software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Log4Shell RCE in Apache Log4j (CVE-2021-44228)
A deep dive into CVE-2021-44228 (Log4Shell): the critical Log4j RCE vulnerability, its timeline, affected versions, and concrete remediation steps.
libwebp heap buffer overflow zero-day (CVE-2023-4863)
A heap buffer overflow in libwebp, actively exploited in a zero-click iOS spyware chain, exposed browsers, Electron apps, and containers alike.
Enforcing container compliance with Azure Policy
How Azure Policy enforces container compliance on AKS—registry restriction, regulatory mapping, and where admission-time policy alone falls short.
Log4j JDBC Appender RCE (CVE-2021-44832)
CVE-2021-44832 lets attackers with logging-config write access achieve RCE via Log4j2's JDBC Appender — and Log4Shell fixes alone don't stop it.
lodash template code injection (CVE-2021-23337)
CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.
zlib heap buffer overflow via crafted input (CVE-2022-37434)
CVE-2022-37434: a heap buffer overflow in zlib's gzip header parsing. Affected versions, CVSS/EPSS/KEV context, timeline, and how to remediate it.
EJS template engine RCE via client option (CVE-2022-29078)
CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.
SBOM requirements for financial services under DORA
DORA now requires EU financial entities to track every software component down to the dependency level. Here's what the SBOM requirements actually mean.
CVE analysis: critical vulnerabilities in open source fin...
Log4Shell, Spring4Shell, and the Struts flaw behind Equifax: real CVEs still lurking in banking and fintech open source stacks, with fixes and detection tips.
GLBA Safeguards Rule requirements for software vendor ris...
What the FTC's GLBA Safeguards Rule requires for vendor risk management: contract terms, assessment frequency, and liability when a vendor fails.
Python requests library proxy-auth credential leak (CVE-2023-32681)
CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.
NAIC Insurance Data Security Model Law compliance for sof...
What NAIC model law software vendor compliance means for insurtech and SaaS vendors, and how insurer TPRM programs are enforcing it in contracts today.