software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Developer infrastructure posture: integrating ASPM early
Prisma Cloud built ASPM outward from the cloud. Real breaches like tj-actions and SolarWinds start earlier, in developer infrastructure that needs its own continuous posture model.
What Is the CI/CD Pipeline (and CI/CD security)?
CI/CD pipelines now hold more privileged access than any other system — yet they're the least monitored. Here's what CI/CD pipeline security really requires.
LLM Traces and Evals: The Missing Layer in AI Supply Chain Security
Prompt traces and offline evals are standard hygiene for ML teams, but almost nobody treats them as supply chain telemetry. They should be. Here's how traces and evals plug into SBOM and reachability as a fourth security signal.
Application Security: a practitioner's guide
A practitioner's guide to application security: SAST, SCA, secrets, and supply chain integrity—plus how Safeguard compares to Prisma Cloud's CNAPP.
Top cloud data security solutions
Prisma Cloud's DSPM bolts data classification onto a 30-module CNAPP after resources already exist in the cloud. Here's why that misses the supply chain risks that matter most.
Forecasting the cloud security landscape (annual predicti...
Where does cloud security head into 2027? We break down six concrete predictions on CNAPP consolidation, supply chain risk, and Prisma Cloud gaps.
What Is CNAPP? (Cloud-Native Application Protection Platf...
CNAPP unifies CSPM, CWPP, CIEM, and app security into one platform. Here's the Gartner-defined pillars, how Prisma Cloud stacks up, and the supply-chain gap it leaves.
Attack Surface Management (ASM): best practices guide
A practical attack surface management best practices guide for software supply chains, covering SBOMs, base image hardening, CI/CD exposure, and a 90-day rollout plan.
What Are Transitive Dependencies
Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.
Direct vs Transitive Dependencies
Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.
A guide to modern vulnerability scanning
Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.
Types of Open Source Licenses
A breakdown of permissive, copyleft, and source-available license types—MIT, GPL, AGPL, SSPL—and why misclassified licenses create hidden supply chain risk.