software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
What is prototype pollution and why it keeps recurring in npm packages
Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.
What crypto-agility means and how to design for algorithm...
What crypto agility really means, why SHA-1's decade-long death proved it, and how to design algorithm swaps into software before NIST's PQC deadlines force the issue.
Introduction to confidential computing and hardware-based...
Confidential computing seals data in use inside hardware-encrypted enclaves, closing the last gap in the encrypt-everywhere model. Here's how it works.
Key security risks unique to WebAssembly runtimes and mod...
WebAssembly runs your edge functions, service mesh plugins, and smart contracts. Here are the WebAssembly security risks hiding behind the sandbox.
Analysis of documented WebAssembly sandbox escape vulnera...
Real documented WASM sandbox escape cases in Wasmtime and Wasmer, covering affected versions, severity, disclosure timelines, and how to remediate.
How the WASI security model constrains system access for ...
WASI's capability model gives Wasm modules only the exact files, sockets, and resources they're explicitly granted—but misconfiguration and runtime bugs still leave real gaps to close.
Security considerations for running WebAssembly at the ed...
Wasm's sandbox is safe by default, not safe by construction. Here's where edge WebAssembly security breaks down -- in browsers, at the edge, and in the build pipeline.
How RAG poisoning attacks manipulate retrieval-augmented ...
RAG poisoning attacks corrupt the external knowledge base an LLM retrieves from, turning trusted documents into vectors for misinformation and data leaks.
How model extraction attacks steal proprietary AI model b...
Model extraction attacks let adversaries clone proprietary AI models through ordinary API queries alone. Here's how the attacks work, why they evade detection, and how to stop them.
What shadow AI is and how to discover unsanctioned AI use...
Shadow AI risk is spreading faster than governance can keep up. Here's what unsanctioned AI use looks like inside real enterprises and how to discover it before data leaks.
Glossary of AI Trust, Risk, and Security Management (AI T...
A glossary of AI trust risk security management concepts: the Gartner AI TRiSM framework, its four pillars, AI risk taxonomy, and adversarial threats.
RubyGems Escape Sequence Injection via Gem Name Output (C...
A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.