattern — typosquats, compromised maintainer accounts, and post-install scripts that exfiltrate credentials — here's how to actually catch it.

Jun 2, 20265 min read
Application Security

What Is Perimeter Protection in Application Security

Perimeter protection screens packages at the gate — but xz-utils, SolarWinds, and event-stream all slipped past firewalls. Here's what it catches, and what it misses.

Jun 2, 20267 min read
Vulnerability Analysis

The CWE Top 25 most dangerous software weaknesses

MITRE's 2023 CWE Top 25 ranks the software weaknesses behind 43,996 CVEs. Here's how it's scored, what moved, and how to prioritize fixes.

Jun 1, 20266 min read
Application Security

SAST vs DAST: static and dynamic application security tes...

SAST catches insecure code before deploy; DAST tests running apps after. We compare both against JFrog's Artifactory-first model and Safeguard's supply-chain-native approach.

Jun 1, 20268 min read
software-supply-chain-security (Page 9) — Safeguard Blog