software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
SBOM adoption in underwriting and actuarial software
Insurers price risk with software built on unvetted open-source code. Here's how SBOM underwriting software closes that blind spot.
Sentry SDK sensitive data exposure (CVE-2021-23727)
CVE-2021-23727 let sentry-sdk for Python leak OS environment variables into Sentry events, exposing secrets. Here's the impact, timeline, and fix.
Jackson-databind RCE via JDOM gadget (CVE-2020-36189)
CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.
Apache Commons FileUpload RCE (CVE-2016-1000031)
CVE-2016-1000031 is a critical Apache Commons FileUpload deserialization RCE that still lurks in transitive Java dependencies years after its fix.
Spring Security OAuth2 client vulnerability (CVE-2022-31690)
CVE-2022-31690 in Spring Security's OAuth2 client can let one principal obtain another's token. Here's the impact, CVSS/EPSS context, and how to remediate.
TSA pipeline cybersecurity directive and software supply ...
A breakdown of TSA's pipeline cybersecurity directives and the software supply chain requirements they impose on operators and oil and gas vendors alike.
What agentic AI security means and why traditional AppSec...
Traditional AppSec was built for static code, not decision-making agents. Here's what agentic AI security actually covers—and why autonomous agents need a new defense model.
Security implications of AI browser agents that click, br...
AI browser agents click, browse, and pay with your credentials -- and prompt injection attacks like EchoLeak and CometJacking prove they can be hijacked to do it.
Explaining Model Context Protocol and its expanding attac...
MCP security is now urgent: MCP servers grew from 700 to 16,000+ in a year, and most are unaudited. Here is the threat model and how Safeguard secures it.
How tool poisoning attacks compromise MCP tool descriptions
A single poisoned tool description can turn a trusted MCP server into a silent data-exfiltration channel. Here's how these attacks work — and how to stop them.
Why training data provenance matters for trustworthy AI m...
Poisoned datasets and untraceable training data are already causing lawsuits and breaches. Here's why training data provenance is now a security requirement.
What an AI Bill of Materials is and why enterprises need one
An AI bill of materials (AIBOM) inventories the models, data, and dependencies behind an AI system. Here's what it is and why enterprises need one.