Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Vulnerability Analysis

Log4Shell RCE in Apache Log4j (CVE-2021-44228)

A deep dive into CVE-2021-44228 (Log4Shell): the critical Log4j RCE vulnerability, its timeline, affected versions, and concrete remediation steps.

Jan 19, 20267 min read
Vulnerability Analysis

libwebp heap buffer overflow zero-day (CVE-2023-4863)

A heap buffer overflow in libwebp, actively exploited in a zero-click iOS spyware chain, exposed browsers, Electron apps, and containers alike.

Jan 16, 20268 min read
AI Security

Enforcing container compliance with Azure Policy

How Azure Policy enforces container compliance on AKS—registry restriction, regulatory mapping, and where admission-time policy alone falls short.

Jan 14, 20268 min read
Vulnerability Analysis

Log4j JDBC Appender RCE (CVE-2021-44832)

CVE-2021-44832 lets attackers with logging-config write access achieve RCE via Log4j2's JDBC Appender — and Log4Shell fixes alone don't stop it.

Jan 14, 20267 min read
Vulnerability Analysis

lodash template code injection (CVE-2021-23337)

CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.

Jan 12, 20268 min read
Vulnerability Analysis

zlib heap buffer overflow via crafted input (CVE-2022-37434)

CVE-2022-37434: a heap buffer overflow in zlib's gzip header parsing. Affected versions, CVSS/EPSS/KEV context, timeline, and how to remediate it.

Jan 7, 20268 min read
Vulnerability Analysis

EJS template engine RCE via client option (CVE-2022-29078)

CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.

Jan 5, 20267 min read
SBOM & Compliance

SBOM requirements for financial services under DORA

DORA now requires EU financial entities to track every software component down to the dependency level. Here's what the SBOM requirements actually mean.

Jan 5, 20267 min read
Open Source Security

CVE analysis: critical vulnerabilities in open source fin...

Log4Shell, Spring4Shell, and the Struts flaw behind Equifax: real CVEs still lurking in banking and fintech open source stacks, with fixes and detection tips.

Jan 3, 20268 min read
Regulatory Compliance

GLBA Safeguards Rule requirements for software vendor ris...

What the FTC's GLBA Safeguards Rule requires for vendor risk management: contract terms, assessment frequency, and liability when a vendor fails.

Jan 3, 20268 min read
Vulnerability Analysis

Python requests library proxy-auth credential leak (CVE-2023-32681)

CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.

Dec 31, 20258 min read
Regulatory Compliance

NAIC Insurance Data Security Model Law compliance for sof...

What NAIC model law software vendor compliance means for insurtech and SaaS vendors, and how insurer TPRM programs are enforcing it in contracts today.

Dec 31, 20258 min read
software-supply-chain (Page 21) — Safeguard Blog