Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Open Source Security

What is a Package Manager

Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.

Feb 8, 20267 min read
Open Source Security

What is PyPI Security

PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.

Feb 8, 20267 min read
Open Source Security

What is Maven Security

Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.

Feb 8, 20267 min read
Industry Analysis

Rust memory safety vulnerabilities despite the borrow che...

The borrow checker doesn't stop everything. Here's how rust unsafe code vulnerabilities slip past Rust's safety guarantees and reach production.

Feb 6, 20267 min read
Industry Analysis

Auditing unsafe Rust FFI boundaries for memory corruption...

A step-by-step rust ffi security audit: map unsafe boundaries, fuzz with cargo-fuzz, run Miri and sanitizers, and verify ownership to catch memory corruption before shipping.

Feb 5, 20268 min read
Open Source Security

What is License Scanning

License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.

Feb 4, 20266 min read
Software Supply Chain Security

Anatomy of a Go module supply chain compromise: lessons f...

Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.

Feb 3, 20269 min read
Open Source Security

NuGet supply chain attacks: typosquatting and dependency ...

NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.

Jan 31, 20268 min read
Open Source Security

NuGet package signing, source mapping, and verifying pack...

A practical guide to NuGet package signing, source mapping, and provenance verification for .NET teams — with commands, config, and a troubleshooting checklist.

Jan 31, 20268 min read
Open Source Security

Case study: a malicious NuGet package compromise and its ...

Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.

Jan 30, 20268 min read
Compliance

What is Vendor Risk Management

Vendor risk management now means tracking code-level supply chain risk, not just SOC 2 reports—here's what it covers, how to tier vendors, and what regulations require it.

Jan 29, 20267 min read
Open Source Security

Maven Central dependency confusion and namespace collisio...

How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.

Jan 29, 20267 min read
software-supply-chain (Page 19) — Safeguard Blog